Trust in Cyberspace

Fred B. Schneider, Editor

Committee on Information Systems Trustworthiness

Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications
National Research Council

National Academy Press
Washington, D.C. 1998





NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce Alberts is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. William A. Wulf is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce Alberts and Dr. William A. Wulf are chairman and vice chairman, respectively, of the National Research Council.

Support for this project was provided by the Defense Advanced Research Projects Agency and the National Security Agency. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.

Library of Congress Catalog Card Number 98-xxx
International Standard Book Number xxx

Additional copies of this report are available from:
National Academy Press
2101 Constitution Avenue, N.W.
Box 285
Washington, DC 20055
800/624-6242
202/334-3313 (in the Washington Metropolitan Area)

Copyright 1998 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America

COMMITTEE ON INFORMATION SYSTEMS TRUSTWORTHINESS

FRED B. SCHNEIDER, Cornell University, Chair
STEVEN M. BELLOVIN, AT&T Labs Research
MARTHA BRANSTAD, Trusted Information Systems Inc.
J. RANDALL CATOE, MCI Telecommunications Inc.
STEPHEN D. CROCKER, CyberCash Inc.
CHARLIE KAUFMAN, Iris Associates Inc.
STEPHEN T. KENT, BBN Corporation
JOHN C. KNIGHT, University of Virginia
STEVEN McGEADY, Intel Corporation
RUTH R. NELSON, Information System Security
ALLAN M. SCHIFFMAN, SPYRUS
GEORGE A. SPIX, Microsoft Corporation
DOUG TYGAR, University of California, Berkeley

Special Advisor
W. EARL BOEBERT, Sandia National Laboratories

Staff
MARJORY S. BLUMENTHAL, Director
JANE BORTNICK GRIFFITH, Interim Director (1998)
HERBERT S. LIN, Senior Scientist
ALAN S. INOUYE, Program Officer
MARK BALKOVICH, Research Associate (until July 1998)
LISA L. SHUM, Project Assistant (until August 1998)
RITA A. GASKINS, Project Assistant

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

DAVID D. CLARK, Massachusetts Institute of Technology, Chair
FRANCES E. ALLEN, IBM T.J. Watson Research Center
JAMES CHIDDIX, Time Warner Cable
JOHN M. CIOFFI, Stanford University
W. BRUCE CROFT, University of Massachusetts, Amherst
A.G. FRASER, AT&T Corporation
SUSAN L. GRAHAM, University of California at Berkeley
JAMES GRAY, Microsoft Corporation
PATRICK M. HANRAHAN, Stanford University
JUDITH HEMPEL, University of California at San Francisco
BUTLER W. LAMPSON, Microsoft Corporation
EDWARD D. LAZOWSKA, University of Washington
DAVID LIDDLE, Interval Research
JOHN MAJOR, QUALCOMM Inc.
TOM M. MITCHELL, Carnegie Mellon University
DONALD NORMAN, Hewlett-Packard Company
RAYMOND OZZIE, Groove Networks
DAVID A. PATTERSON, University of California at Berkeley
DONALD SIMBORG, KnowMed Systems
LEE SPROULL, Boston University
LESLIE L. VADASZ, Intel Corporation

MARJORY S. BLUMENTHAL, Director
JANE BORTNICK GRIFFITH, Interim Director (1998)
HERBERT S. LIN, Senior Staff Officer
JERRY R. SHEEHAN, Program Officer
ALAN S. INOUYE, Program Officer
JON EISENBERG, Program Officer
JANET BRISCOE, Administrative Associate
NICCI DOWD, Project Assistant
RITA GASKINS, Project Assistant
DAVID PADGHAM, Project Assistant

COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS

ROBERT J. HERMANN, United Technologies Corporation, Co-chair
W. CARL LINEBERGER, University of Colorado, Co-chair
PETER M. BANKS, Environmental Research Institute of Michigan
WILLIAM BROWDER, Princeton University
LAWRENCE D. BROWN, University of Pennsylvania
RONALD G. DOUGLAS, Texas A&M University
JOHN E. ESTES, University of California at Santa Barbara
MARTHA P. HAYNES, Cornell University
L. LOUIS HEGEDUS, Elf Atochem North America Inc.
JOHN E. HOPCROFT, Cornell University
CAROL M. JANTZEN, Westinghouse Savannah River Company
PAUL G. KAMINSKI, Technovation, Inc.
KENNETH H. KELLER, University of Minnesota
KENNETH I. KELLERMANN, National Radio Astronomy Observatory
MARGARET G. KIVELSON, University of California at Los Angeles
DANIEL KLEPPNER, Massachusetts Institute of Technology
JOHN KREICK, Sanders, a Lockheed Martin Company
MARSHA I. LESTER, University of Pennsylvania
NICHOLAS P. SAMIOS, Brookhaven National Laboratory
CHANG-LIN TIEN, University of California at Berkeley

NORMAN METZGER, Executive Director

Preface

Experts have known for some time that networked information systems are not trustworthy and that the technology needed to make them trustworthy was, by and large, not at hand. Our nation is nevertheless becoming dependent on such systems for operating its critical infrastructures (e.g., transportation, communication, finance, and energy distribution). Over the past 2 years, the implications of this dependence—vulnerability to attack and susceptibility to disaster—have become a part of the national agenda. Concerns first voiced from within the defense establishment (under the rubric of "information warfare") led the executive branch to create the President's Commission on Critical Infrastructure Protection and, later, the Critical Infrastructure Assurance Office. The popular press embraced the issues, carrying them to a public already sensitized by direct and collateral experience with the failings of computing systems and networks. So a subject once discussed only in the technical literature is now regularly appearing on the front pages of newspapers and being debated in the Congress. And the present study, initiated at the request of the Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA) some 2 years ago, today informs a discussion of national significance. In particular, this study moves the focus of the discussion forward from matters of policy and procedure and from vulnerabilities and their consequences toward questions about the richer set of options that only new science and technology can provide.

The study committee was convened by the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) to assess the nature of information systems trustworthiness and the prospects for technologies that increase it. The committee was asked to examine, discuss, and report on interrelated issues associated with the research, development, and commercialization of technologies for trustworthy systems and to use its assessment to develop recommendations for research to enhance information systems trustworthiness (see Box P.1). This volume contains the results of that study: a detailed research agenda that examines the many dimensions of trustworthiness (e.g., correctness, security, reliability, safety, survivability), the state of the practice, and the available technology and science base. Since the economic and political context is critical to the successful deployment of new technologies, that too is discussed.

The alert reader will have noted that the volume's title, Trust in Cyberspace, admits two interpretations. This ambiguity was intentional. Parse "trust" as a noun (as in "confidence" or "reliance") and the title succinctly describes the contents of the volume—technologies that help make networked information systems more trustworthy. Parse "trust" as a verb (as in "to believe") and the title is an invitation to contemplate a future where networked information systems have become a safe place for conducting parts of our daily lives.1 Whether "trust" is being parsed as a noun or as a verb, more research is key for trust in cyberspace.

1 One reviewer, contemplating the present, suggested that a question mark be placed at the end of the title to raise questions about the trustworthiness of cyberspace today. And this is a question that the report does raise.

Committee Composition and Process

The study committee included experts on computing and communications systems from industry and academia whose expertise spanned computer and communications security, software engineering, fault tolerance, systems design and implementation, and networking (see Appendix A). The committee did its work through its own expert deliberations and by soliciting input and discussion from key officials in its sponsoring agencies, other government officials, academic experts, and representatives of a wide range of developers and users of information systems in industry (see Appendix B). The committee did not make use of classified information, believing that detailed knowledge of threats was not important to the task at hand.

The committee first met in June 1996 and eight times subsequently. Three workshops were held to obtain input from a broad range of experts in systems security, software, and networking drawn primarily from industry (see Appendixes C and D). Since information about the NSA R2 research program is less widely available than for relevant programs at DARPA and other federal agencies, the entire committee visited NSA for a more in-depth examination of R2's research program; subsequent meetings involving NSA R2 personnel and a subset of the committee provided still further input to the study. Staff tracked the progress of relevant activities in the legislative and executive branches of government, including the President's Commission on Critical Infrastructure Protection, the Critical Infrastructure Assurance Office, and congressional hearings. Staff also sought input from other governmental and quasi-governmental organizations with relevant emphases. Additional inputs included perspectives from professional conferences, technical literature, and government reports gleaned by committee members and staff. In April 1997, the committee released an interim report that outlined key concepts and known technologies. That report, subject to the NRC review process, generated a number of follow-up comments that helped to guide the committee in its later work.

Acknowledgments

The committee is grateful to the many thoughtful reviewers of its interim and final reports, and it appreciates the efforts of the review coordinator. The committee would like to acknowledge Thomas A. Berson (Anagram Laboratories), Dan Boneh (Stanford University), Eric A. Brewer (University of California, Berkeley), Dorothy Denning (Georgetown University), Bruce Fette (Motorola), John D. Gannon (University of Maryland), Li Gong (JavaSoft Inc., Sun Microsystems Inc.), Russ Housley (Spyrus Inc.), John C. Klensin (MCI Communications Corporation), Jimmy Kuo (McAfee Associates Inc.), Steven B. Lipner (Mitretek Systems), Keith Marzullo (University of California at San Diego), Alan J. McLaughlin (Massachusetts Institute of Technology), Robert Morris, Sr. (National Security Agency (retired)), Peter G. Neumann (SRI International), Jimmy Omura (Cylink Corporation), Stewart Personick (Drexel University), Roy Radner (New York University), Morteza Rahimi (Northwestern University), Jeffrey I. Schiller (Massachusetts Institute of Technology), Michael St. Johns (@Home Network), Joseph Sventek (Hewlett-Packard Laboratories), J. Marty Tenenbaum (CNgroup, Inc.), Abel Weinrib (Intel Corporation), Jeannette M. Wing (Carnegie Mellon University), and Mary Ellen Zurko (The Open Group Research Institute).

The committee appreciates the support of its sponsoring agencies, and especially the numerous inputs and responses to requests for information provided by Howard Frank and Teresa Lunt at DARPA, Robert Meushaw at NSA, and John Davis at NSA and the Critical Infrastructure Assurance Office. The support of K. David Nokes at Sandia National Laboratories was extremely helpful in facilitating this study and the preparation of this report. In addition, the committee would like to thank Jeffrey Schiller for his valuable perspective on Internet standards-setting.

The committee would also like to thank individuals who contributed their expertise to the committee's deliberations: Robert H. Anderson (RAND Corp.), Ken Birman (Cornell University), Chip Boylan (Hilb, Rogal, and Hamilton Co.), Robert L. Constable (Cornell University), Dale Drew (MCI Security Services), Bill Flanagan (Perot Systems Corporation), Fred Howard (Bell Atlantic Voice Operations), Keith Marzullo (University of California at San Diego), J.S. Moore (University of Texas at Austin), Peter G. Neumann (SRI International), John Pescatore (Trusted Information Systems), John Rushby (SRI International), Sami Saydjari (Defense Advanced Research Projects Agency), Dan Shoemaker (Bell Atlantic Data Operations), Steve Sigmond (Wessels Arnold Investment Banking), Gadi Singer (Intel), Steve Smaha (Haystack, Inc.), Kevin Sullivan (University of Virginia), L. Nick Trefethen (Oxford University), and Werner Vogels (Cornell University).

Several members of the Computer Science and Telecommunications Board provided valuable guidance to the committee and were instrumental in the response-to-review process. For these contributions, the committee would like to thank David D. Clark, Jim Gray, and Butler Lampson. The committee also acknowledges the helpful feedback from Board members Donald Norman and Ed Lazowska. Special thanks are owed to Steve Crocker for his seminal role in launching this study and in helping to shape the committee. The committee—and the chairman especially—benefited from Steve's involvement.

