A string of internet security breaches over the last year has brought the discussion about cyber security into the public domain. At the Aspen Security Forum, organized by the Aspen Institute, three security experts discussed the future of cyber security. The panel consisted of Mati Kochavi, chairman and CEO of AGT International; Jon Ramsey, chief technology officer of Dell SecureWorks; and General Michael Hayden, former director of the CIA and NSA. The discussion was moderated by Allan Holmes, technology editor at Bloomberg.

Gen. Hayden categorized three forms of cyber threats: exploitation, disruption and destruction. Exploitation is when a network is breached to pull information out of it, as in cases of identity theft or corporate espionage. Disruption is when a network is compromised to create an effect. The 2007 Russian DoS attacks on Estonia, which knocked out the country’s internet infrastructure, count as an example. Destruction is when cyber attacks have a destructive consequence in the physical world. With the arrival of Stuxnet (a virus aimed at sabotaging centrifuges of an Iranian nuclear power plant), that third category of cyber threat is now part of reality.

Jon Ramsey churns out some staggering numbers: as part of the Dell SecureWorks Counter Threat Unit, a research team analyzing and countering cyber threats, he comes across 25,000 unique pieces of malware, a quarter of the estimated 100,000 generated daily. The unit detects 40 software vulnerabilities a week, and of the 14 billion events it monitors daily, 15 to 20 million are exploitations. 2011 has aptly been coined the Year of the Hack as the long list of high-profile security breaches continues to grow. Cyber security has deservedly made the agenda.

However, the internet was engineered to be open. Its raison d’être is to let data flow easily. Its predecessor, Arpanet, was engineered to shift information between different nodes in case a node was taken out by a physical attack. In that phase the network was only conceived of as nodes of allied parties being linked together. A swift, unhindered data flow was the objective, not internal security. And the lightning-speed expansion of the internet that we’ve witnessed since is a direct result of that openness.

The primary objectives during the expansion were functionality, performance and low cost. And these are features people have come to expect. Software and services are offered at a low cost or even for free. Ramsey points out that it is possible to build secure programs using mathematics to prove there are no vulnerabilities. But that’s very expensive and the market isn’t willing to bear those costs.

The result of the typical historical development of the internet, says Mati Kochavi, is that cyber space is ruled by a different set of cultural values than physical space. Values such as privacy, copyright and even security, which are unquestionable axioms of the moral paradigm in the physical world, carry much less weight in cyber. Cyber has developed its own culture. And it is unlikely that the moral paradigm established in the physical world will overwrite that cyber culture.

People, especially the young generation who grew up with the internet, will be hard to convince to make the inevitable trade-off that security demands. More security means less functionality, less performance and less freedom. The internet, says Kochavi, is a disruptive technology if ever there was one. And only disruptive solutions will bring about more security. The old ways of solving things just won’t work.

Gen. Hayden agrees that cyber has its own dynamics. He points out that in military lingo there are five domains: land, sea, air, space and cyber. In the first four domains there is a strong expectation that the state provides protection. In cyber you are much more on your own. When there is a physical intrusion in a company’s headquarters, the cops are called in. But who do you call when there is a network intrusion?

On an international level, too, the established treaties are not extended to cyber as a matter of course. Take for instance the DoS attacks on Estonia. The country is a NATO member, and in the case of a physical attack Article 5 (which reads that an attack on one is considered an attack on all) would have compelled the alliance to retaliate. But when it comes to cyber attacks things aren’t all that clear, and in the end Estonia did not invoke Article 5.

Hayden agrees with Kochavi that there is a lack of general consensus when it comes to cyber security. This is the result of the diverse nature of cyber. On the one hand it’s a zone of communication. People exchange e-mails, are active on social networks and build up search histories. This is an area of life where people do not want the government heavily involved. But on the other hand cyber can be a zone of conflict. In the case of exploitation and especially disruption and destruction, people do expect the government to step in. How and where to demarcate these lines should be a subject of public debate.
