Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 12
1 Introduction The security of our nation, the viability of our economy, and the health and well-being of our citizens rely today on infrastructures for communication, finance, energy distribution, and transportation. All of these infrastructures depend increasingly on networked information sys- tems. That dependence, with its new levels and kinds of vulnerabilities, is attracting growing attention from government and industry. Within the last 2 years, the Office of Science and Technology Policy in the White House, the President's National Security Telecommunications Advisory Committee, the President's Commission on Critical Infrastructure Protec- tion, the Defense Science Board, and the General Accounting Office have each issued reports on the vulnerabilities of networked information sys- tems.~ Congressional hearings,2 articles in the popular press, and concern 1See Cybernation: The American Infrastructure in the Information Age: A Technical Primer on Risks and Reliability (Executive Office of the President, 1997), Reports from the Eight NSTAC Subcommittee Investigations (NSTAC, 1997), Critical Foundations: Protecting America's Infra- structures (PCCIP, 1997), Report of the Defense Science Board Task Force on Information Warfare Defense (IW-D) (Defense Science Board, 1996), and Information Security Computer Attacks at Department of Defense Pose Increasing Risks: A Report to Congressional Requesters (U.S. GAO, 1996~. 2Such as testimony titled "Weak Computer Security in Government: Is the Public at Risk?" presented before the Senate Governmental Affairs Committee on May 19, 1998, and testi- mony titled "Future Threats to the Department of Defense Information Systems: Y2K & Frequency Spectrum Reallocation," presented before the Senate Armed Services Committee on June 4, 1998. 12
OCR for page 13
INTRODUCTION 13 about the impending year 2000 problem have further heightened public awareness. Most recently, Presidential Decision Directive 633 has called for a national effort to assure the security of our increasingly vulnerable critical infrastructures. Although proposals for action are being advanced, their procedural emphasis reflects the limitations of available knowledge and technolo- gies for tackling the problem. These limitations constrain effective deci- sion making in an area that is clearly vital to all sectors of society. Creating a broader range of choices and more robust tools for build- ing trustworthy networked information systems is essential. To accom- plish this, new research is required. And since research takes time to bear fruit, the nation's dependence on networked information systems will greatly exceed their trustworthiness unless this research is initiated soon. Articulating an agenda for that research is the primary goal of this study; that detailed agenda and its rationale constitute the core of this report. TRUSTWORTHY NETWORKED INFORMATION SYSTEMS Networked information systems (NISs) integrate computing systems, communications systems, and people (both as users and operators). The defining elements are interfaces to other systems along with algorithms to coordinate those systems. Economics dictates the use of commercial off- the-shelf (COTS) components wherever possible, which means that de- velopers of an NIS have neither control over nor detailed information about many system components. The use of system components whose functionality can be changed remotely and while the system is running is increasing. Users and designers of an NIS built from such extensible system components thus cannot know with any certainty what software has entered system components or what actions those components might take. (Appendix E contains a detailed discussion of likely developments in software for those readers unfamiliar with current trends.) A trustworthy NIS does what people expect it to do and not some- thing else despite environmental disruption, human user and operator errors, and attacks4 by hostile parties. Design and implementation errors must be avoided, eliminated, or somehow tolerated. It is not sufficient to 3Available online at . 4In the computer security literature, '~vulnerability,,, ''attack,,, and ''threat,, are technical terms. A vulnerability is an error or weakness in the design, implementation, or operation of a system. An attack is a means of exploiting some vulnerability in a system. A threat is an adversary that is motivated and capable of exploiting a vulnerability.
