11-3: How to Fix and Not to Fix Vulnerabilities

In the introduction to “Cyberdeterrence and Cyberwar”, Martin Libicki states, “Cyberattacks Are Possible Only Because Systems Have Flaws.” While in some sense this is true, it fails to distinguish between the different sources of these flaws. Libicki goes on to describe systems that behave contrary to their design, or that can be forced to do so. However, a large number of flaws in systems arise from design-performance-security trade-offs, regardless of implementation. The five vulnerabilities of the Internet that Richard Clarke analyzes in Chapter 3 of Cyber War exhibit this property. Specifically, vulnerability #4, the ability of the Internet to “propagate intentionally malicious traffic designed to attack computers,” is the result of nearly three decades of trying to achieve a complete end-to-end design. A naive solution, deep packet inspection (DPI), involves reading the contents of IP packets as they pass through routers and filtering out any that are deemed malicious. Clarke notes that ISPs generally do not want to implement DPI “in part because it is expensive and can slow down the traffic, and also because of privacy concerns.” Even if DPI were deployed network-wide, attackers can disguise malware by encrypting it before sending it across the Internet, bypassing the filters.

As a more concrete example, let’s quickly analyze e-mail spam. E-mail was designed so that any message properly addressed to your account is accepted and stored, a feature which spammers continue to take advantage of. The current solution is the use of ‘smart’ spam filters, which are sometimes even personalized. But imagine for a second that Google filtered out an e-mail before it ever reached your account because it considered the message spam or malicious, when it was actually legitimate. If the sender has no other way of contacting you (which probably isn’t the case, but makes more sense when dealing with machine-to-machine communication), filtering e-mail before it reaches your inbox would be a design failure. Though I don’t think we should allow all traffic to flow freely across the Internet, a solution, not just a patch, must be well planned out, and in my opinion can only result from collaboration between security experts, systems designers, and policy makers. — Craig
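A small added illustration of the two filter limits discussed above, written for this page rather than taken from the post, Clarke, or Libicki: a toy signature-based content filter (the DPI / spam-filter idea) that blocks a known byte pattern in the clear, has nothing to match once the same payload is encrypted, and falsely blocks a legitimate message that happens to contain a flagged phrase. The `deliver` function shows the design alternative the post hints at: a filter that quarantines instead of silently discarding, so a false positive is recoverable. The signatures, messages, key, and the XOR "cipher" standing in for real transport encryption are all constructed for the demo.

```python
"""Added example, not from the original post: a naive signature filter and
the two ways it fails that the post describes (encrypted payloads pass,
legitimate messages get blocked). Everything below is constructed."""

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


# Constructed signatures: byte patterns the filter treats as malicious/spam.
SIGNATURES: List[bytes] = [
    b"CONSTRUCTED-MALWARE-MARKER",
    b"FREE MONEY",
]


@dataclass
class Decision:
    verdict: Verdict
    matched: Tuple[bytes, ...]  # which signatures fired; empty on ALLOW


def inspect(payload: bytes, signatures: List[bytes] = SIGNATURES) -> Decision:
    """Naive DPI: scan the raw payload bytes for any known signature."""
    hits = tuple(sig for sig in signatures if sig in payload)
    return Decision(Verdict.BLOCK if hits else Verdict.ALLOW, hits)


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for real transport encryption (TLS, PGP, ...).
    Any cipher has the same effect on the filter: no plaintext left to match.
    XOR is symmetric, so the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def deliver(payload: bytes, quarantine: List[Tuple[bytes, Tuple[bytes, ...]]]) -> Tuple[Verdict, bool]:
    """A filter that never silently discards: blocked messages go to a
    quarantine the recipient (or operator) can review, so a false positive
    loses nothing. Returns (verdict, delivered_to_inbox)."""
    decision = inspect(payload)
    if decision.verdict is Verdict.BLOCK:
        quarantine.append((payload, decision.matched))
        return decision.verdict, False
    return decision.verdict, True


# Constructed sample traffic.
MALICIOUS = b"GET /x HTTP/1.1\r\n\r\nCONSTRUCTED-MALWARE-MARKER"
LEGIT_BUT_FLAGGED = b"Subject: re: grant\r\n\r\nDid you get the FREE MONEY joke I sent?"
LEGIT_CLEAN = b"Subject: lunch\r\n\r\nNoon at the usual place?"
KEY = b"demo-key"  # constructed; stands in for a real session key


def run_demo() -> Dict[str, object]:
    """Exercise the filter and return the outcomes so they can be checked."""
    quarantine: List[Tuple[bytes, Tuple[bytes, ...]]] = []
    results: Dict[str, object] = {}

    # 1. Plaintext malicious payload: the signature filter works as intended.
    results["plaintext_malicious"] = inspect(MALICIOUS).verdict

    # 2. Same payload encrypted end-to-end: the filter sees only ciphertext.
    ciphertext = xor_encrypt(MALICIOUS, KEY)
    results["encrypted_malicious"] = inspect(ciphertext).verdict
    results["roundtrip_ok"] = xor_encrypt(ciphertext, KEY) == MALICIOUS

    # 3. Legitimate message containing a flagged phrase: a false positive.
    verdict, delivered = deliver(LEGIT_BUT_FLAGGED, quarantine)
    results["legit_flagged"] = (verdict, delivered)

    # 4. Ordinary legitimate message: allowed straight through.
    results["legit_clean"] = deliver(LEGIT_CLEAN, quarantine)

    # The false positive is recoverable because it was quarantined, not dropped.
    results["quarantined"] = len(quarantine)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the module prints each scenario's outcome; the point for the argument above is that case 2 and case 3 are both consequences of where the filter sits and what it can see, not of any bug in its implementation.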