Cyber Security has proved to be an elusive goal that now requires a radical shift in the mental models of IT practitioners.

The first issue stems from the idealised concept of security with the implicit belief that a system can be made invulnerable to attack.

This is an unattainable goal if we are dealing with any complex IT system, and by complex I mean any network containing more than two computers to which human users have access.

This may be considered an extreme position by some, but the challenge of defending ICT systems does require some stocktaking at this point in time.

In particular the concept that cyber security should be viewed as a complex adaptive system is strongly advocated and this is the objective of the article.

We will also briefly discuss some alternative perspectives on security utilising Game Theory in defending computer systems; with a sprinkling of Chinese philosophy.

Games of chance

The best model with which we can understand the issues surrounding cyber security is a game theoretic approach [3][4]. Originally developed as a strategy tool in the nuclear cold-war, game theory studies the choice of optimal behaviour when the costs and benefits depend upon the choices of other individuals.

What we now have in the cyber domain is also an N player game of benign and malicious players. In addition a legitimate user may choose to switch roles to become a defecting agent at any instant. We are also in a state of co-evolution where each new defence strategy leads to co-adaptation by a corresponding set of attacks.

In addition the attack space is infinitely larger than the possible defence space. This is not good news if you still believe cyber security is an achievable state. The best we can ever achieve is a dynamically stable and robust defence. Ideally using a combination of signature and behaviour based responses. (A useful introduction to game theory is available at: http://en.wikipedia.org/wiki/Game_theory.)

It may also be productive to consider the idea of evolutionary stable strategies (ESS), as proposed by Maynard Smith [2], as a model of how the long term dynamic behaviour of offensive and defensive strategies will evolve in cyber security.

Hence if we introduce a new security mechanism the question to ask is: will it lead to a dynamically stable defensive effect over time? (An ESS basically states that for a set of behaviours to be conserved over evolutionary time, they must be the most profitable avenue of action when common, so that no alternative behaviour can invade).

The art of cyber-war

Shifting mental gear I believe we also need to see the world in a more Eastern frame of mind; as perceived by the Chinese philosopher Chuang Tzu; 'There is order in chaos, and certainty in doubt.

The wise are guided by this order and certainty.' Hence, disorder is not necessarily an evil, i.e. some feel that cyber attacks are positively useful in increasing the quality and robustness of our systems.

The distinction between western and oriental philosophy is emblematic of the issues facing the cyber security domain. What we require is a softer and balanced perspective as reflected in the traditional eastern stance towards life.

The classical western mindset of a binary world is fundamentally flawed when applied to securing complex networks and systems. There is no inside and outside only a continuous spectrum of risk and trust.

'If we wish to fight, the enemy can be forced to an engagement even though he be sheltered behind a high rampart and a deep ditch. All we need do is attack some other place that he will be obliged to relieve.' The Art of War: Section VI: Weak Points and Strong, Sun Tzu.

Endless vistas

OK, it is time to address the obvious subject in any article on computer security, i.e. Microsoft and its operating systems. Based on a preliminary and very superficial analysis of the design and implementation of the latest incarnation, Vista, I feel confident that it will provide a high degree of reliability and security.

The application of dynamic addressing of DLLs, built in Windows Defender, IE 7 protected mode, and enhanced Windows Security Center are significant improvements. More importantly the use of an adaptive defence response is exactly the right kind of security model to pursue.

'All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.' The Art of War, Sun Tzu.

If we consider the state of security in Apple and Linux, then prior to Vista, they have proved more secure than Microsoft's OS. It is a fact that they suffered fewer attacks; however this is comparing apples and pears.

They have traditionally occupied quite different market segments with a smaller installed base and thus offered a reduced target to attackers; and hence reduced motivation. The recent resurgence in Apple however is raising its profile and 2006 has seen the beginning of more diverse attack vectors targeted at OS X. It will be interesting to observe how well OS X copes against this new level of malicious behaviour.

However, there are some obvious and extensively discussed counterpoints to the security enhancements within Vista and other OS, i.e. while we have reached OS nirvana, the application layer will remain highly susceptible as the majority have very weak security.

Even if the major software vendors raise their game and are commercially forced to implement basic security controls in their code the millions of shareware and smaller vendors will remain as a risk factor.

Users and education

The following statement in a recent Microsoft report highlights the dynamic nature of the threat and the interaction between users and the technology.

'There is often an inherent tension between making things simple and intuitive for users and ensuring strong security and online safety measures. The industry continues to make good progress in improving the layers of protection available in both hardware and software.

But the consumer is an essential part of the solution and needs to understand the options available and how best to deploy them. Neither is the threat landscape static - it constantly evolves, requiring consumer education and awareness to be an ongoing process.' Microsoft report to UK House of Lords, Nov. 2006, sec.5.2.

This education is going to require a major effort on the part of government, academia, and the private sector selling the crap (sorry feature-rich applications!). Second, the poor educational standards of the UK means that expecting the users to be able to even read a complex security warning is a dangerous exercise.

My favourite example is a website popping up a message such as: 'Do you accept this X.509 certificate from Acme Inc.' Approximately one third of the UK population does not understand what the word 'certificate' means; let alone what a digital one implies!

In this case the first part of the MS statement above is plain wrong, i.e. '…an inherent tension between making things simple and intuitive for users and ensuring strong security and online safety measures.'

Security must be simple and intuitive, at all levels, or it is utterly useless. Even for technically skilled users and experts the growth in scale and complexity of the ICT domain requires simplicity to be at the core of every security concept.

One of the more recent UK government initiatives in this space is the DTI sponsored Cyber Security Knowledge Transfer Network (KTN) and associated Innovation Platform. The mission statement for this venture is:

'The Cyber Security KTN will be the single focal point for UK Cyber Security expertise, to collaboratively identify universal challenges and develop effective response, influence UK investment strategy and government policy, accelerate innovation and education, harness and promote UK capability internationally and help improve the UK security baseline.'

This is a very positive step and is laudable for engaging the widest possible stakeholder group, i.e. everyone interested in cyber security.

Computer defence as a complex system

Returning to the arena of game playing, it is particularly useful to consider the cyber security domain as a Complex Adaptive System (CAS). An annual series of workshops held in collaboration with the Santa Fe Institute have sought to examine the value of this approach. Some of the specific problems, which have been addressed, include:

  • Design of self-healing networks;
  • Optimisation versus robustness;
  • Recovery oriented computing;
  • Machine learning and defence strategies;
  • Dynamic stability in large-scale networks;
  • Self & non-self recognition, and immunology models.

Ultimately, this interdisciplinary CAS approach is the best model for understanding and enhancing cyber security. Only by combining knowledge from biology, immunology, physics and economics do we have any hope of improving the situation; (the work by Forrest et al is a good example of a bio-inspired strategy [1].)

The emphasis again is on improving the defensive capability rather than eliminating the threat. 

Identity and role playing

Human beings rely primarily on visual processing and a visual image of a card provides an intuitive and contextual reference model for a user. If we can establish a robust identity process then the task of constructing meaningful webs of trust online can begin.

The migration of social trust dynamics into the virtual domain is fundamentally important for society as a whole and is a key component in securing the net.

'Social mechanisms complement hard security techniques (such as passwords and digital certificates), which only guarantee that a party is authenticated and authorised, but do not ensure that it exercises its authorisation in a way that is desirable to others,' (Yu and Singh 2003).

Hence we return to the utility of the game-theoretic perspective, i.e. agents will defect after trust has been granted by other players, if the payoff is sufficient. Unfortunately, what are sufficient defection criteria for any particular user or group is highly context dependent and virtually impossible to predict.

Summary

At first glance this would appear to be a pessimistic interpretation of the state of cyber security; however we could at least raise our game in terms of the base robustness of ICT systems. Vista and the current varieties of OS are clearly superior to previous platforms.

More can still be done at the OS level but the signs are encouraging. Yes a skilled adversary can always find a vulnerability, but this will become increasingly difficult. The application layer is significantly harder to secure, but again with commercial, social and legal pressure on the major vendors a vast improvement could be obtained.

The tricky part is the cognitively challenged individual using the system. Education will help, such as the UK get safe online programmes, but don't expect this to have any significant impact. The problem of users being maliciously fooled online is a non-trivial one that will require a great deal of research on how we interact with technology.

The explosive growth in social networking in 2006 (e.g. Bebo and MySpace) is a fascinating example of users transferring social trust into cyber space, usually with no thought of possible threats. In particular more research is required on how to bridge the risk perception gap between virtual threats and physical threats.

In summary we need simple intuitive solutions based on a clear appreciation of the economic incentives motivating malicious behaviour and the inherent nature of human users to extend spheres of trust into the cyber domain.

References

  1. Forrest, S., Perelson, A.S., Allen, L., & Cherukuri, R., 'Self-Nonself Discrimination in a Computer'. In Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, Los Alamitos, CA: IEEE Computer Society Press (1994).
  2. Maynard Smith J., Evolution and the Theory of Games, Cambridge University Press 1982
  3. Morgenstern, O., & von Neumann J., The Theory of Games and Economic Behavior, Princeton University Press (1947).
  4. Myerson Roger B.: Game Theory: Analysis of Conflict, Harvard University Press, Cambridge, 1991, ISBN 0-674-34116-3.
  5. Nowak M.A., & May R.M. 'Evolutionary Games and Spatial Chaos'. Nature, 359(6398), 29 October, pp. 826-829, 1992.
  6. Yu B., & Singh M.P., 'Detecting Deception in Reputation Management', Proceedings of Second International Joint Conference on Autonomous Agents and Multi-Agent Systems, 2003.

About the author

Robert Ghanea-Hercock is a chief research engineer at BT Laboratories and a chartered member of BCS. He is chair of the DTI Cyber Security KTN Steering Committee.