Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 1
Executive Summary The nation's security and economy rely on infrastructures for com- munication, finance, energy distribution, and transportation all increas- ingly dependent on networked information systems. When these net- worked information systems perform badly or do not work at all, they put life, liberty, and property at risk. Interrupting service can threaten lives and property; destroying information or changing it improperly can disrupt the work of governments and corporations; and disclosing secrets can embarrass people or hurt organizations. The widespread intercon- nection of networked information systems allows outages and disrup- tions to spread from one system to others; it enables attacks to be waged anonymously and from a safe distance; and it compounds the difficulty of understanding and controlling these systems. With an expanding fraction of users and operators who are technologically unsophisticated, greater numbers can cause or fall victim to problems. Some see this as justifica- tion for alarm; others dismiss such fears as alarmist. Most agree that the trends warrant study and better understanding. Recent efforts, such as those by the President's Commission on Criti- cal Infrastructure Protection, have been successful in raising public aware- ness and advocating action. However, taking action is constrained by limited knowledge and technologies for ensuring that networked infor- mation systems perform properly. Research is needed, and this report gives, in its body, a detailed agenda for that research. Specifically, the report addresses how the trustworthiness of networked information sys- tems can be enhanced by improving computing and communications tech 1
OCR for page 2
2 TRUST IN CYBERSPACE nology. The intent is to create more choices for consumers and vendors and, therefore, for the government. The report also surveys technical and market trends, to better inform public policy about where progress is likely and where incentives could help. And the report discusses a larger nontechnical context public policy, procedural aspects of how net- worked information systems are used, how people behave because that context affects the viability of technical solutions as well as actual risks and losses. TRUSTWORTHY NETWORKED INFORMATION SYSTEMS BENEFITS, COSTS, AND CONTEXT Networked information systems (NISs) integrate computing systems, communication systems, people (both as users and operators), procedures, and more. Interfaces to other systems and control algorithms are their defining elements; communication and interaction are the currency of their operation. Increasingly, the information exchanged between NISs includes software (and, therefore, instructions to the systems themselves), often without users knowing what software has entered their systems, let alone what it can do or has done. Trustworthiness of an NIS asserts that the system does what is re- quired despite environmental disruption, human user and operator er- rors, and attacks by hostile parties and that it does not do other things. Design and implementation errors must be avoided, eliminated, or some- how tolerated. Addressing only some aspects of the problem is not suffi- cient. Moreover, achieving trustworthiness requires more than just as- sembling components that are themselves trustworthy. Laudable as a goal, ah initio building of trustworthiness into an NIS has proved to be impractical. It is neither technically nor economically feasible for designers and builders to manage the complexity of such large artifacts or to anticipate all of the problems that an NIS will confront over its lifetime. Experts now recognize steps that can be taken to en- hance trustworthiness after a system has been deployed. It is no accident that the market for virus detectors and firewalls is thriving. Virus detec- tors identify and eradicate attacks embedded in exchanged files, and firewalls hinder attacks by filtering messages between a trusted enclave of networked computers and its environment (from which attacks might originate). Both of these mechanisms work in specific contexts and ad- dress problems contemplated by their designers; but both are imperfect, with user expectations often exceeding what is prudent. The costs of NIS trustworthiness are borne by a system's producers and consumers and sometimes by the public at large. The benefits are also distributed, but often differently from the costs. The market has
OCR for page 3
EXECUTIVE SUMMARY 3 responded best in dimensions, such as reliability, that are easy for con- sumers (and producers) to evaluate, as compared with other dimensions, such as security, which addresses exposures that are difficult to quantify or even fully articulate. Few have an incentive to worry about security problems since such problems rarely prevent work from getting done, and publicizing them sometimes even tarnishes the reputation of the in- stitution involved (as in the case of banks). Market conditions today strongly favor the use of commercial off-the- shelf (COTS) components over custom-built solutions, in part because COTS technology is relatively inexpensive to acquire. The COTS market's earliest entrants can gain a substantial advantage, so COTS producers are less inclined to include trustworthiness functionality, which they believe can cause delay. COTS producers are also reluctant to include in their products mechanisms to support trustworthiness (and especially secu- rity) that can make systems harder to configure or use. While today's market for system trustworthiness is bigger than that of a decade ago, the market remains small, reflecting current circumstances and perceptions: to date, publicized trustworthiness breaches have not been catastrophic, and consumers have been able to cope with or recover from the incidents. Thus, existing trustworthiness solutions though needed are not being widely deployed because often they cannot be justified. Today's climate of deregulation will further increase NIS