Friday, August 17, 2018

Security Notes: Security Newton, Cyber Oppenheimer

Gideon Samid • Gideon@BitMint.com

In a presentation for Congressional leaders in the office of Sen. Richard Durbin, D-Ill., I flashed a slide entitled “This Requires Action.” This was the historic phrase uttered by President Franklin Roosevelt to Gen. Edwin M. Watson, his military adviser, while passing on to Watson Einstein’s famous 1939 letter in which the great physicist alerted Washington to the emergence of a new and unprecedented technology (atomic energy).

“Certain aspects of the situation which has arisen, seem to call for watchfulness, and, if necessary, quick action on the part of the Administration,” said Einstein’s letter. “I believe therefore that it is my duty to bring to your attention the following facts and recommendations.”

Word for word, this applies today in the payments industry. An emerging and unprecedented technology is upon us. A tsunami code-named “digital currency” is rushing to our shores, and where are we?

We are busy plugging the holes hackers punctured in Target’s state-of-the-art (not state-of-the-science) financial system. We are overloaded with patching up software products that look like a block of Swiss cheese. We rush to program a few dozen “checks and tests” to ensure that data filed in an e-commerce form are not malware—only those “checks” look for yesterday’s signatures while the bad guys come at us with tomorrow’s inventions. In short, we are so busy with tactics that nobody seems to notice that—hello!—this most critical of sciences, computer-security science, is no science at all. In fact, we have no computer-security science. We have no first principles to guide us.

And, as we speak, the bad guys are perfecting their version of a digital currency. No, not Bitcoin, that’s for gamers, but non-speculative, durable, reliable stealth currency that flows undetected through cyberspace, incurs no taxes, leaves no fingerprints, and challenges the very fiber of our civil order.

 

We are not ready for this in the least. Our cyber-nemesis has managed to keep us bogged down with the tactics of the situation. That’s where they are strong and we are weak. We have to move the ball to strategy, to science.

Bridges kept falling until Newton framed his famous three laws and gave us the tools to build non-falling bridges, high-rise buildings, fast cars, and high-flying rockets. Maxwell did the same with his four equations for everything electric and electromagnetic. Can you imagine that we would repeatedly rebuild fallen bridges, and patch them with a few more trusses? But that is what we do with security, absent a “Security Newton.”

It is not enough to lament the asymmetric war, or to complain about our enemies using obscure crypto while we use the same old crypto devices that serve as sitting ducks for our opposite numbers across the moral fence.

Having been recruited after the Heartland breach in 2009, I was unable to persuade my cohorts to take a bird’s-eye view of the problem. It is not enough to fortify the SQL code. We need to reach into the fundamentals of computer science. Early on, computer designers made a fateful decision to share memory between data and code. This very decision, now entrenched practice, allows for malware to be sneaked in as lame data, then to be invoked as harmful code.

Nothing in our design should be taken for granted. We need a far-reaching framework, steely resolve, steadfast commitment, and well-grounded leadership.

In short, we desperately need a “Cyber Oppenheimer,” after the famed “father” of America’s first atomic bombs, Robert Oppenheimer. No, we don’t need to uproot thousands of computer scientists and move them to a remote location in New Mexico. But we need to cyber-co-locate a team of dedicated primaries who can elevate the battle with the bad guys to the strategy plane, where the war will be asymmetric in our favor.

When? Yesterday. All those shady characters whom we at BitMint rejected are likely building their version of a robust, durable, non-speculative currency, and if we are shocked about Target, well, we ain’t seen nothing yet. All the bad money will soon flow around in complete stealth, wielding unprecedented power.

Like atomic energy, digital currency is both a threat and a promise. If we act now, this new technology will flush out the evildoers and reconstitute life in cyberspace on a solid, progressive footing. Let the search for “Security Newton” and “Cyber Oppenheimer” be announced forthwith!

 

 

 
