Two months ago, Debora Plunkett, director of the Information Assurance Directorate (IAD) at the U.S. National Security Agency (NSA), made headlines when she told attendees at a cyber security forum that there is "no such thing as 'secure' anymore."
What Plunkett meant, according to Dickie George, technical director of the NSA's IAD, is that there has been a paradigm shift in network and computer security: rather than focusing all efforts on keeping intruders out, the reality of today's world forces security teams to assume that adversaries can and do access their networks.
While keeping intruders out is still the primary objective, George said during the annual Cryptographers' Panel at the RSA Conference 2011 in San Francisco, monitoring today's networks requires keeping a vigilant eye out inside the network for uncharacteristic or "inappropriate" behavior.
"If you assume they haven't been [inside your network], you are setting yourself up for a shock," George said.
George and fellow panelists, including Ronald Rivest, the Viterbi professor of electrical engineering and computer science at MIT, said cryptography remains the best tool available for ensuring network security. But they noted that cryptography has its limitations.
"Cryptography provides the tools, but I think the problem we are facing is the rash of technology development," Rivest said. "We keep building fences, but the universe keeps growing."
Adi Shamir, professor of computer science at Israel's Weizmann Institute of Science, noted that the two biggest network security issues of the past year—the WikiLeaks controversy and the Stuxnet computer worm attack that reportedly damaged as many as one fifth of Iran's nuclear centrifuges—could not have been prevented with cryptography.
"It's interesting to me that the two biggest attacks of the last year had nothing to do with cryptography," Shamir said.
But though they acknowledged that cryptography has its limitations, panelists—pioneers in the field—also emphasized that ongoing cryptography research is still of great value.
Martin Hellman, professor emeritus of electrical engineering at Stanford University, pointed to the work done by security technology firm Cryptography Research Inc. in identifying the threat of differential power analysis attacks as an example of the tangible value of ongoing research in the field.
"There are attacks yet to be found," Dickie said.
Whitfield Diffie, a visiting professor at the University of London's Royal Holloway College and a visiting scholar at Stanford, defined the first phase of cryptography's existence as the period between roughly 1915, when the first Enigma machine was created, and the February 2005 release of the NSA's Suite B set of cryptographic algorithms. The application of secure computing only existed for about half of that roughly 90-year period, Diffie noted, suggesting that there is plenty of room for continued research.
Despite the gravity of the topic, the panelists found time for a few laughs. In a separate Q&A session held after the Cryptographers' Panel, Shamir added that he was not convinced that embedding cryptographic elements within semiconductors is the solution to the security issue.
"I'm not convinced that a security mechanism embedded on chips is going to make the situation much better," Shamir said, adding that a Trojan horse that makes it onto a computer is going to record keystrokes regardless of whether the security is in the hardware, the software, or both.
"My only hope is that the Russian Trojans on my computer and the Chinese Trojans on my computer will fight each other and block each other [from a successful attack]," Shamir joked.