From time to time, you read an article and come across a phrase or a sentence or two that strikes you as very apropos of information security, even though the phrase or sentences are describing a completely different situation. So it was when I read Michael Kaplan’s article “Sharkbot: The machine that taught itself to be all but invincible at poker,” which appeared in the September 8, 2013 issue of The New York Times Magazine.
The particular section that caught my attention was a quotation by Fredrik Dahl, who was an engineer at the Norwegian Defense Research Establishment working on artificial intelligence and who developed a neural net program that plays poker. His statement is as follows:
“Ordinarily, you figure out weaknesses in your opponent and find ways to exploit those weaknesses … But because our program needs to be stable, it can’t do that. So instead it does everything it can to prevent itself from being exploited. The theory behind it is almost paranoid.”
While the analogy is not exact, what this suggests to me is that we in InfoSec often try to determine how the bad guys might attack our systems and then defend against those specific attacks, whereas what we should be doing is strengthening the systems themselves so that they cannot be successfully attacked by any means. The argument might appear somewhat obscure, since much of what is done in InfoSec has to do with preventing attacks from succeeding by putting up barriers and diversions. However, defending against particular attacks is very different from hardening software systems so that they are able to resist attacks in general. The former approach comprises hard and brittle exteriors and soft and vulnerable interiors (memories of the Gary Larson cartoon in which a couple of polar bears are chomping on igloos, with one commenting to the other, “Oh hey! I love these things! Crunchy on the outside and a chewy center”), whereas the latter is resistant to attack throughout (here another Gary Larson cartoon comes to mind, namely the one where a chicken is serving a steaming bowl of soup to another chicken lying sick in bed, and the server says to the sick one, “Quit complaining and eat it. Number one, chicken soup is good for the flu, and number two, it’s nobody we know”).
In reality, you need a combination of approaches—protective outer layers and defensive inner strength. Note that this is not the same as defense in depth, which layers barriers one behind another. As in the Sharkbot case quoted above, it is virtually impossible to know and anticipate all the weaknesses and ways in which systems can be attacked, so one has to take an approach in which unexpected attacks can still be thwarted. While there may be other approaches, the most obvious method is to immunize systems against the attacks that get through the protective layers. Such hardening can be effective even when one is confronted with new and evolving forms of attack. We need to ensure that software systems can prevent themselves from being exploited rather than dwell on the particular weaknesses that attackers might exploit. Maybe it is paranoid … but it has been shown to be very effective with machines playing poker, so why not with cyber security?