Defense at Hyperscale:
Technologies and Policies for a
Defensible Cyberspace
Jason Healey
Senior Research Scholar, Columbia University SIPA
@Jason_Healey
Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
Not Trying to Make This an RSA Talk…
• Forget “Hyperscale” and “Defensible”
• Substitute “Internet and connected devices”
instead of “cyberspace” if that helps
Core Ideas
Beyond Buzzwords
• No central strategy behind infosec today
– To drive our actions
– To judge between competing public goods
– To measure our overall strategic progress against
Core Ideas
• “Making _________ more defensible” is the strategy
My Organization
My Sector
Cyberspace as a whole
• Being defensible means solutions with advantage
and scale
• To find future advantage and scale, we must know
what has so succeeded in the past
Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
Bad Guys Finish First
Lt Col Roger Schell (USAF) in 1979
“Few if any contemporary computer
security controls have prevented a [red
team] from easily accessing any
information sought.”
O>D
Why is O>D?
1. Internet architecture
“The Internet is not insecure because it is
buggy, but because of specific design
decisions.” (David Clark, 2015)
2. Software weaknesses
“Today there are no real consequences for
having bad security or having low-quality
software of any kind. Even worse, the
marketplace often rewards low quality.”
(Bruce Schneier, 2003)
3. Attacker initiative
“Attacker must find but one of possibly
multiple vulnerabilities in order to
succeed; the security specialist must
develop countermeasures for all”
(Computers at Risk report, 1991)
4. Incremental and mis-aimed solutions
"We need more secure products, not
more security products.” (Phil Venables,
2004)
5. Complexity and high cost of control
Resulting complex systems: “processes
that can be described, but not really
understood ... often discovered through
trial and error” (Charles Perrow)
6. Troublesome humans:
Even the best and most secure
technological systems can be bypassed
when human users are lazy, confused or
downright tricked.
A dollar (or hour) spent on attack buys far more than a dollar spent on defense
Outline
1. Bad Guys Finish First
2. De-buzzwording This Talk
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
If the problem is O>D
the solution must be D>O (or even D>>O)
Is this even possible?
Key Questions to Tackle D>O
Results from NY Cyber Task Force
1. What is a defensible
cyberspace and why
hasn’t it been defensible
to date?
2. What past interventions
have made the biggest
difference at the largest
scale and least cost?
3. What interventions
should we make today
for the biggest
differences at the largest
scale and least cost?
What Would a Defensible Cyberspace Look Like?
Results from NY Cyber Task Force
Defensible = “Defense Advantage”
1. Agile response and decision-making
2. Instrumented and measurable
3. Multi-stakeholder and collaborative
4. Well-governed and policed
5. Few externalities
6. Resilient: Recovers readily
A dollar (or hour) spent on defense buys far more than a dollar spent on attack!
What past interventions have made
the biggest difference at the largest
scale and least cost?
http://www.economist.com/news/briefing/21618680-our-guide-actions-have-done-most-slow-global-warming-deepest-cuts
Game-Changing Solutions
Results of NY Cyber Task Force
Requires two components:
• Advantage: Dollar of defense must buy more
than a dollar of attack
• Scale: Dollar of defense should give 10x, 100x,
or even 1,000,000x the benefits – hyperscale
Least Game-Changing Solutions
• Generally impose far higher costs to the
defender than the attacker
– Technology: Compliance and other solutions
featuring checking-the-box
– Policy: Wassenaar Agreement to limit “cyber
weapons”
Game-Changing Technologies
With Scale and Advantage
1. Automated Updates
2. Cloud-Based architecture
3. Encryption
4. Secure default configurations
5. Authentication beyond passwords
6. Mass vulnerability scanning
7. Kerberos
8. Built-in NAT for home router
9. Address space layout randomization (ASLR) and kernel memory protection
10. DDoS protection
Automated updates:
Including, but not limited to
Microsoft Update. “Once Microsoft
got vested in security they were in
the best position to do something
about it”
(Jeff Moss, Jeff Schmidt)
Cloud-Based architecture:
Including related technologies like
virtualization and
containerization.
"When deployed properly, the
cloud provides several critical
security advantages over
perimeter-based models including
greater automation, self-tailoring,
and self-healing characteristics of
virtualized security."
(Ed Amoroso, Phil Venables)
Encryption:
One of the few places in all
computer science where, if
properly implemented, the
defense has all the advantages
against the attacker
(Steve Bellovin)
“Effective enough that it
dissuades most from breaking it;
there are usually other, less costly
means available to the attacker.”
