
We Need a Manhattan Project for Cybersecurity - steven
https://medium.com/backchannel/we-need-a-manhattan-project-for-cyber-security-76e6d8fc6447
======
e12e
The use of the term "Manhattan Project" is a bit unfortunate. If there was
such a program, most would not know about it -- those that did would be
forbidden to talk about it. In other words, if there were a "Manhattan Project
for Cybersecurity" \-- it would look like NSAs Bluffdale facility, and would
have as much publicity and official comment on what it was, who was working
there and on what.

Security is different from offensive capability -- I don't think the best way
to secure infrastructure is through threat of mutual assured destruction -- if
anything, being the worlds prime nuclear power (and conventional weapons
power) -- the USA already have "assured destruction" covered. Sure, a country
wide blackout would be devastating, but so would dropping a few terra-tons
worth of nukes on the offender.

I think what's needed in terms of "cybersecurity" is more openness, better
education and perhaps most important: better and more correct incentives.
There's a huge gap between what is available (secure coding, secure systems,
best practices (or even half-decent practices)) -- and what we see companies,
governments and organizations do. I also think it is absurd to promote the
Sony hack as a threat to national security -- talk about hyperbole. Some
personal data and a little intellectual property was leaked. It pales in
comparison to the allegations of commercial secrets stolen by the NSA on
behalf of US industry, for example.

~~~
danielweber
Everyone wants a "Manhattan Project" for their own pet technology.

The real MP was building technology that they theoretically knew was possible.
Most modern calls for an MP are "just throw a lot of money at this thing,"
which is how it works in games like "Civilization" but doesn't actually in the
real world.

From TFA:

 _A real Manhattan Project for cyber would draw together some of the greatest
minds of our time, from government, academia, the private sector, and civil
society_

. . . who would proceed to bitch at each other endlessly. I firsthand saw what
should have been a nice cordial introductory meeting turn into an hour-long
shitstorm about which person at the table invented the term "firewall" (since
more than one of them had claimed credit).

~~~
mattybrennan
Exactly. The manhattan project was throwing money and brains at a specific
idea, knowing it was theoretically possible and a game-changer if it worked.
What's the Cyber Security equivalent?

~~~
ams6110
I don't think there is one. Cybersecurity requires pefection. The old saying
that to keep systems secure you have to win every battle with your attackers,
but the attackers only need to win one.

I think we're fundamentally doing it wrong. We work to try to make things more
secure, but perfection is not possible for humans. We need to accept that
complex computer systems and networks cannot be secure. And find ways to make
them useful dispite that.

------
ChuckMcM
I think the challenge here is that one definition of success here would be the
prevention of unauthorized access to data by _all_ parties, and that would of
necessity, include the government.

The reason you need to protect data from nation-states is that there are enemy
nation-states trying to get it, and there is no physical barrier between the
data and them, so the only answer is to protect it from _all_ nation-states,
even the one where it is located.

The reason it has to be authorized is because data access is a 'rights' sort
of thing (akin to property) and the processes that we put in place which
insert a due process between data and a government agency need to be just as
strong at the ones between property and a government agency.

For me, that is why the metaphor of a 'Manhattan' project doesn't work for me.
If this effort were the Manhatten project we would be building a nuclear bomb
that the people could use against any government but that the governments
could not control. And well they would never sign up for that because they
have nothing to gain from it.

I would much prefer to call the effort a 'Magna Carta' effort that forces the
monarch in power to submit to the data privacy demands of the subjects.

------
sandworm
We already have one. Look at the NSA's budget. Look at the money being
shoveled into Microsoft/Google/Apple. All the people in position to fix things
are positively flush with cash.

And off in the corner, a few non-paid developers of F/OSS are creating better
security products than all the above combined. Manhattan-style money throwing
is not the answer.

And I take issue with the article's depiction of the Manhattan Project. "Those
working on the Manhattan Project were dead serious about the threat before
them." ... um ya well the vast majority of those working on it had absolutely
no idea of what the project was all about. They all operated within a
disconnected web of secrecy, not the best model for security imho.

The author "has served as a street police officer, senior adviser to Interpol
and futurist-in-residence with the FBI. " He isn't a security professional.
And his twitter feed doesn't give the impression of someone with any deep
understanding beyond headlines and talking points.

------
tyoma
We have one:
[http://www.darpa.mil/cybergrandchallenge/](http://www.darpa.mil/cybergrandchallenge/)

