Dr. John Savage
Washington, DC
March 23, 2010

Nina Fedoroff [Science and Technology Adviser to the Secretary]: Welcome to the -- wow -- to the distinguished Jefferson Lecture Series. Our speaker today is Dr. John Savage and he has much to say so my introduction is very short. He received his undergraduate and graduate degrees from MIT. He’s a professor in the Department of Computer Science at Brown University where he served as Chairman from 1985 to 1991. He’s published three books and stacks of papers. He’s a Fellow of the IEEE, the Institute of Electrical and Electronic Engineers, as well as the AAAS [American Association for the Advancement of Science] and everybody knows what that stands for. And he’s going to tell us about how to tame cyberspace.

John Savage: So before I begin I would like to make it clear that I am speaking as an individual. I’m here as a Jefferson Science Fellow, I’m not speaking for my office and I say that because my office happens to be the Cyber Affairs Office in the Bureau of Intelligence and Research. So this is a personal talk today. I’m going to give you an introduction to the Internet, explain some of the basic ideas, we’ll talk about threats, approaches we can take to these, and we’ll look ahead.

I don’t think I need to introduce you to the Internet, we know that it is used in many places to facilitate free speech, but not everywhere apparently. But it also creates opportunities for innovation, and we’re seeing many new threats. Crime is on the rise; it’s a very serious problem; the threat of terrorism is out there; and we do have threats to our critical infrastructure, which I will outline later. And we have even the possibility of cyber conflict.

It is changing; the Internet is changing our culture. But as my title suggests, it is in many ways the Wild West. We -- I liken the hackers to the gunslingers and the town to the millions of unprotected computers, and so I ask where is the sheriff? We do need a sheriff. In the old days we would slap a badge on a hacker whom we thought we could turn, and that person we brought inside, and then we would expect to be protected. We need a new approach to that now.

So one of the questions we’re going to address today is how do we protect ourselves and our assets. Now we’ll start with a little introduction to the Internet. As this graph suggests, we have here a collection of networks. We’ve got on this side, a yellow network, a red network, and a green network. We have three routers and a name server. And the Internet is characterized by the fact that we transmit packets through the Internet. This is a system that supports packet switching. We use the IP Protocol, which I’ll explain in a moment. The important part about a packet switching network is that the packets have source and destination addresses. They leave one site, they move to another site. At that site a decision is made as to which next site will be followed. In other words you don’t create an end to end path and have all the packets follow that path.

This IP Protocol packages these packets into a header and a payload. The header has a little information, it has the source address, it has the destination address. It tells you how long the packet -- the payload is, how long this packet has to live. And if the packet arrives at a node, and it’s exceeded its time to live it’s destroyed. And this basic Internet protocol only makes the best effort to transmit data.

The Transmission Control Protocol was introduced in 1974 by Cerf and Kahn, and that’s -- we call it TCP/IP. It was designed to provide reliable end to end communications, and again as I said, you take a large data stream and you packetize it, the packets are sent and they follow paths that may be very different. But the key feature here is that a packet that is sent and not acknowledged at the source gets resent, so you might have multiple copies of a packet floating through the network. It also means that these packets have to be reassembled at the destination. And it’s a building block for lots of other protocols; this transmission protocol is so important that we now will -- we often refer to Cerf and Kahn as the fathers of the Internet.

So it’s time we spent a moment or two on domain name servers. These are sites which takes the names that we like to use, such as, and translate them into numerical addresses. These numerical addresses are used to transmit packets to the network. This is important, as you’ll see in a short while. When -- before the domain name system was introduced Bob Kahn used to keep these mappings between usernames and numbers on a 3 x 5 card in his pocket, and after a while it became -- he had too many cards and he turned it over to someone else, and that person then maintained it using traditional tools, [inaudible] and so forth, but eventually, the whole system had to be automated. And now we have domain name servers that are scattered all over the world.

The Internet began with experiments with networks in the ’60s and ’70s in universities typically. And in the ’70s Bob Kahn supervised the introduction of the ARPANET. If you’re not familiar with APA it’s an acronym meaning Advanced Projects Agency; it’s a branch of the Department of Defense, and they since the ’70s have been funding a great deal of -- since the ’60s, actually -- been funding a lot of research in networks and other areas of computer science.

There were a number of commercial networks were introduced in the ’70s and ’80s, there was NSFNET. But an important event occurred in ’82 when the military decided they were going to use TCP/IP for their communications. And then you had, as you know, in the ’90s the introduction of the browser, the World Wide Web was introduced, and then the rest is history. Explosive growth.

There are a whole bunch of applications today for the Internet, you’re familiar with them al so I’m not going to run through them. There has been renewed attention given to the Internet recently, the President of the United States made this statement, he said “... our interconnected world presents us, at once, with great promise but also great peril.” You have the current Director of National Intelligence Dennis Blair saying that “Malicious cyber activities are occurring at an unprecedented scale with extraordinary sophistication.” and that “We cannot be certain that our cyber space will be available and reliable during a time of crisis.” His predecessor Mike McConnell in the Washington Post says, “As the most wired nation on earth we offer the targets of most significance yet our cyber defenses are woefully lacking. The problem is that we lack a cohesive strategy to meet this challenge.”

