Yesterday at an event on Capitol Hill, I had the opportunity to formally release a paper I co-wrote with my colleague Braden Cox called “Hardening the Security Stack.” Joining me on the panel were VeriSign Chief Technology Officer Ken Silva, and Michael Kaiser, the Executive Director of the National Cyber Security Alliance (NCSA), which co-hosted the event.
The “stack” is a common sense concept, but one that seems to get lost in the rhetoric about Internet security. The idea is that there is no monolithic thing called “Internet security,” nor any monolithic entity that can single-handedly provide it. Internet security relies an interdependent network of tools, technologies and behaviors; and succeeds or fails based on the efforts of a wide range of stakeholders, from infrastructure providers at the core of the Internet, to end users at the edge.
Those stakeholders make up the security “stack.”
It sounds simple enough, but when policymakers and members of the high-tech community get it in their heads that one tool — or one stakeholder group — has the silver bullet to solve all of our Internet security woes, it can lead to some unfortunate outcomes.
The latest example of this has been the recent furor over DNS Security Extensions or “DNSSEC.” A worthwhile technology that has been in development for more than a decade, DNSSEC plays an important role in the security stack, helping to prevent the “cache poisoning” that is central to a certain type of Internet exploit.
As we discuss in the paper, DNSSEC is valuable, but is hardly the one-stop-solution to Internet security that its been billed as in some circles. DNSSEC may stop “cache poisoning” but it doesn’t do a thing to stop users from turning over information to a fraudulent site that happens to be properly resolved in the DNS.
Which is where the stack comes in. Real cybersecurity demands effort from all layers of the security stack. Even as companies like VeriSign move forward with developing DNSSEC, infrastructure and applications providers need to do their part to safeguard their infrastructure, and individual users must do more to protect the aspects of the network under their control.
For those of you who weren’t able to make it, we hope to have a transcript of the event available soon. Ken Silva gave a fascinating and sobering assessment of the attacks pounding the Internet infrastructure every minute of every day. Michael Kaiser added invaluable perspective about the challenges of educating ordinary Internet users about the complicated threats they face in a simple, accessible way.
As more and more allies come to understand the stack, and their critical role in it, hopefully we’ll develop a more comprehensive approach to cybersecurity.