OCR for page 14
4 TRUST IN CYBERSPACE address only some of these dimensions, nor is it sufficient simply to as- semble components that are themselves trustworthy. Trustworthiness is holistic and multidimensional. Trustworthy NISs are challenging systems to build, operate, and maintain. There is the intrinsic difficulty of understanding what can and cannot happen within any complex system and what can be done to control the behavior of such a system. With the environment only par- tially specified, one can never know what kinds of attacks will be launched or what manifestations failures may take. Modeling and planning for the behavior of a sentient adversary are especially hard. The trustworthiness of an NIS encompasses correctness, reliability, security (conventionally including secrecy, confidentiality, integrity, and availability), privacy, safety, and survivability (see Appendix K for defi- nitions of these terms). These dimensions are not independent, and care must be taken so that one is not obtained at the expense of another. For example, protection of confidentiality or integrity by denying all access trades one aspect of security availability for others. As another ex- ample, replication of components enhances reliability but may increase exposure to attack owing to the larger number of sites and the vulnerabili- ties implicit in the protocols to coordinate them. Integrating the diverse dimensions of trustworthiness and understanding how they interact are central challenges in building a trustworthy NIS. Various isolated dimensions of trustworthiness have become defining themes within professional communities and government pro- grams: · Correctness stipulates that proper outputs are produced by the system for each input. · Availability focuses on ensuring that a system continues to operate in the face of certain anticipated events (failures) whose occurrences are uncorrelated. · Security is concerned with ensuring that a system resists poten- tially correlated events (attacks) that can compromise the secrecy, integ- rity, or availability of data and services. While individual dimensions of trustworthiness are certainly impor- tant, building a trustworthy system requires more. Consequently, a new term "trustworthiness" and not some extant technical term (with its accompanying intellectual baggage of priorities) was selected for use in this report. Of ultimate concern is how people perceive and engage a system. People place some level of trust in any system, although they may neither think about that trust explicitly nor gauge the amount realis- tically. Their trust is based on an aggregation of dimensions, not on a few
OCR for page 15
INTRODUCTION 15 narrowly defined or isolated technical properties. The term "trustworthi- ness" herein denotes this aggregation. To be labeled as trustworthy, a system not only must behave as ex- pected but also must reinforce the belief that it will continue to produce expected behavior and will not be susceptible to subversion. The ques- tion of how to achieve assurance has been the target of several research programs sponsored by the Department of Defense and others. Yet cur- rently practiced and proposed approaches for establishing assurance are still imperfect and/or impractical. Testing can demonstrate only that a flaw exists, not that all flaws have been found; deductive and analytical methods are practical only for certain small systems or specific proper- ties.5 Moreover, all existing assurance methods are predicated on an unrealistic assumption that system designers and implementers know what it means for a system to be "correct" before and during develop- ment.6 The study committee believes that progress in assurance for the foreseeable future will most likely come from figuring out (1) how to combine multiple approaches and (2) how best to leverage add-on tech- nologies and other approaches to enhance existing imperfect systems. Improved assurance, without any pretense of establishing a certain or a quantifiable level of assurance, should be the aim. WHAT ERODES TRUST The extent to which an NIS comes to be regarded as trustworthy is influenced, in large part, by people's experiences in using that system. However, generalizations from individual personal experience can be misleading. The collection of incidents in Neumann (1995) and its associ- ated online database suggests something about the lay of the land, al- though many kinds of attacks are not chronicled there (for various rea- sons). Other compilations of information on the trustworthiness of specific infrastructures can be found at the CERT/CC Web site7 and other sources. But absent scientific studies that measure dominant detractors of NIS trustworthiness, it is hard to know what vulnerabilities are the most significant or how resources might best be allocated in order to enhance a system's trustworthiness. Rigorous empirical studies of system outages and their causes are a necessary ingredient of any research agenda in 5see Chapter 3 for a more detailed discussion. Requirements invariably change through the development process, and the definition of system correctness changes accordingly. 7The computer Emergency Response Team ~CERTy/Coordination center ~cc' is an ele- ment of the Networked systems Survivability Program in the Software Engineering Insti- tute at Carnegie Mellon university. see .