So, how about some examples of the severity of the problem? It is said that U.S, citizens lost almost a half a billion in 2009. I’m told that there are more than 600 million attacks per day against Department of Defense Computers. And this one, this event, attracted my attention because I have not heard many stories about computers actually being damaged. In Norfolk, Virginia, early in February, one day in February as folks were logging out, they found that their computer were taking a long time to log out. And when the staff investigated they found that a program was running and what this program did is it erased about two-thirds of the operating system. They call that a time bomb. Now, what’s also alarming is this town Norfolk happens to be home to the world’s largest Naval Base. I saw that I said, “Whoops, this can happen in Norfolk, it can happen anywhere.”

It was this attack that Google announced in early January, they announced that about 30 companies were attacked at the same they were and others have estimated that it was more than that number. Some of these companies called on McAfee to help them out, and to diagnose the problems. And what McAfee has reported publicly is that corporate repositories were attacked. They were penetrated. There is a common source code management system called Per Force, it’s an American company based in Los Angeles, I believe, whose software was used to manage these repositories at many of the companies that McAfee was familiar with. Google has said that they lost intellectual property; others are speculating that these intruders actually modified some of the programs and maybe some of the documents, non programming documents for other computers.

And this worries me because our economy is based on intellectual property. We depend on that. We’re not a large manufacturing company anymore, we generate ideas, and they get reflected in intellectual property. So if we lose that intellectual property, or if others tamper with it, degrade it in some way, I think that represents a very serious development.

So I’m going to give you a little exposure to a little introduction to the critical infrastructure that’s available online and can be attacked. The power grid is, of course, maybe the preeminent of these. There are experts, they know where the power grid is, the goal here is to put new electrical meters in your home, that are computer based, they’re computer powered, on the Internet. So that utilities can collect information about your power usage. They’re also going to invest in integrating the many hundreds of individual power generating companies across the country. But there is speculation that hackers can get inside these meters on your home, and they have many robots that they can use to do attacks on the Internet. And last Sunday there was an article that appeared in The New York Times co-authored by John Markoff, citing the fact that a Chinese student and his professor wrote a paper for an [inaudible] publication, in which they have given a scenario, described a scenario in which a portion of the U.S. power grid can be brought down, and when you bring it down it causes the rest of the grid to collapse. That’s…quite concerning.

How about the financial and banking system? I’m going to give you some facts here that are shocking. We have two principle clearance firms, clearance systems, in the United States for bank transactions. One of these is the Fedwire, the other is CHIPS, and one report that I saw said that CHIPS carries about 96 percent of the clearance traffic with U.S. banks. And I know that back in 2008, $2 trillion were cleared per day. Now let’s put that into perspective. The U.S. GDP is $14.2 trillions per year. So if this clearance system were disrupted, someone came in and brought a time bomb in and erased the memory or something of that sort, the havoc that could result would be tremendous. And as I’m sure you know, most of the communication networks in the world are privately held, at least in the United States are privately held and outside they’re held by governments, many of them. We use those; all of the nations use those strategic communications.

So I’m going to spend a few minutes here talking about the kinds of attacks one could make. These are traditional classifications here: Insider attacks, close-in attacks, and remote attacks. You as an individual can sit at your laptop, at your desk-side computer, and you can run a little program, and it will sniff the traffic that passes on the local network between your computer and that of the others in the local network. And today that traffic is unprotected. A close-in attacker can communicate through a wireless link. You know many of us will not encrypt our wireless links, or if we do we’ll use a password. The most common password in use for logins today is 123456, something like that. So, you know, breaking the security of these things is not necessarily as hard as one would think. Once you’ve violated that security, then you impersonate a user on the network, and you can steal that user’s traffic.

Remote attackers, Kevin Mitnick used to break into telephone company computers by impersonating an employee of the telephone company. Called up, say, plead, he’d say he forgot his password or whatever it took to get in and people would readily hand over the information he needed. But today you can probe a computer remotely over the Internet. You know all about -- I’m sure you all know about social engineering. We receive e-mails with links in them, fishing expeditions they’re called; spear fishing; sometimes they’re called whale fishing when it’s an individual who is very important. And you’re tempted to click on a link and you click on a link, and, bingo, your computer is now under the control of somebody else. But that’s also done with instant messaging, it’s done with Twitter, it’s done on Facebook. You know, it’s amazing what people are doing today.

And there’s another kind of attack we don’t talk about very much; that’s manipulating the domain name system. Here’s an outline of a type of attack that might be done remotely. The steps that are taken are the following: The target is enticed by a trusted source to click on a link, the effect is that the browser will then pursue, will follow that link to a remote site. At that remote site you download a program. That program now is designed to exploit a hole in the application you’re running. For example if you’re using Windows browser i.e., six or seven, you download this payload and it’s designed to find, to do perhaps a buffer for overflow attack; it’s some kind of attack that in effect takes over the computer. That little program that’s downloaded now opens up a back door, meaning it gives access to a hacker -- attacker -- to come in from the outside, and it connects to a command and control service that goes to another machine. At that machine it downloads a larger program, and now it’s ready to roll. The attacker can then move around, try to move around within the local area network, can decide what information to extract if that’s the goal, et cetera.

So the major types of attack, the ones that consist of seize and control of a computer, as I just mentioned. The second is a distributed denial of service attack where an attacker, a malicious person has controlled a large number of computers, and this individual then sends requests to one computer, so that it overwhelms the computer. This is the kind of attack that was used in Estonia in 2007. They were able to rescue themselves by moving a lot of their accounts off to I think Google servers or Akemi Servers, where they had much higher bandwidth, and it wasn’t possible to overwhelm those other sites.

You can also do a redirection attack, and you can do this down at the level of the domain name server, where you -- and I don’t want to go into details, because they’re pretty detailed attacks, but you can redirect people who are seeking to move to one website to move to another. So you might redirect people going to Bank of America site to your personal financial transactions and have them move to another site with a Web page that looks just like the Bank of America site, and they use that to capture all your information.

We’re given traditional advice on how to avoid infection; and you should follow that. I’m going to give you a few minutes on botnets because I think they’re very interesting. A bot is an infected computer, and the folks who collect these things and run them are called bot herders. Here’s a fascinating tidbit; you can buy a PC based botnet at four cents per PC. But as we all know, Mac, Apple can charge higher prices for their products. Turns out that if you want a Mac botnet it’s going to cost you 43 cents per machine. A botnet, when they were first introduced, I’m told, they were used for targeted activities, for example, it might be used to ex-filtrate financial data or they might alert unsuspecting users, or ex-filtrate intellectual properties from technology companies what have you. And then as they age, let us say, as they become better known, they will revert -- use them for spamming. They might use them eventually for denial service attacks. This is a whole lifetime; they evolve over time.

The botnets have to be run with a command and control. You have to have control. There has to be some site that is in control of these botnets, at least periodically; give them instructions, tell them when to do things, at what time to do things. And these command and control sites move around. These bot herders are very clever; so as a consequence, suppression is actually quite difficult. There is a botnet called Mariposa that was created by Spanish amateurs; these are not computer scientists, these are just basically criminals. Went out on the net and they found -- they bought the technology they needed and they managed, however, to infect machines in over 190 countries. They infected half of the Fortune 1000 companies; stole financial data from 13 million computers, and they were arrested. And they thought the botnet was shut down forever, right? But in fact the virus or whatever is still on the loose, and it’s now jumped to cell phones.

This chart you can’t see, I’m sure, so I’m going to ask you – this is a list of botnets by country, provided by Team Cormarie, which is a digital forensics company in Wales. And at the top is “Other” followed by Greece. And then the United Arab Emirates; they don’t have many botnets. The second from the bottom is Germany, and which nation do you think is on the bottom and has most of the botnets? The U.S. of A, right. Okay, now, that doesn’t mean that we -- that they’re Americans who are running these botnets. For all we know, these could be Russian hackers, or Ukrainians, or Chinese. We don’t know who owns those botnets, but it’s due to the fact that we have a lot of computers that are not protected.

I’m going to give you an example of another botnet, the Zeus botnet. It started spreading I think in 2008, and by 2009 it was very evident all over the place and they compromised by June 74,000 accounts; is said to have at least 4 million bots, and you can buy, or acquire, do-it-yourself kits to create your own Zeus botnet. In the last December, it was discovered that their command and control for this botnet were found at the Amazon Cloud.

Now do you know what the Amazon Cloud is? Amazon and a number of other companies offer cloud computing. These are large collections of PCs that are in racks, and with a cloud, what you do is you buy time and you buy storage capacity. In fact my son has a company that does exactly this. And these clouds have advantages, they use less energy, and are less expensive than owning your own computer, but they were found on the Amazon Cloud. If you wanted to stop the Zeus botnet, or a botnet like that, and you say command and control is on the Amazon Cloud, what would you have to do? If we came to a national emergency, what would you have to do? You would have to turn off the Amazon Cloud. That would have a huge impact on the economy. In fact what happened, something like this happened in Kazakhstan and a service provider out there failed, or was taken offline somehow. I don’t think it’s known how it happened but 25 percent of the Zeus botnet was cut off as a consequence.

Now here’s another interesting development. In February this year a new botnet organization appears called SpyEye, it’s thought to be Russian, and it has a Zeus killer feature. That is to say, it will steal botnets from Zeus. So the bot wars have begun [laughs]. It’s a whole culture here that’s developing.

I also want to point out as I’ve suggested before that our networks really are vulnerable. You know in this country we really have a backbone that runs across country by large companies that have high capacity communication domestic channels. You’re all aware I’m sure that we have cables down to the seas, to Europe, to Asia, et cetera. They carry a lot of traffic; if those cables were taken out, that would severely disrupt the Internet. As I mentioned the routers and the DNS service can also be targeted; you know, by stealing data. The good news is that the DNS servers are being secured as we speak. I think .gov is now fully secure, they’re working on .com, and it should be, I’m told, within about two years, half of all of the different route zones associated with the last three letters in an IP address will be protected, so there is progress on that front. As I said local networks can be easily spoofed.

So let’s talk about handling attacks. Clearly nations need to improve their defenses. The bad news here, I came to the State Department, I started -- took an interest in this topic of security last year when I knew I was going to be serving as a Jefferson Science Fellow, and I thought initially that there would be a magic bullet that one could find and that you could make computers completely secure. I’m now persuaded that that’s not the case, that there’s always going to be a cat-and-mouse game. You’re going to have folks trying to fill the holes, attempting to find new defenses and the hackers are always going to be out there competing with you.

But what can be done is our systems can be -- in the short term -- is our systems can be more resilient. Back at my department at Brown we have a server that handles the mail. We also have a slave on that server, so when that server fails, the slave, that’s completely up-to-date, knows that the master has failed, and it will take over the mail service. Things of that sort are needed, you know? Increasing the bandwidth of our cables at critical locations on the Internet is also another way to deal with denial service attacks. But if that isn’t sufficient, we might just ask ourselves as a nation: What do we do next? Are we going to get aggressive? And then the question you should ask is: Does that put us at risk?

Now, before we talk about this risky aspect of things, I think it’s good to pause and ask, well: How serious could a cyber attack be? So I’m asking these as a question to you for -- these are rhetorical questions. Temporarily disabling the computers at Norfolk is not such a big deal, you know, in a couple of weeks or so they can be restored. But if you were to take out the computer systems in Washington D.C., how would you feel about that? Losing a million credit cards…that might be important to us. How many of you have lost a credit card? Had it stolen from you? Okay, me too, all right. So, you know that, we can live with that.

Here in this room, another Jefferson Science Fellow, Paul Kinter, last fall gave us a talk on space weather, and he talked about the GPS system. And pointed out that in the U.S. electrical grid, the GPS is being used to synchronize the local power suppliers. They used to use atomic clocks but they were too expensive, so they found they could do the same thing with GPS, so fine, they’re using GPS. He pointed out that if there were a major solar flare, lasting, I don’t know how long, I don’t remember how long it was, but, you know, a short while, that could disrupt these GPS receivers, and the effect could be to cause havoc with our electrical grid. If the military Internet were to be disabled, how would you feel about that? How would you think that would be an act of war, or…this is an interesting question. How about disrupting that bank clearance system? And you say okay, we’re going to freeze something like $2 or $3 trillion in transactions? That would be alarming I think, and certainly if you destroy the electrical power grid, I think that could get us quite exercised.

The U.S. response to all these challenges has been to create the Comprehensive National Cyber Security Initiative, and it has these three main goals. First is to defend against immediate threats and that’s why communicating information between states and the federal government -- within the federal government and with states, private companies, to try to defend and protect against immediate threats. But looking out a little further their goal is to enhance our counterintelligence, and to deal with supply chain issues. Now this is a new issue in this talk; supply chain. What is the supply chain? Well, the computer I have here has software on it, hardware that almost certainly is not produced in the United States. We don’t know, with many of our computers, what is in them. It’s entirely possible that there could be chips sold to the U.S. government that have a kill switch in them, which means you can cause a machine to turn off. Now, if you did that with a fighter aircraft, I think that would be very alarming. You could do the same thing with the software. So that’s a very important issue, and we certainly need to take it seriously.

The third goal of the CNCI is to deal with the future by expanding some effort on cyber education, by redirecting our research priorities, and finding strategies to deter the criminal and hostile elements we have out there.

I’m going to talk about cyber deterrents for a minute. I want to ask: Under what conditions should a government consider retaliation? But before you do that, there are several issues you need to address. First is who did it? You really need to know for sure the source of an attack before you retaliate. You should also know what collateral damage will occur, and you should understand the domestic repercussions. It’s very interesting then to know that the National Academy of Sciences is starting a new study on cyber deterrents, and you are all invited to submit proposals. They would like to have their proposals by April 1 but that is not a hard deadline so if you went out exercised and want to contribute something, you go to the National Academy’s website and you’ll see an invitation.

You’ve seen this one before: “On the Internet, nobody knows you’re a dog.” So attribution is really hard on the Internet. It is possible to direct attribution just after an attack has occurred, I say is possible, it is not always possible but it may be possible, but later it’s going to be difficult. And the reason it is that you can trace a packet backwards through the Internet. And the way that that’s done is the various nodes on the Internet had kept a log of the data that moves through that site; so you can follow that data, use those logs to find your way back through the Internet. But the data is ephemeral. They need the storage, they don’t have enough storage, so they cannot keep the information for an extended period of time; they have to discard it. So that means if you’re pursuing a crime then you have to be quick about it. And especially if that criminal element you’re dealing with is not domestically based. If that criminal element is located in Europe some place, you want to be on the phone with your counterpart in Europe to try to get them to order an issue to collect that data.

