Transcript of Akamai-sponsored BriefingsDirect podcast with Dana Gardner, recorded June 2, 2006.
Dana Gardner: Hi, this is Dana Gardner, Principal Analyst of Interarbor Solutions, and you’re listening to BriefingsDirect[TM]. Today, a sponsored podcast and an important issue facing many nations around the world: cyber security and vulnerability.
With us is Professor Tom Leighton, Co-founder and Chief Scientist at Akamai Technologies. He’s also professor of Applied Mathematics at MIT and -- especially in the context of this discussion -- the former chairman of the Cyber Security Sub-Committee of the President’s IT Advisory Committee (PITAC). Welcome back to the show, Professor Leighton.
Tom Leighton: Thank you very much, Dana.
Gardner: We’ve talked in the past about the role of the Internet, how it’s important and particularly how its performance is important. I wanted to start our discussion by trying to understand the role of the Internet for society in Western culture. Increasingly across the globe, we seem to be more dependent on wide area networks, and networks like the Internet, or what we know as the Internet. How deep is this dependency, how intrinsic is it to our lifestyle and our security, and do you think this is only the beginning or is it a mature depth of dependency that we’re into now?
Leighton: I think we're critically dependent on the Internet today, and the depth of that dependence is constantly increasing. Aside from the obvious media and entertainment use of the Internet, from which we derive pleasure, the Internet is now central for communications, for commerce, for government, and for defense and utility industries. Pretty much all sectors of our society today have embraced the Internet and are now critically dependent on it -- and this will only increase going forward.
Gardner: So, if there were some disruption of this system we would see a significant negative impact across the economy, in politics, lifestyle, as well as the business of many companies. Are there any areas that you can think of that aren’t deeply impacted by the Internet?
Leighton: No, you are absolutely right. In fact we are already seeing some of the problems today that result from the lack of security in the Internet, through phishing and pharming, and cyber crimes -- personal identity theft -- that’s already happening today. We haven't seen large examples of cyber terrorism, or warfare on the Internet, or the takeover or loss of control of key utility facilities, although that's within the realm of possibility.
Gardner: We are seeing an increase in news about lists of important data being mislaid or misappropriated. We have heard about cyber extortion, as well as pharming and phishing, as you say, which are various forms of misidentifying or taking over seemingly secure communications. Does this really mean that our IT infrastructure is fundamentally insecure?
Leighton: That’s precisely what it means. Today we have evolved to a state where software is ubiquitous. Millions and millions of users have the same kind of software. That software is full of vulnerabilities, and it’s connected ubiquitously through networks that ultimately connect into the Internet. This enables cyber criminals great flexibility and power in launching attacks to exploit the vulnerabilities.
Gardner: Do you expect that there will be a sort of spy-versus-spy situation going back and forth, with remediation, patching, and band aids on one hand, and then more sophisticated nefarious activities on the other? How do I know that what I'm clicking on is getting to the right server?
Leighton: You really have no way of knowing that today, and I think we're pretty far from a state where you will have an idea. If you're using SSL, and you're doing everything to verify what keys are being used in the SSL you’re using and who you're talking to, you can have some confidence. But it is very easy for the bad guys today to spoof you into thinking you are running an SSL connection when you are not -- or spoof you into thinking you are running an SSL connection with a trusted party, say a bank, when in fact you are running an SSL connection with a bad guy.
Today, you really have no idea -- at least 99 percent of Americans really have no way of telling who you're communicating with, and where your packets are going on the Internet. This is what makes pharming attacks so successful. The person who is being victimized has no idea what’s happening.
Gardner: I have to say even though my email is filtered rigorously, I still get plenty of emails from folks claiming to be my bank, the people who do my stock trading, and my retirement account oversight, asking me to go in and re-affirm my password. I'm savvy enough not to do that, but they are pretty clever and very convincing.
Leighton: Those are examples of phishing attacks, and there are millions and millions of those a day. According to the statistics, about one percent of Americans fall victim to phishing attacks annually. What are much more difficult to spot are pharming attacks. In a pharming attack, the end result is the same: you lose your personal information. But in pharming attacks, you don’t have to do anything wrong. You don’t have to click a URL that was sent to you by a phishing email. You just enter your bank’s URL as you normally would in your browser -- only you don’t end up at the bank. You end up at the bad guy’s site, and he delivers to you the normal sign-in page. Everything looks normal to you. You did nothing unusual. You sign in, and now he has your personal information.