OCR for page 16
16 TRUST IN CYBERSPACE tended to further NIS trustworthiness. Empirical studies of normal sys- tem operations are also important, because having baseline data can be helpful for detecting failures and attacks by monitoring usage (Ware, 1998~. But perceptions of trustworthiness are just that and, therefore, can be shaped by the popular press and information from organizations that have particular advocacy agendas. A predominant cause of NIS outages might not be a good topic for newspaper stories, although anecdotes of attacks perpetrated by hackers seem to be.8 Trust in an NIS is not unduly eroded when catastrophic natural phe- nomena in a region, such as earthquakes or storms, disrupt the operation of NISs only in that region. But when environmental disruption has disproportionate consequences, trust is eroded. Regional and long-dis- tance telephone outages caused by a backhoe accidentally severing a fi- ber-optic cable (Neumann, 1995) and a power outage disrupting Internet access in the Silicon Valley area as a result of rodents chewing cable insulation (Neumann, 1996) are just two illustrations. The good news is that the frequency and scope of accidental man-made and natural disrup- tions are not likely to change in the foreseeable future. Building a trust- worthy NIS for tomorrow that can tolerate today's levels of such disrup- tions should suffice. Errors made in the operation of a system also can lead to systemwide disruption. NISs are complex, and human operators err: an operator installing a corrupted top-level domain name server database at Network Solutions effectively wiped out access to roughly a million sites on the Internet in fuly 1997 (Wayner, 1997~; an employee's uploading of an in- correct set of translations into a Signaling System 7 processor led to a 90- minute network outage for AT&T toll-free telephone service in Septem- ber 1997 (Perillo, 1997~. Automating the human operator's job is not necessarily a solution, for it simply exchanges one vulnerability (human operator error) for another (design and implementation errors in the con- trol automation). Controlling a complex system is difficult, even under the best of cir- cumstances. Whether or not human operators are involved, the geo- graphic scope and the speed at which an NIS operates mean that assem- bling a current and consistent view of the system is not possible. The control theory that characterizes the operation of such systems (if known at all) is likely to be fraught with instabilities and to be highly nonlinear. When operators are part of the picture, details of the system's operating 8The classification and restricted distribution of many government studies about vulner- ability and the frequency of hostile attacks, rather than informing the public about real risks, serve mostly to encourage speculation.
OCR for page 17
INTRODUCTION 17 status must be distilled into a form that can be understood by humans. Moreover, there is the difficulty of designing an operator interface that facilitates human intervention and control. The challenge of implementing software that satisfies its specification is well known, and failing to meet that challenge invariably compromises system trustworthiness. NIS software is no exception. An oft-cited ex- ample is the January 1990 9-hour-long outage (blocking an estimated 5 million calls) that AT&T experienced due to a programming error in soft- ware for its electronic switching systems (Neumann, 1995~. More re- cently, software flaws caused an April 1998 outage in the AT&T frame- relay network (a nationwide high-speed data network used by business) (Mills, 1998), and in February 1998 the operation of the New York Mer- cantile Exchange and telephone service in several major East Coast cities were interrupted by a software failure in Illuminet, a private carrier (Kalish, 1998~. The challenges of developing software can also be responsible for project delays and cost overruns. Problems associated with software thus can undermine confidence and trust in a system long before the system has been deployed. NIS software is especially difficult to write, because it typically integrates geographically separated system components that execute concurrently, have idiosyncratic interfaces, and are sensitive to execution timings. Finally, there are the effects of hostile attacks on NIS trustworthiness and on perceptions of NIS trustworthiness. Evidence abounds that the Internet and the public telephone networks not only are vulnerable to attacks but also are being penetrated with some frequency. In addition, hackers seeking the challenge and insiders seeking personal gain or re- venge have been successful in attacking business and critical infrastruc- ture computing systems. Accounts of successful attacks on computer systems at military sites are perhaps the most disturbing, since tighter security might be expected there; Box 1.1 contains just a few examples of recent attacks on both critical and noncritical DOD computers. The De- fense Information Systems Agency (DISA) estimates that DOD may have experienced as many as 250,000 attacks on its computer systems in a recent year and that the number of such attacks may be doubling9 each year (U.S. GAO, 1996~. The exact number of attacks is not known because DISA's own penetration attempts on these systems indicate that only about 1 in 150 attacks is actually detected and reported (U.S. GAO, 1996~. Specifically, defense installations reported 53 attacks in 1992,115 in 1993, 255 in 1994, and 559 in 1995.
OCR for page 18
18 TRUST IN CYBERSPACE Similarly troubling statistics about private-sector computer break-ins have been reported (Hardy, 1996; Power, 1996; War Room Research LLC, 1996~. Attacks specifically directed at NISs running critical infrastructures are not frequent at present, but they do occur. According to FBI Director Louis Freeh speaking at the March 1997 Computer Crime Conference in New York City, a Swedish hacker shut down a 911 emergency call system in Florida for an hour (Milton, 1997~. And in March of 1997, a series of commands sent from a hacker's personal computer disabled vital services to the Federal Aviation Administration control tower at the Worcester, Massachusetts, airport (Boston Globe, 1998~.
