Resetting the System: Why Highly Secure Computing Should Be The

Resetting the System Why highly secure computing should be the priority of cybersecurity policies Resetting the System

Why highly secure computing should be the priority of cybersecurity policies

By Sandro Gaycken & Greg Austin

January 2014

About the Authors

Dr. Sandro Gaycken is a senior researcher in computer science at the Free Univeristy of Berlin, with a focus on cyber war. He is a senior fellow at the EastWest Institute, a fellow of Oxford University’s Martin School, a director in NATO’s SPS program on cyber defense, and he has served as a strategist to the German Foreign Ministry on international policy for cybersecurity in 2012-2013.

Dr. Greg Austin, based in London, is a professorial fellow at the EastWest Institute and a visiting senior fellow in the Department of War Studies at King’s College London. _

The authors would like to thank Felix FX Lindner (Recurity Labs Berlin), John Mallery (MIT), Neil Fisher (Unisys), Doug Mackie (Georgia Tech), Kamlesh Bajaj (DSCI), and, from EWI, John Mroz, Bruce McConnell, Karl Rauscher, James Creighton, Andrew Nagorski, Sarah Stern and Franz-Stefan Gady, for a critical review and their helpful comments.

The views expressed in this publication do not necessarily reflect the position of the EastWest Institute, its Board of Directors or staff. _

The EastWest Institute seeks to make the world a safer place by addressing the seemingly intractable problems that threaten regional and global stability. Founded in 1980, EWI is an international, non-partisan organization with offices in New York, Brussels, Moscow and Washington. EWI’s track record has made it a global go-to place for building trust, influencing policies and delivering solutions. _

The EastWest Institute 11 East 26th Street, 20th Floor New York, NY 10010 U.S.A. +1-212-824-4100 _

[email protected] www.ewi.info Resetting the System 5 - executiveumm ar s y s state-sponsored intrusions and high-end they are producing evolved, kinds novel of Our risks. security present paradigms fail criminal activity in cyberspace to protect have us from those risks. These paradigms have tolerated inherent structural security deficitsof informationtechnology for too long; they create the impression

- reassess a on based is approach Our privacy. and freedom preserve to helps also It tribution. ment of the the four components of public balance between cybersecurity: needs in the face of novel and serious risks; the relative security levels of commercially available technology; and behavior of policy and technologies; patterns market options high for security disruptive persistent overcome to intervention government strategic recommend will It sector. ICT the in and in and to and market wider stimulate policy application investment failures of - the neces technologies. sary computing secure highly propose we alternatives, its of light in and urgency growing its to Due as a new priority for cybersecurity policies internationally. Governments should send clear signals to enable security-driven IT innovation, starting top-down with the highest security requirements in the highest value targets. They should cooperate internationally to realize this new quickly paradigm and to they stem of the high-end evolution before cyber attackers by adjust to market the help would paradigm new this adopted, Once damage. more inflict can win-win- a becoming thus opportunity, commercial of lines new interesting up open and itself and prosperity. freedom security, for win strategy We call for a new ecology of cybersecurity. It is based firmly on the disruptive concept of highly of concept disruptive the on firmly based is It cybersecurity. of ecology new a for call We relying computing, primarily secure independent on of security measures, passive attack at that policy is simply captive to this highly vulnerable A new environment. remedy in favored may some be but countries seems ineffective this to be emerging preference defense, active helpful. than dangerous and more A Introduction economic security depend.1 They can undertake sabotage and espionage in many seg- nternational peace and economic stability ments of any digital society, producing dif- depend ever more greatly on critical infor- ferent kinds of strategic damage while being mation infrastructures. Unsurprisingly, in- almost invisible. They pose a huge challenge, creasingly sophisticated attackers emerge, one that should be tackled urgently. In addi- I tion, societies also need to develop more ef- willing to exploit these dependencies. Yet at the same time, security is not growing more fective cyber defenses against larger criminal mature. Most of the security industry and re- organizations and terrorist groups—as well search still focus strongly on the cybersecu- as against a handful of irresponsible states. For a long time rity problems and tactics of the 1990s—hit- For a long time now, the dominant approach now, the domi- and-run, end-user-oriented computer fraud, hacktivists’ website defacements, denials of to cybersecurity has been based on the pub- nant approach service, and similar petty cyber crimes and lic health model in which education, monitor- low tech intrusions. The challenges present- ing, epidemiology, immunization and incident to cybersecu- 2 ed by a permanently altered, novel security response were the key planks. This model rity has been environment with an entirely new set of re- did not provide sufficient security, not even against petty criminals. It may now be time to based on the quirements are largely unappreciated. As a result, insecurity and cyber risks are rising devote far greater attention to the creation of public health significantly. healthier, more resilient systems with inherent immunity even against high-end attack- model in which As the technical chapter of the International ers. education, Telecommunication Unit (ITU) High Level In fact, we face such a rapidly changing threat monitoring, Experts’ Group report said in 2008: “Today’s computing environment is global, with data that leading actors now prefer a military mod- epidemiology, flows traversing many geographies, and us- el to a public health model. To compensate for the lack of technical protection, many immunization ers accessing networks and application from virtually anywhere. Security requirements states and corporations are looking at active and incident vary widely in different segments of global defense (“hack back & deter”). But this ap- response were computing environments, ranging from acceptable (but not impregnable) to environ- the key planks. ments where security is frequently over- 1 In this article, the authors want to follow looked.” Even the assumed high security in a the advice of Brookings’ Allan Friedman who handful of sectors in a few advanced econo- suggested “caution against conflating different mies (such as civil nuclear power or financial threats simply because they all involve informa- services in the United States or Europe) is tion technology. He added: “Crime, espionage and now in question, with U.S. security agencies international conflict are very different threats, reporting rising concern about the possible and grouping them together can lead to poorly vulnerabilities of information systems that framed solutions.” The authors are interested in were previously understood to be high secu- addressing nationally significant cyber threats, rity. Those concerns even extend to the mili- such as cyber warfare and cyber espionage, while tary and intelligence domains. noting that many of the solutions in this domain

ystem might have relevance to lower level threats at an State actors have emerged as the greatest enterprise or personal level. See Allan Friedman, potential threat to critical information infra- “Economic and Policy Frameworks for Cyber- structures on which international peace and security Risks,” Center for Technology Innova- tion, Brookings Institution, 2011, p. 1. Friedman advocated the need to disambiguate cybersecurity as a multi-level problem by focusing on an

Resetting the S “economic approach”: “The economic approach to information security focuses on the incentives 6 of these actors, and whether these incentives align with a socially optimal level of security” (p.5). We very much agree with this approach. 2 The EastWest Institute, “The Inter- net Health Model for Cybersecurity.” 2012, http://issuu.com/ewipublications/docs/ internethealth?e=1954584/2708658 Resetting the System 7 The concept of of concept The secure highly computing become to has of focus a renewed scientific research, industrial and design policy. public - - -

6 But, significant But, , , which was the 5 Reliability of Global Communi- IEEE and the EastWest Institute, “Reliabil Institute, IEEE and the EastWest J. E. Dobson and B. Randell, “Build E. Dobson J. 6 5 ity of Global Undersea Cables Communications Cables Communications ity of Global Undersea 2010, http://www.ieee-rogucci. Infrastructure,” org/files/The%20ROGUCCI%20Report.pdf. ing reliable secure computing systems out systems computing secure ing reliable IEEE, components,” insecure of unreliable republished in the published in 1986, first Annual Computer of the 17th Proceedings 2001. Conference, Security Applications cations Cable Infrastructure product product of multi-sector consultations which and called for - internation new secure and robust reliable, highly measures to ensure infrastructure. al communications This paper will: (1) comment briefly on systemic the information security threats from reality; dominating and enduring an as states (2) argue why active defense is more gerous dan- than helpful; (3) propose a different paradigm, that of highly secure computing, which matches the actual threat; (4) discuss in prominent been not has paradigm this why the past; (5) detail suggestions for possible and response; (6) the review international or diplomatic dimension. and Brian Randell, who were critical of those who believed it possible “construct to totally systems.” computing secure ly, ly, these two scholars are also among those as computing secure highly up held have who a worthwhile goal for scientificresearch and public policy. This EWI discussion paper also takes some inspiration from the joint IEEE-EWI report of 2010 on the We 4 - - It is politically politically is It 3 Another, more common term could could term common more Another, See Jody Westby, “Caution: Active Re- 4 3 proach is beset with problems. with beset is proach understand understand it to mean “information - technol ogy with with high “highly security,” secure” - only to be in “likely breached excep implying tional and rare circumstances and costs at and We agree risk.” with high John Dobson sponse to Cyber Attacks Has High Risk,” Forbes. com, November 29, 2012, www.forbes.com/sites/ jodywestby/2012/11/29/caution-active-response- to-cyber-attacks-has-high-risk/. be “trustworthy computing,” but this notion computing,” be “trustworthy on the high end of a computer’s doesn’t focus much of our that note Also, security. inherent is not about the Inter approach proposed net. Securing the endpoints, the hosts of the the hosts endpoints, Securing the net. effec and more important is more networks, leading there. than securing the paths tive The authors are aware that “highly computing” is secure not a widely used term. fraught, and is viewed negatively in and countries is negatively fraught, viewed where public opinion is opposed to the mas- sive surveillance capability that goes with it. it as destabilizing, strategically is it Moreover, And invites its is escalation. - effectiveness re attribution is not fully clear. whenever duced A different, more solid paradigm would highly be desirable. It would depart from - tradi tional IT security and acknowledge the - exis tence of very powerful new attackers, while bolstering online privacy and Internet - free dom and avoiding the concept the problems approach, an such create of To - attribu tion. of highly secure computing has to become a focus of renewed scientific research, indus- and public policy. trial design The Threat Trend: erations, with an optimization of the exploita- tion of results or with novel kinds of strategic Cyber War May Take Place cyber-operations. Such operations might aim to manipulate the digital flow of facts and As mentioned above, state actors and their opinions (information operations). Or they strategic cyber operations should be the could weaken an adversary’s economic and main security concern of those seeking in- Cyber war- geostrategic power through economic espio- ternational collaboration in cyberspace. Or- nage and sabotage or financial manipulation. fare is already ganized crime and terrorists will also remain All of this is possible and, if executed properly, among the high-grade threats as their ca- judged to be could produce the desired strategic outcome pabilities continue to shift toward systemic at reasonable cost. strategically threats with the potential to disrupt national security, economic prosperity or social stabil- valuable, and The second kind of evolution is operational. ity on a larger scale. The activities that pose This level is concerned with techniques and even essen- national-level security threats are currently tactics below the strategic level. Here there undergoing two kinds of evolution. tial by at least is considerable room to believe that past incidents might not be strong indicators of the 10 countries. The first kind of evolution is conceptual. It is efficiency of future cyber operations. They concerned with strategic ideas and doctrines. Once it has were bulky, complicated and expensive, with Signals intelligence (intercept and decoding uncertain outcomes and a limited under- been profes- of secret communications) and electronic standing of long-term collateral damages.8 warfare (disrupting and altering signals and sionalized and Their cost relative to gain had been seen as data on the battlefield) were the principal ap- so questionable that it has prompted authors further com- plications of offensive national cyber capa- like Thomas Rid and Peter McBurney to ar- bility until 15 years ago. But now it is clear to modified, its gue that cyber warfare will be too expensive most strategists and tacticians alike that cy- and attacks too monolithic to ever form a efficiency will ber operations can do much more. They are solid new paradigm.9 a golden key to any kind of digital society—a be multiplied multi-purpose tool to manipulate it, a mag- But these scholars may have looked more and it will be- nifying glass to observe it and a hammer to at an isolated piece of recent history, mis- disrupt it. come a golden taking it to be state-of-the-art rather than a prototype. Assuming this latter view, military tool for many. One new avenue of strategic thought is con- cyber attacks may yet be a new paradigm in cerned with deterrence doctrine, which al- IT, merely nascent and not yet in some final lowed for a favorable military balance of pow- stage. Hacking in the service of state security, er. It is currently undergoing a transformation broadly defined, is just another IT market. It in a number of ways under the influence of consists of programming software (known a spectrum of emerging offensive cyber-at- as “exploits”) and of constructing hardware tack capabilities. A “targeted capability” can (such as an infected supply chain) for a spe- demonstrate mastery to attack only systems cific and in this case novel and demanding used for specific military, economic or politi- purpose (defeating target security systems). cal purposes. A “general capability” can dem- Viewed as such, military hacking is presently onstrate mastery to attack any kind of sys- in its infant, “backyard garage” stage of mar- ystem tem, posing a broader threat, with an ability ket-readiness, which may yet be developed of “assured disruption” of the vital IT services and data highways. The ability to create a “forced transparency” can lead to the collection of secret information. Many other such postures for deterrence are conceivable.7 8 Regarding the aspect of collateral damages, see Austin, The Costs of American Cyber

