What can the logistical challenges of moving vehicles across the Country teach us about cybersecurity? Although these two topics seem unrelated, the speaker will take the audience on a journey that begins in early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives in current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation ends with predictions about the future of the Information Superhighway and how security researchers can prepare.
2. About @damonsmall
• Technical Project Manager at NCC Group
• Louisiana native
“Not from Texas but I got here as fast as I could!”
• In IT since 1995; infosec since 2001
• Studied music at LSU; grad school in 2005 for Information Assurance
12. The Point?
What started as an infrastructure built for a very specific use-case ended up having a profound economic and sociological effect once turned over to the private sector.
14. The First Four Nodes of ARPA
• University of California, Los Angeles (UCLA)
• Stanford Research Institute (SRI) in Menlo Park, CA
• U.C. Santa Barbara (UCSB)
• University of Utah
http://www.scientificamerican.com/gallery/early-sketch-of-arpanets-first-four-nodes/
16. The Internet was invented…
• …by humans
• …in the 20th century
…for very specific purposes. Design requirements did not fully account for:
• Unauthorized Users
• Non-private networks
17. Then e-Commerce Happened
• UUNET - non-profit Internet access c.1988; for-profit c.1990
• The World - Offered Internet Access c.1989; full access to non ARPA-approved users by 1992
• Commercial applications prohibited until 1995
18. Security Concept
• Initial design requirements of an infrastructure are not necessarily what it becomes
• ARPA was formed to explore computational time-sharing across great distance; engaged academia
• Eisenhower’s Interstate System fueled America’s love for road trips and travel far beyond the initial goal of moving military vehicles
• Similarly, we have far exceeded ARPA’s intention from 50 years ago
19. Predictions
• Started as a hard, flat surface
• Adaptive construction materials
• Toll Roads
• Sophisticated Lighting
• Dynamic Lanes
• Self-driving cars
20. Predictions
• Started as an internetworking infrastructure featuring packet switching
• Math-based encryption will include elements of quantum computing
• Broadband will become more broad and ubiquitous
• Physical possession will continue to lose value; access to information is the 21st century currency
• Infosec challenges have moved up the OSI model from Layer 3 network-based attacks to Layer 7 application attacks.
• Will continue to move to Layer 8.
21. As security professionals,
our charge will be to not only understand how the technology works, but also how people interact with it.
Thanks for listening!
Editor's Notes
The idea for this narrative began after a conversation I had years ago when a non-security person asked, “Why didn’t they think of that when designing the Internet?” It’s a simple, honest question, and the answer lies with how the Internet came to be. It’s an important question because, as information security professionals, we have to understand why the technology is the way it is, how people will use it, and how malicious users will leverage design weaknesses to steal information.
The idea for a National Interstate system began in 1919 (source) with a trip from Washington, D.C. to San Francisco involving 80 military vehicles. It took 2 months and covered 3,000 miles (source).
Then-Lieutenant Colonel Eisenhower (source) realized that the ability to mobilize forces was key to protecting the Country.
In Europe during the 1930s, the autobahn reinforced the idea that roads were critical to a nation’s security and economy (source).
As President, Eisenhower supported a nationwide infrastructure that would not only facilitate military objectives but also create jobs and boost the economy.
The initial requirement was to facilitate moving military vehicles across vast distances, but the result was that private industry created a culture around this new infrastructure.
Because of his experiences, President Eisenhower fought hard to get Congress to pass the Federal-Aid Highway Act of 1956. For that reason, he is called "The Father of the Interstate System." To honor him for that "personal and absolute decision," Congress passed a bill in 1990 that changed the legal name of the Interstate System. It is now called The Dwight D. Eisenhower National System of Interstate and Defense Highways. President George H. W. Bush signed the bill into law on October 15, 1990.
http://www.fhwa.dot.gov/interstate/brainiacs/eisenhowerinterstate.cfm
Americans began traveling cross-country, and cities sprang up near these new roads. Entire towns existed to support the Interstate (source). Route 66*, which ran from Chicago to Santa Monica, CA (2,448 miles), provided jobs for everyone who lived nearby. *Not actually a part of the National Highway System, but it illustrates the point.
Key concepts, although largely attributed to American computer scientists, also included European researchers (source). Packet switching, long-distance links, and protocols that supported routing around disrupted connections led to the first nodes of ARPANET coming online in [year] (source). It crashed after three keystrokes (source).
The first message on the ARPANET was sent by UCLA student programmer Charley Kline, at 10:30 pm on 29 October 1969, from Boelter Hall 3420.[20] Kline transmitted from the university's SDS Sigma 7 Host computer to the Stanford Research Institute's SDS 940 Host computer. The message text was the word login; the l and the o letters were transmitted, but the system then crashed. Hence, the literal first message over the ARPANET was lo. About an hour later, having recovered from the crash, the SDS Sigma 7 computer effected a full login. The first permanent ARPANET link was established on 21 November 1969, between the IMP at UCLA and the IMP at the Stanford Research Institute. By 5 December 1969, the entire four-node network was established.
