National Academies Press: OpenBook

The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop (2004)

Chapter: Communications and Computer Security

« Previous: Opening Remarks and Discussion, April 27
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 394
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 395
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 396
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 397
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 398
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 399
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 400
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 401
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 402
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 403
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 404
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 405
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 406
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 407
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 408
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 409
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 410
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 411
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 412
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 413
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 414
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 415
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 416
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 417
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 418
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 419
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 420
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 421
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 422
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 423
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 424
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 425
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 426
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 427
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 428
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 429
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 430
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 431
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 432
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 433
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 434
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 435
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 436
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 437
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 438
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 439
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 440
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 441
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 442
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 443
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 444
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 445
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 446
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 447
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 448
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 449
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 450
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 451
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 452
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 453
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 454
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 455
Suggested Citation:"Communications and Computer Security." National Research Council. 2004. The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/10940.
×
Page 456

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

394 Howard Schmidt "introduction by Session Chair" Transcript of Presentation Summary of Presentation Video Presentation Howard A. Schmidt was appo'nted by President George W. Bush as ~ god Ass'stant to the President and the Vice Chair of the Presidents Critical Infrastructure Protection Board in December 2001~ The Cyber Security Board supports Dr. Condo~a R'ce' Wat'cna~ Security Advisor and Tom Ridge' Secretary of Homeland Security. The Cyber Security Board focuses on bu'~g ~ specialized group of sonar government and private sector ~~s to focus on cyber security 'ssues and coord'nat'~n of security re~d incidents. Previously' Mr~ Schmidt: was chief security officer tor Microsoft Corp.' overseeing the Security Strategies Group' wh'ch was respons'b~e tor ensur'ng the development of ~ trusted comput'ng environment via auditing' p01i0y9 688t practices and incubation of security products and practices Before work'ng at M'crosofI:' Mr~ Schmidt was ~ supervisory spec'a~ agent and d'rector of Me A'~ Foroe Office of Special investigations (AFOSI)' Computer Forensic Lab and Computer Crime and Intorma1:~on Wartare D'v's'~. While there' he estab~d the t'rst ded'cal:~d cord torens' lab into the government. AFOS! specialized in investigating intrusions into government and merry systems by unauthorized persons 'n counter'nte~e organ'~ons and Hymns. Before working at AFOSI' Mr. Schmidt was with the FB! at the National Drug Intelligence Center' where he headed the Computer Exp~n Team. He 's recogn'~d as one of the pioneers 'n the field of computer forensics and computer evidence collection. Before working at the FBl' Mr. Schmidt was ~ city po~e off`~r from ~ 983 to ~ 994 for the po~e department 'n Chandler' A ~ ~ ;Z O ~ ~ a ~rY Schmidt served w'th the U.S. Air Force In various ro~s from ~967 to ~ 983' tech on act've duty and in the civil service He has served in the military reserves since 1989 and currently Amp 83 ~ CredentIa~ed Bugs Maggot l~ fog ENS. Army 8030~g39 Criminal i~g3~ Div's'cn~ He has testified as an expert witness In Aged and mid courts 'n the arg88 0t computer crimes computer torens'cs7 and ~ nternet act'v'ty~ Mr~ St;hm'dI hadl a~o served as the 'nternat'~na~ president of the Intormat'cn Systems Security Assoc'at'cn (ISSA) and the Init~rmatit'n Technology Intormat'cn Sharing and Analysis Center CITE iSAC). He is a former executive board member of the international Organization of Computer Evidence and served as the cocha'~ of the Federa~ Computer tnvest'gat'cns Car Me 's member of the American Academy of Forensic Scientists. He served as an advisory board member tor the Technical Research Inst'tute of the Wat'~ White Coffer Crime Center and 's ~ distinguished special lecturer at the University of Wew Haven in Connecticut' teaching a graduate cert't'caie course 'n torens'~ ComputIngD ~0 80~6 83 8~ 8~6 member of the Pres~dent's Committee of Advisors on Science and Technology in the formation of an Institute for Information Infrastructure Protectors. biro Schmidt was one of 29 Cry leaders ca~d to the White House to meet w'th President C~n ore cyUersecur'ty. He has testified before ~ joint cornm'ttee on computer security and has been instrumental in the creation of public and private partnerships and 'ntormat'cn~ar'ng 'n`~s Mr. Schmidt holds ~ bache~or's degree 'n bus~r~s adm'n'strat'~r~ and AL ~6 600~0 organIzatIona~ mar~ement~ 394

395 395

396 DR. SCHMIDT: Thank you very much. It is great to be here this morning. I think back to the first e-mail I got from Jennifer about this meeting. The title itself is somewhat very ominous as far as mathematics and sciences and homeland security. At first, I thought she was joking with me, in all honesty. As I started thinking about it, as I got the e- mail that said this really wasn't a joke, I started looking into it and thinking, what better way to solve some of the issues that we have got that aren't going to be solved with guns, gates and guards and fences and stuff like that. So I thank you for the opportunity to be here. I am joined by some extremely distinguished folks on the panel and the follow-on review and discussion. I am just going to say their names for right now. After I asked everyone give me some little talking points on your bias and everything, I am probably going to let them do it, because I think I would not do them justice by introducing them my way, so I would like to have them do it themselves. In that vein, as we go through the session this morning, I would like to start out just framing some of the things we are looking at from the White House perspective in this area. As I have talked to the panelists -- and 396

397 their presentation -- in the back of your mind, and I'm sure they will point it out specifically, look at some of the correlations between some of the things we are looking to accomplish in creating a national strategy in defending cyberspace, where is where one of our key focuses is, and some of the things that the panelists are going to be talking about. Going back to my previous comment about thinking this might be a joke, in reality this makes a lot of sense. Listening to what they are going to say, you will see whether there is so much potential in using the talent to solve some of the key problems we have got. I'm not sure if it was Dorothy or someone at one point talked about the big encryption debate that was going around. The comment was made, if you think encryption is the answer to security, you understand neither security nor encryption. So when you look at the picture from the things we are trying to solve, it is just as complex as that. So with that, let me talk about some of the things that the President's Critical Infrastructure Protection Board is looking at as priorities, and then turn it over to my distinguished colleagues here. 397

398 First and foremost, one of the things that we find to be in short supply is awareness. As we have gone around the country, we have talked to government leaders, we have talked to industry leaders. If you get outside that small sphere of security and you talk about security, you get the deer in the headlight look, so people start to drool, going, what are you talking about? Why do I care about this? So there is this component about the awareness and the education we really need to focus on, and build that piece up. One of the ways we are looking at this right now through the education component is, we have created a scholarship program called Scholarships for Service. The National Science Foundation administers it. I think our biggest customer thus far has been the Department of Defense, where they allocate funds through NSF to scholarships to people in advanced degree programs in information assurance, information security. They do a one-for-one; if we pay for one year of tuition, they come back and do one year of government service, two years and two years, et cetera. The intent is to build the cadre of expertise that we have internal to the government, because we lose it 398

