Cover: the Digital Big Bang, by Phil Quade

the DIGITAL BIG BANG

THE HARD STUFF, THE SOFT STUFF, AND THE FUTURE OF CYBERSECURITY

Phil Quade, CISO, Fortinet

Wiley Logo

To my family, Yvonne, Bennett, Kristen,

and Jackson Quade, who are

“the fundamental elements” of my life.

—Phil Quade, CISO, Fortinet

ABOUT THE AUTHOR

Phil Quade is the CISO of Fortinet. Quade brings more than three decades of cyber intelligence, defense, and attack experience, working across foreign, government, and commercial industry sectors at the National Security Agency (NSA), and partner organizations such as US Cyber Command, the CIA, and others.

Quade has responsibility for Fortinet's information and product security, leads strategy and expansion of Fortinet's Federal and Critical Infrastructure business, and serves as a strategic consultant to Fortinet's C-Level enterprise customers. Prior to Fortinet, Quade was the NSA Director's Special Assistant for Cyber and Chief of the NSA Cyber Task Force, with responsibility for the White House relationship in cybersecurity. Previously, Quade also served as the chief operating officer of the Information Assurance Directorate at the NSA, managing day-to-day activities associated with the protection of classified information systems. He held a variety of roles earlier in his tenure at the NSA, including head of the Information Operations Technology Center's Advanced Technology Group, professional staffer to the US Senate, detailee in the Office of the Director for National Intelligence, cryptanalyst, and computer scientist.

CONTRIBUTORS

  • Thad Allen
  • Ed Amoroso
  • Colin Anderson
  • Dan Boneh
  • Scott Charney
  • Michael Chertoff
  • Roland Cloutier
  • Tim Crothers
  • Michael Daniel
  • Erik Devine
  • George Do
  • Taher Elgamal
  • Jay Gonzales
  • Daniel Hooper
  • Chris Inglis
  • Michael Johnson
  • Mo Katibeh
  • Kevin Kealy
  • Peter Keenan
  • Simon Lambe
  • Shannon Lietz
  • Mike McConnell
  • Chris McDaniels
  • Kevin Miller
  • Theresa Payton
  • Dave Rankin
  • Chris Richter
  • Hussein Syed
  • Brian Talbert
  • Renee Tarun
  • Ken Xie
  • Michael Xie

ACKNOWLEDGMENTS

Although I am the named author of this volume, this book is the result of a much broader team effort. This book would not be possible without the contributions by leaders and experts in the field. All of the contributors are big thinkers and good cybercitizens—colleagues who give their time and energy to advancing the science of cybersecurity and who make our digital universe a better place.

I would first like to thank Ken Xie and the entire Fortinet team for supporting me in creating this book and providing me with the opportunity to explore and write about these topics.

And I especially want to thank Sandra Wheatley-Smerdon, my work colleague, who was instrumental in launching this exploration of the “big history” of cybersecurity.

INTRODUCTION

Diagrammatic representation of a star with a loop inside, which symbolizes speed and security.

Humankind experiences some of its greatest disappointments and disasters when we fail to acknowledge the fundamentals of physics and chemistry. As we solve problems and improve technology, we must work with, not against, the foundation of the laws of mass, force, energy, and chemical reactions—laws that began with the cosmic big bang.

Like the physical world, cybersecurity has its own set of fundamentals: speed and connectivity. When organizations ignore these fundamentals, distracted by sophisticated marketing or new products, we suffer the consequences. We end up with solutions that solve only part of the problem or that simply stop working (or stop us from working when put to the test of real-world conditions).

That's partly because, to date, cybersecurity has been treated as a cost of doing business, as opposed to a foundational set of primitives and rules that are leveraged to achieve greater things. To build a cybersecurity foundation that will work now and continue to work in a world exponentially faster and more connected, we must start treating cybersecurity more like a science. We must understand its fundamental elements and how they interact.

The early Internet, constructed decades ago to serve a small, tight-knit and primarily academic community, was built upon principles of game-changing speed and a deep understanding of the importance of connectivity. Security and privacy were not needed for that first small group of trusted users and thus were not part of the original design requirements. Although security and privacy have demonstrated their importance in today's blisteringly fast, global network, they have not kept up as the Internet has matured.

