7
Conclusions and Research Recommendations
The vulnerability of our nation's critical infrastructures is attracting
considerable attention. Presidential Decision Directive 63, issued in May
1998, called for a national effort to ensure the security of the nation's
critical infrastructures for communication, finance, energy distribution,
and transportation. These infrastructures all exhibit a growing depen-
dence on networked information systems (NISs) that are not sufficiently
trustworthy, and that dependence is a source of vulnerability to the infra-
structures and the nation. Today's NISs are too often unable to tolerate
environmental disturbances, human user and operator errors, and attacks
by hostile parties. Design and implementation errors mean that satisfac-
tory operation would not be guaranteed even under ideal circumstances.
There is a gap between the state of the art and the state of the practice.
More-trustworthy NISs could be built and deployed today. Why are
these solutions not being implemented? The answer lies in the workings
of the market, in existing federal policies regarding cryptography, in ig-
norance about the real costs of trustworthiness (and of not having trust-
worthiness) to consumers and producers, and in the difficulty of measur-
ing trustworthiness.
There is also a gap between the needs and expectations of the public
(along with parts of government) and the extant science and technology
base for building trustworthy NISs. Trustworthiness is a multidimen-
sional property of an entire system, and going beyond what is known
today will require research breakthroughs. Methods to strengthen one
dimension can compromise another; building trustworthy components
does not suffice, for the interconnections and interactions of components
play a significant role in NIS trustworthiness.
Security is certainly important (with some data indicating that the
number of attacks is growing exponentially and anecdotal evidence sug-
gesting that attackers are becoming more sophisticated every day), but it
is not all that is important. The substantial commercial off-the-shelf
(COTS) makeup of an NIS, the use of extensible components, the expecta-
tion of growth by accretion, and the likely absence of centralized control,
trust, or authority demand a new approach to security: risk mitigation
rather than risk avoidance, technologies to hinder attacks rather than
prevent them outright, add-on technologies and defense in depth, and
relocation of vulnerabilities rather than their elimination. But other as-
pects of trustworthiness also demand progress and also will require new
thinking, because the networked environment and the scale of an NIS
impose novel constraints, enable new types of solutions, and change engi-
neering tradeoffs.
Other studies related to critical infrastructures have successfully
raised public awareness and advocated action. This study focuses on
describing and analyzing the technical problems and how they might be
solved through research, thereby providing some direction for that ac-
tion. The detailed research agenda presented in the body of this report
was derived by surveying the state of the art, current practice, and tech-
nological trends with respect to computer networking and software. A
summary of the committee's findings, conclusions, and recommendations
follows.
PROTECTING THE EVOLVING PUBLIC TELEPHONE
NETWORK AND THE INTERNET
The public telephone network is increasingly dependent on
software and databases that constitute new points of vulner-
ability. Business decisions are also creating new points of
vulnerability. Protective measures need to be developed and
implemented.
The public telephone network (PTN) is evolving. Value-added ser-
vices (e.g., call forwarding) rely on call-translation databases and adjunct
processors, which introduce new points of vulnerability. Some of the
new services are themselves vulnerable. For example, caller ID is increas-
ingly used by PTN customers to provide authenticated information, but
the underlying telephone network is unable to provide this information
with a high assurance of authenticity.
TRUST IN CYBERSPACE
Management of the PTN is evolving as well. Technical and market
forces have led to reductions in reserve capacity and the number of
geographically diverse redundant routings. Failure of a single link can now
have serious repercussions. Cross-connects and multiplexors, which are
used to route calls, are becoming dependent on complex software run-
ning in operations support systems (OSSs). In addition to the intrinsic
vulnerabilities associated with any complex software, information about
OSSs is becoming less proprietary owing to deregulation. Information
about controlling the OSSs will thus become more widespread, and the
vulnerabilities of the OSSs will become known to larger numbers of at-
tackers. Similarly, the Signaling System 7 (SS7) network used to manage
central office switches was designed for a small, closed community of
telephone companies; with deregulation will come increased opportuni-
ties for insider attacks. Telephone companies are also increasingly shar-
ing facilities and technology with each other and the Internet, thereby
creating yet another point of new vulnerability. Internet telephony is
likely to cause the PTN to become more vulnerable, because Internet-
based networks use the same channels for both user data transmission
and network management and because the end points on the Internet are
much more subject to failure than those of the PTN.
Attacks on the telephone network have, for the most part, been di-
rected at perpetrating billing fraud. The frequency of those attacks is
increasing, and the potential for more disruptive attacks, with harass-
ment and eavesdropping as goals, is growing. Thus, protective measures
are needed. Better protection is needed for the many number-translation
and other databases used in the PTN. Telephone companies need to
enhance the firewalls that connect their OSSs to the Internet and to en-
hance the physical security of their facilities.
In some respects, the Internet is becoming more secure as its
protocols are improved and as security measures are more widely
deployed at higher levels of the protocol stack. However, the
increasing complexity of the Internet's infrastructure contributes
to its increasing vulnerability. The end points (hosts) of the
Internet continue to be vulnerable. As a consequence, the
Internet is ready for some business use, but abandoning the PTN
for the Internet would not be prudent for most.
The Internet is too susceptible to attacks and outages to be a
viable basis for controlling critical infrastructures. Existing
technologies could be deployed to improve the trustworthiness
of the Internet, although many questions about what measures
would suffice do not currently have answers because good basic
data (e.g., on Internet outages) is scant.
The operation of the Internet today depends on routing and name-to-
address translation services. The list of critical services will likely expand
to include directory services and public-key certificate servers. Analo-
gous to the PTN, these services, because they depend on databases, con-
stitute points of vulnerability. New countermeasures for name-server
attacks are thus needed. They must work well in large-scale, heteroge-
neous environments. Cryptographic mechanisms to secure the name ser-
vice do exist; however, deployment to date has been limited.
Cryptography, while not in itself sufficient, is essential to the protec-
tion of both the Internet and its end points. Wider deployment of cryp-
tography is needed. Authentication-only algorithms are largely free from
export and usage restrictions, and they could go a long way toward help-
ing.
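The paragraph above singles out authentication-only algorithms as cryptography that can be deployed widely without the restrictions that applied to encryption. The following is an added example, not code from the report, showing what such an algorithm gives and does not give: an HMAC-SHA256 tag lets the verifier detect a modified record or a forged origin, while the record itself stays readable. The pre-shared key and the sample name-to-address record are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a name-to-address record of the kind the name
# service hands out, protected for integrity and origin but not secrecy.
RECORD = b"www.example.test A 192.0.2.10"


def make_key() -> bytes:
    """Random 256-bit key; assumed to be shared out of band by both parties."""
    return secrets.token_bytes(32)


def authenticate(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message: proves origin and integrity only."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so the comparison
    itself does not leak how many leading bytes of the tag were right."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the three outcomes a verifier cares about."""
    key = make_key()
    tag = authenticate(key, RECORD)
    tampered = RECORD.replace(b"192.0.2.10", b"192.0.2.99")
    return {
        "genuine_accepted": verify(key, RECORD, tag),
        "tampered_rejected": not verify(key, tampered, tag),
        "wrong_key_rejected": not verify(make_key(), RECORD, tag),
        # The record is plaintext: authentication adds no confidentiality.
        "message_still_readable": RECORD.startswith(b"www.example.test"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the separation the report draws: the tag binds the record to whoever holds the key, but anyone on the path can still read the record. Adding confidentiality would require an encryption algorithm on top, which is exactly the part that was subject to export and usage limits.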
There is a tension between the capabilities and vulnerabilities of rout-
ing protocols. The sharing of routing information facilitates route optimi-
zation, but such cooperation also increases the risk that malicious or mal-
functioning routers can compromise routing. In any event, current
Internet routing algorithms are inadequate because they do not scale well,
they require central processing unit (CPU)-intensive calculations, and they
cannot implement diverse or flexible policies. Furthermore, no effective
means exist to secure routing protocols, especially on backbone routers.
Research in these areas is urgently needed.
Networks formed by interconnecting extant independent subnet-
works present unique challenges for controlling congestion (because local
provider optimizations may not lead to good overall behavior) and for
implementing security (because trust relationships between network com-
ponents are not homogeneous). A better understanding is needed of the
Internet's current traffic profile and how it will evolve. In addition, fun-
damental research is needed into mechanisms for managing congestion in
the Internet, especially in a way that does not conflict with network secu-
rity mechanisms like encryption. Attacks that result in denial of service
are increasingly common, and little is known about defending against
them.
Operational errors represent a major source of outages for the
PTN and the Internet. Some of these errors could be prevented
by implementing known techniques, whereas others require
research to develop preventative measures.
Some errors could be prevented through improved operator training
and contingency planning. However, the scale and complexity of both
the PTN and the Internet (and NISs in general) create the need for tools
and systems to improve an operator's understanding of a system's state
and the means by which the system can be controlled. For example,
research is needed into ways to meaningfully portray and display the
state of a large, complex network to a human operator. Research and
development are needed to develop conceptual models that will allow
human operators to grasp the state of a network and to understand the
consequences of actions that the operator can take. Improved routing-
management tools are needed for the Internet, because they will free
human operators from an activity that is error prone.
MEETING THE URGENT NEED FOR SOFTWARE
THAT IMPROVES TRUSTWORTHINESS
The design of trustworthy networked information systems pre-
sents profound challenges for system architecture and project
planning. Little is understood, and this lack of understanding
ultimately compromises trustworthiness.
System-level trustworthiness requirements are typically first char-
acterized informally. The transformation of these informal notions
into precise requirements that can be imposed on individual system
components is difficult and often beyond the current state of the art.
Whereas a large software system such as an NIS cannot be developed
defect free, it is possible to improve the trustworthiness of such a
system by anticipating and targeting vulnerabilities. But to deter-
mine, analyze, and, most importantly, prioritize these vulnerabilities
requires a good understanding of how subsystems interact with each
other and with the other elements of the larger system; obtaining
such an understanding is not possible today. The use of some
systematic development processes seems to contribute to the quality of NISs.
Project management, a long-standing challenge in software develop-
ment, is especially problematic when building NISs because of the
large and complex nature of such systems and because of the con-
tinual software changes. The challenges of software engineering,
which have been formidable ones for so many years, are even more
urgent in the context of networked information systems.
To develop an NIS, subsystems must be integrated, but little is
known about doing this. In recent years, academic researchers
have directed their focus away from large-scale integration
problems; this trend must be reversed.
NISs pose new challenges for integration because of their distributed
nature and the uncontrollability of most large networks. Thus, testing
subsets of a system cannot adequately establish confidence in an entire
NIS, especially when some of the subsystems are uncontrollable or unob-
servable as is likely in an NIS that has evolved to encompass legacy soft-
ware. In addition, NISs are generally developed and deployed incremen-
tally. Techniques to compose subsystems in ways that contribute directly
to trustworthiness are therefore needed.
There exists a widening gap between the needs of software practitio-
ners and the problems that are being attacked by the academic research
community. In most academic computer science research today, research-
ers are not confronting problems related to large-scale integration and
students do not develop the skills or intuition necessary for developing
software that not only works but also works in the context of software
written by others. A renewed emphasis on large-scale development ef-
forts is called for.
It is clear that networked information systems will include
COTS components into the foreseeable future. However, the
relationship between the use of COTS components and NIS
trustworthiness is unclear. Greater attention must be directed
toward improving our understanding of this relationship.
COTS software offers both advantages and disadvantages to an NIS
developer. COTS components can be less expensive, have greater func-
tionality, and be better engineered and tested than is feasible for custom-
ized components. Yet, the use of COTS products could make developers
dependent on outside vendors for the design and enhancement of impor-
tant components. Also, specifications of COTS components tend to be
incomplete and to compel user discovery of features by experimentation.
COTS software originally evolved in a stand-alone environment where
trustworthiness was not a primary concern. That heritage remains vis-
ible. Moreover, market pressures limit the time that can be spent on
testing before releasing a piece of COTS software. The market also tends
to emphasize features that add complexity but are useful only for a mi-
nority of applications.
Although there are accepted processes for component design
and implementation, the novel characteristics of NISs raise
questions about the utility of these processes. Modern program-
ming languages include features that promote trustworthiness,
and the potential may exist for further gains from research.
The performance needs of NISs can be inconsistent with modular
design, and this limits the applicability of various processes and tools. It
is difficult to devise component-level acceptance tests that fully capture
the intent of systems-level requirements statements. This is particularly
true for nonfunctional and user-interface requirements. Basing the devel-
opment of an NIS on libraries of reusable, trusted components and using
those components in critical areas of the system can provide a cost-effec-
tive way for implementing component-level dimensions of trustworthi-
ness. Commercial software that includes reusable components or infra-
structure is now available, but it is too early to know how successful it
will be.
As a practical matter, the use of higher-level languages increases trust-
worthiness to a degree that outweighs any risks, although there is inad-
equate experimental evidence to justify the utility of any specific pro-
gramming language or language feature with respect to improving
trustworthiness. Modern programming languages include features, such
as compile-time checks and support for modularity and component inte-
gration, that promote trustworthiness. The potential may exist for further
gains by developing even more-expressive type systems and other com-
pile-time analysis techniques.
Formal methods are being used with success in commercial and
industrial settings for hardware development and requirements
analysis and with some success for software development. In-
creased support for both fundamental research and demon-
stration exercises is warranted.
Formal methods should be regarded as an important piece of technol-
ogy for eliminating design errors in hardware and software; as such, they
deserve increased attention. Formal methods are particularly well suited
for identifying errors that only become apparent in scenarios not likely to
be tested or testable. Therefore, formal methods could be viewed as a
technology complementary to testing. Research directed at the improved
integration of testing and formal methods is likely to have payoffs for
increasing assurance in trustworthy NISs.
REINVENTING SECURITY FOR COMPUTERS
AND COMMUNICATIONS
Security research during the past few decades has been based
on formal policy models that focus on protecting information
from unauthorized access by specifying which users should
have access to data or other system objects. It is time to chal-
lenge this paradigm of "absolute security" and move toward a
model built on three axioms of insecurity: insecurity exists;
insecurity cannot be destroyed; and insecurity can be moved
around.
Formal policy models of the past few decades presuppose that secu-
rity policies are static and have precise and succinct descriptions. These
formal policy models cannot represent the effects of some malicious or
erroneous software, nor can they completely address denial-of-service
attacks. Finally, these formal policy models cannot account for defensive
measures, such as virus scan software or firewalls, mechanisms that
in theory should not work or be needed but, in practice, hinder attacks.
The complex and distributed nature of NISs, with their numerous
subsystems that typically have their own access controls, raises the ques-
tion of whether a complete formal security model could ever be specified.
Even if such a model could be specified, demonstrating the correspon-
dence between an NIS and that formal model is not likely to be feasible.
An alternative to this "absolute security" philosophy is to identify the
vulnerabilities in an NIS and make design changes to reposition the vul-
nerabilities in light of the threats being anticipated. Further research is
needed to determine the feasibility of this new approach to the problem.
Cryptographic authentication and the use of hardware tokens
are promising avenues for implementing authentication.
Network-based authentication technology is not amenable to high-
assurance implementations. Cryptographic authentication represents a
preferred approach to authentication at the granularity that might other-
wise be provided by network authentication. Needs will arise for new
cryptographic authentication protocols (e.g., for practical multicast com-
munication authentication). Faster encryption and authentication/integ-
rity algorithms will be required to keep pace with rapidly increasing
communication speeds. Further research into techniques and tools should
be encouraged.
The use of hardware tokens holds great promise for implementing
authentication. Cost will be addressed by the inexorable advance of digi-
tal hardware technology. But interface commonality issues will somehow
have to be overcome. The use of personal identification numbers (PINs)
to enable hardware tokens is a source of vulnerability that the use of
biometrics might address. When tokens are being used to digitally sign
data, then an interface should be provided so that a user can know what is
being signed. Biometric authentication technologies have limitations
when employed in network contexts, because the compromise of the digi-
tal version of someone's biometric data could allow an attacker to imper-
sonate a legitimate user over the network.
Obstacles exist to more widespread deployment of key-
management technology and there has been little experience
with public-key infrastructures, especially large-scale ones.
There are many aspects of public-key infrastructure (PKI) technology
that merit further research. Issues related to the timely notification of
revocation, recovery from compromise of certificate authority private
keys, and name-space management require attention. Most applications
that make use of certificates have poor certificate-management interfaces
for users and system administrators. Toolkits for certificate processing
could be developed. There has been little experience with large-scale
deployment of key management technologies. Thus, the scale and nature
of the difficulties associated with deploying this important technology is
an unknown at this time.
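The paragraph above names timely revocation and recovery from a compromised certificate authority key as open PKI problems. The following added example, which is not code from the report, shows the relying-party side of that problem as a policy check: given a certificate and the most recent revocation list, it decides whether the certificate may be relied on, and it fails closed when revocation information is missing, stale, or comes from a CA key known to be compromised. Signature verification is assumed to have been done by the caller; the certificate fields, serial numbers and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer_key_id: str  # identifies the CA key that signed this certificate
    not_before: int     # validity window, epoch seconds
    not_after: int


@dataclass
class RevocationList:
    issuer_key_id: str
    issued_at: int
    next_update: int    # issuer's promise of when a fresher list will exist
    revoked_serials: set = field(default_factory=set)


def check_certificate(cert, crl, now, compromised_ca_keys=frozenset(),
                      max_crl_age=86400):
    """Return "valid" or the first reason the certificate must not be trusted.

    Only the validity, revocation and CA-compromise policy is modelled; the
    signature over the certificate is assumed already verified. Missing or
    stale revocation data is a failure, not a silent pass.
    """
    if cert.issuer_key_id in compromised_ca_keys:
        return "issuer-key-compromised"      # everything that key signed is suspect
    if not cert.not_before <= now <= cert.not_after:
        return "outside-validity-period"
    if crl is None or crl.issuer_key_id != cert.issuer_key_id:
        return "no-revocation-information"
    if now > crl.next_update or now - crl.issued_at > max_crl_age:
        return "revocation-information-stale"
    if cert.serial in crl.revoked_serials:
        return "revoked"
    return "valid"


def demo() -> dict:
    """Constructed certificate and revocation list exercising each outcome."""
    cert = Certificate(serial=7, subject="CN=host.example.test",
                       issuer_key_id="ca-1", not_before=1000, not_after=2000)
    crl = RevocationList(issuer_key_id="ca-1", issued_at=1400, next_update=1800)
    results = {
        "fresh": check_certificate(cert, crl, now=1500),
        "expired": check_certificate(cert, crl, now=2500),
        "stale_crl": check_certificate(cert, crl, now=1900),
        "missing_crl": check_certificate(cert, None, now=1500),
        "ca_compromised": check_certificate(cert, crl, now=1500,
                                            compromised_ca_keys={"ca-1"}),
    }
    crl.revoked_serials.add(7)              # revocation notice arrives
    results["revoked"] = check_certificate(cert, crl, now=1500)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

The order of the checks is deliberate: a compromised issuer key invalidates every certificate it signed regardless of the list's contents, and a list past its next_update is rejected before its serials are consulted, because an attacker who can suppress revocation notices would otherwise keep a revoked certificate usable.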
Because NISs are distributed systems, network access control
mechanisms play a central role in the security of NISs. Virtual
private networks and firewalls have proven to be promising
technologies and deserve greater attention in the future.
Virtual private network (VPN) technology is quite promising, al-
though proprietary protocols and simplistic key-management schemes in
most products have, to date, prevented adoption of VPNs in larger-scale
settings. The deployment of IPsec can eliminate these impediments, fa-
cilitating VPN deployment throughout the Internet. Much work remains
to further facilitate wholesale and flexible VPN deployments. Support for
dynamic location of security gateways, accommodation of complex net-
work topologies, negotiation of traffic security policies across administra-
tively independent domains, and support for multicast communication
are other topics deserving additional work. Also, better interfaces for
VPN management will be critical for avoiding vulnerabilities introduced
by operational errors.
Firewalls, despite their limitations, will persist into the foreseeable
future as a key defense mechanism. As support for VPNs is added,
firewall enhancements will have to be developed for the support of
sophisticated security management protocols, negotiation of traffic security
policies across administratively independent domains, and management
tools. The development of increasingly sophisticated network-wide ap-
plications will create a need for application-layer firewalls and a better
understanding of how to define and enforce useful traffic policies at this
level. Guards can be thought of as special cases of firewalls, typically
focused at the application layer.
Foreign code is increasingly being used in NISs. However, NIS
trustworthiness will deteriorate unless effective security mechanisms
are developed and implemented to defend against attacks
by foreign code.
Authenticating the author or provider of foreign code has not and
likely will not prove effective for protecting against hostile foreign code.
Users are unwilling and/or unable to use the source of a piece of foreign
code as a basis for denying or allowing execution. Revocation of certifi-
cates is necessary should a provider be compromised, but revocation is
currently not supported by the Internet, a fact that limits the scale over
which the approach can be deployed.
Access control features in commercially successful operating systems
are not adequate for supporting fine-grained access control (FGAC).
FGAC mechanisms are needed that do not significantly affect perfor-
mance. Operating system implementations of FGAC would help support
the construction of systems that obey the principle of least privilege, which
holds that users be accorded the minimum access that is needed to accom-
plish a task.
FGAC also has the potential to provide a means for supporting foreign
code: an interpreter that implements FGAC can be used to provide a rich
access control model within which the foreign code is confined. That, in
turn, could be an effective defense against a variety of attacks that might
be delivered using foreign code or application programs. However, it is
essential that users and administrators can correctly configure systems
with FGAC structures, and that has not yet been demonstrated. (Consid-
erably simpler access control models today are often misunderstood and
misused.) Enforcing application security is increasingly likely to be a
shared responsibility between the application and the lower levels of a
system. Research is needed to determine how to partition this responsi-
bility and which mechanisms are best implemented at what level. In
addition, more needs to be known about the assurance limitations associ-
ated with providing application-layer security when employing a COTS
operating system that offers minimum assurance.
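The two paragraphs above describe fine-grained access control as a way to confine foreign code to the least privilege a task needs, and warn that even simpler models are routinely misconfigured. The following added example, not code from the report, sketches such an interpreter-side check: every operation the untrusted component attempts is matched against an explicit allow list, denied by default, and logged. A small lint flags rules that grant an entire operation class, the kind of misconfiguration the text warns about. The operation names, the glob-style patterns and the sequence of attempted operations are all constructed for the example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    operation: str  # constructed operation class, e.g. "file.read", "net.connect"
    pattern: str    # glob over the operation's argument (path or host:port)


class Policy:
    """Allow list: anything not explicitly permitted is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def permits(self, operation: str, argument: str) -> bool:
        return any(r.operation == operation and fnmatch.fnmatchcase(argument, r.pattern)
                   for r in self.rules)

    def overly_broad(self):
        """Lint: rules whose pattern grants a whole operation class."""
        return [r for r in self.rules if r.pattern == "*"]


class Sandbox:
    """Mediates every request the confined code makes and keeps an audit trail."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.audit = []

    def request(self, operation: str, argument: str) -> bool:
        allowed = self.policy.permits(operation, argument)
        self.audit.append((operation, argument, "allow" if allowed else "deny"))
        return allowed


def run_foreign_code(sandbox: Sandbox) -> dict:
    """Constructed stand-in for a downloaded component: it needs one config
    file and one outbound connection, and also tries two things it does not."""
    attempts = [
        ("file.read", "/srv/app/config/feeds.json"),
        ("net.connect", "feeds.example.test:443"),
        ("file.read", "/srv/app/secrets/db-password"),
        ("net.connect", "203.0.113.7:25"),
    ]
    return {attempt: sandbox.request(*attempt) for attempt in attempts}


def least_privilege_policy() -> Policy:
    """Exactly the two grants the component's task requires."""
    return Policy([
        Rule("file.read", "/srv/app/config/*"),
        Rule("net.connect", "feeds.example.test:443"),
    ])


if __name__ == "__main__":
    box = Sandbox(least_privilege_policy())
    for attempt, allowed in run_foreign_code(box).items():
        print(attempt, "allowed" if allowed else "denied")
```

The audit list is the detection side of the same mechanism: a denied request from a component that should never need the resource is a signal in its own right, and it is available only because the interpreter, not the foreign code, decides each operation.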
A variety of opportunities seem to exist to leverage programming
language research in implementing system security. Software fault isola-
tion and proof-carrying code illustrate the application of programming-
language analysis techniques to security policy enforcement. But these
techniques are new, and their ultimate efficacy is not yet understood.
Defending against denial-of-service attacks is often critical for
the security of an NIS, because availability is often an impor-
tant system property. Research in this area is urgently needed
to identify general schemes for defending against such attacks.
No general mechanisms or systematic design methods exist for de-
fending against denial-of-service attacks. For example, each request for
service may appear legitimate in itself, but the aggregate number of re-
quests in a short time period that are focused on a specific subsystem can
overwhelm that subsystem because the act of checking a request for legiti-
macy consumes resources.
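The paragraph above pins down why denial of service is hard to design against: the legitimacy check itself costs resources, so a flood of individually plausible requests exhausts the checker. One partial mitigation is to put a cheap, per-source budget in front of the expensive check so that a single source cannot make the server spend its capacity on checks. The following added example, not code from the report, does this with a token bucket; the "expensive" check is simulated by a hash loop and the request marker is a constructed stand-in for whatever a real legitimacy check would verify.

```python
import hashlib


class TokenBucket:
    """Per-source budget: `capacity` requests at once, refilled at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def take(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Server:
    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}
        self.expensive_checks = 0  # how many times the costly path actually ran

    def _legitimate(self, request: bytes) -> bool:
        """Stand-in for the costly legitimacy check (think: signature verification).
        The hash loop only simulates cost; the "-ok" suffix is the constructed
        notion of a well-formed request."""
        self.expensive_checks += 1
        digest = request
        for _ in range(2000):
            digest = hashlib.sha256(digest).digest()
        return request.endswith(b"-ok")

    def handle(self, source: str, request: bytes, now: float) -> str:
        bucket = self.buckets.get(source)
        if bucket is None:
            bucket = self.buckets[source] = TokenBucket(self.capacity, self.refill_per_sec, now)
        if not bucket.take(now):       # cheap O(1) decision comes first
            return "rate-limited"
        if not self._legitimate(request):
            return "rejected"
        return "served"


def demo() -> dict:
    """Constructed burst: 100 requests from one source at t=0, one from another,
    then one malformed request from the first source after it has refilled."""
    server = Server()
    flood = [server.handle("198.51.100.7", b"req-ok", 0.0) for _ in range(100)]
    other = server.handle("198.51.100.8", b"req-ok", 0.0)
    later = server.handle("198.51.100.7", b"malformed", 3.0)
    return {
        "served": flood.count("served"),
        "rate_limited": flood.count("rate-limited"),
        "other_source": other,
        "later": later,
        "expensive_checks": server.expensive_checks,
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed burst the expensive check runs seven times instead of a hundred and the second source is still served, which is the whole point of deciding cheaply before deciding carefully. The caveat matches the report's own assessment: a per-source budget does nothing against a flood spread across many sources or sent with forged source identities, so it is one layer of a defense in depth rather than the general mechanism the text says is still missing.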
BUILDING TRUSTWORTHY SYSTEMS FROM
UNTRUSTWORTHY COMPONENTS
Improved trustworthiness may be achieved by the careful
organization of untrustworthy components. There are a num-
ber of promising ideas, but few have been vigorously pursued.
"Trustworthiness from untrustworthy components" is a research
area that deserves greater attention.
Replication and diversity can be employed to build systems that am-
plify the trustworthiness of their components, and indeed, there are suc-
cessful commercial products (e.g., fault-tolerant computers) in the mar-
ketplace that do exactly this. However, the potential and limits of this
approach are not understood. For example, research is needed to deter-
mine the ways in which diversity can be added to a set of replicas, thereby
improving trustworthiness.
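The paragraph above describes replication with diversity as a way to get more trustworthiness out of components than any one of them offers. The following added example, not code from the report, makes that concrete with the simplest organization, majority voting over independently written replicas of the same function. The three "diverse" implementations of an IPv4 address validator (regular expression, manual parsing, standard library) and the deliberately faulty fourth one are constructed for the example; the voter returns the majority answer and reports whether the replicas were unanimous, which is the disagreement signal that tells an operator one replica has failed.

```python
import ipaddress
import re
from collections import Counter

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def is_ipv4_regex(text: str) -> bool:
    """Replica 1: grammar written out as a regular expression."""
    return _IPV4.fullmatch(text) is not None


def is_ipv4_split(text: str) -> bool:
    """Replica 2: manual parsing, no leading zeros, each octet in 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    for part in parts:
        if not part.isdigit() or (len(part) > 1 and part[0] == "0"):
            return False
        if int(part) > 255:
            return False
    return True


def is_ipv4_stdlib(text: str) -> bool:
    """Replica 3: defer to the standard library's parser."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def is_ipv4_faulty(text: str) -> bool:
    """Constructed faulty replica: off-by-one upper bound accepts 256."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 256 for p in parts)


def vote(replicas, value):
    """Run every replica and return (majority answer, unanimous?).
    Raises if no strict majority exists, which is itself the safe outcome."""
    results = [replica(value) for replica in replicas]
    answer, count = Counter(results).most_common(1)[0]
    if count * 2 <= len(results):
        raise RuntimeError(f"no majority among replicas: {results}")
    return answer, count == len(results)


DIVERSE = (is_ipv4_regex, is_ipv4_split, is_ipv4_stdlib)
WITH_FAULT = (is_ipv4_regex, is_ipv4_split, is_ipv4_faulty)

if __name__ == "__main__":
    for sample in ("192.0.2.10", "256.1.1.1", "1.2.3", "a.b.c.d"):
        print(sample, vote(DIVERSE, sample), vote(WITH_FAULT, sample))
```

Voting masks the faulty replica's wrong answer on "256.1.1.1" but only because the other two do not share its defect; that is the open question the report raises, how to add diversity to a set of replicas so that their failures really are independent.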
Trustworthiness functionality could reside in varying parts of an NIS.
Little is known about the advantages and disadvantages of the different
architectural possibilities, so an analysis of existing NISs would prove
instructive. One architecture that has been suggested is based on the idea
of a core minimum functionality, the minimum essential information
infrastructure (MEII). But building an MEII for the nation would be a
misguided initiative, because it presumes that the important "core mini-
mum functionality" could be specifically defined, and that is unlikely to
be the case.
Monitoring and detection can be employed to build systems that en-
hance the trustworthiness of their components. But limitations in system-
monitoring technology and in technology to recognize events, like attacks
and failures, impose fundamental limits on the use of monitoring and
detection for implementing trustworthiness. For example, the limits and
coverage of the various approaches to intruder and anomaly detection are
not well understood.
A number of other promising research areas merit investigation. For
example, systems could be designed to respond to an attack or failure by
reducing their functionality in a controlled, graceful manner. And a
variety of research directions involving new types of algorithms (self-stabilization,
emergent behavior, biological metaphors) may be useful in defining
systems that are trustworthy. These new research directions are
highly speculative. Thus, they are plausible topics for longer-range re-
search.
SOCIAL AND ECONOMIC FACTORS THAT INHIBIT THE
DEPLOYMENT OF TRUSTWORTHY TECHNOLOGY
Imperfect information creates a disincentive to invest in trustworthiness
for both consumers and producers, leading to a
market failure. Initiatives to mitigate this problem are needed.
Decision making today about trustworthy systems occurs within the
context of imperfect information. That increases the level of uncertainty
regarding the benefits of trustworthiness initiatives, thereby serving as a
disincentive to invest in trustworthiness and distorting the market for trust-
worthiness. As a result, consumers prefer to purchase greater functionality
rather than to invest in improved trustworthiness. Products addressing
problems that have been experienced by consumers or that are perceived to
address well-known or highly visible problems have been best received.
The absence of standard metrics or a recognized organization to con-
duct assessments for trustworthiness is an important contributing factor
to the imperfect information problem. Useful metrics for the security
dimension of trustworthiness are unlikely to be developed because the
corresponding formal model for any particular metric would necessarily
be incomplete. Therefore, useful aggregate metrics for trustworthiness
are unlikely to be developed.
Standards may mitigate some of the difficulties that arise from imper-
fect information because standards can simplify the decision-making pro-
cess for the purchasers and producers of trustworthiness by narrowing
the field of choices. The development and evolution of a standard attract
scrutiny that will work toward reducing the number of remaining design
flaws and thereby promote trustworthiness. At the same time, the exist-
ence of standards promotes the wide availability of detailed technical
information about a particular technology, and therefore serves as a basis
for assessing where vulnerabilities remain. Standards that facilitate
interoperability increase the likelihood that successful attacks in one sys-
tem might prove effective in others. The net relationship between stan-
dards and trustworthiness is therefore indeterminate. Heterogeneity
tends to cause NISs to be more vulnerable because the scrutiny of experts
may not take place, but the negative effects that pertain to standards are
also applicable for homogeneity.
Security criteria may also improve the level of information available
to both consumers and producers of components. The Common Criteria
may or may not prove useful for this purpose. In any case, it is doubtful
that any criteria can keep pace with the evolving threats. However, even
if there are a sufficient number of security-evaluated components, there
is, at present, little or no rigorous methodology for assessing the security
of NISs assembled from such evaluated components.
Consumer and producer costs for trustworthiness are difficult
to assess. An improved understanding, better models, and more
and accurate data are needed.
Trustworthiness typically reflects systemwide characteristics of an NIS, so trustworthiness costs are often difficult to allocate to specific users or uses. Such costs are therefore often allocated to central units. Trustworthiness also involves costs that are difficult to quantify; one example is the "hassle factor," which captures the fact that trustworthy systems tend to be more cumbersome to use.
It is difficult to distinguish trustworthiness costs from other direct product costs and overhead costs. Not surprisingly, there is a paucity of data, and what little data does exist has questionable accuracy. The production costs associated with integration and testing represent a substantial proportion of total producer costs for improving trustworthiness, and it is often difficult to separate "trustworthiness" costs from other costs. Time-to-market considerations discourage the inclusion of trustworthiness features and encourage the postponement of trustworthiness to later stages of the product life cycle.
As a truly multidimensional concept, trustworthiness is dependent on all of its dimensions. However, in some sense, the problems of security are more challenging and therefore deserve special attention.
Security risks are more difficult to specify and manage than those that arise from safety or reliability concerns. There is usually an absence of malice with respect to safety and reliability risks as well as tangible and often severe consequences that can be easily articulated; these considerations facilitate the assessment of risk and measurement of consequences for safety- and reliability-related risks, in contrast to security. A precise and testable definition is required to assess whether a standard has been fulfilled or not. Such definitions may often be articulated for some trustworthiness dimensions (such as reliability) but are often difficult to articulate for security.
Export control and key-escrow policy concerns inhibit the widespread deployment of cryptography, but there are other important inhibitory factors that deserve increased attention and action.
The public policy controversy surrounding export controls and key recovery does indeed inhibit the widespread deployment of cryptography. However, cryptography is not more widely deployed for other reasons, which include reduced convenience and usability, possible sacrifice of interoperability, increased computational and communications requirements, lack of a national or international key infrastructure, restrictions resulting from patents, and the fact that most information is already secure enough relative to its value to an unauthorized party.
IMPLEMENTING TRUSTWORTHINESS RESEARCH AND DEVELOPMENT
In its necessary efforts to pursue partnerships, the federal government also needs to work to develop trust in its relationships with the private sector, with some emphasis on U.S.-based firms.
The federal government has less influence on vendors than in the past, so cooperative arrangements are increasingly necessary. The rise of the marketplace for computing and communications products includes new and/or start-up firms that tend to be focused on marketplace demands generally, and not on the needs of the federal government. Although the federal government is the largest single customer of computing and communications products and services, its relative market share, and therefore its market power, have declined. Building trust between the private and public sectors is essential to achieving increased cooperation in efforts to improve NIS trustworthiness, because the cryptography
policy debates concerning export controls and key escrow have created suspicion within the private sector about government intent and plans. As trustworthiness-related products are increasingly provided by non-U.S. companies, the influence of foreign firms and governments on the trustworthiness marketplace is a new concern and suggests that some priority should be placed on partnerships with U.S. firms.
The NSA R2 organization must increase its efforts devoted to outreach and recruitment and retention issues.
The National Security Agency's R2 organization has initiated several outreach efforts, but these have not significantly broadened the community of researchers that work with R2. Effective outreach efforts are those that are designed to be compatible with the interests, perspectives, and realities of potential partners (e.g., acknowledgment of the dominance of COTS technology).
Inadequate incentives currently exist within R2 to attract and retain highly skilled researchers. Improved incentives might be financial (e.g., different salary scale) and/or nonfinancial (e.g., special recognition, greater public visibility) in nature. R2 faces formidable challenges in the recruitment and retention of the very best researchers. The rotation of R2 researchers with researchers in industry and academia would help to broaden and invigorate the R2 program. Such rotation would be most effective if it involved institutions that have large numbers of top researchers. As currently constituted, the R2 university research program emphasizes relatively short-term and small projects, and it does not attract the interest of the best industrial and academic researchers and institutions.
DARPA is generally effective in its interactions with the research community, but DARPA needs to increase its focus on information security and NIS trustworthiness research, especially with regard to long-term research efforts.
The nature and scope of major Defense Advanced Research Projects Agency (DARPA) projects that were funded in the 1970s, where security work was an integral part of a large, integrated effort, seem to characterize DARPA's greatest successes in the security domain. Not all of these efforts were so successful, as is characteristic of high-risk, high-payoff research. DARPA does fund some research today in important areas for NIS trustworthiness. However, other critical topics as articulated in this study are not emphasized to the extent that they should be. These topics
include containment, denial-of-service attacks, and cryptographic infrastructures.
DARPA uses a number of mechanisms to communicate with the research community, which include principal investigator meetings, information science and technology activities (ISATs), and broad area announcements (BAAs). These mechanisms seem to be generally effective in facilitating the exchange of ideas between DARPA and the research community.
The use of academics on temporary assignment as program managers has advantages and disadvantages. This rotation of program managers ensures that state-of-the-art thinking is constantly being infused into DARPA (assuming that the leading researchers in the field are appointed). On the other hand, such rotation does not promote long-term research agendas, because the tenure of a program manager typically is only 2 to 3 years.
An increase in expenditures for research in information security and NIS trustworthiness is warranted.
The committee believes that increased funding is warranted for both information security research in particular and NIS trustworthiness research in general. The appropriate level of increased funding should be based on a realistic assessment of the size and availability of the current population of researchers in relevant disciplines and projections of how this population of researchers may be increased in the coming years.