The Conundrum of Cyber-Security
So why does the problem of cyber-security keep getting worse? Billions of dollars are poured into addressing it and many dozens of startups have been funded, yet the dire cyber-security situation never seems to improve; it is reminiscent of an escalating arms race with no end in sight.
The public is unfortunately being conditioned to believe that there can be no such thing as true cyber-security, and that we must resign ourselves to a new de facto status quo of “there is no security – get over it...” (to paraphrase Scott McNealy).
The costs of cyber-crime are frequently hidden, “baked into” business models, but the economic drag is massive and rapidly increasing. It is estimated that cybercrime will cost approximately $6T/yr on average through 2021 (FORBES-TRUE-COST-OF-CYBERCRIME). For example, the credit card companies charge high interest rates (in part) to underwrite the cost of making customers whole in the event of fraud.
Of course the problem of “social engineering” will always be with us and requires steadfast education. Not much can be done if someone gives a bad guy their credentials. But what about most everything else that isn’t so directly related to the behavior of the wetware between the ears? Viruses, worms, scripts, rootkits, MIM (Man-In-the-Middle) attacks, spoofing, privilege escalation, peripheral device (such as WiFi) attacks, etc.
Complexity is the enemy of security. All the new security products and approaches have done little more than increase the complexity of our computer systems and networks and enlarge the system “attack surface” exploitable by the bad guys. All of these “layered defenses” have resulted in software bloat, reduced system performance, increased power consumption, and intrusive software and security updates. My wife’s computer was bricked after a recent Windows 10 security update.
You can’t rely on “pattern matching” or Deep Learning based behavior analysis to detect suspicious behavior after the bad guys have already climbed in through the bedroom window. By that time it is too late. All it takes is a blink of an eye for your critical data to be exfiltrated and/or a back door to be installed on your system. And the buzz in the industry about “defense in depth” is mostly nonsense.
In the security world it seems you can’t do anything unless you know everything. To me that is a symptom of a deeper fundamental problem.
Is there a root cause to the current cyber-security conundrum? Something conceptually simple. Well yes there is.
The Faustian Bargain of Similarity, Determinism, and Repeatability: One of the primary reasons computers have been so successful, so widely disseminated, and have become so inexpensive – is that they are all exactly the same. They run the same software, on the same hardware, exactly the same way the world over. On the plus side this has enabled massive scalability, but on the negative side the determinism and the repeatability of our computer and network systems makes them excruciatingly vulnerable to “break once – break everywhere” and “break once – break always” paradigms. They are “brittle” – if a chink in the armor is found anywhere, that exploit can be immediately applied to millions of computers the world over or become part of an exploit kit on the dark web. All it takes is to find a weak link in the chain, a chain which grows ever longer and more complex. This presents an irresistible target for very smart bad guys.
It Only Takes One Weak Link
Side Channel Based Brute Force Attacks: Another crucial, and not widely appreciated, downside to the deterministic and repeatable behavior of our computer and network systems is that it leaves them wide open to side channel based brute force attacks. This new level of brute force attack goes well beyond classic password-guessing or dictionary attacks. Modern brute force attacks exploit very subtle characteristics of system behavior. Bad guys can pound away at systems, literally for days, running tens of billions of instructions to learn what they need to know to launch an exploit in ways that the original system designers either never thought were possible, or just plain never thought of. Usually the information is obtained by observing a “side channel” such as the timing of system behavior, or a change in voltage somewhere. An example of a brute force attack that exploits a side channel can be viewed here: INTEL-ENCLAVE-SIDE-CHANNEL-EXPLOIT. This exploit hacks a bitcoin wallet that uses Intel’s SGX (Enclave) technology, which was thought to provide secure isolation. The authors make the key statement in this talk that “if a program has secret dependent memory accesses – it can be exploited”. Their attack leverages the fact that any running program has side effects in cache behavior and main memory timing behavior (or power consumption, or EMI/RFI signature). I contend that as long as systems are vulnerable to brute force attack to the degree they are now, there will NEVER be true security.
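To make the “secret dependent” point concrete, here is an added example (not code from the post or from the SGX talk it links) contrasting a comparison routine whose work depends on the secret with a constant-time one. The secret and guesses are constructed, and the returned step count stands in for the wall-clock or cache timing an observer would actually measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit comparison: the loop stops at the first mismatch, so the
 * number of steps (and the run time) reveals how many leading bytes of
 * the guess match the secret. Repeatable behavior makes this a side channel. */
static size_t leaky_compare(const uint8_t *secret, const uint8_t *guess,
                            size_t len, int *equal)
{
    size_t steps = 0;
    *equal = 1;
    for (size_t i = 0; i < len; i++) {
        steps++;
        if (secret[i] != guess[i]) { *equal = 0; break; }
    }
    return steps;
}

/* Constant-time comparison: touches every byte, folds differences with OR,
 * and never branches or indexes memory based on secret data. */
static size_t ct_compare(const uint8_t *secret, const uint8_t *guess,
                         size_t len, int *equal)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    *equal = (diff == 0);
    return len;           /* work is independent of the secret */
}

/* Constructed 8-byte secret for the demo (not a real credential). */
static const uint8_t SECRET[8] = { 'H','u','n','t','e','r','2','!' };

size_t demo_leaky_steps(const char *guess) {           /* guess: 8 bytes */
    int eq; return leaky_compare(SECRET, (const uint8_t *)guess, 8, &eq);
}
size_t demo_ct_steps(const char *guess) {
    int eq; return ct_compare(SECRET, (const uint8_t *)guess, 8, &eq);
}
int secret_matches(const char *guess) {                /* hardened check */
    int eq; ct_compare(SECRET, (const uint8_t *)guess, 8, &eq); return eq;
}

int main(void)
{
    printf("leaky:      %zu vs %zu steps\n",
           demo_leaky_steps("Zzzzzzzz"), demo_leaky_steps("Hunzzzzz"));
    printf("const-time: %zu vs %zu steps\n",
           demo_ct_steps("Zzzzzzzz"), demo_ct_steps("Hunzzzzz"));
    return 0;
}
```

The leaky version needs 1 step for a guess sharing no prefix and 4 for one sharing three bytes, while the constant-time version always performs 8; a real attacker would read the same difference from timing or cache state, which is why authentication and key-comparison code must avoid secret-dependent control flow and memory access.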
So is there an approach to mitigate, at a fundamental level, the security weaknesses that are a consequence of deterministic repeatable behavior? Well yes there is.