There are a lot of ways he can make that happen. The basic protocols of the Internet don’t have any security. For example, consider BGP, the Border Gateway Protocol. That’s the protocol that directs the path your packets take as they traverse the Internet. It’s easy for a bad guy to inject false information into the BGP protocol to send those packets to him. One way he can do this is to simply tell an ISP that he owns the IP address of the bank, and he will set the parameters so that that information doesn’t spread more broadly than the particular ISP that he is attacking. And then, anyone in that ISP who dials up or gets broadband connectivity to that ISP will go to the bad guy, when they think they are going to the bank -- just because BGP doesn’t think to check whether the bad guy is really the owner of that IP address.
Another protocol that is now being exploited is DNS, or the Domain Name Server. DNS is like the 411 service of the Internet. When you type the bank’s name into your browser, the first thing your browser does is translate that name into an IP address. Just as when you make a phone call, you key in a phone number. You don’t type in a person’s name. The Internet uses DNS to do that conversion between a name and an IP address. There is a technique now that’s being widely exploited called “DNS cache poisoning” in which the bad guy goes into the DNS tables and changes the resolution for the bank -- or for any website -- to his IP address. When your browser tries to look up the IP address for the bank, it gets the bad guy’s IP address instead, and transparently goes there, without you having any knowledge that this took place.
Gardner: Now, is this a case of a double-edged sword? In an open and free society we are always going to have some vulnerability that we can do nothing about. Is this something we need to live with in order to enjoy the full functionality and openness of the Internet?
Leighton: No, that’s not the case. It should be possible to develop enough technology to preserve the openness that we cherish in our society, without leaving ourselves exposed to the criminals.
Gardner: I suppose part of the reason this goes on, this vulnerability, is that the risk seems to be acceptable, or the price seems to be acceptable. You would think that banks and retail and e-commerce organizations would be on the forefront of trying to stanch any risks, but e-commerce goes on, more and more people are on the Internet using it actively, and application activities are more robust. Do you think that we will soon reach a point where the risks become unacceptable -- and would that be a gradual type of event or some kind of a cataclysmic event?
Leighton: That’s an interesting question, and there are a lot of factors in play today that drive the answer. First, the banks, e-commerce players, and the commerce players that moved to e-commerce have already made the switch. There is no easy way to go back. The call centers are gone. The traditional methods of doing business aren't supported anymore at the levels they used to be in the past. The switch was made because the Internet offers tremendous economies. It’s much cheaper to handle the transactions over the Internet than it is by the traditional methods.
So, it’s not easy for them to go back. At the same time, the banks and financial institutions are very concerned about the level of fraud and cyber crime, and their exposure to it, yet they don’t have an incentive to be screaming about it publicly. In fact, it’s just the reverse.
They don’t want to instill fear in the population, and the industries that have moved to e-commerce are in the same situation. They are successful if people aren’t fearful of using e-commerce. If people were to become afraid to use it, it wouldn’t be beneficial to business. Today, the financial institutions are backstopping the billions of dollars in losses. I think the statistics show that 80 to 90 percent of the losses are being covered by the financial institutions and not by the person who’s been victimized. But, there have been some well-publicized events recently where the person at home was left to pay. As that happens more, I think you’ll see an increased chance of a backlash against using the Internet. So, it is a double-edged sword. As criminals become more successful in exploiting the Internet, the costs go up, the need to get a solution increases, and the pressure increases there.
Gardner: So, this really is a case of an elephant in the room -- only the room is really the whole globe. I alluded in your introduction to your being chair of the cyber security subcommittee of PITAC, or the President’s IT Advisory Committee. A number of findings were derived from that, and you delivered some testimony before Congress, the U.S. House of Representatives in particular. You argued, I read in the transcript, that government funding needs to play an increased role, if not the lion’s share, in solving this. Yet DARPA, the defense research funding organization – which, by the way, helped Akamai to get its start in some basic research – doesn’t seem to be aware of this elephant in the room. Can you fill us in a little bit on what the issues are vis-à-vis research and development in order to try to ameliorate this before it becomes a crisis?
Leighton: DARPA is certainly aware of the problem. In fact, if you talk to officials of DARPA they will tell you that what keeps them up most at nights is our vulnerability in the cyber infrastructure that the defense department and armed forces rely on. At the same time, DARPA is now interpreting its mission to be one of a short-term nature to deliver products to the armed forces based on the research that’s funded by others. As a result, DARPA has dramatically cut its basic research program, for example, in universities. This has been felt particularly hard in the area of cyber security research.
In addition, much of this research has now been classified, which makes it impossible for the vast majority of researchers to work on the problem. It also makes technology transfer virtually impossible. Even if they were to discover something, it becomes classified, making it very hard to get it into the commercial sector.
So, DARPA, which historically has had a wonderful role in supporting basic research that’s led to all sorts of major advances including the Internet itself, is withdrawing from this area. At the same time, DHS, the U.S. Department of Homeland Security, which is tasked with the nation’s civilian infrastructure defense, is very focused on weapons of mass destruction -- and rightly so -- but to the point of having very little funding for basic research in cyber security. I think of their two billion dollar S&T budget, less than two million dollars goes to basic research in cyber security. And this leaves only NSF, which is way over-subscribed.
Gardner: And that’s the National Science Foundation.
Leighton: That’s correct, and the number of proposals they are seeing is overwhelming them. They can't begin to fund everything that needs to be funded to make advances in cyber security.
Gardner: So, we’ve established the stakes are high. DARPA doesn't seem to have a quibble with that. Investment is low relative to the risk, and yet there are so many proposals for research that the organizations that are in a position to fund can't keep up with the demand. Does that summarize the situation?
Gardner: Well, tell me a little bit about what the private sector can do. Obviously businesses have a lot of stake here. Akamai sponsored this podcast, so obviously there's some story here about what Akamai brings to the table. What do you expect that Akamai can do in the short term, and what do you as a businessman, educator, and a scientist think needs to happen beyond the short-term remediation?
Leighton: There really are two questions there. The first is what can businesses do, and one thing that they can do is work with the government to help encourage the government to do its job to fund basic research in this area and foster the development of new technologies which the commercial sector can implement and productize.
In the area of cyber security, the government is in a unique position to fund long-term and to even play a leadership role in adoption of better security practices, as well as to help standardize and adopt those security practices. I think industry, of course, has an important role to play, but we are at a point where we really need government leadership.
Now, in terms of what Akamai can do, we obviously can't solve the problem ourselves. This is a problem that took decades to make. We can help in certain areas in terms of a company’s Web infrastructure and application infrastructure. We can help shelter that infrastructure from cyber attack and we can help them by off-loading their public-facing material and getting it out of their critical infrastructure. Today there are many corporations and government agencies that poke holes in their firewall to let the world come in to access their websites and their applications.
In fact, if you go to any military base today, you will discover there are hundreds of websites sitting on the critical infrastructure, and there are all sorts of holes poked in the firewall to let the whole world come in. And, when you let the whole world come in beyond the firewall to your military infrastructure, that's not a good thing, because the bad guys can come in, too.
The software is so vulnerable that once they can come in, they can attack the infrastructure. Once they have done that, they can get across the local area network to critical infrastructure. And, then, very bad things can happen.
Gardner: It seems part of the issue, at least in the short term -- before we can get to the point of having research to go to a new generation of Internet infrastructure, protocols and security -- is that this is managing permeability at its essence. What does Akamai bring to the table in terms of managing the permeability of, as you put it, the world getting into these important sites?
Leighton: We offer a solution wherein the public-facing website and the public-facing applications can be offloaded onto our infrastructure. Then, it's possible to close up the firewalls and not let the public come in any more. Akamai may need to come in, or may need to come to a staging point to get the content the first time or to get the applications, but we can be authenticated. So, it greatly improves the effectiveness of intrusion-detection systems and intrusion-prevention systems, because you are not by default inviting the world in. Then, Akamai will, through its platform, deliver the content and the applications and do the interface with the world at large. At the same time, we put a lot of effort into making that infrastructure withstand denial of service attacks and various criminal attacks, such as theft of traffic. So, generally we can do a much better job of delivering that content securely.
Gardner: But as we pointed out, this is fairly short-term. The real solution here is to come up with new science and put it in place. And as part of that, the committee we referred to earlier, the President’s IT Advisory Committee (PITAC), almost a year and a half ago had four recommendations for how to solve some of these issues. Do you have a sense of what the status is of these changes? What sort of progress has been made?
Leighton: Unfortunately, the progress is not as good as we might have hoped for. Of the four recommendations, the first recommendation had to do with funding for basic research. The funding at NSF has improved, but not to the measure that we requested and recommended. The situation at DARPA has not changed, nor has the situation at DHS. On the recommendations to do with increasing the size of the cyber security research community, and the tech transfer from the research community into the commercial community, there hasn’t been real progress. On the last recommendation, dealing with coordination and oversight of federal cyber security R&D, there has been progress, and that recommendation seems to have been adopted. We’re hopeful that the committee that has undertaken the charge to try and get an idea of what’s going on with cyber security funding will make some progress in that regard.
Gardner: Clearly, this is an international issue. There have been some reports in the media about other countries asking the United States to relinquish some of its control and influence over Internet infrastructure. That's coming at a time when, as you describe it, not enough is being done to address long-term basic research issues. Should it be the United States government, DARPA, and the National Science Foundation (NSF) that are the leaders in this drive for advancement? Or is this something that has to be brought into an international organization, or at least some sort of federation?
Leighton: The United States does not control the Internet, so that's probably a misconception. There are clearly large companies here and, because of our economic power, we exert influence over the Internet.
In terms of fixing the problems, which will take a long time to do, that is a global problem. Fixing the problems of the Internet and developing new protocols will ultimately require global agreement to really get to a much better state. That said, I think the U.S. government can play a leading role. Agencies like DHS, NIST [National Institute of Standards and Technology], or DARPA can play a leadership role, just as they have, for example, in IPv6 in saying that they want that protocol supported by contractors who do business with the government. DHS could fund the development of improved protocols for DNS, for example, that are more secure. Then, they could implement those protocols in government networks. They could then provide a leadership role where industry could say: “Yes, I want to have that protection, and I am going to implement that.” And before you know it, it becomes a de facto standard.
Standards bodies themselves have not been particularly effective in the last one to two decades in improving the situation. There is a protocol called DNSSEC, which is a protocol that is meant to make DNS more secure. It solves some of the problems, but not all the problems. That's been debated in the standards agencies for probably 15 years now, with no outcome. So, they have not proven themselves to be effective in changing the way the Internet works.
Gardner: Well, governments, both in the United States and elsewhere, seem to be responsive to the call of industry and the special interests that often represent them, and they also respond to the calls of the citizenry, particularly in election periods. What, from your perspective, should individuals and businesses do to try to increase the emphasis on and understanding of this problem, and not let it sit on the back burner until it becomes, as we pointed out, a crisis?
Leighton: That's a complicated challenge. If industry were more outspoken about it, that would be helpful. You know as part of PITAC, we spoke with leading figures at several financial institutions. Behind closed doors and off the record they would tell you stories that made your hair stand on end about the problems we are facing and that they are facing today, but none of them would speak on the record.
I think if these officials would speak on the record and speak with Congress, that could be helpful. If they could speak with the Bush Administration, that would be helpful. There is an education process that needs to happen. There are a lot of folks in the day-to-day battle with cyber crime that are all-too-aware of the vulnerabilities we face, but in many cases the most senior officials in Washington and in corporations don’t understand that. They think by and large their systems are secure and they don’t fully understand the vulnerabilities they are facing.
So, I think education can also be helpful, and then once the people at the highest levels understand the vulnerabilities, there is a greater chance that the right prioritizations will be made and actions taken. The folks at home are stuck -- stuck until the problems get fixed. There is only so much they can do.
One report I remember said that if only mom and dad at home would keep their firewall up-to-date and their anti-virus software up-to-date, we wouldn’t have a problem. And that's a really naive statement, especially when you look at the biggest financial institutions and the Fortune 100 companies. Virtually all of them are routinely penetrated. They are buying every kind of cyber defense that exists in the marketplace today, and they can’t keep themselves from being vulnerable and being infected. So, how are mom and dad at home going to figure it out? It’s just not reasonable to say that that's the main problem.
Gardner: Is it reasonable to expect that content and application delivery providers like Akamai can deploy services in order to keep this problem at bay, or do you think that eventually the bad guys, as you refer to them, will get the upper hand at some point?
Leighton: It’s a combination. Akamai is certainly a part of the solution. We can provide solutions to some of the problems. We can make corporations be more secure with their infrastructure by the steps that we have talked about earlier. That said, it’s not the entire solution, and we need to fix the underlying vulnerabilities in the infrastructure. That needs to be addressed. Today, the bad guys do have a big upper hand. There are a few companies like Akamai that help, but the vulnerabilities are severe. We have built the Internet over the last 30 years without really thinking about security at all, and core protocols we use are fully vulnerable today.
Gardner: Well, some sobering thoughts, but educational nonetheless. We are about out of time. I want to thank you for sponsoring the podcast and joining me here today, Professor Tom Leighton, the Co-founder and Chief Scientist of Akamai Technologies. This is Dana Gardner, Principal Analyst at Interarbor Solutions. You have been listening to BriefingsDirect. Thank you very much, professor.
Leighton: Thank you.
Transcript of Akamai-sponsored BriefingsDirect podcast, recorded June 2, 2006. Copyright Interarbor Solutions, LLC, 2006. All rights reserved.