

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.

OCR for page 394
Howard Schmidt
"Introduction by Session Chair"

Howard A. Schmidt was appointed by President George W. Bush as a Special Assistant to the President and the Vice Chair of the President's Critical Infrastructure Protection Board in December 2001. The Cyber Security Board supports Dr. Condoleezza Rice, National Security Advisor, and Tom Ridge, Secretary of Homeland Security. The Cyber Security Board focuses on building a specialized group of senior government and private sector leaders to focus on cyber security issues and coordination of security related incidents.

Previously, Mr. Schmidt was chief security officer for Microsoft Corp., overseeing the Security Strategies Group, which was responsible for ensuring the development of a trusted computing environment via auditing, policy, best practices and incubation of security products and practices.

Before working at Microsoft, Mr. Schmidt was a supervisory special agent and director of the Air Force Office of Special Investigations (AFOSI), Computer Forensic Lab and Computer Crime and Information Warfare Division. While there, he established the first dedicated computer forensic lab in the government. AFOSI specialized in investigating intrusions into government and military systems by unauthorized persons in counterintelligence organizations and criminals.

Before working at AFOSI, Mr. Schmidt was with the FBI at the National Drug Intelligence Center, where he headed the Computer Exploitation Team. He is recognized as one of the pioneers in the field of computer forensics and computer evidence collection. Before working at the FBI, Mr. Schmidt was a city police officer from 1983 to 1994 for the police department in Chandler, Arizona.

Mr. Schmidt served with the U.S. Air Force in various roles from 1967 to 1983, both on active duty and in the civil service. He has served in the military reserves since 1989 and currently serves as a credentialed special agent with the U.S. Army Reserves, Criminal Investigation Division. He has testified as an expert witness in federal and military courts in the areas of computer crimes, computer forensics, and Internet activity.

Mr. Schmidt had also served as the international president of the Information Systems Security Association (ISSA) and the Information Technology Information Sharing and Analysis Center (IT-ISAC). He is a former executive board member of the International Organization of Computer Evidence and served as the cochairman of the Federal Computer Investigations Committee. He is a member of the American Academy of Forensic Scientists. He served as an advisory board member for the Technical Research Institute of the National White Collar Crime Center and is a distinguished special lecturer at the University of New Haven in Connecticut, teaching a graduate certificate course in forensic computing. He served as an augmented member of the President's Committee of Advisors on Science and Technology in the formation of an Institute for Information Infrastructure Protection.

Mr. Schmidt was one of 29 industry leaders called to the White House to meet with President Clinton on cybersecurity. He has testified before a joint committee on computer security and has been instrumental in the creation of public and private partnerships and information-sharing initiatives.

Mr. Schmidt holds a bachelor's degree in business administration and a master's degree in organizational management.

DR. SCHMIDT: Thank you very much. It is great to be here this morning. I think back to the first e-mail I got from Jennifer about this meeting. The title itself is somewhat very ominous as far as mathematics and sciences and homeland security. At first, I thought she was joking with me, in all honesty. As I started thinking about it, as I got the e-mail that said this really wasn't a joke, I started looking into it and thinking, what better way to solve some of the issues that we have got that aren't going to be solved with guns, gates and guards and fences and stuff like that. So I thank you for the opportunity to be here.

I am joined by some extremely distinguished folks on the panel and the follow-on review and discussion. I am just going to say their names for right now. After I asked everyone give me some little talking points on your bias and everything, I am probably going to let them do it, because I think I would not do them justice by introducing them my way, so I would like to have them do it themselves.

In that vein, as we go through the session this morning, I would like to start out just framing some of the things we are looking at from the White House perspective in this area. As I have talked to the panelists -- and their presentation -- in the back of your mind, and I'm sure they will point it out specifically, look at some of the correlations between some of the things we are looking to accomplish in creating a national strategy in defending cyberspace, which is where one of our key focuses is, and some of the things that the panelists are going to be talking about.

Going back to my previous comment about thinking this might be a joke, in reality this makes a lot of sense. Listening to what they are going to say, you will see whether there is so much potential in using the talent to solve some of the key problems we have got. I'm not sure if it was Dorothy or someone at one point talked about the big encryption debate that was going around. The comment was made, if you think encryption is the answer to security, you understand neither security nor encryption. So when you look at the picture from the things we are trying to solve, it is just as complex as that.

