Can Highly Secure Computing Defeat Cybercrime?

 
 
By Karen A. Frenkel  |  Posted 02-14-2014 Email Print this article Print
 
 
 
 
 
 
 
 

The EastWest Institute is calling for a new computing paradigm called Highly Secure Computing (HSC), in a new report, "Resetting the System: Why Highly Secure Computing Should be the Priority of Cybersecurity Policies." The EastWest Institute's goal is to make the world safer by addressing seemingly intractable problems that threaten regional and global stability. Current IT paradigms have "tolerated inherent structural security deficits of information technology for too long," according to authors Sandro Gayacken and Greg Austin. Traditional IT security and its social management are not up to the task of combating state-sponsored cyber-attacks, the EastWest Institute report says. The remedy is so-called passive security measures, regardless of who launched a cyber-attack. This "new ecology of cyber security" would result in less pressure on liberty and privacy in the name of political security, the authors claim. Instead, HSC espouses the concept of "deterrence by denial," which would render attribution of attacks irrelevant and reduce the need for surveillance and Internet control. They argue that HSC would therefore be a win-win strategy for both security and civil liberties. To read the full report, click here

 
 
 
  • Cyber-Security is Based on Health Model

    The EastWest Institute report claims that cyber-security is incorrectly based on the public health model of education, monitoring, epidemiology, immunization and incident response, but this model does not safeguard systems, even against petty criminals.
    Cyber-Security is Based on Health Model
  • Many Prefer a Military Model

    A military model is based on "active defense," meaning "hack back and deter." But massive surveillance goes with it, which upsets the public, is destabilizing, and can escalate.
    Many Prefer a Military Model
  • Critique of Active Defense

    Active defense profiles and retaliates against attackers. They are identified through forensic data traces in networks and where attacks occur. Active defense also includes preemptive hacking of foreign IT environments of both adversaries and allies, which can be provocative. The goal: threaten, discourage, or deter hackers.
    Critique of Active Defense
  • Yet, Exposing Identity No longer Deters

    China's APT-1 group, a military cyber-espionage unit, hardly bothered to disguise itself and did not seem to care about covering its tracks, according to the report.
    Yet, Exposing Identity No longer Deters
  • Ripe Time For Preventive High-Security IT

    The report asks, "Why not get the basic technology secured so no one can attack strategically critical systems in devastating ways in the first place?
    Ripe Time For Preventive High-Security IT
  • Defining Highly Secure Computing

    Highly Secure Computing (HSC) accepts the idea that it is not possible to construct totally secure computing systems and admits that they can be only "highly secure." But being highly secure will greatly reduce active defense and surveillance. This new paradigm matches the actual threat, whereas military active defense is more dangerous than helpful, according to the report.
    Defining Highly Secure Computing
  • Fundamental Elements of HSC

    Widely deploying unconventional ideas spawned in research laboratories could permanently solve much of the cyber-security problem, the report says. These ideas include architectural redesign, data flows, minimal complexity, language and reducing network dependency.
    Fundamental Elements of HSC
  • Architectural Redesign

    Von Neumann architecture does not distinguish between data and programs, so attackers force computers to read data that make it execute a program differently, therefore installing an attack. The EastWest report advocates the Harvard Architecture, which distinguishes between data and executables and makes attacks more difficult.
    Architectural Redesign
  • Data Flows

    Disallow flow of legitimate activity from one IT environment to another, making it harder for an attacker to navigate inside the system. OSs would not execute different kinds of code in different functional segments.
    Data Flows
  • Minimal Complexity

    Reduce computational complexity with microkernels. Today's Oss have tens of millions of lines of code that are exploitable, but a system with only 10,000 lines can be checked rigorously.
    Minimal Complexity
  • Language

    As with spoken language, the same expression can mean different things in computer languages. Attacks on computer networks intentionally cause divergent interpretations. The report recommends reducing language complexity and expressiveness to reduce misinterpretation.
    Language
  • Reduce Network Dependency

    Disconnect what does not have to be accessible through large external networks, like power plants for production facilities, thereby minimizing the scale of the risks.
    Reduce Network Dependency
 
 
 
 
 
Karen A. Frenkel writes about technology and science, innovation, and entrepreneurs and lives in New York City.

 
 
 
 
 
 

Submit a Comment

Loading Comments...