Currently Skimming:

4 Moving Forward
Pages 61-74

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 61...
... Phil Reitinger, former deputy chief of the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, argues that critical information infrastructure requires a multidisciplinary response.
From page 62...
... [2] Studies such as Trust in Cyberspace conclude that many vulnerabilities in large, networked information systems are not attributed to poor computer security per se, but to inadequate software engineering methodology and practices and insufficient consideration of robustness in system architectures. Companies often fail to follow standard security practices, such as implementing and enforcing access controls, implementing patches on a timely basis, and implementing normal preventative and diagnostic technologies such as firewalls and intrusion detection systems (Computer Science and Telecommunications Board.
From page 63...
... For example, residential users of cable modems have been encouraged to install firewall software to compensate for the vulnerability they incur as a result of cable-Internet system designs; a different approach by cable system operators would diminish the investment needed by residential users, but if more residential users make this investment, it lowers the incentive for the cable operator. [7] From this perspective, software vendors may create bugs, but their customers and distributors bear the cost of dealing with them; Internet service providers sell access to the entire Internet but guarantee only their part of the network; or individual users can create security hazards but bear no consequences of their actions.
From page 64...
... Dr. Semancik argues that there is no economic theory that can calculate the actual benefit from the deployment of computer security technology (i.e., that a certain investment will increase security by some amount)
From page 65...
... Many policies also require companies to pass ongoing random red-team intrusion detection tests in order to maintain coverage. The insurance premium often depends on the security measures implemented.
From page 66...
... Benhamou reported that PITAC contemplated recommending increased funding in fundamental R&D in the field of computer network security, specifically calling for research focusing on protecting and securing the information infrastructure and creating hacker-proof networks. Meanwhile, the Office of Science and Technology Policy has moved to coordinate and plan for research relating to CIP and homeland security aid, while the major funders of computer science R&D have been exploring ways to increase their attention to these issues.[13] Industry and the intelligence community, suggests Mr.
From page 67...
... Such research may lead to lower-cost computer network security solutions, benefiting industry and improving the protection of critical infrastructures. But it raises challenging technical and legal issues in a world featuring interconnections among networks administered by a growing number and variety of parties in differing jurisdictions.
From page 69...
... Similarly, protection of personal data and [15] James Dempsey, deputy director of the Center for Democracy and Technology, noted that there are disagreements about what should be disclosed and to whom. For example, Senator Bennett has called for more public disclosure by companies about their information system vulnerabilities while at the same time promoting less public disclosure through support of a FOIA exemption for critical infrastructure information.
From page 70...
... For example, an individual using the system might be monitored for a non-security-related purpose or information about the user made available through the user verification process might permit computerized linking of the user's financial, employment, medical and other personal data. In the wake of September 11, the increasing number of measures aimed at protecting homeland security has fostered an increase in surveillance and intelligence-gathering activities, arousing concerns among privacy advocates.
From page 71...
... At the symposium, speakers and participants argued that the seriousness and urgency of the problem make it even more important to consider the value of privacy in crafting a solution. For example, Harriett Pearson noted that a researcher at the IBM Privacy Research Institute has developed a technology called "privacy preserving data mining," which allows information to be mined for patterns while preserving personally identifiable information.
From page 72...
... CRITICAL INFORMATION INFRASTRUCTURE PROTECTION AND THE LAW
A TRUST NETWORK
A common theme at the symposium was the importance of trust. Trust provides the foundation for approaches based on procedure or business practice, as opposed to law or technical mechanisms.
From page 73...
... One argument is that the government's message to the private sector has varied, ranging from national security to the economic delivery of vital services to mixed messages in between. The transition from a focus on CIP to the larger concept of homeland security compounds the challenge of communicating what is wanted and why; it presents a bigger picture, which can be a good thing, but it may also make the objective so big and unfocused as to cause confusion.
From page 74...
... to encourage information sharing in light of FOIA and antitrust concerns in the private sector. A clear and consistent message from the government to the private sector will go a long way toward building the trust that is necessary to protect the nation's critical information infrastructures.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.