Today's Essential Cyber Security Requirements
Today's cyberspace (the Internet and computing) is neither trustworthy nor dependable. To quote the 2009 U.S. Cyberspace Policy Review commissioned by President Obama: "Our reliance on the internet is becoming nearly total." ... "Threats to cyberspace pose one of the most serious economic and national security challenges of the 21st Century for the United States and our allies." ... "Ensuring that cyberspace is sufficiently resilient and trustworthy to support U.S. goals of economic growth, civil liberties and privacy protections, national security, and the continued advancement of democratic institutions requires making cybersecurity a national priority."
Consequently there were major initiatives over 2009/10 to identify the essential features required in existing and future security systems to ensure the safe and assured operation of our essential ICT. The ICT Gozo Malta projects directly address many of the current hard problems and deliver features that are considered essential today for achieving trustworthy and dependable cyber security. We begin by listing cross-cutting security requirements and then capture the requirements raised by different organisations and contexts.
Cross-cutting security requirements called for today
In this entry we compile a short-list of cross-cutting security features most called for by Government and Industry security experts. The ICT Gozo Malta projects specifically address each of these points:
- security built in from the ground up
- removing central points of failure by distributing trust and using multiple layers of defense
- protection against a wide range of insider (management, trusted staff, malware in hardware and software) and external attacks
- rewarding collaboration between competitors (organisations or divisions can guarantee their own security and satisfy legislation, while gaining superior security when collaborating with others, including their competitors)
- exploiting existing infrastructure and standards investments
- careful attention to maintaining interoperability and security standards compliance
- enhancing existing standards-based security systems and removing the known threats to them
DHS - Security features required for trustworthy systems envisioned by U.S. Government
The United States Department of Homeland Security's November 2009 cyber security research roadmap outlines the eight hardest and most critical security problems that must be addressed if the trustworthy systems envisioned by the U.S. Government are to be built. In addition to the first eight (1-8), it names three further important security properties (9-11). These properties need to be retrofitted where possible to existing security systems and present in all future systems. Projects in the ICT Gozo Malta forum directly contribute to the properties marked with an asterisk (*), for both existing and future systems.
- Global-scale identity management *
- Combating insider threats *
- Availability and survivability of time-critical systems *
- Building scalable trustworthy and secure systems *
- Situational understanding and attack attribution *
- Information provenance *
- Security with privacy *
- Enterprise-level security metrics
- System evaluation life cycle
- Combating malware and botnets *
- Privacy-aware security *
NITRD - Leap ahead cyber-security themes
"It's not about security, it's about Trustworthiness of our digital infrastructure. This means Security and Reliability, Resilience, Privacy and Usability." Dr. Jeanette Wing, Assistant Director for Computer & Information Science and Engineering (CISE), NSF (2010)
The US Federal Networking and Information Technology Research and Development Program (NITRD) co-ordinates US Federal Government networking and information technology research. NITRD has been charged with leading the national cyber security R&D initiatives and is currently promoting three cybersecurity themes: tailored trustworthy spaces, moving target, and cyber economic incentives. These themes are considered universal and should apply to most ICT projects.
- Tailored trustworthy spaces:
- According to Dr. Jeanette Wing in the NITRD 2010 Cybersecurity R&D Themes webcast, based on federal consensus the tailored trustworthy spaces theme is considered the most important of the three NITRD themes.
- "Tailored Trustworthy Spaces is a New Paradigm. Users can select different environments for different activities (online banking, commerce, healthcare, personal communications) providing operating capabilities across many dimensions, including confidentiality, anonymity, data and system integrity, provenance, availability and performance."
- Moving target theme:
- According to Dr. Jeanette Wing in the NITRD 2010 webcast, the moving target theme is about providing resilience through agility.
- Dr Patricia Muoio, Science and Technology Lead for Cyber at the Office of the Director of National Intelligence, defines agility as the ability to control change across multiple system dimensions in order to:
- increase uncertainty and apparent complexity for attackers,
- reduce their windows of opportunity,
- increase their costs in time and effort, and
- increase resiliency and fault tolerance within a system.
- Cyber economic incentives theme:
- According to Dr. Jeanette Wing in the NITRD 2010 webcast, the cyber economics theme is about providing incentives for good security.
- Dr Douglas Maughan, Program Manager, Cyber Security R&D, Science & Technology Directorate, Department of Homeland Security (DHS S&T), goes on to say that the consensus agreement today is "Crime pays on the internet". He asks whether, in the future, we can create an environment where being a good guy pays and being a bad guy doesn't.
- The ICT Gozo Malta approach to cyber economic incentives is to adopt user-centric design, equal accountability for all parties, and protection of the legitimate interests of all stakeholders as proactive design strategies that begin to address the incentives problem.
NITRD - Leap-ahead recommendations
We list below several suggestions and desirable features from the working groups of the NITRD National Cyber Leap Year 2009 Summit that are adopted in one or more of the ICT Gozo Malta projects. The working groups proposed security features and design techniques under five cyber security themes.
- Hardware enabled trust
- Trustworthy hardware that will not leak information
- Hardware-enabled resilience
- Application behavioral analysis
- Trustworthy storage and data
- Cyber economics
- Infrastructure diversity
- Moving target defense
- Diversity in software
- Resilient cryptographic systems
- Configuration-space randomization for infrastructure
- Digital provenance
- Global identifier based cryptography
- Global electronic identity management system
- Systems that are post-quantum secure
- Network behavioral analysis and over-the-horizon network visibility
- Digital Immune System (Nature-inspired cyber health):
- Create a digital immune system for ICT systems that employs:
- distributed processing
- decentralised control
- distributed defense
- multi-layered protection
- pathogenic pattern recognition
- diversity
- signalling
- Employ early and dependable detection and recognition of information attacks, rational utilization of the network resources for minimization of the damage and fast recovery, and development of successful ways to prevent further attacks.
ENISA - Critical security requirements for public cloud computing
Major security studies in 2009/10 (such as those by the European Network and Information Security Agency (ENISA), the US National Institute of Standards and Technology (NIST) and the Cloud Security Alliance (CSA)) have identified a short-list of top threats and open problems. The common themes found in these studies are:
- A cloud user's or user organization's loss of governance:
- Ceding security controls of data to cloud provider
- Insufficient assurances of data security controls
- Data leakage or destruction:
- Malicious insider attacks by cloud provider
- Malicious insider attacks by managed security providers
- Inherent vulnerabilities and malicious back-doors present in the cloud's software & hardware platforms
- Malicious client (co-tenant) attacks that exploit isolation failure between virtual machines sharing the same cloud host
- Client does not know what the risk profile of the cloud provider is, and so cannot mitigate those risks
- Account or service hijacking
Projects in the ICT Gozo Malta forum directly address these security requirements.
DHS - Essential security requirements for global-scale identity management
In this section we outline many of the requirements for global-scale identity management systems identified by the US Department of Homeland Security. The ICT Gozo Malta global-scale IdM-CKM model is designed (or is being designed) to address these issues.
- Must be capable of trustworthy binding of identities [humans, organisations] and credentials
- Must operate in multi-stakeholder, multi-jurisdiction environments.
- Must be capable of managing diverse interorganizational relationships that today are hampered by the lack of trustworthy credentials for accessing shared resources.
- Will need to incorporate policies governing release of identifying information (user-centricity, data self-determination).
- Support the control and management of credentials used to authenticate one entity to another, and authorization of an entity to adopt a specific role and assert properties, characteristics, or attributes of entities performing in a role.
- Must provide efficient management of identities of objects, processes, and transactions on a very large scale.
- Must provide mechanisms for two-way assertions and authentication handshakes building mutual trust among mutually suspicious parties.
- The lifetimes of credentials may exceed human lifetimes in some cases, which implies that prevention of and recovery from losses are particularly difficult problems that must be managed.
- Must achieve longevity of security either without the use of public-key cryptography or with quantum-resistant public-key cryptography (such as hash-based Merkle tree digital signatures).
- Insider and outsider misuses are commonplace in identity management systems. These must be addressed.
- To whatever extent it can be automated, it must be administratively manageable and psychologically acceptable to users.
- Must be embedded in trustworthy systems and be integrally related to authentication mechanisms and authorization systems, such as access controls.
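The hash-based Merkle tree signature named in the quantum-resistance requirement above, as an added worked example (illustrative code written for this page, not the ICT Gozo Malta IdM-CKM model's own implementation). A Lamport one-time signature built from SHA-256 signs each message; 2^h such one-time public keys are committed to by a Merkle tree, so a single 32-byte root serves as the long-lived public key while each leaf is used at most once. The tree height, the choice of SHA-256, the leaf encoding and the stateful index counter are assumptions of this example.

```python
import hashlib
import os

H = hashlib.sha256
N = 32  # byte length of every secret, hash and digest in this example


def lamport_keygen(rng=os.urandom):
    """One-time key: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(rng(N), rng(N)) for _ in range(256)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def lamport_sign(sk, digest):
    """Reveal, for each bit of the 256-bit digest, the secret of the matching half."""
    bits = int.from_bytes(digest, "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, digest, sig):
    bits = int.from_bytes(digest, "big")
    return all(H(sig[i]).digest() == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


def leaf_hash(pk):
    """Leaf = hash of the serialised one-time public key (encoding is an assumption)."""
    return H(b"".join(a + b for a, b in pk)).digest()


class MerkleSigner:
    """Stateful signer: holds 2^height one-time keys and never reuses a leaf."""

    def __init__(self, height, rng=os.urandom):
        self.height = height
        self.keys = [lamport_keygen(rng) for _ in range(2 ** height)]
        self.levels = [[leaf_hash(pk) for _, pk in self.keys]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i] + lvl[i + 1]).digest() for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]   # the long-lived public key
        self.next_index = 0              # state that must survive restarts and never roll back

    def sign(self, message):
        if self.next_index >= 2 ** self.height:
            raise RuntimeError("all one-time keys used; reuse would leak the private key")
        idx = self.next_index
        self.next_index += 1
        sk, pk = self.keys[idx]
        ots_sig = lamport_sign(sk, H(message).digest())
        auth_path, i = [], idx
        for lvl in self.levels[:-1]:   # sibling at every level from leaf to just below the root
            auth_path.append(lvl[i ^ 1])
            i >>= 1
        return (idx, ots_sig, pk, auth_path)


def merkle_verify(root, message, signature):
    """Check the one-time signature, then that its public key is committed to by root."""
    idx, ots_sig, pk, auth_path = signature
    if not lamport_verify(pk, H(message).digest(), ots_sig):
        return False
    node, i = leaf_hash(pk), idx
    for sibling in auth_path:
        node = H(sibling + node).digest() if i & 1 else H(node + sibling).digest()
        i >>= 1
    return node == root


if __name__ == "__main__":
    signer = MerkleSigner(height=3)          # 8 signatures available
    sig = signer.sign(b"bind identity to credential")
    print("valid:", merkle_verify(signer.root, b"bind identity to credential", sig))
    print("tampered:", merkle_verify(signer.root, b"bind identity to credentials", sig))
```

The security of the scheme rests entirely on the one-way property of the hash, which is why it survives quantum attacks that break RSA and ECC, but it is stateful: signing twice from the same leaf reveals both halves of some Lamport pairs and allows forgery. The counter above is the minimal defence; the standardised hash-based schemes XMSS (RFC 8391) and LMS (RFC 8554) exist largely to make that state management robust, and a deployment that cannot keep signer state reliably should choose a stateless design instead.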
NIST - Essential requirements for global-scale key management
"Key management is critical for all sensitive information processing applications. Economic prosperity is a major goal and needs information security." ... "Nearly all Internet security protocols use cryptography for authentication, integrity and/or confidentiality, and hence, require key management (KM)." - Curtis Barker, Division Chief - Computer Security Division, NIST.
“There are several problems with today’s Cryptographic Key Management (CKM) solutions. They are expensive, hard to implement, difficult to maintain, perhaps insecure, and user unfriendly.” - Miles Smid, Former acting NIST Computer Security Division Chief.
Some identified essential features that are frequently not present in currently deployed key management systems include:
- Solutions that are focused on the user:
- "It is not acceptable to only have a choice between usability with little security and security with little usability. A CKM system designer has to know the prospective user and to understand that security is not the primary task of the user. A system must be efficient, effective and understandable. There is no complex system that is secure"
- Scalable Solutions:
- "We know how to handle key management reasonably effectively for up to a million people, we need to go a couple of orders of magnitude beyond that in the relatively near future”
- “Identity based symmetric keys may reduce the scale of symmetric key distribution problem”
- Solutions that offer vastly improved security:
- “We’re not going to accept high risks in the future Internet, because we don’t want the adversaries to have high payoffs.”
- “In light of quantum computing, CKM system designers must look at means other than public key-based key management systems; they must look at quantum computing-resistant algorithms and schemes.”
- “… must be secure, cost-effective, fault-tolerant, and highly available”
- Designs that are fault-tolerant and highly available:
- “Survivable key management systems”
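The "identity based symmetric keys" idea quoted under Scalable Solutions above, as an added example (written for this page; it is neither NIST's nor the ICT Gozo Malta project's code). A key server holds one master secret and derives each principal's key, and each pair's shared key, from identity strings with HKDF-SHA256 (RFC 5869), so the server's key store stays the same size whether it serves a thousand or a billion identities. The label strings, the key-version field used for rotation, the ticket layout and the XOR-based key wrap are assumptions of this example.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf(ikm, info, salt=b"", length=32):
    """HKDF extract-then-expand (RFC 5869) over SHA-256, standard library only."""
    prk = hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyServer:
    """Holds only a master secret; every per-identity and pairwise key is recomputed on demand."""

    def __init__(self, master_secret, version=1):
        self.master = master_secret
        self.version = version  # bumping this rotates every derived key at once (assumption)

    def _label(self, purpose, *identities):
        # Domain separation: purpose and version are bound into every derivation.
        return b"|".join([purpose.encode(), str(self.version).encode(), *(i.encode() for i in identities)])

    def identity_key(self, identity):
        return hkdf(self.master, self._label("identity-key", identity))

    def pairwise_key(self, a, b):
        first, second = sorted((a, b))  # canonical order so K(a,b) == K(b,a)
        return hkdf(self.master, self._label("pairwise-key", first, second))

    def issue_ticket(self, requester, peer):
        """Return (body, tag): the pairwise key for (requester, peer), wrapped for requester.
        The wrap XORs the key with an HKDF keystream under a fresh nonce and the requester's
        identity key, then authenticates the whole body with HMAC (toy wrap, an assumption)."""
        nonce = os.urandom(16)
        k_id = self.identity_key(requester)
        mask = hkdf(k_id, b"wrap|" + nonce)
        wrapped = bytes(x ^ y for x, y in zip(self.pairwise_key(requester, peer), mask))
        body = nonce + wrapped + peer.encode()
        return body, hmac.new(k_id, body, HASH).digest()


def open_ticket(identity_key, body, tag):
    """Client side: verify the MAC first, then unwrap. Returns (peer, pairwise_key)."""
    if not hmac.compare_digest(hmac.new(identity_key, body, HASH).digest(), tag):
        raise ValueError("ticket rejected: bad MAC")
    nonce, wrapped, peer = body[:16], body[16:48], body[48:].decode()
    mask = hkdf(identity_key, b"wrap|" + nonce)
    return peer, bytes(x ^ y for x, y in zip(wrapped, mask))


if __name__ == "__main__":
    server = KeyServer(os.urandom(32))
    # Each client is provisioned once with its own identity key (out of band, an assumption).
    alice_key, bob_key = server.identity_key("alice"), server.identity_key("bob")
    peer_a, k_a = open_ticket(alice_key, *server.issue_ticket("alice", "bob"))
    peer_b, k_b = open_ticket(bob_key, *server.issue_ticket("bob", "alice"))
    print("both sides share the pairwise key:", k_a == k_b, peer_a, peer_b)
```

The scaling gain is that distributing a new identity costs one derivation rather than one more stored key, and every pairwise key exists only transiently. The price is the one the page's cross-cutting list warns about: the master secret is a central point of failure that can impersonate anyone, so a real deployment would keep it in hardware, split it with a threshold scheme, or both, and would rotate the version field on suspected compromise.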