So with that, let me talk about some of the things that the President's Critical Infrastructure Protection Board is looking at as priorities, and then turn it over to my distinguished colleagues here.

First and foremost, one of the things that we find to be in short supply is awareness. As we have gone around the country, we have talked to government leaders, we have talked to industry leaders. If you get outside that small sphere of security and you talk about security, you get the deer in the headlight look, so people start to drool, going, what are you talking about? Why do I care about this? So there is this component about the awareness and the education we really need to focus on, and build that piece up.

One of the ways we are looking at this right now through the education component is, we have created a scholarship program called Scholarships for Service. The National Science Foundation administers it. I think our biggest customer thus far has been the Department of Defense, where they allocate funds through NSF to scholarships to people in advanced degree programs in information assurance, information security. They do a one-for-one; if we pay for one year of tuition, they come back and do one year of government service, two years and two years, et cetera.

The intent is to build the cadre of expertise that we have internal to the government, because we lose it regularly. Many go back and forth between the private sector. The discussion also goes, though, if we train these people and they come back and do two years of government service, they are going to be prime candidates to go in the public sector. My answer is, wonderful, because who are the owners and operators of the critical infrastructure that we care about? The private sector. So it is a win-win situation. We have a couple of years to beef up the government stuff, which we need desperate help on. At the same time, we have the opportunity for those folks to get some real, live, on the job training, move out into the private sector and then continue to proliferate the wonderful things they have learned.

The other priority is the information sharing part. This is a wonderful forum for that as well. There is this pace of activity that goes on that you see in the newspaper all the time. I read one last night. There was a bunch of computer sites in Korea, in which the ill-intended people are doing things and using those to launch attacks on other systems around the world. That is a bad thing. But when you try to get details and you try to get some information, it is generally a standoff approach. We are not privy to a lot of the details. We are not privy to a lot of the things that could help us better protect ourselves. So this sharing amongst professionals, and there is no group that does it better than academia, and sharing that information and saying, let's figure out how this is going on, let's figure out the defenses to make it work accordingly.

The other one is the R&D component. There is a true belief, at least in the government circle, and I think it is shared by some of my colleagues, I know when I was in the private sector, many of us talked about it, that there is some wonderful R&D being done in the buildings where the walls that have no windows and being done in the venue of national security. There is some really great stuff being done by the researchers in the private sectors to generate things that can be used to bring to market to benefit the public. But there is some space in the middle that we are not sure what that space is. We think there is some really hard-core, thoughtful R&D that needs to be done that is not being funded. So we have asked the Congress to give us a boatload of money, in the tens of millions of dollars, to fund some key programs. People come to us and say, gee, I think we can do this, and this will help the overall package and we can help fund these things on the front end. So the R&D is extremely important.

I want to touch on another thing that is a priority for us, and that is some pure technology things, the way the Internet was built. That is the domain name servers and border gateway protocols. If you are not familiar with this aspect of it, the domain name servers are those things, when you type in a name, it is converted to a number, which then identifies your address on the Internet. There are about 14 of them out there. So if I wanted to disrupt activity in the online world, be it commercial or be it telecommunications, that is where I will go, because I can knock out those fairly handily because they are addressable from the Internet. They are addressable in spaces where they have to be able to have an in-band address to be able to communicate. So consequently, we have some real concerns about that. I don't think redundancy is the answer.

In the border gateway protocols, the language they talk in is insecure. Many times it is done in unclear text. We see in this, particularly going back to the illustration I mentioned about Korea -- one of the things I cited was being able to create denial of service attacks as a result of it.

Then there is the priority we have about standards and best practices. Many of you -- and Dorothy and I were just talking about this in the lobby, about the old Orange Book that effectively said, here is the standard to which you design things. Then no one can meet the standard, so consequently they start to give exemptions. Then exemptions led to almost total obliteration of the standard and say don't worry about it anymore, because nobody can meet it. We have got to find a meaningful scientific way to say, we can bring this up. We can raise the standard so we can use the procurement power that we have both within government and outside of government to make sure that the development process meets what we need in the areas of security.

Let me broaden security for just a moment, because I am almost fanatical in some cases about this. I want to use the word trust, because security is only a component of it. I will qualify that right now. You have got the security, you've got the privacy, you've got the availability component. There has been a lot of discussion of late -- this is a little bit of a digression from my notes here, but there has been a lot of discussion that security is going to trump privacy. I oftentimes get asked, where we are going to level? I don't know. We are still in this aftershock mode after what happened last year. So am I willing to give up a little bit of my privacy for security? I don't know that I will be six months from now, so I don't know what I'll feel. But I think fundamentally, the issue always comes across as an issue of trust. You have to have the security, you have to have the privacy, you have to have the availability. So we are talking about the standards and best practices that we look to; those all play into it.

The next one is something that is extremely worrisome to me as well as many of my colleagues, and that is digital control systems. Last year, there was an incident where a disgruntled employee left a company in Australia, went back in in an unauthorized manner, broke into the systems and reversed the flow of raw sewage. Instead of going into the raw sewage treatment plant, they went into one of the local parks. It is all because of accessibility to digital control systems.

Look what we are seeing today. We are seeing a lot of these digital control systems being accessible or addressable from the Internet. It makes business sense, but it doesn't make security sense. Not only do we have directly accessible from the Internet, but we are finding some that are saying, no, we don't have any addressable space on the Internet, and you find out that they have digital control systems connected to an internal administrative LAN which is then connected to the Internet on the other side, which translates into, they are addressable from the Internet. That is very worrisome. It controls the power grid, it controls the water supplies in many instances. It controls the water flowing over many dams to generate electricity. There is a whole bunch of things that are being controlled by digital control devices right now.

When we talk to some of the people that are involved in the technology designing some of these things -- this is something that maybe you all can collectively help with -- they say, we would like to do more. But what happens is, even if we are looking to do a simple thing like authenticating a digital control system, when we are talking nanosecond switching time, there is no way to authenticate something and still do the switching in an appropriate manner. So we need to figure out a scientific way to be able to do the authentication without losing the

A Few Open Problems in Computer Security
David Wagner

Two topics might lead to fruitful collaboration between computer security people and mathematicians:

1. Critical infrastructure protection. Infrastructures such as electric power, water, oil, gas, and telecommunications were not necessarily designed for security when they were first deployed, and they continue to evolve. They are increasingly dependent on information technology, which is troubling because the security of IT is not reliable enough. Can we build a mathematical model that allows us to analytically express some of the system's properties? In particular, can we measure security against malicious attack? Is there an efficient way to detect whether there exist any lines in the power system whose single failure will produce a cascading failure? Can we reconfigure the system to eliminate or bolster these weakest links? More abstractly, can we design systems that are inherently self-stabilizing, that is, robust?

2. Enhancing security for block ciphers. We should investigate the AES standard for secure block ciphers. We should investigate a candidate public-key encryption cipher that is conjectured to be secure. We should investigate a certain polynomial-time algorithm produced by a recursive application of linearization.

Andrew Odlyzko
"Remarks on Communications and Computer Security"

Andrew Odlyzko is director of the Interdisciplinary Digital Technology Center, holds an ADC professorship, and is an assistant vice president for research at the University of Minnesota. Prior to assuming that position in 2001, he devoted 26 years to research and research management at Bell Telephone Laboratories, AT&T Bell Labs, and AT&T Labs, as that organization evolved and changed its name.

Dr. Odlyzko has written more than 150 technical papers in computational complexity, cryptography, number theory, combinatorics, coding theory, analysis, probability theory, and related fields, and has three patents. He has an honorary doctorate from the Universite de la Marne la Vallee and serves on the editorial boards of over 20 technical journals, as well as on several advisory and supervisory bodies. He has managed projects in such diverse areas as security, formal verification methods, parallel and distributed computation, and auction technology.

In recent years he has also been working on electronic publishing, electronic commerce, and the economics of data networks, and he is the author of such widely cited papers as "Tragic loss or good riddance: The impending demise of traditional scholarly journals," "The bumpy road of electronic commerce," "Paris Metro pricing for the Internet," "Content is not king," and "The history of communications and its implications for the Internet." He may be known best for an early debunking of the myth that Internet traffic would double every three or four months.

Andrew Odlyzko's e-mail address is odlyzko@umn.edu, and all his recent papers as well as other information can be found on his home page at http://www.dtc.umn.edu/~odlyzko.

DR. SCHMIDT: Thanks, everyone, for coming back so rapidly. We are going to move to the next section on review and discussion. Michael and Andrew are going to be joining us from the University of Minnesota and Microsoft Research. Michael will make his comments first. Well, would you like to go first?

DR. ODLYZKO: When you talk about the difficulty with big secure systems, just think how hard it is to do a very simple coordination system like this one. That is why software is hard.

Let me just comment on some of the talks here, and maybe also a bit more generally. Kathy Laskey had some very good comments about general issues, that we have to think about security at a systems level in general, and the issue of what matters to people. When we do that, we also have to think about the general questions of what it is that we mean by security, or what kind of risks we are willing to accept, and look at a whole range of possibilities.

Just to make it very clear that we do have a wide range, let me tell you a little joke. The story goes that back in the old days of the Soviet regime, a Western group was visiting the Soviet Union. They are being driven through the Siberian tundra, drive for miles, not a soul in sight, deep forest, et cetera. They come to a clearing, and they see a pile of gold bricks, and not a soul in sight, and nothing else. Their tour guide says, how come you have this gold here, totally unprotected? This is a Communist regime. Gold is nothing. The real treasure of the Communist regime are the people; those we watch night and day.

So there are different ways to achieve security. The question is, how do you want to do it, and what kind of security do we want. Something that Werner Stuetzle explained yesterday is that we have societies which are much more regimented than ours, which have suffered from terrorism and have managed to live with it. Indeed, while 9/11 was a striking event for us, you see many societies, some quite democratic ones such as the British dealing with the IRA, the German dealing with the Baader-Meinhof gang, the Spanish dealing with the Basques, having certain levels of insecurity and terrorism. So in many ways, one could actually say the task is not necessarily eradicating terrorism, which seems to be hard -- everybody wants to do it, but it seems to be essentially impossible with the limits of some societies -- but keeping it to a tolerable level.

You may also look at some other risks that we put up with. 40,000 people die on the roads each year, after all. Now there is a big debate about the double nickel, 55 mile per hour speed limit, what effect it would have. If you go for a single nickel, five mile per hour speed limit, you could eliminate those deaths. Well, we are not willing to do that, which says that we are willing to accept a certain level of risk.

This then goes back to some of the comments people made, that we have to look at the whole system. We have to look at economics, sociology, politics, general public policy questions that are involved here.

Now, to come back to the presentations in the session, Dorothy Denning's presentation was largely at the large systems level, where she is explaining that we should be looking at the economic questions, return on investment. One way I might phrase some of what she said is that one could think about these issues in terms of insurance. Other people have made the same point. I think Ross Anderson may have been first almost a decade ago when he said, when you think about security issues and if you think about what is the right level of security, ask your insurance company.

Unfortunately, that doesn't always work very well. The problem is that insurance is unsuccessful when you are dealing with well understood risks. Indeed, all insurance policies that I am aware of exclude war risk, and many of them increasingly are excluding terrorist risks, too. When you are talking about rapidly changing technologies, insurance may not be the right approach.

There is also the issue of market failures. The general trend has been for very good reasons to rely increasingly on the markets for resource allocations, but there are market failures. We do not rely on markets to provide police protection, et cetera. There is a question whether the commercial industry is behaving optimally for society, given the incentives they face. That goes to the question of exactly what kind of assurance do we really want as a society, do we want government to either bribe or coerce companies like Microsoft and IBM into producing more secure systems. These are very important questions.

These are all very high level questions, and they are also the kind of questions which go to what we might call the integrationist line of thought in science and technology. Mathematics and physics has been more the reductionist approach. This gets to the question of very uncomfortable cultural transition that many mathematicians and computer scientists as well have to undergo when faced with these questions. These mathematicians have tended to like nice, neatly posed problems. It is also true of physicists. The theory of gravitation has been cited as one beautiful example, then of course Einstein's theory of relativity, and now we have the search for the ultimate unified theory of physics.

On the other hand, if you look at where resources are going or what is happening, they are going to other areas. There is a huge shift in general funding of research and development at the federal level, but also in the commercial sector towards the biomedical sciences. What happens in the search for elementary particles or unified field theory is essentially irrelevant for those areas. Even if physicists succeed beyond their wildest imaginations, nobody can figure how that is going to impact on the bulk of the research that is going on right now not for the next few decades.

So we can look at different levels. Most of the problems that society cares about, like reducing the risks of terrorist attacks, seems to be at a system level, the kind of things that Kathy Laskey has been talking about. But there are problems which are more congenial perhaps to the traditional mode of operations of mathematicians and computer scientists, and we heard quite a few examples that she cited here.

Kevin talked about a variety of problems such as detection of covert -- here we are talking about a much more manageable problem. We can perhaps model it more easily, and can talk about applying a variety of mathematical tools in that situation. General issues of limits on security, exactly how much information is protected by different kinds of crypto systems. This is a very comfortable mathematical question we can attack.

David Wagner then posed a variety of questions having to do with algebraic crypto systems, and this is straight mathematics; we understand exactly what it is. But even in David's presentation we also had questions of the other variety, the integrationist approach, namely, questions about infrastructure security.

There are some questions, very nicely posed mathematical questions, that do suggest themselves very easily. Or he talked about some more; others I can see coming out of his presentation. A general question is, do you build networks which are ultra reliable but maybe with centralized controls and very efficient, or do you go for redundancy.

We see in the 9/11 events much of the success we have seen in communication was due to the fact that we had cell phones, we had wired phones and we have the Internet. Not a single one of them was faultless, not a single one of them operated as well as we might have wished, but altogether they produced quite a satisfactory response.

So there is quite a variety of different problems that mathematical scientists can investigate there.

DR. SCHMIDT: Thank you very much, Andrew. Michael?

Remarks on Communications and Computer Security
Andrew Odlyzko

It is important to realize that people are willing to accept some level of risk and that while it is not necessary (or possible) to eradicate risk, it is possible to keep it at a tolerable level. In addition, when one thinks of security issues, one often thinks of insurance. However, insurance usually deals with well-understood risks. The risks posed by war, terrorism, and changing technology are, in general, poorly understood.

These types of questions are high-level questions and go to what we might call the integrationist line of thought in science and technology. In the past, however, mathematics often took a reductionist approach; mathematicians tended to like nice, neatly posed problems. Many mathematicians, and computer scientists as well, will have to undergo a very uncomfortable cultural transition when faced with these questions. After all, most of the problems that society cares about, like reducing the risks of terrorist attacks, seem to be at a system level.

Nevertheless, many problems are much more congenial to the traditional mode of operation of mathematicians and computer scientists. Some examples proposed by other participants include the detection of covert channels and questions dealing with algebraic crypto systems. The basic question is, Do you build networks that are ultra-reliable and efficient but maybe with centralized controls, or do you go for redundancy? The events of September 11 seem to indicate the latter, as cell phones, wired phones, and the Internet all worked imperfectly but well enough in the aggregate so that communication was satisfactory.

There is quite a variety of different problems that mathematical scientists can investigate without having to change their traditions, though they will have many more to consider if they adopt, at least some of the time, a more integrationist line of thought.

Michael Freedman
Session on Communications and Computer Security

Michael Freedman is a member of the Theory Group at Microsoft Research. Before working at Microsoft, Dr. Freedman was the Charles Lee Powell Professor of Mathematics at the University of California at San Diego. The work for which Dr. Freedman is best known is the solution of the long-standing Poincaré conjecture in four dimensions, for which he received the Fields Medal. He has received numerous other awards and honors, including Sloan and Guggenheim Fellowships, a MacArthur Fellowship, and the National Medal of Science. He is an elected member of the National Academy of Sciences, the American Academy of Arts and Sciences, and the New York Academy of Sciences. Dr. Freedman's current research focuses on fundamental problems in theoretical computer science, in particular on the P/NP question and nonstandard models of computation.