(Wade Baker)
Secure default configurations:
“Some vendors have made some
progress here (particularly
Microsoft), and it makes a huge
difference. The most impactful
parts of the USG Configuration
Baseline are when vendors just
incorporate it into their standard
configuration.”
(Senior Government Official)
Kerberos: “Changed the way the
entire world did authentication”
(Phil Venables)
Authentication beyond passwords:
Not just authentication, but a slew
of multi-factor solutions such as
algorithmic and the like
(Bruce Schneier)
Mass vulnerability scanning:
“Solutions like nmap gave an easy
and fast enterprise-wide view
making fixing them far easier”
(Mike Aiello)
Built-in NAT for home router:
“Built-in NAT (simple firewall) has
been extremely effective in
stopping direct front door assaults
against systems with open ports
and unknown running services.”
(Marc Sachs)
Address space layout
randomization (ASLR) and kernel
memory protection:
“Measures like stackguard and
ASLR moving from research (ca
2000) to mainstream (ca 2008)
defeated slew of common attacks …
prioritizing security over
compatibility.”
(Jose Nazario, Dan Geer)
DDoS protection:
“If an org can afford Cloudflare, etc.,
they can withstand hundreds of
Gbps and stay online … not ‘solved,’
but defenses can substantially
mitigate impact, unlike so many
other issues.”
(Richard Bejtlich)
Additional Possibilities: Beau Woods
I Am the Cavalry and Atlantic Council
• Language choice
– With C it's really hard to prevent errors and the failure modes are catastrophic to the software
stack. By contrast something like Ruby on Rails has the penalty for failure of a nerf football
• Controls Retirement
– We keep adding one control after another in pursuit of better defense in depth. Most
organizations are up to their neck in DiD and it's suffocating them without benefit. Old
controls like AV aren't really helping but they're costing 8-10B per year.
– Radically different IT thinking obviates some of these old expensive things by fixing root
causes not apparent ones
– Related: Retire legacy infrastructure (Phil Venables)
• MAC not DAC
– Mandatory Access Control is like whitelisting on steroids. The entire OS is hostile to untrusted
code. Especially effective in Mobile, IoT, and other places
• Software Supply Chain
– Modern software platforms are 80-90 percent assembled rather than written
– DevOps is an application of supply chain theory to agile development allowing us to run faster
and stay safer
• Software Bill of Materials
– Even the best vulnerability scanners have high degree of false positives and negatives. SBOMs
are precise and accurate
Possible Next-Gen Game-Changers
Ongoing Work of the NY Cyber Task Force
• Return of Formal Methods, like DARPA’s High-Assurance Cyber Military Systems
“Not unhackable completely. There are certain obvious pathways for attackers that have all been shut
down in a way that’s mathematically proven to be unhackable for those pathways.” (Arati Prabhakar)
• Compiler-Generated Software Diversity:
“After every 100th download of a given app … re-compiles that app with a strong diversity compiler
making the next 100 downloads different from the previous 100. This prevents mass exploitation,
though at a cost: it is no longer possible to confirm whether a given binary corresponds to a given source
blob.” (Dan Geer)
• Security solutions for IoT
If you think cyberspace is insecure today, just wait for the coming Internet of Things. “The first 5 billion
devices won’t be like the next 50 billion. Modern cars are computers on wheels, and cutting edge patient
care is delivered over the Internet. If we get this right, the promise will transform society; if we get this
wrong we eliminate the resilience we seek.” (Beau Woods)
• Security score cards like BitSight to drive insurance, behavior (Phil Venables)
• Data-level protection (Greg Touhill)
Hyperscale: Critical mass of cloud deployment
How Do Techs Become Real Game-Changers
Ongoing Work of the NY Cyber Task Force
1. Take Away Entire Classes of Attacks (Arati Prabhakar)
2. Take User out of the Solution (Bruce Schneier)
3. "Those responsible make a change that helps all their users”
(Jeff Moss)
4. “Improve security by decreasing cost of control” (Phil
Venables)
5. Minimize Consequence - agility, detection, and resilience
(Art Coviello)
Operational and Policy Game-Changers
Harder to Measure
• Creation of the first CERTs in late 1980s
• Operational innovations: kill chain
• Automated threat sharing – STIX, TAXII, CyBox
• Institutionalized bug bounty programs
• Volunteer groups: Conficker, NSP-SEC, I am the Cavalry
• Industry Alliances: ICASI, Cyber Threat Alliance
• Budapest Convention on cyber crime
Operational and Policy Game-Changers
• International norms along
with indictments and
threat of sanctions
• FireEye: massive reduction
of detected Chinese
intrusions from ~70/month
to less than 5/month
• What other solution have
we ever implemented for
such success at so little
cost?
