TRUST IN CYBERSPACE
Executive Summary
The nation's security and economy rely on infrastructures for communication, finance, energy distribution, and transportation, all increasingly dependent on networked information systems. When these networked information systems perform badly or do not work at all, they put life, liberty, and property at risk. Interrupting service can threaten lives and property; destroying information or changing it improperly can disrupt the work of governments and corporations; and disclosing secrets can embarrass people or hurt organizations. The widespread interconnection of networked information systems allows outages and disruptions to spread from one system to others; it enables attacks to be waged anonymously and from a safe distance; and it compounds the difficulty of understanding and controlling these systems. With an expanding fraction of users and operators who are technologically unsophisticated, greater numbers can cause or fall victim to problems. Some see this as justification for alarm; others dismiss such fears as alarmist. Most agree that the trends warrant study and better understanding.
Recent efforts, such as those by the President's Commission on Critical Infrastructure Protection, have been successful in raising public awareness and advocating action. However, taking action is constrained by limited knowledge and technologies for ensuring that networked information systems perform properly. Research is needed, and this report gives, in its body, a detailed agenda for that research. Specifically, the report addresses how the trustworthiness of networked information systems can be enhanced by improving computing and communications technology. The intent is to create more choices for consumers and vendors and, therefore, for the government. The report also surveys technical and market trends, to better inform public policy about where progress is likely and where incentives could help. And the report discusses a larger nontechnical context (public policy, procedural aspects of how networked information systems are used, how people behave), because that context affects the viability of technical solutions as well as actual risks and losses.
TRUSTWORTHY NETWORKED INFORMATION SYSTEMS: BENEFITS, COSTS, AND CONTEXT
Networked information systems (NISs) integrate computing systems, communication systems, people (both as users and operators), procedures, and more. Interfaces to other systems and control algorithms are their defining elements; communication and interaction are the currency of their operation. Increasingly, the information exchanged between NISs includes software (and, therefore, instructions to the systems themselves), often without users knowing what software has entered their systems, let alone what it can do or has done.
Trustworthiness of an NIS asserts that the system does what is required despite environmental disruption, human user and operator errors, and attacks by hostile parties, and that it does not do other things. Design and implementation errors must be avoided, eliminated, or somehow tolerated. Addressing only some aspects of the problem is not sufficient. Moreover, achieving trustworthiness requires more than just assembling components that are themselves trustworthy.
Laudable as a goal, ab initio building of trustworthiness into an NIS has proved to be impractical. It is neither technically nor economically feasible for designers and builders to manage the complexity of such large artifacts or to anticipate all of the problems that an NIS will confront over its lifetime. Experts now recognize steps that can be taken to enhance trustworthiness after a system has been deployed. It is no accident that the market for virus detectors and firewalls is thriving. Virus detectors identify and eradicate attacks embedded in exchanged files, and firewalls hinder attacks by filtering messages between a trusted enclave of networked computers and its environment (from which attacks might originate). Both of these mechanisms work in specific contexts and address problems contemplated by their designers; but both are imperfect, with user expectations often exceeding what is prudent.
The costs of NIS trustworthiness are borne by a system's producers and consumers and sometimes by the public at large. The benefits are also distributed, but often differently from the costs. The market has responded best in dimensions, such as reliability, that are easy for consumers (and producers) to evaluate, as compared with other dimensions, such as security, which addresses exposures that are difficult to quantify or even fully articulate. Few have an incentive to worry about security problems since such problems rarely prevent work from getting done, and publicizing them sometimes even tarnishes the reputation of the institution involved (as in the case of banks).
Market conditions today strongly favor the use of commercial off-the-shelf (COTS) components over custom-built solutions, in part because COTS technology is relatively inexpensive to acquire. The COTS market's earliest entrants can gain a substantial advantage, so COTS producers are less inclined to include trustworthiness functionality, which they believe can cause delay. COTS producers are also reluctant to include in their products mechanisms to support trustworthiness (and especially security) that can make systems harder to configure or use. While today's market for system trustworthiness is bigger than that of a decade ago, the market remains small, reflecting current circumstances and perceptions: to date, publicized trustworthiness breaches have not been catastrophic, and consumers have been able to cope with or recover from the incidents. Thus, existing trustworthiness solutions, though needed, are not being widely deployed because often they cannot be justified.
Today's climate of deregulation will further increase NIS vulnerability in several ways. The most obvious is the new cost pressures on what had been regulated monopolies in the electric power and telecommunications industries. One easy way to cut costs is to reduce reserve capacity and eliminate rarely needed emergency systems; a related way is to reduce diversity (a potential contributor to trustworthiness) in the technology or facilities used. Producers in these sectors are now competing on the basis of features, too. New features invariably lead to more complex systems, which are liable to behave in unexpected and undesirable ways. Finally, deregulation leads to new interconnections, as some services are more cost-effectively imported from other providers into what once were monolithic systems. Apart from the obvious dangers of the increased complexity, the interconnections themselves create new weak points and interdependencies. Problems could grow beyond the annoyance level that characterizes infrastructure outages today, and the possibility of catastrophic incidents is growing.
The role of government in protecting the public welfare implies an interest in promoting the trustworthiness of NISs. Contemporary examinations of issues, ranging from information warfare to critical infrastructure, have advanced hypotheses and assumptions about specific, substantial, and proactive roles for government. But their rationales are incomplete. Part of the problem stems from the difficulty of describing the appropriate scope for government action when the government's own NISs are creatures of private-sector components and services. The rise of electronic commerce and, more generally, growing publication and sharing of all kinds of content through NISs are generating a variety of different models for the role of government and the balance of public and private action. In all of these contexts, debates about cryptography policy and the alleged inhibition of the development and deployment of technology (encryption and authentication) that can advance many aspects of trustworthiness make discussion of government roles particularly sensitive and controversial. The necessary public debates have only just begun, and they are complicated by the underlying activity to redefine concepts of national and economic security.
Technology offers the opportunities and imposes the limits facing all sectors. Research and development changes technological options and the cost of various alternatives. It can provide new tools for individuals and organizations and better inform private and public choices and strategies. Once those tools have been developed, demands for trustworthiness could be more readily met. Due to the customary rapid rate of upgrade and replacement for computing hardware and software (at least for systems based on COTS products), upgrades embodying enhanced trustworthiness could occur over years rather than decades (impeded mostly by needs for backward compatibility). Moreover, the predominance of COTS software allows investments in COTS software that enhance trustworthiness to have broad impact, and current events, such as concern about the "year 2000" and the European Union monetary conversion, are causing older software systems to be replaced with new COTS software. Finally, communications infrastructures are likely to undergo radical changes in the coming years: additional players in the market, such as cable and satellite-based services, will not only lead to new pricing structures, but will also likely force the introduction of new communications system architectures and services. Taken together, these trends imply that now is the time to take steps to develop and deploy better technology.
AN AGENDA FOR RESEARCH
The goal of further research would be to provide a science base and engineering expertise for building trustworthy NISs. Commercial and industrial software producers have been unwilling to pay for this research, doing the research will take time, and the construction of trustworthy NISs presupposes appropriate technology for which this research is still needed. Therefore, the central recommendations of this study concern an agenda for research (outlined below). The recommendations are aimed at federal funders of relevant research, in particular the Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA). But the research agenda should also be of interest to policymakers who, in formulating legislation and initiating other actions, will profit from knowing which technical problems do have solutions, which will have solutions if research is supported, and which cannot have solutions. Those who manage NISs can profit from the agenda in much the same way as policymakers. Product developers can benefit from the predictions of market needs and promising directions for addressing those needs.
Research to Identify and Understand NIS Vulnerabilities
Because a typical NIS is large and complex, few people are likely to have analyzed one, much less had an opportunity to study several. The result is a remarkably poor understanding today of design and engineering practices that foster NIS trustworthiness. Careful study of deployed NISs is needed to inform NIS builders of problems that they are likely to encounter, leading to more-intelligent choices about what to build and how to build it. The President's Commission on Critical Infrastructure Protection and other federal government groups have successfully begun this process by putting NIS trustworthiness on the national policy agenda. The next step is to provide specific technical guidance for NIS designers, implementers, and managers. A study of existing NISs can help determine what problems dominate NIS architecture and software development, the interaction of different aspects of trustworthiness in design and implementation or use, and how to quantify the actual benefits of using proposed methods and techniques.
The public telephone network (PTN) and the Internet, both familiar NISs, figure prominently in this report. Both illustrate the scope and nature of the technical problems that will confront developers and operators of future NISs, and the high cost of building a global communications infrastructure from the ground up implies that one or both of these two networks will furnish communications services for most other NISs. The trustworthiness and vulnerabilities of the PTN and the Internet are thus likely to have far-reaching implications. But PTN trustworthiness, for example, would seem to be eroding as the PTN becomes increasingly dependent on complex software and databases for establishing calls and for providing new or improved services to customers. Protective measures need to be developed and implemented. Some Internet vulnerabilities are being eliminated by deploying improved protocols, but the Internet's weak quality-of-service guarantees, along with other routing-protocol inadequacies and dependence on a centralized naming-service architecture, remain sources of vulnerability for it; additional research will be needed to significantly improve the Internet's trustworthiness.
Operational errors today represent a major source of outages for both the PTN and the Internet. Today's methods and tools for facilitating an operator's understanding and control of an NIS of this scale and complexity are inadequate. Research and development are needed to produce conceptual models (and ultimately methods of control) that can allow human operators to grasp the state of an NIS and initiate actions that will have predictable, desired consequences.
Research in Avoiding Design and Implementation Errors
The challenges of software engineering, formidable for so many years, become especially urgent when designing and implementing an NIS. And new problems arise in connection with all facets of the system development process. System-level trustworthiness requirements must be transformed from informal notions into precise requirements that can be imposed on individual components, something that all too often is beyond the current state of the art. When an NIS is being built, subsystems spanning distributed networks must be integrated and tested despite their limited visibility and limited control over their operation. Yet the trend has been for researchers to turn their attention away from such integration and testing questions, a trend that needs to be reversed by researchers and by those who fund research. Even modest advances in testing methods can have a significant impact, because testing so dominates system development costs. Techniques for composing subsystems in ways that contribute directly to trustworthiness are also badly needed.
Whereas a large software system, such as an NIS, cannot be developed defect free, it is possible to improve the trustworthiness of such a system by anticipating and targeting vulnerabilities. But to determine, analyze, and most importantly prioritize these vulnerabilities requires a good understanding of how subsystems interact with each other and with the other elements of the larger system. Obtaining such an understanding is not possible without further research.
NISs today and well into the foreseeable future are likely to include large numbers of COTS components. The relationship between the use of COTS components and NIS trustworthiness is unclear: does the increased use of COTS components enhance or detract from trustworthiness? How can the trustworthiness of a COTS component be improved by its developers and (when needed) by its users? Moreover, more so than most other software systems, NISs are developed and deployed incrementally, significantly evolving in functionality and structure over a system's lifetime. Yet little is known about architectures that can support such growth and about development processes that facilitate it; additional research is required.
There are accepted processes for component design and implementation, although the novel characteristics of NISs raise questions about the utility of these processes. Modern programming languages include features that promote trustworthiness, such as compile-time checks and support for modularity and component integration, and the potential exists for further gains from research. The performance needs of NISs can be inconsistent with modular design, though, and this limits the applicability of many extant software development processes and tools.
Formal methods should be regarded as an important piece of technology for eliminating design errors in hardware and software; increased support for both fundamental research and demonstration exercises is warranted. Formal methods are particularly well suited for identifying errors that only become apparent in scenarios not likely to be tested or testable. Therefore, formal methods could be viewed as a technology that is complementary to testing. Research directed at the improved integration of testing and formal methods is likely to have payoffs for increasing assurance in trustworthy NISs.
New Approaches to Computer and Communications Security
Much security research during the past two decades has been based on models that focus on protecting information from unauthorized access by specifying which users should have access to data or other system resources. These models oversimplify: they do not completely account for malicious or erroneous software, they largely ignore denial-of-service attacks, and they are unable to represent defensive measures, such as virus scan software or firewalls, mechanisms that, in theory, should not work or be needed but do, in practice, hinder attacks. The practical impacts of this "absolute security" paradigm have been largely disappointing. A new approach to security is needed, especially for environments (like NISs) where foreign and mobile code and COTS software cannot be ignored. The committee recommends that rather than being based on "absolute security," future security research be based on techniques for identifying vulnerabilities and making design changes to reposition those vulnerabilities in light of anticipated threats. By repositioning vulnerabilities, the likelihood and consequences of attacks can be reduced.
Effective cryptographic authentication is essential for NIS security. But obstacles exist to more widespread deployment of key-management technology, and there has been little experience with public-key infrastructures, especially large-scale ones. Issues related to the timely notification of revocation, recovery from the compromise of certification authority private keys, and name-space management all require further attention. Most applications that make use of certificates have poor certificate-management interfaces for users and for system administrators. Research is also needed to support new cryptographic authentication protocols (e.g., for practical multicast communication authentication) and to support faster encryption and authentication/integrity algorithms to keep pace with rapidly increasing communication speeds. The use of hardware tokens holds promise for implementing authentication, although using personal identification numbers constitutes a vulnerability (which might be somewhat mitigated through the use of biometrics).
Because NISs are distributed systems, network access control mechanisms, such as virtual private networks (VPNs) and firewalls, can play a central role in NIS security. VPN technology, although promising, is not being used today in larger-scale settings because of the proprietary protocols and simplistic key-management schemes found in products. Further work is needed before wholesale and flexible VPN deployments will become realistic. Firewalls, despite their limitations, will persist into the foreseeable future as a key defense mechanism. And as support for VPNs is added, firewall enhancements will have to be developed for supporting sophisticated security management protocols, negotiation of traffic security policies across administratively independent domains, and management tools. The development of increasingly sophisticated network-wide applications will create a need for application-layer firewalls and a better understanding of how to define and enforce useful traffic policies at this level.
Operating system support for fine-grained access control would facilitate construction of systems that obey the principle of least privilege, which holds that users be accorded the minimum access that is needed to accomplish a task. This, in turn, would be an effective defense against a variety of attacks that might be delivered using foreign code or hidden in application programs. Enforcement of application-specific security policies is likely to be a responsibility shared between the application program and the operating system. Research is needed to determine how to partition this responsibility and which mechanisms are best implemented at what level. Attractive opportunities exist for programming language research to play a role in enforcing such security policies.
Finally, defending against denial-of-service attacks can be critical for the security of an NIS, since availability is often an important system property. This dimension of security has received relatively little attention up to now, and research is urgently needed to identify ways to defend against such attacks.
Research in Building Trustworthy Systems from Untrustworthy Components
Even when it is possible to build them, highly trustworthy components are costly. Therefore, the goal of creating trustworthy NISs from untrustworthy components is attractive, and research should be undertaken that will enable the trustworthiness of components to be amplified by the architecture and by the methods used to integrate components.

Replication and diversity can be employed to build systems that amplify the trustworthiness of their components, and there are successful commercial products (e.g., hardware fault-tolerant computers) in the marketplace that do exactly this. However, the potential and limits of the approach are not understood. For example, research is needed to determine the ways in which diversity can be added to a set of software replicas, thereby improving their trustworthiness.
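As an added example (not code from the report), the following Python models the point just made: a voter over replicated decision logic masks a single faulty replica, but only when the replicas do not share the same defect. The replicated decision is a hypothetical path-containment check for a file-serving component; the three implementations, the deliberate weakness in the first of them, and the sample requests are all constructed here for illustration.

```python
"""Majority voting over replicated decision logic, with and without diversity.

Added example, not code from the report. The replicated decision is a
hypothetical check that a client-supplied relative path stays inside a
served directory; one of the three implementations carries a deliberate
bug so that the effect of diversity on the voter's output can be seen.
"""
import posixpath
from collections import Counter
from typing import Callable, Optional, Sequence

Check = Callable[[str], bool]


def impl_prefix(path: str) -> bool:
    """Deliberately weak replica: rejects only an absolute path or a leading '../'.
    It accepts 'docs/../../etc/passwd' because the escape is not at the start."""
    return not (path.startswith("/") or path.startswith("../"))


def impl_normpath(path: str) -> bool:
    """Replica 2: normalize the joined path and require it to stay under the root."""
    root = "/public"
    norm = posixpath.normpath(posixpath.join(root, path))
    return norm == root or norm.startswith(root + "/")


def impl_depth(path: str) -> bool:
    """Replica 3: an independent algorithm that tracks directory depth segment
    by segment and fails as soon as a '..' would climb above the served root."""
    if path.startswith("/"):
        return False
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return False
        else:
            depth += 1
    return True


def majority_vote(outputs: Sequence[bool]) -> Optional[bool]:
    """Value held by a strict majority of replicas, or None if there is none."""
    value, count = Counter(outputs).most_common(1)[0]
    return value if count > len(outputs) // 2 else None


def replicated_decision(replicas: Sequence[Check], path: str) -> Optional[bool]:
    """Run every replica on the request and let the voter decide."""
    return majority_vote([replica(path) for replica in replicas])


# Three replicas with a shared defect versus three independently written ones.
IDENTICAL_REPLICAS: Sequence[Check] = (impl_prefix, impl_prefix, impl_prefix)
DIVERSE_REPLICAS: Sequence[Check] = (impl_prefix, impl_normpath, impl_depth)

# Constructed sample requests: two benign, two directory-traversal attempts.
SAMPLE_REQUESTS = (
    "docs/readme.txt",
    "docs/./guide/../readme.txt",
    "../etc/passwd",
    "docs/../../etc/passwd",
)


def compare(path: str) -> dict:
    """Decision of each configuration for one request, for side-by-side inspection."""
    return {
        "request": path,
        "identical": replicated_decision(IDENTICAL_REPLICAS, path),
        "diverse": replicated_decision(DIVERSE_REPLICAS, path),
    }


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(compare(request))
```

For the request "docs/../../etc/passwd" the identical configuration returns True with a unanimous vote: three copies of the same code fail the same way, and the voter faithfully reports their shared mistake. The diverse configuration returns False because the two independently written replicas outvote the weak one. Replication amplifies trustworthiness only to the extent that replica failures are independent, which is exactly what diversity buys and what the research question above asks how to achieve systematically.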
Trustworthiness functionality could be positioned at different places within an NIS. Little is known about the advantages and disadvantages of the various possible positionings and system architectures, and an analysis of existing NISs should prove instructive along these lines. One architecture that has been suggested is based on the idea of a broadly useful core minimum functionality, a minimum essential information infrastructure (MEII). But building an MEII would be a misguided initiative, because it presumes that such a "core minimum functionality" could be identified, and that is unlikely to be the case.
Monitoring and detection can be employed to build systems that enhance the trustworthiness of their components. But limitations intrinsic in system monitoring and in technology to recognize incidents such as attacks and failures impose fundamental limits on the use of monitoring and detection for implementing trustworthiness. In particular, the coverage of the various approaches to intruder and anomaly detection is necessarily imperfect, and their limits are not well understood; additional study is needed to determine their practicality.
A number of other promising research areas merit investigation. For example, systems could be designed to respond to an attack or failure by reducing their functionality in a controlled, graceful manner. And a variety of research directions involving new types of algorithms (self-stabilization, emergent behavior, biological metaphors) may be useful in designing systems that are trustworthy. These new research directions are speculative. Thus, they are plausible topics for longer-range research that should be pursued.
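As an added illustration of what self-stabilization offers a trustworthy system (example code, not from the report), the following Python simulates Dijkstra's self-stabilizing token ring. Whatever state the ring is left in, whether by a transient fault or by an adversary who has corrupted the processes' local counters, repeated execution of the purely local rules returns it to a legitimate configuration with exactly one privileged process, and it then stays there. The ring size, counter modulus, corrupted starting state, and scheduler seed are chosen here for illustration.

```python
"""Dijkstra's self-stabilizing token ring (K-state machines), simulated.

Added example, not code from the report. Process 0 (the "bottom") and
processes 1..n-1 each hold a counter in 0..K-1 and apply a purely local
rule; a process whose rule is enabled holds the privilege (the token).
A legitimate state has exactly one privileged process. From an arbitrary,
possibly corrupted state, a scheduler that keeps executing enabled
processes reaches a legitimate state (convergence) and never leaves the
set of legitimate states afterwards (closure), provided K >= n.
"""
import random
from typing import List, Sequence, Tuple


def privileged(state: Sequence[int]) -> List[int]:
    """Indices of processes whose rule is enabled in this state."""
    enabled = []
    if state[0] == state[-1]:          # bottom: privileged when equal to its predecessor
        enabled.append(0)
    for i in range(1, len(state)):     # others: privileged when unequal to predecessor
        if state[i] != state[i - 1]:
            enabled.append(i)
    return enabled


def is_legitimate(state: Sequence[int]) -> bool:
    return len(privileged(state)) == 1


def move(state: Sequence[int], i: int, k: int) -> List[int]:
    """Execute process i's rule; only meaningful when i is privileged."""
    nxt = list(state)
    if i == 0:
        nxt[0] = (state[0] + 1) % k    # bottom advances its counter
    else:
        nxt[i] = state[i - 1]          # others copy their predecessor
    return nxt


def stabilize(state: Sequence[int], k: int, seed: int = 0,
              max_moves: int = 100_000) -> Tuple[List[int], int]:
    """Run a randomized central scheduler until exactly one process is privileged.

    Returns the legitimate state reached and the number of moves taken.
    """
    if k < len(state):
        raise ValueError("Dijkstra's ring needs K >= n to guarantee stabilization")
    rng = random.Random(seed)
    current = list(state)
    moves = 0
    while not is_legitimate(current):
        if moves >= max_moves:
            raise RuntimeError("did not stabilize within the move budget")
        current = move(current, rng.choice(privileged(current)), k)
        moves += 1
    return current, moves


def remains_legitimate(state: Sequence[int], k: int, rounds: int) -> bool:
    """Closure check: from a legitimate state every further move stays legitimate,
    with the single privilege circulating around the ring."""
    current = list(state)
    for _ in range(rounds):
        holders = privileged(current)
        if len(holders) != 1:
            return False
        current = move(current, holders[0], k)
    return is_legitimate(current)


# Constructed scenario: a 5-process ring with K = 5 whose counters have been
# scribbled over (by a fault or a tampering adversary), leaving four processes
# privileged at once.
CORRUPTED = [4, 1, 3, 0, 2]
K = 5

if __name__ == "__main__":
    print("corrupted state", CORRUPTED, "privileged:", privileged(CORRUPTED))
    final, n_moves = stabilize(CORRUPTED, K, seed=7)
    print("legitimate state", final, "after", n_moves, "moves; privileged:", privileged(final))
    print("stays legitimate for 50 more moves:", remains_legitimate(final, K, 50))
```

The security-relevant property is that no process ever inspects global state or needs to be told a fault occurred: recovery is a consequence of the local rules alone, which is why such algorithms are attractive for systems that must tolerate corruption they cannot reliably detect. The guarantee does depend on the design parameters, here K >= n; the function refuses a smaller modulus rather than silently losing the convergence property.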
IMPLEMENTING THE RESEARCH AGENDA
Research in NIS trustworthiness is supported by the U.S. government, primarily through DARPA and NSA, but also through other Department of Defense and civilian agencies. Much of DARPA and NSA funding goes to industry research, in part because of the nature of the work (i.e., fostering the evaluation and deployment of research ideas) and, in part, because the academic personnel base is relatively limited in areas relating to security. There is also industry-funded research and development work in NIS trustworthiness; that work understandably tends to have more direct relevance to existing or projected markets (it emphasizes development relative to research). A firm calibration of federal funding for trustworthiness research is difficult, both because of conventional problems in understanding how different projects are accounted for and because this is an area where some relevant work is classified. In addition, the nature of relevant research often implies a necessary systems-development component, and that can inflate associated spending levels.
DARPA's Information Technology Office provides most of the government's external research funding for NIS trustworthiness. Increasingly, DOD is turning to COTS products, which means that DARPA can justifiably be concerned with a much broader region of the present-day computing landscape. But DARPA-funded researchers are being subjected to pressure to produce short-term research results and rapid transitions to industry, so much so that the pursuit of high-risk theoretical and experimental investigations is seemingly discouraged. This influences what research topics get explored. Many of the research problems outlined above are deep and difficult, and expecting short-term payoff can only divert effort from the most critical areas. In addition, DARPA has deemphasized its funding of certain security-oriented topics (e.g., containment, defending against denial-of-service attacks, and the design of cryptographic infrastructures), which has caused researcher effort and interest to shift away from these key problems. Therefore, DARPA needs to increase its focus on information security and NIS trustworthiness research, especially with regard to long-term research efforts. DARPA's mechanisms for communicating and interacting with the research community are generally effective.
NSA funds information security research through R2 and other of its organizational units. The present study deals exclusively with R2. In contrast to DARPA, NSA R2 consumes a large portion of its budget internally, including significant expenditures on nonresearch activities. NSA's two missions (protecting U.S. sensitive information and acquiring foreign intelligence information) can confound its interactions with others in the promotion of trustworthiness. Its defensive mission makes knowing how to protect systems paramount; its offensive need to exploit system vulnerabilities can inhibit its sharing of knowledge. This tension is not new. What is relevant for future effort is the lingering distrust for the agency in the academic research community and some quarters of industry, which has had a negative impact on R2's efforts at outreach. The rise of NISs creates new needs for expertise in computer systems that NSA is challenged to develop internally and procure externally. R2's difficulty in recruiting and retaining highly qualified technical research staff is a reason for "outsourcing" research, when highly skilled research staff are available elsewhere. R2's effectiveness depends on better leveraging of talent both outside and inside the organization.
The committee believes that increased funding is warranted for both information security research in particular and NIS trustworthiness research in general. The appropriate level of increased funding should be based on a realistic assessment of the size and availability of the current population of researchers in relevant disciplines and projections of how this population of researchers may be increased in the coming years.
TRUST IN CYBERSPACE?
Cyberspace is no longer science fiction. Today, networked information systems transport millions of people there to accomplish routine as well as critical tasks. And the current trajectory is clear: increased dependence on networked information systems. Unless these systems are made trustworthy, such dependence may well lead to disruption and disaster. The aphorism "Where there's a will, there's a way" provides a succinct way to summarize the situation. The "way," which today is missing, will require basic components, engineering expertise, and an expanded science base necessary for implementing trustworthy networked information systems. This study articulates a research agenda so that there will be a way when there is a will.