Resetting the S Other kinds of novel strategic thinking are Superiority, (http://ewipolicy.tumblr.com/ concerned with the higher-order conse- post/57507054358/costs-of-american-cyber- 8 quences of military or intelligence cyber-op- superiority) and Gaycken,“Stuxnet and Prism – Symptoms of a Policy Failure,” International 7 See: S. Gaycken, “Cyber as Deter- Politics Journal, July 2013. Online at: https:// rent” in: Maurizio Martellini (ed.), Cyber ip-journal.dgap.org/en/ip-journal/topics/ Security: Deterrence and IT Protection for stuxnet-and-prism-symptoms-policy-failure. Critical Infrastructures, Springer Briefs in 9 Thomas Rid & Peter McBurney (2012): Computer Security, December 2013. Cyber-Weapons, The RUSI Journal, 157:1, 6-13. Resetting the System 9 How can this this can How kind new hacker, of state- the sponsored attacker, cyber confronted? be Traditional security IT social its and management not clearly are task. this to up - - - - - ad hoc - reac and (detection-focused haracter and And the supporting ecosystem 12 Including “venus traps” or the very old or the very traps” Including “venus 12 ex post facto kinetic means of security, as the recent shooting recent as the of security, means kinetic See: suggests. of Iran of the cybercommander http://www.telegraph.co.uk/news/worldnews/ middleeast/iran/10350285/Iranian-cyber-war - fare-commander-shot-dead-in-suspected-assas 18, 2013. , accessed November sination.html sabotage. is being generated as well. A cyber-military market is presently evolving, with interest ing fusions of small hacker firms, traditional IT corporations and defense industry enter prises. These actors are looking to take ad- vantage of legal loopholes or create legal in- novations for cyber attack and are adapting accordingly. structures their organizational If this operational evolution in state hacking is taken into account and its strategic value is there of evidence - the acknowledged, feasi bility and efficiency of cyber warfare. Cyber warfare is already judged to be strategically valuable, and even essential by at countries. Once least it has 10 been professionalized be will efficiency its commodified, further and for tool golden a become will it and multiplied many. How How can this new kind of hacker, the state- sponsored cyber attacker, be IT security and its social - Traditional manage confronted? ment are clearly not up to this task. Leading computer corporations, - scien governments, tists and - said civil so have leaders society re Current peatedly. policies are mostly or Active Defense: C Political Risks Operational tive) tive) and overly accepting of a highly vulner existing the of few where environment, IT able vulnerabilities and vectors can be secured in advance. These security paradigms do only a mediocre job against teenagers and petty criminals and provide no against highly serious organized, well-resourced at defense tackers. There is some According proof to of material this Snowden, the leaked U.S. hypothesis. conducted 231 by offensive Edward cyberoperations in 2011, while ously investing simultane- $652 million to plant thou------10 The concept of megacorporation is of megacorporation The concept Involving concepts and procedures from from and procedures concepts Involving with the development of specific tech- specific of development the with 11 11 10 reconnaissance and footprinting, acquisition, de and footprinting, reconnaissance infiltration to field-testing, and testing velopment, exploit of privileges, escalation and penetration, infor discovery-evasion, deception, maintenance, de- exfiltration, to sabotage, or extraction mation traces, and quality assurance. of or planting letion ing a corporation that rivals the power of the power rivals that ing a corporation to act inde power sufficient with a state or social norms. of the law pendently a term of modern political discourse mean discourse of modern political a term ible and adaptable, reusable modularized at of view systematic A toolsets. and tools tacks, not only covering attacks is being developed, the but aspect a of penetration, whole attack cycle, This systematic development involves a of number of hacking steps. Methods commercial, from team-oriented, agile software development are applied to the illicit exploit- development process, producing highly flex There There are in fact many indicators for this development, and they already sketch a scary picture for our future experienced has hacking cybersecurity. years, In 10 to five past the the most well-funded and systematic - devel opment in its history in some 15 We countries. know more about this in the case of the United States because it is an open society. - Presiden U.S. Secret As in stated Top a 2012 tial Directive on cyber operations, its goal is - capa unconventional and “unique develop to around national objectives advance to bilities the world with little or no warning to the adversary or target and with potential effects damaging.” severely subtle to from ranging into a mature, “megacorp” stage. “megacorp” a mature, into nologies nologies and Attacks expertise at step. every (like system software a as conceptualized are a standing warfare unit that and and not are again), over over confinedto can deployed attack The event. one-off specific single a just system can fulfill many functions- simultane ously and threaten many different layers of the target—among those most notably - secu the and safety organizational and technical rity environment. These methods are fused - profes from days, old the from methods with sional intelligence collection and systematic sands of backdoors in our IT-ecosystem.13 eign networks simply to get better monitor- Given the NSA‘s budget and expertise, this ing coverage not linked to specific threats; it sounds quite plausible. China, Russia and is seen as an unacceptable assault on nation- other countries are almost certainly un- al sovereignty and citizens’ privacy. dertaking similar activities. Yet only one of these operations has been detected to date More fundamentally, the profiling and retalia- (the espionage operation dubbed “Flame tion approach is not effective. It assumes that “) and not a single backdoor has been found. it is not so difficult to prove the identity of an Activities from other states are equally invis- attacker, and that attribution through profil- ible. This clearly points out the severe inca- ing can be plausibly defended. The Mandiant Identifying pacities of passive defense based on com- report14 of February 2013 focusing on China’s mercially available detection and monitoring economic espionage is an excellent example nation-state techniques. Apart from an awful detection of this approach. The company profiled and attackers who rate, detection times are equally disturbing. identified Chinas APT-1 group, a military- cy In the few cases which have been detected, ber espionage unit. But it also demonstrated care about the first detection took place several months, the limits of its underlying techniques of anal- camouflaging or more commonly, several years after the ysis, as the identification wasn’t very hard. A initial infection, and it was mostly by happen- number of traces were quite obvious. The re- their cyber stance or crude mistakes of the attacker, not port rather supports the impression that the espionage by the sets of sensors and analyses. attackers did not seem to have cared about covering up their tracks. They only applied a and sabotage At the same time, militaries around the world, very rudimentary set of disguising measures efforts is critical infrastructures, and the global and na- to begin with, although Chinese technical and tional economies are highly dependent on the military writing suggests that the country’s extremely underlying, highly vulnerable systems. This cyber experts have a thorough knowledge of difficult. problem is well known to governmental cyber techniques for spoofing and hiding. The little strategists. As a result, there is increased em- care applied to camouflage seems an expres- phasis on active defense. If passive defense sion of strategic impunity—“What are you is not possible, the thinking goes, active de- going to do about it anyway?” In conclusion, fense has to compensate. Mandiant’s effort has not proven the effectiveness of profiling. It has only proven the ef- At the strategic level, the prevailing doctrine fectiveness of profiling attackers who do not of active defense reflects an operational pref- care about their traces. erence which can be characterized as “profiling and retaliation.” Attackers are identified Identifying nation-state attackers who care through a collection of forensic data traces at about camouflaging their cyber espionage the scene of the attacks and in the networks. and sabotage efforts is extremely difficult. The goal is then to threaten and discourage They will never operate from home, and if or deter them. This approach entails surveil- they apply the full range of state-of-the-art lance on a scale and reach not fully revealed techniques for deception and disguise, false to the public, despite the recent cascade of indicators are always more numerous and leaks, and even a pre-emptive hacking of convincing than the true ones. And this is just foreign IT environments for closer observa- today’s situation. Advanced techniques for ystem tion. While the countermeasures are aimed evasion and deception will be an important primarily at foreign adversaries, others—in- part of the evolution of offensive weapons. cluding allies—are also targeted. The recent The first signs of such a move toward more furor in Germany and Brazil in reaction to the systematized deception can be seen in some NSA programs revealed by Edward Snowden current research. For example, one avenue illustrates the kind of the backlash such mea- of investigation applies artificial intelligence, sures can produce. There is global disquiet big data analytics and machine learning al- Resetting the S about widespread preemptive hacking of for- gorithms to generate automated, systematic deception of profilers. 