The Unwired Society: Flexible and Robust but Dangerously Vulnerable Jan A Audestad Senior adviser, Telenor Corporate Management Professor, Norwegian University.

The Unwired Society: Flexible and Robust but Dangerously

Vulnerable

Jan A Audestad

•Senior adviser, Telenor Corporate Management•Professor, Norwegian University of Science and Technology•Professor, Gjøvik University college

2

The grand picture 1:Size of computer infrastructure

• 1 billion personal computers• Between 1000 and 10 000 billion CPUs• Most of them are autonomous

– Sensors, accessories, terminals, smart cards, factories, utilities, vehicles, aircraft, infrastructure, RFIDs …

• They are ubiquitous– Industrial and societal management, work processes,

logistics, transport, banking and finance, production and dissemination of information, entertainment …

• They are interconnected – directly or indirectly• They are getting more and more mobile

3

The grand picture 2:The disruptive history of ICT

1995 2005

Simplicity Transition Complexity

1995 2005 1995 2005

100%

Dependence on ICTInterconnectivity of CPUs

# of CPUsComputational power

factor ofincrease

1

1000 000

1000

4

Texas Instruments: http://www.ti.com/rfid/docs/images.shtml

Reality – not fiction

5

The grand picture 3:Network upon network upon network

Software

CPUs

Internet500 000?

10 000 billion?

1000 000 billion?Not just one network but many (web, email, banking…)

6

Characteristics

Vertical independence• Independent growth and evolution• Independent dynamics• Stochastically independent• Independent complexity

Two things in common:• Scale-freeness (or thick-tailedness)• Small-worldness: short distance between pages on the

web (about 20 mouse-clicks), few routers in any connection between CPUs

Software

CPUs

Internet

7

Scale-free graphs• Discovered by Albert and Barabási in 1999• First comprehensive theories 2000-02• Natural growth algorithms

– E.g., add one new node and connect it to a previous node with probability proportional to the degrees of that node

Degree g # of links ( 5)

• Nature: metabolism, food web, sex, AIDS…• Social: influence, co-ownership, co-authorship…• Technical: internt, web, email…

8

Characteristics of scale-free networks• Degree distributed as g ( is constant). (In ordinary

random graphs, degree is Poisson distributed.)• thick-tailed distribution large probability for large g

• In the previous example: 2 average degree !

log(#)

log(degree)

()

Scale-free

Ordinary random

9

Structure of scale-free graph

Some nodes are more important than other: search engines on the web, companies with large email address lists, large banks, politically influential people. These nodes are called hubs.

10

Random attack

• Take away random nodes and the network is still connected

11

Targeted attack

• If the hubs are attacked, the network disintegrates

12

Observations

• Scale-free networks are robust against random attacks– This is why they are so frequent in nature – nature is

random. Internet is very robust by design

• Scale-free networks are very vulnerable for targeted attacks

– The ICT infrastructure is vulnerable because an adversary may find out how it looks like and direct the attack against the hubs

• Scale-free networks are thus structurally vulnerable!!

13

Protection of society

• Fault avoidance– Firewalls, access control

– Protects against the known but not the unknown

– Does not protect the structure of the network

• Fault tolerance– Automatic recovery (restart, reboot, checkpointing),

isolation, redundancy, degeneracy

– Identify ICT dependence of infrastructures and remove/reduce structural vulnerability by

– identifying the network structures at all layers– reshaping one or more of these structures

14

Structure of physical network

Fixed but dynamic network kernel

Fixed periphery Mobile periphery

Internet

Access

Fixed

Mobile100%

1995 2005

Fixed vs mobile1995 2005

Access#

Internet

Growth

15

Effect on vulnerability

Number of CPU accesses increases More contamination points

Increasing mobility

Every access is a potential contamination point

More contamination relations

Scale-freeness No epidemic threshold

16

From fixed to mobile periphery

Network

Stationary periphery

Network

Dynamic periphery

Local system

Our own devices: who is inside and who is outside the local system?With whom do we communicate and how?

17

Three fundamentally different accesses

• CPU access to physical network – this is what we usually understand by access– Based on user and terminal characteristics

• CPU access to other CPUs– This is what actually happens– IP security (confidentiality)

• Access to software (applications)– This is what we want!– And actually gets!– User profile access screening– TCP security (confidentiality, integrity)

Software

CPUs

Internet

18

What the user wants from wireless access systems

• Openness – allowing easy access to as many networks and

applications as possible

• Security– against fraud, damage, theft, misuse etc

• Anonymousness– access without disclosing identity

– Untraceability

• Accountability– prove that transactions took place as specified (non-

repudiation)The first easy to build into the system – the other three difficult

19

What the designer and the operator must provide

• Secure protocols between CPUs• Tamper-resistant electronics for storing profiles and

encryption/authentication keys in devices• Device identification and access profiles• Platforms allowing user profiles (e.g., access rights) to

be stored in secure databases that are accessible by the network or remote CPUs

• Protocols and algorithms that ensure both anonymity and accountability

• This must be built into the design and not fitted afterwards!!!

20

… in an environment with these characteristics

• Supporting a versatile set of applications with several levels of security requirement and operating characteristics

• Autonomous creation and reconfiguration of network topologies

• Automatic presence detection, and autonomous connection and verification of devices

• Automatic enforcement of security profiles• Automatic restoration after failures