dimensions, including correctness, reliability, safety, and survivability, in addition to security. However, the scope of this report, consistent with the committee’s charge, is somewhat narrower: it focuses on security and addresses other trustworthiness issues only to the extent that they relate to security.


Information technology (IT) is essential to the day-to-day operations of companies, organizations, and government. People’s personal lives also involve computing in areas ranging from communication with family and friends to online banking and other household and financial management activities. Companies large and small are ever more reliant on IT to support diverse business processes, ranging from payroll and accounting, to tracking of inventory, operation of sales, and support for research and development (R&D)—that is, IT systems are increasingly needed for companies to be able to operate at all. Critical national infrastructures—such as those associated with energy, banking and finance, defense, law enforcement, transportation, water systems, and government—and private emergency services also depend on IT-based systems and networks; of course, the telecommunications system itself is a critical infrastructure for the nation.

Such dependence on IT will grow. But in the future, computing and communications technologies will also be embedded in applications in which they are essentially invisible to their users. A future of “pervasive computing” will see IT ubiquitously integrated into everyday objects in order to enhance their usefulness, and these objects will be interconnected in ways that further multiply their usefulness. In addition, a growing focus on innovation in the future will require the automation and integration of various services to provide rapid response tailored to the needs of users across the entire economy.

The ability to fully realize the benefits of IT depends on these systems being secure—and yet nearly all indications of the size of the threat, whether associated with losses or damage, type of attack, or presence of vulnerability, point to a continuously worsening problem. Moreover, it is almost certainly the case that reports understate the actual scope of the threat, since some successful attacks are not noticed and others are noticed but not reported.

The gaps between commercial practice and vulnerabilities in critical infrastructure are still wide. Meanwhile, the ability of individuals, organizations, or even state actors to attack the nation’s institutions, its people’s identities, and their online lives in cyberspace has grown substantially. Industry trends toward commoditization have resulted in clear targets for

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.