vulnerabil- ity in several ways. The most obvious is the new cost pressures on what had been regulated monopolies in the electric power and telecommunica- tions industries. One easy way to cut costs is to reduce reserve capacity and eliminate rarely needed emergency systems; a related way is to re- duce diversity (a potential contributor to trustworthiness) in the technol- ogy or facilities used. Producers in these sectors are now competing on the basis of features, too. New features invariably lead to more complex systems, which are liable to behave in unexpected and undesirable ways. Finally, deregulation leads to new interconnections, as some services are more cost-effectively imported from other providers into what once were monolithic systems. Apart from the obvious dangers of the increased complexity, the interconnections themselves create new weak points and interdependencies. Problems could grow beyond the annoyance level that characterizes infrastructure outages today, and the possibility of cata- strophic incidents is growing. The role of government in protecting the public welfare implies an interest in promoting the trustworthiness of NISs. Contemporary examina- tions of issues, ranging from information warfare to critical infrastructure, have advanced hypotheses and assumptions about specific, substantial, and proactive roles for government. But their rationales are incomplete. Part of the problem stems from the difficulty of describing the appropri
OCR for page 4
4 TRUST IN CYBERSPACE ate scope for government action when the government's own NISs are creatures of private-sector components and services. The rise of elec- tronic commerce and, more generally, growing publication and sharing of all kinds of content through NISs are generating a variety of different models for the role of government and the balance of public and private action. In all of these contexts, debates about cryptography policy and the alleged inhibition of the development and deployment of technology (encryption and authentication) that can advance many aspects of trust- worthiness make discussion of government roles particularly sensitive and controversial. The necessary public debates have only just begun, and they are complicated by the underlying activity to redefine concepts of national and economic security. Technology offers the opportunities and imposes the limits facing all sectors. Research and development changes technological options and the cost of various alternatives. It can provide new tools for individuals and organizations and better inform private and public choices and strat- egies. Once those tools have been developed, demands for trustworthi- ness could be more readily met. Due to the customary rapid rate of upgrade and replacement for computing hardware and software (at least for systems based on COTS products), upgrades embodying enhanced trustworthiness could occur over years rather than decades (impeded mostly by needs for backward compatibility). Moreover, the predomi- nance of COTS software allows investments in COTS software that en- hance trustworthiness to have broad impact, and current events, such as concern about the "year 2000" and the European Union monetary conver- sion, are causing older software systems to be replaced with new COTS software. Finally, communications infrastructures are likely to undergo radical changes in the coming years: additional players in the market, such as cable and satellite-based services, will not only lead to new pric- ing structures, but will also likely force the introduction of new communi- cations system architectures and services. Taken together, these trends imply that now is the time to take steps to develop and deploy better technology. AN AGENDA FOR RESEARCH The goal of further research would be to provide a science base and engineering expertise for building trustworthy NISs. Commercial and industrial software producers have been unwilling to pay for this re- search, doing the research will take time, and the construction of trust- worthy NISs presupposes appropriate technology for which this research is still needed. Therefore, the central recommendations of this study concern an agenda for research (outlined below). The recommendations
OCR for page 5
EXECUTIVE SUMMARY 5 are aimed at federal funders of relevant research in particular, the De- fense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA). But the research agenda should also be of inter- est to policymakers who, in formulating legislation and initiating other actions, will profit from knowing which technical problems do have solu- tions, which will have solutions if research is supported, and which can- not have solutions. Those who manage NISs can profit from the agenda in much the same way as policymakers. Product developers can benefit from the predictions of market needs and promising directions for ad- dressing those needs. Research to Identify and Understand NIS Vulnerabilities Because a typical NIS is large and complex, few people are likely to have analyzed one, much less had an opportunity to study several. The result is a remarkably poor understanding today of design and engineer- ing practices that foster NIS trustworthiness. Careful study of deployed NISs is needed to inform NIS builders of problems that they are likely to encounter, leading to more-intelligent choices about what to build and how to build it. The President's Commission on Critical Infrastructure Protection and other federal government groups have successfully begun this process by putting NIS trustworthiness on the national policy agenda. The next step is to provide specific technical guidance for NIS designers, implementers, and managers. A study of existing NISs can help deter- mine what problems dominate NIS architecture and software develop- ment, the interaction of different aspects of trustworthiness in design and implementation or use, and how to quantify the actual benefits of using proposed methods and techniques. The public telephone network (PTN) and the Internet, both