1. A Strategy for Cyber Defense Strategy John C. Mallery (jcma@mit.edu) jcma@mit.edu Computer Science & Artificial Intelligence Laboratory Massachusetts Institute of Technology Presentation at the 2010 Workshop on Cyber Security and Global Affairs & Security Confabulation IV, Zurich, July 7-9, 2010. 11/10/2015 2:54:32 PM

2. John C. Mallery MIT CSAIL2 Message Decompose the cyber elephant! Decompose the cyber elephant! Identify attacker business models Identify attacker business models Make prioritized architectural moves to disrupt attacker business models Make prioritized architectural moves to disrupt attacker business models Increase the work factor for attackers Increase the work factor for attackers Lower the work factor for defenders Lower the work factor for defenders Plan defensive campaigns across life cycles of attack and defense Plan defensive campaigns across life cycles of attack and defense Disrupt the attacker business model at choke points Disrupt the attacker business model at choke points Channel the attacker to more defensible attack surfaces Channel the attacker to more defensible attack surfaces Seize the initiative Seize the initiative Change the game to the advantage of defense Change the game to the advantage of defense Change the incentive structures -> virtuous cycles Change the incentive structures -> virtuous cycles Align security and mission incentives Align security and mission incentives

3. John C. Mallery MIT CSAIL3 Threat Actors And Capabilities Threat ActorsMotiveTargetsMeansResources Nation States During War Time Political Military, intelligence, infrastructure, espionage, reconnaissance, influence operations Intelligence, military, broad private sector Fully mobilized, multi- spectrum Nation States During Peace Time Political Espionage, reconnaissance, influence operations Intelligence, military, leverages criminal enterprises or black markets High, multi-spectrum, variable skill sets below major cyber powers Terrorists, Insurgents PoliticalInfrastructure, extortionLeverage black markets?Limited, low expertise Political Activists or Parties PoliticalPolitical outcomesOutsourcing?Limited, low expertise Black Markets For Cyber Crime Financia l Hijacked resources, fraud, theft, IP theft, illicit content, scams, crime for hire Tools, exploits, platforms, data, expertise, planning Mobilizes cyber crime networks Criminal Enterprises Financia l Reconnaissance, planning, diverse expertise Professional, low end multi-spectrum, leverage of black markets Small Scale Criminals Financia l Leverages black markets Low, mostly reliant on black markets Rogue Enterprises Financia l IP theft, influence on sectoral issues Outsourcing to criminal enterprises? Sectoral expertise, funding, organization

4. John C. Mallery MIT CSAIL4 Integration of Technical and Economic Perspectives Security Engineering defends and attributes Security Economics analyzes incentives and risks Value at Risk Threat Actors Attack Vectors Value Monetization Political Return

5. John C. Mallery MIT CSAIL5 Asymmetries of Cyber Attack and Defense ModeAttackerDefender Initiative Chooses the best place, time and means of attack Must defend everywhere, all the time, against any attack Communications Organized around attack -> Good Organized around product -> Poor CoordinationSmall group -> highNon-scalable -> low Situational Awareness High After-market bolt-on -> Low Software ControlHigh Depends on supply chain -> Low Decision cycleFast Many stake holders -> Slow AgilityHigh (apparent)Low KnowledgeLow, narrowHigh, broad but diffuse Architectural ControlLowHigh, but slow Legal/LE SystemsLowHigh, but slow

6. John C. Mallery MIT CSAIL6 Laws of Information Assurance Centralization Risk: Concentration of value attracts better resourced attackers whenever the attacker work factor does not increase faster than the value at risk. Centralization Risk: Concentration of value attracts better resourced attackers whenever the attacker work factor does not increase faster than the value at risk. Corollary: Attackers can gain economies of scale through common mode vulnerability (low diversity) Corollary: Attackers can gain economies of scale through common mode vulnerability (low diversity) Corollary: Multiplexing functionality on the same platform aggregates the individual threat models Corollary: Multiplexing functionality on the same platform aggregates the individual threat models Markowitz’s Law: A minimal complexity system has fewer attack surfaces. Markowitz’s Law: A minimal complexity system has fewer attack surfaces. Corollary: Eliminate unnecessary functionality Corollary: Eliminate unnecessary functionality Gosler’s Law: Architectural change displaces preferred attack points. Gosler’s Law: Architectural change displaces preferred attack points. Corollary: Move attack points to where they can be best defended. Corollary: Move attack points to where they can be best defended. Architectural Leverage: Effective security can be achieved through synergistic architectural moves targeting attacker work factors Architectural Leverage: Effective security can be achieved through synergistic architectural moves targeting attacker work factors Success is achieved by raising attacker work factor across attack surfaces beyond the resources available to the attacker, or worthy of the target. Success is achieved by raising attacker work factor across attack surfaces beyond the resources available to the attacker, or worthy of the target.

