Is the network defendable?
This serious question is often conveniently left unasked because the answer is uncomfortable.
On June 3, 1983, the day before I graduated from high school, MGM released the movie “War Games”. For those who never saw the movie, the plot is essentially this: a teenage hacker accidentally activates an AI computer tasked with determining the best way to win a nuclear war and, if need be, autonomously waging it. The story ends with the computer learning that atomic war is unwinnable and that chess is a more rewarding game; the world is saved, and of course, like most movies, the boy wins the girl’s heart.
That same weekend President Reagan watched the movie. The next week he asked the Chairman of the Joint Chiefs of Staff about what we would now call cybersecurity, resulting in the standard military answer, “Sir, I don’t know, but I will find out”. To make a long story short, back then the answer was not good. And today any honest answer to the same question is still not good, perhaps worse.
That was over 40 years ago, and the entire computing industry has been wrestling with cybersecurity since then, with realistically zero lasting success. This takes us to the original question – “Is the network defendable?”
For 40 years the industry answer has been an optimistic “yes” (including me). Based on the amount of time, money, and people’s entire careers, there has to have been a basic belief that the answer was out there, discoverable if only enough effort was expended.
But maybe we were wrong. Maybe the answer is in fact no, it is NOT defendable. Maybe the tenets of modern computing, network and encryption technologies rest on one or more incorrect underlying assumptions that make overall cybersecurity success impossible as long as we hold to them.
A famous Vince Lombardi moment was when he walked into a room of professional football players, holding a ball, and instructed them with the seemingly obvious “Gentlemen, this is a football”. It was a call to the best of the best to go back to the basics, tear down their assumptions and look at the problem with a fresh set of eyes.
The DoD’s zero-trust strategy lays out seven capability pillars with eight “executive enablers”, extrapolated to 45 associated “zero-trust capabilities”, which further explode out to 152 “zero-trust activities”. A strong case could be made that not one of those 152 activities represents a true shift in how that activity is performed today; each is instead a call for better implementation of current activities. Read in an unintended way, the strategy could be taken to say: “It would take concurrently implementing these 152 ‘evolutionary’ activities to achieve the requisite cybersecurity level – and then cybersecurity will have been achieved.”
Zero-trust is a laudable concept. The basic idea of limiting trust between computers and users is irrefutable, as are the interactions between a policy enforcement point (PEP) and a policy decision point (PDP) as described in NIST SP 800-207. The problem, though, is that in most respects zero-trust has turned into a repackaged push to implement what the military refers to as “network hygiene”. Improving network hygiene is essentially a call to properly implement the current technologies, on the assumption that if only the operators and admins would do their jobs better, “things” would fall into place.
Instead, we need to take up Vince Lombardi’s call: in the face of new demands for even more complexity on top of an already too complex technological landscape, go back to the basics. Perhaps the call of the 2020s should instead be “Ladies and gentlemen, this is a byte”, or “this is a file”, “this is an encryption key”, or even “this is an integer” or “this is a string”.
The bottom line: endless layers of increased complexity have not solved cybersecurity. Maybe we need to start looking at the problem through a different lens, or multiple lenses, because the paradigms, standards (OSI, TCP/IP, encryption, etc.) and assumptions we have been using since 1983 haven’t worked, and perhaps they are simply fated never to work.