But hiding packet sources has been easy, it’s very easy when you send a packet, as the sender, you can supply any source address. You should supply as your address the name of your site, but you don’t need to do that. But I’m told that spoofing is not often done these days, at least you know botnets they don’t bother hiding where they’re coming from. There is a technique called Fastblocks that can be used, but they generally don’t try to spoof their addresses it takes too much time and they’re in the interest of sending as much spam out there or doing whatever they do.

But there are also anonymizers, this is a network of computers, the purpose of which is to hide the packets so that you can’t find where they come from. And there will be a number of nodes that will participate in this; they will encrypt the information so that it gets encrypted multiple times as it passes through the network, and then it gets decrypted, that’s an onion. And these are apparently very effective in hiding sources from destinations. With traffic analysis, if you know, if you can watch all the traffic going into the onion router, such are the set of networks, the set of machines that fall under this onion router, and you watch the traffic coming out, then you may be able to determine who sent a particular message. But what we do need to do is develop smarter routers and better traffic analysis.

Let’s talk about collateral damage and repercussions. Many of the Internet attacks are really difficult to control because they’re based on viruses and worms, and when you launch a worm, you don’t know where it’s going to go. It’s given instructions to try and move to another machine, and so they’re progress is not predictable. You can damage yourself as well as your friends, so if we are going to employ cyber tech, it’s pretty clear that we need to have good deterrence capability. We may suffer more than others as a consequence; deterrence is not likely to be credible if the retaliation is not sure.

So I want to bring your attention now to a couple of issues that I think are really at the root of many of these problems. Microsoft has been very successful as a company, hasn’t it? And as a consequence we have in essence a kind of monoculture; you have one type of operating system on most of the platforms around the world. People say that you don’t have to have antivirus software on your Mac because the hackers are not interested in Macs. That’s because there are too few Macs out there in the world; it’s not because the Mac cannot be penetrated. Any computer can be penetrated. But if the point here is if you have a monoculture, you have one type of software, one operating system, one type of application such as Adobe -- the application Adobe Reader now has more penetrations, it’s said, than Microsoft Word. The reason for this -- so if you learn how to attack one of these applications, one of these operating systems, then you can attack them all. And that’s the reason why we often say that the network is as weak as its weakest link.

We also concentrate resources for efficiency. The Internet has -- suppose we took down, someone took down Google. A lot of us would be unhappy for quite a while. We’d have to use somebody else’s search engines, we might move to Bing for example, which is said to be equally as good. But there are a lot of choke points in the Internet, and disabling those could create problems. And as I mentioned before, cloud computing has become very popular. I could explain this to you but I don’t want to spend the time right now. Clouds do save energy, and they do reduce the cost of maintaining computer systems. But they also do concentrate resources in one place, and to me that’s very dangerous. And I mentioned the high bandwidth cables carry a lot of traffic.

Also the Internet is a new medium, and as a new medium it requires, I think, some deep thought. How many of you remember Marshall McLuhan? The medium is the message? It’s not the younger generation but he was studying television when he made a big deal of studying it as a subject. As I mentioned, National Academy of Sciences has a cyber deterrent study underway, last year they finished a cyber attack study. They didn’t consult any classified information; they produced a book that is available.

So, you know, we’re in an interesting position here. You can ask: What do we do next? Well, I think the cyber space issue is sufficiently important in challenging that the U.S. Government itself to a serious study of the subject. We have a Cyber Security Coordinator in the White House; unfortunately I don’t think that person has a very large staff. You know the Office of Science and Technology Policy; again, I don’t think there’s a large staff there either. I think it would be desirable to study this issue in the large and the broad context, and bring all of the players to the table; I’m not talking just about computer scientists, but policy makers, economists, people from business, industry, the banking community. Certainly we should encourage [unintelligible] to continue to improve security.

I think we also are going to need some legislation. Because, you know, there was this CNN broadcast, this program about three or four weeks ago in which they had a team simulate a nation under cyber attack. It was a very interesting broadcast. They concluded that the federal government didn’t have enough legislation to really deal with the problem. There is legislation passing through Congress at the moment, and we’ll see what that produces.

We also have to increase our engagement with international partners, and the reason for that is the Internet is global as we know; the crime on the Internet is global. We do need to establish norms of conduct for cyberspace, and we have to encourage our partners, our international partners, to try to seek adoption of these norms or maybe even enforcement. Dare I say that? And we should be, frankly, discussing the limits on aggressive use of cyber technology; I think the National Academy of Science is going to help in that regard, but I think more of us should be engaged. And we do need to educate the public. Right now the spear fishing attacks are -- we have no defense against them. I think one defense could be that we purchase a reputational service from a company that does track the spam out there, and if our reputational services don’t follow that link then we shouldn’t do that. We do have something akin to this now; your browser. If you use the Internet browser, you know that if you try to move to a site that does not have a certificate that’s been granted by one of the certificate authorities, the address bar turns bright red. And I’ve -- that’s happened to me recently. Firefox yesterday put up a nice dialogue box saying, this is an untrusted site, do you really want to go there? It’s that kind of service that will help all of us I think from creating a problem for ourselves by clicking the wrong links.