10 13 See: http://www.washingtonpost. How does this work? The deceiver monitors com/world/national-security/us-spy-agencies- mounted-231-offensive-cyber-operations- in-2011-documents-show/2013/08/30/ 14 Mandiant Intelligence Center Report, d090a6ae-119e-11e3-b4cb-fd7ce041d814_sto- “APT1: Exposing One of China’s Cyber Espionage ry.html, accessed November, 18 2013. Units,” 2013, intelreport.mandiant.com. Resetting the System 11 A security security A based strategy active on and defense, narrowly, more and profiling on is retaliation idea, good a not even fact in dangerous. ------But cy 16 on those - occa Cyber War Will Not Take Will Not Take Cyber War precisely omputing Thomas Rid, 16 sions when the attacker is not Visible identifiable. attacks could trigger instant ation, - retali possibly including armed nullifying tacks, counterat activities the from attacker’s the outset. ac- on based strategy security a up, Summing tive and defense, on more narrowly, profiling even in fact is idea, not a and good retaliation dangerous. Profiling is simplytoo uncertain, and it might lead to intended or unintended escalations, destabilizing international - secu at large. rity , Hurst & Co, London, 2013, p. 159. Rid offers London, 2013, p. 159. Rid offers & Co, , Hurst Place problem, attribution of the a nuanced evaluation problem is almost “the attribution that conceding as argued (p. 156). Yet solved” perfectly never with not agree would authors the present above, example best as the emphasis on espionage Rid’s be iden to not want would states where of cases (p.158). of a cyber operation tified as the source of of attribution is not relevant for cyber war fare, as the military attacker always to wants be identified: “The notion that a powerful actor another coerce try to would actor state anonymously is highly unrealistic.” ber is a novel kind impact of geostrategic significant warfare. more It of havoc can wreak non-attributable through invisible, manipulation, creating silent and secret erosions an of economy, of military technology, through “anony through even or operations, flag false mous and hint pseudonymous deterrence,” ing that any kind of activity might cyber have consequences. These cyber operations may be most effective he Alternative of Highly The Alternative Secure C we Fortunately, are not out of options. Why not get the basic technology secured so no one can attack strategically critical systems place? in the first ways in devastating For decades, computer science has large had array a of unconventional how ideas to reach about very high already (inherent, are ideas not these of Many - reac security. tive) visible in a range of applications from secret research laboratories to computer designs, new and from the mainframe control and command to of facilities power nuclear civil nucle- planet-threatening for systems control - - And they can be hidden very well. well. be hidden can very And they 15 In IT-lingo, a wizard is someone who can is someone who can a wizard In IT-lingo, 15 code intuitively and so outstandingly well that well that and so outstandingly intuitively code outsiders. magic to he does seems like what Some Some authors have argued that the problem Getting human insiders into all of high- these ly secret teams and activities will be close to impossible—especially since offensive cyber capabilities are not limited to just the most powerful nations. Sooner or later—if not already—there will be hundreds of such units the world. around all activities of the profiler for a while by sitting sitting by while a for profiler the of activities all as a hidden “middle man” between him and the while, a After analyzing. is he attacker the looking is profiler the what know will deceiver and for, he will know how typical adversaries of the profilerwork. Then thedeceiver takes and systems profiler’s the attack can He over. leave fabricated deceiving traces the profiler could readily accept, emulating coding - prac tices, even using entire sequences from the inter can He attacker. previous the of arsenal be ever found among traces “real” So will the the overwhelming evidence pointing more “natural” to foe? a Will through the traps the and understand analyst them as Could the de- the of a deceiver? work master see fender then sufficienthave confidence to act politically or militarily against the deceiver? This uncertainty may become even more ex As long as digital traces are the main lead to an the attacker, goal of establishing attribution at the level of confidence necessary to unreachable. be may retaliation official justify U.S. intelligence sources have suggested - re peatedly in private and in public that they do there Yet traces. digital on exclusively rely not are doubts about the availability of non-digital corroborating data from classical human intelligence. Offensive cyber units very small. A team of can 15 to 20 attackers can be already be if very led effective, by one or two “wizards.” cept cept the attemptsprofiler’s to find out more and redirect those investigations onto - auto which match false traces, matically prepared the profiler’s preconceptions about the- pre sumed adversary. Most of that will be automated. fully Of course there might be some traces of the original attacker out. be filtered to noise some as is always there well. But with aggerated “big the - data advent of profil Ever ing.” more data to analyze can lead to confusion. more ever ar missile systems. If applied more widely, the security are available as well, such as “mov- high security computing technologies could ing target” architectures, which change some solve a large part of the cybersecurity prob- their configurations every now and then, lem for good. making it harder for attackers to keep their attacks from malfunctioning. These ideas have just never been very prominent. In the past, the threats were not as se- All architectural measures can offer security rious as the ones we face today, which was on a very basic level, thus providing good se- why traditional IT security was deemed suf- curity scaling effects throughout the system. ficient. Besides, most of these high security technologies have been associated with high Data flows: It would also be possible to large- Hacking has costs and loss of easy functionality. But times ly disable a flow of illegitimate activity from grown into a have changed. Hacking has grown into a pro- one area of an IT environment onto another, fessional, serious threat, and our prevalent making it harder for an attacker to move in- professional, paradigms of IT security are failing us. The side a penetrated system. One such attempt serious threat, time is ripe for high-security IT. It has to leave consists of “separation and partition kernels.” the universities, the research centers and These are operating systems that are not and our preva- ministries of national defense and take root able to execute different kinds of code in dif- lent paradigms in the broader community. Below are sev- ferent functional segments of a computer. eral fundamental elements of “highly secure These kernels have been researched since of IT security computing” and a brief discussion on why the 1980s,18 but, again, there are only a very are failing us. they were never implemented on a mass con- few examples of implementation of this idea sumer basis: and these are in very specific niche markets.19 Another approach, “information flow control,” Architectural redesign: Architectural rede- seeks to hinder the movement of an attacker sign of computers aims to enable the technol- and of stolen data inside a computer. This ogy to distinguish between data (the informa- idea, dating back to the 1970s,20 aims to tag tion being manipulated) and programs. The and control the flow of information inside a present infrastructure is based predominant- computer or a smaller network of computers, ly on a “von Neumann” design, which doesn’t by recognizing which data is trying to flow and provide this option. Consequently, attackers disrupting unauthorized or illegitimate flows can abuse a computer mechanism causing it of data either for propagation or exfiltration. to read data that will make it execute a pro- But information flow control is not frequently gram differently, and thereby install an at- implemented. It consumes resources, delays tack. This kind of architecture triumphed over the data streams (which is unacceptable to the so-called “Harvard architecture” back in most users) and makes sharing more com- the mid-1940s. The latter was an alterna- plicated, rendering this approach costly and tive design which would have enforced the unattractive. distinction between data and executables, rendering attacks much more difficult. But Minimal complexity: Another set of ideas von Neumann architectures had less need of aims to reduce computational complexity—a memory, so they were significantly cheaper distinct priority for efforts to enhance securi- and performed better at the time.17 Over the ty. Microkernels are the most prominent idea ystem past decades, varieties of novel architectural in this strategic approach. These kernels are approaches have been proposed to move tiny operating systems consisting of much away from von Neumann and back towards a Harvard architecture. Thus far, however, they 18 See John Rushby, “The Design and have only been implemented in a selection Verification of Secure Systems,” Eighth ACM of “embedded systems”—computers, which Symposium on Operating System Principles, are controlling parts of machines. Leading Resetting the S pp. 12-21, Asilomar, CA, December 1981. (ACM private sector firms, such as Intel and Texas Operating Systems Review, Vol. 15, No. 5). Instruments, have used elements of Harvard 12 19 One example is Green Hill’s “Integ- architecture in some of their products, but rity-178B,” a separation kernel used in avia- not broadly. Other architectural ideas for high tion. See for technical specifications: http:// www.niap-ccevs.org/st/st_vid10362-st.pdf. 17 Paul E. Ceruzzi. A History of Mod- 20 Dorothy E. (& Peter) Denning. 1976. ern Computing, 2nd ed., MIT Press, Cam- A lattice model of secure information flow. bridge MA, 2003, pp. 21 and 23. Commun. ACM 19, 5 (May 1976), 236-243. Resetting the System 13 A system with with system A tens or millions of millions of code of lines as have may tens as many thousands of exploitable of programming it. in errors - - - - This idea 24 Another high-security idea comes comes idea high-security Another See http://langsec.org/. 24 Yet Yet again, even though such operating - sys tems are much more secure, they are rarely used. Some have found reasons, safety though for mostly aerospace, an application in - sys complex less A security. for primarily not tem is also less likely to crash due to some But outsideof internal overloads. conflicts or there is environments, safety-heavy little - tol erance for this idea. Producers fear a loss of and functionality, any transition from the ex isting monocultures of operating systems to costly. too kind is considered a new Language: from the “LangSec” movement. relies relies on findingsecurity through application of the philosophy of language. not only Computers do things they are not supposed to do based on the many mistakes in their - pro their but input because also from code, gram is a on networks humans or other computers language of its own. Languages, natural and formal, have a meaning, and meaning - duces pro misunderstandings. A good example “If a half-joking remark: diplomat is Voltaire’s says he ‘yes,’ says diplomat means a If If ‘maybe.’ ‘no.’ a means he diplomat ‘maybe,’ says idea underlying The diplomat.” a not is he ‘no,’ of this joke is that the same expression can mean things different on occasions. different The same applies to computer Depending languages. on the code tics”) or on context the practical context (“pragmat - (“seman ics”), a similar expression can do divergent a such causing Intentionally things. different interpretation is the basis for the majority of today’s attacks on computer networks. The - prac advocates actively LangSec movement tical means to reduce language complexity and expressiveness in computer - communi cation, much like early diplomacy developed the concept of protocols in order to reduce - misinterpre caused culturally the for chance tation. Reducing network dependency: another rather simple Finally, step to much tighter security consists of “disconnecting the net A works.” non-networked or just lightly-net worked computer (and information society) is much harder to attack than one which is connected to everything. And a lot of cal criti- systems like power plants or production facilities do not really have to be accessible through large external networks—be those

