Most organizations focus their IT security efforts on fixing problems rather than preventing them, and many academic programs train their students in that approach. That model, says Professor Eugene Spafford, isn't adequately preparing the next generation of cybersecurity professionals.
In part two of a joint interview with Ron Ross of the National Institute of Standards and Technology, Spafford, a computer science professor at Purdue University, worries about the effects of existing approaches to IT security on those entering the profession.
When asked by Ross whether he sees a movement away from teaching fundamental security capabilities at universities, Spafford replied: "The fact that we have a demand from the market for more patching, a more after-the-fact add-on, rather than getting it right the first time, has reduced some of the emphasis at many institutions in teaching [fundamentals]."
Spafford, in the interview with Information Security Media Group [transcript below], further explains: "What that's doing is attempting to shorten the pipeline and select down for a group of people who know how to manage current threats and current systems, rather than emphasizing fundamental principles, broad knowledge and a life-long path for career."
What are the long-term effects of this recruitment trend? Down the line, Spafford warns that those individuals who received jobs due to their ability to find and exploit problems won't be able to build new systems, such as the successor to cloud systems, or operate security, simply because they have no background.
"That's probably the longer-term danger that we have," he says. "We're not doing enough to build up a cadre of people with deep experience and basic principles."
In the interview:
- Spafford foresees a day when cheaper hardware and software will mean organizations won't need to migrate to the cloud in many instances, resulting in a more secure computing environment;
- Ross questions how the evolving definition of information security over the past two decades might change the way organizations address their security needs.
In part one, Ross and Spafford presented differing views on the role cloud computing performs in helping mitigate information risk [see: Cloud Computing: A Way to Reduce Risk?].
Besides being a computer science professor, Spafford serves as executive director at Purdue University's Center for Education and Research in Information Assurance and Security. Widely considered a leading expert in information security, Spafford has served on the Purdue computer science faculty since 1987. His research focuses on information security, computer crime investigation and information ethics.
Ross, a NIST fellow, serves as the architect of the risk-management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program. He leads NIST's Federal Information Security Management Act Implementation Project as well as the Joint Task Force Transformation Initiative Working Group, a joint partnership of NIST, the Defense Department, the intelligence community and the Committee on National Security Systems, to develop a unified information security framework for the federal government.
Virtualization in the Cloud
This is part two of a conversation about the impact of the cloud on risk management. It starts with Ross asking Spafford a question about virtualization in the cloud.
RON ROSS: I would like to ask Spaf [a question]. With all the virtualization that we're going to be building in the clouds, one of the problems we continue to have with cyber-attacks is that it's very difficult with this complexity that we talked about to stop all attacks, because the infrastructure is inherently complex. The solutions that we build sometimes are not as strong as we would like. Long-term, with virtualization, there's a theory out there that if we can churn the infrastructure with virtualization or micro-virtualization techniques, it really won't make any difference if some of the attacks do get through because the time on target is going to be so limited that the adversary really won't be able to carry out the exploit to the degree that they would like. I wanted to get your thoughts on that. What are you seeing with the technology, some of the research and development? You're plugged in very closely to the university system with Purdue and all the groups that you work with around the country. I'm just curious to know your thoughts on that.
GENE SPAFFORD: It's a good question, and part of it, I think, is looking at the trends we've seen. [A lot of what's been developed in] cloud computing ... has largely been in reaction to cost. It's intended to provide surge capability with elasticity and reduce cost by not requiring you to make an investment for your surge capabilities, and to save some on personnel. The cost of hardware keeps dropping. Some of the technologies that are being built into the hardware make these technologies a lot cheaper. I'm wondering how much cloud computing will actually be attractive as we move forward, as we see this evolution in hardware and software for any reason, not just security, but also some of the other issues whereas having the capacity in-house to monitor it may be better. That doesn't completely address your question, but I think it's related.
More to your question about where some of the trends are in the technology. There are a lot of attacks; there are a lot of things that are going on now that we're beginning to see - horizontal supply-chain attacks, business-partner attacks to be able to get access - where they do have to have longer time to accomplish the business relationships. That's being exploited. We also are seeing various kinds of things going on that don't require necessarily prolonged direct access because it's so quick to get information out or to deny service.
The denial-of-service going on right now, as a business issue, really has nothing to do with virtualization, other than if you've got a lot of virtualized systems you can generate even more bandwidth. There are so many different aspects to what it means to have a secure or protected system, or at least to be able to reduce the risk for it. The advances in hardware and software are changing still; some of the cost dynamics. I'm not really sure what a computing platform ten years from now will look like, but I'm actually wondering how much connectivity we're going to want to have for some of the really critical resources, whether we won't have the capacity to have very powerful systems that aren't connected to them all the time to maintain what we need.
Will New Hires Impede Security?
ROSS: We were talking about technology and where that's going to be, and the churning of the infrastructure. I'm also concerned about the people who are going to be helping to provide the security solutions. I know you and I talked at RSA a little about the future of the computer scientist and the computer security folks that are building careers on top of that computer science degree or computer engineering. I'm wondering if our definition of security today has evolved from what it was two decades ago. I'm talking about the evolution away from more trustworthy systems, systems that are inherently stronger, more resilient, things that we could apply some of the best practices to.
The first principles of it go back decades. ... Are you seeing a move away from some of those fundamental capabilities coming out of our universities? If that's true, how's that going to affect our ability to have the right people in place to help provide some of these stronger solutions, whether it's cloud or any other type of computing? Even in the cloud, we're going to need those kinds of folks that can help us understand the fundamentals and really build those stronger solutions.
SPAFFORD: A lot of what we've seen in the evolution here of security and moving towards these other kinds of solutions is putting more things in the way between our resources and potential attackers. We're putting in antivirus, IDS; we're putting in firewalls; we're putting in various other kinds of devices, and then we're moving it out into the cloud with presumably further rings of protection. Rather than trying to build secure systems, which is time-consuming and costs more than the current mass-produced versions, organizations keep trying to add patches on top. The fact that we have a demand from the market for more patching, a more after-the-fact add-on rather than getting it right the first time, has reduced some of the emphasis at many institutions in teaching that.
But we also have a secondary effect that's going on now, and the government is actually one of the drivers here. You have various people in prominent positions saying, "We've got a huge shortfall. We've got to get more people. Let's have competitions to identify the best hackers." What that's doing is attempting to shorten the pipeline and select down for a group of people who know how to manage current threats and current systems, rather than emphasizing fundamental principles, broad knowledge and a life-long path for career here.
The result of that is we're going to have a whole lot of people out there in 10 years who got their jobs and were really, really good at finding and exploiting problems in Windows and Linux, but have no idea how to build a new system that's a successor to the cloud systems or to operate the security in these because they've never had the background. That's probably the longer-term danger that we have. As we're moving all this stuff off into the cloud, we're moving off into an environment that's going to change because of technology and laws, and we're not doing enough to build up a cadre of people with deep experience and basic principles.
ROSS: Those basic principles, whether we're talking cloud or otherwise, are still applicable. Just because we're moving to the cloud at some pace doesn't diminish the need for the things you just talked about. ... We're at the tipping point. I know at NIST we've been working really hard during this past year. In our upcoming publication, we're trying to rebrand this whole notion of assurance and trustworthiness for the very reasons you just articulated. It's really an unanswered question about whether this new emphasis is going to be successful or not, because I believe we're at a tipping point. We could go either way. Redefining security to some of the things that we're doing today without regard to the fundamentals could be problematic long-term, because just going to the cloud is not going to solve those fundamental problems that we're talking about here today.
SPAFFORD: I agree. Looking back at the field - and I've got 30 years of actual practice experience in this - but also reading the history, we have had cycles where new technology innovation has led to massive change in the way that people approach computing, presumably to solve many of the problems. Some of them are cost-related, some security and some usability. We keep jumping to time-sharing. We see [movement] to more mini-computers or micro-computers. We see movement to graphical user interfaces. We see movement to database engines. We see movement to local area networks and distributed file systems. Each one of these steps along the way has been held out as the solution to all the previous problems, but they've introduced a whole new set of problems that weren't anticipated. Cloud computing offers many benefits, and I certainly don't mean to suggest that they don't. And they offer a lot of potential for better security for organizations that don't understand it and can't use it. They're going to introduce new problems, many of which we haven't seen. Unless we're preparing a generation of people to then deal with the next one, and I don't believe we are, the government and big companies are seeking out mechanics rather than architects - we're going to have longer-term problems. The cloud is a great solution, but it breeds new problems.
ROSS: I would agree with that.