And then we also need as a nation to invest in innovative R&D. I’m actually sitting on a couple of committees that are doing just that, as well as policy development. You know it’s not all gloom and doom, there are some leap-ahead technologies, these Comprehensive National Cyber Security Initiatives, CNCSI said we should look for leap-ahead technologies, and the Office of Science and Technology Policy last year conducted a study, they brought in academics, industrial people, and asked them to propose new technologies, and they did that; and amongst those that they proposed are ways to take the common software we use, and to produce variants of those. They perform the same function, but from the point of view of an attacker look different. So if an attacker has spent some time doing reconnaissance in your machine, and finds that it has certain vulnerabilities, the new variant of this machine will have different vulnerabilities; and so the reconnaissance will not be useful. If you change the operating system periodically, if every night you went to bed, your computer replaced the operating system, then if that operating system had been affected during the day that infection would be eliminated. That botnet, if you’re part of a botnet, you would drop out of the botnet.

Another leap-ahead technology that’s being discussed is cyber economics, finding ways to use economics incentives to businesses to clean up their computers. So here’s an example: You go to an insurance company and say, we’d like you to introduce a cyber fraud insurance policy. If the company would then offer that policy to insurance company, or offer it to a company saying, “Listen, if you give us the incident data that you have received, the attacks that you have received, we will give you a lower rate.” Then those insurance companies can collect that data, pool it, in fact, amongst all the insurance companies, create actuarial tables, and based on that they can then reprice the insurance. And in addition, they could do what’s been done in a lot of businesses. If you sell insurance against injury to workers, those companies selling that kind of insurance will go into the workplace, and try to improve the workplace to reduce the number of accidents that occur. Well, insurance companies should do the same thing. So we could create an incentive system that would be designed to improve security.

There’s another effort underway in the government, the Cyber Security Coordinator has created this committee and sub-committee structure, one of which is dealing with identity management, I happen to sit on that as well. And there are proposals to integrate secure identity management into our computer systems, into our applications. And identity management means that everyone has digital identities, you might have multiple, not just one, and they may be say a trusted third party that issues you those credentials, you use those to travel on the Internet, make purchases, things of that sort. If that can be integrated into operating systems, into applications, which is not done today, that may lead to more secure systems.

I’ve mentioned supply chain; we really may have to do a lot more work on this, there is work being done in the advanced research projects agency to do analysis of CHIPS to see if they are doing what they’re supposed to be doing. There’s one development that occurred last year, this is crypto computing. The crypto computing problem was actually defined about 30 years ago by Ron Rivest and a few other people. And what they proposed is they asked the following question: They said is it possible to encrypt the data on which we compute, so that as we compute, we never have to decrypt it, and the results we get are still correct. That problem had no solution until May of last year when Craig Gentry, who just got his Ph.D. at Stanford University, presented a paper at a computer science theory conference. There is now a way to do this. You can not only encrypt the data, but you can also encrypt the programs, so that a person watching -- if your computer might have been compromised to the point where all the data is visible to an attacker, all of it, an attacker looking at this would not be able to determine what data you’re working with or what programs you’re running. Now, that’s the good news. The bad news is, right now, his techniques are very, very inefficient; very inefficient. But the good news is now he’s given inspiration to a lot of bright young minds who will, I hope, pursue this problem, and find either better complete solutions or partial solutions. So that’s very encouraging.

So I only have a last word on security before closing here. Security is very difficult to establish. I’ve found -- I’ve read a paper in which the authors show that if you change one bit in memory, a standard program that’s in use today will malfunction when you should not have access granted to you. It illustrates how sensitive security really is. And then proving that a method that someone introduces to securitize the computation is secure, that in itself is challenging. When this Craig Gentry solved the crypto computing problem he had to rely on the security of another method of encryption called lattice encryption, lattice-based encryption. And that took a lot of work to prove. And this kind of thing requires mathematical thinking; it’s done by theoretical computer scientists and mathematicians. And my last point here is that it’s probably not prudent to assume that the world as it’s -- cyber space as we know it today is going to be the cyber space that we’ll live with in the future. And I make that point not just to give me a role to play because I am a theoretical computer scientists, but also because I think it is -- we should be thoughtful about the kinds of policy formulations we make because we don’t -- we want to know if policy as we formulate it is going to restrict us in the future, maybe prevent us from having secure solutions that we need, or not. But in any case, I think good policy formulation is probably it does require both good technologists and policy makers at the table.

I thought I’d lighten things up with this one here: “Phil thought of the middle name, QX12PGY100, so he would always have a secure password that he could remember.”