- - - 23 - - http:// and it creates a lot of of lot a creates it and Proceedings of the Proceedings 22 (pp. 207-220). ACM. or removed, or 21 Klein, G., Elphinstone, K., Heiser, G., K., Heiser, Klein, G., Elphinstone, Removing a single vulnerability can can a single vulnerability Removing As all current computers are Turing Turing are computers As all current 23 22 21 , accessed 30th November 2013. , accessed 30th November This difference is hugely important for control and the of transparency the the comput less less code than conventional operating - sys tems. Microsoft’s Windows 7 consists of an estimated 80 million lines of code and Apple OS X of a similar number; an seL4 microkernel by consists of just roughly comparison, to 7,000 10,000 lines of code (SLOC can be understood in different ways and the mates used here are meant - only esti to illustrate difference.) magnitude of of orders A er. system with millions or tens of millions of lines of code may as have many as tens of thousands of exploitable programming rors er in it, which cannot be discovered - auto matically Andronick, J., Cock, D., Derrin, P., ... & Win Derrin, P., Cock, D., J., Andronick, - verifi seL4: Formal S. (2009, October). wood, kernel. In an OS of cation Operating on SIGOPS 22nd symposium ACM principles systems cost up to $400,000. Removing tens of thou tens $400,000. Removing up to cost kilby.stanford.edu/~rvg/154/handouts/Rice. 2013. , accessed 30th November html – a reason ruin companies sands will likely has never errors programming for liability why Gaycken See also: Sandro been introduced. – An Governance Day “Zero FX, & Lindner, tot he Cyber-security Solution (Inexpensive Harvard/MIT of Toronto, University Problem,” on- Papers, Cyber Dialogue 2012 Stewardship http://www.cyberdialogue.citizenlab. line at: org/wp-content/uploads/2012/2012papers/ CyberDialogue2012_gaycken-lindner. pdf machines, Rice’s theorem applies. See: theorem machines, Rice’s Such an is assurance process hardly imagin- able for most current commercial software of only The verification systems. or operating these few lines of code in the verified- micro ex qualified highly of team large a took kernel perts several tedious months, costing about only holds and the verification million, US$10 as long as the system is not significantly altered. noise, while a system with only 10,000 lines of of lines 10,000 only with system a while noise, observable clear-cut, more a in behaves code manner and can be checked rigorously any for kind of exploitable weakness. The latter technical option is available now. One seL4 microkernel has just recently become what computer scientists call “formally verified.” military networks like the U.S.-GIG25 or the and analysis tools that scale up to entire sys- Internet. Upon critical review, in some cases, tems. Thoroughly worked examples of trust- the net value of the “progressivist” impulse worthy systems are needed that can clearly to network everything and everyone may be demonstrate that well-conceived compos- close to zero or even negative. ability can enhance both trustworthiness and scalability.”27 It argued that “formally inspired Thus, “we have the technology” for highly se- approaches may be more promising than any cure computing. Much of it has been available of the less formal approaches attempted to for a long time. It will not provide 100 percent date.” It admitted that building new scalable security. This is not the goal. But a more ag- secure systems from the ground up may Getting the gressive take up of these ideas could help us seem like a Herculean task, but then went on do a lot better than we have been doing in in- to say that it would be even harder to build technology formation and systems security so far. such a system on the foundations of the vul- right for highly nerable systems we have today. This much higher level of basic security in secure com- software, OSs and hardware would render a puting is quite lot of malicious hacking activity extremely expensive and carry more risk of discovery, Market Pressures and possible. And it discouraging most actors and activities. The Policy Failures is desired. problem of economic cyber espionage, for instance, is one that could be controlled by So why isn’t this done? If all of this has been a set of high security computing measures. well known for decades, why is highly secure And what is even better about a high security computing rarely proposed as a priority goal? IT approach is that it leaves much less room Why isn’t it the focus of more attention in for pressure, in the name of political security, major policy statements, such as the United on existing standards of liberty and privacy. States’ International Strategy in Cyberspace Highly secure computing is a concept of “de- of 2011? In a few words, the necessary chang- terrence by denial,” crafted to render attribu- es are expensive, and the choices lie largely in tion strategically irrelevant. There will auto- the traditionally free and largely unregulated matically be less use for active defense and market. much less need for surveillance and Internet control. Thus, highly secure computing is a The persistence of insecurity we are seeing win-win strategy for security and civil liber- globally is caused by a combination of mar- ties. ket pressures and policy failures in critical areas.28 This is the essence of cyber insecurity, In summary, getting the technology right for and it is not technical. Business consumers highly secure computing is quite possible. do not yet see the value of high security IT de- And it is desired. Look at the United States. spite the heightened corporate risks and new The Department of Homeland Security de- international tensions. Many changes such as clared in 2009 that scalable secure comput- a move from von Neumann to Harvard archi- ing should be the first of 11 national priorities tectures, or the shift from commercial oper- for research and commercial development ating systems to microkernels, are deeply ar- against the background of the need to “trans- chitectural and would require an entirely new ystem form the cyber-infrastructure so that critical kind of computer. As the DHS research plan national interests are protected from cata- mentioned above, the more highly technolo- strophic damage and our society can confi- gies could not be bolted on top of the existing dently adopt new technological advances.”26 ones. Much of the auxiliary equipment would The DHS pointed out that “many gaps remain have to be redesigned, too. Other changes in reusable requirements for trustworthiness, such as disconnecting networks and control- system architectures, software engineering ling data streams could affect performance. Resetting the S practices, sound programming languages So by and large, this kind of IT would require that avoid many of the characteristic flaws, a gigantic initial investment, and it would be 14 more expensive to operate in some respects, 25 GIG is the U.S.-military network “Global Information Grid.” 27 Ibid., 4. 26 Department of Homeland Se- 28 For a more detailed analysis curity (DHS), “A Roadmap for Cyber- of the question of market failures in cy- security Research,” 2009, p. Vii. bersecurity, see Friedman op. cit. Resetting the System 15 The necessary necessary The are changes and expensive, lie choices the the in largely traditionally largely and free unregulated market. - - - - , Economics Economics Shailendra Shailendra and In most market economies, 30 Any government intervention for See Peter Kell, “Market Failure: Failure: “Market Kell, See Peter Ross Anderson Ross 31 , “Security Economics and Critical and Critical , “Security Economics 31 30 military hardware and personnel. and personnel. hardware military Typically, a market failure—where markets do private not provide goods needed or services by customers them or in adequate quantities at an affordable do not price—triggers provide the question of government intervention. Fuloria Tyler Moore, in Infrastructure” National Ioannidis, Pym and Christos David Security and Privacy of Information Springer, Dordrecht NL, 2010. Dordrecht Springer, more generalized application of highly secure secure highly of application generalized more computing technologies will not be received well by some industry leaders in most - coun tries. The traditional IT and IT security industry is not likely to be a friend of “new computing” Even either. if such computers, systems and only introduced were standards in critical ar eas, that intervention would be regarded as When Should Policymakers Act?,” Per Per Act?,” When Should Policymakers was 2009. Kell Exchange Policy Capita Consumer Deputy Chair of the Australian Commission. and Competition considerable considerable care is taken to craft that policies address the national interest (or public test interest) without unduly constraining innovation and competitiveness in the private sector. But once a government chooses to intervene, the inevitable complete by course reversal the private result—absent - sec a tor—must be some with compromise and by private sector Just interests. how this might play out in particular economies is well be- yond the scope of this It paper. is worth not ing that the inevitable outcome is “imper an policy.” fect variations. national some noted study 2010 A Having observed an that emerging protection of consensus critical national - informa tion infrastructure was no longer a - techno - but one logical problem of public policy (eco nomics and regulation), it went on that to “the note USA is regulating cybersecurity in the but electric not power industry, in oil and gas, while the UK is not regulating at all It but efforts.“ own industry’s encouraging rather reported that “some European governments are intervening, while others are leaving cy bersecurity entirely to plant owners to worry about.“ - - - - - con So 29 It has to be mentioned that high that be mentioned It has to 29 security computing is also less expensive in expensive is also less security computing be to It does not have some other respects. and there as often, and updated maintained versions. novel to upgrades less need for is far also claim researchers high-security Many decline in speed will not be any there that cost-benefit overall But the or functionality. as properly be estimated cannot comparison not implemented. are long as these systems less convenient and less functional. less and convenient less In addition, critical infrastructure operators usually don’t have to inter sustained The directly failures. security of bear costs the full Even many militaries are caught up conspiracy in this of circumstance against secure highly computing. Only a small handful countries of can begin to think a for to transition computing highly in secure about paying the defense sectors. Most are already being to find newforced money at a timeof shrink sumers—firms and individuals—will not rush of insecurity The costs to adopt it voluntarily. to each actor would have to be higher than the but necessary investments, many actors Cy not analysis. benefit made that have cost ber risk assessments are hard to undertake, with no well-researched methodologies hand and at a lot of higher-level consequences paucity a is also There foresee. to difficult are threats. serious the most of many data on of ruption of electricity supply caused by a cy ber attack (or something else) may prevent mobilization of a vitally or important forestall military unit stationed in the only a small bears dollar cost. operator area, utility but the In the current debate over intellectual - prop erty theft by cyber espionage, the argument unfolds at two levels that don’t necessarily intersect in terms of responses. One level is cost is other the and company, the to cost the to the national economy. Many companies with sensitive intellectual property, and the professional service firms supporting them, have not moved to prevent their knowledge from being stolen by a foreign government because of a lack of willingness to bear the monetary consequences of IT. high security implementing ing military They know budgets. they will not receive extra money for a re-engineering of their entire IT suite if only because no other military is force doing it. Heavy new - expendi ture on highly secure computing would only reduce capital investment in conventional a threat by suppliers, since they would dem- approach could be to simply standardize and onstrate how insecure and obsolete much produce high security IT for particular niches, of their traditional equipment is. They would which cannot do without it anyway—such be challenged, in particular as some of these as militaries, aerospace or nuclear power new competitors might want to expand into plants—and modify those systems for envi- the broader consumer market. As a result, ronments with lower security needs. counter-disruptive lobbyism is a problem. For example, in the United States, the TechAmer- But this is the point at which policy failure ica web page on cybersecurity reveals the plays a crucial role. Most senior politicians— intensity of differences between the indus- or senior decision makers at large—are not as try lobby group and the U.S. Congress and familiar with the technologies as the situation Obama administration, as well as with the seems to demand. Nor are many users as lit- Most senior European Union.32 While all this is normal be- erate in the area of high security computing politicians—or havior for market economies in democratic as they need to be. Policy makers may prefer systems, the end result is slow progress to- discussions on “soft” measures such as in- senior deci- wards the goal of higher security. formation sharing or international norms and sion makers at contracts. This sort of activity is essential, but Many strategists and computer scientists are it should not be taken as a substitute for dis- large—are not concerned about this slow, incremental pace cussion of the economic and technological as familiar with of reform, in part because alternative ap- issues at the root of the problem. proaches are not the subject of the economic the technolo- study they need.33 In the absence of detailed Yet another problem arises from blurred defi- gies as the sit- studies, we are inclined to believe that a new nitions or empirical uncertainties about the mass market for highly secure computing scale of the threat, enabling some to inter- uation seems technologies could be generated, with high pret reality in their particular fashion and to to demand. returns and strong growth, once operational. render their product as the ideal solution.35 But to initiate this market, clear policy sig- An antidote to many of these problems would nals would be required. Political forces would be to insist on security audits undertaken by have to indicate that they would require the independent, high-end red teaming to rigor- implementation of high security IT in critical ous standards, with the results published—as areas. If that doesn’t happen, there may be is now the case in many other safety-critical no change. areas such as aviation or medical technology and pharmacology. But, again, this would en- A few options to influence the market were tail interference with the market, and it would canvassed at a conference in February 2013: require strong, independent, knowledgeable international tariffs, regulations, taxes, insur- politicians. ance, legal liability, reputation damage and criminalization are among the means com- Anyone seeking to implement new policies monly used to shape markets and to com- will need to work through the firmly estab- pensate for negative externalities.34 Another lished approach of multi-stakeholder consultations. Yet it will be important that such consultations not lose sight of the main goal 32 See http://www.techame- (highly secure computing) and compromise ystem rica.org/public-policy-advocacy/ it by settling for lowest common denominator all-industry-priorities/cybersecurity/. solutions. It is important to diffuse decision- 33 A part of it is even well researched in making among parties with legitimate inter- its own discipline of computer science called ests, but at some point a paradigm shift to “Economics of IT-Security” (EIS). This research is highly secure computing will require political still focussed very strongly on petty cyber crimes leaders to ignore some part of the market’s and thus not applicable to the debate around high current shared opinions. They will need to be Resetting the S level attackers and international cyberstability. 34 John Mallery, “Rebalancing Cyber 16 Defense and Offense: Can incremental techni- 35 As the famous computer scientist Mor- cal evolution achieve sufficient work factor rie Gasser already noted in 1988 in his chapter impacts or are clean-slate transformational “False Solutions Impede Progress” [sic]: “Since architectures required?,” Presentation at the few people have a good understanding of security, Expert Workshop on “Advanced Strategies in security fixes are particular subject to snake-oil Cybersecurity,” Federal Foreign Office, Berlin, salesmanship” (p. 12). (see: Morrie Gasser, Build- February 13, 2013. Explicit quotation permitted. ing a Secure Computer System, New York 1988). Resetting the System 17 Highly secure secure Highly has computing prioritized be to specifications in critical of national infrastructure. - Highly secure computing has to be has to computing Highly secure of criti- in specifications prioritized Germany infrastructure. national cal determine about to is currently to this steps strategic first some corresponding end and incentivize German industry; from responses methodologies Risk assessment to or refined be developed to have the overall of view enable a broader - and conse costs and higher-order insecurity; cyber of quences incidents cyber regarding Honesty can cybersecurity of and the state on incident laws by be enforced and by checks regular by disclosure, according testing rigid penetration demands; security to decision-makers National security open with the pub- be more to have active of lic about the implications - exploi intrusive and overly defense tation (espionage); be used to have cycles Innovation detailing by security enhance to as new specifications high security demands; other technology from Money aimed at security-relevant projects high to might be redirected areas