399 regularly. Many go back and forth between the private sector. The discussion also goes, though, if we train these people and they come back and do two years of government service, they are going to be prime candidates to go in the public sector. My answer is, wonderful, because who are the owners and operators of the critical infrastructure that we care about? The private sector. So it is a win-win situation. We have a couple of years to beef up the government stuff, which we need desperate help on. At the same time, we have the opportunity for those folks to get some real, live, on the job training, move out into the private sector and then continue to proliferate the wonderful things they have learned. The other priority is the information sharing part. This is a wonderful forum for that as well. There is this pace of activity that goes on that you see in the newspaper all the time. I read one last night. There was a bunch of computer sites in Korea, in which the ill- intended people are doing things and using those to launch attacks on other systems around the world. That is a bad thing. But when you try to get details and you try to get some information, it is 399

400 generally a standoff approach. We are not privy to a lot of the details. We are not privy to a lot of the things that could help us better protect ourselves. So this sharing amongst professionals, and there is no group that does it better than academia, and sharing that information and saying, let's figure out how this is going on, let's figure out the defenses to make it work accordingly. The other one is the R&D component. There is a true belief, at least in the government circle, and I think it is shared by some of my colleagues, I know when I was in the private sector, many of us talked about it, that there is some wonderful R&D being done in the buildings where the walls that have no windows and being done in the venue of national security. There is some really great stuff being done by the researchers in the private sectors to generate things that can be used to bring to market to benefit the public. But there is some space in the middle that we are not sure what that space is. We think there is some really hard- core, thoughtful R&D that needs to be done that is not being funded. So we have asked the Congress to give us a boatload of money, in the tens of millions of dollars, to fund some key programs. People come to us and say, gee, : 400

401 think we can do this, and this will help the overall package and we can help fund these things on the front end. So the R&D is extremely important. I want to touch on another thing that is a priority for us, and that is some pure technology things, the way the Internet was built. That is the domain name servers and border gateway protocols. If you are not familiar with this aspect of it, the domain name servers are those things, when you type in a name, it is converted to a number, when then identifies your address on the Internet. There are about 14 of them out there. So if I wanted to disrupt activity in the online world, be it commercial or be it telecommunications, that is where I will go, because I can knock out those fairly handily because they are addressable from the Internet. They are addressable in spaces where they have to be able to have an in-band address to be able to communicate. So consequently, we have some real concerns about that. I don't think redundancy is the answer. In the border gateway protocols, the language they talk in is insecure. Many times it is done in unclear text. We see in this, particularly going back to the illustration I mentioned about career -- one of the things I cited was 401

402 being able to create denial of service attacks as a result of it. Then there is the priority we have about standards and best practices. Many of you -- and Dorothy and I were just talking about this in the lobby, about the old Orange Book that effectively said, here is the standard to which you design things. Then no one can meet the standard, so consequently they start to give exemptions. Then exemptions led to almost total obliteration of the standard and say don't worry about it anymore, because nobody can meet it. We have got to find a meaningful scientific way to say, we can bring this up. We can raise the standard so we can use the procurement power that we have both within government and outside of government to make sure that the development process meets what we need in the areas of security. Let me broaden security for just a moment, because I am almost fanatical in some cases about this. I want to use the word trust, because security is only a component of it. I will qualify that right now. You have got the security, you've got the privacy, you've got the availability component. There has been a lot of discussion of late -- this is a little bit of a digression from my 402

403 notes here, but there has been a lot of discussion that security is going to trump privacy. I oftentimes get asked, where we are going to level? I don't know. We are still in this aftershock mode after what happened last year. So am I willing to give up a little bit of my privacy for security? I don't know that I will be six months from now, so I don't know what I'll feel. But I think fundamentally, the issue always comes across as an issue of trust. You have to have the security, you have the availability. and best practices The next to have the privacy, you have to have So we are talking about the standards that we look to; those all play into it. one is something that is extremely worrisome to me as well as many of my colleagues, and that is digital control systems. Last year, there was an incident where a disgruntled employee left a company in Australia, went back in in an unauthorized manner, broke into the systems and reversed the flow of raw sewage. Instead of going into the raw sewage treatment plant, they went into one of the local parks. It is all because of accessibility to digital control systems. Look what we are seeing today. We are seeing a lot of these digital control systems being accessible or addressable from the Internet. It makes business sense, 403

404 but it doesn't make security sense. Not only do we have directly accessible from the Internet, but we are finding some that are saying, no, we don't have any addressable space on the Internet, and you find out that they have digital control systems connected to an internal administrative LAN which is then connected to the Internet on the other side, which translates into, they are addressable from the Internet. That is very worrisome. It controls the power grid, it controls the water supplies in many instances. It controls the water flowing over many dams to generate electricity. There is a whole bunch of things that are being controlled by digital control devices right now. When we talk to some of the people that are involved in the technology designing some of these things - - this is something that maybe you all can collectively help with -- they say, we would like to do more. But what happens is, even if we are looking to do a simple thing like authentication a digital control system, when we are talking nanosecond switching time, there is no way to authenticate something and still do the switching in an appropriate manner. So we need to figure out a scientific way to be able to do the authentication without losing the 404

405 gating factor, that we have to do switching of these things. It is a complex problem, and it is only going to be solved by some of the activity that you all are doing. DR. BORGS: I don't understand that. If I can go in from the Internet to reverse the flow of the sewage system, this is not necessarily to make it -- PARTICIPANT: An example. There are other examples. DR. SCHMIDT: Yes, that was a very broad example from something that was very public in the news. DR. BORGS: But where you are worried about this outside the controls, that should not -- DR. CHAYES: The electricity, for example. DR. SCHMIDT: For example, last year there was a storm in the Pacific Northwest. A tree blew down in Oregon and the lights went out in Tucson, Arizona, 1500 miles away. It is all because of the switching controls. Many of the switching controls, for example, in the power grid are based on very, very slight fluctuations in electrical usage that would cause the entire system to switch over to another grid to provide power. Those are the sort of instantaneous controls that need to be switched, but there has also got to be the ability to do 405

406 them on an authenticated mechanism. That is what I am referring to. Lastly, and by all means no less importantly, would be the issues around securing the future systems. I love wireless. I don't know how many of you use it in here, but I couldn't live without it. I did it when I was at Microsoft, I use it at my home now, and I love it, but it is not the most secure environment right now because it hasn't been designed as such. We have grave concerns about it. Many agencies are talking about outlawing the use of it. So consequently, there are issues around the authentication piece, about the encryption piece, and other future generation systems that we are looking at. So with that, I took this opportunity to talk about what we are concerned about in framing a broad perspective, before I turn it over to my distinguished colleagues to talk about their concerns. Thank you very much. I'd like to start out by asking Dorothy Denning to step up and give us her thoughts on it. Thank you. 406

407 Introduction by Session Chair Howarc! SchmicIt Mr. Schmidt ctiscussect some of the priorities of the Presiclent's Critical Infrastructure Protection Boarct. One priority is to buiict awareness of various homeianct security issues and buiict the cadre of expertise that we have internal to the government. One way the government is acictressing this problem is through a program caI1ect Scholarships for Service, which is aciministerect by the National Science Foundation and funclect in large part by the Department of Defense. Scholarships go to people in aclvancecl-clegree programs in information security, who then do a one-for-one payback if government has paid for N years of tuition, recipients return N years of government service. Another priority is information-sharing. We are not privy to a lot of the things that couict help us better protect ourselves. Government needs to be incluclect in the kind of information-sharing among professionals that is clone so well in academia. While wonderful R&D is being clone by the government ctirect~y in the area of national security and by researchers in the private sector, there is some harct-core, thoughtful R&D that needs to be clone but that is not being functect, because it falls between the traditional interests of national security and those of commercial entities. Therefore, the administration has asked Congress for funds to support competitive R&D programs that fill this gap. Other priorities inclucle improving Internet security, and reviewing security stanciarcts for digital control systems, such as power grists or water supplies, some of which are currently accessible from the Internet. Having such systems accessible from the Internet makes business sense, but it doesn't make security sense. 407

408 Dorothy Denning "A Security Challenge: Return on Security investment" Transcript of Presentation Summary of Presentation Power Point Slides Video Presentation Dorothy Denning is a professor in the Department of Defense Analysis at the Naval Postgraduate School. At the time of the workshop, she was the Patricia and Patrick Callahan Family Professor of Computer Science and Director of the Georgetown Institute of Information Assurance at Georgetown University. Dr. Denning has published 120 articles and four books, her most recent being Information Warfare and Security. She is an Association for Computing Machinery (ACM) fellow and recipient of several awards, including the Augusta Ada Lovelace Award and the National Computer Systems Security Award. 408

409 DR . DENNING: Thanks. I was wondering if the slides would magically appear, and they did. So I can relax now. DR. SCHMIDT: Vince Serf and I were at a meeting recently, and Vince in his opening comment was having a similar problem and said, power corrupts, Power Point corrupts absolutely. DR. DENNING: What I thought I would do is just start out with a little bit of data about the state of security currently. This is the data that is reported to the Computer Emergency Response Team at Carnegie-Mellon University. They receive incident reports from people who have had some kind of security incident, generally through the Internet. As you can see in the last couple of years, the number of incidents reported has gone up rather dramatically. On top of that, each incident that is reported to CENT can actually represent an attack against thousands or even hundreds of thousands of host computers. So the Code Red worm, for example, which hit hundreds of thousands of computers is one data point on that chart. It is also true that not all data is reported to CERT. So it doesn't represent all attacks.

This is some more data. This is what was collected by MI 2G in London. This is just web defacements, and again, in the last few years a dramatic Increase . This is one that was collected by Riptech. They are a local company which is a managed security firm that monitors and networks their clients. This represents data collected over a six-month period of 300 of their clients. What it shows is the average number of network attacks against each of their clients over that period. One of the things that is very interesting here is that each company on average is experiencing a greater intensity of attacks, or more attacks. So the increase in attacks on the Internet cannot just be attributed to the fact that maybe there are more computers on the Internet and he Internet is growing. The attacks on a particular company also are increasing. DR. CHAYES: Is that a seasonal thing? DR. DENNING: Who knows? I don't know. We will have to look at the next six months that they get. I hope they will continue this, particularly with those 300 clients, because it will be interesting to see what happens on a long term basis. 410

411 DR. MC CURLEY: You might also look at the release cycle of Outlook, to see if they are correlated. DR. DENNING: One of the things that is interesting is that contrary to a lot of statements that were made, attacks did not go down after September 11. DR. CHAYES: What do you mean? Some people don't know what you mean by an individual attack. DR. DENNING: What is an attack on here? DR. CHAYES: Yes. DR. DENNING: It could be anything from people just scanning their networks to actually getting in the networks, denial of service attacks, anything that involved either penetration or an attempt to penetrate a computer network. PARTICIPANT: (Comments off mike.) DR. DENNING: Ping? I don't remember exactly what DR. SCHMIDT: Some people considering pinging as a base -- for example, if you throw a thousand packets against someone, they consider that an attack. DR. DENNING: That would be definitely, in that case. 411

412 DR. BICKEL: When you break it down, do you get consistent trends? So if you look at the attacks that potentially can cause the most damage, -- DR. DENNING: They did that, too. They broke it down into different categories of attacks. I don't think I have the slide in here for that. I just put a couple of slides in, just to give you a general idea. Their whole report is on the web. If you go to riptech.com, you can get a copy of their report for free. Finally, also more vulnerabilities are being reported in products. It is not just Microsoft, it is Linux and Solaris and everything else. But the vulnerability reports have gone up. When you just think in terms of the raw numbers, over 2,000 last year, 2500, I guess it was, last year, when you think of the impact of trying to deal with all those, if you are a network administrator, that is pretty horrendous. You are looking at several vulnerabilities per day with the patches that you might have to respond to. Responding to patches is not all that straightforward, because you can start patching things up, and it changes your network, and something else might break. So it is a non-trivial exercise. Yes? 412

413 complexity vulnerable? DR. DENNING: Yes. DR. CHAYES: Or do you think that people are just seeing more of the vulnerabilities? DR. DENNING: I don't think I have the slide in here, either, but if you just look at the software itself, it is getting more complex. It is getting bigger. Like, Windows XB is 40 million lines of code, whereas if you go back a few generations, there is less millions of lines of code in it. Then there are more interactions and so on, so it is a difficult problem. So what can we conclude from all that? This is just a statement of the obvious. Either what we have installed in the way security is optimal -- and I want to throw that out as a possibility, even though no one believes that, but it could be that given what the products are that are out there, and what we know about security, right now today, we are doing the best we can, and we need to learn to live with the risk. The other alternative is that it is really not optimal, that we could be doing better. We could be reducing the risk, reducing losses from attacks at a cost DR. CHAYES: Do you think it is due to the of the programs, they actually are more 413

414 that would be lower, so we wouldn't have to spend ten million dollars in order to prevent one million dollars worth of losses. What I want to do is look at the question of return on security investment. A lot of the security that has been developed in the past is based on what we think works, intuition, wisdom, things like this. These are not bad things, but a lot of it is not really based on any empirical data. The goal. Risk security has to be cost effective. It has got to be that the cost that you spend on the security has got to be less than the expected losses that you are protecting against, because you don't have an infinite budget to spend on security, and so you have to put it in places where you are going to reduce risk in a cost effective way. DR. CHAYES: Dorothy, you are talking about the kinds of things that Howard was talking about, like the protection of our water supply and that kind of thing. So actual personal injury resulting. How hard is it to quantify? DR. DENNING: Absolutely hard to measure. Let me just keep going. 414

