How do we secure everything? Fundamentally improving technology security
This paper was published in June 2015. The ideas and recommendations within it are among dozens of suggestions that arose from the Stanford Engineering Future process. Share your thoughts with us at
[email protected].
How do we secure everything?
Today, birthday cards have tiny processors that play songs, citizen scientists fold proteins on their laptops and people obtain routine government records in minutes from their homes. For all the good this digital revolution is producing, it also is bringing new threats and increasingly sophisticated attacks. Large-scale credit card data theft, government and industry disruptions, and automobile and drone hacking are only a few vulnerabilities we face now and going forward. Technology continually reshapes the security landscape. As a result, security concerns increasingly limit what technology is developed and whether we can realize its full potential benefits. Large, strategic strides in security are needed to create a safer, more trustworthy, more efficient and more productive world. Foundational advances in securing digital systems alone will not be enough. Securing the next electricity grid, autonomous vehicles, air traffic control systems, on-demand manufacturing and homes will require a deep understanding of how information and physical and human systems interact. The ongoing growth of information networks drives these changes in the security landscape. Before the Internet, many systems could be secured physically. But in a connected world, anything with software is a potential target that someone across the globe can access directly. Very soon information, computing and connectivity will permeate most things, but we lack a deep enough understanding of how to engineer such systems securely. Many physical systems, once deployed, will remain in place for decades or longer. We must therefore figure out today how to ensure security in the future. Stanford is positioned to fundamentally improve technology security. We have some of the best security researchers in the world, and they have made foundational breakthroughs in cryptography in addition to exposing and fixing numerous vulnerabilities in systems today. These technological efforts are synergistic with public policy and legal and economic efforts. The Stanford Cyber Initiative is the national leader in such cross-disciplinary efforts and is aided by its proximity to Silicon Valley. One tremendously powerful aspect of security research is that it is inherently cross-disciplinary. There are already numerous collaborations within the School of Engineering, as well as collaborations with other schools in areas such as privacy implications in social networks, secure voting and DNA synthesis screening guidelines. In addition to advancing our understanding of secure engineering, Stanford should promote the adoption of accepted techniques. This includes education as well as research. Today, we teach students to write software but not how to write secure software. Courses in security attract hundreds of students, but we can only offer a small number, each once a year. We want to encourage student “makers” who design and prototype new devices that integrate computing with physical objects, and to ensure these devices are secure and safe, with no glaring security vulnerabilities. |2|
RECOMMENDATIONS
How do we secure everything?
Hire additional faculty focused on security. SoE should significantly increase (e.g., double) the number of engineering faculty who work on security, both its foundations and applications. This would not only increase the number of collaborations — it would also create a critical mass of security research that could more easily allow collaboration with Stanford IT Services and Silicon Valley.
Collaborate with other securityrelated efforts at Stanford. SoE should explicitly partner with and support efforts across campus advancing securityrelated scholarship and policy development. For example, Stanford’s Center for International Security and Cooperation (CISAC) is the university’s hub for researchers tackling some of the world’s most pressing security and international-cooperation problems. We could quickly partner with CISAC to create a sustaining venue supporting scholarship on IT and biological security policy.
Educate our students on security. SoE should explicitly partner with and support efforts across campus advancing securityrelated scholarship and policy development. For example, Stanford’s Center for International Security and Cooperation (CISAC) is the university’s hub for researchers tackling some of the world’s most pressing security and international-cooperation problems. We could quickly partner with CISAC to create a sustaining venue supporting scholarship on IT and biological security policy.
|3|
RECOMMENDATIONS
How do we secure everything?
Create a forum for discussing security. The Cyber Initiative has shown how there is simultaneously tremendous pull from applications and problems, and push from technology. Ensuring that users and providers have a long-term forum to come together would create a sound foundation for future advances and impact.
Adopt open-source policy for security mechanisms and tools. We need resources to think about impact and benefit to society at large. Stanford should become the go-to institution for open, free, reference implementations of new security mechanisms and tools.
|4|