familiar NISs, figure prominently in this report. Both illustrate the scope and nature of the technical problems that will confront developers and opera- tors of future NISs, and the high cost of building a global communications infrastructure from the ground up implies that one or both of these two networks will furnish communications services for most other NISs. The trustworthiness and vulnerabilities of the PTN and the Internet are thus likely to have far-reaching implications. But PTN trustworthiness, for example, would seem to be eroding as the PTN becomes increasingly dependent on complex software and databases for establishing calls and for providing new or improved services to customers. Protective mea- sures need to be developed and implemented. Some Internet vulnerabili- ties are being eliminated by deploying improved protocols, but the Internet's weak quality-of-service guarantees, along with other routing- protocol inadequacies and dependence on a centralized naming-service
OCR for page 6
6 TRUST IN CYBERSPACE architecture, remain sources of vulnerability for it; additional research will be needed to significantly improve the Internet's trustworthiness. Operational errors today represent a major source of outages for both the PTN and the Internet. Today's methods and tools for facilitating an operator's understanding and control of an NIS of this scale and complex- ity are inadequate. Research and development are needed to produce conceptual models (and ultimately methods of control) that can allow human operators to grasp the state of an NIS and initiate actions that will have predictable, desired consequences. Research in Avoiding Design and Implementation Errors The challenges of software engineering, formidable for so many years, become especially urgent when designing and implementing an NIS. And new problems arise in connection with all facets of the system development process. System-level trustworthiness requirements must be transformed from informal notions into precise requirements that can be imposed on individual components, something that all too often is beyond the current state of the art. When an NIS is being built, subsystems spanning distributed networks must be integrated and tested despite their limited visibility and limited control over their op- eration. Yet the trend has been for researchers to turn their attention away from such integration and testing questions a trend that needs to be reversed by researchers and by those who fund research. Even mod- est advances in testing methods can have a significant impact, because testing so dominates system development costs. Techniques for com- posing subsystems in ways that contribute directly to trustworthiness are also badly needed. Whereas a large software system, such as an NIS, cannot be devel- oped defect free, it is possible to improve the trustworthiness of such a system by anticipating and targeting vulnerabilities. But to determine, analyze, and most importantly prioritize these vulnerabilities requires a good understanding of how subsystems interact with each other and with the other elements of the larger system. Obtaining such an under- standing is not possible without further research. NISs today and well into the foreseeable future are likely to include large numbers of COTS components. The relationship between the use of COTS components and NIS trustworthiness is unclear does the in- creased use of COTS components enhance or detract from trustworthi- ness? How can the trustworthiness of a COTS component be improved by its developers and (when needed) by its users? Moreover, more so than most other software systems, NISs are developed and deployed in
OCR for page 7
EXECUTIVE SUMMARY crementally, significantly evolving in functionality and structure over a system's lifetime. Yet little is known about architectures that can support such growth and about development processes that facilitate it; addi- tional research is required. There are accepted processes for component design and implementa- tion, although the novel characteristics of NISs raise questions about the utility of these processes. Modern programming languages include fea- tures that promote trustworthiness, such as compile-time checks and sup- port for modularity and component integration, and the potential exists for further gains from research. The performance needs of NISs can be inconsistent with modular design, though, and this limits the applicabil- ity of many extant software development processes and tools. Formal methods should be regarded as an important piece of technol- ogy for eliminating design errors in hardware and software; increased support for both fundamental research and demonstration exercises is warranted. Formal methods are particularly well suited for identifying errors that only become apparent in scenarios not likely to be tested or testable. Therefore, formal methods could be viewed as a technology that is complementary to testing. Research directed at the improved integra- tion of testing and formal methods is likely to have payoffs for increasing assurance in trustworthy NISs. New Approaches to Computer and Communications Security Much security research during the past two decades has been based on models that focus on protecting information from unauthorized access by specifying which users should have access to data or other system resources. These models oversimplify: they do not completely account for malicious or erroneous software, they largely ignore denial-of-service attacks, and they are unable to represent defensive measures, such as virus scan software or firewalls mechanisms that, in theory, should not work or be needed but do, in practice, hinder attacks. The practical im- pacts of this "absolute security" paradigm have been largely disappoint- ing. A new approach to security is needed, especially for environments (like NISs) where foreign and mobile code and COTS software cannot be ignored. The committee recommends that rather than being based on "absolute security," future security research be based on techniques for identifying vulnerabilities and making design changes to reposition those vulnerabilities in light of anticipated threats. By repositioning vulner- abilities, the likelihood and consequences of attacks can be reduced. Effective cryptographic authentication is essential for NIS security. But obstacles exist to more widespread deployment of key-manage
