It was a terrible year for the health of computer systems. Cyberthieves stole credit- and debit-card numbers from up to 56 million customers of the retail giant Home Depot, even more than the 40 million they stole in 2013 from Target.
At JPMorgan Chase, 76 million bank accounts were compromised. The Heartbleed bug poked a big hole in widely used encryption software, and the Bash bug exposed millions of computers to malware. A Russian gang made off with more than a billion email addresses and passwords and compromised a half-million websites.
What’s going on, and what can we do about it? Discover spoke with Eugene Spafford, a longtime computer security expert and director of Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS).
Discover: As you look over the recent incidents, what do they tell you about the state of our cybersecurity?
Spafford: The Home Depot and Target breaches were examples of how our commercial infrastructure is very vulnerable to those who want to exploit it. As criminals increase their sophistication, they will pick bigger and more complex targets. That targeting won’t be for the intellectual challenge — it will be because bigger targets have more to offer. Theft of millions of credit card transactions provides a huge body of information to break up and resell to other criminals. Theft of medical data, design and marketing plans, and financial information is a growing business with little in the way to discourage it.
Discover: It took months before the Home Depot and Target breaches were detected. It took more time before the companies patched their software, then assured customers that the patched systems were safe. Can we really trust that such ad hoc fixes to existing programs will protect us from credit card fraud?
Spafford: The software industry has built a response mechanism around the idea that flaws in products can be patched and that somehow the “patchability” is a substitute for sound design. Unfortunately, as we have seen with a great many incidents, it takes time to discover and analyze each flaw, and the patches take time to apply. The Heartbleed and Shellshock (Bash) flaws took years to discover, for instance — with the Shellshock flaw reported as being present for nearly 25 years! Then, too, some flaws may never get fixed everywhere. This combination of factors means sloppy design is ensuring that our overall infrastructure will be riddled with vulnerabilities for the foreseeable future.
Discover: What about the theft of passwords by Russian gangsters?
Spafford: It’s unlikely we’ll be able to identify and apprehend the people who’ve stolen all those passwords because of the difficulty of investigating and prosecuting computer crime. But for them to get the passwords means that they somehow found weaknesses in lots of vendors that they were able to exploit. The Target breach, the collection of passwords and a number of other incidents this year all point to a significant, well-funded, technically talented criminal element that is actively attacking and exploiting systems, from home users up to major corporations.
Discover: If you were the cybersecurity czar, what steps would you recommend?
Spafford: This is an area that needs more fundamental research on how to change the way we build and deploy things, not simply on how to patch what’s there. An awful lot of the federal research funding is, how do we fix Windows, how do we fix Linux, how do we make a stronger PC. That’s not going back and questioning fundamental assumptions.
We are currently using general-purpose, mass-market computing platforms to do things that don’t really require that level of generality. It makes them vulnerable to a wider variety of attack than they would be if they were custom-built.
If we build systems that do only one or two things, they’re less likely to be attacked. Your microwave oven has software inside that’s used to make it run. If that’s not connected anywhere and it doesn’t do anything else, like calculate your taxes and store your recipe files and send email, it can’t be attacked by outside mechanisms. Yes, it might be more expensive to build a new system or to remove components from an existing system. But being in business means you also have a duty to your customers and society not to endanger them unnecessarily with what your product does.
We’ve also got to move the job of combating malicious cyberactivity away from the military and more into law enforcement. A lot of what the federal government does is that it tries to mandate from a centralized, top-down approach. By default, most information flows to a small number of federal agencies. That’s not the right approach. What we really need is a local view.
Discover: You’ve proposed a local extension service for small, local businesses, something akin to the agricultural extension service.
Spafford: If you found an unusual proliferation of caterpillars eating everything in your garden, you wouldn’t contact somebody in Washington to come look at them. You would find your local extension service, and you would take a sample in, and they would give you advice as to what it was and how to respond. I think we need to adopt that kind of model for cyber — have an extension service, at a local level, that people can go to for classes, advice as to what software to get and help to identify a problem.