Digital House on Fire
The Dire Insufficiency of Modern Data Security Tools and What to Do Next
On July 15, 2020, Twitter Inc. suffered a cyberattack during which three Florida teenagers took control of several high-profile Twitter accounts, including those of Joe Biden, Barack Obama, Elon Musk and Bill Gates. The teenagers were able to gain such high-profile access by carrying out a social engineering scheme against one of Twitter’s employees.
Software currently used to build large-scale online software was designed in a different era and for an entirely different threat model.
While this particular attack was promoting a cryptocurrency scam, a similar one just as easily could have been used to cause social unrest or even start a war, if the attackers targeted one of the world’s political leaders.
Software currently used to build large-scale online software was designed in a different era and for an entirely different threat model. It is because of this that our collective information security is coming apart at the seams, as new threats are emerging every day. This constitutes a real crisis that can only be addressed through radical innovation.
The innovation that can deliver the solution to this problem is the emerging field of containerized secure software development infrastructure. Such an infrastructure can serve to both increase the degree of data security, and to make it more transparent, enabling us to make educated choices related to our use of global information technology.
(Re)Defining data security
To the majority of us, the term “information security” evokes hacking, two-factor authentication, and the Equifax data breach. This view, however, is too narrow, and the issues at hand are far more complex and nuanced. First, proliferation of corrupt, unverifiable, an un-deletable data drains our ability to ensure safety from political and social meddling; second, high-security software is currently so hard to use, that it becomes all but inaccessible to ordinary users; third, companies such as Twitter still have the “god mode” — operator privileges that enable attackers to cause almost unlimited damage; fourth, it is not possible for users to reliably ascertain the degree of reliability of the information with which they interact, preventing coordination and collaboration. All of these are real concerns that currently fall outside of the traditional approaches to information security.
As the Cambridge Analytica scandal demonstrates, the most damaging abuses don’t involve hacking. While Facebook provides ostensible account-level security, it lacks the bigger-picture protections, such as the “do-not-forward” tagging of information or secure data deletion. As a result, Facebook was able to grant access to its user data to someone who should never have had that access. It is not relevant whether this was done by malice or by negligence: it shouldn’t have been possible at all.
What is to prevent images of fake porn, fake murders, fake police brutality from causing social and political damage?
Or take the Hillary Clinton email scandal. A busy presidential candidate, she was supposed to spend part of her overbooked schedule logging into her government-provided email account that only worked on the laptop and required a hard-to-use second-factor dongle. What Clinton did was what any of us would do: when faced with the inconvenience of maintaining a high degree of digital security, she switched to using her personal email, because it was fast and convenient. That account was subsequently hacked. Clinton’s high security email account was not insecure in the traditional sense, but because it was difficult to use, the outcome was just the same as if it were.
Or consider the fact that deep-fake videos and pictures are now reaching the new level of quality and accessibility. What is to prevent images of fake porn, fake murders, fake police brutality from causing social and political damage? We are seeing the emergence of a brand new kind of warfare, the one one in which malicious data can be used as a weapon on the global scale.
Here is how one can solve the problem of deep fakes: digital camera and smartphone manufacturers can include cryptographic chips into their devices. Such chips can securely sign every image taken, and the signature can later be used for verification. This is just one illustration of how the holistic approach to security works: it must be applied to every device out there, or it won’t work.
The need for a new approach
To begin addressing the global security crisis, we must build systems that fulfill several novel security requirements. First, security can no longer exclude the user. If the system is cumbersome to use, it must be treated as insecure. The future software systems must be good at creating complex user-centric workflows that make them appropriate for general use.
Second, security can no longer be thought of in the context of each component independently of others. All too often a system with a high degree of security sends sensitive data to a mere shell script. All data must be protected in all places it visits, and the new generation of secure software must enable such multi-node, multi-agent analysis.
Even the most trustworthy and reliable operators can be compromised.
Third, the new generation of systems must enable users to independently verify the security of the entire software stack, in a striking contrast with the current architectures that provide no transparency beyond the web-server. (Footnote: the lack of holistic software-stack-wide protection is a problem even in decentralized blockchain systems. Example: the hacks of individual accounts carried out by compromising the internet DNS infrastructure)
Fourth, we must learn to build systems without the “god mode.” Even the most trustworthy and reliable operators can be compromised. The “god mode” makes it possible for the attackers to cause unlimited damage, which is no longer acceptable. A truly secure system must instead have auditable and verifiable business rules defining the operator role.
Fifth and finally, it is critical to acknowledge that all software, almost without exception, must be treated as secure software. Building secure software must be easy and inexpensive. We can no longer afford the view that security is a narrow and specialized field.
None of this is possible with the current tools, which is why we need to build new ones. This type of innovation has happened many times before, at critical junctures when the existing approach to software engineering became unsuitable for the new usage patterns. We did this back when machine code became too complex for people to understand, and compilers were invented. Then again, when bare metal software became untenable and operating systems were created.
Docker is an interesting recent example of this kind of innovation. Difficulties of package management caused a persistent low-degree drain on engineers’ attention and diminished the overall system reliability. Docker was the difference between 99.8% reliability and 99.9999% reliability. This might not seem like a big difference, but when the cloud became the prevalent deployment modality, this meant that companies could dramatically increase the number of nodes they operated, without the decrease in reliability.
Something similar must now happen in secure software development. The new approach we take must be similar to Docker in its approach to component isolation, standardization, complexity management, and fault reduction. Two recent advances lead to our emerging ability to do so: trust technology and containerized programming models.
Trust technology enables an agent to trust a remote piece of software that the agent doesn’t control. It enables multi-system security analysis and transitive security, without which the new level of internet security is impossible. Trust technology is now widely available in the form of TEEs, hardware components that serve as the security layer around critical software. It is hard to underestimate the importance of this technology.
Containerized programming technology provides a way to develop secure business logic in the context of trust containers, such as TEEs. It is worth the effort to understand and to examine containerized programming systems at length, because they are both so new, and so important to solving the data security crisis.
Adopting the new paradigm
Containerized programming frameworks shift the emphasis from expressive power to ease of analysis and verification.
A containerized programming infrastructure is the “docker” of secure programming. It is a set of tools for development and deployment of secure software that is standardized, analysable, and specifically designed to manage complexity. It uses an approach very different from the traditional approach to software development, because it is designed to reduce, not increase, the spectrum of programming possibilities. It simplifies security analysis of complex software by turning to dry and restrictive programming models and by designing a new generation of communication protocols appropriate for multi-agent software analysis.
Containerized programming frameworks shift the emphasis from expressive power to ease of analysis and verification. This comes at a necessary cost. Software designed for holistic security typically comes with new programming languages and specialized processes, introducing a steep learning curve for developers. But to learn these models is time well spent, because it leads to systems achieving an entirely new level of security guarantees.
Here are some examples of containerized software frameworks currently being built.
- Haja Networks, a Finland-based startup is developing a highly advanced and holistically-secure framework based on the Ambients Calculus and Total Functional Programming. It is clever, and fits the profile exactly. It has all the hallmarks of security-enabling software for the next millennium in terms of multi-component analysis and complexity management. (UPD: apparently the latest on Haja is that the team has moved to a different company and is now developing a similar product under a different umbrella.)
- Urbit, a San Francisco-based startup founded in early 2000s by Curtis Yarvin, a controversial computer scientist, who has designed, and his team has implemented, an incredibly clever containerized software stack entirely from scratch. Rather than relying on existing academic work, Yarvin designed his own primitive computation calculus he called Nock, which operates on binary trees. Urbit is a fascinating project with a bright potential to address some insidious security concerns of existing consumer internet software.
- My own project, ADAPT, is being built as a system for rapid development of secure enterprise and mobile data-management components. Its primary goal is to offer companies a possibility of a deep security upgrade, by rewriting small critical components using the new framework. ADAPT will enable secure data containerization across a broad spectrum of environments: secure enclaves, browser add-ons, and IoT software.
If this work is not prioritized, everyone’s safety and wellbeing will become increasingly endangered by both mistakes and malicious cyber-activity on the rise globally.
All three of these projects are offering something radically new and advanced. Much like Docker, whose usefulness only became obvious in retrospect, containerized secure programming systems will seem like a no-brainer in the next ten years. To enable safe use of data at the modern scale, a shift must take place, marked by an increased understanding that we can no longer approach security as a matter isolated to a single software component, or exclude the user from our security reasoning.
This shift has already begun, and it will serve to ensure safety of users and indeed anyone in the world by guaranteeing that systems we use to communicate with one another, to share information, and coordinate critical activity are suitably secure for their purposes. If this work is not prioritized, everyone’s safety and wellbeing will become increasingly endangered by both mistakes and malicious cyber-activity on the rise globally.
This article does not constitute endorsement or investment advise. Special thanks to Katia Rossi for editing help.