May 22, 2008
The Internet Immune System
Metaphors can be useful constructs. When employed properly, they can help us understand something that is complex and confounding by comparing it to something analogous and familiar. In the Taipei deep dive on Security and Society, we tapped into the immune system metaphor, diligently comparing Internet security to the security systems that govern the human body. And the exercise helped us identify some undeniable weaknesses in the world of digital security.
We spent most of our time in Taipei talking about digital security (though we did touch on the intersection of digital and physical security…more on that later). And the immune system analogy is certainly not a new one. After all, we call malicious code “viruses.” Computers get “infected” and need to be “quarantined.” So when participants began comparing network security to the SARS outbreak that hit this area hard 5 years ago, it wasn’t all that surprising.
But what was surprising was how the conversation illuminated some of the gaps in today’s digital security, and how we might take a lesson from the marvelous human immune system. For example, our immune system is not overly concerned with preventing viruses from entering the body. It is concerned, however, with controlling, containing, and assimilating the virus as quickly as possible once it is discovered. One participant called it “an ecological view of security, rather than an absolute view.” By that he meant, we should be focused on maintaining the overall health of the body, keeping the immune system strong, rather than tilting at windmills by trying to prevent any and all attacks.
The “body” in this case could be seen as an individual computer system, or the entire network. And the concept is that by allowing a steady series of small attacks on different parts of the system, we gradually strengthen the overall network. It’s not unlike biological evolution, and you could argue that we are in the midst of an accelerated version of digital Darwinian as we speak.
Another area in which the immune system analogy worked was that of detection and response. When the human body is infected, there are a series of universally recognized signs: fever, cough, sneezing, fatigue, nausea. These symptoms alert us that our immune system has been engaged, and we know to get extra rest, avoid other humans, or go to a doctor. But in the Internet world, victims rarely even know they’ve been victimized. Data gets stolen, PCs are compromised, and credit card numbers are bought and sold, but most people are lucky if they ever find out, let alone with an early warning. The symptoms are subtle, and sometimes undetectable.
If you are one of the lucky ones (and I say that with tongue firmly in cheek), and you are somehow made aware you’ve been victimized online, then what? The human body kicks an elaborate defense system into gear. A virus is reported to the authorities (the immune system) and then immediately acted upon. But where is the analog in the digital world? If you bring your PC to the police station, and file a report that says “someone has accessed my system illegally,” they would probably laugh you out of the station. But why? Who are the authorities on digital crime? And why shouldn’t there be an enforcement body that is as powerful as cops walking the neighborhood beat?
“We really need to work on systems that can alert someone when they have been victimized,” said Rama Subramaniam of Valiant Technologies, a digital forensics company based in Chennai. “The police also need to take on a role so that these crimes can be properly investigated and prosecuted.” This sentiment mirrored the thoughts of Tokyo’s participants; that legislation around digital crime is severely lacking.
It also shed light on the fact that the worlds of digital and physical security are not all that different, but for some reason remain separate. Crimes that take place online have very real consequences in the physical world. Which begs the question of why the same law enforcement agencies that police the physical world should not also be policing the digital world?
We ran this immune system metaphor into the ground before it was all over, but that’s not to say that it wasn’t useful. For instance, one participant noted that right now we have a hodgepodge of security systems for the various constituents on the network. Each has wildly varying levels of quality and effectiveness (not to mention cost.) But there is no international immune system, a security system that is looking after the overall health of the system. And that could cost us all dearly some day.
TrackBack URL for this entry:
Listed below are links to weblogs that reference The Internet Immune System:
Dan Geer has applied the concept of biological ecosystems to security and has some very insightful things to say on the theme. (http://geer.tinho.net/geer.sourceboston.txt)
As I mentioned during the Taipei GIO meet, the new cyber police needs to be put together as a virtual organisation, by drawing from the traditional federal police organisations, CERTs, ISPs and Telcos, Web Service Providers and Financial Services Institutions. New linkages have to be set up and made effective quickly.
Posted by: Nandkumar Saravade | May 31, 2008 9:17:14 PM
Issues surrounding cyberspace are fertile ground for analogies of all kinds. My personal favorites are from anthropology and the history of civilization.
There are already structures in place that can be utilized to create secure subsets of cyberspace, with little more than a restructuring of ICANN. My personal feeling is that the mentality of the monolithic cyber-arena, in which restrictions in one area imply restrictions all around is artificial, and hampering security efforts.
Maybe we should be looking more closely at analogies to the fortified town, or walled city, and attempting to create subspaces where activity essential to the daily functioning of society is secured, and individuals are protected from predators. Much of the problem in establishing security structures may be conceptual, and philosophical - Related to the dramatic development of the internet in ways that could not be anticipated. There isn't one internet, or two, but as many internets as there are nodes on the system.
Posted by: Tim R. | Jun 5, 2008 9:46:24 AM
-Nandkumar-, please forgive the spelling error.
Posted by: Tim R. | Jun 5, 2008 9:48:29 AM
The comments to this entry are closed.