National Academies Press: OpenBook
Suggested Citation:"5. Options for CSTB." National Research Council. 2001. Summary of Discussions at a Planning Meeting on Cyber-Security and the Insider Threat to Classified Information. Washington, DC: The National Academies Press. doi: 10.17226/10197.

unsophisticated hackers and concentrate on how to protect against sophisticated, well-financed attackers. If the costs of attacking a system can be made sufficiently high as to deter all but the most determined, then attention can be paid to the more difficult challenge presented by the truly skilled and motivated adversary (who in many cases may well be an insider). Participants who have studied computer security over many years noted that, unfortunately, hacking information systems is becoming easier rather than more difficult. This is due to a number of factors, including the decline in the quality of COTS software, easily obtainable hacking toolsets and information, increased expertise in the general population, and poor default configurations that are not corrected by users.

5. Options for CSTB

A lively discussion took place about how a CSTB study in this area might best be oriented. As noted in the introduction, participants were nearly unanimous in their agreement that focusing exclusively on classified systems would not be appropriate. Several participants indicated that the Office of the Secretary of Defense (OSD) and the intelligence community can be (and likely already are) persuaded that this is a serious concern, and they would therefore be a good audience for such a study. However, limiting a study to classified networks and the classified aspects of information security would not produce as widely applicable a result as a broader conceptualization would. As has been described, corporations have very sensitive data and systems, and they invest in substantial protection just as the government does. Unclassified networks are often just as important (even in terms of national security) and just as likely to be attacked by a sophisticated adversary as are classified systems.

Participants argued that limiting such a project to classified systems would artificially constrain its sphere of influence. While acknowledging that much could be learned from a limited study that was, nonetheless, broadly applicable in the range of security issues it addressed, participants were concerned that such a limitation would also unnecessarily inhibit the size of the audience for such a report. The government currently uses COTS systems and any examination of such systems in a classified context will also likely produce useful results for those who use such systems in unclassified situations. More troubling is the possibility that a report focused only on classified systems (and the weaknesses in security thereof) could be used against the government were the report to lay out best practices that are not currently in place. CSTB has a history of examining governmental requirements versus commercial requirements and explicating the similarities and differences thereof, making a project of this scope feasible.

NEXT STEPS:

The participants in this meeting encouraged CSTB to develop a proposal for a study to examine high-grade threats (including insider threats) to high-value information systems. The study should focus on national security concerns and classified systems as well as on non-classified, commercial enterprises.


Meeting participants generated questions that such a study might address. They include, in no particular order:

  • What is an appropriate characterization of ‘high-grade threat’ and ‘high-value target’?

  • What are useful techniques to aid those who find themselves in charge of a high-value information system? What are good strategies to employ when a system is under attack by sophisticated adversaries (either self-motivated or organized and well-funded)?

  • What is the extent to which insider and other serious threats are an unacknowledged or unreported issue within various communities?

  • Is there information that should never be placed in electronic form?

  • What is the responsibility of the industry when it comes to building secure systems and what role do recent laws such as the Uniform Computer Information Transactions Act (UCITA) and the Digital Millennium Copyright Act (DMCA) play?

  • What are the sociological and managerial aspects of defending against high-grade threats?

  • What data and what metrics are needed in order to begin modeling the problem of high-grade threats against high-grade targets?

  • What are the upcoming technologies designed to help combat serious threats to high-value systems and what is their potential impact (e.g., what might be the future impact of quantum computing on these issues)?

  • Given the new kinds of system and social organization becoming prevalent (e.g., peer-to-peer), are there changes in the security business model that need to be taken into account?

  • Is software quality declining and therefore making the jobs of those likely to be attacked by serious, well-funded adversaries more difficult? If so, what can be done?


This is a summary of discussions at a planning meeting held November 1-2, 2000 to examine the prospects of initiating an NRC study on cyber-security and the insider threat to classified information. The meeting's focus was on the threat to classified systems and information because the political and organizational issues that often arise with protection policies and practices (e.g., rights to privacy) are considerably fewer and less intense than if sensitive unclassified information (especially non-governmental information) is involved. The meeting also addressed threats other than insider threats as well as non-classified computer systems.