OCR for page 8
8 TRUST IN CYBERSPACE ment technology, and there has been little experience with public-key infrastructures especially large-scale ones. Issues related to the timely notification of revocation, recovery from the compromise of certifica- tion authority private keys, and name-space management all require further attention. Most applications that make use of certificates have poor certificate-management interfaces for users and for system ad- ministrators. Research is also needed to support new cryptographic authentication protocols (e.g., for practical multicast communication authentication) and to support faster encryption and authentication/ integrity algorithms to keep pace with rapidly increasing communica- tion speeds. The use of hardware tokens holds promise for implement- ing authentication, although using personal identification numbers con- stitutes a vulnerability (which might be somewhat mitigated through the use of biometrics). Because NISs are distributed systems, network access control mecha- nisms, such as virtual private networks (VPNs) and firewalls, can play a central role in NIS security. VPN technology, although promising, is not being used today in larger-scale settings because of the proprietary proto- cols and simplistic key-management schemes found in products. Further work is needed before wholesale and flexible VPN deployments will be- come realistic. Firewalls, despite their limitations, will persist into the foreseeable future as a key defense mechanism. And as support for VPNs is added, firewall enhancements will have to be developed for supporting sophisticated security management protocols, negotiation of traffic secu- rity policies across administratively independent domains, and manage- ment tools. The development of increasingly sophisticated network-wide applications will create a need for application-layer firewalls and a better understanding of how to define and enforce useful traffic policies at this level. Operating system support for fine-grained access control would fa- cilitate construction of systems that obey the principle of least privilege, which holds that users be accorded the minimum access that is needed to accomplish a task. This, in turn, would be an effective defense against a variety of attacks that might be delivered using foreign code or hidden in application programs. Enforcement of application-specific security poli- cies is likely to be a responsibility shared between the application pro- gram and the operating system. Research is needed to determine how to partition this responsibility and which mechanisms are best implemented at what level. Attractive opportunities exist for programming language research to play a role in enforcing such security policies. Finally, defending against denial-of-service attacks can be critical for the security of an NIS, since availability is often an important system property. This dimension of security has received relatively little atten
OCR for page 9
EXECUTIVE SUMMARY lion up to now, and research is urgently needed to identify ways to de- fend against such attacks. 9 Research in Building Trustworthy Systems from Untrustworthy Components Even when it is possible to build them, highly trustworthy compo- nents are costly. Therefore, the goal of creating trustworthy NISs from untrustworthy components is attractive, and research should be under- taken that will enable the trustworthiness of components to be amplified by the architecture and by the methods used to integrate components. Replication and diversity can be employed to build systems that am- plify the trustworthiness of their components, and there are successful commercial products (e.g., hardware fault-tolerant computers) in the mar- ketplace that do exactly this. However, the potential and limits of the approach are not understood. For example, research is needed to deter- mine the ways in which diversity can be added to a set of software repli- cas, thereby improving their trustworthiness. Trustworthiness functionality could be positioned at different places within an NIS. Little is known about the advantages and disadvantages of the various possible positionings and system architectures, and an analysis of existing NISs should prove instructive along these lines. One architecture that has been suggested is based on the idea of a broadly useful core minimum functionality a minimum essential information infrastructure (MEII). But building an MEII would be a misguided initia- tive, because it presumes that such a "core minimum functionality" could be identified, and that is unlikely to be the case. Monitoring and detection can be employed to build systems that en- hance the trustworthiness of their components. But limitations intrinsic in system monitoring and in technology to recognize incidents such as attacks and failures impose fundamental limits on the use of monitoring and detection for implementing trustworthiness. In particular, the limits and coverage of the various approaches to intruder and anomaly detec- tion are necessarily imperfect; additional study is needed to determine their practicality. A number of other promising research areas merit investigation. For example, systems could be designed to respond to an attack or failure by reducing their functionality in a controlled, graceful manner. And a vari- ety of research directions involving new types of algorithms self-stabili- zation, emergent behavior, biological metaphors may be useful in de- signing systems that are trustworthy. These new research directions are speculative. Thus, they are plausible topics for longer-range research that should be pursued.
