Friday, July 22, 2011

It’s just an analogy, get over it

We in the cybersec business explain technically difficult concepts by using analogies with things people are familiar with. For example, we say “cyber security” to convey the notion that what we do is similar to physical security (armed guards, bank vaults, keys to you front door) but in cyberspace.

But these are just analogies. You really can’t take them to far without looking the fool.

A great example is this article claiming that since computer viruses are a disease, the government should treat them that way with something like the CDC. The CDC, the “Centers for Disease Control”, is the government agency that decides what’s in the yearly flu vaccine, or prevents the next ebola oubreak.

But viruses are not really diseases. Extending the simple analogy doesn’t work.

The analogy was first made because cyber viruses shared a few traits with real-world viruses. Real-world viruses aren’t “alive” like biological cells, but are instead just a strand of DNA, or a strand of “code” as it were. Viruses replicate by infecting cells, incorporating that DNA into the cell’s DNA, then hijacking the cell to produce more strands of the virus DNA. This kills the cell, releasing billions of strands of virus DNA that go onto infect other cells.

Cyber viruses likewise are just code that hijacks the computer to produce more copies of itself, which it sends to other computers.

Or at least, they did in the past. The most dangerous modern “viruses” (aka. “malware”) no longer replicate themselves. Modern networks have gotten good at detecting something that is replicating and stopping it.

Instead, modern computer viruses are targeted. A hacker picks a victim, scopes the defenses (such as which anti-virus product they use), then designs a virus to evade those defenses. The hacker then sends a “phishing” e-mail to everyone in the company, such as pretending to be from the IT department telling people to download and run that software. The hacker gets in, steals the information he wants, and gets out, sometimes removing the computer virus as he leaves.

According to Verizon’s latest data breach analysis, 97% of serious virus infections are of this targeted type. This is what happened in the “Aurora” attacks. Chinese hackers (or so Google claims) broke into Google’s network using a custom, targeted virus, and stole a lot of Google’s secrets.

The failure of the “free market” anti-virus companies is not a failure of the “free market” (as the left-leaning author of the above article suggests), but a failure of the analogy. When viruses mindlessly replicate, it’s easy for the CDC (or anti-virus companies) to get a sample and create a vaccine. When they don’t, when they are targeted, the CDC (or anti-virus companies) will never get a sample, and won’t be able to create a defense or “wipe it out”.

There are ways of solving the virus problem, but it means treating the technical problem, not the metaphor.

A good example is what Apple does with the iPhone and what it’s trying to do with their latest operating system, Mac OS X (Lion). You can’t download any arbitrary software on your iPhone. Instead, you can only install those applications that Apple allows you to. Apple’s competitor, Android phones, behaves differently, allowing users to install any software they want. The consequence is that Apple’s iPhones are largely free of hostile “viruses”, but “viruses” plague Android phones.

Apple hopes to do the same with their desktop computers. Their “Lion” release of Mac OS X has an app store feature similar to the phone. You can still download arbitrary software from other sources, but you can be more assured that software downloaded from their app store isn’t a virus.

But there are some people who don’t like Apple’s 1984 Orwellian future, where Apple controls everything you do. One cyber activist claims that he won’t make the switch to Lion, and will instead switch to Linux.

That reflects the true reason why viruses are hard to eradicate: security is a tradeoff. A police state can solve the crime problem for you -- at the expense of forcing you to live in a police state. We can solve cyber crime -- at the expense of enormous tradeoffs like Lion’s. That’s what Tom Henderson (the left-leaning author of the article I linked at the top) fail to understand about the free-market. The free-market isn’t about the choices anti-virus companies make, but the choices individuals make. It’s about the sacrifices individuals are willing to tolerate in the name of cyber security. Computer viruses exist because individuals want the ability to download arbitrary software for their computer. They would rather get infected with the occasional virus than give up that ability to install new software. The state of cyber security today is exactly the balance between costs and benefits that customers want. If you don’t believe me, then configure your Windows machine so that no new software can be installed on it. This will protect you from viruses far better than any anti-virus product.

It’s not just fools outside the computer industry that take analogies too far, but also people who should know better.

General Keith Alexander, the head of our Cyber Command (the part of the U.S. military dedicated to “cyber”), thinks that we should have a cyber weapons arms control treaty. Again, a “cyber weapon” is just an analogy, one worse than a “cyber virus”. The true threat in a “cyber war” isn’t from nation-states like China, but from their people. China promotes an intense nationalism among their people, who see the United States as their primary adversary (although not necessarily enemy). This causes millions of Chinese teenagers to try hacking into American computers. They do so without any particular weapon, but by typing things like SQL injection into the browser.

Hacking isn’t about the “weapons” or tools that hackers use. It’s what goes on in their heads. It’s like how a single unarmed Navy SEAL is more dangerous than 10 armed soldiers of most of the world’s armies.

The best cyber analogy is the Anglo-Zulu wars, where a small British Army with guns tried to fight huge Zulu armies armed with nothing more than leather shields and wooden spears. The British often lost battles as the Zulu overwhelmed them when they stopped to reload. A cyber weapon treaty today would be as stupid as an arms control treaty between the British and the Zulu. It’s the United States that stands the most to lose from such treaty. We don’t have nationalism -- our hackers oppose the American government and big business as much as hackers everywhere else in the world. All we have are technical measures, like “Stuxnet”, a virus type thing created by the American government to attack Iran’s nuclear program, and the so far the only real example of a cyber weapon to date.

Yet another analogy is automobile safety. Government has laws ensuring the safety of automobiles, with such things as mandatory recalls if there is a safety problem. Shouldn’t the government do the same with software?

The answer is “no”, the analogy doesn’t work. The safety threat to cars are those things that happen by accident. The security threat for computers are those things that happen on purpose, caused by sentient beings.

The better analogy is the government telling manufacturers to recall cars because people can slash tires, cut brake lines, or smash windows by throwing rocks from the overpass onto the freeway.


I’m frequently frustrate the way that analogies take a life of their own. The non-technical believe strongly in them, as children believe in Santa Claus. Rational thought is powerless: their eyes glaze over when I try to explain the technical details, in much the same way kids don’t want to hear about the impracticalities of Santa visiting a billion children in one night.

You phrase it better than me "use analogies to make points not policy".

Calling them "computer STDs" is a more apt analogy than "computer viruses". It better reflects what's really happening. In much the same way men won't wear a condom "just this once" because "she looks clean" is the same decision making when running software from a phishing e-mail.

No comments: