Marcus Ranum on cyberwarfare, infosec careers
Date: Oct 29, 2009
At 2009's Information Security Decisions conference, security expert Marcus Ranum sat down to answer some of readers' security questions, which range from whether enterprises should fear cyberwarfare to the prospects for a career in information security.
About the speaker:
Marcus Ranum is Chief of Security for Tenable Security, Inc.
Read the full transcript from this video below:
Please note the full transcript is for reference only and may include errors. To report an error, contact email@example.com.
Mike Mimoso: Hi, I'm Mike Mimoso and joining me today is Marcus Ranum, and we're
going to talk about a variety of security topics. So, thanks for joining me
Marcus Ranum: Thanks for having me.
Mike Mimoso: My first question is about cyber warfare and cyber terror. Are those
Marcus Ranum: Well, it's really funny that you asked that topic. Cyber war is one
that I've been notoriously and very publicly skeptical about. I think there
are some huge logistical problems that undermine the entire concept as far
as military usefulness. That being said, cyber terror, I'm really puzzled
about that because there's a huge potential for it. I think when you get
five or six security practitioners around some beer at a conference, it
takes us about five or six minutes to come up with all these really
scarifying scenarios where if I was a cyber terrorist, I would do this or
I'd do that. It would be expensive and damaging.
So the question is, why is that not happening? I really don't know. There
are two theories that I have. One is that the bad guys aren't technically
sophisticated enough to really be able to do it which means inevitably
we're going to have some serious problems, and the other is just that cyber
terror is really not that scary. I don't know whether you could affect
people's lives if Twitter went offline for 48 hours. I think most people
would just shrug and productivity would skyrocket, but terrorists feed off
of fear. And so, one of the real questions then is, is cyber terror going
to be practical until there's a time when Internet-based attacks are
capable of causing really massive human casualties and fire and destruction
and stuff like that. So I think, maybe, eventually, but not in the short term.
Companies need to protect against this anyway because obviously, we can't
start fixing our infrastructure once it's too late. And so, besides cyber
crime is going to be a problem, and the tools of the criminal and the tools
of the terrorist are ultimately the same. They're going to be looking for
vulnerability. So I think, whether cyber terror or even cyber war is a
problem, we should be doing more to protect our critical infrastructure. I
think the financial threat is a huge one. We're losing gigantic amounts of
money to crime, and whenever there's an incident like in Estonia or
something like that, so far it hasn't been turning out to be state
sponsored. It's usually just some individual who gets angry at government
and decides to declare war against it, which is an interesting thing
I'm kind of, almost looking forward to it as we're moving into an
environment, maybe, where an activist citizen of any country can take
offense at what any other country is doing and possibly affect their
political policy from their own desktop. And that's kind of interesting to
me. I think that may open up some new avenues for personal communication
between individuals and governments.
Mike Mimoso: What kind of threats worry you?
Marcus Ranum: What worries me is really a strange thing. What worries me is the
creation of effective software. Unlike most of the engineering
humans do, software can continue to build bad layers on top of bad layers
on top of bad layers, and there's never really any impetus to go and clean
all those bad layers up. And so, I think what can happen is we could
potentially build some kind of real Achilles heel into something someday.
Unbeknownst to us, there could be some leftover protocol from the early
1980s that's built into some application that gets carried forward and
embedded in the bottom of Web 2.0, and then some day somebody uses that to
accidentally screw up our power grid.
I'm much more concerned about accidents and the insane complexity and the
potential for insanely complex accidents. We're moving into an environment
now with some of the newer Web 2.0 and grid computing stuff that I've seen
where people can have a software accident that makes your application not
function in ways that they're not capable of understanding. And so, we've
moved into an environment where software is now no longer a predictable
thing. It's no longer Alan Turing's automaton. Now it's become almost this
organic thing that you put together and you hit reload in your browser and
you pray it works, and I think that's a very dangerous environment. So
that's what I'm afraid of. That's what I'm worried about. I think we've
completely lost control or are about to lose control of how computing
I think the answer is twofold. Obviously, we need to educate better, but
that's really a non-answer because I don't know what percentage of software
is coming out of people who have been through a computer science curriculum
versus how much was somebody who was self-taught like me. We can't control
that, and I think that would actually be very counter to innovation if we
did try to control that. So education may not be the answer. I think what
should be the answer is to be vastly more aggressive about retroactively
pruning out pieces of the software evolution tree of what we're running. We
should be going back and hacking off some of those bad branches instead of
carrying them forward, and right now there's nobody to do that.
Mike Mimoso: You've been pretty outspoken on the fact that user awareness programs
don't work. Can you explain why you believe that?
Marcus Ranum: Well, I'm not a fan of user education programs simply because if
you look at the fact that we've been trying it for 15, 20 years, and it
hasn't worked, and today's new and upcoming kids are much more technically
sophisticated anyway, if it was going to work, it would have started to work
by now, and it hasn't, so I don't think that's really the right way to go.
What is the right way to go? Well, the problem is giving people too many
options when those options are bad. If your mission is to have a weapons
control system or something like that, that software and hardware that
you're controlling your piece of technology with is there for one purpose,
and principally for one purpose only. You don't need to run Twitter on it.
You don't need to access Facebook from it. I think that's really kind of
where the industry is going to wind up going in the next decade or so.
I had a really interesting case a couple of years ago where I was talking
to a client that had this massive robotic machine that cost about $13
million that produced some very important things on a very tight time
schedule, and the field service technicians that worked on these devices
would just take their corporate laptop and plug it right into the back
plane so they could run diagnostic software on it. Of course, these guys
were running World of Warcraft in their hotel rooms at night on their
corporate laptops. You can guess what happened. There were all sorts of
worms and viruses loose inside the back planes of these insanely expensive
and very important systems.
Well, the obvious answer to that is to not do that, and finally I asked the
all-important question, which is, "Well, how many field service guys do you
actually have?" The answer that came back was six. For the cost of six
laptops, you can make this entire problem disappear. So now they bought six
Netbooks, and they're all locked down when they're running. So you have the
diagnostic Netbook and you have the one that you do all of your other stuff
on. This isn't very difficult. I think we have a tendency to want to just
do everything with the same hardware because it's convenient, and people
don't really understand the ramifications of those decisions.
Mike Mimoso: In a recent session that you did with Bruce Schneier, you were asked
what you would do if you were named the cyber security coordinator. Can you
go over your answer again?
Marcus Ranum: Well, I have to give my caveat, too, if I get to give my answer.
Mike Mimoso: Sure.
Marcus Ranum: Which is you wouldn't want me to be the cyber security czar. I'm
totally not qualified for that position because I don't play politics. And
as Bruce so aptly pointed out, that's a political position not a technical
position. But, of course, if I was the cyber security czar, I would have
the actual power to change things, and I would trigger a lot of
reassessment of a lot of stuff. I would ask questions like, "Why does the
U.S. Marine Corps need to be able to send and receive e-mail?" Is that an
appropriate thing to be able to do? I can understand that it's desirable;
the question is, is it necessary. A lot of these things would be
reassessed, and I would actually start from ground zero.
I would unplug probably most of the federal agencies' systems that are not
citizen-facing information distribution or things that exist there for the
citizen, and that would solve a lot of problems. It would create a few
other problems, but it would solve a lot of other problems. I think
ultimately though what the federal government needs is...there's been a
pathetic lack of leadership in cyber security and in technology as well.
The federal government needs an office of the chief technology officer,
somebody who can specify this is the kind of software that we're going to
use, and this is how we're going to use it, to make those decisions. Does
somebody in the field in Afghanistan need to be able to tweet to their
friends back home in real-time or whatever? Yes, it's useful for morale,
but there are military implications for everything, and do we need to share
so much information about certain things or not?
What's fascinating to me in general with the whole Internet security
problem is that many of the problems that we've brought upon ourselves were
brought upon ourselves because nobody ever asked the question of, "Is this
business justification that you've given me really just a flimsy one, or is
there actually a business justification behind it?" One of the things I like
recommending to people is that if somebody comes along and says, "Oh, we
need to allow access to this system because it's going to make us a lot of
money." Great, in two years let's schedule an after action report, and
let's review and see if it actually did bring in the benefits that you
claimed that it was going to.
