unsophisticated hackers and concentrate on how to protect against sophisticated, well-financed attackers. If the costs of attacking a system can be made sufficiently high as to deter all but the most determined, then attention can be paid to the more difficult challenge presented by the truly skilled and motivated adversary (who in many cases may well be an insider). Participants who have studied computer security over many years noted that, unfortunately, hacking information systems is becoming easier rather than more difficult. This is due to a number of factors, including the decline in the quality of COTS software, easily obtainable hacking toolsets and information, increased expertise in the general population, and poor default configurations that are not corrected by users.

5. Options for CSTB

A lively discussion took place about how a CSTB study in this area might best be oriented. As noted in the introduction, participants were nearly unanimous in their agreement that focusing exclusively on classified systems would not be appropriate. Several participants indicated that the Office of the Secretary of Defense (OSD) and the intelligence community can be (and likely already are) persuaded that this is a serious concern, and they would therefore be a good audience for such a study. However, limiting a study to classified networks and the classified aspects of information security would not produce as widely applicable a result as a broader conceptualization would. As has been described, corporations have very sensitive data and systems, and they invest in substantial protection just as the government does. Unclassified networks are often just as important (even in terms of national security) and just as likely to be attacked by a sophisticated adversary as are classified systems.

Participants argued that limiting such a project to classified systems would artificially constrain its sphere of influence. While acknowledging that much could be learned from a limited study that was, nonetheless, broadly applicable in the range of security issues it addressed, participants were concerned that such a limitation would also unnecessarily inhibit the size of the audience for such a report. The government currently uses COTS systems and any examination of such systems in a classified context will also likely produce useful results for those who use such systems in unclassified situations. More troubling is the possibility that a report focused only on classified systems (and the weaknesses in security thereof) could be used against the government were the report to lay out best practices that are not currently in place. CSTB has a history of examining governmental requirements versus commercial requirements and explicating the similarities and differences thereof, making a project of this scope feasible.

NEXT STEPS:

The participants in this meeting encouraged CSTB to develop a proposal for a study to examine high-grade threats (including insider threats) to high-value information systems. The study should focus both on national security concerns and classified systems and on non-classified, commercial enterprises.







Summary of Discussions at a Planning Meeting on Cyber-Security and the Insider Threat to Classified Information

Meeting participants generated questions that such a study might address. They include, in no particular order:

What is an appropriate characterization of 'high-grade threat' and 'high-value target'?
What are useful techniques to aid those who find themselves in charge of a high-value information system?
What are good strategies to employ when a system is under attack by sophisticated adversaries (either self-motivated or organized and well-funded)?
What is the extent to which insider and other serious threats are an unacknowledged or unreported issue within various communities?
Is there information that should never be placed in electronic form?
What is the responsibility of the industry when it comes to building secure systems, and what role do recent laws such as the Uniform Computer Information Transactions Act (UCITA) and the Digital Millennium Copyright Act (DMCA) play?
What are the sociological and managerial aspects of defending against high-grade threats?
What data and what metrics are needed in order to begin modeling the problem of high-grade threats against high-grade targets?
What are the upcoming technologies designed to help combat serious threats to high-value systems, and what is their potential impact (e.g., what might be the future impact of quantum computing on these issues)?
Given the new kinds of system and social organization becoming prevalent (e.g., peer-to-peer), are there changes in the security business model that need to be taken into account?
Is software quality declining and therefore making the jobs of those likely to be attacked by serious, well-funded adversaries more difficult? If so, what can be done?