The cyber security crisis has dual root causes: insecure technology, and wishful thinking.
We have become fiscally committed to technologies that inherently lack protections: society is so completely dependent on them that they cannot be supplanted by secure alternatives for any rational amount of money.
At the same time, deep technical understanding of the first-principles basis for the inherent vulnerability of the Internet and Wintel-style architectures is so limited, even among professionals, that businesses and government leaders often can do little more than resort to posturing and half measures, praying that the hand of adversaries will pass over them by luck.
Obviously this cannot continue indefinitely. A bow wave is forming, and eventually it will be in the interest of some group to exploit the security vulnerabilities which offer access to assets and disruption (and which they understand as well as any experts) in a major catastrophic event.
What to do? Oddly, a relatively straightforward combination of low-cost technology, well-considered policy, and economic incentives could turn the tide in this contest quickly and effectively.
The availability of two technical components, one hardware and one software, provides a starting point. The TPM specification of the Trusted Computing Group provides a hardware mechanism which securely and cost-effectively stops much malicious cyber behavior in its tracks. Taken in conjunction with software solutions (such as BlackRidge Transport Access Control) which permit only valid ordinary Internet (i.e., TCP/IP) transactions to reach servers and other endpoints, it is now possible to offer anyone an efficient, low-cost, secure Internet presence that is immune to attack by malicious adversaries.
These technologies are now being brought to market, but their adoption could be greatly accelerated by explicit policy support from agencies and government arms with responsibility for protecting infrastructure, financial transactions, and privacy. Such support could be garnered once the bodies in question fully grasped the nature of the solution that is at hand, and the ease with which its use could be promoted.
Adoption could also be accelerated by passage of tax and other incentives for businesses and organizations that commit themselves to implementing these technologies; natural economic forces would then provide impetus to effective protection, fostering its implementation. Security is notoriously something for which users are unwilling to pay; by making it a virtuous choice with tax benefits, cyber security can suddenly become the norm, rather than an unwanted orphan.
A great deal of sophisticated systems development must still be accomplished by companies and agencies pursuing solutions to cyber threats in order for the environment described above to be fully deployable, but how to do this is known, and companies like ours are hard at work on making it a reality.
What we now need is much more education, for users, policy makers, and developers, in the nature of the threat and in the availability of practical, attainable solutions.