415 Return on security investment would measure in some way the bang that you got for your buck, so to speak. The comment like you just mentioned is that it is very difficult to measure this, because a lot of it is intangibles. Not only that, you have also got dependencies, so that a loss that you might suffer as your company may also translate into losses to other people who are depending on your business or whatever it is that you offer. So when you go down, they go as well, so there can be a lot of impact. The next slide actually is the same example is the same example that Howard used, so you can get a little more data there. One of the, I thought, very interesting aspects of that case was that this guy tried 46 times apparently to do this. It wasn't until the 46th try that he succeeded. So something was very wrong in whatever security they were deploying there that they didn't pick this up and abort it before it happened. There is some good news there, too. I think what it does suggest is, maybe these attacks aren't all that easy. Here we had an insider; he had a copy of the software, he had helped develop the software and everything else. So while he did pull it off, it wasn't something 415

that just anybody anywhere in the world could have done remotely. One other comment back on that. This particular attack actually led to loss of life. It wasn't human life, but there was wildlife that was killed by that, and it had a pretty severe impact on the environment. To me, the security challenge that has to be met is developing security better than we are doing now, but it has to be the case that it is also cost effective. What that means is that as we go forward, we have to base it on sound mathematical models so that we can do good analysis. Also, we have to base it on empirical data. A lot of the work is not based on empirical data. I can tell you, my colleagues here, one of the things that I have admired about their work is that it has in fact been -- I remember, the first paper I ever read about David Wagner's was the one where he showed that the 40-bit key that Netscape was using was -- he could break it in 30 seconds or something phenomenal. He had the data to show that he could do it, as well. That is the kind of thing we need, so that we actually can support scientifically the best practices and the standards and so on that we develop for security. When 416

you take some of the existing standards, they are not based on any empirical data. Let me just give you a couple of examples of the kind of thing that I have in mind. One of my big beefs is the systems that make me change my password every 30 days or 60 days or something. I hate these things. I would like to see somebody do a study and tell me that if you do that, you are lowering the risk by such and such and that this is a cost effective thing to do. I have never seen any studies to support that, or any of the other quote best practices that are stated for security. There are a lot of questions about what we can expect from a return on security investment if we do certain things. I would like to see research that goes more in that direction. Let me give you some very specific examples. This is an example that was done by researchers in the lab at Stake, which is a security consulting company. A lot of people have said, you should harden your server, and you should shut down the ports you are not using and get rid of the services you are not using and so on. So what they did was, they went out and measured to see what is the effect of doing all that. They looked at several different kinds of networks -- this is just the 417

418 data from one of them -- and what they showed was that you actually get better throughput on your network. So here is a great example of return on security investment. Spend a little bit of time hardening that network, and now your network performs better. So this is the kind of data I had . · , an Mona. Another example. We know that the software is vulnerable. What would be the impact if more effort is put into developing software, so that there are fewer holes in it from the beginning. We know Microsoft now is committed to doing that, trying to develop their software with less bugs in it. Here is some data that shows that in fact, the impact in terms of the cost of responding to a flaw that is found in the software is actually rather dramatic. This is just accounting for the effort required to fix the software on the part of the vendor. This is not even taking into effect the impact on the people who are using the software, and what losses they will experience as a result of the flaws in the software. They have this cost multiplier factor. If you find and fix the flaw in the design stage before you start coding, it costs unit one. When you get to the implementation stage, it is 6.5, testing 15, and when it is 418

419 all the way up to the maintenance, you are up potentially to a cost increase of a hundred fold. Then this slide here just shows again the return on security investment if you can remediate them at different stages. So if you remediate at the design stage, you have a 21 percent increase, and so on. If you want to get the details of these, these were both published in articles that were published in the Secure Business Quarterly. They are on the web. If you type in Secure Business Quarterly into Google or provide, you will probably come up with a website. Then finally, this is on a totally different topic. Since this is math sciences, I started thinking about what kinds of mathematics have been used in security over the years, and came up with a rather lengthy list. But what gave me despair about all this is that we don't teach any of this, except for probability and statistics, in most computer science curriculum, as something that anybody would get. If you take some artificial intelligence courses, you will get some of the stuff related to that, like maybe neural nets and pattern recognition and stuff, but generally, the math itself is not something that most of the students would pick up. 419

420 I don't know if there is something that needs to be done there, or if it is just appropriate to teach the math and the courses where you drop in IT cryptography and you obviously need number theory. So I teach the number theory in the course, because none of the students otherwise would have picked up the number theory from their basic curriculum. The other interesting thing is, when I started out working in security, which was around 1972, 30 years ago, none of this math was used in security at all, with the exception of probability and statistics and number theory starting to show up in cryptography. So we have in many respects come a long way in applying math to the security problems. I think that is all I've got, so thank you. 420

421 A Security Challenge: Return on Security Investment Dorothy Denning Our goad is to develop better security than we have now, in a cost-effective way. One current obstacle is that some existing practices and stanciarcts are not basest on scientific data. For example, many systems require users to change their password every 30 or 60 clays, but there is no scientific study supporting this as a best security practice. In acictition, there is a lack of forma] mathematics in computer science curricula, with the exception of probability and statistics. Security should be basest on empirical data and sound mathematical moclels as opposed to intuition. We need to scientifically support the best practices and stanciarcts. There are two examples of improved return on security investment basest on empirical data: Studies show that by hardening a server, shutting clown ports, and removing unused services, not only floes security cost-effectiveness improve but the network's throughput increases as well. Studies show that developing code with fewer bugs from the beginning is 100 times as cost-effective as fixing bugs cluring the maintenance stage. 421

422 Kevin McCurIey Session on Communications and Computer Security Dr. Kevin McCurley is a computer scientist in the Theory Group at IBM Almaden Research Center. During his career he has worked in several different fields, including number theory, cryptography, information retrieval, and Web data mining. Dr. McCurley received a Ph.D. direction of Paul T. Bateman. in mathematics from the University of Illinois in 1981, under the 422

423 David Wagner "A Few Open Problems in Computer Security" ~ ranscript of Presentation Summary of Presentation Power Point Slides Video Presentation David Wagner is a professor of computer science at the University of California, Berkeley. His research interests include computer security, especially the security of large-scale systems and networks, applications of static and dynamic program analysis to computer security, theory of cryptography, design and analysis of symmetric-key cryptosystems and operating systems, and computer science theory. He is currently working on software security, wireless security, sensor network security, cryptography, and other topics. 423

424 DR. SCHMIDT: While we are doing the mike switch, I'll just take this opportunity to make a couple of quick comments about one of the things that Dorothy had said when we talk about the analysis of the activity in the research we are seeing. One of the challenges that I think we need some help on is looking at developing a methodology to find out where the noise level is. You were asking about pinging. Pinging is basically as far as we are concerned, because there is not a real structure to attack. It can be problematic in a larger sense, but right now we see a lot of noise out there, but not a real good ability to differentiate between what we have to be concerned about and what we have to react to. David, did I give you enough time? DR. WAGNER: While we are bringing the slides up, I am Dave Wagner, and I am from UC-Berkeley. I have to apologize that I wasn't here yesterday, so for my benefit I wonder if I can take a poll just to get a sense for what the audience is like. Here is your chance to stretch. How many of you would identify yourselves as mathematicians, defined however you would like to define it? Any computer scientists? 424

425 PART IC IPANT: their hands up twice. PARTICIPANT: I ' d like to speak up for the unrepresented minority here. I am a statistician. DR . WAGNER: Okay, thanks. I wanted to show you a couple of problems that I had hoped might prove for some fruitful collaboration between the computer security folks and the mathematicians. So I think it is great to see a sprinkling here from both camps. I am not going to be nearly as prolific as Kevin McCurley was. I have only two sets of problems. Let me start off with some general remarks. I am going to say something later in this talk about cryptography, but I would like to remind you that computer security is about a lot more than cryptography. Here is a way to think about the security problem. There are two computers. They want to talk to each other, and yet they don't trust each other. They want to engage in some collaborative computation, possibly in the presence of an adversary, where they may not even have aligned interests or aligned incentives. There are two problems here for security people to solve. First, the communication channel between the two in general may not be secure, as is often the case with the I think some people are putting 425

426 Internet. The second challenge is the end points may not be secure. If you want to think at a very high level, we can think of two techniques in computer security to deal with these problems. To deal with the insecure channel problem we often use cryptography and to deal with the insecure end point problem, we often use other techniques. So let me just warn you that cryptography can't solve both problems. Cryptography isn't the silver bullet that can solve all your problems. If I have got an authenticated connection to Joe Hacker, it doesn't help much, the fact that that connection is encrypted, if he is sending me the latest virus . I'm going to move on to the first of two problem areas that I thought might be interesting to look at. One of the really nice things about this workshop setting is, I thought I could talk about problems and questions where I don't know the answers, or I don't know how to solve them. So I am hoping this will be a discussion, not just a one- way presentation. Since the topic of this workshop is homeland defense, I thought that critical infrastructure protection was an obvious problem area to talk about. If one looks at the infrastructures in the nation, one finds a number of 426

427 critical infrastructures, from the utilities like power, water, oil, gas, to the telecomm industries, your public switch telephone network, Internet and other communications mechanisms, and the financial sector and others. We have become very dependent on these systems. These systems are evolving legacy systems that weren't necessarily designed for security when they were first deployed, and continue to change on the fly. They are becoming increasingly reliant on IT, information technology, which I find troubling, because the security of information technology is not at the level that I would want to put much reliance in. So I think the defining characteristic of the critical infrastructure problem is we have got systems here that are very large scale and are tightly interdependent. If we look at the banking system, the correct functioning of the banking system depends first of all on the correct functioning of many banks, but also on a number of other critical infrastructures. If the power is not on, the banks and the ATMs are probably not going to be working. If the phones are out, then your ATM probably isn't going to work. So we have got tightly interdependent systems, and that means that security is a challenge. 427

428 So let's move on. I wanted to give an example in a little bit of detail, which is one of the critical infrastructures, the power grid. Let me warn you up front that I am definitely not an expert on the power grid. I wanted to share with you some of my recent explorations to learn more, and just be warned to take this with a big grain of salt. This is not my specialty. A quick introduction to the power grid. There are a number of key elements. First of all, there are the loads. That is my laptop, plugged into the wall over there, and your refrigerator, and so on and so forth, and the loads on the power system can vary from time to time, both predictably, seasonally, and unpredictably. There is what we might think of as the power grid the transmission system can be broken down into two parts, the local distribution mechanisms from your local area substation to your home, and there is the long distance transmission lines that span the country. Then of course, there are the generators which actually supply the power to the transmission lines, which make their way to the distribution system and finally to your home. On top of that, it is important to remember that the power grid is not a passive system. It is a system with active feedback loops. There are a number of control 428

429 centers. In fact, the picture here on the lower left is showing the control centers that try to coordinate the power grid. There is a higher level financial settling and bidding and coordination between power providers. So there are a number of issues here. All the layers of the power grid, for instance, the eligible receiver operation run by the NSA in 1997, I believe, is one of the more troubling exercises I am aware of. The NSA put together a number of computer security experts, and their charter was to take off the shelf software they could download off the Net, nothing but what they could download off the Net, without breaking any laws, in a simulated attack try to see what damage could be done in the United States. A number of critical infrastructures were ruled to be at severe risk. The referees ruled that if they had wanted, they could have taken down part of the power grids, substantial portions of the emergency 911 system and other, so that is quite troubling. PARTICIPANT: (Comments off mike.) DR. WAGNER: Unknown. DR. DENNING: They did not actually attack the power grid. This was a paper exercise. PARTICIPANT: (Comments off mike.) 429

430 DR. WAGNER: I don't know. Details are sparse. PARTICIPANT: (Comments off mike.) DR. DENNING: No, they did assume in their paper exercise that anybody with Internet access and just using tools that you could download from the Internet, so it didn't require any special access. DR. SCHMIDT: When we did that, it was just basically an escalation process, where we had a system administrator of a relatively insignificant system, which was connected to another system, connected to another system. Through escalation of privileges, it gives you the ability to reach into this backbone type of environment. DR. WAGNER: So our own vulnerability assessments have reported systems connected by modems or connected to the Internet, their administrators didn't know about, and that is an obvious risk. So I frankly don't know these kinds of details. One of the really problematic features of the power grid that makes life hard for securing the power grid is this feature of cascading filters. It is a tightly interdependent system, and a single failure can cascade and have a very significant effect, too, to affect large parts of the system.

431 Just a couple of examples. In 1989, solar storms caused a failure in Quebec. That is in yellow, the picture on the left. This failure in Quebec affected the power grid throughout all of the United States. You can see these little circles are protective breakers that were tripped by this, that if not for the protective equipment would have caused damage. In fact, some equipment was also damaged on the East Coast. So this map illustrates that local failures can cause global effects. Maybe an even better example is the 1996 blackouts in July and August, particularly the ones in August. There were two line failures that occurred nearby each other. I believe a tree fell on the line or something like this, and this led to oscillations in the power grid that caused eventually blackouts in 13 states and affected millions of folks on the West Coast. In fact, I am told, if I got my sources right, that it is not even completely understood why this caused the failure. So that is quite troubling. That means that our understanding of the power grid is really not at the level we would like it to be. This is caused by the interdependencies in the power grid. If anything, all the evidence suggests that things are going to get better, not worse. For instance, 431

432 the capacity margin, the redundancy built into the system, the over capacity in generation is built into the system. It was about a 25 percent in 1980 and now is about 12 percent, and we can expect this is going to be going down, because projected demand over the next decade is growing at 20 percent, while the projected building of new generation capacity is expected to only grow about three percent. So these are becoming very, very slim margins, and the combination of these trends and deregulation is something to be concerned about. I tried to put together some very simplistic examples that I thought would help give some intuition for how cascading failures can occur. Here is a very simple transmission system with five nodes and seven lines. The idea is that each line may have a different capacity. The lines on the left have a 100,000 volt capacity; anything above that and they fry. The orange lines have a 75,000 volt capacity, and the blue ones have a 25,000 volt capacity -- completely made-up numbers, just to illustrate an example. We can imagine that the resistance in all the lines is the same, so that the amount of current flowing through the line is proportional to the voltage difference across the line. 432

433 Here is a steady state flow through the network. We are trying to transmit 160,000 volts equivalent in current from the left-most node to the right-most node. You can see that due to symmetry, it is going to split evenly up and down. If you work out V equals IR, that tells you you will get the following flows. You can see that the flow is splitting evenly between up and down. In this node it is splitting three to one for the large line. You can check that all these flows are well within capacity. There is plenty of slack here. So we have got about 20,000 volts of capacity over here, and spare capacity may be another 15 dozen volts of spare capacity there. So there is certainly 10,000 or 15,000 or 20,000 volts of spare capacity in the system. Now let's imagine we have a line failure. A tree falls, you have lost this line right here, so this line is going to go away, it fried, it went to zero kilovolts. The load is now redistributed through the rest of the network, again following Ohm's law. We see that the load is now distributed so that more of the load flows down along the bottom half of the network. Here we have some lines in parallel. Now you expect there is no problem. We had plenty of slack laying around, plenty of spare capacity, 433