I've seen organizations that have spent huge amounts of money doing Web 2.0
redesigns for their websites because somebody in the marketing organization
said, "Well, it will be really cool." And nobody's able to say how much
it's affected customer reception. Has it brought new customers? Has it
brought new business? These are all questions that executives should be
asking, and I think a lot of the time, either because they're not
technically sophisticated enough or whatever, executives just let this
stuff get steamrollered past them, and that's how we get in the situation
we're in today.
Mike Mimoso: Do you think that it's okay for the government to mandate that
companies, enterprises, mid-market companies, do something about information
security? Granted, they shouldn't get very specific about what technologies
you implement, but do you think it's okay for them to mandate a baseline of
Marcus Ranum: I think it is necessary in a situation where there's endemic vast
losses and ignorance. I think it's appropriate and necessary for the
government to step in. I think it's appropriate for the government to step
in and say children have flu vaccine because we've looked at the problem,
and we've concluded that there's a herd immunity issue, yada, yada,
yada. We've got the same problems with computing where it's appropriate to
say, "Yeah, if you're doing this kind of thing, you're mission critical or
you're critical infrastructure for the country, you need to do this kind of
thing correctly." That's why we have accepted, in the past, things like
controls on cigarette smoking and requirements to wear seat belts in cars.
And in most rational states, motorcyclists wear helmets and things like
Mike Mimoso: Do you think that traditional security controls on the network level,
like firewalls and intrusion prevention, do you think they're eventually
going to become a thing of the past as security moves more to the bit level
and the data level?
Marcus Ranum: So the question of, are firewalls and perimeter security going to
be obsolete because we're moving security to the data level, is one I get
a lot, and there's been a lot of play for that theory. The problem is that
it's a really bad question because before I can say that my data is going
to self-secure, I have to be able to run an operating system that is going
to give me guarantees enough that the data can trust that my data is not
being exposed through a trap door in the device driver that pulls stuff in
and out of my video card. Or that it's not being pulled out of my keyboard
and so forth. So if we were actually going to push data security to the
data level, we need operating systems that are vastly better than what
we've got. I apologize at this point. I'm sure there's people out there who
are going to say, "No, no, we have a solution for that." Well, if you
actually think that you've solved the whole security problem, you just
don't understand security very well. That's my observation to that.
And so, there's going to be a role for firewalls. There was a time where we
probably could have obviated the requirement for firewalls if we had simply
allowed all systems to just be directly connected to public networks
without putting in firewalls in place. They would have evolved to be hard
enough to survive, and that would have had some dramatic impacts on the
future of software engineers. I look back, and I really don't know whether
firewalls were a tremendous mistake or not. They're here and they're going
to be here. As long as we have to deal with backwards compatibility, they're
going to be here. When we first started installing firewalls, the reason we did it
was because there were all of these systems that had absolutely no security
whatsoever, and you couldn't plug those into the Internet. So you had to do
something, and along comes the firewall. Maybe, in a hundred years, this
won't be an issue, but I think we're really looking at a very long-term
Mike Mimoso: Now for a final question. Let's say you were leaving college today,
and you were very interested in information security. What career avenue
would you try to exploit to make yourself somewhat sustainable for the next
four or five years?
Marcus Ranum: Well, if I was coming out of college today, I wouldn't look at
information security as a career, and that's mostly because security
consistently gets big chunks of itself chipped off and thrown into just
operations. As you said earlier, these firewalls and IDS and stuff. Most of
the firewalls and IDS are not run by security practitioners; they're run by
network managers. As a piece of the security landscape matures, it gets
knocked off and moved into system administration or network operations. And
then there's always going to be a niche for pure play security
practitioners who exist to worry about policies and procedures and
practices and theory and stuff like that. I personally find that to just be
So, if I was talking to somebody who wanted to pursue a technical route
into information security, I would say, "You have to understand network
administration and system administration because ultimately the reason we
have a security problem at all is because security sits at the intersection
between bad administration, bad network administration and poor software
development. If we really are going to make any progress in security, you
need to understand that." So that's where most of the play in security will
always be. Why are applications so bad? Why are systems so bad, and why are
networks so bad? Unless you understand the answers to those questions and
what to do about them, you can't play in the security space.
Mike Mimoso: All right. Well, thanks for joining us today, Marcus.
Marcus Ranum: It's been my pleasure.
Mike Mimoso: And thank you for watching. I'm Mike Mimoso, and for more security
news and advice, please go to SearchSecurity.com.