Information Security has Failed What Next? Professor Richard Walton CB Royal Holloway 6 September 2014

Infosec has failed Infosec defined in mid-1980s  Generalisation of Comsec  Crypto Technology of 1970's – solved the major technical Comsec challenge  Infosec should have followed with technical solutions to: – Availability – Confidentiality – Integrity

Infosec has failed Today  Technical Cyber attacks abound  Software quality is abysmal  Criminals download commoditised malware  Mobile devices exacerbate the problems  Security is permanently reactive  We can't PREVENT successful attacks

Information Security Today and Tomorrow Today  Business Dependency  Criminal Threat  Some Control of assets  Poor 'professional' software Tomorrow Personal Dependency Increased Threat Ubiquitous uncontrolled assets Amateur software

Response - More of the Same (only better this time)  Awareness - must keep banging on  Law – must improve – must enforce  Better Authentication  Better Risk Management

Software Quality Bespoke still required at the High end - But will be resisted Must accept that most Apps will be written by incompetent progammers Vital to harden the building blocks

Software Quality  Software Libraries require a total rewrite  Documentation must be improved – and simplified – to cater for the dummed down programming  Education of the elite must be upgunned  Education of the masses also needs attention  Strengthen acceptance criteria for Apps

Change the Goals Prevention Cure Detection Diagnosis Recovery Damage Limitation

Detection - Transparency  Better Documentation from Developers – enforced by regulation/strict liability  Transparency of actions - what and why  More user control  Revelation of hidden processes  Integrity checks available to users

Call to Arms  Government  Developers  Academia  Professional Institutions

Government  The Law - strengthen enforcement  Spearhead Public Awareness  Seed-corn funding  Strengthen consumer power

Developers  Improve documentation and other aids to transparency  Strengthen acceptance critieria for public Apps  Provide for more user control  Meaningful monitoring and diagnostics to detect problems

Academia and Researchers  Education of programmers  Hardening Software  Assurance mechanisms to support the non- expert user

Professional Institutions  Advice on technical risks - lobbying Government  Engineering standards  Mitigating the amateur threat  Provide a counter to vested interests from industry

Conclusions 1  Infosec has failed to prevent or cure the ill- effects of the security challenges of the past 30 years  The environment is getting more challenging  The priority needs to shift to detection, recovery and damage limitation  The challenge from ubiquitous threat must be met by ubiquitous defence aimed at the non- expert consumer

Conclusions 2  Actions are needed to arm the consumer  This requires Government to act to counter the vested interests  In some areas Software Quality must improve; elsewhere an environment must be created to limit the damage from low-quality Apps.  The playing field must be tillted to protect the general non-expert user.