While we are exponentially more connected than at any other time in history, with nearly instantaneously accessible information at our fingertips, the cyberadversaries—not the defenders—are the ones who have mastered speed and connectivity to their advantage. Speed and connectivity serve us well as communication building blocks, but too often have failed us in cybersecurity, because we have failed to establish the foundation of cybersecurity upon those fundamental elements.

In a hypercompetitive business landscape, not only do cybersecurity fundamentals protect you and make you a much less attractive target to bad actors, but they also cast a halo of protection across all the individuals and organizations to which you are connected.

When we build our cybersecurity based on a complete understanding of fundamental elements and how they can work together, we can inspire and encourage scientific revolutions and evolutions in cybersecurity that will make us much better off.

We are on the verge of a new understanding of a basic element of human society. Just as the world has understood that economic security has been highly dependent on a stable flow of fossil fuels and that national security is dependent on safeguards for nuclear weapons, today we understand that, in our hyperconnected world, there is no global security without understanding and mastering the science of cybersecurity.

But the real historical analogy of cybersecurity, the story of the digital big bang, starts much earlier. Let's rewind nearly 14 billion years to the Big Bang, the beginning of the universe as we understand it today.

THE COSMIC BIG BANG: THE BIRTH OF THE PHYSICAL UNIVERSE AND THE HUMAN SOCIETY THAT EMERGED

At the beginning of time as we know it, around 14 billion years ago, energy and matter were born in a moment of unfathomable brilliance. Those core building blocks combined into atoms, followed by even more complex assemblies (molecules) just a few hundred thousand years later.

Billions of years later, after countless stars were born and died out, our solar system was formed from the remnants of furnaces of those long-dead stars. Physicists and chemists study the big bang's fundamental elements and their interactions in part to explain what things are made of and how they behave.

Some of those complex configurations coalesced into what we call life. We study life and how it evolved from its most primitive state to discover where we come from and to help us thrive within our given universe, not fighting mother nature.

The human life that eventually emerged from among this plethora of creatures eventually formed complex rules and societies that evolved in a broad set of stages or ages. Yuval Noah Harari in Sapiens cited them as follows:

  • The Cognitive Revolution (c. 70,000 BCE, when Homo sapiens evolved imagination)
  • The Agricultural Revolution (c. 10,000 BCE, the development of agriculture)
  • The unification of humankind (the gradual consolidation of human political organizations toward one global empire)
  • The Scientific Revolution (c. 1500 CE, the emergence of objective science)

In each of these ages, humans made relatively large leaps forward in understanding their environment and, at times, directly shaping it.

THE DIGITAL BIG BANG: THE BIRTH OF THE DIGITAL UNIVERSE

If we take on the mindset of a cybersecurity historian, we can look at the big picture in the same way and attempt to understand what is driving it forward. Consider these observations:

  • While it took billions of years for the physical world we know to create and sustain human life, it took just 50 years from the beginnings of the Internet as ARPAnet in 1969 for the explosive forces of digital speed and connectivity to transform human society.
  • Ninety percent of all the data in the world ever created was generated in the last two years. Bang!
  • The Internet itself—a vast and hyperconnected data transmission system—now creates 2.5 quintillion bits of data per day. I don't even have a fathomable analogy to characterize how much that is—but it's 18 zeros.

Digital technology has come to enmesh and propel nearly every aspect of modern life, from the operational infrastructure that keeps our cities and towns powered and functioning, to the now almost entirely digitally driven systems of global finance, security, and energy production. The rapid transference of digital information is how we connect, communicate, and—in many ways—sustain human life, order, and a tentative semblance of peace on Earth.

Our opportunity is to describe how the digital big bang progressed over time, understand its significance, and do something smart and productive about it.

THE SCIENTIFIC REVOLUTION

After the cosmic big bang, billions of years passed before humans came along and eventually started trying to make sense of the whole thing.

In human history, the most recent and most significant age is the Scientific Revolution, not so much because of what it achieved, but because of what it left behind. It was in the Scientific Revolution that we finally admitted that we didn't know everything. The admission of ignorance advanced the pursuit of knowledge and reason. It allowed us to define the modern laws of physics and chemistry; to explain, in a data-driven way, how nature's fundamental elements interact; and to discover the perils of ignoring those laws. It incentivized us to fill in gaps in our data collection that we didn't feel obliged to before.

For example, the maps of the world from 750 years ago had elaborate drawings of mid-ocean whirlpools and sea monsters—here be dragons—mid-continent mountain ranges, and other physical phenomena. Faulty thinking, and the desire to warn of the dangers of sea exploration, led mapmakers to fill in what they did not know.

In contrast, the maps of the Scientific Age were drawn with large blank areas, showing where we had no data. It was not until we admitted that we in fact had very little idea what was beyond the horizon, or mid-ocean or continent, that we began exploring those areas and filling in the missing pieces that led to a much better understanding of our world.

The pull of curiosity about basic principles reduced the fear of the unknown and prompted the physical world's golden age of scientific education.

Now we must make the same leap in cybersecurity. We need to stop quaking at the cyber threats—real and imagined—and get down to the business of defining how to navigate and master those threats.

THE BANG BEGINS

A masterpiece of international collaboration, the Internet has its roots in the desire to share computing and information resources and the US Department of Defense's goal of establishing connectivity via computers in the event of a nuclear attack that destroyed telephone systems.

On October 29, 1969, the first message was sent over what would eventually become the Internet. Meant to be the word “login,” the letters “L” and “O” were sent from researchers at UCLA to a team at Stanford. Then the system crashed. (We'll pause while you chuckle about that first crash.)

When it was constructed and deployed, the Internet served as a communication platform for a tightly restricted group of specific users.

With the advent of packet switching—the division of information into smaller blocks to be transmitted and then reassembled, pioneered as a Cold War strategy—that communication became a viable, though intensely limited, reality.

WHAT WE GOT RIGHT

Internet pioneers got speed and connectivity right—the digital big bang's equivalent of matter and energy. Their goal was a secure, distributed widespread computer communication system, and they achieved that goal.

WHAT WE GOT WRONG

Because the digital transmission of information was so restricted in both users and data, the use of ARPAnet was governed by a shared sense of trust that was informed and enforced by security clearances, professional accountability, and total lack of anonymity.

AN UNWARRANTED ASSUMPTION OF TRUST

With this assumption of trust, things went off-kilter. That assumption thwarted the parallel development of security, particularly trustworthy authentication, that could have supported the speed and connectivity that would make the Internet transformational.

With the passage in 1992 of the Scientific and Advanced-Technology Act, research and academic institutions started using this early Internet. Security shortfalls were generally understood, but the circle of institutions that had access remained small and tight-knit. It wasn't until 1993, and the release of the first web browser, that Internet access became mainstream. At that point, both the Internet and its security, or lack of security, achieved greater significance.

The assumption of trust that was still deep within the DNA of the Internet became a huge problem the moment the public could go online. On an increasingly vast and anonymous network, that trust soon transformed from guiding philosophy to greatest weakness. As more people arrived, the Internet quickly became a newly discovered continent of naïve users, systems, and networks to be exploited and hacked for digital fraud, grift, or simply to prove it could be done.

Since those first hacks, the field of cybersecurity has struggled to catch up and compensate. Mitigating the weakness—the wrongful assumption of trust and the lack of strong authentication—while still balancing the essential benefits and fundamentals of speed and connectivity, remains an enduring challenge of cybersecurity today.

AN HONEST ASSESSMENT OF THE CURRENT STATE

For all the stunning power of its speed and the vastness of its data, the Internet is shockingly fragile and fallible. We're propping it up, sometimes with ridiculously complex schemas and other times with little more than digital Popsicle sticks and Elmer's glue and, for high-end applications, duct tape.

The Internet is fast, anonymous, powerful, and profitable—all factors that have accelerated its use and deployment—while at the same time prone to malicious exploitation, with terrible potential for criminality and sabotage. The continuing series of breaches of organizations of all levels of sophistication shows what a huge problem we have.

WHAT CYBERCRIMES EXPLOIT

Perhaps what is most amazing (or at least ironic) about cybercrime is how this masterpiece of technological collaboration and human connection is so often exploited to gratify human impulses. Distributed denial-of-service (DDoS) attacks, phishing emails, and ever-evolving scams manipulate recipients for the purpose of mass theft and extortion. From data corruption to identity theft, malware to man-in-the-middle attacks, the crimes that cybersecurity must mitigate and prevent run a gamut that only seems to get broader. Attacks are not only launched by criminals but also by rogue nation-states. Over time, these attacks become more destructive and less difficult to perpetrate.

The widening breadth of cybercrime is a direct reflection of our expanding global attack surface—and the increasing commodification of threat. The digital criminal barrier for entry that individuals and organizations alike must defend against is lower than ever. Today, it can be as easy to purchase a cyberattack as it is to buy a cup of coffee, and often even cheaper. We must defend ourselves from near constant silent digital attacks on the fabric of our societies, all roiling beneath the surface of an increasingly interconnected world.

Today, there is little difference between cybersecurity and national, even global, security. As we have seen time and again in reported malicious cyber activity—often in chilling reports of narrowly averted attacks—we can be reached at the most foundational levels by nearly anyone, from anywhere.

WHAT WE CAN GET RIGHT NOW

With so much at stake, it's time to borrow a page from the Scientific Revolution:

Scientific Revolution                                                          | Cybersecurity Scientific Revolution
-------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------
Admit our ignorance (redraw the earth's maps).                                 | Acknowledge what we got wrong (authentication).
Use steadily increased strategies for becoming masters of our physical domain  | Implement steadily stronger strategies to become masters of the cyber domain.
(sail oceans, fly planes, explore space).                                      |
Replace fear with curiosity.                                                   | Replace outmoded assumptions and strategies with rigorous fundamental strategies that build up to advanced strategies.

We need to stop expecting our network operators to continuously run ahead of ever more sophisticated attacks. You can't outrun the speed of light.

We can achieve better cybersecurity by thinking like physicists and chemists, by postulating and outlining the theorems and proofs necessary to master the cyberspace domain. As critical as these fundamentals are, though, they can easily be overlooked or forgotten by a digital culture that looks myopically to the near future, placing short-term gains ahead of long-term stability and sustainability. Cybersecurity is a marathon—not a sprint.

As our connectivity expands and deepens, the strength and intractability of these fundamentals only becomes more apparent. And more necessary.

With the exponential increase of digital connectivity, cyber-physical interfaces (in the Internet of Things), and machine learning and artificial intelligence, it is more important than ever to treat cybersecurity as a science and a business enabler, as opposed to simply a cost of doing business.

We must reveal the connection between fundamental scientific principles and cybersecurity best practices. What are the foundational primitives and rules that would have been beneficial to have at the beginning of the Internet? How would things have been different if they had been in place? How can we create a better form of cybersecurity based on the nature of fundamental forces and accurate assumptions?

Embracing cybersecurity as a science can be an incredibly powerful and effective way to underpin innovation. It will enable us to focus on effectively leveraging the Internet's forces of speed and connectivity as well as one more unchangeable force that we'll talk about later in this book: the fallibility and needs of humans.

It is a bold goal to attempt to make cybersecurity more scientific, but in our view, it is achievable with the right vision and engineering. By doing so, we can further extend the power of speed and connectivity to thrive within the digital world. Rather than suffering through the cosmic big bang's equivalent of the melting of our planet by the death of our sun billions of years from now, let's understand, define, and work within the laws of the science of cybersecurity.

THE DIGITAL NUCLEUS

As mentioned earlier, the most fundamental forces of cybersecurity are speed and connectivity. Our solutions must be built to support and leverage these forces.

Although security has historically slowed things down, security without speed is a losing proposition. Similarly, security is only as strong as the weakest link in the chain, so security must enable connectivity—specifically, an integration of your defenses to leverage your strengths. This is a far better core strategy than the common alternative: expecting your weakest point to be better than the adversary's strongest methods. To achieve not only optimal but even basically functional cybersecurity, we must have speed, connectivity, and integrated cybersecurity.

In the pages that follow, we will explore the scientific forces of speed and connectivity that must shape our approach (see Figure 1). We must show how to harness and amplify these forces with cybersecurity that offers greater degrees of precision to counter the increasing sophistication of threat actors and cybercriminals.

Diagrammatic representation of digital big bang, with higher-order dimensions, advanced strategies, fundamental strategies, elemental shortfalls.

Figure 1 Speed and connectivity form the nucleus of the digital big bang.

We will explore how we can create a more scientific approach to cybersecurity, based on accurate assumptions. We will probe the essence of the modern problems we face and see how lessons from the world of science extend to cyberspace, leading us to certain inevitable mind-expanding conclusions about the very nature and order of how cybersecurity must evolve.

This book is divided into parts. Part I explores the digital nucleus of speed and connectivity.

Part II details the elementary shortfalls in the areas of authentication, patching, and training, and Part III discusses fundamental strategies of access control, cryptography, and segmentation.

Part IV covers advanced strategies, including visibility, inspection, and failure recovery, and Part V lays out higher-order dimensions we must account for, including complexity management, privacy, and human frailty.

In keeping with the spirit of the Internet's invention, this book is a collaborative effort. For each of the topics mentioned, we will hear from some of the leading experts in cybersecurity today, across industries and disciplines, as they come together to offer their insights.

We define success as enabling a pace of innovation in the field of security that outruns the inevitable attempts by adversaries to do their dirty deeds.

It is our hope that by focusing on the fundamental and foundational principles of the science of cybersecurity, this book will empower those who fight the battles to achieve more effective, efficient, and consistent victories for many years to come.

SECTION 1
BINDING STRATEGIES: THE CORE OF CYBERSECURITY

Diagrammatic representation of a rocket and a connector, which symbolizes the core of cybersecurity, that is, speed and connectivity.

The central parallel between the cosmic big bang and the digital big bang rests in their origins. The cosmic big bang unleashed the two central forces of matter and energy, inexorably connecting them in a way that has shaped and driven our entire existence. The invention of the Internet harnessed technological innovation to weld speed and connectivity—the central forces of the digital big bang equivalent to matter and energy—as a means of communication so powerful it has the potential to change the future of the human race.

Because speed and connectivity are the two primary elements of the Internet, harnessing their strengths and managing their risks must be the primary elements of any effective security strategy.

But too often cybersecurity is at odds with speed and connectivity.

THE NEED FOR SPEED

The Internet created a game-changing means to increase the velocity of information and the speed at which business can be done—to send data faster, accelerating the rate at which we can connect and communicate with others. Remember the days of sending data on disks through the mail? From those early academic uses, that connection has grown. Now the connection includes large-scale business and personal interests, contains our most sensitive health and financial information, and falls within the private and public sectors. Or we may use that connection for sheer entertainment.

The velocity with which we can now send and receive even massive amounts of data is staggering and getting faster every day. We can search for obscure facts, with answers in seconds; communicate in real time with people all over the world; and buy products with one easy click. Regardless of their use and application, today's systems of digital data transmission were designed to be faster than any other means at the time, and they have consistently exceeded that goal.

But to date, that speed has been a problem for defenders. Defensive systems often leech CPU cycles, forcing communication to slow down. When that happens, users often will simply turn off security features, leaving the network and its data vulnerable to attackers. To succeed, our security strategies must be based on leveraging that core philosophy of doing things at Internet speed.

THE DRIVE TO CONNECT

The Internet's creation was a testament to the power of collaboration. Researchers realized that they could achieve more insightful results by comparing and combining their efforts and getting access to remote computing resources.

The resulting architecture was designed around rich and resilient connectivity. As it matured, the Internet fulfilled deep needs for speed and connectivity—organizational, financial, physical, mental, and even emotional—which catalyzed its unprecedented proliferation.

But that highly desired connectivity also opened the door to attacks. Attackers soon learned that they could use connectivity to their advantage to achieve a malicious effect without being near their actual target. Adversaries now can launch attacks from multiple places, focusing their multifaceted barrage on points of weakness. Perhaps it is the central dilemma of cybersecurity: if you can connect with everybody, you can be reached by anybody.

Defenders should take the same architectural approach: design security that leverages connectivity.

HARNESSING SPEED AND CONNECTIVITY

Just as the cosmic big bang's fundamental forces of energy and matter must be carefully managed to achieve intended results, so too must speed and connectivity in the digital universe. For example, a split atom can do one of these two things:

  • Power and heat whole cities—Generate cool air in the summer and heated air in the winter via clean electricity from nuclear power plants
  • Heat and blast whole cities—Generate fire and concussion via a nuclear weapon

Cybersecurity implementations must be efficient enough to enable both the highest possible safe speed at all times and the maximum reach and scope of connectivity.

Trying to build cybersecurity solutions that do not maintain speed and connectivity will fail, like an engineer who tries to ignore the laws of physics and chemistry. Just as the communication infrastructure of the Internet is based on a connected fabric of fast communication mechanisms, the security fabric that underpins communications also must be based on an integrated security strategy. Because speed and connectivity are the two primary elements of the Internet, harnessing their strengths and managing their risks must be the primary elements of any effective security strategy.