Expert Comment October 2003 Sun’s CSO hails the future Whit Diffie on cryptography, the brave new world of web services and the future of infosecurity

Whitfield Diffie possesses one of those rare minds that really has been (no kidding) responsible for a paradigm shift in human thinking. Along with Marty Hellman he invented public key cryptography in 1976. As well as being a breakthrough in mathematical terms, this invention democratized a practice previously the preserve of military elites.

Diffie has worked for Sun since 1991, and serves as its chief security officer. He gave a keynote speech at this year’s ISSE conference, held in Vienna on 7–9 October. Brian McKenna spoke to him for Compsec Online about cryptography, the brave new world of web services and the future of infosecurity.

You’re famous for the discovery of public key cryptography and for helping shift that discipline from a military black art to being a popular science. How do you see the role of cryptography in information science today?

The discovery of public key cryptography made it feasible – not as easy as we had originally hoped, but nonethess feasible – to use crypto in a much broader community. And so, in part because of our work, a commercial and academic cryptographic community grew up.

The public key played an important role in that, because previous cryptographic systems were easy to design and hard to evaluate. That is, unless you have a lot of organizational discipline, there is a big tendency for people to get in and propose cipher designs that become frustrating to evaluate. Since it is so hard to design public key systems, academics could get their key teeth into it. And so the mathematicians became interested and that’s what nurtured the community.

As for the place of cryptography in information security today, it is the best-cooked piece of it. Cryptography is the only set of tools that controls communications and channels that you don’t control.

It mostly dates from the introduction of radio. You can find older cryptography, but the big developments started with radio. None of the security measures that were used for communications prior to radio were of any use – except cryptography. So it went from being a secondary technique to being a primary technique.

With the internet you see another fluid communications medium that you can’t avoid using; it’s just too useful. But it is also medium that is entirely out of your hands, and so cryptogaphy is the essential protective tool.

What’s the worst-cooked piece of information security?

Configuration control. It is in a dreadful state. The industry is based on a set of delusions. At Sun we sell Solaris 9 and pretend it is a finished product, like a car. But no sooner is it installed than a bug is found and we issue a patch. And then there is Solaris 9.1.

The description makes it look quasi-static when it isn’t because we continue to develop Solaris. The one running in building 17 in Menlo Park, where they are building it, is different to the one that is sold.

Moreover, we are developing the hardware, and that is running on Intel, which is also developing the hardware. And the customers may be developing the software, too – and the hardware!

So everything is changing. There is no generally accepted technique for saying in a formal fashion ‘we want a system that looks exactly like x’ and have that executed as a script. That is not generally available and this means that system administrators have to spend a great deal of time configuring the system. Also it is hard to test for whether it is in the right configuration. There is just no medium for discussing configurations and their consequences.

You are talking here about general IT products, and their security. Now, ‘secure products, not security products’ has been a user mantra for some time. Where do you think the IT industry stands vis-à-vis this goal?

In my mind that describes a legitimate Sun objective, but that is not necessarily everyone’s! RSA makes security products and that is fine. But Sun’s products are of such scope that the naming has to be different. Anything you do with a Sun product you ought to be able to do securely, and so that is what I would mean by saying ‘secure products not security products’.

The question really is ‘what are the security implications of the function of this object?’ And then you have to integrate the component into the overall security of the enteprise system.

Is that something that, in your view, Sun has done systematically and historically in a way which other vendors have not?

I would say, conservatively, that we have done a better job of security because of our history. Unix, even when we acquired it, was a multi-user operating system that was particularly used in some gently hostile environments. It was widely used in the academic community, for example.

We took over the operating system and immediately built a business that was about networked computers.

So, basically the operating system that we have been cultivating for over 20 years has been steadily and smoothly exposed to more and more hostile environments.

Now, the DOS-Windows family was basically serving a glorified desk calculator, in isolation, at the start. Suddenly they hit extensive network applications in the mid-1990s, after having built up a long legacy set of expecations from their customers about applications. So they are having more difficulty in adapting to security measures that are appropriate for an operating system that faces a diverse network of clients.

There are experts who are saying that, as we move to a world of web services, serious near-future threats will come further up the stack than at the network level. What’s your take on this?

I believe in web services. They will work. And they will lead to a computer-to-computer information economy that will parallel the economy as a whole. Right now corporations sub-contract many kinds of work, from advertising to cleaning, and the same thing is entailed by the ‘network is the computer’ idea. At present, computers reach out of themselves in limited ways. We distibute storage around the network, almost invisibly. Standalone computers will become rare, and many operations will be outsourced to specialists. The big challenge for security in the next decade or so is that of providing the security mechanisms necessary for that.

You say you believe in the success web services. How significant will it be?

Immensely significant. It will change the whole way that computers are used. For example, suppose you develop a new algorithm. What can you do in order to commercializie that? Well, you can write a program and sell it. But what you can’t really do is to render the algorithm as a service. That’s not served by the current infrastucture. At the moment you have to enter a manufacturing economy, with all the expensive overhead that that entails.

Do the very economics of software development mean that there will always be problems that will sustain a security industry?

There are two issues there. Is software development essentially prone to bugs? Yes, but my intuition is that great improvements will be made there over the next few years. The second issue is expressible as the question: ‘will the IT security industry always exist separate from large multi-function IT companies?’

I’m not sure. I can easily believe that the development of a web services economy will make the formation of businesses with specialized functions more viable. However, and equally, the maturing acceptance of security as a component of all information systems could sediment it down to the system manufacturers.

Will improved system architecture make viruses less viable, thereby reducing the importance of virus scanning? That’s plausible. On the other hand, will filters go away? I doubt it. Then again, we are freezing the basic cryptographic techniques so cryptography is likely to undergo less change in the next 20 years than it has done in the last two decades. So it is not clear that cryptography will support an independent industry, in the way that outfits like RSA have been supported though the 1980s and 1990s to the present.

It’s not even clear that IT generally will continue to support large companies. Improving IT has produced mergers and consolidations in the last 30 years because it has made it feasible to run larger organisations. Will that go on, or will the ability of smaller organizations to deliver services to others cause the corporate stucture to break up into smaller pieces? These are undecided questions.

Looking beyond business, what is your assessment of the plausibility of cyber-terrorism? Given the liberatarian cast of your thinking I’d have thought the rhetorical excesses around this is in the US would make you uncomfortable.

I’ve seen no evidence that cyber-warfare will be viable as an independent weapon. If you look at information operations in the US military, they are coordinated with other kinds of activity. But whether cyber-warfare will work by itself is an open question. We will see attacks on the critical information infrastucture, and we do need to make it resistant to attack. The threat of retaliation is the best way of doing that.

It would be very unfortunate if cyber-terrrorism security were to follow the path that physical security has followed in the US. We are now engaged in exactly what the Soviets were doing 50 years ago – the identification and tagging of the population with identity documents.

To extend that to the internet is, moreover, a dubious idea because the internet is such a diverse multi-national organization.

It’s increasingly said that security is becoming more holistic, with other professional groups – lawyers, senior management, HR, and so on – getting in on the act. Is this a good time to be a corporate information security professional?

Yes, it is, because while there are areas that are well cooked there are areas which are not. It’s still a growth area. As for the holistic point, well it’s like the rise of lifestyle counselling in medicine. Has that put doctors out of business? No. It’s still a good time to go into medicine. Security is an intrinsically adaptive field. Threats are refined, they don’t go away!