Okay, in the near term things are improving. Vendors do have robust securitization efforts. My son and my son-in-law are both at Microsoft. And my son is a developer and he has explained to me the techniques they use; they put a lot of money and effort into doing this since about 2001 or 2, and the number of bugs that have been reported is not going up; it seems to be going down.

As I said earlier the DNS service which are a crucial part of the Internet are being hardened. And I think the prospects for improvement are good. I think academics -- I know academics are engaged in security research. I think they need more motivation. I think they need to hear from those of us who worry about this a lot; the U.S. Government is going to launch this leap-ahead research initiative in 2012. That holds a lot of promise. There are actually efforts under way now that look very promising. And certainly advanced discussions are under way as you may know, Michele Markoff and David Edelman of the Cyber Affairs Office have successfully launched a -- had a resolution passed on developing a global culture of cyber security. So in conclusion cyber space is really a new, a complex new medium; I think we’re coming to grips with it but it still presents lots of challenges. I think we’re going to be at it for decades, but the bottom line for me is that while it won’t be easy I think it’s going to be fun. Thank you very much.


Female Speaker: If you have questions…

Male Speaker: I had a question. Could you go into more depth about the dangers facing smart grids, and…

John Savage: Well, I’m not an expert in this but what I do know is that each of our homes is going to have a little computer built into the meter. These are going to be on the Internet. It could be -- I don’t know whether there will be an actual -- whether the Internet cable itself will be the power network, which it might be. So they could be a source of denial service attacks. There’s also, it also means that there could be people playing around with your bill; could affect the amount you’re charged. And there’s also talk of integrating all these electrical companies. You know when the grid was deregulated a number of years back. A lot of our companies are actually operating with smaller margins than they used to. And a lot of you know -- many of the -- I’m told that the computers that control the electrical power generation, the generators themselves, are on the Internet. And DHS, a few years ago I’m told, conducted an experiment in which they demonstrated that it’s possible to use such a computer controlling an electrical power generator to cause it to actually be -- to destroy itself. So, you know, there are risks out there. But I’m certainly not an expert on the smart grid.

Male Speaker: Thank you.

John Savage: You’re welcome.

Male Speaker: Hello, thanks for the great lecture. You briefly mentioned cloud computing, and indications are that there’s going to be a fairly large scale shift toward a lot of stuff moving to clouds and use of clouds by major operators. Some of these operators also claim that if they concentrate the information on the cloud that they own, they’re able to put additional protection on it that you wouldn’t have if you were starting it on your own local network. So I would be interested in a few more words about what the implications of a widespread move towards cloud computing is.

John Savage: Well if a -- cloud again is a large collection of computers. And if you can concentrate the computing power one place, you can manage that resource with fewer staff. You can also have more expert staff. You can also maintain -- you can keep the operating systems, the applications running in that cloud up-to-date. And so it is, I think, if you contrast a cloud; if you took all the computers that people have in their homes, and replaced them with clouds, it’s probably true that the security of those systems would go up. That individuals -- because individuals don’t take the time, unless they’ve got an automatic backup feature on their operating system, they wouldn’t otherwise take the time to do an upgrade.

The flipside of that is it’s a big target; and for those, you get inside -- it’s like the Maginot wall -- the Maginot line. You get inside the Maginot line or if you go around the Maginot line, you have full access. And that’s what worries a lot of people in the security industry. This is -- I myself worry about that a lot; just simply because it’s relatively easy to violate the security of a system. So as a consequence I feel like we should be moving cautiously in that direction.

There are -- there’s a powerful case for saving energy, and the reason for that is that what these clouds do is that on each of the processors they run multiple virtual machines. A virtual machine simulates a real machine, looks just like, almost like a real machine. And you can then buy a virtual machine, you know that all of you who have computers realize that your computers are sitting idle at the moment; and those cycles could then be harvested and used as a, on a cloud. So I’m not sure how it’s going to shake out. It looks like this train is moving now and it may be difficult to stop it. But there is, as you probably know, there’s a push within the U.S. Government to move a lot of U.S. Government computing out to clouds, and it’s going to be interesting to see how people inside the react to that.

Female Speaker: If speakers could please identify themselves…

Anthony Nolan: My name is Anthony Nolan, ISN/CATR . You talked a little bit earlier about there being a sheriff for the Internet. If you could tell us a little bit more about that possibly, you know, who would issue the badge, what county would he work for, you know --

John Savage: [laughs] Okay.

Anthony Nolan: -- what the governance might possibly look like. And furthermore, everybody in this room has, we’ll just say, several passwords. If you can talk about the future of passwords --

John Savage: Sure. On the first question, I’m available.


You can’t have a sheriff unless you have some laws. I mean, otherwise, you engage in a gunfight every time you want to deal with a criminal element. So I think what’s needed is we need to better understand the Internet, better control the Internet, and gradually over time establish a set of rules, laws maybe, regulations perhaps, so that we can police what’s going on there. And, has the time come on the public estimating that? I don’t know; I don’t think so yet.

