The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.

7 Conclusions and Research Recommendations

The vulnerability of our nation's critical infrastructures is attracting considerable attention. Presidential Decision Directive 63, issued in May 1998, called for a national effort to ensure the security of the nation's critical infrastructures for communication, finance, energy distribution, and transportation. These infrastructures all exhibit a growing dependence on networked information systems (NISs) that are not sufficiently trustworthy, and that dependence is a source of vulnerability to the infrastructures and the nation. Today's NISs are too often unable to tolerate environmental disturbances, human user and operator errors, and attacks by hostile parties. Design and implementation errors mean that satisfactory operation would not be guaranteed even under ideal circumstances.

There is a gap between the state of the art and the state of the practice. More-trustworthy NISs could be built and deployed today. Why are these solutions not being implemented? The answer lies in the workings of the market, in existing federal policies regarding cryptography, in ignorance about the real costs of trustworthiness (and of not having trustworthiness) to consumers and producers, and in the difficulty of measuring trustworthiness.

There is also a gap between the needs and expectations of the public (along with parts of government) and the extant science and technology base for building trustworthy NISs. Trustworthiness is a multidimensional property of an entire system, and going beyond what is known today will require research breakthroughs. Methods to strengthen one dimension can compromise another; building trustworthy components

does not suffice, for the interconnections and interactions of components play a significant role in NIS trustworthiness.

Security is certainly important (with some data indicating that the number of attacks is growing exponentially and anecdotal evidence suggesting that attackers are becoming more sophisticated every day), but it is not all that is important. The substantial commercial off-the-shelf (COTS) makeup of an NIS, the use of extensible components, the expectation of growth by accretion, and the likely absence of centralized control, trust, or authority demand a new approach to security: risk mitigation rather than risk avoidance, technologies to hinder attacks rather than prevent them outright, add-on technologies and defense in depth, and relocation of vulnerabilities rather than their elimination. But other aspects of trustworthiness also demand progress and also will require new thinking, because the networked environment and the scale of an NIS impose novel constraints, enable new types of solutions, and change engineering tradeoffs.

Other studies related to critical infrastructures have successfully raised public awareness and advocated action. This study focuses on describing and analyzing the technical problems and how they might be solved through research, thereby providing some direction for that action. The detailed research agenda presented in the body of this report was derived by surveying the state of the art, current practice, and technological trends with respect to computer networking and software. A summary of the committee's findings, conclusions, and recommendations follows.

PROTECTING THE EVOLVING PUBLIC TELEPHONE NETWORK AND THE INTERNET

The public telephone network is increasingly dependent on software and databases that constitute new points of vulnerability. Business decisions are also creating new points of vulnerability. Protective measures need to be developed and implemented.

The public telephone network (PTN) is evolving. Value-added services (e.g., call forwarding) rely on call-translation databases and adjunct processors, which introduce new points of vulnerability. Some of the new services are themselves vulnerable. For example, caller ID is increasingly used by PTN customers to provide authenticated information, but the underlying telephone network is unable to provide this information with a high assurance of authenticity.

Management of the PTN is evolving as well. Technical and market

forces have led to reductions in reserve capacity and the number of geographically diverse redundant routings. Failure of a single link can now have serious repercussions. Cross-connects and multiplexors, which are used to route calls, are becoming dependent on complex software running in operations support systems (OSSs). In addition to the intrinsic vulnerabilities associated with any complex software, information about OSSs is becoming less proprietary owing to deregulation. Information about controlling the OSSs will thus become more widespread, and the vulnerabilities of the OSSs will become known to larger numbers of attackers. Similarly, the Signaling System 7 (SS7) network used to manage central office switches was designed for a small, closed community of telephone companies; with deregulation will come increased opportunities for insider attacks. Telephone companies are also increasingly sharing facilities and technology with each other and the Internet, thereby creating yet another point of new vulnerability. Internet telephony is likely to cause the PTN to become more vulnerable, because Internet-based networks use the same channels for both user data transmission and network management and because the end points on the Internet are much more subject to failure than those of the PTN.

Attacks on the telephone network have, for the most part, been directed at perpetrating billing fraud. The frequency of those attacks is increasing, and the potential for more disruptive attacks, with harassment and eavesdropping as goals, is growing. Thus, protective measures are needed. Better protection is needed for the many number-translation and other databases used in the PTN. Telephone companies need to enhance the firewalls that connect their OSSs to the Internet and to enhance the physical security of their facilities.

In some respects, the Internet is becoming more secure as its protocols are improved and as security measures are more widely deployed at higher levels of the protocol stack. However, the increasing complexity of the Internet's infrastructure contributes to its increasing vulnerability. The end points (hosts) of the Internet continue to be vulnerable. As a consequence, the Internet is ready for some business use, but abandoning the PTN for the Internet would not be prudent for most. The Internet is too susceptible to attacks and outages to be a viable basis for controlling critical infrastructures. Existing technologies could be deployed to improve the trustworthiness of the Internet, although many questions about what measures would suffice do not currently have answers because good basic data (e.g., on Internet outages) is scant.

The operation of the Internet today depends on routing and name-to-address translation services. The list of critical services will likely expand to include directory services and public-key certificate servers. Analogous to the PTN, these services, because they depend on databases, constitute points of vulnerability. New countermeasures for name-server attacks are thus needed. They must work well in large-scale, heterogeneous environments. Cryptographic mechanisms to secure the name service do exist; however, deployment to date has been limited.

Cryptography, while not in itself sufficient, is essential to the protection of both the Internet and its end points. Wider deployment of cryptography is needed. Authentication-only algorithms are largely free from export and usage restrictions, and they could go a long way toward helping.

There is a tension between the capabilities and vulnerabilities of routing protocols. The sharing of routing information facilitates route optimization, but such cooperation also increases the risk that malicious or malfunctioning routers can compromise routing. In any event, current Internet routing algorithms are inadequate because they do not scale well, they require central processing unit (CPU)-intensive calculations, and they cannot implement diverse or flexible policies. Furthermore, no effective means exist to secure routing protocols, especially on backbone routers. Research in these areas is urgently needed.

Networks formed by interconnecting extant independent subnetworks present unique challenges for controlling congestion (because local provider optimizations may not lead to good overall behavior) and for implementing security (because trust relationships between network components are not homogeneous). A better understanding is needed of the Internet's current traffic profile and how it will evolve. In addition, fundamental research is needed into mechanisms for managing congestion in the Internet, especially in a way that does not conflict with network security mechanisms like encryption. Attacks that result in denial of service are increasingly common, and little is known about defending against them.

Operational errors represent a major source of outages for the PTN and the Internet. Some of these errors could be prevented by implementing known techniques, whereas others require research to develop preventative measures. Some errors could be prevented through improved operator training and contingency planning. However, the scale and complexity of both the PTN and the Internet (and NISs in general) create the need for tools and systems to improve an operator's understanding of a system's state

and the means by which the system can be controlled. For example, research is needed into ways to meaningfully portray and display the state of a large, complex network to a human operator. Research and development are needed to develop conceptual models that will allow human operators to grasp the state of a network and to understand the consequences of actions that the operator can take. Improved routing-management tools are needed for the Internet, because they will free human operators from an activity that is error prone.

MEETING THE URGENT NEED FOR SOFTWARE THAT IMPROVES TRUSTWORTHINESS

The design of trustworthy networked information systems presents profound challenges for system architecture and project planning. Little is understood, and this lack of understanding ultimately compromises trustworthiness.

System-level trustworthiness requirements are typically first characterized informally. The transformation of these informal notions into precise requirements that can be imposed on individual system components is difficult and often beyond the current state of the art. Whereas a large software system such as an NIS cannot be developed defect free, it is possible to improve the trustworthiness of such a system by anticipating and targeting vulnerabilities. But to determine, analyze, and, most importantly, prioritize these vulnerabilities requires a good understanding of how subsystems interact with each other and with the other elements of the larger system; obtaining such an understanding is not possible today. The use of some systematic development processes seems to contribute to the quality of NISs. Project management, a long-standing challenge in software development, is especially problematic when building NISs because of the large and complex nature of such systems and because of the continual software changes.

The challenges of software engineering, which have been formidable ones for so many years, are even more urgent in the context of networked information systems. To develop an NIS, subsystems must be integrated, but little is known about doing this. In recent years, academic researchers have directed their focus away from large-scale integration problems; this trend must be reversed.

NISs pose new challenges for integration because of their distributed nature and the uncontrollability of most large networks. Thus, testing subsets of a system cannot adequately establish confidence in an entire NIS, especially when some of the subsystems are uncontrollable or unobservable, as is likely in an NIS that has evolved to encompass legacy software. In addition, NISs are generally developed and deployed incrementally. Techniques to compose subsystems in ways that contribute directly to trustworthiness are therefore needed.

There exists a widening gap between the needs of software practitioners and the problems that are being attacked by the academic research community. In most academic computer science research today, researchers are not confronting problems related to large-scale integration and students do not develop the skills or intuition necessary for developing software that not only works but also works in the context of software written by others. A renewed emphasis on large-scale development efforts is called for.

It is clear that networked information systems will include COTS components into the foreseeable future. However, the relationship between the use of COTS components and NIS trustworthiness is unclear. Greater attention must be directed toward improving our understanding of this relationship.

COTS software offers both advantages and disadvantages to an NIS developer. COTS components can be less expensive, have greater functionality, and be better engineered and tested than is feasible for customized components. Yet, the use of COTS products could make developers dependent on outside vendors for the design and enhancement of important components. Also, specifications of COTS components tend to be incomplete and to compel user discovery of features by experimentation. COTS software originally evolved in a stand-alone environment where trustworthiness was not a primary concern. That heritage remains visible. Moreover, market pressures limit the time that can be spent on testing before releasing a piece of COTS software. The market also tends to emphasize features that add complexity but are useful only for a minority of applications.

Although there are accepted processes for component design and implementation, the novel characteristics of NISs raise questions about the utility of these processes. Modern programming languages include features that promote trustworthiness, and the potential may exist for further gains from research.

The performance needs of NISs can be inconsistent with modular design, and this limits the applicability of various processes and tools. It is difficult to devise component-level acceptance tests that fully capture the intent of systems-level requirements statements. This is particularly true for nonfunctional and user-interface requirements. Basing the development of an NIS on libraries of reusable, trusted components and using those components in critical areas of the system can provide a cost-effective way for implementing component-level dimensions of trustworthiness. Commercial software that includes reusable components or infrastructure is now available, but it is too early to know how successful it will be.

As a practical matter, the use of higher-level languages increases trustworthiness to a degree that outweighs any risks, although there is inadequate experimental evidence to justify the utility of any specific programming language or language feature with respect to improving trustworthiness. Modern programming languages include features, such as compile-time checks and support for modularity and component integration, that promote trustworthiness. The potential may exist for further gains by developing even more-expressive type systems and other compile-time analysis techniques.

Formal methods are being used with success in commercial and industrial settings for hardware development and requirements analysis and with some success for software development. Increased support for both fundamental research and demonstration exercises is warranted.

Formal methods should be regarded as an important piece of technology for eliminating design errors in hardware and software; as such, they deserve increased attention. Formal methods are particularly well suited for identifying errors that only become apparent in scenarios not likely to be tested or testable. Therefore, formal methods could be viewed as a technology complementary to testing. Research directed at the improved integration of testing and formal methods is likely to have payoffs for increasing assurance in trustworthy NISs.

REINVENTING SECURITY FOR COMPUTERS AND COMMUNICATIONS

Security research during the past few decades has been based on formal policy models that focus on protecting information from unauthorized access by specifying which users should have access to data or other system objects. It is time to challenge this paradigm of "absolute security" and move toward a model built on three axioms of insecurity: insecurity exists; insecurity cannot be destroyed; and insecurity can be moved around.

Formal policy models of the past few decades presuppose that security policies are static and have precise and succinct descriptions. These formal policy models cannot represent the effects of some malicious or erroneous software, nor can they completely address denial-of-service attacks. Finally, these formal policy models cannot account for defensive measures, such as virus scan software or firewalls, mechanisms that should not work or be needed in theory but, in practice, hinder attacks.

The complex and distributed nature of NISs, with their numerous subsystems that typically have their own access controls, raises the question of whether a complete formal security model could ever be specified. Even if such a model could be specified, demonstrating the correspondence between an NIS and that formal model is not likely to be feasible. An alternative to this "absolute security" philosophy is to identify the vulnerabilities in an NIS and make design changes to reposition the vulnerabilities in light of the threats being anticipated. Further research is needed to determine the feasibility of this new approach to the problem.

Cryptographic authentication and the use of hardware tokens are promising avenues for implementing authentication. Network-based authentication technology is not amenable to high-assurance implementations.

Cryptographic authentication represents a preferred approach to authentication at the granularity that might otherwise be provided by network authentication. Needs will arise for new cryptographic authentication protocols (e.g., for practical multicast communication authentication). Faster encryption and authentication/integrity algorithms will be required to keep pace with rapidly increasing communication speeds. Further research into techniques and tools should be encouraged.

The use of hardware tokens holds great promise for implementing authentication. Cost will be addressed by the inexorable advance of digital hardware technology. But interface commonality issues will somehow

have to be overcome. The use of personal identification numbers (PINs) to enable hardware tokens is a source of vulnerability that the use of biometrics might address. When tokens are being used to digitally sign data, then an interface should be provided so that a user can know what is being signed. Biometric authentication technologies have limitations when employed in network contexts, because the compromise of the digital version of someone's biometric data could allow an attacker to impersonate a legitimate user over the network.

Obstacles exist to more widespread deployment of key-management technology and there has been little experience with public-key infrastructures, especially large-scale ones.

There are many aspects of public-key infrastructure (PKI) technology that merit further research. Issues related to the timely notification of revocation, recovery from compromise of certificate authority private keys, and name-space management require attention. Most applications that make use of certificates have poor certificate-management interfaces for users and system administrators. Toolkits for certificate processing could be developed. There has been little experience with large-scale deployment of key management technologies. Thus, the scale and nature of the difficulties associated with deploying this important technology is an unknown at this time.

Because NISs are distributed systems, network access control mechanisms play a central role in the security of NISs. Virtual private networks and firewalls have proven to be promising technologies and deserve greater attention in the future.

Virtual private network (VPN) technology is quite promising, although proprietary protocols and simplistic key-management schemes in most products have, to date, prevented adoption of VPNs in larger-scale settings. The deployment of IPsec can eliminate these impediments, facilitating VPN deployment throughout the Internet. Much work remains to further facilitate wholesale and flexible VPN deployments. Support for dynamic location of security gateways, accommodation of complex network topologies, negotiation of traffic security policies across administratively independent domains, and support for multicast communication are other topics deserving additional work. Also, better interfaces for VPN management will be critical for avoiding vulnerabilities introduced by operational errors.

Firewalls, despite their limitations, will persist into the foreseeable future as a key defense mechanism. As support for VPNs is added, firewall enhancements will have to be developed for the support of sophisticated security management protocols, negotiation of traffic security policies across administratively independent domains, and management tools. The development of increasingly sophisticated network-wide applications will create a need for application-layer firewalls and a better understanding of how to define and enforce useful traffic policies at this level. Guards can be thought of as special cases of firewalls, typically focused at the application layer.

Foreign code is increasingly being used in NISs. However, NIS trustworthiness will deteriorate unless effective security mechanisms are developed and implemented to defend against attacks by foreign code.

Authenticating the author or provider of foreign code has not and likely will not prove effective for protecting against hostile foreign code. Users are unwilling and/or unable to use the source of a piece of foreign code as a basis for denying or allowing execution. Revocation of certificates is necessary should a provider be compromised, but revocation is currently not supported by the Internet, a fact that limits the scale over which the approach can be deployed.

Access control features in commercially successful operating systems are not adequate for supporting fine-grained access control (FGAC). FGAC mechanisms are needed that do not significantly affect performance. Operating system implementations of FGAC would help support the construction of systems that obey the principle of least privilege, which holds that users be accorded the minimum access that is needed to accomplish a task. FGAC also has the potential to provide a means for supporting foreign code: an interpreter that implements FGAC is used to provide a rich access control model within which the foreign code is confined. That, in turn, could be an effective defense against a variety of attacks that might be delivered using foreign code or application programs. However, it is essential that users and administrators can correctly configure systems with FGAC structures, and that has not yet been demonstrated. (Considerably simpler access control models today are often misunderstood and misused.) Enforcing application security is increasingly likely to be a shared responsibility between the application and the lower levels of a system. Research is needed to determine how to partition this responsibility and which mechanisms are best implemented at what level. In addition, more needs to be known about the assurance limitations associated with providing application-layer security when employing a COTS operating system that offers minimum assurance.
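To make the FGAC point above concrete, here is an added illustration (not code from the report or from any system it describes) of foreign code confined behind a fine-grained policy: the host hands the plugin only a narrow capability object, every operation is checked against per-plugin grants, denials are recorded for audit, and a validator flags grants that are too broad to count as least privilege, which is the misconfiguration concern the paragraph raises. The class names, the policy format and the sample plugins are all hypothetical; the in-memory file contents are constructed.

```python
"""Least-privilege confinement of foreign code behind a fine-grained policy.

Added example, not from the report: the Policy/ConfinedEnv classes, the
policy format and the sample plugins are hypothetical; file contents are
constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, FrozenSet, List


class PolicyViolation(PermissionError):
    """Raised when foreign code asks for something its policy does not grant."""


@dataclass(frozen=True)
class Policy:
    """Per-plugin grants: glob patterns for readable and writable paths, and reachable hosts."""
    name: str
    read_paths: FrozenSet[str] = frozenset()
    write_paths: FrozenSet[str] = frozenset()
    net_hosts: FrozenSet[str] = frozenset()

    def validate(self) -> List[str]:
        """Flag grants too broad to be least privilege (the report's misconfiguration concern)."""
        problems = []
        for label, grants in (("read", self.read_paths), ("write", self.write_paths)):
            if any(g in ("*", "/*", "/**") for g in grants):
                problems.append(f"{self.name}: unrestricted {label} grant")
        if "*" in self.net_hosts:
            problems.append(f"{self.name}: unrestricted network grant")
        return problems


@dataclass
class ConfinedEnv:
    """The only interface handed to foreign code; the host keeps the real resources."""
    policy: Policy
    files: Dict[str, str]                      # constructed in-memory file system
    audit: List[str] = field(default_factory=list)

    def _check(self, op: str, target: str, grants: FrozenSet[str]) -> None:
        if not any(fnmatch(target, g) for g in grants):
            self.audit.append(f"DENY {self.policy.name} {op} {target}")
            raise PolicyViolation(f"{op} {target} not permitted for {self.policy.name}")
        self.audit.append(f"ALLOW {self.policy.name} {op} {target}")

    def read(self, path: str) -> str:
        self._check("read", path, self.policy.read_paths)
        return self.files[path]

    def write(self, path: str, data: str) -> None:
        self._check("write", path, self.policy.write_paths)
        self.files[path] = data

    def connect(self, host: str) -> str:
        self._check("connect", host, self.policy.net_hosts)
        return f"connected:{host}"


def run_plugin(plugin: Callable[[ConfinedEnv], str], env: ConfinedEnv) -> str:
    """Run foreign code; a violation aborts the plugin while the host and its audit trail survive."""
    try:
        return plugin(env)
    except PolicyViolation as exc:
        return f"aborted: {exc}"


def summarizer_plugin(env: ConfinedEnv) -> str:
    """Constructed well-behaved plugin: reads one report, writes one summary."""
    text = env.read("/data/reports/q1.txt")
    env.write("/data/out/q1.summary", text[:10])
    return "ok"


def overreaching_plugin(env: ConfinedEnv) -> str:
    """Constructed plugin that strays outside its grant; the interpreter stops it at that step."""
    env.read("/data/reports/q1.txt")
    return env.read("/etc/secrets")   # no matching read grant -> PolicyViolation


def demo() -> Dict[str, object]:
    """Run both plugins under the same narrow policy and validate an over-broad one."""
    files = {"/data/reports/q1.txt": "revenue up 4 percent", "/etc/secrets": "constructed"}
    policy = Policy("summarizer", read_paths=frozenset({"/data/reports/*"}),
                    write_paths=frozenset({"/data/out/*"}))
    env = ConfinedEnv(policy, dict(files))
    return {
        "well_behaved": run_plugin(summarizer_plugin, env),
        "overreaching": run_plugin(overreaching_plugin, env),
        "audit": env.audit,
        "policy_problems": Policy("anything", read_paths=frozenset({"*"}),
                                  net_hosts=frozenset({"*"})).validate(),
    }
```

The plugin never touches the file system or the network directly; it can only call `read`, `write` and `connect` on the object it was given, and each call is decided by the policy before anything happens. The audit list is what an administrator would look at to see which grants are actually exercised, which is how an over-broad policy gets narrowed.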

A variety of opportunities seem to exist to leverage programming language research in implementing system security. Software fault isolation and proof-carrying code illustrate the application of programming-language analysis techniques to security policy enforcement. But these techniques are new, and their ultimate efficacy is not yet understood.

Defending against denial-of-service attacks is often critical for the security of an NIS, because availability is often an important system property. Research in this area is urgently needed to identify general schemes for defending against such attacks.

No general mechanisms or systematic design methods exist for defending against denial-of-service attacks. For example, each request for service may appear legitimate in itself, but the aggregate number of requests in a short time period that are focused on a specific subsystem can overwhelm that subsystem because the act of checking a request for legitimacy consumes resources.

BUILDING TRUSTWORTHY SYSTEMS FROM UNTRUSTWORTHY COMPONENTS

Improved trustworthiness may be achieved by the careful organization of untrustworthy components. There are a number of promising ideas, but few have been vigorously pursued. "Trustworthiness from untrustworthy components" is a research area that deserves greater attention.

Replication and diversity can be employed to build systems that amplify the trustworthiness of their components, and indeed, there are successful commercial products (e.g., fault-tolerant computers) in the marketplace that do exactly this. However, the potential and limits of this approach are not understood. For example, research is needed to determine the ways in which diversity can be added to a set of replicas, thereby improving trustworthiness.

Trustworthiness functionality could reside in varying parts of an NIS. Little is known about the advantages and disadvantages of the different architectural possibilities, so an analysis of existing NISs would prove instructive. One architecture that has been suggested is based on the idea of a core minimum functionality, the minimum essential information infrastructure (MEII). But building an MEII for the nation would be a misguided initiative, because it presumes that the important "core minimum functionality" could be specifically defined, and that is unlikely to be the case.
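As an added illustration of the replication-and-diversity passage above (not code from the report), the block below runs three integer-square-root replicas under a majority voter and injects a constructed off-by-one defect into one of them. With three diverse implementations the voter masks the faulty replica; with three identical copies the defect is common-mode and passes the vote unanimously; and when two replicas disagree in different ways the voter reports no majority rather than a silently wrong answer. The replica functions, the fault wrapper and the voter are hypothetical.

```python
"""Majority voting over replicated and diverse implementations.

Added example, not from the report: three integer-square-root replicas,
a constructed fault wrapper and a majority voter (all hypothetical).
"""
import math
from collections import Counter
from typing import Callable, Dict, Optional, Sequence

Replica = Callable[[int], int]


def isqrt_binary(n: int) -> int:
    """Replica 1: binary search for the largest r with r*r <= n."""
    lo, hi = 0, n
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid * mid <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def isqrt_newton(n: int) -> int:
    """Replica 2: integer Newton iteration, a different algorithm for the same result."""
    if n == 0:
        return 0
    x = n
    while True:
        y = (x + n // x) // 2
        if y >= x:
            return x
        x = y


def isqrt_library(n: int) -> int:
    """Replica 3: the standard library implementation."""
    return math.isqrt(n)


def with_fault(replica: Replica, bad_inputs: Sequence[int], delta: int = 1) -> Replica:
    """Constructed defect: the wrapped replica is off by `delta` on selected inputs."""
    def faulty(n: int) -> int:
        r = replica(n)
        return r + delta if n in bad_inputs else r
    return faulty


def majority_vote(replicas: Sequence[Replica], n: int) -> Optional[int]:
    """Value returned by more than half the replicas; None when no majority exists."""
    value, count = Counter(r(n) for r in replicas).most_common(1)[0]
    return value if count > len(replicas) // 2 else None


def evaluate(replicas: Sequence[Replica], inputs: Sequence[int]) -> Dict[str, int]:
    """Count voter outcomes against the exact answer: correct, undecided (no majority), wrong."""
    tally = {"correct": 0, "undecided": 0, "wrong": 0}
    for n in inputs:
        v = majority_vote(replicas, n)
        if v is None:
            tally["undecided"] += 1
        elif v == math.isqrt(n):
            tally["correct"] += 1
        else:
            tally["wrong"] += 1
    return tally


def demo() -> Dict[str, Dict[str, int]]:
    """Three configurations over inputs 0..49; the constructed fault fires on 10, 20 and 30."""
    inputs = range(50)
    fault = (10, 20, 30)
    diverse = [with_fault(isqrt_binary, fault), isqrt_newton, isqrt_library]
    identical = [with_fault(isqrt_binary, fault)] * 3          # same code, same defect
    conflicting = [with_fault(isqrt_binary, (10,), 1),           # two replicas disagree
                   with_fault(isqrt_newton, (10,), 2), isqrt_library]
    return {"diverse": evaluate(diverse, inputs),
            "identical": evaluate(identical, inputs),
            "conflicting": evaluate(conflicting, inputs)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

The identical configuration is the case the paragraph warns about: replication alone buys nothing against a defect shared by every copy, so the vote is unanimous and wrong on three inputs. Diversity is what turns the three copies into independent opinions, and the undecided outcome in the conflicting configuration is the voter refusing to guess when the replicas split three ways.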

Monitoring and detection can be employed to build systems that enhance the trustworthiness of their components. But limitations in system-monitoring technology and in technology to recognize events, like attacks and failures, impose fundamental limits on the use of monitoring and detection for implementing trustworthiness. For example, the limits and coverage of the various approaches to intruder and anomaly detection are not well understood.

A number of other promising research areas merit investigation. For example, systems could be designed to respond to an attack or failure by reducing their functionality in a controlled, graceful manner. And a variety of research directions involving new types of algorithms (self-stabilization, emergent behavior, biological metaphors) may be useful in defining systems that are trustworthy. These new research directions are highly speculative. Thus, they are plausible topics for longer-range research.

SOCIAL AND ECONOMIC FACTORS THAT INHIBIT THE DEPLOYMENT OF TRUSTWORTHY TECHNOLOGY

Imperfect information creates a disincentive to invest in trustworthiness for both consumers and producers, leading to a market failure. Initiatives to mitigate this problem are needed.

Decision making today about trustworthy systems occurs within the context of imperfect information. That increases the level of uncertainty regarding the benefits of trustworthiness initiatives, thereby serving as a disincentive to invest in trustworthiness and distorting the market for trustworthiness. As a result, consumers prefer to purchase greater functionality rather than to invest in improved trustworthiness. Products addressing problems that have been experienced by consumers or that are perceived to address well-known or highly visible problems have been best received.

The absence of standard metrics or a recognized organization to conduct assessments for trustworthiness is an important contributing factor to the imperfect information problem. Useful metrics for the security dimension of trustworthiness are unlikely to be developed because the corresponding formal model for any particular metric would necessarily be incomplete. Therefore, useful aggregate metrics for trustworthiness are unlikely to be developed.

Standards may mitigate some of the difficulties that arise from imperfect information because standards can simplify the decision-making process for the purchasers and producers of trustworthiness by narrowing the field of choices. The development and evolution of a standard attract scrutiny that will work toward reducing the number of remaining design

flaws and thereby promote trustworthiness. At the same time, the existence of standards promotes the wide availability of detailed technical information about a particular technology, and therefore serves as a basis for assessing where vulnerabilities remain. Standards that facilitate interoperability increase the likelihood that successful attacks in one system might prove effective in others. The net relationship between standards and trustworthiness is therefore indeterminate. Heterogeneity tends to cause NISs to be more vulnerable because the scrutiny of experts may not take place, but the negative effects that pertain to standards are also applicable for homogeneity.

Security criteria may also improve the level of information available to both consumers and producers of components. The Common Criteria may or may not prove useful for this purpose. In any case, it is doubtful that any criteria can keep pace with the evolving threats. However, even if there are a sufficient number of security-evaluated components, there is, at present, little or no rigorous methodology for assessing the security of NISs assembled from such evaluated components.

Consumer and producer costs for trustworthiness are difficult to assess. An improved understanding, better models, and more and accurate data are needed.

Trustworthiness typically reflects systemwide characteristics of an NIS, so trustworthiness costs are often difficult to allocate to specific users or uses. Such costs are therefore often allocated to central units. Trustworthiness also involves costs that are difficult to quantify; one example is the "hassle factor," which captures the fact that trustworthy systems tend to be more cumbersome to use. It is difficult to distinguish trustworthiness costs from other direct product costs and overhead costs. Not surprisingly, there is a paucity of data, and what little data does exist has questionable accuracy. The production costs associated with integration and testing represent a substantial proportion of total producer costs for improving trustworthiness, and it is often difficult to separate "trustworthiness" costs from other costs. Time-to-market considerations discourage the inclusion of trustworthiness features and encourage the postponement of trustworthiness to later stages of the product life cycle.

As a truly multidimensional concept, trustworthiness is dependent on all of its dimensions. However, in some sense, the problems of security are more challenging and therefore deserve special attention.

OCR for page 240
CONCLUSIONS AND RESEARCH RECOMMENDATIONS 253 Security risks are more difficult to specify and manage than those that arise from safety or reliability concerns. There is usually an absence of malice with respect to safety and reliability risks as well as tangible and often severe consequences that can be easily articulated; these consider- ations facilitate the assessment of risk and measurement of consequences for safety- and reliability-related risks, in contrast to security. A precise and testable definition is required to assess whether a standard has been fulfilled or not. Such definitions may often be articulated for some trust- worthiness dimensions (such as reliability) but are often difficult to ar- ticulate for security. Export control and key-escrow policy concerns inhibit the wide- spread deployment of cryptography, but there are other impor- tant inhibitory factors that deserve increased attention and action. The public policy controversy surrounding export controls and key recovery does indeed inhibit the widespread deployment of cryptogra- phy. However, cryptography is not more widely deployed for other rea- sons, which include reduced convenience and usability, possible sacrifice of interoperability, increased computational and communications require- ments, lack of a national or international key infrastructure, restrictions resulting from patents, and the fact that most information is already se- cure enough relative to its value to an unauthorized party. IMPLEMENTING TRUSTWORTHINESS RESEARCH AND DEVELOPMENT In its necessary efforts to pursue partnerships, the federal gov ernment also needs to work to develop trust in its relationships with the private sector, with some emphasis on U.S.-based firms. The federal government has less influence on vendors than in the past, so cooperative arrangements are increasingly necessary. 
The rise of the marketplace for computing and communications products includes new and/or start-up firms that tend to be focused on marketplace de- mands generally, and not on the needs of the federal government. A1- though the federal government is the largest single customer of comput- ing and communications products and services, its relative market share, and therefore its market power, have declined. Building trust between the private and public sectors is essential to achieving increased coopera- tion in efforts to improve NIS trustworthiness, because the cryptography

OCR for page 240
254 TRUST IN CYBERSPACE policy debates concerning export controls and key escrow have created suspicion within the private sector about government intent and plans. As trustworthiness-related products are increasingly provided by non- U.S. companies, the influence of foreign firms and governments on the trustworthiness marketplace is a new concern and suggests that some priority should be placed on partnerships with U.S. firms. The NSA R2 organization must increase its efforts devoted to outreach and recruitment and retention issues. The National Security Agency's R2 organization has initiated several outreach efforts, but these have not significantly broadened the commu- nity of researchers that work with R2. Effective outreach efforts are those that are designed to be compatible with the interests, perspectives, and realities of potential partners (e.g., acknowledgment of the dominance of COTS technology). Inadequate incentives currently exist within R2 to attract and retain highly skilled researchers. Improved incentives might be financial (e.g., different salary scale) and/or nonfinancial (e.g., special recognition, greater public visibility) in nature. R2 faces formidable challenges in the recruitment and retention of the very best researchers. The rotation of R2 researchers with researchers in industry and academia would help to broaden and invigorate the R2 program. Such rotation would be most effective if it involved institutions that have large numbers of top re- searchers. As currently constituted, the R2 university research program emphasizes relatively short-term and small projects, and it does not at- tract the interest of the best industrial and academic researchers and insti- tutions. DARPA is generally effective in its interactions with the research community, but DARPA needs to increase its focus on informa- tion security and NIS trustworthiness research, especially with regard to long-term research efforts. 
The nature and scope of major Defense Advanced Research Projects Agency (DARPA) projects that were funded in the 1970s where security work was an integral part of a large, integrated effort seem to character- ize DARPA's greatest successes in the security domain. Not all of these efforts were so successful, as is characteristic of high-risk, high-payoff research. DARPA does fund some research today in important areas for NIS trustworthiness. However, other critical topics as articulated in this study are not emphasized to the extent that they should be. These topics

OCR for page 240
CONCLUSIONS AND RESEARCH RECOMMENDATIONS 255 include containment, denial-of-service attacks, and cryptographic infra- structures. DARPA uses a number of mechanisms to communicate with the re- search community, which include principal investigator meetings, infor- mation science and technology activities (ISATs), and board area an- nouncements (BAAs). These mechanisms seem to be generally effective in facilitating the exchange of ideas between DARPA and the research community. The use of academics on temporary assignment as program managers has advantages and disadvantages. This rotation of program managers ensures that state-of-the-art thinking is constantly being infused into DARPA (assuming that the leading researchers in the field are appointed). On the other hand, such rotation does not promote long-term research agendas, because the tenure of a program manager typically is only 2 to 3 years. An increase in expenditures for research in information security and NIS trustworthiness is warranted. The committee believes that increased funding is warranted for both information security research in particular and NIS trustworthiness re- search in general. The appropriate level of increased funding should be based on a realistic assessment of the size and availability of the current population of researchers in relevant disciplines and projections of how this population of researchers may be increased in the coming years.

OCR for page 240