When you look at today's security threats, what worries you the most?
The spread of Windows systems into critical infrastructure is most concerning. If our
infrastructure comes under attack, this could lead to serious failures. I'm talking about the world
infrastructure. We're so intertwined when you consider things like banking, airlines and
government. A big attack could happen, there would be serious global consequence and you would have
a very hard time telling where it's coming from. If you had an event that affected air traffic and
power it would be a very uncomfortable world to live in.
So you believe in the monoculture theory -- that tech diversity is needed because a
Windows-dominated world is ripe for catastrophe?
I wouldn't say that. People who say diversity improves security put themselves in a funny position.
You can't tell someone to use the most secure operating system if it doesn't let you do what you
need to get done. Security is always a supporting requirement within the enterprise. You have an
enterprise that wants to do something. The police want to stop crime. Companies want to make money.
Security is an important but subordinate requirement. If you want to run desktop applications, you
pick Windows. But when it comes to critical infrastructure, you probably shouldn't use Windows
because of too little care to coding too deep in its guts. Globalization could have a beneficial
effect. Other nations use Linux-based systems.
Which threats do you think are overly hyped?
Over-hype takes attention away from the most serious problem -- protecting critical infrastructure.
Less serious are the censorship applications. Worrying if employees are visiting certain Web sites
is a distraction. Censorship applications that try to control which Web sites you can visit are a
distraction from the bigger problems.
A running joke is that whatever year we're in is "The Year of PKI," meaning the technology
has yet to live up to its hype. Do you believe there will ever be a true year of PKI?
No. One day we will look around and start trying to figure out what year in the past was the year
of PKI. Widespread use of PKI is inevitable. But there has been a standardization problem that
isn't helped by the number of competitors in the field. It's fundamentally a capital development
problem. Growth is slow now but it'll pick up later. Did I think it would develop more quickly?
Yes. Am I surprised there's so little of it? No. The government uses quite a bit of it. And it's
hard to say PKI hasn't had tremendous market penetration. It just seems there's not enough of it
given the security needs out there.
How do you see the technology evolving over the next decade?
I expect it to develop an opposable thumb and settle into a level of standards. I think the most
glaring example of success is the Advanced Encryption Standard (AES). We now have a high-grade
crypto algorithm. Standards like AES, SHA-384 [and] ECC digital signatures… will drive out their
competition: RC4, DES, 3DES, etc., and become widely embedded in hardware and software around the
world. We are transitioning from modular arithmetic-based key systems to elliptic curve systems.
Elliptic curve is more compact. It brings register-key sizes down. It runs faster and consumes a
lot less power. In the coming world of integrated mobile devices, this will have a big impact.
People have a lot of inertia. But things like hand-held browsers will be the motivation for a
change to lower-power, more efficient systems.
Like some of the other questions, here's something Martin Hellman was also asked about: In
December 2003 Information Security magazine called Ralph Merkle an "unsung hero," arguing that he
had as much to do with advancing PKI technology as you and Hellman did. Do you think Merkle
deserves more credit for his contributions than he has received in the past?
There's very little question he deserves immense credit for this. I think we have all done very
well not fighting about credit. His contribution should certainly be acknowledged. But everyone
played a part. Historians will dissect who did how much, but that's not what's important. Though
his thinking and mine aren't entirely congenial, I think he's great and has contributed much to the
field. He may also not get enough credit on nanotechnology. He's been working on that for a very
long time.