~~~
dguido
I'm happy to be a funded team in that challenge. There's another website with
highlevel info for those casually interested in the challenge. If you want the
hard details, there's a lot of code up on Github.

[http://www.cybergrandchallenge.com/](http://www.cybergrandchallenge.com/)

[https://github.com/CyberGrandChallenge](https://github.com/CyberGrandChallenge)

AMA?

------
jxm262
This might be unrelated. But I'm curious if the new US Digital Service has any
good projects related to cybersecurity? There was a posting a few days ago for
this new initiative
[https://news.ycombinator.com/item?id=8988819](https://news.ycombinator.com/item?id=8988819)

I don't know what you'd formally call this. It's not really an agency and I'm
not sure how it's funded. I'm curious if something like this could spearhead
this kind of project.

------
abecedarius
On the one hand, yes, computer security is a disaster in urgent need of
reform. On the other, "a true national cyber-defense capability, one that
could detect and respond to threats against our national critical
infrastructures in real time" sounds like a proposal to arrogate root access
to all of the 'critical' computers at once, to some one central group. Am I
imagining things?

------
tessierashpool
my healthcare provider (Anthem) was just hacked, so my SS number and other
identifying details are probably being traded on some Russian web site right
now.

Anthem did not encrypt the data which was stolen.

Sony did not show any signs of basic competence in its data security either.

a Manhattan Project is useful if you have a really tight deadline, a very
specific and achievable goal, and the problem you face is one where the
technology you want does not exist yet.

but everybody in technology knows that the technology exists, and the problem
is widespread incompetence and indifference.

the solution for that is not a Manhattan Project. it is class-action lawsuits.

think how fucked up this situation is. everybody in infosec knows that Anthem
and Sony were ridiculous and 100% at fault in their negligence. yet people who
get their info on this from the mainstream media have probably never even
heard that point of view.

so you get utterly uninformed commentators who think that Anthem and Sony must
employ geniuses of the first caliber, and that we need to take the "new" and
"unprecedented" step of classified crypto research.

~~~
ams6110
I don't think the plain text data is the problem. Data has to be in the clear
at some point to be usable. That's the point that will be attacked. And it
will eventually be compromised.

~~~
fl0wenol
The trick here is to have as _few_ places as possible where that data is
operating in the clear as possible, and try to provide as much isolation
across them where feasible or where concerns are naturally separated.

The problem is that few think like this, except in a few special industries
where they live and die by not getting this wrong.

Ease of use and whatever gets things working fastest is generally the name of
the game (and I don't blame businesses for this attitude, the market punishes
anyone who is too careful or slow-moving in almost every industry)

------
SwellJoe
Security is not one project. It is _every project_ that faces the world. A
"Manhattan Project" isn't a useful analogy or approach to the security
problem.

The problems we have are:

1\. High capability attackers (states, corporations) have a high motivation to
compromise privacy and security and low motivation to improve privacy and
security for users.

2\. The tools relied on by users for security and privacy are often built by
people with very limited resources (GnuPG, OpenSSL, nearly every other Open
Source thing in the world).

Fixing security online requires audits and maintenance across a huge spectrum
of projects, and historically there has been very little funding for such
things. It's almost dumb luck that we have tools that are as good as they are,
and we shouldn't be surprised by bugs like Heartbleed and Ghost and others.
They're what happens when there is very little profit in maintaining core
infrastructure.

