National Academy Press
2101 Constitution Avenue, N.W. Washington, D.C. 20418
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Frank Press is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Robert M. White is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Samuel O. Thier is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Frank Press and Dr. Robert M. White are chairman and vice chairman, respectively, of the National Research Council.
Support for this project was provided by the Defense Advanced Research Projects Agency under Contract No. N00014-89-J-1731. However, the content does not necessarily reflect the position or the policy of the Defense Advanced Research Projects Agency or the government, and no official endorsement should be inferred.
Library of Congress Cataloging-in-Publication Data
Computers at risk: safe computing in the information age / System Security Study Committee, Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications, National Research Council.
p. cm.
Includes bibliographical references.
ISBN 0-309-04388-3
1. Computer security. I. National Research Council (U.S.).
Computer Science and Telecommunications Board. System Security Study Committee.
QA76.9.A25C6663 1990
005.8—dc20 90-22329
CIP
Copyright © 1991 by the National Academy of Sciences
No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise copied for public or private use, without written permission from the publisher, except for the purposes of official use by the U.S. government.
Printed in the United States of America
First Printing, December 1990
Second Printing, March 1991
Third Printing, April 1992
Fourth Printing, January 1992
Fifth Printing, March 1994
SYSTEM SECURITY STUDY COMMITTEE
DAVID D. CLARK,
Massachusetts Institute of Technology,
Chairman
W. EARL BOEBERT,
Secure Computing Technology Corporation
SUSAN GERHART,
Microelectronics and Computer Technology Corporation
JOHN V. GUTTAG,
Massachusetts Institute of Technology
RICHARD A. KEMMERER,
University of California at Santa Barbara
STEPHEN T. KENT,
BBN Communications
SANDRA M. MANN LAMBERT,
Security Pacific Corporation
BUTLER W. LAMPSON,
Digital Equipment Corporation
JOHN J. LANE,
Shearson, Lehman, Hutton, Inc.
M. DOUGLAS McILROY,
AT&T Bell Laboratories
PETER G. NEUMANN,
SRI International
MICHAEL O. RABIN,
Harvard University
WARREN SCHMITT,
Sears Technology Services
HAROLD F. TIPTON,
Rockwell International
STEPHEN T. WALKER,
Trusted Information Systems, Inc.
WILLIS H. WARE,
The RAND Corporation
MARJORY S. BLUMENTHAL, Staff Director
FRANK PITTELLI, CSTB Consultant
DAMIAN M. SACCOCIO, Staff Officer
MARGARET A. KNEMEYER, Staff Associate
DONNA F. ALLEN, Administrative Secretary
CATHERINE A. SPARKS, Senior Secretary
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
JOSEPH F. TRAUB,
Columbia University,
Chairman
ALFRED V. AHO,
AT&T Bell Laboratories
JOHN SEELY BROWN,
Xerox Corporation Palo Alto Research Center
FRANK P. CARRUBBA,
Hewlett-Packard Company
DAVID J. FARBER,
University of Pennsylvania
SAMUEL H. FULLER,
Digital Equipment Corporation
JAMES FREEMAN GILBERT,
University of California at San Diego
WILLIAM A. GODDARD III,
California Institute of Technology
JOHN L. HENNESSY,
Stanford University
JOHN E. HOPCROFT,
Cornell University
MITCHELL D. KAPOR,
ON Technology, Inc.
SIDNEY KARIN,
San Diego Supercomputer Center
LEONARD KLEINROCK,
University of California at Los Angeles
ROBERT LANGRIDGE,
University of California at San Francisco
ROBERT L. MARTIN,
Bell Communications Research
WILLIAM F. MILLER,
SRI International
ABRAHAM PELED,
IBM T.J. Watson Research Center
RAJ REDDY,
Carnegie Mellon University
JEROME H. SALTZER,
Massachusetts Institute of Technology
MARY SHAW,
Carnegie Mellon University
ERIC E. SUMNER,
Institute of Electrical and Electronics Engineers
IVAN E. SUTHERLAND,
Sutherland, Sproull & Associates
GEORGE L. TURIN,
Teknekron Corporation
VICTOR VYSSOTSKY,
Digital Equipment Corporation
WILLIS H. WARE,
The RAND Corporation
WILLIAM WULF,
University of Virginia
MARJORY S. BLUMENTHAL, Staff Director
ANTHONY M. FORTE, Senior Staff Officer
HERBERT LIN, Staff Officer
DAMIAN M. SACCOCIO, Staff Officer
RENEE A. HAWKINS, Staff Associate
DONNA F. ALLEN, Administrative Secretary
LINDA L. JOYNER, Project Assistant
CATHERINE A. SPARKS, Senior Secretary
COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS*
NORMAN HACKERMAN,
Robert A. Welch Foundation,
Chairman
PETER J. BICKEL,
University of California at Berkeley
GEORGE F. CARRIER,
Harvard University
HERBERT D. DOAN,
The Dow Chemical Company
(retired)
DEAN E. EASTMAN,
IBM T.J. Watson Research Center
MARYE ANNE FOX,
University of Texas
PHILLIP A. GRIFFITHS,
Duke University
NEAL F. LANE,
Rice University
ROBERT W. LUCKY,
AT&T Bell Laboratories
CHRISTOPHER F. McKEE,
University of California at Berkeley
RICHARD S. NICHOLSON,
American Association for the Advancement of Science
JEREMIAH P. OSTRIKER,
Princeton University Observatory
ALAN SCHRIESHEIM,
Argonne National Laboratory
ROY F. SCHWITTERS,
Superconducting Super Collider Laboratory
KENNETH G. WILSON,
Ohio State University
NORMAN METZGER, Executive Director
* The project that is the subject of this report was initiated under the predecessor group of the Commission on Physical Sciences, Mathematics, and Applications, which was the Commission on Physical Sciences, Mathematics, and Resources, whose members are listed in Appendix G.
Preface
The Computer Science and Technology Board, which became the Computer Science and Telecommunications Board in September 1990, formed the System Security Study Committee in response to a fall 1988 request from the Defense Advanced Research Projects Agency (DARPA) to address the security and trustworthiness of U.S. computing and communications systems. The committee was charged with developing a national research, engineering, and policy agenda to help the United States achieve a more trustworthy computing technology base by the end of the century. DARPA asked the committee to take a broad outlook—to consider the interrelationship of security and other qualities (e.g., safety and reliability), commercialization as well as research, and the diverse elements of the research and policy communities. In keeping with DARPA's initial request, the committee focused on security aspects but related them to other elements of trustworthiness.
The System Security Study Committee was composed of sixteen individuals from industry and academia, including computer and communications security researchers and practitioners and software engineers. It met in May, August, and November of 1989 and in February, April, and July of 1990. Its deliberations were complemented by briefings from and interviews with a variety of federal government researchers and officials and security experts and others from industry. A central feature of the committee's work was the forging of a consensus in the face of different technical and professional perspectives. While the committee drew on both the research literature and publications aimed at security practitioners, it sought to combine the research and practitioner perspectives to provide a more unified assessment than might perhaps be typical. Given the goal of producing an unclassified report, the committee focused on the protection of sensitive but unclassified information in computer and communications systems. The orientation toward an unclassified report also limited the extent to which the committee could probe tensions in federal policy between intelligence-gathering and security-providing objectives.
This report of the System Security Study Committee presents its assessment of key computer and communications security issues and its recommendations for enhancing the security and trustworthiness of the U.S. computing and communications infrastructure.
David D. Clark, Chairman
System Security Study Committee
Acknowledgments
The System Security Study Committee appreciates the generous assistance provided by Carl Landwehr of the Naval Research Laboratory and a group of federal liaisons that he coordinated, including Anthony Adamski of the Federal Bureau of Investigation, Dennis Branstad of the National Institute of Standards and Technology, Leon Breault of the Department of Energy, Richard Carr of the National Aeronautics and Space Administration, Richard DeMillo of the National Science Foundation (preceded by John Gannon), C. Terrance Ireland of the National Security Agency, Stuart Katzke of the National Institute of Standards and Technology, Robert Morris of the National Security Agency, Karen Morrissette of the Department of Justice, Mark Scher of the Defense Communications Agency, and Kermith Speierman of the National Security Agency. These individuals made themselves and their associates available to the committee to answer questions, provide briefings, and supply valuable reference materials.
The committee is grateful for special briefings provided by William Vance of IBM, John Michael Williams of Unisys, and Peter Wild of Coopers and Lybrand. Additional insight into specific issues was provided by several individuals, including in particular Mark Anderson of the Australian Electronics Research Laboratory, Carolyn Conn of GE Information Services, Jay Crawford of the Naval Weapons Center at China Lake, California, George Dinolt of Ford Aerospace Corporation, Morrie Gasser and Ray Modeen of Digital Equipment Corporation, James Giffin of the Federal Trade Commission, J. Thomas Haigh of Secure Computing Technology Corporation, James Hearn of the National Security Agency, Frank Houston of the Food and Drug Administration, Christian Jahl of the German Industrie Anlagen Betriebs Gesellschaft, Ian King of the U.K. Communications-Electronics Security Group, Stewart Kowalski of the University of Stockholm, Milan Kuchta of the Canadian Communications Security Establishment, Timothy Levin of Gemini Computers, Inc., Michael Nash representing the U.K. Department of Trade and Industry, Stephen Purdy and James Bauer of the U.S. Secret Service, John Shore of Entropic Research Laboratory, Inc., Linda Vetter of Oracle Corporation, Larry Wills of IBM, and the group of 30 corporate security officers who participated in a small, informal survey of product preferences.
The committee appreciates the encouragement and support of Stephen Squires and William Scherlis of DARPA, who provided guidance, insights, and motivation. It is particularly grateful for the literally hundreds of suggestions and criticisms provided by the ten anonymous reviewers of an early draft. Those inputs helped the committee to tighten and strengthen its presentation, for which it, of course, remains responsible.
Finally, the committee would like to acknowledge the major contribution that the staff of the Computer Science and Telecommunications Board has made to this report, in particular thanking Marjory Blumenthal, Damian Saccocio, Frank Pittelli, and Catherine Sparks. They supplied not only very capable administrative support, but also substantial intellectual contributions to the development of the report. The committee also received invaluable assistance from its editor, Susan Maurizi, who labored under tight time constraints to help it express its ideas on a complex and jargon-filled subject. It could not have proceeded effectively without this level of support from the National Research Council.
David D. Clark, Chairman
System Security Study Committee