Trust in Cyberspace (1999) / Chapter Skim
Currently Skimming:
6 The Economic and Public Policy Context
6 The Economic and Public Policy Context
Pages 171-239
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 171... ...
In a number of instances, research and development efforts have yielded state-of-the-art technological solutions that could be deployed to enhance NIS trustworthiness. Why are such technological solutions not used more widely in practice?
|
From page 172... ...
As the broader concept of trustworthiness becomes increasingly important, especially in light of the recent concern for protection of critical infrastructures, increased attention to the nonsecurity dimensions of trustworthiness by the federal government may be warranted. This is not to say that attention to security is or will become unimportant indeed, security vulnerabilities are expected to increase in both number and severity in the future.
|
From page 173... ...
In the Internet era, a vulnerability may even be publicized to the world in PA hypothetical example could entail the use of trustworthiness as a marketing advantage, akin to the Federal Express creed of "when it absolutely, positively has to be there." 2There is also the notion that some forms of business activities require or are facilitated by a particular level of trustworthiness te.g., security as an enablers. In the electronic commerce area, as an example, the availability of secure socket layer (SSL)
|
From page 174... ...
If this one-line command works, it is because there is a flawed version of PHF in the /cgi-bin directory. PHF allows users to gain remote access to files "including the /etc/passwd file' over the Web.
|
From page 175... ...
Failure of a single Internet service provider (ISP) may or may not affect transfer of information outside the area of disruption, depending on how the ISP has configured its communications.
|
From page 176... ...
In both cases, the service provider loses revenue. Under some circumstances, a legitimate caller may be denied service if illegitimate users saturate the network.l° In the case of telephone cloning, if the clone user does not saturate the network, the provider loses revenue but users do not incur an immediate cost.ll Understanding consequences is essential to forming baseline expectations of private action and what incentives may be effective for changing private action, but that understanding is often hampered by the difficulty of quantifying or otherwise specifying the costs and consequences associated with risks.
|
From page 177... ...
Risk avoidance strategies, in general, incorporate every protection mechanism and invoke every possible assurance step. Many of these assurance steps, which are discussed in detail in Chapter 3, can handle only certain classes of designs or implementation technologies.
|
From page 178... ...
Another example is an instance in which a hacker expends great effort to take over an innocuous machine, not because it contains interesting data but because it provides computing resources and network connectivity that can be used to mount attacks on highervalue targets.l5 In the case of the work factor model, it is notoriously difficult to assess the capabilities of a potential adversary in a field as unstructured as that of discovering vulnerabilities, which involves seeing aspects of a system that were overlooked by its designers. 14If the cryptography is easily broken (e.g., because the keys are stored in shared memory)
|
From page 179... ...
Risk mitigation carries with it the danger of underengineering to the point at which the system is defeated, very possibly over and over again. The compound uncertainties of risk management preclude any rigorous method, but it is possible to articulate a few guidelines: · Understand how long the system will be used in harm's way.
|
From page 180... ...
2. Although a risk-avoidance strategy may maximize trustworthiness, the prohibitive cost of that strategy suggests that risk mitigation is the pragmatic strategy for most situations.
|
From page 181... ...
Consumer costs may be divided into direct costs, indirect costs, and failure costs. Direct Costs Direct costs are those expenditures that can be associated unambiguously with trustworthiness.
|
From page 182... ...
For example, security controls may compel users to take additional steps and time to log in and access information and remember more elaborate policies and practices. Another form of indirect cost is incurred when an element of trustworthiness prevents the consumer from performing some important function.
|
From page 183... ...
mishaps. A1though that market remains immature,24 recent developments have suggested growing interest among insurers.25 Traditional commercial insurance frameworks intended for physical property, equipment, and liability are being adapted for electronic contexts, although the difficulties in valuing information assets, diagnosing and reporting problems, and lack of historical data have constrained the growth of computer and telecommunications-related insurance.
|
From page 184... ...
. Imperfect Information Consumers operate within an environment in which a great deal is unknown.
|
From page 185... ...
See Noll (1996~. 29The International Computer Security Association does "certify" security-oriented products and services, but so far its testing does not appear to be rigorous.
|
From page 186... ...
34For example, in 1997, the Council on competitiveness hosted a workshop for the Presidential commission on Critical Infrastructure Protection on education and training issues relating to development and use of critical systems. A theme of the discussion was that corporate security officers and academic experts found little interest in or motivation for increasing trustworthiness by good practice.
|
From page 187... ...
The concepts of control inherent in traditional approaches to security, reliability, and safety may be less and less applicable during the coming years. In contrast to established NISs, where users are often preselected in some way (e.g., bank automated teller machines or the air traffic control system)
|
From page 188... ...
188 TRUST IN CYBERSPACE pressures associated with Y2K and the ECU phenomena illustrate how businesses scramble to solve problems, even though these problems could have been anticipated well beforehand. Moreover, businesses are unlikely to apply relevant extant knowledge to their problems.40 These pressures also foster shifts from custom solutions to selection of recognized, major third-party software systems, such as SAP, thereby contributing to the increasing popularity of commercial off-the-shelf (COTS)
|
From page 189... ...
5. The combination of more open and decentralized networking environments and an increasing use of electronic communications and transactions suggests an increasing demand for major business automation systems.
|
From page 190... ...
An important reason for this decrease in heterogeneity is the rising popularity of COTS software that is driven by cost considerations and risk reduction, insofar as COTS products are known entities and readily available. Scripting languages and COTS software provide the context 42In 1997, a significant majority of computer systems sold (85 percent of personal computers and servers by unit volume)
|
From page 191... ...
The success of large middleware packages underscores the economic and other benefits that users perceive in COTS software. The continued use of SAP, the Web (e.g., Hypertext Transfer Protocol [HTTP]
|
From page 192... ...
Some vendors also incur research-related expenditures in their efforts to bring trustworthiness products to market, although most of this "research" is actually development. The costs associated with security mechanisms are emphasized in this section because of the pivotal role that security controls play as enablers of other aspects of trustworthiness and the expectation that, in the future, trustworthiness problems will be associated increasingly with security concerns.
|
From page 193... ...
The controls contribute to the complexity of the system; the debugging activity is more difficult and may require a longer period. Identifying the Specific Costs Associated with Trustworthiness Accurate estimation of the direct costs associated with specific project features requires a complex and time-consuming analysis that seems to be seldom performed.45 Except in the case of stand-alone products, it is often difficult to separate the costs of "regular" functionality from the costs of "enhanced trustworthiness capability." This allocation can be arbitrary.
|
From page 194... ...
, a well-developed cost model for software engineering, is the centerpiece of Barry Boehm's book, Software Engineering Economics (Boehm, 1981~. Boehm discusses security and privacy issues and the reasons these are excluded in COCOMO (p.
|
From page 195... ...
The difficulty of demonstrating and sustaining success in achieving trustworthiness one can, at best, test a product or practice against a recognized risk imply a dynamic process of iteration.48 In some cases, a lot of care goes into anticipating risks and addressing them preemptively,49 in other cases the trial and error process seems less systematic, and in all cases actual experience drives improvement. Antivirus software provides an example of the inherent limit of anticipation since virus producers continually introduce new strains against which anti-virus software might not work.
|
From page 196... ...
Some technologies, such as those associated with virtual private networks and higher-quality user authentication, do impose some per-user or per-computer costs. Another important reason that security expenditures, as separately identifiable data, are likely to decline results from the integration of security features into general-purpose information technology products.
|
From page 197... ...
Niches exist for targeted products, such as firewalls and antivirus software, and for services such as online updates of antivirus software. These two niches are very competitive; satisfying third-party assessment is provided through trade magazines54 or the International Computer Security's Association certification requirements and constitutes an important competitive advantage.
|
From page 198... ...
Additional influences include competitive pressures that are driving prices down and the potential to understate security expenditures as they become more difficult to identify specifically from general expenditures for information technology products and services.
|
From page 199... ...
Trusted Computer System Evaluation Criteria [TCSEC]
|
From page 200... ...
In the Internet environment, the Internet Engineering Task Force (IETF; see Box 6.2) has focused on the security aspects of Internet standards, addressing both specific security standards and the larger problem of reviewing other standards to ensure that they either are secure or can have security added when needed.58 In other venues, such as trade associations, standards setting for computing and communications is intended to foster interoperability and/or proactively forestall government intervention.
|
From page 201... ...
THE ECONOMIC AND PUBLIC POLICY CONTEXT 20 Standards and Trustworthiness The notion of specification is at the core of all characterizations of trustworthiness attributes. Unless a precise, testable definition for an attribute such as reliability exists, it will not be possible to determine whether the requirements of the definition have been fulfilled.
|
From page 202... ...
There are exceptions, as is illustrated by the DES, whose presence and widespread adoption clearly benefited all concerned. Yet security experts
|
From page 203... ...
THE ECONOMIC AND PUBLIC POLICY CONTEXT 203 consider DES to be an unusual case, given other experiences with standards, which illustrate the risk of treating standards as indicators of assurance (see Box 6.4~.
|
From page 204... ...
Security-based Criteria and Evaluation European and North American governments60 are moving to establish a unified security criteria, called the Common Criteria for Information Technology Security Evaluation. The Common Criteria (CCv2~61 attempts to reconcile the requirements of the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
|
From page 205... ...
Interestingly, this is the zone in which nearly all commer cial security products lie today, because features sell, whereas assurance is the concern of the specialist. On the other side of the diagonal is the "conservative zone," in which mechanisms are placed under a high degree of scrutiny relative to functionality, such as a [fl,a3]
|
From page 206... ...
206 TRUST IN CYBERSPACE the vendor to invest in satisfying the criteria and, in some cases, in paying for the evaluation process itself. The investments can be substantial, particularly in terms of opportunity cost and lost sales because the extended time to market is added to the direct cost of becoming "evaluation ready." A rating is also useful as a reflection of the ability of a product to resist analysis and manipulation by the threat; in this context, the value of a rating is called the "operational value." As noted before, threats are ever increasing, and therefore, the operational value of a rating correspondingly decreases over time.
|
From page 207... ...
A similar phenomenon occurs on the assurance axis. Assurance steps attempt to uncover flaws before a product is exposed to the threat; in some sense they attempt to take a "deeper look" at a mechanism than any element of the threat could afford.
|
From page 208... ...
The CLEF-based evaluations are less expensive and more expeditious than governmentally operated evaluations.63 The NIST, building on a broad program of commercial evaluation of standards compliance, the National Voluntary Laboratory Accreditation Program, has guided commercial evaluation procedures for PIPS 140-1, and it will also build on that program for evaluation of information security products using the Common Criteria under the new National Information Assurance Partnership.64 62Concerns about completeness revolve around the evaluation process, as opposed to the criteria per se. Note that in criteria or standards, completeness concerns tend to arise in specifications for cryptography.
|
From page 209... ...
There is an increasing interest in the standards associated with trustworthiness by governments, industry associations, and the Internet Engineering Task Force.
|
From page 210... ...
, U.S. export controls have also hindered the domestic availability of products incorporating encryption.66 However, if for 66See Computer Science and Telecommunications Board (1991, 1996~.
|
From page 211... ...
To the extent that public policy is unsettled and does not set clear direction, the resulting uncertainty, fear, and doubt affect the marketplace by making it difficult for users and producers to plan for the future. Vendors are reluctant to bring to market products that support security, and potential users are reluctant to adopt information security products that may become obsolete if and when the legal and regulatory environment changes.
|
From page 212... ...
A third point is that cryptographically based information security measures often consume computational resources, such as execution time or memory. For example, routine encryption often slows down a server that provides encryption services.
|
From page 213... ...
THE ECONOMIC AND PUBLIC POLICY CONTEXT 213 and exchanging keys. Without such an infrastructure, encryption may remain a niche feature that is usable only through ad hoc methods replicating some of the functions that an infrastructure would provide and for which demand would thus be limited (CSTB, 1996~.
|
From page 214... ...
Since 1990 (and before 1990, informally) , liberal rules have governed the export of information security products whose functionality is limited to authentication or integrity,7~ a fact that suggests that on balance, national security interests are not significantly affected by widespread foreign access to such products.
|
From page 215... ...
The Computer Security Act74 and the Paperwork Reduction Act75 resulted in Office of Management and Budget Circular A-130, Appendix III, which provides guidance for all federal agencies on their responsibilities regarding computer security. In addition to mission-based goals and activities, two important trends are influencing government interest in NIS trustworthiness.
|
From page 216... ...
The awareness of information systems trustworthiness issues has been heightened by recent initiatives aimed at promoting the development and use of information systems generally, such as the High Performance Computing and Communications Initiative, which coordinated research and development and has become the Computing, Information, and Communications R&D program; the National Information Infrastructure initiative and the Information Infrastructure Task Force, which promoted research and economy-wide use of information infrastructure;77 and the presidential framework for electronic commerce (Office of the President, 1997~. On May 22, 1998, the President signed Presidential Decision Directive 63 (PDD-63)
|
From page 217... ...
, the predecessor of the CIAO and the first national effort to address the vulnerabilities created in the new information age, was established in fuly 1996 by Executive Order 13010.78 Across the federal government, the DOD conducts the largest effort in information systems trustworthiness, through its work on information security as it relates to the nation's security interests. For example, in communications security, the National Communications System group and its parent Defense Information Systems Agency (DISA)
|
From page 218... ...
This act also provided for the provision of technical expertise and advice by the NSA for NIST, where appropriate. Although NIST does carry out its mission within budget constraints, the reality is that NIST's budget is too limited for it to acquire or use significant levels of expertise, with the result of perpetuating NSA's de facto authority and influence in the information security domain.81 In 1997, advisors to the NSA and PCCIP called for greater involvement of NIST with NSA in areas of mutual interest which, given the dependence of the defense information infrastructure on the national information infrastructure, could be quite extensive.
|
From page 219... ...
At the same time, neither the Computer Security Act nor any other legislation assigns responsibility for assisting nongovernmental entities to protect their information systems and networks.83 The PCCIP has called expressly for public-private partnerships to increase information systems trustworthiness, as has the White House Office of Science and Technology Policy (Executive Office of the President, 1997~. Complementary work was undertaken earlier and concurrently by the NSTAC and its Information Assurance Task Force, which drew on participants from private firms.
|
From page 220... ...
support this prospect. The PCCIP endorsed a greater role for NIST while calling for more involvement of a number of agencies in the information assurance cause.
|
From page 221... ...
THE ROLES OF THE NSA, DARPA, AND OTHER FEDERAL AGENCIES IN NIS TRUSTWORTHINESS RESEARCH AND DEVELOPMENT Research relating to NIS trustworthiness is conducted and supported by many federal government organizations. Some agencies conduct research directly (e.g., NSA, Department of Energy national laboratories)
|
From page 222... ...
The Lawrence Livermore National Laboratory is the host for the Computer Security Technology Center, which serves the entire federal government with respect to information security needs. Sandia National Laboratories conducts a variety of research activities that support the development of high-assurance software, more from a reliability and safety rather than a security standpoint.
|
From page 223... ...
The federal government has sought to promote coordination among entities on trustworthiness R&D, and it has linked defense and civilian and mission and research agencies through the HCS working group. There is also an evolving information security (infosec)
|
From page 224... ...
and ultimate source selection decision making to those agencies. 89See "Memorandum of Agreement Between the Advanced Research Projects Agency, the Defense Information Systems Agency, and the National Security Agency Concerning the Information Systems Security Research Joint Technology Office"; MOA effective April 2, 1995.
|
From page 225... ...
As the boundary between communications and computing has blurred, the NSA has focused its protection on information security rather than more narrowly on communications security (see Box 6.6~. The growing dependence on COTS technology in the DOD necessitates a strong NSA interest in COTS trustworthiness and the integration of cryptography into COTS products.
|
From page 226... ...
The National Computer Security Center was formed by NSA in the early 1980s as a communications conduit for information security technology. More recently, the NSA National Cryptologic Strategy92 described and encouraged a "zone of cooperation" among the law enforcement and national security communities, the public sector generally, and the private sector.
|
From page 227... ...
The effectiveness of such outreach efforts has been limited in the past by such factors as public mistrust of a historically secretive agency; the lack of public awareness, understanding, and support for the TCSEC and Evaluated Product List; and the ambiguity inherent in a public outreach arm in an agency constrained by statute to national security interests (CSTB, 1991~. Current efforts may prove more successful, but they must overcome a legacy of suspicion originating in NSA's traditional secrecy as well as its role in controversies surrounding such efforts as the TCSEC, Clipper chip/Fortezza, and its desires for controls on exports of information security devices.95 Other factors inhibit cooperation between NSA and the private sector.
|
From page 228... ...
R2 is the NSA research subunit responsible for information security research programs; it is organized into three research divisions: cryptography, engineering, and computer science. In 1997, R2 had more than 100 staff members and a contracting budget in the tens of millions of dollars, a portion of which is coordinated with DARPA.
|
From page 229... ...
. R2 also supports several efforts to modify COTS products to incorporate new or expanded security functionality (e.g., biometrics access controls and intrusion detection for Windows NT)
|
From page 230... ...
Because NSA both funds external infosec research and performs internal infosec research, questions arise as to the appropriate allocation of effort (internal and external) and its coordination.
|
From page 231... ...
It can encourage a closed community of workers who do not communicate with others in the community either to seek or contribute information. Although R2 has increased its outreach, the conferences in which it seems most active as an organization, the NSA-NIST-sponsored National Information System Security Conference and its own Tech Fest, tend to attract a small community of researchers with long-standing connections to NSA.
|
From page 232... ...
, which supports research disinformation about DARPA is available online at |
From page 233... ...
Other programs within ITO also support research that impinges on NIS trustworthiness in areas such as software engineering, programming languages, computer networks, and mobile communications. For example, encryption, reliability, and various aspects of information security are all concerns in the mobile communications (Global-Mobile)
|
From page 234... ...
For example, in the early to mid-1970s, there was strong interest in DARPA security research, sparked in part by a Defense Science Board task force established to address the security problems of multiaccess, resource-sharing computer systems. In an effort to attain the widely shared goal of creating a multilevel secure operating system, the DOD aggressively funded an external research program that yielded many fun ~02Interview conducted by Jean E
|
From page 235... ...
In any event, the number of computer security researchers is small compared to the number in other specialties, such as operating systems or networks. Among the consequences are a paucity of educational programs in security and a dearth of security experts.
|
From page 236... ...
DARPA funds some research in important areas for NIS trustworthiness. However, other critical topics including containment, denialof-service attacks, and cryptographic infrastructures are not emphasized to the extent that they should be.
|
From page 237... ...
5. The committee believes that increased funding is warranted for both information security research in particular and NIS trustworthiness research in general.
|
From page 238... ...
414422 in Proceedings of the Thirteenth National Computer Security Conference. Washington, DC: NIST/NCSC.
|
From page 239... ...
582-588 in Proceedings of the Eighteenth National Information Systems Security Conference. Baltimore, MD: National Institute of Standards and Technology/National Computer Security Center.
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.