------
siliconc0w
We just need the government to contribute more to FOSS projects. They are
clear public goods with huge economic impact but the funding sucks. That is
what happens to private public goods - no one wants to pay for them but
everyone uses them. That is why we have taxes.

------
vezzy-fnord
It seems to me like the bulk of "security research" these days is
vulnerability discovery. This is certainly important. However, more profound
solutions like capability-based operating systems (e.g. CoyotOS), and in
general forward-thinking projects that aim to provide comprehensive
foundations for secure systems seem to be left behind and neglected in favor
of continuing the present rat race of applying band-aids and bug hunting our
existing cruft.

Unfortunately, a "Manhattan Project" for cybersecurity wouldn't really work
because the problem is a highly multi-tiered one without a clear end goal,
with a lot of individual bits and pieces that are visible and have potential
to be refined or started anew.

------
bo1024
I think the analogy completely falls down. The Manhattan project was about a
technical breakthrough, a big step forward that hadn't happened before.

Where is the analogue in crypto and security? There is no unsolved holy grail.
Frankly, we have all the technical tools we need to make the web an extremely
secure place.

What we are lacking instead is general investment in FOSS tools, regulations
that hold a company responsible for leaking user data and encourage corporate
prioritization of security, and national education about security risks and
basic Internet dos and donts (phishing etc).

------
Kalium
All of this is doable. And none of this will happen. At least, none of this
will happen until consumers and buyers start caring more about security than
about the newest and shiniest feature.

~~~
Terr_
There's also a supplier-angle: They'll care more if they must disclose/be-
liable-for major leaks or flaws on their product.

~~~
Kalium
Now _that_ would change everything.

And probably do a lot of damage to Silicon Valley. It would make startups much
less risk-friendly.

~~~
Terr_
Obviously it's possible to go overboard, but it's a bit like pollution or
other externalities.

"Sure, the new EPA dumping regulations would harm "small petrochemical
startups", but if the river really _is_ getting undrinkable..."

~~~
Kalium
If history is any guide, we'll have to wait for the metaphorical river to
catch fire before anything is done.

------
norswap
The idea that there is a magical technological improvement that will solve all
(or "most", or even just "more than two") is about as plausible as the
heralded arrival of the singularity.

The solution is to harden a bunch of stuff. Clearly, the ideal solution is to
just remake it with security in mind, but that still leaves a ton of ground to
cover.

------
higherpurpose
> This Manhattan Project would help generate the associated tools we need to
> protect ourselves, including more robust, secure, and privacy-enhanced
> operating systems.

That's a nice thought, and I agree with it. Too bad the current and likely
future administration as well as all the "cybersecurity" guys in the
government right now support the _exact opposite of that_ \- because
"terrorists". Just 2 weeks from now Obama is likely to announce policy to
introduce backdoors in tech products. Yay "cybersecurity"!

------
zAy0LfpBZLC8mAC
No, we don't, not only because "cyber" is bullshit anyhow, but in particular
because security is not a product. Security is a property of systems that has
to be built in, and security usually is lacking because people don't care,
that cannot be fixed with a magic security device.

It's about as sensible as suggesting a Manhattan Project for Mindliteracy--but
I would suggest that teaching people to read and calling it just that might be
more effective than trying to build a mindliteracy bomb against
mindilliteracy.

------
paulsutter
Back when the U.S. Was accusing China of widespread corporate espionage, I
wondered why the U.S. didn't have a major effort to harden common OSs.

Then Snowden came out, and we learned the U.S. government is doing the
opposite, trying to keep all systems readily exploitable.