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf
Operational and Policy Game-Changers
• USG policy of “bias” to
not retain vulnerabilities,
but disclose to vendors
• USG “discloses far more
vulnerabilities than it
decides to keep secret, in
one year keeping only
about two for offensive
purposes out of about
100 the White House
reviewed”
VEP Process - 2014 to Present
Operational and Policy Game-Changers
• USG policy bias to disclose to US companies when
they’ve been pwned
• Result: Law Enforcement now #1 source for breach
notification (esp for botnet takedown), per Verizon
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Outline
1. De-buzzwording This Talk
2. Bad Guys Finish First
3. A More Defensible Cyberspace
4. Payout for Getting it Right (or Wrong)
Implications
• The only potential futures aren’t just
– O>D (continued status quo)
– D>O (defense advantage)
• Could be far worse, O>>D
– or far better, D>>O
• Atlantic Council and Zurich Insurance Group
modeled the economic impact of getting it right
(or horribly wrong)
Possible Futures…
Cumulative Annual Benefits and Costs
Economic Impact Through 2030
Best case: ~$30 trillion
Worst case: ~$90 trillion
Difference in government control less
impactful, still meaningful: $30 trillion
Best case is “Cyber Shangri-La” where D>O
Worst case is “Clockwork Orange Internet” where O>>D
If Future Possibilities are “Fat Tail Distribution”
Then Far More Potential Variability
Expected Future
Regular standard deviation
Lower chance of massive, unexpected events
Expected Future
Variance not bounded
Far higher chance for
surprise
Measuring Defensibility
• Verizon Data Breach Investigations Report
– “Detection deficit … is getting worse”
– “Attackers are getting even quicker at compromising their victims”
– Slight improvements in how quickly defenders detect compromises
• Commerce: 45 percent of US online households have stopped some
sensitive online transactions
• Index of Cyber Security
For a More Defensible Cyberspace
And a $120 Trillion Payoff
• Advantage: Dollar of defense must buy more
than a dollar of attack
• Scale: Dollar of defense should give 10x, 100x,
or even 1,000,000x the benefits – hyperscale
THANK YOU @Jason_Healey

Technologies and Policies for a Defensible Cyberspace

  • 1. Defense at Hyperscale: Technologies and Policies for a Defensible Cyberspace Jason Healey Senior Research Scholar, Columbia University SIPA @Jason_Healey
  • 2. Outline 1. De-buzzwording This Talk 2. Bad Guys Finish First 3. A More Defensible Cyberspace 4. Payout for Getting it Right (or Wrong)
  • 3. Not Trying to Make This an RSA Talk… • Forget “Hyperscale” and “Defensible” • Substitute “Internet and connected devices” instead of “cyberspace” if that helps
  • 4. Core Ideas Beyond Buzzwords • No central strategy behind infosec today – To drive our actions – To judge between competing public goods – To measure our overall strategic progress against
  • 5. Core Ideas • “Making _________ more defensible” is the strategy My Organization My Sector Cyberspace as a whole • Being defensible means solutions with advantage and scale • To find future advantage and scale, we must know what has so succeeded in the past
  • 6. Outline 1. De-buzzwording This Talk 2. Bad Guys Finish First 3. A More Defensible Cyberspace 4. Payout for Getting it Right (or Wrong)
  • 7. Bad Guys Finish First “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”
  • 8. Bad Guys Finish First “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.” O>D
  • 9. Bad Guys Finish First Lt Col Roger Schell (USAF) in 1979 “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”
  • 10. Why is O>D? A dollar (or hour) spent on attack buys far more than a dollar spent on defense
  • 16. Why is O>D? 1. Internet architecture “The Internet is not insecure because it is buggy, but because of specific design decisions.” (David Clark, 2015) 2. Software weaknesses “Today there are no real consequences for having bad security or having low-quality software of any kind. Even worse, the marketplace often rewards low quality.” (Bruce Schneier, 2003) 3. Attacker initiative “Attacker must find but one of possibly multiple vulnerabilities in order to succeed; the security specialist must develop countermeasures for all” (Computers at Risk report, 1991) 4. Incremental and mis-aimed solutions “We need more secure products, not more security products.” (Phil Venables, 2004) 5. Complexity and high cost of control Resulting complex systems: “processes that can be described, but not really understood ... often discovered through trial and error” (Charles Perrow) 6. Troublesome humans: Even the best and most secure technological systems can be bypassed when human users are lazy, confused or downright tricked. A dollar (or hour) spent on attack buys far more than a dollar spent on defense
  • 17. Outline 1. Bad Guys Finish First 2. De-buzzwording This Talk 3. A More Defensible Cyberspace 4. Payout for Getting it Right (or Wrong)
  • 18. If the problem is O>D the solution must be D>O (or even D>>O) Is this even possible?