OCR for page 10
10 TRUST IN CYBERSPACE IMPLEMENTING THE RESEARCH AGENDA Research in NIS trustworthiness is supported by the U.S. govern- ment, primarily through DARPA and NSA, but also through other De- partment of Defense and civilian agencies. Much of DARPA and NSA funding goes to industry research, in part because of the nature of the work (i.e., fostering the evaluation and deployment of research ideas) and, in part, because the academic personnel base is relatively limited in areas relating to security. There is also industry-funded research and development work in NIS trustworthiness; that work understandably tends to have more direct relevance to existing or projected markets (it emphasizes development relative to research). A firm calibration of fed- eral funding for trustworthiness research is difficult, both because of con- ventional problems in understanding how different projects are accounted for and because this is an area where some relevant work is classified. In addition, the nature of relevant research often implies a necessary sys- tems-development component, and that can inflate associated spending levels. DARPA's Information Technology Office provides most of the government's external research funding for NIS trustworthiness. Increas- ingly, DOD is turning to COTS products, which means that DARPA can justifiably be concerned with a much broader region of the present-day computing landscape. But DARPA-funded researchers are being sub- jected to pressure to produce short-term research results and rapid transi- tions to industry so much so that the pursuit of high-risk theoretical and experimental investigations is seemingly discouraged. This influences what research topics get explored. Many of the research problems out- lined above are deep and difficult, and expecting short-term payoff can only divert effort from the most critical areas. In addition, DARPA has Reemphasized its funding of certain security-oriented topics (e.g., con- tainment, defending against denial-of-service attacks, and the design of cryptographic infrastructures), which has caused researcher effort and interest to shift away from these key problems. Therefore, DARPA needs to increase its focus on information security and NIS trustworthiness re- search, especially with regard to long-term research efforts. DARPA's mechanisms for communicating and interacting with the research com- munity are generally effective. NSA funds information security research through R2 and other of its organizational units. The present study deals exclusively with R2. In contrast to DARPA, NSA R2 consumes a large portion of its budget inter- nally, including significant expenditures on nonresearch activities. NSA's two missions protecting U.S. sensitive information and acquiring for- eign intelligence information can confound its interactions with others
OCR for page 11
EXECUTIVE SUMMARY 11 in the promotion of trustworthiness. Its defensive mission makes know- ing how to protect systems paramount; its offensive need to exploit sys- tem vulnerabilities can inhibit its sharing of knowledge. This tension is not new. What is relevant for future effort is the lingering distrust for the agency in the academic research community and some quarters of indus- try, which has had a negative impact on R2's efforts at outreach. The rise of NISs creates new needs for expertise in computer systems that NSA is challenged to develop internally and procure externally. R2's difficulty in recruiting and retaining highly qualified technical research staff is a rea- son for "outsourcing" research, when highly skilled research staff are available elsewhere. R2's effectiveness depends on better leveraging of talent both outside and inside the organization. The committee believes that increased funding is warranted for both information security research in particular and NIS trustworthiness re- search in general. The appropriate level of increased funding should be based on a realistic assessment of the size and availability of the current population of researchers in relevant disciplines and projections of how this population of researchers may be increased in the coming years. TRUST IN CYBERSPACE? Cyberspace is no longer science fiction. Today, networked informa- tion systems transport millions of people there to accomplish routine as well as critical tasks. And the current trajectory is clear: increased depen- dence on networked information systems. Unless these systems are made trustworthy, such dependence may well lead to disruption and disaster. The aphorism "Where there's a will, there's a way" provides a succinct way to summarize the situation. The "way," which today is missing, will require basic components, engineering expertise, and an expanded sci- ence base necessary for implementing trustworthy networked informa- tion systems. This study articulates a research agenda so that there will be a way when there is a will.
Representative terms from entire chapter: