Showing posts with label transparency. Show all posts

Monday, November 6, 2023

Artificial Intelligence

Artificial intelligence, AI, is a new user interface to the computer.  Large language models (LLMs) make the computer easier to use.  They permit us to describe the result that we want in natural language, improving productivity and enabling new applications.  AI will improve intellectual productivity as much as internal combustion improved manual productivity.  In response to internal combustion, and more specifically the tractor, we shortened the work week from 72 hours to 44 and invented vacations and retirement.  In the process, we killed off two generations of young men and still suffered 25% unemployment.  Said another way, increases in productivity are disruptive.

The computer, with or without AI, is a tool.  Tools vary in quality, utility, usability, and use.  The user is responsible for the selection of the tool, the purpose to which it is put, and for all the properties of the result.  This is true whether the user is an individual or a group.  An enterprise must be responsible and accountable for everything that results from its application of this powerful technology. We call this security and we forget any part of it at our peril. We must not impute authority or autonomy to the tool; we must not anthropomorphize the tool.  "The craftsman does not blame his tools."  We must hold people accountable for how we use this powerful new tool.  

In the near term we should focus on embedded, application-specific implementations of AI.  We should follow the example of IBM, a pioneer in the field.  IBM trains the engine, think Watson, on application-specific curated data; they build in governance and transparency from the ground up.

Public policy must soften the impact of the disruption.  This will include shortening the work week to spread the work and the leisure.  It should include a guaranteed minimum income to ease transition from old jobs and skills to new ones.  Finally, it should include changes in tax policy from labor to capital, people to robots, and production to consumption, to more securely and equitably finance the social safety net.  



Wednesday, November 29, 2017

Securability

In 2008 the ACM sponsored a Workshop on the Application of Engineering Principles to Information System Security.  Participants were asked to submit brief notes as seed material for the Workshop.  Far and away the most useful paper submitted to the workshop was by Amund Hunstad and Jonas Hallberg of the Swedish Defence Research Agency entitled “Design for securability – Applying engineering principles to the design of security architectures.” This original paper points out “that no system can be designed to be secure, but can include the necessary prerequisites to be secured during operation; the aim is design for securability.” That is to say, it is the securability of the system, not its security, which is the requirement. We found this idea to be elegant, enlightening, and empowering. Like many elegant ideas, once identified it seems patently obvious and so useful as to be brilliant.

One cannot design an airplane to be safe, such that it can never be unsafe, but one can, indeed aeronautical engineers do, design them such that they can be operated safely.  Neither IBM nor Microsoft can design a system that is safe for all applications and all environments.  They can design one that can be operated safely for some applications and some environments.  As the aeronautical engineer cannot design a plane that is proof against “pilot error,” so IBM and Microsoft cannot design a system that is proof against the infamous “user error.”  One cannot design a plane that is proof against terrorism or a computer that is proof against brute force attacks.

In the early days we talked about the properties of secure systems, Integrity, Auditability, and Controllability, and we told product managers that the properties, features, and functions of the product must be appropriate for the intended application and environment of the product. 

Integrity speaks to the wholeness, completeness, and appropriateness of the product.  One test of Integrity is predictability, that is, the product does what, and only what, is expected.  Note that very few modern computer systems meet this test, in large part because they are too complex.

Auditability is that property that provides for relative ease in inspecting, examining, demonstrating, verifying, or proving the behavior and results of a system.  The tests for Auditability include accountability and visibility or transparency.  The test of accountability is that it must be possible to fix responsibility for every significant event to the level of a single individual.  The test of visibility is that a variance from the expected behavior, use, or content of the system must come to the attention of responsible management in such a way as to permit timely and appropriate corrective action.

Controllability is that property of a system that enables management to exercise a directing or restraining influence over the behavior, use, or content of the system.  The tests are Granularity and Specificity.  The test of granularity requires that the size of the resource to be controlled must be small enough to permit management to achieve the intended level of risk.  Specificity requires that management be able to predict the effect of granting any access to any resource, privilege, or capability from the meta-data, e.g., name, properties, of the resource, privilege or capability.

Note that these properties complement one another, indeed are really simply different ways of looking at the property of “securability.”  However, they may be achieved at the expense of other desiderata of the system.  How to achieve the proper balance is the subject for another day.





Wednesday, July 19, 2017

Open Letter to my Congressman

Sir:

In my forty years in information security I have come to have many colleagues in the intelligence community.  I find them to be brilliant and noble.  I have also found them to be myopic, artful, and zealous.  I have watched their testimony before both the House and Senate judiciary committees.  While I have been impressed by their testimony, I have been less impressed by the questioning.   The testimony has been carefully rehearsed and very consistent.  Where the questioning has not been sympathetic, it has been inept.  Even those legislators who recognize that the testimony is misleading are prevented by secrecy and decorum from asking the questions that might really inform the citizens or even saying so when a witness lies under oath. 

Here is a short list of questions that I would like put to the administration to answer under oath.

  • Does GCHQ target American citizens on behalf of the US government?  What did we get for our $152M? 
  • Does the NSA target citizens of the United Kingdom?  Does it do so on behalf of the UK government? 
  • What programs, besides the collection of all telephone call records, does the NSA operate under USA Patriot Act, Section 215?  What programs, other than PRISM, does it operate under the FISA, Section 702?  Are we going to be surprised by more revelations?   
  • NSA has admitted that a query to the call records database implicates not only those connected directly to the "seed" number but all those associated with it to "three hops."  What is the largest number of phone numbers implicated by any single query?  How many subscribers have been implicated by the hundreds of queries made since the inception of the program?  Is it possible that there is any American citizen  that has not been swept up in this huge drag net?
  • Given the density of modern digital storage, e.g., a terabyte in a shirt pocket for $100, what is NSA storing that requires 24 acres of floor space in Utah?  
  • What percentage of the e-mail that crosses our borders does NSA collect?  Store?  Analyze?  Disseminate to other agencies of government?  
  • Given the demonstrations by Edward Snowden and Bradley Manning as to the breadth and depth of their access, how can we rely upon the assurances of NSA  that they can protect us from abuse of the information they collect?  Doesn't the mere collection of all this information invite, not to say guarantee, abuse?
  • Doesn't the mammoth budget ($75B in 2012?) of NSA justify the conclusion that NSA operates on the premise that "Because we can, we must," and without any regard for efficiency?  Are they not spending far more than doing nothing would cost?
  • Does not the Bush "Warrantless Surveillance Program" demonstrate that citizens cannot rely upon bureaucrats and spies to protect us from over-zealous, not to say rogue, politicians?  Are we building capabilities now that will empower politicians of the future? 
  • Does the NSA require a warrant before they target US citizens on behalf of the FBI?  Secret Service? DEA?  MI5?  MI6?  
  • Does the NSA protect American citizens from surveillance by their peers and colleagues in other nations?  
  •  Is information passed to the FBI by NSA ever, usually, sufficient for the issuance of a wiretap warrant?  A National Security Letter?  
  •  Do the intelligence agencies selectively share intelligence with legislators in order to curry support?


Tuesday, October 13, 2015

A Leapfrog Enterprise Security Strategy

Recently I was quoted in an article on newly reported, but somewhat old, breaches.  In the report I was quoted as suggesting that these breaches suggest that security has fallen behind and that, just in order to catch up, we need a "leapfrog" strategy.  This post will suggest what such a strategy might contain.

Mine would start with strong authentication close to the users, i.e., at the end point. Strong authentication will start with privileged users and move to all employees. We have known about the limitations of passwords and what to do about them for thirty years. It is way past time to get on with it. Going forward, the end point of choice will be the mobile computer, colloquially referred to as a "smartphone."  This device already contains powerful sensors that can be used for authentication of claims to identity.  Apple Touch ID and Samsung Face Unlock are simply early examples of what can be done.  These are quick and easy to use and, in combination with possession of the device, constitute strong authentication.  

My strategy would include reducing the number of privileged users, the reduction of their privileges, and accountability for the use and exercise of privileges. It would include involving two or more people in the exercise of sensitive but rarely used privileges. We have too many privileged users and too little visibility into how those privileges are used.
It would include the automatic notification of the subjects of records and the owners and managers of accounts of all use, changes to, or transactions against those records or accounts. If we are to detect breaches on a timely basis, we must increase and improve transparency and accountability.
It will include isolating e-mail and browsing from mission critical and other sensitive systems and data. The intelligence is clear that many, not to say most, compromises begin by duping the users of these two applications.
It will include end-to-end, end-point to application, not perimeter, not operating system, encryption. We cannot continue to operate large enterprise networks as flat spaces, as spaces in which any system may address any other system in the network.
It will include restrictive, i.e., "white list only," granular access control close to the applications and data. It will probably include access control at every layer, e.g. between the application and the database, between the database and the file system.
These measures are neither expensive nor disruptive. Google has demonstrated that even strong authentication can be flexible and convenient. They can be implemented in parallel. There are vendors recommending them and with products and services to implement them.
This is an "off-the-top of my head" list; I am sure I have omitted something important. However, it is informed by fifty years of thinking about this problem. I am sure that many of my colleagues have measures not on my list but which they would include in a leapfrog strategy.
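
Three of the measures listed above, sketched as an added example rather than code from the original post: "white list only" (default-deny) access control, two-person approval for sensitive but rarely used privileges, and automatic owner notification backed by an audit trail that names a single individual. The principals, resources, and the `Gate` class are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed allow list of (principal, action, resource).
# Anything not listed is denied: there is no "deny" rule to forget.
ALLOW = {
    ("alice", "read", "payroll/records"),
    ("bob", "read", "payroll/records"),
    ("alice", "rotate-key", "payroll/db"),
    ("bob", "rotate-key", "payroll/db"),
}
# Sensitive, rarely used privileges need a second, distinct, authorized person.
DUAL_CONTROL = {"rotate-key"}
# Constructed owners, notified of every attempt against their resource.
OWNERS = {"payroll/records": "carol", "payroll/db": "dave"}


@dataclass
class Gate:
    audit: list = field(default_factory=list)    # one entry per decision
    notices: list = field(default_factory=list)  # (owner, message) pairs

    def request(self, who, action, resource, approver=None):
        allowed = (who, action, resource) in ALLOW
        reason = "allow-listed" if allowed else "not on allow list"
        if allowed and action in DUAL_CONTROL:
            second_ok = (approver is not None and approver != who
                         and (approver, action, resource) in ALLOW)
            if not second_ok:
                allowed, reason = False, "second authorized person required"
        # Accountability: every decision is tied to a named individual.
        self.audit.append({"who": who, "approver": approver, "action": action,
                           "resource": resource, "allowed": allowed,
                           "reason": reason})
        # Transparency: the owner hears about grants and denials alike.
        owner = OWNERS.get(resource)
        if owner:
            outcome = "granted" if allowed else "denied"
            self.notices.append((owner, f"{who} {action} {resource}: {outcome}"))
        return allowed


if __name__ == "__main__":
    gate = Gate()
    gate.request("mallory", "read", "payroll/records")
    gate.request("alice", "rotate-key", "payroll/db", approver="bob")
    for owner, message in gate.notices:
        print(f"notify {owner}: {message}")
```
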