Computer Emergency Response Team Coordination Center (CERT/CC) advisories.3

Reactive efforts are essential because it is impossible to replace the existing IT infrastructure in one fell swoop (and even if it were possible, we would not know what to replace it with) and because the security of any given system will require upgrading throughout its life cycle as new threats emerge and new vulnerabilities are found. Still, continuously reacting to cybersecurity problems—without new approaches to developing and deploying a stronger and more secure technological foundation—is a poor way to make progress against escalating or new threats. By their very nature, reactive efforts are incremental; vulnerabilities that flow from basic system design and architectural concepts cannot be fixed by such means, and often patching introduces additional security flaws. A focus on patching also tends to draw interest and attention away from more fundamental architectural problems that cannot be simply fixed with a patch.

Security add-ons will always be necessary to fix individual security problems as they arise, and R&D is needed to develop improved tools and techniques for dealing with near-term fixes (e.g., configuration management, audit, patch management), but ultimately there is no substitute for system- or network-wide security that is architected from initial design through deployment, easy to use, and minimally intrusive from the user’s standpoint.

Furthermore, for all practical purposes, the cybersecurity risks (the combination of adversary threats and technical or procedural vulnerabilities) of the future are impossible to predict in any but the most general terms. Because it is difficult to anticipate innovation (which changes the architecture or implementation underlying specific systems) and to comprehend complex systems (which makes understanding the systems in place today very hard), it is almost guaranteed that unforeseen applications will result in unforeseen security concerns and human beings will be unable to anticipate all of the security issues that accompany complex systems.

In short, in many ways security is an emergent property of a complex IT system that depends on both the underlying system architecture and its implementation. Consider, for example, the relatively common practice of building an application on top of an off-the-shelf operating system. Although the application builder can in principle know all there is to know about the application, its relationship to the operating system is known only through the various application programming interfaces (APIs) of the operating system. But since the input-output behavior of

3 For more on the CERT/CC advisories, see http://www.cert.org/advisories/.