  • 19. Key Questions to Tackle D>O Results from NY Cyber Task Force 1. What is a defensible cyberspace and why hasn’t it been defensible to date? 2. What past interventions have made the biggest difference at the largest scale and least cost? 3. What interventions should we make today for the biggest differences at the largest scale and least cost?
  • 20. What Would a Defensible Cyberspace Look Like? Results from NY Cyber Task Force Defensible = “Defense Advantage” 1. Agile response and decision-making 2. Instrumented and measurable 3. Multi-stakeholder and collaborative 4. Well-governed and policed 5. Few externalities 6. Resilient: Recovers readily A dollar (or hour) spent on defense buys far more than a dollar spent on attack!
  • 21. What past interventions have made the biggest difference at the largest scale and least cost?
  • 23. Game-Changing Solutions Results of NY Cyber Task Force Requires two components: • Advantage: Dollar of defense must buy more than a dollar of attack • Scale: Dollar of defense should give 10x, 100x, or even 1,000,000x the benefits – hyperscale
  • 24. Least Game-Changing Solutions • Generally impose far higher costs to the defender than the attacker – Technology: Compliance and other solutions featuring checking-the-box – Policy: Wassenaar Agreement to limit “cyber weapons”
  • 25. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection
  • 26. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Automated updates: Including, but not limited to Microsoft Update. “Once Microsoft got vested in security they were in the best position to do something about it” (Jeff Moss, Jeff Schmidt)
  • 27. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Cloud-Based architecture: Including related technologies like virtualization and containerization. "When deployed properly, the cloud provides several critical security advantages over perimeter-based models including greater automation, self-tailoring, and self-healing characteristics of virtualized security." (Ed Amoroso, Phil Venables)
  • 28. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Encryption: One of the few places in all computer science where, if properly implemented, the defense has all the advantages against the attacker (Steve Bellovin) “Effective enough that it dissuades most from breaking it; there are usually other, less costly means available to the attacker.” (Wade Baker)
  • 29. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Secure default configurations: “Some vendors have made some progress here (particularly Microsoft), and it makes a huge difference. The most impactful parts of the USG Configuration Baseline are when vendors just incorporate it into their standard configuration.” (Senior Government Official)
  • 30. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Kerberos: “Changed the way the entire world did authentication” (Phil Venables) Authentication beyond passwords: Not just authentication, but a slew of multi-factor solutions such as algorithmic and the like (Bruce Schneier)
  • 31. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Mass vulnerability scanning: “Solutions like nmap gave an easy and fast enterprise-wide view making fixing them far easier” (Mike Aiello)
  • 32. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Built-in NAT for home router: “Built-in NAT (simple firewall) has been extremely effective in stopping direct front door assaults against systems with open ports and unknown running services.” (Marc Sachs)
  • 33. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection Address space layout randomization (ASLR) and kernel memory protection: “Measures like stackguard and ASLR moving from research (ca 2000) to mainstream (ca 2008) defeated slew of common attacks … prioritizing security over compatibility.” (Jose Nazario, Dan Geer)
  • 34. Game-Changing Technologies With Scale and Advantage 1. Automated Updates 2. Cloud-Based architecture 3. Encryption 4. Secure default configurations 5. Authentication beyond passwords 6. Mass vulnerability scanning 7. Kerberos 8. Built-in NAT for home router 9. Address space layout randomization (ASLR) and kernel memory protection 10. DDoS protection DDoS protection: “If an org can afford Cloudflare, etc., they can withstand hundreds of Gbps and stay online … not ‘solved,’ but defenses can substantially mitigate impact, unlike so many other issues.” (Richard Bejtlich)
  • 35. Additional Possibilities: Beau Woods I Am the Cavalry and Atlantic Council • Language choice – With C it's really hard to prevent errors and the failure modes are catastrophic to the software stack. By contrast something like Ruby on Rails has the penalty for failure of a nerf football • Controls Retirement – We keep adding one control after another in pursuit of better defense in depth. Most organizations are up to their neck in DiD and it's suffocating them without benefit. Old controls like AV aren't really helping but they're costing 8-10B per year. – Radically different IT thinking obviates some of these old expensive things by fixing root causes not apparent ones – Related: Retire legacy infrastructure (Phil Venables) • MAC not DAC – Mandatory Access Control is like whitelisting on steroids. The entire OS is hostile to untrusted code. Especially effective in Mobile, IoT, and other places • Software Supply Chain – Modern software platforms are 80-90 percent assembled rather than written – DevOps is an application of supply chain theory to agile development allowing us to run faster and stay safer • Software Bill of Materials – Even the best vulnerability scanners have high degree of false positives and negatives. SBOMs are precise and accurate
  • 36. Possible Next-Gen Game-Changers Ongoing Work of the NY Cyber Task Force • Return of Formal Methods, like DARPA’s High-Assurance Cyber Military Systems “Not unhackable completely. There are certain obvious pathways for attackers that have all been shut down in a way that’s mathematically proven to be unhackable for those pathways.” (Arati Prabhakar) • Compiler-Generated Software Diversity: “After every 100th download of a given app … re-compiles that app with a strong diversity compiler making the next 100 downloads different from the previous 100. This prevents mass exploitation, though at a cost: it is no longer possible to confirm whether a given binary corresponds to a given source blob.” (Dan Geer) • Security solutions for IoT If you think cyberspace is insecure today, just wait for the coming Internet of Things. “The first 5 billion devices won’t be like the next 50 billion. Modern cars are computers on wheels, and cutting edge patient care is delivered over the Internet. If we get this right, the promise will transform society; if we get this wrong we eliminate the resilience we seek.” (Beau Woods) • Security score cards like BitSight to drive insurance, behavior (Phil Venables) • Data-level protection (Greg Touhill) Hyperscale: Critical mass of cloud deployment
  • 37. How Do Techs Become Real Game-Changers Ongoing Work of the NY Cyber Task Force 1. Take Away Entire Classes of Attacks (Arati Prabhakar) 2. Take User out of the Solution (Bruce Schneier) 3. “Those responsible make a change that helps all their users” (Jeff Moss) 4. “Improve security by decreasing cost of control” (Phil Venables) 5. Minimize Consequence - agility, detection, and resilience (Art Coviello)
  • 38. Operational and Policy Game-Changers Harder to Measure • Creation of the first CERTs in late 1980s • Operational innovations: kill chain • Automated threat sharing – STIX, TAXII, CybOX • Institutionalized bug bounty programs • Volunteer groups: Conficker, NSP-SEC, I am the Cavalry • Industry Alliances: ICASI, Cyber Threat Alliance • Budapest Convention on cyber crime
  • 39. Operational and Policy Game-Changers • International norms along with indictments and threat of sanctions • FireEye: massive reduction of detected Chinese intrusions from ~70/month to less than 5/month • What other solution have we ever implemented for such success at so little cost? https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf
  • 40. Operational and Policy Game-Changers • USG policy of “bias” to not retain vulnerabilities, but disclose to vendors • USG “discloses far more vulnerabilities than it decides to keep secret, in one year keeping only about two for offensive purposes out of about 100 the White House reviewed” VEP Process - 2014 to Present
  • 41. Operational and Policy Game-Changers • USG policy bias to disclose to US companies when they’ve been pwned • Result: Law Enforcement now #1 source for breach notification (esp for botnet takedown), per Verizon http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
  • 42. Outline 1. De-buzzwording This Talk 2. Bad Guys Finish First 3. A More Defensible Cyberspace 4. Payout for Getting it Right (or Wrong)
  • 43. Implications • Potential futures aren’t only – O>D (continued status quo) – D>O (defense advantage) • Could be far worse, O>>D – or far better, D>>O • Atlantic Council and Zurich Insurance Group modeled the economic impact of getting it right (or horribly wrong)
  • 44. Possible Futures… Cumulative Annual Benefits and Costs Economic Impact Through 2030 Best case: ~$30 trillion Worst case: ~$90 trillion Difference in government control less impactful, still meaningful: $30 trillion Best case is “Cyber Shangri-La” where D>O Worst case is “Clockwork Orange Internet” where O>>D
  • 45. If Future Possibilities are “Fat Tail Distribution” Then Far More Potential Variability [Figure: two distributions, each labeled “Expected Future”: (1) Regular standard deviation, lower chance of massive, unexpected events; (2) Variance not bounded, far higher chance for surprise]
  • 46. Measuring Defensibility • Verizon Data Breach Investigations Report – “Detection deficit … is getting worse” – “Attackers are getting even quicker at compromising their victims” – Slight improvements in how quickly defenders detect compromises • Commerce: 45 percent of US online households have stopped some sensitive online transactions • Index of Cyber Security
  • 47. For a More Defensible Cyberspace And a $120 Trillion Payoff • Advantage: Dollar of defense must buy more than a dollar of attack • Scale: Dollar of defense should give 10x, 100x, or even 1,000,000x the benefits – hyperscale