Finally, the committee would like to acknowledge all the hard work by the staff of the National Research Council. Marjory Blumenthal's role in the content and conduct of this study was pivotal. Not only was Marjory instrumental in moving the committee from its initial discussions through the production of an Interim Report and then to a first draft of this report, but her insights into the nontechnical dimensions of trustworthiness were critical in developing Chapter 6. This committee was truly fortunate to have the benefit of Marjory's insights concerning content and process, and this chairman was thankful to have such a master in the business as a teacher and advisor. Alan Inouye joined the project mid-stream. To him fell the enormous task of assembling this final report. Alan did a remarkable job, remaining unfailingly upbeat despite the long hours required and the frustrations that accompanied working to a deadline. First Leslie Wade and later Lisa Shum supported the logistics for the committee's meetings, drafts, and reviews in a careful yet cheery fashion. As a research associate, Mark Balkovich enthusiastically embraced a variety of research and fact-finding assignments. Thanks to Jane Bortnick Griffith for her support as the Interim Director of CSTB who inherited this challenging project mid-stream and did the right thing. Herb Lin was available when we needed him despite his numerous other commitments. The contributions of Laura Ost (editor-consultant) are gratefully acknowledged. Rita Gaskins, David Padgham, and Cris Banks also assisted in completing the report.

Fred B. Schneider, Chair
Committee on Information Systems Trustworthiness

BOX P-1: Synopsis of Task Statement

• Propose a research agenda that identifies ideas for relevant long-term research and the promotion of fundamental or revolutionary (as opposed to incremental) advances to foster increased trustworthiness of networked information systems. Perspectives on where and what kinds of research are needed should be sought from across the relevant technical and business communities.

• Assess, in part by undertaking dialogue within relevant segments of the technical and business communities, and make recommendations on how to further the development and deployment of trustworthy networked information systems, subsystems, and components.

• Assess and make recommendations concerning the effectiveness and directions of the existing research programs in ARPA and NSA R2 as they affect the development of trustworthy networked information systems.

• Examine the state of the market for security products and capabilities and the extent and emphases of private sector research activities with an eye toward illuminating where federal R&D efforts can best be targeted.

• Assess and develop recommendations for technology policy options to improve the commercial security product base (availability, quality, and affordability), expand awareness in industry of the security problem and of available technology and tools for enhancing protections, and foster technology transfer.

Contents

EXECUTIVE SUMMARY ES-1

1 INTRODUCTION 1-1
  Trustworthy Networked Information Systems
  What Erodes Trust
  This Study in Context
  Scope of This Study
  References

2 PUBLIC TELEPHONE NETWORK AND INTERNET TRUSTWORTHINESS 2-1
  Network Design
    The Public Telephone Network
      Network Services and Design
      Authentication
      Progress of a Typical Call
    The Internet
      Network Services and Design
      Authentication (and Other Security Protocols)
      Progress of a Typical Connection
    Findings
  Network Failures and Fixes
    Environmental Disruption
    Link Failures
    Congestion
    Findings
  Operational Errors
    Findings
  Software and Hardware Failures
    Finding
  Malicious Attacks
    Attacks on the Telephone System
      Routing Attacks
      Database Attacks
      Facilities
      Findings
    Attacks on the Internet
      Name Server Attacks
      Routing System Attacks
      Protocol Design and Implementation Flaws
      Findings
  Emerging Issues
    Internet Telephony
      Finding
    Is the Internet Ready for "Prime Time"?
      Findings
  References

3 SOFTWARE FOR NETWORKED INFORMATION SYSTEMS 3-1
  Introduction
    Background
    The Role of Software
    Development of an NIS
  System Planning, Requirements, and Top-Level Design
    Planning and Program Management
    Requirements at the System Level
      Background
      The System Requirements Document
      Notation and Style
      Where to Focus Effort in Requirements Analysis and Documentation
    Top-Level Design
      Critical Components
      The Integration Plan
    Project Structure, Standards, and Process
    Barriers to Acceptance of New Software Technologies
    Findings
  Building and Acquiring Components
    Component-Level Requirements
    Component Design and Implementation
    Programming Languages
    Systematic Reuse
    COTS Software
      The Changing Role of COTS Software
      General Problems with COTS Components
    Interfacing Legacy Software
    Findings
  System Integration
  System Assurance
    Review and Inspection
    Formal Methods
    Testing
    System Evolution
    Findings
  References

