Trust in Cyberspace
Committee on Information Systems Trustworthiness, National Research Council (1999) 352 pages   6 x 9
7

Conclusions and Research Recommendations

The vulnerability of our nation's critical infrastructures is attracting considerable attention. Presidential Decision Directive 63, issued in May 1998, called for a national effort to ensure the security of the nation's critical infrastructures for communication, finance, energy distribution, and transportation. These infrastructures all exhibit a growing dependence on networked information systems (NISs) that are not sufficiently trustworthy, and that dependence is a source of vulnerability to the infrastructures and the nation. Today's NISs are too often unable to tolerate environmental disturbances, human user and operator errors, and attacks by hostile parties. Design and implementation errors mean that satisfactory operation would not be guaranteed even under ideal circumstances.

There is a gap between the state of the art and the state of the practice. More-trustworthy NISs could be built and deployed today. Why are these solutions not being implemented? The answer lies in the workings of the market, in existing federal policies regarding cryptography, in ignorance about the real costs of trustworthiness (and of not having trustworthiness) to consumers and producers, and in the difficulty of measuring trustworthiness.

There is also a gap between the needs and expectations of the public (along with parts of government) and the extant science and technology base for building trustworthy NISs. Trustworthiness is a multidimensional property of an entire system, and going beyond what is known today will require research breakthroughs. Methods to strengthen one dimension can compromise another; building trustworthy components does not suffice, for the interconnections and interactions of components play a significant role in NIS trustworthiness.

Conclusions and research recommendations 241

Security is certainly important (with some data indicating that the number of attacks is growing exponentially and anecdotal evidence suggesting that attackers are becoming more sophisticated every day), but it is not all that is important. The substantial commercial off-the-shelf (COTS) makeup of an NIS, the use of extensible components, the expectation of growth by accretion, and the likely absence of centralized control, trust, or authority demand a new approach to security: risk mitigation rather than risk avoidance, technologies to hinder attacks rather than prevent them outright, add-on technologies and defense in depth, and relocation of vulnerabilities rather than their elimination. But other aspects of trustworthiness also demand progress and also will require new thinking, because the networked environment and the scale of an NIS impose novel constraints, enable new types of solutions, and change engineering tradeoffs.

Other studies related to critical infrastructures have successfully raised public awareness and advocated action. This study focuses on describing and analyzing the technical problems and how they might be solved through research, thereby providing some direction for that action. The detailed research agenda presented in the body of this report was derived by surveying the state of the art, current practice, and technological trends with respect to computer networking and software. A summary of the committee's findings, conclusions, and recommendations follows.

Protecting the Evolving Public Telephone Network and the Internet

The public telephone network is increasingly dependent on software and databases that constitute new points of vulnerability. Business decisions are also creating new points of vulnerability. Protective measures need to be developed and implemented.

The public telephone network (PTN) is evolving. Value-added services (e.g., call forwarding) rely on call-translation databases and adjunct processors, which introduce new points of vulnerability. Some of the new services are themselves vulnerable. For example, caller ID is increasingly used by PTN customers to provide authenticated information, but the underlying telephone network is unable to provide this information with a high assurance of authenticity.

Management of the PTN is evolving as well. Technical and market forces have led to reductions in reserve capacity and the number of geographically diverse redundant routings. Failure of a single link can now have serious repercussions. Cross-connects and multiplexors, which are used to route calls, are becoming dependent on complex software running in operations support systems (OSSs). In addition to the intrinsic vulnerabilities associated with any complex software, information about OSSs is becoming less proprietary owing to deregulation. Information about controlling the OSSs will thus become more widespread, and the vulnerabilities of the OSSs will become known to larger numbers of attackers. Similarly, the Signaling System 7 (SS7) network used to manage central office switches was designed for a small, closed community of telephone companies; with deregulation will come increased opportunities for insider attacks. Telephone companies are also increasingly sharing facilities and technology with each other and the Internet, thereby creating yet another point of new vulnerability. Internet telephony is likely to cause the PTN to become more vulnerable, because Internet-based networks use the same channels for both user data transmission and network management and because the end points on the Internet are much more subject to failure than those of the PTN.

Attacks on the telephone network have, for the most part, been directed at perpetrating billing fraud. The frequency of those attacks is increasing, and the potential for more disruptive attacks, with harassment and eavesdropping as goals, is growing. Thus, protective measures are needed. Better protection is needed for the many number-translation and other databases used in the PTN. Telephone companies need to enhance the firewalls that connect their OSSs to the Internet and to enhance the physical security of their facilities.

In some respects, the Internet is becoming more secure as its protocols are improved and as security measures are more widely deployed at higher levels of the protocol stack. However, the increasing complexity of the Internet's infrastructure contributes to its increasing vulnerability. The end points (hosts) of the Internet continue to be vulnerable. As a consequence, the Internet is ready for some business use, but abandoning the PTN for the Internet would not be prudent for most.

The Internet is too susceptible to attacks and outages to be a viable basis for controlling critical infrastructures. Existing technologies could be deployed to improve the trustworthiness of the Internet, although many questions about what measures would suffice do not currently have answers because good basic data (e.g., on Internet outages) is scant.

The operation of the Internet today depends on routing and name-to-address translation services. The list of critical services will likely expand to include directory services and public-key certificate servers. As in the PTN, these services depend on databases and therefore constitute points of vulnerability. New countermeasures for name-server attacks are thus needed. They must work well in large-scale, heterogeneous environments. Cryptographic mechanisms to secure the name service do exist; however, deployment to date has been limited.

Cryptography, while not in itself sufficient, is essential to the protection of both the Internet and its end points. Wider deployment of cryptography is needed. Authentication-only algorithms are largely free from export and usage restrictions, and they could go a long way toward helping.
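The following is an added example, not code from the report, of what an "authentication-only" mechanism looks like in practice: an HMAC tag is attached to a message that is sent in the clear, so the recipient can detect tampering and forgery even though nothing is encrypted. The shared key, the routing-update message format, and the tag-then-message wire layout are assumptions made for this illustration.

```python
import hmac
import hashlib
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output size


def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag over the message. The message itself is not encrypted."""
    return hmac.new(key, message, hashlib.sha256).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """Wire format (an assumption for this example): tag || message.
    Anyone on the path can read the message, but nobody without the key
    can alter it or forge a new one without the tag check failing."""
    return make_tag(key, message) + message


def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Return the message if the tag checks out, otherwise None.
    compare_digest runs in constant time, so the check does not leak
    how many tag bytes matched."""
    if len(packet) < TAG_LEN:
        return None
    tag, message = packet[:TAG_LEN], packet[TAG_LEN:]
    if not hmac.compare_digest(tag, make_tag(key, message)):
        return None
    return message


# Constructed scenario: a routing-style update authenticated between two
# routers that share a key. Key and message format are assumptions.
SHARED_KEY = b"router-a/router-b shared key (example only)"
UPDATE = b"ROUTE 10.0.0.0/8 NEXTHOP 192.0.2.1"


def demo():
    packet = protect(SHARED_KEY, UPDATE)
    accepted = verify(SHARED_KEY, packet)

    # An on-path attacker rewrites the next hop; the tag no longer matches.
    tampered = packet[:TAG_LEN] + packet[TAG_LEN:].replace(b"192.0.2.1", b"198.51.100.9")
    tampered_result = verify(SHARED_KEY, tampered)

    # A forger without the key cannot produce a valid tag for a new message.
    forged = protect(b"guessed key", b"ROUTE 10.0.0.0/8 NEXTHOP 198.51.100.9")
    forged_result = verify(SHARED_KEY, forged)

    return accepted, tampered_result, forged_result


if __name__ == "__main__":
    print(demo())
```

The message is readable to everyone on the path (there is no confidentiality), which is exactly why such mechanisms fell outside most export restrictions; what the key buys is integrity and origin authentication. A deployable protocol would additionally need a sequence number or timestamp in the authenticated data to reject replayed packets.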

There is a tension between the capabilities and vulnerabilities of routing protocols. The sharing of routing information facilitates route optimization, but such cooperation also increases the risk that malicious or malfunctioning routers can compromise routing. In any event, current Internet routing algorithms are inadequate because they do not scale well, they require central processing unit (CPU)-intensive calculations, and they cannot implement diverse or flexible policies. Furthermore, no effective means exist to secure routing protocols, especially on backbone routers. Research in these areas is urgently needed.

Networks formed by interconnecting extant independent subnetworks present unique challenges for controlling congestion (because local provider optimizations may not lead to good overall behavior) and for implementing security (because trust relationships between network components are not homogeneous). A better understanding is needed of the Internet's current traffic profile and how it will evolve. In addition, fundamental research is needed into mechanisms for managing congestion in the Internet, especially in a way that does not conflict with network security mechanisms like encryption. Attacks that result in denial of service are increasingly common, and little is known about defending against them.

Operational errors represent a major source of outages for the PTN and the Internet. Some of these errors could be prevented by implementing known techniques, whereas others require research to develop preventative measures.

Some errors could be prevented through improved operator training and contingency planning. However, the scale and complexity of both the PTN and the Internet (and NISs in general) create the need for tools and systems to improve an operator's understanding of a system's state and the means by which the system can be controlled. For example, research is needed into ways to meaningfully portray and display the state of a large, complex network to a human operator. Research and development are needed to develop conceptual models that will allow human operators to grasp the state of a network and to understand the consequences of actions that the operator can take. Improved routing-management tools are needed for the Internet, because they will free human operators from an activity that is error prone.

Meeting the Urgent Need for Software That Improves Trustworthiness

The design of trustworthy networked information systems presents profound challenges for system architecture and project planning. Little is understood, and this lack of understanding ultimately compromises trustworthiness.

System-level trustworthiness requirements are typically first characterized informally. The transformation of these informal notions into precise requirements that can be imposed on individual system components is difficult and often beyond the current state of the art. Although a large software system such as an NIS cannot be developed defect free, it is possible to improve the trustworthiness of such a system by anticipating and targeting vulnerabilities. But to determine, analyze, and, most importantly, prioritize these vulnerabilities requires a good understanding of how subsystems interact with each other and with the other elements of the larger system; obtaining such an understanding is not possible today. The use of some systematic development processes seems to contribute to the quality of NISs. Project management, a long-standing challenge in software development, is especially problematic when building NISs because of the large and complex nature of such systems and because of the continual software changes. The challenges of software engineering, which have been formidable ones for so many years, are even more urgent in the context of networked information systems.

To develop an NIS, subsystems must be integrated, but little is known about doing this. In recent years, academic researchers have directed their focus away from large-scale integration problems; this trend must be reversed.

NISs pose new challenges for integration because of their distributed nature and the uncontrollability of most large networks. Thus, testing subsets of a system cannot adequately establish confidence in an entire NIS, especially when some of the subsystems are uncontrollable or unobservable as is likely in an NIS that has evolved to encompass legacy software. In addition, NISs are generally developed and deployed incrementally. Techniques to compose subsystems in ways that contribute directly to trustworthiness are therefore needed.

There exists a widening gap between the needs of software practitioners and the problems that are being attacked by the academic research community. In most academic computer science research today, researchers are not confronting problems related to large-scale integration and students do not develop the skills or intuition necessary for developing software that not only works but also works in the context of software written by others. A renewed emphasis on large-scale development efforts is called for.

It is clear that networked information systems will include COTS components into the foreseeable future. However, the relationship between the use of COTS components and NIS trustworthiness is unclear. Greater attention must be directed toward improving our understanding of this relationship.

COTS software offers both advantages and disadvantages to an NIS developer. COTS components can be less expensive, have greater functionality, and be better engineered and tested than is feasible for customized components. Yet, the use of COTS products could make developers dependent on outside vendors for the design and enhancement of important components. Also, specifications of COTS components tend to be incomplete and to compel user discovery of features by experimentation. COTS software originally evolved in a stand-alone environment where trustworthiness was not a primary concern. That heritage remains visible. Moreover, market pressures limit the time that can be spent on testing before releasing a piece of COTS software. The market also tends to emphasize features that add complexity but are useful only for a minority of applications.

Although there are accepted processes for component design and implementation, the novel characteristics of NISs raise questions about the utility of these processes. Modern programming languages include features that promote trustworthiness, and the potential may exist for further gains from research.

The performance needs of NISs can be inconsistent with modular design, and this limits the applicability of various processes and tools. It is difficult to devise component-level acceptance tests that fully capture the intent of systems-level requirements statements. This is particularly true for nonfunctional and user-interface requirements. Basing the development of an NIS on libraries of reusable, trusted components and using those components in critical areas of the system can provide a cost-effective way for implementing component-level dimensions of trustworthiness. Commercial software that includes reusable components or infrastructure is now available, but it is too early to know how successful it will be.

As a practical matter, the use of higher-level languages increases trustworthiness to a degree that outweighs any risks, although there is inadequate experimental evidence to justify the utility of any specific programming language or language feature with respect to improving trustworthiness. Modern programming languages include features, such as compile-time checks and support for modularity and component integration, that promote trustworthiness. The potential may exist for further gains by developing even more-expressive type systems and other compile-time analysis techniques.

Formal methods are being used with success in commercial and industrial settings for hardware development and requirements analysis and with some success for software development. Increased support for both fundamental research and demonstration exercises is warranted.

Formal methods should be regarded as an important piece of technology for eliminating design errors in hardware and software; as such, they deserve increased attention. Formal methods are particularly well suited for identifying errors that only become apparent in scenarios not likely to be tested or testable. Therefore, formal methods could be viewed as a technology complementary to testing. Research directed at the improved integration of testing and formal methods is likely to have payoffs for increasing assurance in trustworthy NISs.

Reinventing Security for Computers and Communications

Security research during the past few decades has been based on formal policy models that focus on protecting information from unauthorized access by specifying which users should have access to data or other system objects. It is time to challenge this paradigm of "absolute security" and move toward a model built on three axioms of insecurity: insecurity exists; insecurity cannot be destroyed; and insecurity can be moved around.

Formal policy models of the past few decades presuppose that security policies are static and have precise and succinct descriptions. These formal policy models cannot represent the effects of some malicious or erroneous software, nor can they completely address denial-of-service attacks. Finally, these formal policy models cannot account for defensive measures, such as virus scan software or firewalls—mechanisms that should not work or be needed in theory but, in practice, hinder attacks.

The complex and distributed nature of NISs, with their numerous subsystems that typically have their own access controls, raises the question of whether a complete formal security model could ever be specified. Even if such a model could be specified, demonstrating the correspondence between an NIS and that formal model is not likely to be feasible. An alternative to this "absolute security" philosophy is to identify the vulnerabilities in an NIS and make design changes to reposition the vulnerabilities in light of the threats being anticipated. Further research is needed to determine the feasibility of this new approach to the problem.

Cryptographic authentication and the use of hardware tokens are promising avenues for implementing authentication.

Network-based authentication technology is not amenable to high-assurance implementations. Cryptographic authentication represents a preferred approach to authentication at the granularity that might otherwise be provided by network authentication. Needs will arise for new cryptographic authentication protocols (e.g., for practical multicast communication authentication). Faster encryption and authentication/integrity algorithms will be required to keep pace with rapidly increasing communication speeds. Further research into techniques and tools should be encouraged.

The use of hardware tokens holds great promise for implementing authentication. Cost will be addressed by the inexorable advance of digital hardware technology. But interface commonality issues will somehow have to be overcome. The use of personal identification numbers (PINs) to enable hardware tokens is a source of vulnerability that the use of biometrics might address. When tokens are being used to digitally sign data, then an interface should be provided so that a user can know what is being signed. Biometric authentication technologies have limitations when employed in network contexts, because the compromise of the digital version of someone's biometric data could allow an attacker to impersonate a legitimate user over the network.

Obstacles exist to more widespread deployment of key-management technology and there has been little experience with public-key infrastructures, especially large-scale ones.

There are many aspects of public-key infrastructure (PKI) technology that merit further research. Issues related to the timely notification of revocation, recovery from compromise of certificate authority private keys, and name-space management require attention. Most applications that make use of certificates have poor certificate-management interfaces for users and system administrators. Toolkits for certificate processing could be developed. There has been little experience with large-scale deployment of key management technologies. Thus, the scale and nature of the difficulties associated with deploying this important technology are unknown at this time.

Because NISs are distributed systems, network access control mechanisms play a central role in the security of NISs. Virtual private networks and firewalls have proven to be promising technologies and deserve greater attention in the future.

Virtual private network (VPN) technology is quite promising, although proprietary protocols and simplistic key-management schemes in most products have, to date, prevented adoption of VPNs in larger-scale settings. The deployment of IPsec can eliminate these impediments, facilitating VPN deployment throughout the Internet. Much work remains to further facilitate wholesale and flexible VPN deployments. Support for dynamic location of security gateways, accommodation of complex network topologies, negotiation of traffic security policies across administratively independent domains, and support for multicast communication are other topics deserving additional work. Also, better interfaces for VPN management will be critical for avoiding vulnerabilities introduced by operational errors.

Firewalls, despite their limitations, will persist into the foreseeable future as a key defense mechanism. As support for VPNs is added, firewall enhancements will have to be developed for the support of sophisticated security management protocols, negotiation of traffic security policies across administratively independent domains, and management tools. The development of increasingly sophisticated network-wide applications will create a need for application-layer firewalls and a better understanding of how to define and enforce useful traffic policies at this level. Guards can be thought of as special cases of firewalls, typically focused at the application layer.

Foreign code is increasingly being used in NISs. However, NIS trustworthiness will deteriorate unless effective security mechanisms are developed and implemented to defend against attacks by foreign code.

Authenticating the author or provider of foreign code has not and likely will not prove effective for protecting against hostile foreign code. Users are unwilling and/or unable to use the source of a piece of foreign code as a basis for denying or allowing execution. Revocation of certificates is necessary should a provider be compromised, but revocation is currently not supported by the Internet, a fact that limits the scale over which the approach can be deployed.

Access control features in commercially successful operating systems are not adequate for supporting fine-grained access control (FGAC). FGAC mechanisms are needed that do not significantly affect performance. Operating system implementations of FGAC would help support the construction of systems that obey the principle of least privilege, which holds that users be accorded the minimum access that is needed to accomplish a task.

FGAC also has the potential to provide a means for supporting foreign code—an interpreter that implements FGAC is used to provide a rich access control model within which the foreign code is confined. That, in turn, could be an effective defense against a variety of attacks that might be delivered using foreign code or application programs. However, it is essential that users and administrators can correctly configure systems with FGAC structures, and that has not yet been demonstrated. (Considerably simpler access control models today are often misunderstood and misused.) Enforcing application security is increasingly likely to be a shared responsibility between the application and the lower levels of a system. Research is needed to determine how to partition this responsibility and which mechanisms are best implemented at what level. In addition, more needs to be known about the assurance limitations associated with providing application-layer security when employing a COTS operating system that offers minimum assurance.
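The following is an added example, not from the report, of the policy logic an FGAC interpreter applies when confining foreign code: a deny-by-default reference monitor with rules at the granularity of (principal, operation, resource pattern), a confined handle that is the only interface the foreign code receives, and a small audit for the overbroad rules that the text warns administrators tend to write. Python itself is not a sandbox (a real callable could still import os), so the point here is the mediation logic, not Python as a confinement boundary; the widget, the rules, the resource names, and the in-memory store are all constructed for this illustration.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    principal: str     # identity the loader assigned to the foreign code
    operation: str     # "read" or "write"
    resource: str      # glob over a resource name (note: fnmatch's * also crosses "/")


class AccessDenied(Exception):
    pass


class Monitor:
    """Reference monitor: deny by default, grant only on an explicit matching rule."""

    def __init__(self, rules: Sequence[Rule]):
        self.rules = list(rules)
        self.denials: List[Tuple[str, str, str]] = []   # audit trail of refused requests

    def check(self, principal: str, operation: str, resource: str) -> None:
        for r in self.rules:
            if (r.principal == principal and r.operation == operation
                    and fnmatch.fnmatchcase(resource, r.resource)):
                return
        self.denials.append((principal, operation, resource))
        raise AccessDenied(f"{principal}: {operation} {resource}")

    def overbroad_rules(self) -> List[Rule]:
        """Cheap audit for the misconfiguration the text warns about: a bare
        wildcard pattern grants far more than least privilege intends."""
        return [r for r in self.rules if r.resource.strip("/") in ("*", "**")]


class Confined:
    """The only handle the foreign code receives; every operation is mediated."""

    def __init__(self, monitor: Monitor, principal: str, store: Dict[str, bytes]):
        self._monitor, self._principal, self._store = monitor, principal, store

    def read(self, name: str) -> bytes:
        self._monitor.check(self._principal, "read", name)
        return self._store[name]

    def write(self, name: str, data: bytes) -> None:
        self._monitor.check(self._principal, "write", name)
        self._store[name] = data


def widget(env: Confined) -> bytes:
    """Constructed 'foreign code': does its job, then tries to overreach."""
    forecast = env.read("/cache/weather/today")
    env.write("/cache/weather/last-seen", forecast)
    try:
        env.read("/home/user/secrets")      # outside its least-privilege set
    except AccessDenied:
        pass                                # the widget keeps running, the monitor logged it
    return forecast


def run():
    store = {"/cache/weather/today": b"sunny", "/home/user/secrets": b"hunter2"}
    monitor = Monitor([
        Rule("weather-widget", "read", "/cache/weather/*"),
        Rule("weather-widget", "write", "/cache/weather/*"),
    ])
    result = widget(Confined(monitor, "weather-widget", store))
    return result, monitor.denials, store["/cache/weather/last-seen"]


if __name__ == "__main__":
    print(run())
```

The widget gets exactly the two rules its task needs and nothing else; the attempt on the secrets is refused and recorded. Swapping the read rule for Rule("weather-widget", "read", "/*") would silently grant the secrets as well, which is what overbroad_rules() is meant to catch.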

A variety of opportunities seem to exist to leverage programming language research in implementing system security. Software fault isolation and proof-carrying code illustrate the application of programming-language analysis techniques to security policy enforcement. But these techniques are new, and their ultimate efficacy is not yet understood.

Defending against denial-of-service attacks is often critical for the security of an NIS, because availability is often an important system property. Research in this area is urgently needed to identify general schemes for defending against such attacks.

No general mechanisms or systematic design methods exist for defending against denial-of-service attacks. For example, each request for service may appear legitimate in itself, but the aggregate number of requests in a short time period that are focused on a specific subsystem can overwhelm that subsystem because the act of checking a request for legitimacy consumes resources.
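The following is an added simulation, not from the report, of the failure mode just described: every request is well formed, and the server only discovers that a request is bogus after paying for a full legitimacy check, so a burst of bogus requests exhausts the work budget before a real request arrives. A cheap per-source pre-filter (a token bucket) placed before the expensive check bounds the damage from a single source. The work-unit costs, the shared key, the budget, and the traffic mix are constructed values chosen to keep the run deterministic.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Abstract work units keep the simulation deterministic (constructed values).
FULL_CHECK_COST = 100   # e.g. verifying a public-key signature on the request
PREFILTER_COST = 1      # e.g. a per-source counter lookup

SERVER_KEY = b"server key (assumption for this example)"


def tag_for(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def full_legitimacy_check(req: dict) -> bool:
    """The server only learns the request was bogus after paying FULL_CHECK_COST."""
    return hmac.compare_digest(tag_for(req["body"]), req["tag"])


class PerSourceLimiter:
    """Token bucket per source: at most `burst` requests from one source reach
    the expensive check before the bucket is refilled (no refill in this run)."""

    def __init__(self, burst: int):
        self.burst = burst
        self.tokens: Dict[str, int] = defaultdict(lambda: burst)

    def allow(self, src: str) -> bool:
        if self.tokens[src] <= 0:
            return False
        self.tokens[src] -= 1
        return True


def serve(requests: List[dict], budget: int,
          limiter: Optional[PerSourceLimiter] = None) -> Tuple[List[str], int]:
    """Process requests in arrival order under a fixed work budget.
    Returns (sources whose requests were served, work spent)."""
    spent, served = 0, []
    for req in requests:
        if limiter is not None:
            spent += PREFILTER_COST
            if not limiter.allow(req["src"]):
                continue                      # rejected cheaply, no full check
        if spent + FULL_CHECK_COST > budget:
            break                             # saturated: every later request is lost
        spent += FULL_CHECK_COST
        if full_legitimacy_check(req):
            served.append(req["src"])
    return served, spent


def bogus(src: str, n: int) -> List[dict]:
    # Each request is well formed; only the expensive check reveals the bad tag.
    return [{"src": src, "body": b"request %d" % i, "tag": bytes(32)} for i in range(n)]


def legitimate(src: str) -> dict:
    body = b"real request"
    return {"src": src, "body": body, "tag": tag_for(body)}


def scenario():
    # Constructed traffic: 30 bogus requests from one source arrive ahead of one real one.
    traffic = bogus("attacker", 30) + [legitimate("client")]
    budget = 2000
    unprotected = serve(traffic, budget)                        # ([], 2000): client never served
    protected = serve(traffic, budget, PerSourceLimiter(burst=5))  # (["client"], 631)
    return unprotected, protected


if __name__ == "__main__":
    print(scenario())
```

Without the pre-filter the twenty bogus checks the budget can afford are all spent before the legitimate request is reached; with it, only five bogus requests reach the expensive check. The limiter is not a general defense, which is the report's point: an attacker spread across many sources gets `burst` expensive checks per source, and the per-source table is itself state that an attacker can grow.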

Building Trustworthy Systems from Untrustworthy Components

Improved trustworthiness may be achieved by the careful organization of untrustworthy components. There are a number of promising ideas, but few have been vigorously pursued. "Trustworthiness from untrustworthy components" is a research area that deserves greater attention.

Replication and diversity can be employed to build systems that amplify the trustworthiness of their components, and indeed, there are successful commercial products (e.g., fault-tolerant computers) in the marketplace that do exactly this. However, the potential and limits of this approach are not understood. For example, research is needed to determine the ways in which diversity can be added to a set of replicas, thereby improving trustworthiness.
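The following is an added example, not from the report, of how replication amplifies trustworthiness only when the replicas fail independently. Three independently written parsers of a 16-bit length field are run as replicas under a majority voter; one of them carries a sign-handling bug planted for this illustration. With diverse replicas the voter masks the faulty one; with three copies of the same implementation, or with a bug shared by two of three, the vote is unanimous or majority and wrong. The header bytes and the planted bug are constructed.

```python
import struct
from collections import Counter
from typing import Callable, Sequence, Tuple

# Three independently written parsers of a 16-bit big-endian length field.
# The first one contains a planted design slip: it treats the field as signed.
def length_signed(hdr: bytes) -> int:      # faulty variant (planted bug, for illustration)
    return struct.unpack(">h", hdr[:2])[0]


def length_unsigned(hdr: bytes) -> int:
    return struct.unpack(">H", hdr[:2])[0]


def length_manual(hdr: bytes) -> int:
    return (hdr[0] << 8) | hdr[1]


def vote(results: Sequence[int]) -> Tuple[int, bool]:
    """Majority vote over replica outputs. The flag is True only when a strict
    majority agreed; a False flag means the system could not mask the disagreement."""
    value, n = Counter(results).most_common(1)[0]
    return value, n * 2 > len(results)


def replicated(replicas: Sequence[Callable[[bytes], int]], hdr: bytes) -> Tuple[int, bool]:
    return vote([r(hdr) for r in replicas])


HEADER = b"\xff\xff" + b"payload..."   # constructed input that triggers the sign bug


def diverse() -> Tuple[int, bool]:
    """Three different implementations, one faulty: the voter masks it."""
    return replicated([length_signed, length_unsigned, length_manual], HEADER)


def identical() -> Tuple[int, bool]:
    """Three copies of the same faulty implementation: unanimous and wrong."""
    return replicated([length_signed, length_signed, length_signed], HEADER)


def correlated() -> Tuple[int, bool]:
    """Two of three share the bug: a confident majority for the wrong answer."""
    return replicated([length_signed, length_signed, length_unsigned], HEADER)


if __name__ == "__main__":
    print(diverse(), identical(), correlated())
```

diverse() returns (65535, True), the correct length with the faulty replica outvoted; identical() and correlated() both return (-1, True), a negative length reported with full confidence. Replication on its own masks random, independent failures (the fault-tolerant computer case in the text); against a shared design error it only replicates the error, which is why the open research question is how to add diversity that actually decorrelates failures.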

Trustworthiness functionality could reside in varying parts of an NIS. Little is known about the advantages and disadvantages of the different architectural possibilities, so an analysis of existing NISs would prove instructive. One architecture that has been suggested is based on the idea of a core minimum functionality—the minimum essential information infrastructure (MEII). But building an MEII for the nation would be a misguided initiative, because it presumes that the important "core minimum functionality" could be specifically defined, and that is unlikely to be the case.

Monitoring and detection can be employed to build systems that enhance the trustworthiness of their components. But limitations in system-monitoring technology and in technology to recognize events, like attacks and failures, impose fundamental limits on the use of monitoring and detection for implementing trustworthiness. For example, the limits and coverage of the various approaches to intruder and anomaly detection are not well understood.

A number of other promising research areas merit investigation. For example, systems could be designed to respond to an attack or failure by reducing their functionality in a controlled, graceful manner. And a variety of research directions involving new types of algorithms—self-stabilization, emergent behavior, biological metaphors—may be useful in defining systems that are trustworthy. These new research directions are highly speculative. Thus, they are plausible topics for longer-range research.

Social and Economic Factors That Inhibit the Deployment of Trustworthy Technology

Imperfect information creates a disincentive to invest in trustworthiness for both consumers and producers, leading to a market failure. Initiatives to mitigate this problem are needed.

Decision making today about trustworthy systems occurs within the context of imperfect information. That increases the level of uncertainty regarding the benefits of trustworthiness initiatives, thereby serving as a disincentive to invest in trustworthiness and distorting the market for trustworthiness. As a result, consumers prefer to purchase greater functionality rather than to invest in improved trustworthiness. Products addressing problems that have been experienced by consumers or that are perceived to address well-known or highly visible problems have been best received.

The absence of standard metrics or a recognized organization to conduct assessments for trustworthiness is an important contributing factor to the imperfect information problem. Useful metrics for the security dimension of trustworthiness are unlikely to be developed because the corresponding formal model for any particular metric would necessarily be incomplete. Therefore, useful aggregate metrics for trustworthiness are unlikely to be developed.

Standards may mitigate some of the difficulties that arise from imperfect information because standards can simplify the decision-making process for the purchasers and producers of trustworthiness by narrowing the field of choices. The development and evolution of a standard attract scrutiny that will work toward reducing the number of remaining design flaws and thereby promote trustworthiness. At the same time, the existence of standards promotes the wide availability of detailed technical information about a particular technology, and therefore serves as a basis for assessing where vulnerabilities remain. Standards that facilitate interoperability increase the likelihood that successful attacks in one system might prove effective in others. The net relationship between standards and trustworthiness is therefore indeterminate. Heterogeneity tends to cause NISs to be more vulnerable because the scrutiny of experts may not take place, but the negative effects that pertain to standards are also applicable for homogeneity.

Security criteria may also improve the level of information available to both consumers and producers of components. The Common Criteria may or may not prove useful for this purpose. In any case, it is doubtful that any criteria can keep pace with the evolving threats. However, even if there are a sufficient number of security-evaluated components, there is, at present, little or no rigorous methodology for assessing the security of NISs assembled from such evaluated components.

Consumer and producer costs for trustworthiness are difficult to assess. An improved understanding, better models, and more and accurate data are needed.

Trustworthiness typically reflects systemwide characteristics of an NIS, so trustworthiness costs are often difficult to allocate to specific users or uses. Such costs are therefore often allocated to central units. Trustworthiness also involves costs that are difficult to quantify; one example is the "hassle factor," which captures the fact that trustworthy systems tend to be more cumbersome to use.

It is difficult to distinguish trustworthiness costs from other direct product costs and overhead costs. Not surprisingly, there is a paucity of data, and what little data does exist has questionable accuracy. The production costs associated with integration and testing represent a substantial proportion of total producer costs for improving trustworthiness, and it is often difficult to separate "trustworthiness" costs from other costs. Time-to-market considerations discourage the inclusion of trustworthiness features and encourage the postponement of trustworthiness to later stages of the product life cycle.

As a truly multidimensional concept, trustworthiness is dependent on all of its dimensions. However, in some sense, the problems of security are more challenging and therefore deserve special attention.

Security risks are more difficult to specify and manage than those that arise from safety or reliability concerns. There is usually an absence of malice with respect to safety and reliability risks as well as tangible and often severe consequences that can be easily articulated; these considerations facilitate the assessment of risk and measurement of consequences for safety- and reliability-related risks, in contrast to security. A precise and testable definition is required to assess whether a standard has been fulfilled or not. Such definitions may often be articulated for some trustworthiness dimensions (such as reliability) but are often difficult to articulate for security.

Export control and key-escrow policy concerns inhibit the widespread deployment of cryptography, but there are other important inhibitory factors that deserve increased attention and action.

The public policy controversy surrounding export controls and key recovery does indeed inhibit the widespread deployment of cryptography. However, cryptography is not more widely deployed for other reasons, which include reduced convenience and usability, possible sacrifice of interoperability, increased computational and communications requirements, lack of a national or international key infrastructure, restrictions resulting from patents, and the fact that most information is already secure enough relative to its value to an unauthorized party.

Implementing Trustworthiness
Research and Development

In its necessary efforts to pursue partnerships, the federal government also needs to work to develop trust in its relationships with the private sector, with some emphasis on U.S.-based firms.

The federal government has less influence on vendors than in the past, so cooperative arrangements are increasingly necessary. The rise of the marketplace for computing and communications products includes new and/or start-up firms that tend to be focused on marketplace demands generally, and not on the needs of the federal government. Although the federal government is the largest single customer of computing and communications products and services, its relative market share, and therefore its market power, have declined. Building trust between the private and public sectors is essential to achieving increased cooperation in efforts to improve NIS trustworthiness, because the cryptography policy debates concerning export controls and key escrow have created suspicion within the private sector about government intent and plans. As trustworthiness-related products are increasingly provided by non-U.S. companies, the influence of foreign firms and governments on the trustworthiness marketplace is a new concern and suggests that some priority should be placed on partnerships with U.S. firms.

The NSA R2 organization must increase its efforts devoted to outreach and recruitment and retention issues.

The National Security Agency's R2 organization has initiated several outreach efforts, but these have not significantly broadened the community of researchers that work with R2. Effective outreach efforts are those that are designed to be compatible with the interests, perspectives, and realities of potential partners (e.g., acknowledgment of the dominance of COTS technology).

Inadequate incentives currently exist within R2 to attract and retain highly skilled researchers. Improved incentives might be financial (e.g., different salary scale) and/or nonfinancial (e.g., special recognition, greater public visibility) in nature. R2 faces formidable challenges in the recruitment and retention of the very best researchers. The rotation of R2 researchers with researchers in industry and academia would help to broaden and invigorate the R2 program. Such rotation would be most effective if it involved institutions that have large numbers of top researchers. As currently constituted, the R2 university research program emphasizes relatively short-term and small projects, and it does not attract the interest of the best industrial and academic researchers and institutions.

DARPA is generally effective in its interactions with the research community, but DARPA needs to increase its focus on information security and NIS trustworthiness research, especially with regard to long-term research efforts.

The nature and scope of major Defense Advanced Research Projects Agency (DARPA) projects that were funded in the 1970s—where security work was an integral part of a large, integrated effort—seem to characterize DARPA's greatest successes in the security domain. Not all of these efforts were so successful, as is characteristic of high-risk, high-payoff research. DARPA does fund some research today in important areas for NIS trustworthiness. However, other critical topics—as articulated in this study—are not emphasized to the extent that they should be. These topics include containment, denial-of-service attacks, and cryptographic infrastructures.

DARPA uses a number of mechanisms to communicate with the research community, which include principal investigator meetings, information science and technology activities (ISATs), and broad agency announcements (BAAs). These mechanisms seem to be generally effective in facilitating the exchange of ideas between DARPA and the research community.

The use of academics on temporary assignment as program managers has advantages and disadvantages. This rotation of program managers ensures that state-of-the-art thinking is constantly being infused into DARPA (assuming that the leading researchers in the field are appointed). On the other hand, such rotation does not promote long-term research agendas, because the tenure of a program manager typically is only 2 to 3 years.

An increase in expenditures for research in information security and NIS trustworthiness is warranted.

The committee believes that increased funding is warranted for both information security research in particular and NIS trustworthiness research in general. The appropriate level of increased funding should be based on a realistic assessment of the size and availability of the current population of researchers in relevant disciplines and projections of how this population of researchers may be increased in the coming years.
