Cybersecurity TODAY and TOMORROW

PAY NOW OR PAY LATER

Computer Science and Telecommunications Board

Division on Engineering and Physical Sciences

National Research Council

NATIONAL ACADEMY PRESS
Washington, D.C.




NATIONAL ACADEMY PRESS
2101 Constitution Avenue, N.W.
Washington, D.C. 20418

NOTICE: The projects that are the basis of this synthesis report were approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committees responsible for the final reports of these projects and of the board that produced this synthesis were chosen for their special competences and with regard for appropriate balance.

Core support for the Computer Science and Telecommunications Board (CSTB) is provided by its public and private sponsors, which include federal agencies (the Air Force Office of Scientific Research, Defense Advanced Research Projects Agency, Department of Energy, National Aeronautics and Space Administration, National Institute of Standards and Technology, National Library of Medicine, National Science Foundation, and the Office of Naval Research); the Vadasz Family Foundation; and an evolving mix of charitable corporate and individual contributions. Sponsors enable but do not influence CSTB’s work. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the organizations or agencies that provide support for CSTB.

International Standard Book Number 0-309-08312-5

Additional copies of this report are available from the Computer Science and Telecommunications Board, National Research Council, 2101 Constitution Avenue, N.W., Washington, DC 20418. Call 202-334-2605 or e-mail the CSTB at cstb@nas.edu. This report is also available online at <http://www.cstb.org>.

Copyright 2002 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

Suggested citation: Computer Science and Telecommunications Board, Cybersecurity Today and Tomorrow: Pay Now or Pay Later, National Academy Press, Washington, D.C., 2002.

The National Academies intend for this document to be disseminated as far and as widely as possible, and you are encouraged to do so. To obtain permission to reproduce, reprint, or disseminate this document or portions of it (and it is the intent of the National Academies to grant such permission for noncommercial purposes routinely and promptly), please apply in writing to Dick Morris, Permissions Manager, National Academy Press, by e-mail (dmorris@nas.edu) or fax (202-334-2793), or phone 202-334-3335 for further information.

THE NATIONAL ACADEMIES
National Academy of Sciences
National Academy of Engineering
Institute of Medicine
National Research Council

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Wm. A. Wulf is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chairman and vice chairman, respectively, of the National Research Council.

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

DAVID D. CLARK, Massachusetts Institute of Technology, Chair
DAVID BORTH, Motorola Labs
JAMES CHIDDIX, AOL Time Warner
JOHN M. CIOFFI, Stanford University
ELAINE COHEN, University of Utah
W. BRUCE CROFT, University of Massachusetts at Amherst
THOMAS E. DARCIE, AT&T Labs Research
JOSEPH FARRELL, University of California at Berkeley
JEFFREY M. JAFFE, Bell Laboratories, Lucent Technologies
ANNA KARLIN, University of Washington
BUTLER W. LAMPSON, Microsoft Corporation
EDWARD D. LAZOWSKA, University of Washington
DAVID LIDDLE, U.S. Venture Partners
TOM M. MITCHELL, Carnegie Mellon University
DONALD NORMAN, Nielsen Norman Group
DAVID A. PATTERSON, University of California at Berkeley
HENRY (HANK) PERRITT, Chicago-Kent College of Law
BURTON SMITH, Cray Inc.
TERRY SMITH, University of California at Santa Barbara
LEE SPROULL, New York University
JEANNETTE M. WING, Carnegie Mellon University

MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Senior Scientist
ALAN S. INOUYE, Senior Program Officer
JON EISENBERG, Senior Program Officer
LYNETTE I. MILLETT, Program Officer
CYNTHIA PATTERSON, Program Officer
STEVEN WOO, Program Officer
DAVID PADGHAM, Research Associate
JANET BRISCOE, Administrative Officer
MARGARET HUYNH, Senior Project Assistant
DAVID DRAKE, Senior Project Assistant
JANICE SABUDA, Senior Project Assistant
JENNIFER BISHOP, Senior Project Assistant
BRANDYE WILLIAMS, Staff Assistant

NOTE: For more information on CSTB, see its Web site at <http://www.cstb.org>, or write to CSTB, National Research Council, 2101 Constitution Avenue, N.W., Washington, DC 20418, call at (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.

Preface

Starting with the publication of the report Computers at Risk: Safe Computing in the Information Age in 1991 (National Academy Press, Washington, D.C.), the Computer Science and Telecommunications Board (CSTB) has examined the issue of computer and communications security a number of times, from a number of perspectives. While there has been progress in security, it is a sad commentary on the state of the world that what CSTB wrote more than 10 years ago is still timely and relevant. For those who work in computer security, there is a deep frustration that research and recommendations do not seem to translate easily into deployment and utilization.

The events of September 11, 2001, suggest—indeed demand—that we take a renewed look at the security and robustness of our nation’s infrastructure. Now, if ever, we see the importance of having critical systems resistant to attack and serviceable in times of crisis. From our telephone system to air traffic control to the Internet, we will be greatly harmed if these systems fail us just when we need them most. The vulnerabilities are not new, only freshly brought into focus. And the approaches that will mitigate these threats are not unknown, only underutilized. So CSTB has taken the approach of drawing on its past work to point out that much of what we need to do is available to us now, if only we choose to act.

The staff of the CSTB have assembled this report from the broad base of its existing reports. Herb Lin deserves special thanks for the effort necessary to produce this report quickly.

David D. Clark, Chair
Computer Science and Telecommunications Board

Acknowledgment of Reviewers

This report was reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s (NRC’s) Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making the published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their participation in the review of this report:

Steven Bellovin, AT&T Labs Research
Thomas Berson, Anagram Laboratories
John Davis, Mitretek Systems Inc.
Carl Landwehr, National Science Foundation
Fred Schneider, Cornell University
Willis Ware, RAND Corporation

Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Gerry Dinneen. Appointed by the NRC’s Report Review Committee, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the Computer Science and Telecommunications Board and the National Research Council.

Contents

1  CYBERSECURITY TODAY AND TOMORROW   1
     Background and Introduction, 1
     The Nature of Cyberthreats, 2
     Causes of System and Network Problems, 3
     The Harm from Breaches of Cybersecurity, 6
     What Do We Know About Cybersecurity?, 7
          General Observations, 7
          Management, 8
          Operational Considerations, 10
          Design and Architectural Considerations, 11
     What Can Be Done?, 12
          Individual Organizations, 13
          Vendors of Computer Systems, 13
          Policy Makers, 14

2  EXCERPTS FROM EARLIER CSTB REPORTS   17
     Computers at Risk: Safe Computing in the Information Age (1991), 18
          The Cybersecurity Challenge, 18
          Fundamentals of Cybersecurity, 18
          The Security Experience: Vulnerability, Threat, and Countermeasure, 20
          The Asymmetry Between Offense and Defense, 20
          Confidence in Countermeasures, 21
          On Network Vulnerabilities, 21
          Market Influences on Cybersecurity, 22
          Nontechnical Dimensions of Cybersecurity, 22
     Realizing the Potential of C4I: Fundamental Challenges (1999), 24
          On What a Defense Must Do, 24
          On Practice in the Field, 31
     Trust in Cyberspace (1999), 33
          Cybersecurity and Other Trustworthiness Qualities Interact, 33
          On Managing Risk, 33
          Vulnerabilities in the Public Telephone Network and the Internet, 35
          On Building Secure Systems and Networks, 36
          On the Impact of System Homogeneity (“Monoculture”), 37

WHAT IS CSTB?   39