"It is like riding a cannonball" - Professor Jörn Müller-Quade on the fight for security and privacy in cyberspace
The Head of the Institute of Cryptography and Security at the KIT, Professor Jörn Müller-Quade, conducts research into data protection, IT security, and cryptography. He is the founder of the KASTEL Competence Center, one of three nationwide centers of competence in cybersecurity in Germany initiated by the German Federal Ministry of research in 2011.
The text was conducted in English, an excerpt is available in German at the end of the text
lookKIT: A regular war is occurring on the Internet. Unfortunately, the extent of the hazard, especially for smaller companies, is still underestimated. The players behind these attacks are no longer the classical hackers. They have been replaced by highly professional illegal service providers. What do we know about them?
Professor Müller-Quade: “There are still those ‘script kiddies’ who exploit some well-known security gaps for attacks out of sheer boredom. However, we also find increasing professionalization of the attackers and growing participation of organized crime. A real black market has arisen in the Darknet for the tools needed for hacking. In addition, there is a group of politically motivated ‘hacktivists’ modeled on the ‘Anonymus Group’ example. They are highly motivated and, as a rule, excellently trained. Finally, state-operated cyber espionage units have been set up which can do a lot more because, quite frequently, they are in cahoots with hardware manufacturers, providers or mobile service providers.”
lookKIT: Early this year, the Central Bank of Bangladesh lost 80 million dollars in a single hacker attack. Your colleague, Professor John Walker of Nottingham Trent University, says that hacking had meanwhile become a flourishing service industry generating billions in profits. Most of the incidents, however, were not even reported by the companies affected. Is there a lack of attention with respect to the new dramatic dimensions of cybercrime?
Jörn Müller-Quade: “The problem does not become manifest because hazards in cyberspace cannot be experienced directly. A bank robbery with masked, armed criminals entering the main hall is perceived in a very different way. If, on the other hand, 80 million disappear which exist only as numbers on a computer screen, this has a very abstract meaning to people.”
lookKIT: From your point of view, what are the most important weak spots which sometimes seem to invite attackers into corporate networks?
Prof. Müller-Quade: “Terminal security is the biggest problem. It is a scandal that the whole computer can be dominated by means of e-mail attachments that are clicked on. Unfortunately, we are in a schizophrenic situation. Not all parties are seriously interested in terminal security, as vulnerability also offers advantages, for instance, to criminal authorities or secret services. As long as even governments exploit weak spots, for instance, by using government Trojans, the situation remains complicated and we are not all moving in the same direction. For private use, it is mostly sufficient to use the latest operating system and install the most recent security patches. Businesses need professional solutions, but even those are of limited use against highly professional attackers. Yet we must not give up. I keep hearing that it was impossible anyway to do anything against the NSA, which makes people resign. However, a lot can be done against organized crime. Life can be made difficult even for the NSA. For this purpose, however, one must invest in IT security. One major problem is that the benefit of IT security is hard to measure, and this is why there is a general tendency to save money in that respect.”
lookKIT: What are the basic ideas on which to start risk management in cyberspace?
Jörn Müller-Quade: “The company must decide which parts of IT are really important. Providing a very high level of security for everything does not make sense economically. One should use different levels of security and have an IT security officer, if possible, directly attached to top management so that the subject will be taken seriously.”
lookKIT: Moving sensitive data into a cloud is considered a workable way of coming to grips with the security problem at relatively low cost. Of course, it requires trust and confidence in the cloud. Your “MimoSecco” middleware developed on behalf of the German Federal Ministry of Research is your way of showing how secure cloud computing could be made.
Jörn Müller-Quade: “In actual fact, cloud computing is a possibility to enhance security at least against hacker attacks. Provided, of course, that you have confidence in the cloud vendor. As you can see in the USA, there is no security in this case against intervention by government players. Our ‘MimoSecco’ solution therefore is based on the assumption that we must not have blind confidence in the provider either. The data are distributed over various clouds in such a way that an attacker penetrating one of these clouds could not make much use of the data. We have been able to offer a very precise definition of protection by ‘MimoSecco.’ It is absolutely clear in what sense a hacker will not ‘learn much.’ This precise definition allows users to assess whether this level of security would be sufficient for their situation. In addition, data transfer from the cloud to the terminals is protected by encryption and authentication procedures. When you want to work with the data, they are recombined from various clouds until the database is available in plain text. This is done either on a trustworthy server or on your own terminal. This means, above all, that a fully satisfactory solution absolutely requires security of the terminals to be taken into account as well. Stronger protection than by ‘MimoSecco’ can be achieved by encrypting the database en bloc. However, this also implies that it needs to be downloaded and decoded completely for each transaction. This is very expensive. Consequently, a security performance tradeoff is needed for moving databases into the cloud as a workable compromise between security and usability. If the expense of providing security exceeds the savings attainable by cloud computing, cloud computing makes no economic sense.
lookKIT: What kind of security performance tradeoff are you thinking of?
Jörn Müller-Quade: “The company must define clearly what it wants to protect and what not. In our ‘MimoSecco’ solution, for instance, we protect the data stored. The patterns of access, however, remain unprotected. When the data are used, the provider will be able to see those parts of the database which are accessed more frequently. If this implies a risk, “MimoSecco” cannot be used. Protection including access patterns would be more sophisticated. Intuitively, additional expense must be incurred for each and every query in order to disguise the access pattern. There is very interesting research available in this field. So, you can protect different things at different levels of expense. Unfortunately, the security performance tradeoff is not a control which can be adapted continuously to the respective economic optimum. There is still need for more research, for instance, in security metrics.”
lookKIT: Is there a possibility to demonstrate the effectiveness of a security system once implemented?
Jörn Müller-Quade: “It will not be possible to demonstrate security for real systems. The entire bandwidth of possible attacks cannot be assessed reliably. Even your business partner could be a spy. Yet, there is a systematic access. You start from clearly defined assumptions and try to demonstrate, in a mathematical model, that there are no possibilities for attack within the model. Of course, this still leaves us far from the possibility to exclude all attacks in reality. Reality is infinitely more complex than any underlying model. However, we did exclude all attacks which can be modeled. This may be a very large class of attacks, including even those one did not have in mind initially. This systematic access is the ideal way, compared to patching as frequently used today. If gaps in security appear in systematic access, this means a gain in perception. You perceive the shortcomings of the model chosen or see that specific fundamental assumptions were wrong. In that case, either the model or the assumptions can be matched. This scientific approach is going to provide progress in the entire complex of cyber security. It also will generate a more comprehensive understanding of what security actually means.”
lookKIT: Is this what you mean by a holistic security concept?
Jörn Müller-Quade: “Holistic refers to an approach which, basically, encompasses the entire system, not just integrating individual security components somewhere but securing the entire system. Take the network of a company in which everything is encrypted end to end. Even this complete encryption does not mean that the IT of this company is secure. There could be weak spots in the terminals. There even could be an external access which need not penetrate encryption because it has direct access to the company’s server. It is a problem when you think only of security mechanisms like a firewall, leaving out security properties of complete systems. What we need are clear security definitions to discuss meaningfully whether a specific, defined level of security has
been achieved.”
lookKIT: Is this not like riding a cannonball? Just consider how technical developments result in new threats all the time. Take the example of the complete dissemination of smartphones. In many companies, staff use them to directly log into the networks, thus opening up new possibilities for hackers to attack.
Jörn Müller-Quade: “This image of riding a cannonball is absolutely correct. Another impressive example are passenger cars equipped with keyless-go systems. It is sufficient for a driver of those cars to stand by the side of the vehicle in order to open the door. Once you sit in the car, you can start the engine by pushing a button. The car then checks wirelessly whether the key is nearby. This certainly is an advance in comfort. However, as far as security goes, it means a step back. The keys transmit at very low energy. When the vehicle receives the signals, it assumes that the key is nearby. Car thieves now make use of powerful antennas directed at the living rooms of the owner. The signals, once received from the key somewhere in the house, are then amplified technically and transmitted to the parking car. The car doors will open and the car may be started easily. This proves that the imagination of car manufacturers was not sufficient to see what could go wrong. Instead of looking for more and more comfort, we should also demand more and more security. In that case, doubtful progress would be given up in many places.”
lookKIT: This ideology, which equates progress mainly with more and more comfort, has also dramatically changed the Internet proper. We are experiencing a profound erosion of the private sphere, which is made possible by the data gathering craze of the large Internet companies and government players, such as the NSA. The tools needed to handle the huge data volumes arising in this way are also available: Big Data analysis programs are able today to generate large numbers of user profiles to an appalling degree of precision. Are we already living in a post-privacy era in which insisting on a private sphere is like the proverbial fight against windmills?
Jörn Müller-Quade:
“Unfortunately, the impression seems to be correct that something like a private sphere has become impossible nowadays. We have largely lost control over our data. Whenever we want to use a new app or a new code, we must accept business conditions at a mouse click in which we find expressed in very complicated terms the way in which the vendor is going to use our personal data. The privacy paradox will apply to the vast majority: Everybody emphasizes how important his or her private sphere is to him or her, but as soon as he or she is promised any kind of benefit in exchange for making available his or her personal data, this pledge is quickly forgotten. We are going to lose privacy unless we demand it proactively. The data collections of companies mean cash to them. In previous times, for instance, prices were defined in the light of general market conditions. One knew very little about individual customers. In the meantime, on-line dealers can adapt their prices to a buyer profile once recognized. In that case, we may pay the maximum price that providers feel we can be expected to pay. Once people realize that this craze of data gathering also serves to make them pay through the nose, the insight could gain ground that seemingly free-of-charge apps are a Trojan horse inviting access to our private sphere.”
lookKIT: Programs for analyzing Big Data have advanced immensely. The data of images and videos have been made accessible. And prognostic tools have been produced which predict future behavior.