1. 2. 3. 4. 5. 6. scape scape look very different from various - capi tals. What will work well in one country may we are all, Above in unworkable others. prove obliged to observe that for different very be may the response the countries, majority of from that which works in the United States. The political priorities and social values will shape the responses. There is new everywhere about these debate values. Scientists in the United States are reserving the right to produce NSA-resistant encryption - capabil ity. Europe and the United States appear to be even further apart on the of these because least not issues ago, year a were than they Snowden revelations. And China is drawing up new plans to strengthen its domestic cy is relatively which today industry, bersecurity equivalent. U.S. with its compared weak A number of activities could be envisioned to this realize new paradigm of highly secure computing and to overcome market sures and - pres policy failures. Whether they can be adopted on any sort of consensus basis within the major national jurisdictions is yet of some courses priority are Here to be seen. action:

- 36 - http://www.darpa.mil/Our_Work/ See: 36 tough tough enough to make controversial, costly decisions about technical settings that will opposition. strong run into As As suggested the above, responses will vary from country to country. It is worth ing - recall that views of the cybersecurity land- However, as this paper aims However, to demonstrate, such efforts have been made before. Many ideas have been laid down decades the before current crisis. If the failures policy and combined pressures market of nisms mecha- open- and honestly clearly, addressed not are ly, it is unlikely that any effort at substantial reform of our insecure IT environments will actually ever take off. Disruptive innovation by accompanied and initiated be to need may regulation. disruptive For For example, in 2010 and 2011, the Defense Advanced Research Projects Agency - (DAR launched PA) new to programs - tech explore nological options that did compatibility not with legacy depend - pro architectures “CRASH” and on DARPA The systems. operating gram is most notable among these efforts. The answer to many global cybersecurity di- lemmas may be found in the new disruptive technology of highly secure computing. It is within reach, and it has to happen anyhow. would and corporations communities States, - pro are There in not demanding be it. remiss projects research new Some there. out viders a investigating shift are already underway, at view. point of a technical from least bersecurity. bersecurity. Possible Responses Possible harsh. sound may making are we critique The We do not mean to widespread or market traditional the suggest of cerns that the - con dependencies on existing systems consequential. are But in in- times of rising tensions cyber and growing numbers of attackers and attacks, the international debate needs to be more informed about options. Highly secure computing is an important option. It a privacy- towards pathway a new represents reliable more feasible, peaceable, preserving, cy to path profitable more even and possibly I2O/Programs/Clean-slate_design_of_Resili ent_Adaptive_Secure_Hosts_%28CRASH%29. 2013) (accessed 28th of March, aspx As long as the price signal can be clear and appropri- ately foreshadowed, based on consultation with stakeholders, the private sector will adjust in a way that de- security IT projects, as the DHS re- like-minded nations trying to solve the prob- search priorities of 2009 suggested lem for themselves inside their own camp or livers a more in the case of the United States; alliances, making more universal internation- acceptable bal- 7. Computer science has to receive in- al agreements on significant issues less likely. centives to invest more in research A side effect of this nationalism and alliance ance between on highly secure computing; building has been to resort to strategies of commercial 8. The market potential of high secu- technological sovereignty. There is increas- rity, verifiable IT has to be assessed ing mistrust in some countries of “foreign” and public in- more consistently by economists computers, networks or components. While terest. and business advisers; this is understandable, we have through such 9. Policy makers and decision-makers lines of thinking all too readily fallen back into from industry need to become more the paradigm of East vs. West. Ironically, the knowledgeable about the econom- indivisible security promised by the end of ics of highly secure computing. the Cold War no longer appears to be the goal even as we move more deeply into this most globalized and borderless domain.

The Diplomatic Dimension Looking to the future, we have to find a new common pathway. There are several drivers It is important to understand the interna- for this need. The single most persuasive one tional dimension of the possible elevation of

ystem is the high level of economic interdependence the paradigm of highly secure computing to a among the major economies. There are tech- central position in policy. We asserted early in nological, economic and political reasons for the paper that active defense was ineffective, global standards. We contend that a drive for controversial and destabilizing, and that we cooperative, highly secure computing tech- need more attention to defensive options. We nologies as a major plank of international believe that the idea of highly secure comput- strategy by all states would, in and of itself, ing might become a unifying defensive prin-

Resetting the S have a significant and immediate dampening ciple of cyberspace cooperation. effect on existing inter-state tensions in cyberspace. 18 If put forward as a common international goal, highly secure computing could help to What should states do next? Securing cy- ease the tensions created by the current, berspace may not be as important an inter- prevalent active defense approaches of sev- national priority as mitigating global climate eral leading countries. Current approaches change, but we can learn from the way that have seen a resort to cyber nationalism, with process has unfolded. We will see political - - -

Resetting the System 19 - ria might be. might ria holders and civil civil and holders what on society, crite new those There is an an is There and urgent compelling need diplomatic sustained for productive and intergovern conver mental including sation, stake industry

- - 37 - CCMC, “Vision statement for the future the future for “Vision CCMC, statement 37 direction of the application of the CC and the of the CC of the application direction 1, 2012, http://www.common September CCRA,” criteriaportal.org/files/ccfiles/2012-09-001_Visi on_statement_of_the_CC_and_the_CCRAv2.pdf. This is probably not where the international community needs to be—only 27 countries agreeing to the current market The position. vision statement did hold out the idea “certification that may not always for be sufficient acceptance of certifiedproducts for use or requirements Other context. particular a in be applicable.” also may regulations there is believe an We and urgent compelling diplomatic need for sustained and - produc tive intergovernmental conversation, including industry stakeholders and idea The civil be. might criteria new those what on society, is for them to promote urgent for pressure a disruptive innovation towards highly secure computing and for a recommitment to indivisible security. common, principle of the of of existing international arrangements. For example, the Common Criteria Recognition Agreement, which helps to set international industry security standards, counts only 26 countries as members, of which 17 are cer tificate authorizing members. Vision In Statement 2012 the issued by Criteria the Management Committee, Common all - mem bers agreed that “The general security level needs products certified COTS ICT general of impacting price to be without raised severely and timely availability of these products.” - - The international community sig price a of value should possible the about talking start explicit more be may point departure first The recognition of the slow pace of development agendas agendas that will be every bit as contested and will replay the same arguments over-regulation and about retarding the economy. Yet the domestic divisions gridlock inside different and countries on the cli- legislative mate change issue do not speak to the - seri or at the level that global of problem ousness to states of the the of majority determination act. Similar domestic divisions and legislative gridlock on issues of high security - com puting, or the principled positions of disput ing parties inside different countries, do not invalidate the importance of that goal at the global level either. As with climate mitigation policies, such change as a carbon tax, as long as the price signal can be clear and ap- propriately foreshadowed, based on - consul tation with stakeholders, the private sector will adjust in a way that delivers a more acceptable balance between commercial and public interest. nal to of the regardless the ICT industry, flag of registration of the corporations. In the future, products and systems that continue to perpetuate inherent low security might face administrative discrimination in the form of higher taxation or legal liabilities. a jurisdictions, policy like that In may un- prove some But helpful. other countries will go down that path. EastWest Institute Board of Directors

OFFICE OF THE CHAIRMEN OFFICERS MEMBERS

Ross Perot, Jr. (U.S.) John Edwin Mroz (U.S.) Martti Ahtisaari (Finland) Chairman President, Co-Founder and CEO Former Chairman EastWest Institute EastWest Institute EastWest Institute Chairman 2008 Nobel Peace Prize Laureate Hillwood Development Co. LLC R. William Ide III (U.S.) Former President of Finland Board of Directors Council and Secretary Dell Inc. Chair of the Executive Committee Tewodros Ashenafi (Ethiopia) EastWest Institute Chairman and CEO Armen Sarkissian (Armenia) Partner Southwest Energy (HK) Ltd. Vice Chairman McKenna Long and Aldridge LLP EastWest Institute Jerald T. Baldridge (U.S.) President Leo Schenker (U.S.) Chairman Eurasia House International Treasurer Republic Energy Inc. Former Prime Minister of EastWest Institute Armenia Senior Executive Vice President Peter Bonfield (U.K.) Central National-Gottesman Inc. Chairman NXP Semiconductors

Matt Bross (U.S.) Chairman and CEO IP Partners

Robert N. Campbell III (U.S.) Founder and CEO Campbell Global Services LLC

Peter Castenfelt (U.K.) Chairman Archipelago Enterprises Ltd.

Maria Livanos Cattaui (Switzerland) Former Secretary-General International Chamber of Commerce

Michael Chertoff (U.S.) Co-founder and Managing Principal Chertoff Group David Cohen (U.K.) Anurag Jain (India) Amb. Yousef Al Otaiba (U.A.E.) Chairman Chairman Ambassador F&C REIT Property Management Laurus Edutech Pvt. Ltd. Embassy of the United Arab Emirates in Washington, D.C. Joel Cowan (U.S.) Gen. (ret) James L. Jones (U.S.) Professor Former Advisor Admiral (ret) William A. Owens Georgia Institute of Technology U.S. National Security (U.S.) Former Supreme Allied Chairman Addison Fischer (U.S.) Commander AEA Holdings Asia Chairman and Co-Founder Europe Former Vice Chairman Planet Heritage Foundation Former Commandant U.S. Joint Chiefs of Staff Marine Corps Stephen B. Heintz (U.S.) Sarah Perot (U.S.) President Haifa Al Kaylani (Lebanon/ Director and Co-Chair for Rockefeller Brothers Fund Jordan.) Development Founder and Chairperson Dallas Center for Performing Arts Hu Yuandong (China) Arab International Women’s Forum Chief Representative Louise Richardson (U.S.) UNIDO ITPO-China Zuhal Kurt (Turkey) Principal CEO University of St. Andrews Emil Hubinak (Slovak Republic) Kurt Enterprises Chairman and CEO John Rogers (U.S.) Logomotion General (ret) T. Michael Managing Director Moseley (U.S.) Goldman Sachs and Co. John Hurley (U.S.) Moseley and Associates, LLC Managing Partner Former Chief of Staff Cavalry Asset Management United States Air Force

Amb. Wolfgang Ischinger F. Francis Najafi (U.S.) (Germany) CEO Chairman Pivotal Group Munich Security Conference Global Head of Amb. Tsuneo Nishida (Japan) Governmental Affairs Permanent Representative Allianz SE of Japan to the U.N.

Ralph Isham (U.S.) Ronald P. O’Hanley (U.S.) Managing Director President,Asset Management GH Venture Partners LLC and Corporate Services Fidelity Invesments George F. Russell, Jr. (U.S.) CO-FOUNDER DIRECTORS EMERITI Former Chairman EastWest Institute Ira D. Wallach* (U.S.) Jan Krzysztof Bielecki (Poland) Chairman Emeritus Former Chairman CEO Russell Investment Group Central National-Gottesman Inc. Bank Polska Kasa Opieki S.A. Founder Co-Founder Former Prime Minister of Poland Russell 20-20 EastWest Institute Emil Constantinescu (Romania) Ramzi H. Sanbar (U.K.) President Chairman CHAIRMEN EMERITI Institute for Regional Cooperation SDC Group Inc. and Conflict Prevention (INCOR) Berthold Beitz* (Germany) Former President of Romania Ikram ul-Majeed Sehgal President (Pakistan) Alfried Krupp von Bohlen William D. Dearstyne (U.S.) Chairman und Halbach-Stiftung Former Company Group Chairman Security & Management Johnson & Johnson Services Ltd. Ivan T. Berend (Hungary) Professor John W. Kluge* (U.S.) Amb. Kanwal Sibal (India) University of California, Los Angeles Former Chairman of the Board Former Foreign Secretary of India Metromedia International Group Francis Finlay (U.K.) Kevin Taweel (U.S.) Former Chairman Maria-Pia Kothbauer Chairman Clay Finlay LLC (Liechtenstein) Asurion Ambassador Hans-Dietrich Genscher Embassy of Liechtenstein to Amb. Pierre Vimont (France) (Germany) Austria, OSCE and the UN in Vienna Executive Secretary General Former Vice Chancellor and European External Action Service Minister of Foreign Affairs William E. Murray* (U.S.) Former Ambassador Former Chairman Embassy of the Republic of France Donald M. Kendall (U.S.) The Samuel Freeman Trust in Washington, D.C. Former Chairman and CEO PepsiCo. Inc. John J. Roberts (U.S.) Alexander Voloshin (Russia) Senior Advisor Chairman of the Board Whitney MacMillan (U.S.) American International Group (AIG) OJSC Uralkali Former Chairman and CEO Cargill Inc. Daniel Rose (U.S.) Amb. Zhou Wenzhong (China) Chairman Secretary-General Mark Maletz (U.S.) Rose Associates Inc. Boao Forum for Asia Chairman, Executive Committee EastWest Institute Mitchell I. Sonkin (U.S.) Senior Fellow Managing Director NON-BOARD Harvard Business School MBIA Insurance Corporation COMMITTEE MEMBERS Thorvald Stoltenberg (Norway) Laurent Roux (U.S.) President Founder Norwegian Red Cross Gallatin Wealth Mangement, LLC Liener Temerlin (U.S.) Hilton Smith, Jr. (U.S.) Chairman President and CEO Temerlin Consulting East Bay Co., LTD John C. Whitehead (U.S.) Former Co-Chairman Goldman Sachs Former U.S. Deputy Secretary of State

* Deceased EastWest Institute Policy Report Series

2013 Afghan Narcotrafficking Enhancing Security in Afghanistan and A Joint Threat Assessment Central Asia through Regional Policy Report 2013—1 [EN | RU] Cooperation on Water Amu Darya Basin Consultation Report The Path to Zero Policy Report 2011—4 Report of the 2013 Nuclear Discussion Forum Policy Report 2013—2 Fighting Spam to Build Trust China-U.S. Bilateral on Cybersecurity Threading the Needle Policy Report 2011—5 [EN | CH] Proposals on U.S. and Chinese Actions on Arms Sales to Taiwan Seeking Solutions for Afghanistan, Part 3 Policy Report 2013—3 Policy Report 2011—6

Measuring the Cybersecurity Problem Policy Report 2013—4 2010

Economic Development and 2012 Security for Afghanistan Increasing Jobs and Income with the Help Bridging the Fault Lines of the Gulf States Collective Security in Southwest Asia Policy Report 2010—1 Policy Report 2012—1 Making the Most of Afghanistan’s River Basins Priority International Communications Opportunities for Regional Cooperation Staying Connected in Times of Crisis Policy Report 2010—2 Policy Report 2012—2 The Reliability of Global Undersea 2011 Communications Cable Infrastructure Policy Report 2010—3 Working Towards Rules for Governing Cyber Conflict Rights and Responsibilities in Cyberspace Rendering the Geneva and Hague Balancing the Need for Security and Liberty Conventions in Cyberspace Policy Report 2010—4 Policy Report 2011—1 [EN | RU] Seeking Solutions for Afghanistan, Part 1 Seeking Solutions for Afghanistan, Part 2 Policy Report 2010—5 Policy Report 2011—2

Critical Terminology Foundations Russia-U.S. Bilateral on Cybersecurity Policy Report 2011—3 Building Trust Delivering Solutions

Learn more at www.ewi.info

EWInstitute EastWestInstitute