Toward a Safer and More Secure Cyberspace
Seymour E. Goodman and Herbert S. Lin, Editors
THE NATIONAL ACADEMIES PRESS
Washington, D.C.
www.nap.edu
THE NATIONAL ACADEMIES PRESS
500 Fifth Street, N.W. Washington, DC 20001
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
Support for this project was provided by the Defense Advanced Research Projects Agency (award number N00174-03-C-0074), the National Science Foundation (award number CNS-0221722), the National Institute of Standards and Technology (contract number SB1341-03-C-0028), the Department of Homeland Security through the National Science Foundation (award number CNS-0344585), the National Academy of Engineering, the National Research Council Fund (no award number), and F. Thomas Leighton and Bonnie Berger Leighton. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations, agencies, or individuals that provided support for the project.
Back cover: Summarized in the right-hand column of the chart is the new mind-set advocated in this report as essential to achieving a more generally secure cyberspace.
Library of Congress Cataloging-in-Publication Data
Toward a safer and more secure cyberspace / Committee on Improving Cybersecurity Research in the United States, Computer Science and Telecommunications Board, Division on Engineering and Physical Sciences, National Research Council of the National Academies ; Seymour E. Goodman and Herbert S. Lin, editors.
p. cm.
Includes bibliographical references.
ISBN 978-0-309-10395-4 (pbk.) -- ISBN 978-0-309-66741-8 (pdf) 1. Computer security. 2. Computer networks--Security measures. 3. Cyberterrorism--Prevention. I. Goodman, Seymour E. II. Lin, Herbert. III. National Research Council (U.S.). Committee on Improving Cybersecurity Research in the United States.
QA76.9.A25T695 2007
005.8--dc22
2007037982
This report is available from
Computer Science and Telecommunications Board
National Research Council
500 Fifth Street, N.W.
Washington, DC 20001
Additional copies of this report are available from the
National Academies Press,
500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu.
Copyright 2007 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council.
COMMITTEE ON IMPROVING CYBERSECURITY RESEARCH IN THE UNITED STATES
SEYMOUR (Sy) E. GOODMAN, Georgia Institute of Technology, Chair (from August 2006)
JOEL S. BIRNBAUM, Hewlett-Packard Company, Chair (until August 2006)
DAVID AUCSMITH, Microsoft Corporation
STEVEN M. BELLOVIN, Columbia University
ANJAN BOSE, Washington State University
BARBARA FRASER, Cisco Systems, Inc.
JAMES GOSLER, Sandia National Laboratories
WILLIAM GUTTMAN, Carnegie Mellon University
RUBY B. LEE, Princeton University
FERNANDO (FRED) LUIZ, Hewlett-Packard Company (retired)
TERESA F. LUNT, Palo Alto Research Center
PETER G. NEUMANN, SRI International
STEFAN SAVAGE, University of California, San Diego
WILLIAM L. SCHERLIS, Carnegie Mellon University
FRED B. SCHNEIDER, Cornell University
ALFRED Z. SPECTOR, Independent Consultant
JOHN WANKMUELLER, MasterCard International
JAY WARRIOR, Agilent Laboratories
Staff
HERBERT S. LIN, Senior Scientist and Study Director (from September 2005)
CHARLES N. BROWNSTEIN, Study Director (until September 2005)
KRISTEN BATCH, Associate Program Officer
JENNIFER M. BISHOP, Program Associate (until November 2006)
JANICE M. SABUDA, Senior Program Assistant
TED SCHMITT, Consultant
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
JOSEPH F. TRAUB, Columbia University, Chair
ERIC BENHAMOU, Benhamou Global Ventures, LLC
FREDERICK R. CHANG, University of Texas, Austin
WILLIAM DALLY, Stanford University
MARK E. DEAN, IBM Almaden Research Center
DEBORAH ESTRIN, University of California, Los Angeles
JOAN FEIGENBAUM, Yale University
KEVIN KAHN, Intel Corporation
JAMES KAJIYA, Microsoft Corporation
MICHAEL KATZ, University of California, Berkeley
RANDY H. KATZ, University of California, Berkeley
SARA KIESLER, Carnegie Mellon University
TERESA H. MENG, Stanford University
PRABHAKAR RAGHAVAN, Yahoo! Research
FRED B. SCHNEIDER, Cornell University
ALFRED Z. SPECTOR, Independent Consultant
WILLIAM STEAD, Vanderbilt University
ANDREW J. VITERBI, Viterbi Group, LLC
PETER WEINBERGER, Google, Inc.
