Friday, January 5, 2018

Cybersecurity's Biggest Mistake - The Daystrom Syndrome

I've been very fortunate to be part of the design team of the Virginia Cyber Range (www.virginiacyberrange.org). The range is designed to a) be a course repository (full course material,  individual course modules, individual lab exercises) for NSA CAE schools in VA and K-12 school in VA and b) provide an environment to run these classes and exercises from any location in the world. I'll have more on that in a later blog. One of the unexpected surprises in the project is the enthusiastic adoption of the Range by the K-12 schools. K-12 teachers were caught in the middle of a number of competing worlds:
  • Federal and state political pressure on school systems to include cybersecurity concepts in K-12 classes
  • School system pressure on K-12 schools to do the same
  • Local (principal) pressure on local faculty to develop these courses
  • Teachers are unable to create these environments because of school system and local IT resistance to build the environment needed to teach these classes.
That last bullet item turned out to be the major stumbling block in implementing these education programs. Why? As you probably know, local school systems have tightly regulated, locked down and restricted access to the internet from their school networks. Some of the reasons have to do with parental concern on questionable material/people on the net getting access to K-12 students; general concerns of the school IT staff to protect systems and data from unauthorized access. I suspect the real reason is a lack of funding to increase IT staff sizes  and provide training to said staff. When you're 1 admin for 1000 machines, you're not going to allow special cases simply because you don't have the cycles to provide the required support.

I came from the sysadmin world and remember the "prime directive" of sysadmins: "Keep the systems running at all costs". This directive, while noble, has caused more security headaches over the past 25 years. Simple things like patching OS, applications and hardware for security issues run into the sysadmin prime directive which resulted in security vulnerabilities not being corrected in a timely manner.

This reminds me of the "Ultimate Computer" episode of Star Trek (TOS). The Enterprise was fitted with the new M5 computer which automated the ship's handling, offensive and defensive capabilities. When things went south quickly because the M5 started behaving in a dangerous manner, Dr. Daystrom was blind to what the machines was doing because of his loyalty to a particular train of thought ("You don't shut a child off when it makes a mistake. M-5 is growing, learning."
"Learning to kill." "To defend itself. It's quite a different thing.")

 Sysadmins were infected with the "Daystrom syndrome" where we became so involved (enamored?) with our technology that we lost sight of the real goal of our technology: to allow people to use the technology in a meaningful way to themselves and to business.  Some examples of this Daystrom Syndrome variant include:
  • making systems harder to use for the sake of "security" of the system
  • restricting how users can access information that is "questionable" to the IT person but not the user. We're not talking about porn here. We're talking about using the Internet as a research tool to get software, algorithms, etc. that make our business more efficient and how this behavior is restricted by IT because of security issues.
  • not patching systems because that would required them being unavailable for a period of time. This downtime violates the 24x7 availability rule that is one of the governing things that sets sysadmin behavior.
  • Anything that causes the user to say "IT won't let me do this"
  • Anything that causes sysadmins to say " users will wreck our security, availability, stability".
Sysadmins and their upper mgt have forgotten the prime reason why IT exists in business is to allow the business to make more money (grow the business) by making business processes more efficient.

Let me come back to the Range and K-12 scenario. The conundrum is the K-12 teachers need to build machines that can connect to the net and be able to be configured, modified by teachers and students. Let's also face the fact that most school IT suffers from low budgets and the IT machine/staff ratio is frighteningly high. These factors combined with the Daystrom syndrome means the K-12 teachers are told they can't use the school systems or net to build these cybersecurity classes. The Range provides an environment that allows teachers to actually create a space for their classes without IT interference. The school IT just have to allow web access to the Range. Unfortunately, this sometimes is easier said than done.

This brings me back to my premise - IT has created a worse security problem than the one they were trying to solve by imposing unnecessary restrictions on user behavior thereby preventing them from doing their jobs which encourages them to bypass these restrictions.

It's time for us to rethink the model.