lengthens the schedule in several ways; for example, adding redundancy increases both hardware and software costs.

Finally, the knowledge that a high-grade threat is waiting to attack a system or component leads developers of high-grade countermeasures to surround their system development with the most extreme forms of secrecy, so as to deny the attacker lead time in analyzing the design and developing attacks.

Because of the extreme cost, short ''security life," and difficult tradeoffs associated with high-grade countermeasures, operations that assess a high-grade threat as possible but not likely should seriously consider strategies that focus on recovery from, rather than prevention of, attack.



Designers of countermeasures who anticipate hacker or common criminal attacks can ignore large classes of vulnerabilities on the grounds that there are easier ways to attack a system, because the low-grade threat will look for the easiest way in.


For example, as high-speed digital encryption system chips become more readily available, they may be used to encrypt specific data channels within a computer system. However, they may also be used by attackers to build special-purpose machines capable of breaking the encryption algorithm itself.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement