attention can be turned to forensics in an attempt to identify the attacker[23] and acquire evidence suitable for prosecution or retaliation. In the end, this ability is critical to long-term deterrence.
Given that penetration of computer and telecommunications networks is likely to continue despite our best efforts to build better perimeter security, more resilient and robust systems are necessary, with backup and recovery as essential elements.
New approaches to decontamination are also needed, especially when a system cannot be shut down for decontamination purposes. At present, much of the activity associated with a properly running system interferes with decontamination efforts (particularly with respect to identifying a source of contamination and eliminating it).
Recommendation 5.6: Recovery Research
Develop schemes for backing up large systems, in real time and under “hostile” conditions, that can capture the most up-to-date, but correct, snapshot of the system state.
Create new decontamination approaches for discarding as little good data as possible, and for removing active and potential infections, on a system that cannot be shut down for decontamination.
A number of issues cut across the basic taxonomy of detect and identify, contain, and recover described above.
Reducing Buggy Code. Progress in making systems more reliable will almost certainly make them more resistant to deliberate attack as well. But buggy code underlies many reliability problems, and no attempt to secure systems can succeed if it does not take this basic fact into account.[24]
Buggy software is largely a result of the fact that, despite many years of serious and productive research in software engineering, the creation of software is still more craft than science-based engineering. Furthermore, the progress that has been made is only minimally relevant to the legacy software systems that remain in use throughout the infrastructure.
Software-system bugs can result from a variety of causes, ranging from low-level syntax errors (e.g., a mathematical expression uses a “plus” sign when it should use a “minus” sign) to fundamental design flaws (e.g., the system functions as it was designed to function, but it does so in an inappropriate place).