Although Gartner customers almost never complain about false positive rates, I wonder if false positives are under estimated. End users rarely complain about false positives, but they are very vocal reporting Spam in their inbox. Box Sentry (www.boxsentry.com) recently did a tests in a number of organizations and found the false positive rate in some organizations using popular anti-spam tools was as high as 13% of legitimate emails. The largest proportion of false positives in their study was legitimate person-to-person traffic.  While it could be that these organizations have over-tuned their systems to block more Spam at the expense of quarantining more legit email, the reality was the email administrators had no idea they had such a high false positive rate because they never checked.  Have you? 

Going further, it would be very valuable to estimate the cost of false positives.

As I’ve discussed in a previous post, this is just another instance of a general problem in the security industry.  You can’t do rational analysis of effectiveness, cost-effectiveness, risk, and the rest without some estimate of false positive rates and their costs.

• A Roadmap for Cybersecurity Research, by DHS
• National Cyber Security Research and Development Challenges , by the I3P
• Toward a Safer and More Secure Cyberspace, National Academies
• Report to the President on Cyber Security: A Crisis of Prioritization , by PITAC
• Ensuring (and Insuring?) Critical Information Infrastructure Protection, 2005 Rueschlikon Conference on Information Policy
• Four Grand Challenges in Trustworthy Computing , Computing Research Association Conference, 2003
• Others

But no one seems to be able to mobilize any signficant research into solutions.   It’s been very frustrating to see so much talk and so little action.   

This reminds me of the quote by Mark Twain, shown at left, which is the inspiration for the title of this post.

The latest iteration of this was a panel at RSA: “The role of research in industry and government“.  SC Magazine summarized the discussion this way:

A disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals.

(read on for a diagnosis and two proposed solutions…)

Part of the problem is the the incentives to focus research on problems and not solutions.  I run into this a lot at academic and other “thought leadership” conferences.  Here’s how it was explained to me: It’s much easier to do a modest-sized research project that shows yet another failure in the economics of security than it is to do the complex, large-scale research that would be necessary to develop both theory and empirical support for solutions. 

The bias toward complaining and against doing research work is even stronger at industry conferences.  I don’t blame any individuals.  Simply put, everyone has a day job that pays them to solve near-term problems and deliver immediate payoffs.   High-risk, fundamental research does not fit that template.

There was one recent attempt to mobilize breakthrough research — the “National Cyber Leap Year Summit” last August, sponsored by NITRD.  As I’ve previously written, that effort was largely a waste of time and money because you can’t brainstorm your way through hard problems like this.

Gene Spafford (a.k.a. “Spaf”) is one person who has thought long and hard about how to effectively mobilize and support interdisciplinary information security research.  In the second half of this blog post, he mentions a white paper that he has been circulating in DC for feedback.   The white paper advocates “changing the way we fund some of the research and education in the US in cybersecurity” and makes specific recommendations.  It’s a good read and very thoughtful suggestions.  The second of his two suggestions can be summarized:

I suggest a program similar in nature to the MacArthur “Genius Grants” program: the ISPEG, or Information Security and Privacy Extended Grant. Some agency or agencies would provide ISPEG funding to a small number of researchers in multi-year fashion, to “do good things” in cybersecurity and privacy. The intent would be to fund these individuals without requiring specific proposals or highly structured budgets, and with minimal requirements for deliverables and constraints. The researchers would be encouraged to exercise vision and leadership to the betterment of the country and the field of cybersecurity. If they are carefully selected, this will naturally follow.

A small set of ISPEG awardees [should be] chosen annually. These individuals will be senior academic, tenured faculty, chosen on the basis of past accomplishments specifically in the fields of information security and privacy, and because of a commitment to service and education. [emphasis added]

I think this is a keen idea overall.  Several formal studies of scientific performance have shown that the most productive method for acheiving major research innovations is through senior, experienced researchers who have both freedom and adequate support over an extended period of time.  However, Spaf’s model is aimed at supporting only academic researchers and only those researchers who have been blessed by the academic system (“tenured”).  Yes, they merit this sort of support, but they aren’t the only people who can or should play in the advanced research arena. Therefore I want to propose another idea that could work in parallel with ISPEG.

Proposal: Information Security Pioneers Fellowship Program (ISPFP)

Here’s how it might work. A non-profit organization would administer the program and would be the “home” for a number of individuals (the “Pioneer Fellows”) who would have financial and institutional support for a period of time. In return for this support, they would serve as catalysts, leaders, orchestrators, and even program managers for innovative interdisciplinary research projects, esp. those that involve industry, academic, and government partners. They could also work on projects and activities that enable advanced research or help bring advanced research results to the masses: in education, industry, or government policy. For example, here are some specific project ideas that would be well suited for Pioneer Fellows:

• Organizing and leading multi-organization proposal teams for advanced interdisciplinary InfoSec research projects (“Broad Agency Announcments” from DARPA, DHS, NSF, NIST, others).
• Leading the specification and field testing of security metrics, e.g. Center for Internet Security’s consensus metrics , and also pilot implementations.
• Leading the design and implementation of a statistically robust survey of information security practices, metric results, and costs, to displace the current “Computer Crime and Security Survey” (CSI/FBI).  (“Statistically robust” would include random sampling of organization populations, for example.)
• Design and help implement a “Cyber CDC” for advanced vulnerability and threat research and intelligence.
• Organize, lead, and/or collaborate in international research projects. 
• Help integrate economics, organization science, and behavioral science into education, training, and certification programs for security managers and executives.

Being a non-profit (preferably 501c3), they could accept and administer donations from many sources — corporations, foundations, and government. This would open the door to funding from many sources, including organizations that don’t usually provide funding, including VCs, industry associations, privacy advocates, IT vendors and consultants of all stripes, etc.

The fellowship period and applicant qualifications are open to consideration.  Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners.  One thing for sure — we shouldn’t focus this program only on people who have been “officially” annointed by some hierarchy, some certification program, or by credentials alone. 

OK… now for all of you who might be frustrated with lack of action, this message is for you:  THIS IDEA COULD BE IMPLEMENTED IMMEDIATELY!

Sorry to shout, but I want that message to hit you between the eyes.

First, there are several candidates for host institution:

• Center for Internet Security
• Security Innovation Network (SINET)
• European Network and information Security Agency (ENISA)

Second, there are a good list of possible projects, not only the list above but also ideas from any of the reports listed at the top of this post. 

Third, there are plenty of good candidates for Pioneer Fellows.  Just look for the people who are already doing pioneer work on their own dime or in their “spare time”.

Fourth, the funding would probably start flowing if the right executives were in the same room at the same time, and someone with sufficient “gravitas” asked for the order.  $35K to $50K per major sponsor is reasonable and comparable to other sponsorship arrangements.  Ten major sponsors would fund 8 to 10 Fellows, assuming they paid full salaries. Once this is all in place, we could probably solicit a “foundational grant” from a major government agency to ramp up recruitment and other administrative parts of the process.

That’s a sketch of the idea.  What do you think?

We can take inspiration from other fields.  Consider this innovation in statistical value management in baseball, a.k.a. the ”Moneyball” approach:

Evaluating fielding is baseball’s hardest math. There are just too many unknowns in a play. How much ground did Jeter cover? How fast was the ball moving? In essence: How unlikely was it that he’d catch the ball?   [...]

Sportvision’s FieldFX camera system records the action while object-recognition software identifies each fielder and runner, as well as the ball. After a play, the system spits out data for every movement: the trajectory of the ball, how far the fielder ran, and so on. “After an amazing catch by an outfielder, we can compare his speed and route to the ball with our database and show the TV audience that this player performed so well that 80 percent of the league couldn’t have made that catch,” says Ryan Zander, Sportvision’s manager of baseball products. That information, he says, will allow a much more quantitative measure of exactly what is an error.

The Great Family Shame of incest between Oedipus and Jocasta

The public display of taboo is one of the more interesting aspects of Operation Aurora, a.k.a. the Google-China affair (summary and analysis is here, more details here.).  It’s unfolding almost like a like a Greek tragedy. 

Act 1 in the play was Google’s strategic decision to go public and recruit other breached companies to join them (without success).  Google went public anyway, violating the InfoSec disclosure taboo, and also the taboo against corporations speaking out against China.

Act 2 was the public and institutional reaction to Google’s announcement, the political posturing between US and China, and even the tempest of chatter in the InfoSec community about “Advanced Persistent Threats“  (or “Advanced Persistent Adversaries“, a term I prefer).

Act 3 is now under way at that great annual public meeting of Big Thinkers, the World Economic Forum in Davos, Switzerland.  While they discussed almost every other topic and idea, they avoided the Operation Aurora as if it was the Great Family Shame, as highlighted here:

“BusinessWeek reports that the cyber attack on Google was the elephant-in-the-room at the annual meeting of world leaders in Davos. ‘China didn’t want to discuss Google,’ Josef Ackermann, CEO of Deutsche Bank AG and a co-chair of this year’s World Economic Forum, said in an interview. China’s Vice Premier Li Keqiang made that clear, he added. Even Google CEO Eric Schmidt didn’t bring up China, and Bill Gates was mum on the topic in an interview. The reluctance of companies to talk about China illustrates the pressure on them to protect their business in the country, while the U.S. government doesn’t want to upset Chinese investors, said Andy Mok of Red Pagoda Concepts LLC. ‘People have their commercial interests,’ explained Deutsche Bank’s Ackermann.” [emphasis added]

The Business Week article is here.  (Funny: here is a great Saturday Night Live skit that satirizes the power of China over the US in matters like this.)

While the Operation Aurora taboo is rooted in international politics, similar taboos exist within both the public and private sectors and no international politics are involved.   While we must deal productively with these taboos, we also can’t let them block meaningful progress toward the goal of data-driven information security and collective learning.

If this is how you feel, buy our products. Then you'll feel better.

Headline is “You are losing the war!”, followed by “Criminal and state-sponsored adversaries are winning”.    The key line: “NetWitness delivers real-time network forensics and automated threat intelligence solutions designed to combat advanced cyber security threats like Operation Aurora.”

I don’t blame them for surfing the publicity wave of “Operation Aurora”  (China, Google, Adobe, et. al.).  And I can’t blame them for following industry practice of amplifying FUD, primarily “fear”, to get potential buyers to give attention and budget to NetWitness solutions, to wit: 

“You have a choice: The NSA or FBI can sit down with your CEO and report your company’s network compromises, or you can be the one telling them that an attack was detected, thwarted, and steps were taken to prevent it from happening again. Which scenario sounds better to you?”

OK… so here’s a glimmer of NewSchool hope in the last lines of the email:

“We’re so sure of this fact that we’re determined to prove it on your network. We’re offering a complimentary Proof of Concept to any organization meeting a minimum set of qualifications.” 

So they are willing to show how their solution will actually work in your organization.  Not bad.  But to get the “NewSchool Tip-of-the-Hat”, it would be even better if the Proof of Concept included some sort of data about effectiveness vs. alternatives vs. make-do-with-whatever.  It would be even better if they published such data or made it available via various information sharing organizations.  We can only hope.

(I have no opinion about NetWitness or their solutions or their competitors, nor do I have any relationship.)

The problem isn’t usually – or at least isn’t only – too little information, but too much, most of it ambiguous, contradictory, or misleading. The blackboard is filled with dots, many of them false, and they can be connected in innumerable ways. Only with hindsight does the correct pattern leap out at us, and to fix what “broke” the last time around only guarantees you have solved yesterday’s problem.

Far more important, and useful, is to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us. This isn’t a problem that occurs only with spying. It is central to how we make sense of our everyday lives, and how we reach decisions based on the imperfect information we have in our hands. And the best way to fix it is to craft policies, institutions, and analytical habits that can compensate for our very understandable flaws.

[...]

The first and most important tendency is that our minds are prone to see patterns and meaning in our world quite quickly, and then tend to ignore information that might disprove them. Premature cognitive closure, to use the phrase employed by psychologists, lies behind many intelligence failures.

[...]

Second, people pay more attention to visible information than to information generated by an absence. In a famous Arthur Conan Doyle story, it took the extraordinary skill of Sherlock Holmes to see that an important clue in the case was a dog not barking. The equivalent, in the intelligence world, is information that should be there but is not.

[...]

Third, conclusions often rest on assumptions that are not readily testable, and may even be immune to disproof.

I’ll add a fourth — ignoring threat intelligence all together or treating it as taboo.  This may take several forms: ”it’s beyond our control”, “we don’t have good data”, “it’s too hard to quantify”, “we aren’t paid for guess-work”, “we rely on vendors for that”, “everybody knows what the threats are”, “if we bring it up, we will get too many questions we can’t answer”, or other excuses.  (See Josh Corman’s post on the folly of relying on security vendors for your threat intelligence.  Vendors only have incentive to inform you about threats they can mitigate.)

If you want a good methodology for threat intelligence, look at Intel’s.    It was adapted for use by the Information Technology Sector Coordinating Council in their risk assessment for critical IT industry infrastructure.

As good as it is, it could even be better if they had some systematic methods to actively seek out contradictory information and contrary hypotheses about threats.  One simple way to do this is to create a “Mental Model Red Team” whose primary job is to disprove everything you think you know, or at least generate and validate contrary hypotheses.  (For social and cultural reasons, you should probably rotate your staff through this team rather than keeping the team membership fixed.)    Formal methods exist, including “Analysis of Competing Hypotheses” (slides).  (I’m in the process of evaluating a tool for this called SHEBA.  I hope to have a demo read for Mini-metricon, something like this.)  Another possible method is prediction markets, but I’ve never seen them used for this purpose.

You: “We’d like to define a metric for overall security and risk, and then publish it to stakeholders and business partners…”

Executive: “Wait right there!  No way!  That’s too confidential!”

You: “Excuse me?  Confidential?  You mean you already know what the number is, and revealing it will seriously harm your business?”

Executive: “No, we don’t know the number.  It’s so confidential, that even we don’t know what it is.”

Of course, the conversation never goes like this exactly, but I hope you get the drift.   The executive asserts the importance and critical nature of an overall metric for security and risk, but uses that as an excuse to not even try to estimate it in the first place.

I’m going to coin a label for this:  “meta-taboo”.   The topic itself is not taboo, but any discussion about how to actually get there or deal with the topic is taboo.  (Another example: a humorous label for a design document from my early days in engineering: “Burn before reading.”)

Of course, this is a sign of an unresolved inner conflict in the executive, or more likely a blind spot in the social psychology where we bury our collective fears, our collective fictions, and our quid pro quo’s.

The Cone of Silence from "Get Smart" TV program. It was so effective that it prevented all communication!

Anyone else encounter this?

From Business Insider:

Instead of asking the gamers to try a product the way Netflix would, “Get Health Reform Right” requires gamers to take a survey, which, upon completion, automatically sends the following email to their Congressional Rep:

“I am concerned a new government plan could cause me to lose the employer coverage I have today. More government bureaucracy will only create more problems, not solve the ones we have.”

When looking at the “Who we are” tab on the GetHealthReformRight.org. Here is the excerpt from this page below.

Get Health Reform Right is a project of organizations whose shared mission is to ensure consumers continue to have access to employer-sponsored healthcare plans. We are concerned about federal legislation that would create new government bureaucracies that would unravel the workplace healthcare system where more than 160 million people get their coverage.

* Association of Health Insurance Advisors
* America’s Health Insurance Plans
* American Benefits Council
* BlueCross BlueShield Association
* Council of Insurance Agents & Brokers
* Healthcare Leadership Council
* Independent Insurance Agents & Brokers
* National Association of Health Underwriters
* National Association of Insurance and Financial Advisors
* National Retail Association

I call it a “botnet” because the people playing the game don’t really know what’s being done with their personal information and what actions are being taken in the world, under the illusion that the person consciously initiated the action (which they did not).  This is a form of “soft control”, where incentives, peer influence, and appearances are manipulated to get the player to do what the controller wants them to do.

I call this an emerging threat because of the proliferation of virtual worlds and virtual currency systems, where the individuals participating are highly motivated to maximize their virtual earnings.  Any virtual world+currency system is vulnerable to this sort of social botnet if a link can be made between some in-world activity (both fun, lucrative, and social) and some real world mass action (petition letters, flash mob, download, or what ever).  Your organization may be far outside this virtual world, but your organization may still be the target of the mass action.  One more thing to add to your threat model.

Full report is here.  A quick overview from a Wired magazine article:

The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.

[Disclosure: Alex's paw prints are on this report somewhere.]

Let me compare the widespread and often mandatory use of client scripts in websites (e.g., JavaScript) to CDOs [Collateralized Debt Obligations]: they both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy. They have also both caused a lot of damage, as having scripting enabled is required for many attacks on browsers. How much smaller would botnets be without scripting? Like CDOs, scripting is a financial affair; it is needed to support advertising and measure the number of visitors and click-throughs. Scripting will stay with us because there’s money involved, and if advertisers had their way, there would be no option to disable plugins and JavaScript, nor would there be extensions like NoScript. To be fair, there are beneficial uses for JavaScript, but it’s a tangled mess with a disputable net value.  [emphasis added]

By the way, here’s a beautiful set of animations explaining how CDOs went wrong.