Douglas Merrill said “All of us are smarter than any of us.” This motto of crowdsourcing – looking to the information that can arise from the combined observation by and intelligence of many – is also the prescription for a more secure cyber future. Crowdsourcing security among machines – rather than people – is our best path forward.
Attackers have the advantage online for many reasons, including the ability to leverage a simple error into a significant compromise, to scale attacks more readily than defenses can scale, and to attack at a distance. While the maxim that defenders have to be right all the time, while attackers only have to be right once, is not literally true, it conveys the dilemma of defenders. The connectivity of our devices and agents is inexorably increasing, creating more targets for attack. The complexity of the software we use and the network we must defend is also increasing, making an attack on the individual target or the network easier. And the criticality of our connected systems to our lives is also growing and will continue to grow. Together, this means that we live in a world of steadily increasing risk.
In this environment, the good guys and gals have one significant but counter-intuitive advantage: the size of the network being defended. The soaring prevalence of smart devices is a risk only until it is not, until we combine the abilities of these devices to observe, to induce, and to act to defend the network itself. The cyber ecosystem is the greatest sensor network imaginable, and the data generated by its sensors can drive collective intelligence and collective action to stem threats and isolate infections. The ability of the network components to defend the network may make the future of cybersecurity on the Internet look very much like Wikipedia – one of the best known examples of crowdsourcing – with some obvious failures, but if of importance, generally quickly corrected.
Crowdsourcing can work very effectively, bringing the capabilities of machines and people together. In one case, “[g]amers…solved the structure of a retrovirus enzyme whose configuration had stumped scientists for more than a decade. The gamers achieved their discovery by playing Foldit, an online game that allows players to collaborate and compete[.]” http://www.washington.edu/news/2011/09/19/gamers-succeed-where-scientists-fail/. People should focus on what people do best and the same for machines.
What is necessary to enable the crowdsourcing of defense among network components? A few years ago, while I was at the Department of Homeland Security, it published a paper entitled “Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action.” This paper posits three requirements:
- Automation so the network can act at Internet speed;
- Interoperability so the barriers to effective collective (network or “crowd”) action are those we impose by policy, as opposed to those imposed on us by technology or process; and
- Authentication to enhance the decision-making and action of the network against attacks.
It has been five years since the paper was published, and I still think these are the key elements of a more secure Internet future. Until we enable the network to defend itself, using its own wisdom of crowds (of agents), offense wins. People should do what people do best, adjust how the network defends itself, and take action when necessary based on intuition, rather than responding to alerts. So when you think about future Internet security problems, think about Stephen Colbert and Wikipedia.