There are severe and unsolved problems in our industry that justify a sustained effort and substantial investment. It's worth picking one.

Adam Shostack, Leading expert in threat modeling

February 19, 2019

4 Min Read
Apollo 11 splashdown. Courtesy NASA.

There's been a lot of talk lately of a cybersecurity moon shot. Unfortunately, the model seems to be the war on cancer, not the Apollo program. Both are worthwhile, but they are meaningfully different.

Allow me to start with a line from a speech by President Kennedy on May 25, 1961. Odds are you've heard these words:

… This nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the Earth. No single space project in this period will be more impressive to mankind, or more important for the long-range exploration of space; and none will be so difficult or expensive to accomplish.

That's what a moon shot is: a clear, measurable milestone with reasons for doing it and challenges to overcome. And so the image to recall is not the iconic first footstep, but this:

Unlike JFK's moonshot, explained Grant Schneider, federal CISO, at the recent 9th Annual Billington Cybersecurity Summit, "there isn’t going to be an instant where we say we've achieved success in cybersecurity. We're not blasting anyone into cyberspace." Instead, Jeannette Manfra, assistant secretary for cybersecurity and communications at the Department of Homeland Security, put forth a different vision:

Within 10 years, I'd like to see a true fundamental shift in how the Internet is operated in. I'd like to be in a place where we have move passed the "whack-a-mole" approach to cybersecurity incidents.

This is not the way to put a woman on the moon and return her safely to earth. But getting away from whack-a-mole is certainly a worthwhile goal for cybersecurity.

Defining a Moon-Shot Goal for Cybersecurity
The Apollo missions did not do everything that space exploration enthusiasts wanted. We did not establish a permanent presence outside the atmosphere, even if you count the International Space Station. (It makes no claim to being self-sustaining.) It's been 46 years since a person went to the moon. No one has been to Mars. Of the many goals expressed by the engineers and visionaries, we executed on one. 

On the other hand, we can and should define moon-shot goals for cybersecurity. My goal is to define game-changers, with objectives that are imaginable and with the criteria:

  • No single project will be more impressive or impactful.

  • No single project will be more important for our long-term ability to operate a resilient cyberspace.

  • The result thus justifies the effort and expense.

Some possibilities:

  • Payloads attached to email will not result in an attacker's code running on a computer, or the compromise of credentials needed to log in to it. (That is, phishing, either with a URL, an executable attachment, or an exploit-bearing attachment, will fail. We have many of the parts, such as execution whitelists, anti-execution mitigations, password managers, and MFA, but we rarely deploy them all in an integrated, usable package.)

  • Red teams given execution access to a standard desktop cannot move laterally without setting off alarms that are not lost because the SOC is a sea of tranquility.

  • Investigators digging into a compromise six months after it's started can enumerate 90% of the actions taken by a red team.

These goals do not solve every problem in security any more than the moon shot solved every problem on earth, or even within the exploration of space.

My success criteria could be usefully refined, but such refinement distracts from the importance of setting and reaching for a moon-shot-style goal. The goal need not be that every computer has these properties, but it would be useful to achieve them with the most-deployed desktop configuration in the federal government. We need criteria about usability. We need to stop complaining about people, and give people technologies that allow them to safely do their jobs. We need to ensure that if a red team is part of the criteria, the goal is not made meaningless by rules placed on their work.

Focusing our attention on a moon shot can be a powerful technique. There are severe and unsolved problems in our field that may be solvable with the right attention. It is worth picking one.

What other goals are worthy of the name "moon shot"?  Share your thoughts in the comments.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

About the Author(s)

Adam Shostack

Leading expert in threat modeling

Adam Shostack is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. His personal home page can be found here

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights