Communications - June 2012

tors dominate the variety of risks we face today. Shortened development cycles and increased competition mean much of the software and configurations that are deployed have not been adequately validated. It frequently feels like many organizations are implicitly relying on hackers for their security testing.

At the same time, obsolete, bug-rid-den vulnerable systems never seem to get retired. In February 2012 approximately 30% of the computers on the Internet were still running Windows XP (down from 31% the previous month), according to W3Schools. 4 Yes, Windows 7 has vulnerabilities, but Windows XP is dramatically less secure: it should be banned from today’s cyber infrastructure.

Other factors increasing the cybersecurity risk include our difficulty attracting and retaining enough software engineers, and the failure of our schools to promote technology education from an early age.

It is important to realize that cybersecurity, despite its importance, represents only a tiny part of computer science research as a whole. Security professionals rightfully point out that a single flaw in practically any program can result in a devastating security compromise. This is troubling, because most computer professionals receive little if any training in security, most CS professors and software engineers try to ignore it, and there are few security specialists. This argues for better training and the creation of a licensing or certification process.

Some people blame pay scales. While science and engineering jobs pay better than average jobs in the

While we depend
on our computers,
we seem incapable
of making or
operating them in a
trustworthy manner.

U.S., they do not pay better than careers in medicine, law, and business, says Lindsay Lowell, director of policy studies at Georgetown University’s Institute for the Study of International Migration. Testifying in 2011 before the House Subcommittee on Immigration Policy and Enforcement, Lowell said it is the lower salary paid to science and technology professionals that is responsible for the large number of non-U.S. students enrolled in U.S. graduate science and engineering programs. 6

For generations educators have recognized that one of the primary purposes of schooling is to teach students how to write. As a result today’s high school graduates have had at least 10 year’s worth of writing instruction (and many say their writing still leaves much to be desired).

The situation is worse when it comes to technology education. Think what you want about so-called “digital natives,” but experience with Facebook and video games does not translate into algorithmic thinking. Computers are part of early education in many communities, but the courses invariably teach how to be users, and not how to understand the underlying technology. Most college graduates have essentially no ability to perform even simple office automation tasks, and the typical CS graduate has less than six years’ experience writing software. A real risk of our current educational system is that most graduates simply lack the experience to write security-critical software because they did not start programming in middle school.

We may be increasingly an infor-
mation society, but most companies
see information technology, and es-
pecially information security, as a cost
or a product rather than as an enabling
technology. Organizations balance
their security against other compet-
ing requirements. A 2011 Bloomberg
Government Survey of 172 Fortune
500 companies found they were col-
lectively spending $5.3 billion per year
on cybersecurity and stopping just
69% of all attacks. The organizations
told Bloomberg they could increase
the effectiveness of their defenses
over the next 12 to 18 months such
that they could stop 84% of cyber at-
tacks; to do so they would need to in-
crease their annual spending to $10.2
billion. Stopping 95% of cyber attacks,
which Bloomberg claimed would be
the “highest attainable level” of secu-
rity, would increase spending to $46.6
billion per year. 2

Live with Cyberinsecurity

There is no obvious solution to the problem of cybersecurity. While we depend on our computers, we seem incapable of making or operating them in a trustworthy manner. Much is known about how to build secure systems, but few of the people building and deploying systems today are versed in the literature or the techniques. We should be designing society so that we can survive the failure of our machines, but it is more cost-effective to create systems without redundancy or resiliency.

Reducing our cyber risk requires progress on both technical and political fronts. But despite the newfound attention that cybersecurity increasingly commands, our systems seem to be growing more vulnerable every year.

References

1. C compilers may silently discard some wraparound checks. us-Cert Vulnerability note Vu#162289, april 4, 2008.

2. domenici, H. and bari, a. the Price of Cybersecurity: big Investments, small Improvements. a. Holmes, ed., bloomberg Government survey (Jan. 31, 2012).

3. landwehr, C. a national goal for cyberspace: Create an open, accountable Internet. IEEE Security and Privacy 7, 3 (May 2009).

4. os Platform statistics, w3schools.com; http://www. w3schools.com/browsers/browsers_os.asp.

5. roemer, r. buchanan, e., shacham, H., and savage, s. return-oriented programming: systems, languages, and applications. ACM Trans. Info. Syst. Secur. 5, 1, article 2 (Mar. 2012).

6. “steM” the tide: should america try to Prevent and exodus of Foreign Graduates of u.s. universities with advanced science degrees. Hearing before the subcommittee on Immigration Policy and enforcement of the Committee on the Judiciary of House of representatives (oct. 5, 2011), 112–164.