Jörn Müller-Quade: “Big Data technologies explicitly devote their attention to this glimpse into the future. They would like to predict whether an individual will buy a specific product or what price he or she would be willing to pay. Of course, there are also very many positive potential applications of these technologies. However, as regards private data, this is very dangerous. Above and beyond the generation of user profiles there is also the objective of predicting the development of markets or individual companies. Anybody succeeding in these efforts will reap enormous economic benefits, such as identifying candidates for acquisitions, firms undergoing a weak phase although they are economically sound and solid. They can early on recognize future consumer trends. It will be possible for them to define so-called high potentials, highly talented people a company would like to recruit.”
lookKIT: An Internet company like Google has more in-depth knowledge of what makes the world’s societies tick than all sociological research institutions taken together. Does this not have a dangerous political connotation as well?
Jörn Müller-Quade: “Many companies are now handling their patent searches via Google. In this way, Google learns what other companies are working on. No industrial spy need take the trouble any more to penetrate a company. Also the possibilities of companies such as Google to exert political influence are growing. There is the ‘nudging’ phenomenon both in politics and in the economy. It is about intensifying existing trends in a group of people. This can be achieved by presenting to a group engaged in Internet searches lists of findings tailored to their respective profiles. Existing convictions can be reinforced in this way. Given the present strong political polarization of our societies, nudging could produce a decision, for instance in elections, without this manipulation being recognized properly.”
lookKIT: How are user profiles produced?
Jörn Müller-Quade: “Much of this is reminiscent of the searches for wanted persons by screening techniques developed in the early computer age. However, immensely more subtle statistical methods are now available for this purpose. Also pattern recognition techniques have improved decisively. The classical techniques of finding wanted persons by screening were not able to analyze image data. Progress became possible as a result of the coincidence of major advances in pattern recognition and improved statistical clustering tools. Clustering allows the identification of developing trends and their extrapolation. In this technique, data are regarded like points in a large multidimensional feature space. The distance between points in this abstract space is a measure of the relatedness of data. If many new, closely related points are added, this is indicative of the emergence of a new trend. For instance, there was a service searching twitter news for pairs of words. It was possible to use decreasing or increasing frequencies of pairs of words found for conclusions about rising or falling trends. In classical search for wanted persons by means of screening, you had to know the specific features you were looking for. Today’s analytical tools, however, define, by clustering, what can be considered standard behavior. Any deviating behavior can then be recognized by means of the distance from the clusters. Credit card companies, for instance, know that payment losses are frequently initiated by marriage problems. Married women buying jewelry can be considered early indications of an imminent divorce. It is possible to use these clusters to predict future behavior with a relatively high probability. Conversely, the user profiles produced in this way can work also as self-fulfilling prophecies reinforcing stereotypes.”
looKIT: Would anonymization of private data be a suitable antidote?
Jörn Müller-Quade: “Ideal anonymization would get the data into a format which would make any conclusions to specific persons impossible. In reality, however, many people see anonymization only as a process making a name illegible or reducing the refinement of other individual features. However, when a profile knows a lot about a person, it will identify that person with high probability even if the associated name is unknown. Although we may not like it, people are highly predictable in their behavior. Private characteristics of a person can be deduced even from a database in which that person does not even exist. A database of friends is sufficient. A lot about an individual can be learned from that source. In most cases, friends are approximately the same age, have comparable educational backgrounds, and have many interests in common.”
lookKIT: You are asking for more attention to be given to the many traces we leave as soon as we enter cyberspace. How can we understand more precisely how grave the loss of private sphere is as the result of a specific pattern of behavior in the Internet?
Jörn Müller-Quade: “If we gave more priority to the need for a private sphere, there would be possibilities to determine its loss more precisely. There are concepts of anonymity which imply adding noise to data and making them coarser. It is possible, in this way, also to measure at least in part the intensity of an intervention into one’s private sphere. One determines the increase in probability of something being said about a specific person if the noisy or coarse data are known. The larger the increment in probability, the more the data will tell.
Of course, this does not yet say anything about the subjective experience of a loss of private sphere. This kind of evaluation of information is still missing in the models.”
lookKIT: Does existing data protection have to be adapted?
Jörn Müller-Quade: “Future data protection must take into account modern privacy concepts. There is the term of ‘differential privacy’ taken from cryptography. At present, this is the gold standard in protecting the private sphere. It means that data published by way of a database are compared with the same excerpt from the same database from which, however, one specific individual was taken out. When the two database excerpts show practically no difference, this is a strong guarantee of this publication not yielding any private data of the individual. Differential privacy provides this kind of guarantee for each individual in a database. Unfortunately, this is very hard to achieve. More research needs to be conducted. It must be found out whether a less strict standard would do as well. The biggest problem is the combination of data from various sources. It is hard to assess the general knowledge and the additional knowledge about de-anonymization available to an attacker. It must be safeguarded technically so that data from different sources cannot be combined unless this were to take place in a very secure environment for a purpose important to society at large.”
lookKIT: You designed a camera surveillance system within the framework of KASTEL which ensures this “privacy by design.”
Jörn Müller-Quade: “The ‘Nurse Eye’ system was developed at the Fraunhofer Institute of Optronics, System Technologies and Image Exploitation within the framework of KASTEL for patient monitoring. It is to initiate an alarm when a person falls. The basic principle in this case is to process the data, if possible, already in the surveillance camera. In this way, private data will not be transmitted at all. The decision whether somebody fell is then taken at the very point of observation. You could think of it as a secure container holding the private data.
What leaves the container is only a binary signal either indicating that everything is all right or producing an alarm. Only in the latter case has the switchboard operator the possibility to look at the camera image proper. This gives rise to an interesting paradox: The more private data can be collected and processed in this contained environment, the more easily anonymization of what leaves the container is possible. More data must be acquired so that they may be better protected afterwards.”
lookKIT: ”Database Privacy“ emerges as a new research area. How would you describe its future challenges?
Jörn Müller-Quade: ”‘Differential Privacy’ has shown that the concept of a private sphere, which is so difficult to grasp in any other way, can be formalized precisely in mathematical terms. However, the definition found is too strict and not sufficiently specific for application. We need more definitions relating to specific applications, such as power consumption data, as we want to investigate energy status data in our current research training group.
Moreover, we need more experience to be able to determine the parameters telling us how much private sphere should be guaranteed in a mathematical model and beyond what point disclosure of data represents a serious breach of privacy. In principle, the scientists working on privacy must cooperate with their colleagues advancing the development of tools for analyzing Big Data.”
Exzerpt auf Deutsch
„Es ist ein Ritt auf der Kanonenkugel” – Professor Jörn Müller-Quade über das Ringen um Sicherheit und Privatsphäre im Cyberspace
Übersetzung: Ralf Friese
Professor Jörn Müller-Quade leitet mit KASTEL eines der drei deutschen Kompetenzzentren für Cybersicherheit. Er ist überzeugt, dass die Herausforderungen in diesem Bereich durch neue Akteure und neue technologische Entwicklungen dramatisch anwachsen werden. Das Ausmaß des Problems aber werde in der Öffentlichkeit nicht ausreichend zur Kenntnis genommen, die Budgets für IT-Sicherheit allzu oft eingeschränkt. Leider werde auch der Sicherheit der Endgeräte nicht von allen die oberste Priorität eingeräumt. Die Auslagerung sensibler Daten in die Cloud biete in dieser Situation einen gewissen Schutz. Mit der im Rahmen von KASTEL entwickelten „MimoSecco“ Middleware sogar dann, wenn man kein hundertprozentiges Vertrauen zu Cloud-Anbietern haben könne. Entscheidend sei ein möglichst bewusst geschlossener Kompromiss zwischen Sicherheit und Praktikabilität. Professor Müller-Quade sieht in diesem Bereich der sogenannten Sicherheitsmetriken großen Forschungsbedarf. Tatsächlich ist es in der Praxis sehr schwer relevante Risiken konkret zu messen und den Schutz in ökonomisch verträglicher Weise anzupassen. Der systematische Ansatz, von klar definierten Annahmen ausgehend ein mathematisches Modell zu erarbeiten, ist für den IT-Sicherheitsexperten dennoch
der einzig gangbare Weg zu einem wissenschaftlich fundierten Verständnis von Cybersicherheit. Ein solcher systematischer Ansatz ist für Jörn Müller-Quade auch im Bereich des Datenschutzes unerlässlich. Die schleichende Aushöhlung der Privatsphäre durch das Tracking und die Analyse-Elemente von Big Data zeige eindringlich, wie wichtig das neue Forschungsfeld „Database Privacy“ sei. Auch hier bedürfe es mathematischer Modellbildungen. Vage Begriffe wie „Datensparsamkeit“ müssten durch eindeutig falsifizierbare Begriffe wie „Differential Privacy“ abgelöst werden.
Artikel aus der aktuellen Ausgabe des Wissenschaftsmagazins LooKIT, Edition 3/2016, Schwerpunkt Mobilität.
Article within the current edition of the science magazine LooKIT on mobility at the Karlsruhe Institute of Technology, Edition 3/2016.
Interview conducted by Dr. Stefan Fuchs.