Surely the defense and intelligence departments already have hardened versions
of OSs. As taxpayers, we actually own that software. We should all have
access. Where's the EFF on this one?

~~~
bediger4000
The DoD has at least researched hardened OSes in the past: I attended a
seminar in 1990 or 1991 where they talked about "hardened Solaris" or maybe
hardened SunOS. One of the talks was about how Sun had to rewrite the
windowing system to avoid information moving up or down a level
inappropriately.

Also, if you read Fred Cohen's 1984 paper, "Computer Viruses - Theory and
Experiments", in section 5 "Experiments with computer viruses"
([http://all.net/books/virus/part5.html](http://all.net/books/virus/part5.html)),
Cohen mentions a "Bell-LaPadula based system implemented on a Univac 1108." No
real details are given, but the sentence " The virus demonstrated the ability
to cross user boundaries and move from a given security level to a higher
security level" appears in the write up. I have to conclude Cohen is talking
about some proprietary system.

There's also the famed Multics, known to have been used by the NSA on into the
1990s ([http://www.multicians.org/site-
dockmaster.html](http://www.multicians.org/site-dockmaster.html)). The only
certified multi-level-secure OS or some such. It did run on some odd hardware,
though.

I conclude that the NSA at least has some weird, "hardened" or otherwise
unusual operating systems. They're not widely used, it seems.

~~~
walterbell
Secure system design history:
[https://www.schneier.com/blog/archives/2014/11/friday_squid_...](https://www.schneier.com/blog/archives/2014/11/friday_squid_bl_451.html#c6683396)

------
Animats
The last government guy who said that was Amit Yoran, Homeland Security's
first head of cybersecurity. He made statements some people didn't like,
including stating that Microsoft Windows was the biggest problem around. His
replacement was a lobbyist for Cisco who could be relied on not to rock the
boat.

Technically, this is quite do-able. I think we'll see it on the server side in
a few years.

------
notreal
What credentials this guy has for anyone to listen to him on topics of cyber
security? Did he build some impressive secure software or protected some large
networks? Looking at his bio or his twitter feed, I don't get the impression
that he is an expert in this topic.

------
miguelrochefort
1\. Relying on any form of secret is unsustainable. Credit Card, Social
Security, Password, PIN, Secret Key. Information wants to be free, and it
will. Secrets must be kept secret at ALL time. With the coming death of
privacy, keeping a secret will be ridiculously complicated and expensive.
Secrets make a system fragile.

2\. We need fewer systems. Having each bank, each hospital, each government,
each shop, each school, each business build their own custom systems and
application by default is a huge mistake. Custom shouldn't be the default, it
should be last resort. The existence of these custom systems is the very cause
of all the inefficiencies, fragmentation, bugs, increasing demand for
programmers, etc. That's some Tower of Babel shit all over again.

3\. We need a common language. A language that makes sense to use in the 21st
century. A language that help us think, a language that's computer assisted.
Text? What a goddamn joke.

4\. We don't know yet what an identity is. Am I one person? Can I play the
role of two people? Can two people act as one person? Can a robot or an API
have their own identity? In a future that's going be a lot like a distributed
semantic marketplace, what we need is not security. What we need is
accountability. Identity and fraud is what must be solved.

5\. You tinfoil hat people should really take a step back and consider your
paranoia. Privacy is not a good thing. At best, it's a necessary evil
(temporarily). Browsing behind 7 proxies, encrypting the air your breath,
praying Lord Snowden, demonizing the government you keep wanting to get bigger
(you know, welfare and free stuff). Guess what, you're missing the entire
point. If anything, your focus on these insignificant symptoms give the
disease the opportunity to grow. You're the reason you might be right at the
end. You're self-fulfilling prophets.

Sheeps be disagreeing.

~~~
zAy0LfpBZLC8mAC
"Relying on any form of secret is unsustainable. [...] Identity and fraud is
what must be solved."

Would you mind explaining your concept of identity? I have a hard time
grasping what an "identity" would look like when it can be used by everyone as
they wish by virtue of not relying on any secrets.

------
yourad_io
> Last month President Obama acknowledged “no foreign nation, no hacker* ,
> should be able to shut down our networks, steal our trade secrets or invade
> the privacy of American families.”

* Present company excluded.

------
dicroce
I'd rather we had a clean energy Manhattan project...