ARPANET In 1957, the U.S. government formed the Advanced Research Projects Agency (ARPA), a segment of the Department of Defense charged with ensuring U.S. leadership in science and technology with military applications. In 1969, ARPA established ARPANET, the forerunner of the Internet. Research and education ARPANET was a network that connected major computers at the University of California at Los Angeles, the University of California at Santa Barbara, Stanford Research Institute, and the University of Utah. Within a couple of years, several other educational and research institutions joined the network. In response to the threat of nuclear attack, ARPANET was designed to allow continued communication if one or more sites were destroyed.
http://historynewsnetwork.org/article/142824
The concept for the Internet, although debated (source), involved creating a system that would allow for geographically dispersed computers to share information with one another. In the event of a catastrophic attack against the United States, data, no longer stored in any single location, could continue to be shared with those that needed it to defend its citizens.
SECURITY CONCEPT - Why are we burdened with the security problems we are today? Why didn’t “they” think of these issues while developing the technology? The answer is that the concept of regular people using such a network was specifically left out of the design requirements. In fact, commercial applications of the Internet were prohibited until 1995 (source). Until then, Internet users had to be affiliated with the Military or academia. The first commercial ISP, “The World,” came online in 1989 (http://en.wikipedia.org/wiki/Internet_service_provider).
Amazon came online in 1995.
SECURITY CONCEPT - The initial design requirements of an infrastructure are not necessarily representative of what that infrastructure eventually becomes.
ARPA was started to explore this concept.
ARPA had no facilities of its own, so it engaged academia to help develop the technology.
(details, sources for above)
Eisenhower’s roads fueled America’s love for automobiles and exploring remote cities. The Internet allowed people to exchange information across vast distances and matured from the first application of simple email (source) to ecommerce, delivery of streaming media, and remote control of a variety of devices (reference “The Internet of Things”).
Researchers did not ignore the problems that would eventually face us today; those problems simply were not a part of the initial design. There was no concept of an “unauthorized user” or any application beyond the simple exchange of text.
Once commercial uses of the Internet were allowed, things quickly escalated.
I won’t go through a history of what has happened since, as I think we all appreciate those concepts.
The Internet was never intended, initially, to support e-commerce and the vast array of applications we use it for today.
Therefore, we have had to “bolt on” features to allow these things to continue. Encryption and authentication have become application-layer issues while the underlying protocols remain similar to what they were decades ago.
PREDICTIONS
Safety features have become commonplace on Interstates. What started as a hard and flat surface has evolved into a network that includes lighting, reflective markers, electronic signage, and sophisticated building materials.
Cryptography, which is based on the concept that factoring prime numbers is hard, will begin using more sophisticated materials as well.
We use particles to transfer information - electrons and photons that represent two states. Quantum particles will allow multiple states, and we will take advantage of the Heisenberg Uncertainty Principle, which states that you cannot observe something without changing it. (source, details) Quantum encryption will replace current math-based crypto.
Lanes will continue to become “wider.”
Existing broadband will become “more broad.”
Technological advances will connect more people to the Internet.
This will allow richer content and increase the value of online data. This will also increase malicious activity as the information assets become more attractive.
Example - I used to have an impressive library of CDs. Today, my CD collection is zero. I have none. They exist in the iTunes cloud. Further, I use subscription services to gain access to huge libraries of music from Pandora and Rhapsody. Possession of physical items is no longer the value proposition; rather, access to information is the 21st century currency.
New lanes of traffic will be unrecognizable compared to the next generation. (Compare Route 66 to part of I-10, and compare the Internet to the Internet2 [sources]).
As private industry continues to push the envelope of technical capability, we in infosec will have to remain vigilant because attack vectors will also increase in sophistication.
Crypto is often defeated not by breaking the algorithm, but by attacking a poor implementation. Even with something like quantum encryption, humans will make mistakes and hackers will take advantage of them.
As security professionals, our charge will continue to be to understand not only how the technology works, BUT HOW PEOPLE USE IT.
Just as Interstates do not require that you be in a military vehicle, the Internet has long ceased being a tool used exclusively by computer scientists. Regular people will continue using the Internet more and more. While they may become more security savvy over time, their focus will be on utility and entertainment. Time-to-market for new applications continues to shrink, web applications continue adoption in business, and The Cloud is pushing more data online. As a result, security pros will be busy for the foreseeable future, but our jobs will become more focused on “Layer 8” issues and how people interact with technology and no longer a “simple” issue of understanding ports and protocols.