When presented with a systemic security problem, the cybersecurity community often turns to a product or tool for a solution. Sandy Clark is moving in an entirely different direction — she wants to change the system.
A researcher at the University of Pennsylvania’s Security Laboratory (SECLAB), Clark has a different vision of the security ecosystem. With the Internet of Things growing at a nonstop pace, Clark is researching ways to measure the long-term health of the interconnected systems that continue to come online.
Clark has tackled these high-level, complicated issues in the past. During her time at Penn, Clark has examined legacy code being used in zero-day vulnerabilities, described how security should be baked into software engineering and done early work on the flaws in election systems.
CyberScoop: What has been top of mind for you, what have you been working on and what has been so important about the work that you’ve been recently doing?
Sandy Clark: What I am interested in doing is trying to move us away from trying to fix security problems to thinking about security over the long term. You see, what we have are extremely complex systems. That sort of complexity is not something that either the theoretical computer science community or the engineering computer science community has ever experienced or has any models to think about. The complexity that we built into our devices, we understand how to make these devices function the way we want them to. They function so well, we have completely changed how the world works. Our economy across the entire globe is digital. We understand how to make things work extremely well, but we have no really good understanding of how to keep them from not working the way we don’t want them to work. What we’ve relied on in order to make things work well is that we’ve understood the properties of what is involved to make “X” do “Y.” We know how to measure those things very well. We don’t have the equivalent metrics for security.
CS: Are you working to create those metrics? What do you think those metrics would look like?
SC: I am very much looking toward creating those metrics. I think we need to understand what is not just the property of things we are making but the properties of the system that it lives in. This is one of the reasons why IoT has become such a problem. We understood possibly the properties of each individual device or product but we never planned on any of the unexpected interactions that we would have when we connected them all together. No one considered that each product that they were building was going to be added to a system that already contained hostility. What security really is nowadays is a living ecosystem that has a finite set of resources and a whole bunch of organisms, some of which are beneficial, some of which are neutral and some of which are hostile. And in order to have any sort of measurement of how secure you might be at this moment, you’ve got to understand what role you play in that ecosystem and what role those other organisms play in your world. That is something I am trying to do. It is not an easy problem to solve.
CS: There is so much new tech out there with the advantage of the Internet of Things, yet we are still trying to secure so much legacy technology that is still being used. Do you think we will ever reach a balance where things are secure by design?
No, because our adversaries are just as smart as we are and to make that assumption is to assume that you are smarter than they are. What I think is entirely possible is for individual companies, individual products and individual users of devices to have enough understanding about what it is they have to protect and what it is they risk. How much do I spend to do this, how much do I spend to do that? Do I put up an extra firewall? Do I make sure that this particular device is only on an internal network and never touches the outside world? Can I have a set of devices that I am ok on because I never put personal information on those devices? Can I have one password that I am really careful about because it protects my banking but can I have another password that I just use for all the sites that I don’t care about because I’m never going to be spending money on those sites? You can make those sort of trade-offs, but that requires understanding what your risks are and that requires metrics.
CS: There’s a lot of effort to take humans out of the equation when it comes to security. Do you think that we are making progress? What more could be done by the cybersecurity community to take the human out of the equation in order to make things more secure?
SC: We have made extraordinary progress. All of the big companies have changed things in such a way that they have raised the level of difficulty to a point that the skills required to get anything of real value is much higher than it used to be. When I was a lot younger, if you found a vulnerability in anything, you had a working exploit in 30 minutes. As early as five or six years ago, if you found a vulnerability it was still three hours to have a working exploit. Now you have to daisy-chain several of them together to get something that actually works, right? There is still a lot of low-hanging fruit because of backward compatibility issues and those from people who are unable to or unwilling to update. We are going to see a lot of that in the IoT world and particularly in the medical device world, because of the kind of regulations they’ll have to go through in order to change the software. We have made the easy stuff go away.