4 REINVENTING SECURITY 4-1
  Introduction
    Evolution of Security Needs and Mechanisms
  Access Control Policies
    Shortcomings of Formal Policy Models
    A New Approach
    Findings
  Identification and Authentication Mechanisms
    Network-Based Authentication
    Cryptographic Authentication
    Token-Based Mechanisms
    Biometric Techniques
    Findings
  Cryptography and Public-Key Infrastructure
    Findings
    The Key-Management Problem
    Key-Distribution Centers
    Certification Authorities
    Actual Large-Scale KDC and CA Deployments
    Public-Key Infrastructure
    Findings
  Network Access Control Mechanisms
    Closed User Groups
    Virtual Private Networks
    Firewalls
    Limitations of Firewalls
    Guards
    Findings
  Foreign Code and Application-Level Security
    The ActiveX Approach
    The Java Approach
    Findings
    Fine-Grained Access Control and Application Security
    Findings
    Language-Based Security: Software Fault Isolation and Proof Carrying Code
    Findings
  Denial of Service
    Findings
  References

5 TRUSTWORTHY SYSTEMS FROM UNTRUSTWORTHY COMPONENTS 5-1
  Introduction
  Replication and Diversity
    Amplifying Reliability
    Amplifying Security
    Findings
  Monitor, Detect, Respond
    Limitations in Detection
    Response and Reconfiguration
    Perfection and Pragmatism
    Findings
  Placement of Trustworthiness Functionality
    Public Telephone Network
    Internet
    Minimum Essential Information Infrastructure
    Findings
  Nontraditional Paradigms
    Finding
  References

6 THE ECONOMIC AND PUBLIC POLICY CONTEXT 6-1
  Risk Management
    Risk Assessment
    Nature of Consequences
    Risk Management Strategies
    Selecting a Strategy
    Findings
  Consumers and Trustworthiness
    Consumer Costs
      Direct Costs
      Indirect Costs
      Failure Costs
    Imperfect Information
    Issues Affecting Risk Management
    Some Market Observations
    Findings
  Producers and Trustworthiness
    The Larger Marketplace and the Trend Toward Homogeneity
    Risks of Homogeneity
    Producers and Their Costs
      Costs of Integration and Testing
      Identifying the Specific Costs Associated with Trustworthiness
      Time to Market
      Other Issues
    The Market for Trustworthiness
    Supply and Demand Considerations
    Findings
  Standards and Criteria
    The Character and Context of Standards
    Standards and Trustworthiness
    Security-Based Criteria and Evaluation
    Findings
  Cryptography and Trustworthiness
    Export Controls
    Key Recovery
    Factors Inhibiting Widespread Cryptography Deployment
    Cryptography and Confidentiality
    Findings
  Federal Government Interests in NIS Trustworthiness
    Public-Private Partnerships
    The Changing Market-Government Relationship
    Findings
  The Roles of the NSA, DARPA, and Other Federal Agencies in NIS Trustworthiness Research and Development
    National Security Agency
      Partnerships with Industry
      R2 Program
      Issues for the Future
      Findings
    Defense Advanced Research Projects Agency
      Issues for the Future
      Findings
  References
  Notes

7 CONCLUSIONS AND RESEARCH RECOMMENDATIONS 7-1
  Protecting the Evolving Public Telephone Network and the Internet
  Meeting the Urgent Need for Software That Improves Trustworthiness
  Reinventing Security for Computers and Communications
  Building Trustworthy Systems from Untrustworthy Components
  Social and Economic Factors That Inhibit the Deployment of Trustworthy Technology
  Implementing Trustworthiness Research and Development, the Public Policy Role

APPENDIXES
  A Study Committee Biographies A-1
  B Briefers to the Committee B-1
  C Workshop Participants and Agenda C-1
  D List of Position Papers Prepared for the Workshop D-1
  E Trends in Software E-1
  F Some Related Trustworthiness Studies F-1
  G Some Operating System Security Examples G-1
  H Types of Firewalls H-1
  I Secrecy of Design I-1
  J Research in Information System Security and Survivability Funded by the NSA and DARPA J-1
  K Glossary K-1

This is the tale of the infosys folk:
  Multics to UNIX to DOS.
We once had protection that wasn't a joke
  Multics to UNIX to DOS.
Now hackers and crackers and similar nerds
Pass viruses, horses, and horrible words
Through access controls that are for the birds.
  Multics to UNIX to DOS.

With apologies to Franklin P. Adams
