NATIONAL ACADEMY PRESS
2101 Constitution Avenue, N.W. Washington, D.C. 20418
NOTICE: The projects that are the basis of this synthesis report were approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committees responsible for the final reports of these projects and of the board that produced this synthesis were chosen for their special competences and with regard for appropriate balance.
Core support for the Computer Science and Telecommunications Board (CSTB) is provided by its public and private sponsors, which include federal agencies (the Air Force Office of Scientific Research, Defense Advanced Research Projects Agency, Department of Energy, National Aeronautics and Space Administration, National Institute of Standards and Technology, National Library of Medicine, National Science Foundation, and the Office of Naval Research); the Vadasz Family Foundation; and an evolving mix of charitable corporate and individual contributions. Sponsors enable but do not influence CSTB’s work. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of the organizations or agencies that provide support for CSTB.
International Standard Book Number 0-309-08312-5
Additional copies of this report are available from the Computer Science and Telecommunications Board, National Research Council, 2101 Constitution Avenue, N.W., Washington, DC 20418. Call 202-334-2605 or e-mail the CSTB at email@example.com. This report is also available online at <http://www.cstb.org>.
Copyright 2002 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
Suggested citation: Computer Science and Telecommunications Board, Cybersecurity Today and Tomorrow: Pay Now or Pay Later, National Academy Press, Washington, D.C., 2002.
The National Academies intend for this document to be disseminated as far and as widely as possible, and you are encouraged to do so. To obtain permission to reproduce, reprint, or disseminate this document or portions of it (and it is the intent of the National Academies to grant such permission for noncommercial purposes routinely and promptly), please apply in writing to Dick Morris, Permissions Manager, National Academy Press, by e-mail (firstname.lastname@example.org) or fax (202-334-2793), or phone 202-334-3335 for further information.
THE NATIONAL ACADEMIES
National Academy of Sciences
National Academy of Engineering
Institute of Medicine
National Research Council
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Wm. A. Wulf is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Kenneth I. Shine is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chairman and vice chairman, respectively, of the National Research Council.
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
DAVID D. CLARK,
Massachusetts Institute of Technology,
AOL Time Warner
JOHN M. CIOFFI,
University of Utah
W. BRUCE CROFT,
University of Massachusetts at Amherst
THOMAS E. DARCIE,
AT&T Labs Research
University of California at Berkeley
JEFFREY M. JAFFE,
Bell Laboratories, Lucent Technologies
University of Washington
BUTLER W. LAMPSON,
EDWARD D. LAZOWSKA,
University of Washington
U.S. Venture Partners
TOM M. MITCHELL,
Carnegie Mellon University
Nielsen Norman Group
DAVID A. PATTERSON,
University of California at Berkeley
HENRY (HANK) PERRITT,
Chicago-Kent College of Law
University of California at Santa Barbara
New York University
JEANNETTE M. WING,
Carnegie Mellon University
MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Senior Scientist
ALAN S. INOUYE, Senior Program Officer
JON EISENBERG, Senior Program Officer
LYNETTE I. MILLETT, Program Officer
CYNTHIA PATTERSON, Program Officer
STEVEN WOO, Program Officer
DAVID PADGHAM, Research Associate
JANET BRISCOE, Administrative Officer
MARGARET HUYNH, Senior Project Assistant
DAVID DRAKE, Senior Project Assistant
JANICE SABUDA, Senior Project Assistant
JENNIFER BISHOP, Senior Project Assistant
BRANDYE WILLIAMS, Staff Assistant
Starting with the publication of the report Computers at Risk: Safe Computing in the Information Age in 1991 (National Academy Press, Washington, D.C.), the Computer Science and Telecommunications Board (CSTB) has examined the issue of computer and communications security a number of times, from a number of perspectives. While there has been progress in security, it is a sad commentary on the state of the world that what CSTB wrote more than 10 years ago is still timely and relevant. For those who work in computer security, there is a deep frustration that research and recommendations do not seem to translate easily into deployment and utilization.
The events of September 11, 2001, suggest—indeed demand—that we take a renewed look at the security and robustness of our nation’s infrastructure. Now, if ever, we see the importance of having critical systems resistant to attack and serviceable in times of crisis. From our telephone system to air traffic control to the Internet, we will be greatly harmed if these systems fail us just when we need them most.
The vulnerabilities are not new, only freshly brought into focus. And the approaches that will mitigate these threats are not unknown, only underutilized. So CSTB has taken the approach of drawing on its past work to point out that much of what we need to do is available to us now, if only we choose to act.
The staff of the CSTB have assembled this report from the broad base of its existing reports. Herb Lin deserves special thanks for the effort necessary to produce this report quickly.
David D. Clark, Chair
Computer Science and Telecommunications Board
Acknowledgment of Reviewers
This report was reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s (NRC’s) Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making the published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their participation in the review of this report:
Steven Bellovin, AT&T Labs Research,
Thomas Berson, Anagram Laboratories,
John Davis, Mitretek Systems Inc.,
Carl Landwehr, National Science Foundation,
Fred Schneider, Cornell University, and
Willis Ware, RAND Corporation.
Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Gerry Dinneen. Appointed by the NRC’s Report Review Committee, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the Computer Science and Telecommunications Board and the National Research Council.