OCR for page 19
INTRODUCTION 19 To a first approximation "everything" is becoming interconnected. The June 1997 Pentagon cyber-war game "Eligible Receiver" (Gertz, 1998; Myers, 1998) demonstrated that computers controlling electric power dis- tribution are, in fact, accessible from the Internet. It is doubtless only a matter of time before the control network for the public telephone net- work is discovered to be similarly connected having just one computer connected (directly or indirectly) to both networks suffices. Thus, the Internet will ultimately give ever larger numbers and increasingly sophis- ticated attackers access to the computer systems that control critical infra- structures. The study committee therefore concluded that resisting attack is a dimension of trustworthiness that, although not a significant source of disruption today, has the potential to become a significant cause of outages in the future. Interconnection within and between critical infrastructures further amplifies the consequences of disruptions, making the trustworthiness of one system conditional on that of another. The lesson of the Northeast power blackout in the late 1960s was that disruptions can propagate through a system with catastrophic consequences. Three decades later, in July 1998, a tree shorting a powerline running to a power plant in Idaho brought about cascading outages that ultimately took down all three of the main California-Oregon transmission trunks and interrupted ser- vice for 2 million customers (Sweet and Geppert, 1997~. Was the lesson learned? The interdependence of critical infrastructures also enables disrup- tion to propagate. An accidental fiber cut in January 1991 (Neumann, 1995) blocked 60 percent of the long-distance calls into and out of New York City but also disabled air traffic control functions in New York, Washington, D.C., and Boston (because voice and data links to air traffic control centers use telephone circuits) and disrupted the operation of the New York Mercantile Exchange and several commodity exchanges (be- cause buy and sell orders, as well as pricing information, are communi- cated using those circuits). The impact of such a disruption could easily extend to national defense functions.~° Furthermore, a climate of deregu- lation is promoting cost control and product enhancements in electric power distribution, telecommunications (Board on Telecommunications and Computer Applications, 1989), and other critical infrastructures )°In March 1997, DISA disclosed that a contract had been awarded to Sprint for a global telecommunications network designed primarily to carry signal intelligence data to Fort Meade (Brewin, 1997~. According to the Defense Science Board (1996), the U.S. government procures more than 95 percent of its domestic telecommunications network services from U.S. commercial carriers.
OCR for page 20
20 TRUST IN CYBERSPACE actions that increase vulnerability to disruption by diminishing the cush- ions of reserve capacity and increasing the complexity of these systems. THIS STUDY IN CONTEXT Network security, information warfare, and critical-infrastructure protection have already been the subject of other national studies. The most visible of these studies summarized in Appendix F have focused on the expected shape and consequences of widespread networking, de- fending against information warfare and other cyber-threats, the coordi- nation of federal and private-sector players in such a defense, and na- tional policies affecting the availability of certain technological building blocks (e.g., cryptography). The absence of needed technology has been noted, and aggressive programs of research to fill broadly characterized gaps are invariably recommended. A Computer Science and Telecommunications Board study almost a decade ago anticipated the role networked computers would play in our society along with the problems that they could create (CSTB, 1991~. Its opening paragraph summarized the situation then and today with re- markable clarity: We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial servic They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable to the effects of poor design and insufficient quality con- trol, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomor- row's terrorist may be able to do more damage with a keyboard than with a bomb. More recently, in October 1997, the President's Commission on Criti- cal Infrastructure Protection released a report (PCCIP, 1997) that discusses the vulnerability of U.S. infrastructures to physical as well as cyber- threats. Based substantially on the commission's recommendations and findings, Presidential Decision Directive 63 (White House National Secu- rity Council, 1998) outlines a procedure and administrative structure for developing a national infrastructure protection plan. The directive orders immediate federal government action, with the goal that, within 5 years, our nation's critical infrastructures will be protected from intentional acts that would diminish the functioning of government, public services, the orderly functioning of the economy, and the delivery of essential telecom- munications, energy, financial, and transportation services. Among the directive's general principles and guidelines is a request that research for protecting critical infrastructures be undertaken.
OCR for page 21
INTRODUCTION 21 The present study offers a detailed agenda for that research. It is an agenda that was developed by analyzing current approaches to trustwor- thiness and by identifying science and technology that currently do not, but could, play a significant role. The agenda thus fills the gap left by predecessor studies, with their focus on infrastructure vulnerabilities and the wider consequences. Articulating a research agenda is a necessary first step in obtaining better methods of infrastructure protection. The research agenda should be of interest to researchers, who will ultimately execute the agenda, and to funders of research, who will want to give priority to research problems that are urgent and approaches that are promising. The research agenda should also be of interest to policy- makers who, in formulating legislation and initiating other actions, will profit from knowing which technical problems do have solutions, which will have solutions if research is supported, and which cannot have solu- tions. NIS operators can profit from the agenda in much the same way as policymakers will. And product developers should be interested in the research agenda for its predictions of market needs and promising direc- tions to address those needs. SCOPE OF THIS STUDY The premise of this report is that a "trust gap" is emerging between the expectations of the public (along with parts of government) and the capabilities of NISs. The report is organized around an agenda and call for research aimed at improving the trustworthiness of NISs and thereby narrowing this gap. To develop this agenda, the study committee sur- veyed the state of the art, current practice, and trends with respect to computer networking and software. The committee also studied connec- tions between these technical topics and current economic and political forces; those investigations, too, are summarized in the report. Some of the research problems in the proposed agenda are new. Oth- ers are not new but warrant revisiting in light of special requirements and circumstances that NIS developers and operators face. The networked environment imposes novel constraints, enables new types of solutions, and changes engineering trade-offs. Characteristic elements of NISs (COTS software, extensible components, and evolution by accretion) af- fect software development practices. And the need to simultaneously support all of the dimensions of trustworthiness invites reconsidering known approaches for individual dimensions of trustworthiness with an eye toward possible interactions. The Internet and public telephone network figured prominently in the study committee's thinking, and that emphasis is reflected in Chapter 2 of this report. The attention is justified on two grounds. First, the
OCR for page 22
22 TRUST IN CYBERSPACE Internet and public telephone network are themselves large and complex NISs. Studying extant NISs is an obvious way to understand the technical problems that will be faced by developers and operators of future NISs. Second, the high cost of building a global communications infrastructure from the ground up implies that one or both of these two networks is likely to furnish communications services for most other NISs.ll With such a pivotal role, the trustworthiness and vulnerabilities of these com- munications fabrics need to be understood. Commercial software packages and systems and not systems cus- tom-built from scratch are also a central subject of this report, as is most evident in Chapter 3 on software development. This focus is sensible given the clear trend in government and military procurement to adapt and depend on commodities and services intended for the mass market.l2 Research that ignores COTS software could have little impact on trust- worthiness for tomorrow's NISs.l3 In the past, computer science research programs serving military needs could safely ignore commercial software products and practices; that course now invites irrelevance. Chapter 4 concerns security. The extensive treatment of this single dimension of trustworthiness merits comment, especially given the relative infrequency with which attacks today are responsible for NIS outages. A research agenda must anticipate tomorrow's needs. Hostile attacks are the fastest-growing source of NIS disturbances. Indications are that this trend will continued and that, because they can be coordinated, attacks are po- tentially the most destabilizing form of trustworthiness breach. Further- more, the study committee found that past approaches to security (i.e., the 1lFor example, during the Persian Gulf conflict, the Internet was used to disseminate intelligence and counterintelligence information. Moreover, defense experts believe that public messages originating within regions of conflict will, in the future, provide warnings of significant political and military developments earlier than normal intelligence gather- ing. These experts also envision the Internet as a back-up communications medium if other conventional channels are disrupted during conflicts (U.S. GAO, 1996~. 12According to the Report of the Defense Science Board Task Force on Information Warfare Defense (IW-D) (Defense Science Board, 1996), COTS systems constitute over 90 percent of the information systems procured by DOD. Moreover, the widespread use of COTS sys- tems in military systems for the coming century is urged in National Defense Panel (1997~. 13Research that takes into account COTS commodities and services is likely to be appli- cable to the development of custom-designed systems as well. Methods suitable for systems built from scratch, however, may not apply in the presence of the added constraints that COTS purchases impose. 14The present study was conducted without access to classified material. Unclassified studies, such as U.S. General Accounting Office (1996), point to the growing incentive to attack infrastructure and defense computing systems, as these systems become more criti- cal, and to the expanding base of potential attackers that is accompanying the growth of the Internet.