JEANNETTE M. WING, Carnegie Mellon University
Staff
JON EISENBERG, Director
KRISTEN BATCH, Associate Program Officer
RADHIKA CHARI, Administrative Coordinator
RENEE HAWKINS, Financial Associate
MARGARET MARSH HUYNH, Senior Program Assistant
HERBERT S. LIN, Senior Scientist
LYNETTE I. MILLETT, Senior Program Officer
DAVID PADGHAM, Associate Program Officer
JANICE M. SABUDA, Senior Program Assistant
TED SCHMITT, Consultant
BRANDYE WILLIAMS, Program Assistant
JOAN D. WINSTON, Program Officer
For more information on CSTB, see its Web site at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.
Preface
In the past several years, cybersecurity has been transformed from a concern chiefly of computer scientists and information system managers to an issue of pressing national importance. The nation’s critical infrastructure, such as the electric power grid, air traffic control system, financial system, and communication networks, depends extensively on information technology (IT) for its operation. Concerns about the vulnerability of this infrastructure have heightened in the security-conscious environment after the September 11, 2001, attacks. National policy makers have become increasingly concerned that adversaries backed by substantial resources will attempt to exploit the cyber-vulnerabilities in the critical infrastructure, thereby inflicting substantial harm on the nation.
Today, there is an inadequate understanding of what makes IT systems vulnerable to attack, how best to reduce these vulnerabilities, and how to transfer cybersecurity knowledge to actual practice. For these reasons, and in response to both legislative and executive branch interest, the National Research Council (NRC) established the Committee on Improving Cybersecurity Research in the United States (see Appendix A for biographies of the committee members). The committee was charged with developing a strategy for cybersecurity research in the 21st century. To develop this strategy, the committee built on a number of previous NRC reports in this area, notably, Computers at Risk (1991), Trust in Cyberspace (1998), and Information Technology for Counterterrorism (2003).1 Although these reports were issued some years ago, the committee found that they contained valuable points of departure for the present effort. In addition, the committee undertook a set of hearings and briefings that provided information about present-day concerns and responses to those concerns. The report of the President’s Information Technology Advisory Committee on cybersecurity—Cyber Security: A Crisis of Prioritization—which lays out a research agenda and makes recommendations on how to implement it, provided a useful point of departure as well.2
Box P.1 contains the full charge to the committee. The committee’s survey of the current cybersecurity research landscape is described in Appendix B. As requested in the charge, Section B.5 contains a survey of the research effort in cybersecurity and trustworthiness to assess the current mix of topics; Sections B.4 and B.6 address level of effort, division of labor, and sources of funding; Section B.3 addresses quality. The issue related to the timescales of cybersecurity research is addressed in Section 10.2.2. Structural dimensions of a program for cybersecurity research are addressed in Section 3.3.
Two elements in the committee’s statement of task were not fully addressed. First, although Part II provides general guidance regarding appropriate areas of programmatic focus, this report does not provide a detailed explication of research priorities within or among these areas (that is, the research areas meriting federal funding). The reason, explained at greater length in Section 3.4.4, is that in the course of its deliberations, the committee concluded that the nation’s cybersecurity research agenda should be broad and that any attempt to specify research priorities in a top-down manner would be counterproductive. Second, the study’s statement of task calls for it to address appropriate levels of federal funding for cybersecurity research. As discussed in Section 10.2.2, the committee articulates a specific principle for determining the appropriate level of budgets for cybersecurity research: namely, that such budgets should be adequate to ensure that a large fraction of good ideas for cybersecurity research can be explored. It further notes that the threat is likely to grow at a rate faster than the present federal cybersecurity research program will enable us to respond to, and thus that in order to execute fully the broad strategy articulated in this report, a substantial increase in federal budgetary resources devoted to cybersecurity research will be needed.
It is important to delineate the scope of what this report does and to specify what it does not do. The committee recognizes that cybersecurity is only one element of trustworthiness, which can be defined as the property of a system whereby it does what is required and expected of it—despite environmental disruption, human user and operator errors, and attacks by hostile parties—and that it does not do other things. Trustworthiness has many dimensions, including correctness, reliability, safety, and survivability, in addition to security. Nevertheless, the charge of this report is to focus on security, and other issues are addressed only to the extent that they relate to security.