7. John C. Mallery MIT CSAIL7 Defensive Complexity Analysis Meta-metric for security focuses on difficulty of tasks an attacker or defender must perform Meta-metric for security focuses on difficulty of tasks an attacker or defender must perform Work factor is the difficulty of executing tasks Work factor is the difficulty of executing tasks Analogous to computational difficulty in crypto Analogous to computational difficulty in crypto Extends beyond the technical designs to domain embeddings Extends beyond the technical designs to domain embeddings Dimensions of work factors Dimensions of work factors Resources Resources  Computational complexity  Cost  Expertise and Knowledge Planning, execution and information management Planning, execution and information management  Cognitive difficulty (non-linear planning)  Learning difficulty  Organizational effectiveness/dysfunction Risk Risk  Uncertainty  Culture Make technical or policy moves that cumulatively Make technical or policy moves that cumulatively Impose hard problems on attackers Impose hard problems on attackers Facilitate coordinated defense Facilitate coordinated defense

8. John C. Mallery MIT CSAIL8 High Leverage Solutions: Eliminate Whole Classes Of Vulnerability By Design Example: Runtime type checking and array bounds checking eliminates 99% of penetration exploits on COTS operating systems. – Source: Alexander Sotirov (Solved in the 1970s – use it!) Fixing security vulnerabilities at their source retires an entire attack surface, and its consequences. Failure to fix the cause results in multiplicative vulnerabilities and multiplicative impacts on defender work factors. Leverage means fixing the cause rather than the symptoms. Example: Lack of separation in COTs operating systems means one Trojan in the supply chain can subvert downstream products and systems. (See separation kernels) Example: Ubiquitous input validation eliminates code injection attacks (e.g., SQL injection) (see CLIM) Tree Descent Is Exponential

9. John C. Mallery MIT CSAIL9 Cyber Security Leverage is highest at base of IT Innovation Hierarchy Social networking Use of cloud computing Digital organizations Application software Personal computing, global Interweb Large-scale E-commerce frameworks E- financial & payment systems DoD Global Information Grid Global network infrastructure IT capital goods industry Commodity computing technologies High performance routers Global Internet protocols & structure Commodity ICs & storage Crypto, computer/network security Packet-switched networking Fiber Optics, quantum communication Computer architecture, PL/OS models Transistor, VLSI, quantum computing? “Edge innovation,” leverage of IT infrastructures Large-scale IT infrastructures Core technologies supporting IT infrastructure Disruptive foundational technologies Mainstream Commerce framing ecosystems Technology base Scientific basis Flexible, adaptive within frameworks Slow, large investments, incremental change Low external flexibility due to constraints of other levels Intellectually Difficult 4 3 2 1 ExamplesScope No AgilityType

10. John C. Mallery MIT CSAIL10 Attack/Defense Work Factors at Every Stage In System Life Cycles Evolving Technology Landscape Requirements Design Implementation Accreditation Integration Manufacturing Shipping Deployment Operation Training Maintenance Evolution  The attacker can choose to attack the weakest surface at the most inopportune time for the defender.  The sophisticated attacker can deploy multi-spectrum techniques in a well-resourced coordinated plan.  The sophisticated attacker can attack anywhere along the supply chain.  The defender must protect all attack surfaces at all times, including those in the supply chain

11. John C. Mallery MIT CSAIL11 Attacker Work Factors at Every Stage in the Offensive Life Cycle (days) ModeAction Research Target Conceptualize Probe Map networks, apps, files, info Plan Penetrate, Develop Persistence & Collect Camouflage Penetrate Camouflage Execute Exfiltrate Obfuscate Analysis Data Mine Analyze Disseminate & Act Integrate Distribute

12. John C. Mallery MIT CSAIL12 Defender Work Factors at Every Stage in The Defensive Life Cycle (years) ModeAction ModelAnticipate Attack Attack Sensing, Warning and Response (ASW&R) Sense, Warn, Respond Identify ThreatDiagnose Design Mitigation Adapt/remediate Regenerate Investigate Develop & Deploy Develop Deploy Maintenance Or Upgrade

13. John C. Mallery MIT CSAIL13 Today’s COTs: Even Partial Solutions Can Impact The Attacker Work Factor Microsoft introduced a series of partial moves against penetration over past 10 years Microsoft introduced a series of partial moves against penetration over past 10 years Penetration is when the attacker gets his first function to run before he escalates privilege Penetration is when the attacker gets his first function to run before he escalates privilege None of MS counter measures are fully effective None of MS counter measures are fully effective Some break existing code and are not turned on Some break existing code and are not turned on Yet, the impact on the attacker work factor increased the time to develop an exploit from 3 days in the late 1990s to 3 weeks in 2010 Yet, the impact on the attacker work factor increased the time to develop an exploit from 3 days in the late 1990s to 3 weeks in 2010 Assumes exploit development (but not packaging) must be done by a single person Assumes exploit development (but not packaging) must be done by a single person Source: Alexander Sotirov, February, 2010 Source: Alexander Sotirov, February, 2010 Still not outside the 4 week patch cycle? Still not outside the 4 week patch cycle?

14. John C. Mallery MIT CSAIL14 Medium-term (3-5 yrs): Enhancing Power Grid Security Create secure SCADA cyber infrastructure based on: Create secure SCADA cyber infrastructure based on: Minimal complexity hosts with high assurance Minimal complexity hosts with high assurance Minimal connectivity overlay networks Minimal connectivity overlay networks Approach Approach Separation: Build on existing platforms like separation kernels Separation: Build on existing platforms like separation kernels Safety: Use safe programming languages Safety: Use safe programming languages  Type checking & buffer bounds checking Correctness: Verify critical code, including compiler Correctness: Verify critical code, including compiler Input Checking: Use comprehensive syntactic input validation Input Checking: Use comprehensive syntactic input validation  Example: CLIM presentation system Model Checking: Build semantic model to validate input Model Checking: Build semantic model to validate input  Massoud Amin (U. Minn.) claims that 60% of parameter input sets could be checked for safety Resilience: Build in via strong adaptive capacity Resilience: Build in via strong adaptive capacity Redundancy: Use physically redundant networking with out of band control Redundancy: Use physically redundant networking with out of band control Adapt approach to other critical infrastructures Adapt approach to other critical infrastructures WF Impact: Major, state of the art security, push the attacks into the supply chain and insiders WF Impact: Major, state of the art security, push the attacks into the supply chain and insiders

15. John C. Mallery MIT CSAIL15 Mid-term (3-5 yrs): Prophylactic Networking Strategy (HTTP and SMTP) Eliminate exploitable vulnerabilities from the network application stack so as to deny botnets and bad actors a vector through which to subvert COTs OSes. Eliminate exploitable vulnerabilities from the network application stack so as to deny botnets and bad actors a vector through which to subvert COTs OSes. Reimplement the TCP/IP and SSL stacks in a safe language. Reimplement the TCP/IP and SSL stacks in a safe language. Reimplement HTTP and SMTP servers and clients in safe languages. Reimplement HTTP and SMTP servers and clients in safe languages. Provide a competent security model and sandboxing for mobile code (e.g., JavaScript). Provide a competent security model and sandboxing for mobile code (e.g., JavaScript). Use virtualized COTS OS + app (e.g. word, multimedia code) in a one-shot-then-reset mode to view embedded media or attachments. Use virtualized COTS OS + app (e.g. word, multimedia code) in a one-shot-then-reset mode to view embedded media or attachments. Parse and rewrite any media or attachments that are returned to the primary host environment. Parse and rewrite any media or attachments that are returned to the primary host environment. Industry knows how to implement these systems Industry knows how to implement these systems For probably $1B, the HTTP and SMTP range of software could be reimplemented within 2-3 years. For probably $1B, the HTTP and SMTP range of software could be reimplemented within 2-3 years. Some legal requirements for “network safety” would incentivize the development and update. Some legal requirements for “network safety” would incentivize the development and update. Spear phishing eliminated by design (maybe spam too) Spear phishing eliminated by design (maybe spam too) Drive-by Web site attacks eliminated by design Drive-by Web site attacks eliminated by design WF Impact: Significant, push attacker on to other penetration vectors, make him do R&D WF Impact: Significant, push attacker on to other penetration vectors, make him do R&D

16. John C. Mallery MIT CSAIL16 Long-term (5-10 yrs): Transformational Architectures Eliminate single point failures leading to collapse of security in: Eliminate single point failures leading to collapse of security in: System architectures (e.g., monolithic privileged kernel) System architectures (e.g., monolithic privileged kernel) Crypto (e.g., secret key leakage) Crypto (e.g., secret key leakage) ID management (e.g., insider) ID management (e.g., insider) Application architectures Application architectures Principles: Principles: Bake in security Bake in security  Eliminate vulnerabilities by design  Enforce strong fine-grained separation  Factor components Ground trust in multiple separate ways forcing an attack to compromise all simultaneously Ground trust in multiple separate ways forcing an attack to compromise all simultaneously Enhance resilience through adaptive software forcing an attacker to impair all functional variants simultaneously Enhance resilience through adaptive software forcing an attacker to impair all functional variants simultaneously Raise productivity dramatically based on semi-automatic program synthesis using verified and composable components Raise productivity dramatically based on semi-automatic program synthesis using verified and composable components WF Impact: Dramatic, over the horizon, push attacks into the supply chain WF Impact: Dramatic, over the horizon, push attacks into the supply chain

17. John C. Mallery MIT CSAIL17 Work Factor Analysis Can Help Guide Policy Formation Non-technical architectures have an impact on attacker and defender work factors Non-technical architectures have an impact on attacker and defender work factors International Law: Distinguish attack rising to “armed force” from espionage International Law: Distinguish attack rising to “armed force” from espionage  Separate exploitation targets from C 2 architecturally to enable clear response? Design component sourcing so that supply chain attacks must compromise multiple branches to succeed. Design component sourcing so that supply chain attacks must compromise multiple branches to succeed.  Eliminate single point supply chain vulnerabilities  Multiply suppliers and randomize component sourcing Technical architectures interact with policy choices Technical architectures interact with policy choices Isolation: Separate functions across systems so that compromise of a single system does not compromise multiple systems Isolation: Separate functions across systems so that compromise of a single system does not compromise multiple systems  Costs more money Self-knowledge: Map systems to build situational awareness of functions at risk to infer attacker goals and business model Self-knowledge: Map systems to build situational awareness of functions at risk to infer attacker goals and business model  Layout systems so they can be used to instrument attacker objectives Work factors can clarify leverage to help prioritize policy moves Work factors can clarify leverage to help prioritize policy moves

18. John C. Mallery MIT CSAIL18 Legal Moves: Black Markets For Cyber Crime Black markets provide: Black markets provide: Scalable cyber crime Scalable cyber crime Empower low-end state actors (over 100) Empower low-end state actors (over 100) A number of activities may not be illegal! A number of activities may not be illegal! Target reconnaissance Target reconnaissance Attack tools Attack tools Cryptographic support Cryptographic support Extend legal system to cover support activities for cyber crime Extend legal system to cover support activities for cyber crime Outlaw activities without non-criminal applications Outlaw activities without non-criminal applications Control “dual use” activities with high criminal leverage Control “dual use” activities with high criminal leverage WF Impact: Increase work factor by raising legal risk WF Impact: Increase work factor by raising legal risk LE focus on high leverage supply activities LE focus on high leverage supply activities Increase scarcity & price of high leverage ingredients Increase scarcity & price of high leverage ingredients

19. John C. Mallery MIT CSAIL19 Legal Moves: Separate Cyber Crime From Terrorists Terrorist may seek cyber attack capabilities in criminal black markets Terrorist may seek cyber attack capabilities in criminal black markets Cyber criminals are economic actors Cyber criminals are economic actors Pursue a business model Pursue a business model Seek to reduce risk to continuity of operations Seek to reduce risk to continuity of operations Make legal moves against transfer of cyber attack data, tools or expertise to terrorist organizations Make legal moves against transfer of cyber attack data, tools or expertise to terrorist organizations Raise response to national security level using military and intelligence resources Raise response to national security level using military and intelligence resources Institute exceptionally severe penalties, especially for critical infrastructure attacks Institute exceptionally severe penalties, especially for critical infrastructure attacks Channel activity away from terrorism Channel activity away from terrorism Make the risk reward calculus uneconomic Make the risk reward calculus uneconomic WF Impact: Reinforce incentives against aid to terrorists WF Impact: Reinforce incentives against aid to terrorists

20. John C. Mallery MIT CSAIL20 Economics: Monetizing Cyber Security & Modernizing the IT Sector Success: Success: Market forces spread reasonably high assurance throughout society and continue to innovate (Precedent: 1990s build out of civilian Internet) Market forces spread reasonably high assurance throughout society and continue to innovate (Precedent: 1990s build out of civilian Internet) Requirements: Requirements: Ability to accurately measure and compare system security characteristics Ability to accurately measure and compare system security characteristics  Predictive metrics  Historical data series Ability of buyers of IT to reliably understand & measure risk Ability of buyers of IT to reliably understand & measure risk  Anticipate and measure threat levels  Estimate losses due to potential cyber attacks  Determine commensurate levels of investment in security Transformation of the IT technology plane for security and agility Transformation of the IT technology plane for security and agility  Strongly bias work factors in favor of defender against attacker  Dramatically harden systems  Architect for adaptive resilience and rapid recovery  Radically increase productivity of secure system development, certification, accreditation, and operation  Align security with functionality by making it inherent and largely transparent  Deliver faster development cycles and superior total ownership cost than current generation COTS Alignment of market incentives for uptake – ultimately next gen COTS Alignment of market incentives for uptake – ultimately next gen COTS  Stratify markets according to assurance needs to provide a learning curve and a path to scale  Phased introduction of safety regulations, liability and meaningful cyber insurance as industry is genuinely able to respond based on transformational technologies  Attenuate rigidities in IT capital goods ecosystem that impede technical evolution

21. John C. Mallery MIT CSAIL21 Message Decompose the cyber elephant! Decompose the cyber elephant! Identify attacker business models Identify attacker business models Make prioritized architectural moves to disrupt attacker business models Make prioritized architectural moves to disrupt attacker business models Increase the work factor for attackers Increase the work factor for attackers Lower the work factor for defenders Lower the work factor for defenders Plan defensive campaigns across life cycles of attack and defense Plan defensive campaigns across life cycles of attack and defense Disrupt the attacker business model at choke points Disrupt the attacker business model at choke points Channel the attacker to more defensible attack surfaces Channel the attacker to more defensible attack surfaces Seize the initiative Seize the initiative Change the game to the advantage of defense Change the game to the advantage of defense Change the incentive structures -> virtuous cycles Change the incentive structures -> virtuous cycles Align security and mission incentives Align security and mission incentives

22. Appendix

23. John C. Mallery MIT CSAIL23 Received Notions Of Sustainability Developmental Economics: Growth based on resources available in sufficient supply in the future Developmental Economics: Growth based on resources available in sufficient supply in the future Foreign exchange bottleneck Foreign exchange bottleneck Environmental degradation Environmental degradation Sustainable development -> appropriate resource usage Sustainable development -> appropriate resource usage Green Technology: Reduced impact on environment (output) and improved utilization of depletable resources (input) Green Technology: Reduced impact on environment (output) and improved utilization of depletable resources (input) Renewable resources -> sustainability Renewable resources -> sustainability Clean energy sources to reduce CO 2 emissions and climate impact Clean energy sources to reduce CO 2 emissions and climate impact Efficient resource utilization (inputs & outputs/externalities) Efficient resource utilization (inputs & outputs/externalities) Computational Sustainability: Use of computation to improve resource utilization (e.g., Smart Grid) Computational Sustainability: Use of computation to improve resource utilization (e.g., Smart Grid) Core notion is continuity of dissipative systems Core notion is continuity of dissipative systems Non-equilibrium thermodynamics (Prigogine) looks at how living systems maintain themselves in the face of entropy via matter energy exchange with their environments Non-equilibrium thermodynamics (Prigogine) looks at how living systems maintain themselves in the face of entropy via matter energy exchange with their environments Living System (autopoesis): a network of component producing processes that recreate the network over time Living System (autopoesis): a network of component producing processes that recreate the network over time

24. John C. Mallery MIT CSAIL24 Cyber As A Computational Sustainability Conundrum Cyber refers to the embedding or integration of computation and communication within human organizations and social systems Cyber refers to the embedding or integration of computation and communication within human organizations and social systems Human systems are understood as living systems Human systems are understood as living systems Dissipative structures face perpetual challenge of continuity Dissipative structures face perpetual challenge of continuity  Must repair internal failures of essential components  Must adapt to changing environments  Usually face intelligent competitors Cyber impacts continuity Cyber impacts continuity Benefits: Greater adaptive potential through better information and computation Benefits: Greater adaptive potential through better information and computation Challenges: Environmental change driven by cyber Challenges: Environmental change driven by cyber  Requires internal and external adaptation Entropy: Cyber attack/exploitation consume resources Entropy: Cyber attack/exploitation consume resources  Direct impact of lost information or degraded operation  Indirect cost of recovery or investment in cyber security  Social costs of cyber pollution - export of risk, externalities Cyber sustainability involves: Cyber sustainability involves: Designing for reliability to manage complexity Designing for reliability to manage complexity Adapting to changes in the environment, often cyber fueled Adapting to changes in the environment, often cyber fueled Resisting cyber attack and exploitation Resisting cyber attack and exploitation Dialectic of computation: benefits come with vulnerabilities Dialectic of computation: benefits come with vulnerabilities

25. John C. Mallery MIT CSAIL25 Focus: Cyber Attack/Exploitation Cyber attack/exploitation undermines organizational autonomy Cyber attack/exploitation undermines organizational autonomy Computers become disloyal to owners, working against them Computers become disloyal to owners, working against them Reduced organizational integrity impairs goal seeking behavior and weakens adaptive capacity Reduced organizational integrity impairs goal seeking behavior and weakens adaptive capacity Everyday cyber impacts – death by 1000 cuts Everyday cyber impacts – death by 1000 cuts Economic: Drag on GNP of cyber crime, recovery, cyber security investment Economic: Drag on GNP of cyber crime, recovery, cyber security investment Innovation: Loss of intellectual property, trade secrets, know- how, plans Innovation: Loss of intellectual property, trade secrets, know- how, plans National security: Degraded systems, loss of classified information National security: Degraded systems, loss of classified information Potential existential threats via cyber Potential existential threats via cyber Industrial espionage: Loss of commercial or national advantage Industrial espionage: Loss of commercial or national advantage Economic disruption: Degradation of critical infrastructures Economic disruption: Degradation of critical infrastructures Cyber war: Impairment of national security functions Cyber war: Impairment of national security functions

26. John C. Mallery MIT CSAIL26 Moderate Frequency High Frequency Low Frequency Attacker Resources High Low High Low Espionage Cyber War with Peers Cyber Terrorism? Interdiction of Global Communication Industrial Espionage Cyber War Major Critical Infrastructure Attacks Cyber Crime Interception of Global Communication Attacker Resources Required for Cyber Impacts Most Cyber Data

27. John C. Mallery MIT CSAIL27 Strategy Decomposition Cyber technology base Cyber technology base IT capital goods industry IT capital goods industry  Computers, embedded, mobile  Networking Telecommunications operators Telecommunications operators Identity management & crypto industries Identity management & crypto industries Defense domains Defense domains Military & intelligence systems Military & intelligence systems Defense industrial base Defense industrial base Critical infrastructure Critical infrastructure Government systems Government systems Research infrastructure Research infrastructure Supply Chain Supply Chain  Major enterprise  Enterprise Consumer Consumer International cooperation International cooperation Allies Allies Trading partners Trading partners Global Global