434 and we lost a line that was carrying 20,000 volts, but we had 20,000 volts of spare capacity laying around, in fact than that, so there should be no problem. If this were a flow problem, all would be well. You could arrange the flows to send this much capacity through, even though you lost the line, because there is plenty of redundancy. But this isn't a flow problem. It is constrained to follow the equipotential Ohm's law and so on and so forth. You find if you take this solution, you find the following flow numbers along the links. You notice that most of these links are well within capacity except that this poor guy right here has capacity for 25,000 volts, and now has gotten 29,000. So that is what happens. He is overloaded, he is going to fry. We lost that link, so that link is now not going to be able to carry any more current, so we have a new solution. The current redistributes itself through the network, nice and symmetric. Now we have got a problem. No problem in this link, we are well within capacity, but now this link has got too much current flowing through it. So we have got an overload there. Once again, those overloaded, and we have killed our network. 434 lines are now

435 So even though a priori it looked like we had plenty of spare capacity, nonetheless losing one line causes the network to become completely disconnected. So this is a very simplistic example, only showing you with capacities. In practice, I believe there are a number of effects you would want to model, not just the capacity. Moreover, this is only the static behavior of the network. In practice, there are also dynamic behaviors as well. When a line is lost the system oscillates a while before it hits the steady state, and those oscillations can be quite important, and I think are poorly understood. So I hope this gives some idea of what we might like to understand about a power network. Let me pose a few research questions for you. Stepping up the level now, thinking not just about power grids, but about principles that might apply to infrastructure protection in general. We have got a large scale system here. It is very interdependent. There are a number of natural questions to ask here. One natural question is, pick a system, can we build a useful predictive model? Can we build a mathematical model that allows us to analytically express some of this properties, and in particular, can we measure security against malicious attack? 435

436 I showed here a system that failed if a tree fell on one line, then the whole system failed. If we are worried about malicious attack on our power system, then we can imagine that a plausible threat model might be that an attacker who is able to figure out where that critical line is will be able to fry a line or fry three carefully chosen lines. So if you have a model, an algorhithmic question might be, is there an efficient way to detect whether there exists any three lines in the power system whose failure will cause you to become disconnected. Right now, I believe what the industry uses is the exhaustive search algorithm. They try all possible thoughts, and their focus so far has been on not so much security against malicious attack as robustness random failures. So the premise is that they only worry about a single failure and they exhaustively all possible single failures to see whether any ~~ ~ - ~ . So I think there against need to look at of them could cause a cascading failure for a lot of progress here. More generally, you might ask, rather than looking at specific systems, you might raise the level of abstraction just a bit more and look at class of systems and ask about the structural properties of such systems. 436 Is room

437 We can imagine that the attackers' capabilities give us some cost metric or some distance metric on systems. The attacker can perturb the system a little it, but not too much. Then we can ask, what are the parameters of these drafts that determine their robustness properties. Can we design systems that are inherently self stabilizing, inherently robust. Moreover, are there any local control rules that insure global stability with only local evolution. I mentioned that the power grid is an adaptive feedback loop. In fact, it is crucial right now that the industry is relying on the ability to have global knowledge of the whole grid. That doesn't scale, and it is going to run into problems with deregulation. So there are a number of research problems that I think might be exciting in this area. I wanted to tell you a little bit about some problems in cryptography that I think might be interesting, particularly to folks interested in the algebraic side of things. Let me tell you about block ciphers, which are useful in cryptography. What is a block cipher? A block cipher is a black box like this. It takes two inputs. It takes a key K and it takes a plain text X and if you fix the key, then 437

438 this is a bijective map on some space. Moreover, we insist that it be bijective for all keys. This just means -- the bijectivity means that it can be decrypted, and should be efficiently computable in both directions. This picture illustrates a common design theme for how you build block ciphers in practice. You build a number of simple transformations, call them rounds, and you compose them, just take the composition. The obvious question to ask is, when is a block cipher secure. Let me give you the definition that turns out to be useful. On the left, we have a block cipher keyed by some key K that is chosen randomly and kept secret by the parties to the conversation. On the right, I want you to imagine pi, which is permutation chosen uniformly at random from the set of all bijective maps on this space. I want you to consider the distributions on this. The block cipher is secure if intuitively it approximates the behavior of a random permutation. Let me give this to you in a very operational sense. Imagine that behind my back I am going to either decide I'm going to give you a block cipher or I am going to decide I'm going to give you a random permutation. You don't know which. If it is the block cipher I am going to pick a key at random, if it is the permutation I am going to pick a permutation at random. 438

439 I am going to build an implementation of them. I am going to stick them inside a black box, and now I hand you the black box. The black box has an input and an output. You can feed any inputs you like and observe the outputs and interact with it adaptively, and your role is to guess how do I substantiate the black box. This is a secure primitive if you can't guess. That is the object. DR. BORGS: Using one instance or several instances? DR. WAGNER: Using one instance. We want to know what is the probability you can correctly identify what kind of black box you have been given. So you can flip a coin and be right with a probability of half, and this is secure if you can't do any better than that, if you have only negligible advantage compared to flipping a coin. Here is an example of a block cipher that has been standardized, that is going to take over the world. It is called the AES. It is the new standard. It is fantastic, it is great. It follows this product cipher methodology, so it iterates the number of rounds. Here is a round. I wanted to show you this in detail, because I wanted to show you just how much 439

440 algebraic structure is present in this structure that is being used in practice. What does a round do? This operates on 16 bytes. So you can think of 16 elements from GF-256. A round we have exclusive or key material, so those are just additions in the finite field. Then we apply 16 S boxes, they are called. They are simply bijective maps. It is effectively just the inversion map in the finite field. Then we hit it with some linear transformations, which are the bottom two layers of the round. We do that about ten times, using different keys in every round. The claim is, as far as we know, the conjecture is that this is a secure block cipher. PARTICIPANT: It is secure in the prayer theoretic model. DR. WAGNER: In the prayer theoretic model. We have no proof whatsoever. In fact, there are good reasons to believe that it is not likely going to be easy to provide a proof. So you can see there is a lot of mathematical structure here. In fact, as I described it so far, this is working entirely in the finite field. That leaves so much structure that that is probably not good for security. So the S box is tweaked a little bit by adding a linear map, 440

441 composing with a linear map that -- anyhow, the details aren't too important. Let's move on. I also wanted to show you a candidate public key encryption cipher that has been proposed. Here is one such candidate. The private key is a pair of linear maps, L and L', general linear maps. They are linear over the finite field with 256 elements. This middle layer consists again of a row of S boxes, but in this case the S boxes will be a bijective map. It is just a cubing map in the finite field. That looks like it is order three; you can think of it as being close to -- remember, the squaring map is the Frobenius map, it is linear, so this is the first power map that is not a linear map. The public key will be the composition of these three layers. Given explicitly, in other words, we write this as a multivariate polynomial with 16 variables over the finite field, and then we write down the coefficients. It is easy to see there can't be too many coefficients, because this is essentially a quadratic function, so the number of coefficients is something like 16 or something. This it turns out is not a public key encryption scheme, but there are schemes much like this that are conjectured to be secure. 441

442 DR. CHAYES: So is this being used now? DR. WAGNER: Not being used yet, because cryptographers are conservative, but it is a promising candidate. It has a number of promising features. Let's move on to the next slide, which will be the conclusion of this area. Let me suggest a problem that I think will be very interesting to know something about. The problem that seems to come up in both these private key and public key settings is the following one. We have a system of N equations. An equation is a multivariate polynomial, N unknowns over some finite field. Typically the kind of finite fields we care about are the two element finite field or the 256 element finite field, or small finite fields of characteristic two. Often the multivariate polynomials are sparse and they are low degree, and we may frequently have a very over-defined system of equations, so many more equations than unknowns. The problem is to efficiently find a solution to this. Here is what is known about this problem. First you might think there is some reason to believe this is a hard problem. If you have the same number of equations as unknowns, even in the case where you have only got quadratic equations, this is empty. So there are unlikely to be efficient algorithms for it. 442

443 Yet, on the other hand, if the number of equations exceeds the square of the number of unknowns, then there is a polynomial time algorithm, linearization. You simply replace all the terms, XI, XJ. There can only be N squared such terms, and choose two such terms. Replace each one by a new linear formal unknown and you solve the linear system of equations with Gaussian elimination. Now the interesting question is, what is in between the two. This linearization led to a successful attack on some of these systems. literature there has been a number of improvements and refinements discovered. It has been found that you can replace this constant half by any other constant and you still have a polynomial time algorithm by a recursive application of linearization. By some ideas inspired from Grobner bases, there is a conjecture that if the number of equations exceeds the number of -- this is an error over here. This is supposed to say, if N exceeds N plus C. C is the number of unknowns plus a small constant. There is an algorithm that the authors have conjectured to be run in sub-exponential time. So that is a significant improvement over the naive algorithm of just guessing a solution. 443 Since then in the crypto

444 The obvious question -- PARTICIPANT: By conventional computer? DR. WAGNER: On a conventional computer. So the obvious question is, why not use Grobner basis algorithms. Let me just say, to my understanding, they are not competitive for these kinds of parameters, because they are exponential in practice and the constants are so huge, that more than 15 unknowns is infeasible, which compares very poorly to the naive exhaustive search attack. So here is a problem that I think might be very interesting to look at, because I believe there would be a number of applications for cryptography. I have used up more than my time, so I'll end here. DR. CHAYES: This is a semi-efficient algorithm, so what are you looking for exactly here? DR. WAGNER: Yes. The research question I think is to understand the complexity of this problem. DR. MC CURLEY: Actually, I think I proposed something like this as a mete problem when Abelman and I wrote this paper on open problems, because it has many facets to it. DR. SCHMIDT: Jennifer, do we take a break now and come back for discussion? 444

445 DR. CHAYES: . Yes, we'll have break, and then we'll have the discussants 445 about a 15-minute .

446 A Few Open Problems in Computer Security Davis! Wagner Two topics might react to fruitful collaboration between computer security people and . . mathematicians: i. Critical infrastructure protection. Infrastructures such as electric power, water, oil, gas, and telecommunications were not necessarily clesignect for security when they were first ctepioyect, and they continue to evolve. They are increasingly ctepenctent on information technology, which is troubling because the security of IT is not reliable enough. "Can we build a mathematical mocle! that allows us to analytically express some of the system's properties? In particular, can we measure security against malicious attack? Is there an efficient way to detect whether there exist any lines in the power system whose single failure will produce a cascading failure? Can we Reconfigure the system to eliminate or bolster these weakest finks? More abstractly, can we design systems that are inherently self-stabilizing- that is, robust? 2. Enhancing security for block ciphers. We shouIcl investigate the AES standard for secure block ciphers. We shouIct investigate a cancticiate public-key encryption cipher that is conjectured to be secure. We shouict investigate a certain po~ynomiaI-time algorithm proclucect by a recursive application of linearization. 446

447 Andrew Odlyzko "Remarks on Communications and Computer Security" Transcript of Presentation Summary of Presentation Video Presentation Andrew Odlyzko is director of the Interdisciplinary Digital Technology Center, holds an ADO professorship, and is an assistant vice president for research at the University of Minnesota. Prior to assuming that position in 2001, he devoted 26 years to research and research management at Bell Telephone Laboratories, AT&T Bell Labs, and AT&T Labs, as that organization evolved and changed its name. Dr. Odlyzko has written more than 150 technical papers in computational complexity, cryptography, number theory, combinatorics, coding theory, analysis, probability theory, and related fields, and has three patents. He has an honorary doctorate from the Universite de la Marne la Vallee and serves on the editorial boards of over 20 technical journals, as well as on several advisory and supervisory bodies. He has managed projects in such diverse areas as security, formal verification methods, parallel and distributed computation, and auction technology. In recent years he has also been working on electronic publishing, electronic commerce, and the economics of data networks, and he is the author of such widely cited papers as "Tragic loss or good riddance: The impending demise of traditional scholarly journals," "The bumpy road of electronic commerce," "Paris Metro pricing for the Internet," "Content is not king," and "The history of communications and its implications for the Internet." He may be known best for an early debunking of the myth that Internet traffic would double every three or four months. Andrew Odlyzko's e-mail address is odlyzko@umn.edu, and all his recent papers as well as other information can be found on his home page at http://www.dtc.umn.edu/~odlyzko. .l ~~ ~ ,,¢ ~~ ~ ~~ At/ - ........ ~. ~~ ::::::::::::::::::::::::::::::::::::::::::::::::: . ~ ~ >.Y~ :; · i:. <,~ . ~ A: ~ ;, >. 447

448 DR. SCHMIDT: Thanks, everyone, for coming back so rapidly. We are going to move to the next section on review and discussion. Michael and Andrew are going to be joining us from the University of Minnesota and Microsoft Research. Michael will make his comments first. Well, would you like to go first? DR. ODLYZKO: When you talk about the difficulty with big secure systems, just think how hard it is to do a very simple coordination system like this one. That is why software is hard. Let me just comment on some of the talks here, and maybe also a bit more generally. Kathy Laskey had some very good comments about general issues, that we have to think about security at a systems level in general, and the issue of what matters to people. When we do that, we also have to think about the general questions of what it is that we mean by security, or what kind of risks we are willing to accept, and look at a whole range of possibilities. Just to make it very clear that we do have a wide range, let me tell you a little joke. The story goes that back in the old days of the Soviet regime, a Western group was visiting the Soviet Union. They are being driven through the Siberian tundra, drive for miles, not a soul in 448

449 sight, deep forest, et cetera. They come to a clearing, and they see a pile of gold bricks, and not a soul in sight, and nothing else. Their tour guide says, how come you have this gold here, totally unprotected? This is a Communist regime. Gold is nothing. The real treasure of the Communist regime are the people; those we watch night and day. So there are different ways to achieve security. The question is, how do you want to do it, and what kind of security do we want. Something that Werner Stuetzle explained yesterday is that we have societies which are much more regimented than ours, which have suffered from terrorism and have managed to live with it. Indeed, while 9/~] was a striking event for us, you see many societies, some quite democratic ones such as the British dealing with the IRA, the German dealing with the Bader-Meinhof gang, the Spanish dealing with the Basques, having certain levels of insecurity and terrorism. So in many ways, one could actually say the task is not necessarily eradicating terrorism, which seems to be hard -- everybody wants to do it, but it seems to be essentially impossible with the limits of some societies -- but keeping it to a tolerable level. 449

450 You may also look at some other risks that we put up with. 40,000 people die on the roads each year, after all. Now there is a big debate about the double nickel, 55 mile per hour speed limit, what effect it would have. If you go for a single nickel, five mile per hour speed limit, you could eliminate those deaths. Well, we are not willing to do that, which says that we are willing to accept a certain level of risk. This then goes back to some of the comments people made, that we have to look at the whole system. We have to look at economics, sociology, politics, general public policy questions that are involved here. Now, to come back to the presentations in the session, Dorothy Denning's presentation was largely at the large systems level, where she is explaining that we should be looking at the economic questions, return on investment. One way I might phrase some of what she said is that one could think about these issues in terms of insurance. Other people have made the same point. I think Ross Anderson may have been first almost a decade ago when he said, when you think about security issues and if you think about what is the right level of security, ask your insurance company.

451 Unfortunately, that doesn't always work very well. The problem is that insurance is unsuccessful when you are dealing with well understood risks. Indeed, all insurance policies that I am aware of exclude war risk, and many of them increasingly are excluding terrorist risks, too. When you are talking about rapidly changing technologies, insurance may not be the right approach. There is also the issue of market failures. The general trend has been for very good reasons to rely increasingly on the markets for resource allocations, but there are market failures. We do not rely on markets to provide police protection, et cetera. There is a question whether the commercial industry is behaving optimally for society, given the incentives they face. That goes to the question of exactly what kind of assurance do we really want as a society, do we want government to either bribe or coerce companies like Microsoft and IBM into producing more secure systems. These are very important questions. These are all very high level questions, and they are also the kind of questions which go to what we might call the integrationist line of thought in science and technology. Mathematics and physics has been more the reductionist approach. This gets to the question of very 451

452 uncomfortable cultural transition that many mathematicians and computer scientists as well have to undergo when faced with these questions. These mathematicians have tended to like nice, neatly posed problems. It is also true of physicists. The theory of gravitation has been cited as one beautiful example, then of course Einstein's theory of relativity, and now we have the search for the ultimate unified theory of physics. On the other hand, if you look at where resources are going or what is happening, they are going to other areas. There is a huge shift in general funding of research and development at the federal level, but also in the commercial sector towards the biomedical sciences. What happens in the search for elementary particles or unified field theory is essentially irrelevant for those areas. Even if physicists succeed beyond their wildest imaginations, nobody can figure how that is going to impact on the bulk of the research that is going on right now not for the next few decades. So we can look at different levels. Most of the problems that society cares about, like reducing the risks of terrorist attacks, seems to be at a system level, the kind of things that Kathy Laskey has been talking about. But there are problems which are more congenial perhaps to 452

453 the traditional mode of operations of mathematicians and computer scientists, and we heard quite a few examples that she cited here. Kevin talked about a variety of problems such as detection of covert -- here we are talking about a much more manageable problem. We can perhaps model it more easily, and can talk about applying a variety of mathematical tools in that situation. General issues of limits on security, exactly how much information is protected by different kinds of crypto systems. This is a very comfortable mathematical question we can attack. David Wagner then posed a variety of questions having to do with algebraic crypt o systems, and this is straight mathematics; we understand exactly what it is. But even in David's presentation we also had questions of the other variety, the integrationist approach, namely, questions about infrastructure security. There are some questions, very nicely posed mathematical questions, that do suggest themselves very easily. others I can see coming out of his presentation. A general question is, do you build networks which are reliable but maybe with centralized controls and efficient, or do you go for redundancy. 453 Or he talked about some more ultra very

454 We see in the 9/~] events much of the success we have seen in communication was due to the fact that we had cell phones, we had wired phones and we have the Internet , . Not a single one of them was faultless, not a single one of them operated as well as we might have wished, but altogether they produced quite a satisfactory response So there is quite a variety of different problems that mathematical scientists can investigate there. DR. Michael? SCHMIDT: Thank you very much, 454 Andrew.

455 Remarks on Communications and Computer Security Andrew OcIlyzko It is important to realize that people are willing to accept some level of risk and that while it is not necessary (or possible) to eradicate risk, it is possible to keep it at a tolerable level. In acictition, when one thinks of security issues, one often thinks of insurance. However, insurance usually cleats with we11-uncterstooct risks. The risks posed by war, terrorism, and changing technology are, in general, poorly unclerstoocl. These types of questions are high-level questions and go to what we might call the intergrationist fine of thought in science and technology. In the past, however, mathematics often took reductionist approach; mathematicians tenclect to like nice, neatly posed problems. Many mathematicians, and computer scientists as well, will have to undergo a very uncomfortable cultural transition when faced with these questions. After all, most of the problems that society cares about, like reducing the risks of terrorist attacks, seem to be at a system level. Nevertheless, many problems are much more congenial to the traditional mocle of operation of mathematicians and computer scientists. Some examples proposed by other participants inclucle the detection of covert channels and questions clearing with algebraic crypto systems. The basic question is, Do you buiict networks that are uitra-reiiabie and efficient but maybe with centralized controls, or do you go for reclunciancy? The events of September ~ ~ seem to indicate the latter, as cell phones, wired phones, and the Internet all worked imperfectly but well enough in the aggregate so that communication was satisfactory. There is quite a variety of different problems that mathematical scientists can investigate without having to change their traditions, though they will have many more to consider if they aclopt, at least some of the time, a more integrationist line of thought. 455

456 Michael Freedman Session on Communications and Computer Security Michael Freedman is a member of the Theory Group at Microsoft Research. Before working at Microsoft, Dr. Freedman was the Charles Lee Powell Professor of Mathematics at the University of California at San Diego. The work for which Dr. Freedman is best known is the solution of the long-standing Poincare conjecture in four dimensions, for which he received the Fields Medal. He has received numerous other awards and honors, including Sloan and Guggenheim Fellowships, a MacArthur Fellowship, and the National Medal of Science. He is an elected member of the National Academy of Sciences, the American Academy of Arts and Sciences, and the New York Academy of Sciences. Dr. Freedman's current research focuses on fundamental problems in the theoretical computer science, in particular on the P/NP question and nonstandard models of computation. 456

Next: Data Integration and Fusion »
The Mathematical Sciences' Role in Homeland Security: Proceedings of a Workshop Get This Book
×
Buy Paperback | $147.00
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Mathematical sciences play a key role in many important areas of Homeland Security including data mining and image analysis and voice recognition for intelligence analysis, encryption and decryption for intelligence gathering and computer security, detection and epidemiology of bioterriost attacks to determine their scope, and data fusion to analyze information coming from simultaneously from several sources.

This report presents the results of a workshop focusing on mathematical methods and techniques for addressing these areas. The goal of the workshop is to help mathematical scientists and policy makers understand the connections between mathematical sciences research and these homeland security applications.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!