Bees do it. And if the cyber-strategists working at such high-level organizations as the National Security Agency and the Los Alamos National Laboratory are right, ‘smart swarming’ may be an effective way to solve even the toughest security problems.
The idea is to get lots of people focused on a security issue, or even a programming problem, and then have them chisel away at the code and examine how its pieces interact and work within the software as a whole. Instead of looking at programming as just lines of code, these swarms of people examine how each piece interrelates and works within a network.
“The key to robust security is network thinking,” said W. David Stephenson, principal at Stephenson Strategies, a company that works closely with the Department of Homeland Security to develop defenses against terrorist attacks on computer networks. He is also an expert in the emerging science of social networks. This means he spends a lot of time looking at the behavior patterns in ant hills and beehives and applying them to networks and network design.
Stephenson was part of a contingent of security-minded thinkers who came to Boston University recently to discuss new approaches to security and privacy as part of an inaugural symposium hosted by the school’s Center for Reliable Information Systems and Cyber Security (RISCS). Most promoted a mix of left-brain and right-brain thinking to tackle seemingly difficult problems with a fresh approach.
Attending the one-day event was the cream of the security intelligentsia, including Ron Rivest, one of the founders of RSA Security and now a professor at MIT; and Radia Perlman, a member of the engineering elite at Sun Microsystems and known for developing the technology behind routers.
One such approach is to look at security breaches, or even a terrorist cyber-attack, as a control problem rather than an accident or major crime, explained Nancy Leveson, a professor of aeronautics and astronautics at MIT and a pioneer in the field of “software safety.” In most cases, she said, people are looking for someone to blame and, as a result, can miss the small issues and control problems that led to the incident.
“You should not look at failure, but how well software controls and does its job,” she noted. “What happens is you start to see the larger picture when you don’t find someone to blame.”
Sometimes the design of a network or security system is ultimately responsible for its failure, said Sun’s Perlman. Network security is bound to fail, for example, if users are required to remember too many passwords and ID structures. As a result, they scribble a password down on a piece of paper, which can easily be found by an intruder.
One answer is to develop a third-party solution that automatically maintains passwords and identities for each user, and “creates, advertises, protects and then deletes these cryptographic keys,” she said. This “ephemerizer,” as she called it, would automatically unlock and decrypt messages and applications. It would also shuffle and change encryption keys to keep one step ahead of the bad guys, she noted.
The NSA and other government agencies hope to recruit more schools as Centers of Academic Excellence, especially as the government moves toward using more public standards and commercial products as opposed to custom software solutions, said Richard George, technical director of the information assurance directorate at the NSA. In layman’s terms, he’s the NSA’s head crypto honcho.
The NSA also hires a fair number of graduates from these schools, one of whom went on to revamp the security of the White House computer network not long after leaving school.
“The issues and research problems associated with security and reliability are most important and fundamental today,” said Steve Palmer, co-director of the RISCS.
“The center will bring together researchers and government agencies to focus on these problems.”