OCR for page 23
INTRODUCTION 23 "Orange Book" [U.S. DOD, 1985] and its brethren) are less and less relevant to building a trustworthy NIS: inappropriate disclosure of information is only one of many security policies of concern, and custom construction and/or complete analysis of an entire NIS or even significant parts of an NIS is impractical. The typically complex trust relationships that exist among the parts of an NIS add further complication. The "holy grail" for developers of trustworthy systems is technology to build trustworthy systems from untrustworthy components. The subject of Chapter 5, this piece of the research agenda is the most ambitious. What is being sought can be achieved today for single dimensions of trustworthi- ness, lending some credibility to the vision being articulated. For example, highly reliable computing systems are routinely constructed from unreli- able components (by using replication). As another example, firewalls enable networks of insecure processors to be protected from certain forms of attack. And new algorithmic paradigms and system architectures could result in the emergence of desirable system behavior from seemingly ran- dom behaviors of system components. Without further research, though, it is impossible to know whether approaches like these will actually bear fruit for NIS trustworthiness. Fleshing out highly speculative research direc- tions with details is impossible without actually doing some of the research, so the discussions in Chapter 5 are necessarily brief. The viability of technological innovations is invariably determined by the economic and political context, the subject of Chapter 6. The econom- ics of building, selling, and operating trustworthy systems is discussed, because economics determines the extent to which technologies for trust- worthiness can be embraced by system developers and operators, and it determines whether users can justify investments in supporting trustwor- thiness. The dynamics of the COTS marketplace and an implied limited diversity have become important for trustworthiness so they, too, are discussed. Risk avoidance is but a single point in a spectrum of risk management strategies; for NISs (because of their size and complexity) it is most likely an unrealistic one. Thus, alternatives to risk avoidance are presented in the hope of broadening the perspectives of NIS designers and operators. Finally, since there is more to getting research done than articulating an agenda, the chapter reviews the workings of DARPA and NSA (likely candidates to administer this agenda), U.S. cryptography policy, and the general climate in government regarding regulation and trustworthiness. REFERENCES Associated Press. 1997. "Fifteen Year Old Hacker Discusses How He Accessed U.S. Mili- tary Files," Associated Press, March 1.
OCR for page 24
OCR for page 25
Representative terms from entire chapter:
24 TRUST IN CYBERSPACE Board on Telecommunications and Computer Applications, National Research Council. 1989. Growing Vulnerability of the Public Switched Networks: Implications for National Security Emergency Preparedness. Washington, DC: National Academy Press. Boston Globe. 1998. "Youth Faces Computer Crime Charges: U.S. Attorney Says Federal Case Is First Involving a Juvenile," Boston Globe, March 18. Available online at . Brewin, Bob. 1997. "DISA Discloses Secret NSA Pact with Sprint," Federal Computer Week, March 10. Available online at
INTRODUCTION 25 U.S. Department of Defense (DOD). 1985. Trusted Computer System Evaluation Criteria, Department of Defense 5200.28-STD, the "Orange Book." Ft. Meade, MD: National Computer Security Center, December. U.S. General Accounting Office (GAO). 1996. Information Security Computer Attacks at Department of Defense Pose Increasing Risks: A Report to Congressional Requesters. Wash- ington, DC: U.S. GAO, May. War Room Research LLC. 1996. 1996 Information Systems Security Survey. Baltimore, MD: War Room Research LLC, November 21. Ware, Willis H. 1998. The Cyber-posture of the National Information Infrastructure. Wash- ington, DC: RAND Critical Technologies Institute. Available online at
OCR for page 25
Representative terms from entire chapter:
Representative terms from entire chapter: