The Cyber Trough of Disillusionment

I’ll call the moment: the cyber security field is now past its giddy buzzword peak.

Gartner is well known for preparing “hype cycle” analysis of technology sectors, as in their recent publication of the 2009 “Hype Cycle for Social Software.” That report got a lot of attention on Twitter and in blogs, naturally; social medians are nothing if not self-reflective regarding their community. I thought an interesting take was by an IBM developer, who compared the 2008 version against the new one, measuring the changes in predicted “time to maturity” for individual technologies, and thereby coming up with something like a measure of acceleration. By that measure, individual blogging and social search made the most rapid gains.

But I notice something missing on the full list of 79 Gartner hype cycle reports: there’s not one about “cyber security.”

[Image: Gartner Hype Cycle 2009 Emerging Technologies]

To the left you can see their uber-cycle, the latest chart of all “Emerging Technologies.” Among the dozens of “technology, topic and industry areas” across all their charts, the closest thing to covering the “cyber” world is the Data and Application Security Hype Cycle, which lists no fewer than 21 contributing analysts but still can’t see fit to reflect the broadest reaches of internet security. Its abstract alludes to Internet security, but makes clear that its focus is on several specific (not to say narrow) technical approaches:

Enterprise boundaries continue to blur as data is shared across the Internet between partner organizations and unmanaged endpoints, increasing concerns about data leakage and manipulation. This is encouraging greater use of application layer and data layer security controls.

Now, those topics are of course related to information security and assurance, and yet they don’t approach the overall breadth of the tangled spaghetti of technical, policy, and political issues that make up the messy cyber-security realm.

This week I expected to get a snapshot of where that messy realm stands, by attending the “National Cyber Leap Year Summit” in Arlington, Virginia. It was a joint DoD-White House production, by invitation only, and sponsored by the White House’s Office of Science and Technology Policy (OSTP), and the Office of the Assistant Secretary of Defense for Networks and Information Integration (NII).

They wisely used as an organizational umbrella the Federal Networking and Information Technology Research and Development (NITRD) Program, the quiet but important organizing construct for federal R&D. NITRD describes itself as

“the primary mechanism by which the Government coordinates its unclassified networking and information technology (IT) research and development (R&D) investments. Thirteen Federal agencies, including all of the large science and technology agencies, are formal members of the NITRD Program, whose combined 2007 IT R&D budgets totaled more than $3 billion.”

Member agencies include DARPA, DOE and the National Labs, NASA, NIH, NIST, EPA, NARA, AHRQ, NOAA, NSA, NSF, OSD, and the DOD Research Labs. All of those groups were represented at the Cyber Leap Year Summit this week – along with a panoply of top names from corporate and academic security work and research – you name ’em, they were represented.

And yet I came away slightly disappointed – not with the effort by the event’s organizers, but with the outcome. The premise of the session was to provide “leap-ahead, game-changing” ideas and proposals. Some were indeed offered in sessions, kicked around, and debated, dismissed, or set aside for further exploration. There were five tracks in the conference:

  • Digital Provenance → basing trust decisions on verified assertions
  • Moving-target Defense → attacks only work once if at all
  • Hardware-enabled Trust → knowing when we’ve been had
  • Health-inspired Network Defense → move from forensics to real-time diagnosis
  • Cyber Economics → crime doesn’t pay

    Each track wound up having valuable brainstorming sessions, with some innovative ideas and approaches generated, all of which are now being captured in a wiki.  (Participants were provided with password access to the wiki; if it is opened to broader access I will update this post with a link.)

    I mostly attended the Cyber Economics sessions, which had the closest relevance to government policies as far as I could tell.  Our ideas ranged from innovative ways to raise the economic costs to bad guys on the Internet, to establishing something like a “cyber NTSB,” which would mirror its Transportation Safety counterpart in collecting, analyzing, and reporting out data on cyber attacks and information-security incidents. Good ideas, but nothing game-changing on its face.

    I stuck my head into the other groups from time to time as well, and listened closely at the wrap-up “mix ‘n’ match” discussions at yesterday’s final sessions, hoping to hear a breakthrough idea.  I’ll admit, I personally had none to contribute – cyber security is not my native field of expertise though I do my best. But unless I’m mistaken, no one else had a true “game-changing” breakthrough either.  Overall there was a sense of “heard it all before” quietly sitting like a ground-hugging fog in the conference rooms.

    Now, that’s not necessarily dire; this is tough stuff and you can’t expect a single conference, even with the biggest brains in attendance, to produce elegantly brilliant policy and technical solutions to enormous challenges of long standing. But it indicates to me that the publicly-discussed field of cyber security is echoing certain stages on the Gartner Hype Cycle.

    Down in the Valley

    That cycle charts “Expectations” against a Time axis in the life of technologies or industries. Over the past couple of years, I would say that Cyber security has ramped quickly up the “Inflated Expectations” hype curve. I’d argue that it approached its “Peak of Inflated Expectations” the moment that presidential candidate Barack Obama pledged on the campaign trail that “I’ll declare our cyber-infrastructure a strategic asset and appoint a National Cyber Adviser who will report directly to me.”

    How’s that promise coming along? Not well.  The inflated expectations crested the moment Melissa Hathaway published the much anticipated, now nearly forgotten, 60-Day Cyberspace Policy Review. You can see my previous pieces on the Cyber Czar debacle, read an adamant op-ed in this week’s Business Week titled “The U.S. Needs a Cybersecurity Czar Now,” or read one of DC’s keenest political observers, The Atlantic’s Marc Ambinder, who now believes that the leadership vacuum is increasing “jitters about whether the Obama administration is devoting enough bandwidth to the issue.” Marc’s piece (“On Cyber, Homeland Security Isn’t Waiting”) argues that DHS is picking up the baton in the vacuum, but many of the folks I know up at Ft. Meade scoff at that, and are quietly burrowing away at the bureaucratic-politics game themselves.

    There’s a lot of effort going on to secure things all right – things like bureaucratic turf, budget billions, and presidential face-time.

    Per Gartner’s paradigm, cyber security as an issue is heading straight down into the “Trough of Disillusionment.”  That’s not an indictment of those working in the field. Indeed, in Gartner’s methodology, to be successful, technologies almost inevitably follow a path “from overenthusiasm through a period of disillusionment to an eventual understanding of the technology’s relevance and role in a market or domain.”

    The Slow Climb to Enlightenment

    So what is to be done, down here in the valley? Well, I’d argue that technologists just ignore the politics and the Time-magazine covers and the frenzied Twitter chronicles of who’s in and who’s out.  I’ll try to avoid that stuff as well, as a prime offender (no promises), and do a fair job of tracking the technical progress of promising research.

    To that end, I’ll end with a nod to a cool Microsoft Research project being unveiled this week at the SIGCOMM 2009 conference in Spain: “De-Anonymizing the Internet Using Unreliable IDs.”  Researchers Yinglian Xie, Fang Yu, and Martin Abadi have just published a great paper (available in PDF here) detailing their “Host Tracker” work aimed at malicious traffic which cannot typically be “held accountable” in today’s open, anonymous Internet of free traffic from any host.  “HostTracker tracks dynamic bindings between hosts and IP addresses by leveraging application-level data with unreliable IDs.”

    As the early coverage in Technology Review  puts it, Internet anonymity can be both a blessing and a curse, because “the same technologies allow cybercriminals to hide their tracks and pass off malicious code and spam for legitimate communications.” TR goes on in their assessment:

    [HostTracker represents] a way to remove the shield of anonymity from such shadowy attackers. Using a new software tool, the three computer scientists were able to identify the machines responsible for malicious activity, even when the host’s IP address changed frequently. “What we are really trying to get at is the host responsible for an attack,” said Yinglian Xie, a member of the Microsoft team. “We are not trying to track those identifiers but associate them with a particular host.”

    The prototype system, dubbed HostTracker, could result in better defenses against online attacks and spam campaigns. Security firms could, for example, build a better picture of which Internet hosts should be blocked from sending traffic to their clients, and cybercriminals would have a harder time camouflaging their activities as legitimate traffic. – Technology Review

    HostTracker is squarely aimed at several of the questions across the five-track sections in the Cyber Leap Year Summit, including the “Digital Provenance” and “Moving-Target Defense” areas.  If it’s successful, it could begin to chip away at the economics of cyber attacks as well – at least until the attackers’ next innovation, which will drive the cycle of good-guy research again.

    Hmm – a cycle. Gartner, get to work!
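
A simplified illustration of the binding idea quoted above, added here and not taken from the HostTracker paper or from Microsoft's code: application sign-in events are folded into (ID, IP, time-window) bindings, and a malicious event is attributed only when exactly one ID was bound to that IP at that moment. Treating one user ID as a stand-in for one host, the log format, the sample data, the function names and the 600-second gap are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed application-log sample: (user_id, ip, unix_time) of sign-ins.
LOGINS = [
    ("alice", "10.0.0.5", 100), ("alice", "10.0.0.5", 400),
    ("alice", "10.0.7.9", 900), ("alice", "10.0.7.9", 1300),  # host re-addressed
    ("bob",   "10.0.0.5", 1000), ("bob",  "10.0.0.5", 1500),  # old IP reassigned
    ("carol", "10.0.3.3", 200), ("carol", "10.0.3.3", 800),
    ("dave",  "10.0.3.3", 300), ("dave",  "10.0.3.3", 700),   # overlap: NAT/proxy
]
# Constructed malicious-traffic sample: (ip, unix_time).
ALERTS = [("10.0.0.5", 250), ("10.0.7.9", 1100),
          ("10.0.3.3", 500), ("10.0.9.9", 50)]


def build_bindings(logins, max_gap=600):
    """Fold sign-in events into windows (user_id, ip, start, end).

    Events for the same (id, ip) no more than max_gap seconds apart extend
    one window; a longer silence starts a new one, because the address may
    have been handed to another host in between.
    """
    windows = []
    open_win = {}  # (user_id, ip) -> index of its most recent window
    for uid, ip, ts in sorted(logins, key=lambda e: e[2]):
        idx = open_win.get((uid, ip))
        if idx is not None and ts - windows[idx][3] <= max_gap:
            windows[idx][3] = ts
        else:
            open_win[(uid, ip)] = len(windows)
            windows.append([uid, ip, ts, ts])
    return [tuple(w) for w in windows]


def attribute(alerts, windows):
    """Attribute each alert to the one ID bound to its IP at that time.

    IDs are unreliable: several may share an address (NAT, proxy) or none
    may be seen at all. Those alerts are returned as unresolved rather
    than pinned on a guess.
    """
    by_host = defaultdict(list)
    unresolved = []
    for ip, ts in alerts:
        ids = {uid for uid, wip, start, end in windows
               if wip == ip and start <= ts <= end}
        if len(ids) == 1:
            by_host[ids.pop()].append((ip, ts))
        else:
            unresolved.append((ip, ts, "ambiguous" if ids else "no binding"))
    return dict(by_host), unresolved


if __name__ == "__main__":
    hosts, unresolved = attribute(ALERTS, build_bindings(LOGINS))
    print(hosts)
    print(unresolved)
```

In the sample, both alerts resolve to the same host even though its address changed, while a plain block on 10.0.0.5 would later have hit the unrelated host that inherited that address.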

    10 Responses

    1. Lewis,
      Cyber-security is becoming more and more of an “issue” that no longer is just something academic to think about, but one that hits home quite fast in today’s inter-connectivity driven society. The recent attacks on Twitter, Google and Facebook demonstrated several things:
      1. DDoS attacks are becoming more and more focused and driven by professional hackers such as Foreign Countries.
      2. Denial of DNS attacks are just becoming known as a threat, yet this is like an Achilles heel.
      3. There is lots of yammering about protecting computers, but less attention being paid on protecting public facing and serving data networks such as banking, energy, and communications while these are where the gaping holes are and where the economic damage would be most devastating from any sort of coordinated attack.
      4. The cyber-terrorists are honing their craft, so must the defenders.

      Thanks for posting this thought provoking piece!

      Alan W. Silberberg
      CEO, You2Gov
      http://www.you2gov.org
      @you2gov -twitter

    2. Thanks for the summary, even though it’s somewhat depressing. We were hoping for more.

      Q: Was the scope of discussion in Cyber Economics limited to disrupting attacker ROI (as described in the Summit agenda) or was it more broad?

      If anyone is interested, I co-authored a “call to action” on this topic a couple of years ago, proposing game-changing ideas and research directions in cyber security economics and related disciplines. The full paper: http://meritology.com/resources/Incentive-based%20Cyber%20Trust%20Initiative%20v3.5.pdf and the 8 page summary: http://meritology.com/resources/Incentive-based%20Cyber%20Trust%20-%20Summary.pdf

      Earlier this year these ideas were compressed into the *TWO* page submission format and submitted to the NCLY conference organizers but apparently they didn’t latch on to any of the ideas. I don’t know why.

    3. I got the general impression that the NITRD CLY organizers were looking for “silver bullets”, and that somehow through their multiple RFI process and this three-day brainstorming session, these “silver bullets” would magically appear.

      Is this the best way to solve truly hard, multi-disciplinary problems? I think not.

    4. Lewis,

      the challenge is figuring out how to disrupt the business model of cyber attackers. It’s more than tech in this mix, there is a dynamic that involves human nature and economics. What is the center of gravity of all of this activity? Identity, authentication, encryption? Money, reward, and punishment? Reliability?

    5. Lewis —
      I spent most of my time in the Health Inspired Network Defense session and my sentiments would mirror yours. There was some interesting cross-talk and concepts but nothing I’d call “game changing”. There were some proposals which recycled and updated concepts people have looked at and that can be a good thing (what didn’t make sense legally or economically in the 90s might be worth re-visiting). I think I got some good, incremental ideas and will be interested to see how the wiki evolves and what the final conference report comes out with.

    6. Lewis,

      Thanks for the great post and the analogy.

      I’m wondering, especially with the construct you promised to expand upon called ET2.0 shouldn’t we be defining security and functionality in the same breath? Security is how you ensure functionality. So it is about protecting data, but is also about keeping the systems running, including keeping them running in the face of ET2.0.

      Bob

    7. […] The Cyber Trough of Disillusionment – Lewis Shepherd, Shepherd’s Pi […]

    8. Greetings all.

      I remember reading Guy Kawasaki’s comment in his piece “the Art of Innovation” :

      “those on the first curve are unable to comprehend, let alone embrace the second curve.”

      I’m quite sure that just about everyone in attendance at the summit has two feet squarely planted on the first curve.

      When one attempts to solve a problem, one tends to turn to what has worked in the past. To truly innovate and think out of the box, one must be able to unlearn everything he or she knows. How many experts can check their egos at the door and do that?

      That does not make for a great probability of success.

    9. Lewis,

      One of your best and most thoughtful blogs yet. A touch of irony, given the company you now work for — but I’ll give you a pass since you’ve only been with them a short time.

      I like Gartner’s hype cycles — and agree that a precise and hard-hitting cyber security hype cycle report from them might further energize industry, academia and government and generate the big new ideas. My sense, though, is the recent constant drumbeat from government and other industries that have information assurance, privacy, security and trust as non-negotiable underpinning bottom-lines, is already causing some of the right effects in the IT and policy communities.

      When companies like Lockheed Martin create things like their Center for Cyber Security Innovation (CCSI) http://www.lockheedmartin.com/features/callout/cyber-security.html, and, just last month, Bob Gourley’s old company, Northrop Grumman, stood up their new Cyber Security Operations Center (CSOC) http://www.irconnect.com/noc/press/pages/news_releases.html?d=170125, I’m encouraged that, eventually, industry is going to find enterprise-class solutions to the enterprise-class problems companies like Microsoft have dealt the federal government and thousands of other industries. So the hype cycle is good — it gets people cracking, in places where the charter to crack has pretty good pay-off. Not, alas, internal to the government.

      So, by extrapolation… I could really give a hoot if POTUS appoints a cyber czar or not. I don’t think in-the-government agencies like DHS, NSA, DoD, NITRD, DARPA or others you might think of as being in this business are equipped or well-enough led to solve these kinds of problems. The USG will waste billions, maybe trillions, trying — making a lot of congressmen and senators happy that high-tech federal workers are bringing big paychecks to their states and districts. So the federal funding will continue, and will rise, as overall USG TOA permits, and, ultimately, we will have to buy the solutions in a wrapper from one or another vendor.

      Here’s another guy out there who is likely inclined to agree with me…

      http://www.networkworld.com/community/node/34777

      I think I agree with him more than I disagree.

      Hope all is well.

      Aloha, Dave