On the second question about passwords: If you have a lot of passwords, as many of us in this room do, you’ve got to find some clever method of creating passwords because if they -- especially if they have to be changed frequently. Otherwise it becomes very difficult and people resort to writing them down which is not a good thing either. One step to move away from lots of passwords is to have a very secure method of identity associated with an individual, which then can be used through a service, a trusted agent, to produce those passwords to be used in these various contexts. And the jury’s still out on how that’s going to be done, people are suggesting biometrics, you know, a fingerprint, a retinal scan; you know things of that sort. I saw a movie the other night in which biometric scan of a retina was used to gain entry into a lab, and what struck me -- think it was the program NCIS -- was that one person had their retina scanned, and walked through the door, and everybody else followed suit.


So you have to ask yourself what value biometrics have in that context. Cyberspace is a mess right now and it needs a lot thoughtful attention. You know we also have to pay a price for security; security is not cheap. Those of us who live in secure environments know that you just can’t open the door and walk in; you got to have a badge, there are various procedures you have to have to follow to get in there. And as someone who is new to government it’s been, it took me a while to get used to this. I also don’t have in my environment all the rich things that are available on my home computer. But I’m willing to give that up for the better; for the good. Okay, any other questions? Yes.

Carl Miller: Hi, Carl Miller, Oceans Environment and Science. Considering security emanates from the idea of the control of the system, as does censorship emanate from the control of the system –

John Savage: Yeah.

Carl Miller: In light of the fact of the recent decision of Google to redirect its website to its Hong Kong affiliate, how successful do you think the world can be in establishing a global security regime for the Internet considering we don’t have a global regime for censorship or freedom of speech?

John Savage: Well it’s very difficult, you know there are nations that do want to control speech, and in some cases we read the newspaper that the amount of traffic coming out of Iran is down because they just restricted the bandwidth of the services of the pipes that lead, come out of Iran. You can throttle back service and speeds that way. I think what’s needed is countries need to come to an understanding that their freedom of expression that the Internet is capable of providing is in their interests. According to press reports from China over the Google story, the Chinese government is -- you know I heard around on television something that the -- that they want Google to continue to practice this censorship even from their operations outside the country. They’re not doing it now but they would like them to do that. I tell you I think it’s just going to require some time, some international discussions, negotiations, before that comes to pass, if it ever does.

Chris Herrick: Chris Herrick, ISNSPO, can we talk just a little bit more about the telecommunications industry and the potential vulnerabilities there? Particularly given in the industry towards more of an IP based technology?

John Savage: Right, so, you know in the past we had a -- telephone networks were switched; that is to say you had a set of switches arrayed across the country, and you would establish a path, and once you had that path, unless there was someone or some point at which there was a possibility to eavesdrop, those calls were secure. And I myself have often felt that the switch network was more secure than the computer. Now on computers what you can do is you can use technology that must be 50 years old, and you can sample the speech, convert that speech into bits, and send those bits over the Internet. It’s called voice-over Internet protocol, it’s used. Now that you have voice being transferred in that way, it’s as insecure as anything else travelling over the Internet. What was the last part of your question?

Chris Herrick: [inaudible]

John Savage: Have I answered your question?

Chris Herrick: I was thinking in terms of the types of attacks that are possible, you know, affecting -- how could that potentially affect say the larger telecommunications providers, is that sort of thing a possibility down the road?

John Savage: Affecting the telecommunications providers? Well, if they -- for example, losing a cable; losing [unintelligible] cables, that kind of thing happens because ships are dragging anchors, things of that sort? Oh you’re asking how are the telecommunications companies going to survive in the face of competition from voiceover Internet protocol?

Chris Herrick: I was thinking more in terms of their protection from a software standpoint.

John Savage: Well, they run computers like everybody else, and anybody who runs computers and is on the Internet, even if there is an air gap between the computer and the Internet, those air gaps can be breached. So they’re at risk too.

Female Speaker: Last question.

Pete Kelly: Hello, Pete Kelly. You mentioned early on that the TCP protocol was adopted in the early ’80s and everything is flowing through there. I was wondering are there alternative architectures out there which perhaps could be adopted that might mitigate against some of these things, and of course the huge legacy issues involved here, but I was wondering if, say for example the electric companies, if they’re wont to use an Internet to control the SCADA devices that control their breakers. Perhaps they could use an alternative that would be standalone from the common Internet.

John Savage: Well they don’t need -- the computers running these SCADA systems don’t need to be on the Internet. They are often put on the Internet because the operators want to be able to access these controllers from home, at night, on weekends. Or they want to have data immediately from these systems so that they can write their reports, do things of that sort. On the first point -- but the point still is it’s been shown that even with air-gapped computers that people will move data from one machine that’s on the Internet to one that’s not using a flash drive. Last spring there was a person who gave a talk at MIT who described this as a threat. That it was a real threat. On the matter of TCPIP there are more to protocols than just TCPIP, there are many of them that are used; I don’t know that I can say hundreds but there are certainly many tens of different protocols that are used. Unfortunately I don’t think that’s the solution, changing those is the solution to the problem. Thank you.

Female Speaker: Thanks very much.