BOX P.1 Statement of Task
This project will involve a survey of the research effort in cybersecurity and trustworthiness to assess the current mix of topics, level of effort, division of labor, sources of funding, and quality; describe those research areas that merit federal funding, considering short-, medium-, and long-term emphases; and recommend the necessary level for federal funding in cybersecurity research. Technologies and approaches conventionally associated with cybersecurity and trustworthiness will be examined to identify those areas most deserving of attention in the future and to understand the research baseline. In addition, this project will also seek to identify and explore models and technologies not traditionally considered to be within cybersecurity and trustworthiness in an effort to generate ideas for revolutionary advances in cybersecurity. Structural alternatives for the oversight and allocation of funding (how to best allocate existing funds and how best to program new funds that may be made available) will be considered and the project committee will provide corresponding recommendations. Finally, the committee will offer some guidance on the shape of grant-making research programs. Consistent with legislative language, the committee will consider:

2 President’s Information Technology Advisory Committee. February 2005. Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Technology Research and Development, Washington, D.C.; available at www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.
This report is not confined to technical topics alone. A number of policy issues related to cybersecurity are discussed. These policy issues provide an overarching context for understanding why greater use has not been made of cybersecurity research to date. In addition, because the report concludes that cybersecurity research should not be undertaken entirely in a domain-independent manner, the report also discusses briefly a number of problem domains to which cybersecurity research is applicable.
The committee assembled for this project included individuals with expertise in the various specialties within computer security and other aspects of trustworthiness, computer networks, systems architecture, software engineering, process control systems, human-computer interaction, and information technology research and development (R&D) programs in the federal government, academia, and industry. In addition, the committee involved individuals with experience in industrial research.
The committee met first in July 2004 and four times subsequently. It held several plenary sessions to gather input from a broad range of experts in cybersecurity. Particular areas of focus included then-current federal research activity, the state of the art in usable security, and current vendor activity related to advancing the state of cybersecurity. The committee did its work through its own expert deliberations and by soliciting input from key officials at sponsoring agencies, numerous experts at federal agencies, academic researchers, and hardware and software vendors (see Appendix C). Additional input included perspectives from professional conferences, the technical literature, and government reports studied by committee members and staff (see Appendix B).
The committee appreciates the support of its sponsoring agencies and especially the numerous inputs and responses to requests for information provided by Jaynarayan Lala and Lee Badger at the Defense Advanced Research Projects Agency (DARPA), Carl Landwehr and Karl Levitt at the National Science Foundation (NSF), Edward Roback at the National Institute of Standards and Technology (NIST), Douglas Maughan at the Department of Homeland Security (DHS), and Robert Herklotz at the Air Force Office of Scientific Research (AFOSR).
PERSONAL NOTE FROM THE CHAIR
A large fraction of the American population now spends a great deal of time in cyberspace. We work and shop there. We are educated and entertained there. We socialize with family, friends, and strangers in cyberspace. We are paid and we pay others through this medium. Millions of commercial enterprises and local, state, and federal government agencies do their business there. It has become a critical infrastructure in its own right, and it is embedded in almost all other critical infrastructures. We rely on cyberspace to help keep electricity flowing, public transportation running, and many other basic services working at levels that we have come to regard as essential elements of our society. These functions, expectations, and resulting dependencies are with us now, have been growing rapidly, and are expected to continue to grow well into the future.
The people, businesses, and governments of the rest of the world are following suit. On a per capita basis, some are even more committed to this infrastructure than the United States is. The Internet alone is now used by about a billion people and comes to ground in about 200 countries. And they are all connected to us and to one another.
It is thus very much in the public interest to have a safe and secure cyberspace. Yet cyberspace in general, and the Internet in particular, are notoriously vulnerable to a frightening and expanding range of accidents and attacks by a spectrum of hackers, criminals, terrorists, and state actors who have been empowered by unprecedented access to more people and organizations than has ever been the case with any infrastructure in history. Most of the people and organizations that increasingly depend on cyberspace are unaware of how vulnerable and defenseless they are, and all too many users and operators are poorly trained and equipped. Many learn only after suffering attacks. These people, and the nation as a whole, are paying enormous costs for relying on such an insecure infrastructure.
The Committee on Improving Cybersecurity Research in the United States was established by the National Research Council of the National Academies with the financial support of NSF, DARPA, NIST, DHS, the National Academy of Engineering, and F. Thomas and Bonnie Berger Leighton. The basic premise underlying the committee’s task is that research can produce a better understanding of why cyberspace is as vulnerable as it is and that it can lead to new technologies and policies and their effective implementation to make things better.
Cybersecurity is not a topic that is new to the national agenda. Indeed, a number of earlier reports have addressed this subject from different perspectives. Many of these reports have been concerned with specific threats (e.g., terrorism), missions (e.g., critical infrastructure protection), government agencies (e.g., how they might better protect themselves), or specific sectors (e.g., banking and finance). This study tackles the problem from the perspective of protecting all legitimate users of cyberspace, including the individual citizens, small commercial concerns, and government agencies that are particularly vulnerable to harassment and injury every time they use the Internet or connect to other networks. The committee strongly believes that a more generally secure cyberspace would go a long way toward protecting critical infrastructure and national security.
What would a safer and more secure cyberspace look like? To address this question, the committee has formulated a Cyberspace Bill of Rights (CBoR). It consists of 10 basic provisions that the committee believes users should have as reasonable expectations for their online safety and security. The CBoR articulated in this report is distinctly user-centric, enabling individuals to draw for themselves the contrast between that vision and their own personal cyberspace experiences.
Unfortunately, the state of cyberspace today is such that it is much easier to state these provisions than it is to achieve them. No simple research project will lead to the widespread reality of any of these provisions. Indeed, even achieving something that sounds as simple as eliminating spam will require a complex, crosscutting technical and nontechnical R&D agenda. Accordingly, this report goes on to propose a comprehensive R&D agenda and to show how that agenda would help realize the provisions of the CBoR. The report also warns that there will be no shortcuts and that realizing the CBoR vision will take a long, sustained, and determined effort. There is much to accomplish.
Many of this report’s technical R&D recommendations build on and support those of earlier reports. However, they give particular emphasis to problems that have handicapped the more extensive practice of cybersecurity in the past. Thus, the report focuses substantial attention on the very real challenges of incentives, usability, and embedding advances in cybersecurity into real-world products, practices, and services.
On behalf of the committee, I would like to thank those who took the time and trouble to contribute to our deliberations by briefing the committee. This group of individuals is listed in Appendix C. In addition, those who reviewed this report in draft form played a critical and indispensable role in helping to improve the report (see “Acknowledgment of Reviewers” on page xiii). On the Computer Science and Telecommunications Board (CSTB), Ted Schmitt’s work as program officer on his first NRC project was exemplary, and Janice Sabuda provided administrative and logistical support beyond compare. Special recognition is due to Herbert S. Lin, who became the CSTB study director about halfway through the committee’s lifetime, and who worked so hard to pull this report together. His tenacity, determination, and expertise were indispensable.
Seymour E. Goodman, Chair
Committee on Improving Cybersecurity Research in the United States
Acknowledgment of Reviewers
This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:
Eric Benhamou, Benhamou Global Ventures, LLC,
Earl Boebert, Sandia National Laboratories (retired),
William R. Cheswick, AT&T Research,
David D. Clark, Massachusetts Institute of Technology,
Richard A. DeMillo, Georgia Institute of Technology,
Samuel H. Fuller, Analog Devices, Inc.,
Paul A. Karger, IBM Thomas J. Watson Research Center,
Pradeep Khosla, Carnegie Mellon University,
Butler Lampson, Microsoft Corporation,
Brian Lopez, Lawrence Livermore National Laboratory,
William Lucyshyn, University of Maryland,
Clifford Neuman, University of Southern California,
Eugene Spafford, Purdue University,
Philip Venables, Goldman Sachs,
Jesse Walker, Intel Corporation, and
Jeannette M. Wing, Carnegie Mellon University.
Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Lewis Branscomb and Brian Snow. Appointed by the National Research Council, they were responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.
Boxes
P.1 Statement of Task
2.1 Lack of Exploitation Does Not Indicate Nonvulnerability
2.2 Major Sources of Data Characterizing the Cyberthreat
2.3 On Botnets
2.4 Possible Points of Vulnerability in Information Technology Systems and Networks
2.5 Foreign Sourcing of Information Technology Used in the United States
2.6 The Silence of a Successful Cyberattack
3.1 What Firewalls and Antivirus Products Protect Against
3.2 Lessons Learned from the Technology-Transfer Effort Associated with Microsoft’s Static Driver Verifier
4.1 The Saltzer-Schroeder Principles of Secure System Design and Development
6.1 Fluency with Information Technology (and Cybersecurity)
6.2 Bug Bounties and Whistle-Blowers
8.1 Issues in System Migration
8.2 Secrecy of Design
8.3 Attack Diffusion
10.1 A Model Categorization for Understanding Budgets