A Perspective on Cybersecurity Research in the United States
Wm. A. Wulf*
National Academy of Engineering
Anita K. Jones
University of Virginia
This paper is a perspective on—an opinion about—the state of cybersecurity research in the United States. It is not a thorough enumeration of the ongoing research, but rather a critique of the overall state of that research. The essential conclusion of this critique is that although the nation is at great risk from cyberterrorism, we have virtually no research base on which to build secure systems. Moreover, only a tiny cadre of researchers are thinking deeply about long-term solutions to the problem of cybersecurity.
If the problem were merely a matter of implementing techniques that are known to be adequate, this might not be a serious issue. The truth is that we do not know how to build secure information systems. The only model widely used for cybersecurity is the “perimeter defense” model, which is demonstrably fragile. To be sure, many immediate problems of cybersecurity can be handled by implementing or enforcing known “best practices,” such as patching software to correct each new, successful attack. Solving the fundamental problem will require long-term, innovative basic research, and at the moment we have very few people capable of doing that research.
HOW VULNERABLE IS THE UNITED STATES?
Although we began by asserting the vulnerability of the United States to cyberterrorism (and, indeed, cybercrime), in truth no one knows how vulnerable we really are. We are probably more vulnerable than we would like to be, and maybe a lot more vulnerable than we can survive. We know that financial cybersystems have been attacked, but the extent of damage has generally not been disclosed to preserve their image of integrity. Military systems have also been attacked, but the most serious attacks have also not been disclosed for security reasons. (It has been reported, however, that more than 60 percent of U.S. military computers have been compromised.) We know that national defense computers and networks use the same software and hardware as the public, and thus are subject to the same kinds of attacks. These military systems are, of course, an attractive target for sophisticated state-sponsored intruders who want to undermine our military preparedness. We also know that the country’s infrastructure—power, pipelines, water distribution, and so forth—is increasingly controlled by computers that communicate via networks, including the Internet, and thus are potential targets.
The U.S. legal system exacerbates the risk of cyberattack because it prevents the exchange of information among private corporations about attacks, thus preventing one company from learning from the experiences of others. In anticipation of Y2K problems, Congress passed special legislation enabling corporations to exchange information (with limited liability). However, no such legislation has been passed to permit the exchange of cybersecurity information. Other laws—laws to protect civil liberties, for example—prohibit the exchange of information among some government agencies. Although this is an admirable goal, it does make cybersecurity more difficult to achieve.
The bottom line is that no one knows exactly how vulnerable we are. We can obtain an idea of the magnitude of the problem, however, from public information. The 1997 Presidential Commission on Critical Infrastructure Protection, with access to classified and proprietary information, focused on cybersecurity. Although the commission’s charter included all critical infrastructure—power, water, communications, financial, and so forth—they chose to focus on just one, our cyberinfrastructure. In its report, the commission found that “all our infrastructures [are] increasingly dependent on information and communications systems… [that] dependence is the source of rising vulnerabilities, and therefore, it is where we concentrated our efforts.” In other words, all forms of infrastructure are so vulnerable to cyberattack that the commission decided to virtually ignore other vulnerabilities. Information technology has become crucial to every aspect of modern life, and a serious attack could cripple any system, from an emergency military deployment to health care delivery to the generation of electrical power.
Publicly reported attacks have been relatively unsophisticated and, although annoying, have not had dire consequences. The unreported attacks have been more serious, but the details have not been made known to the public—or, in some cases, not even to the responsible public officials. Potential attack scenarios are even worse, but the probability that they will happen is simply not known.
Our critical systems have many vulnerabilities, ranging from errors in software to trusted but disgruntled employees to low-bid developers outside the United States. But the problem goes much deeper. In many cases, attackers have found clever ways to combine two or more legitimate features of a system in ways the designers had not foreseen. In these cases, undesirable behavior results from correctly implemented software. In addition, software vendors have found that the public is not willing to pay for security. Buyers do not choose more secure products over less secure ones, especially if they must pay a premium for them, so vendors have not invested in security. The overriding fundamental source of vulnerability is that we do not have a deep understanding of the problem or its solution, and little if any research is being done to develop that understanding.
HOW PREPARED ARE WE TO RESPOND?
There are different answers for the short term and the long term, and to some extent there are different answers for the military, the private sector, financial institutions, and other communities. Unfortunately, the only short-term solution is to patch systems as we discover bugs in them. To be effective, this requires that every member of a vast army of system administrators and users be vigilant. Alas, the evidence shows that such widespread diligence is extraordinarily hard to achieve.
Of equal importance, the Internet is essentially a monoculture—almost all of the computers connected to it are IBM compatible. Because they use a single operating system and set of applications, a would-be attacker has to find only one vulnerability in any part of the system to attack the vast majority of computers connected to the network. That is why attacks all seem to spread rapidly.
In the long term, we will need a deep research base on cybersecurity. Unfortunately, one of the principal findings of the Presidential Commission on Critical Infrastructure Protection was that the current research base is not adequate to support infrastructure protection. For historical reasons, no U.S. federal funding agency has assumed responsibility for supporting basic research in this area—not the Defense Advanced Research Projects Agency, not the National Science Foundation, not the U.S. Department of Energy, and not the National Security Agency.
As a result, only relatively small, sporadic research projects have been funded, and the underlying assumptions on cybersecurity that were established in the 1960s mainframe environment have not been questioned. When funds are scarce, researchers become very conservative, and bold challenges to the conventional wisdom are not likely to pass peer review. Incrementalism has become the norm; thus, no long-term cybersecurity solution has been developed, or even thoroughly investigated.
Also, few researchers elect cybersecurity as a topic. It has been estimated that only seven Ph.D. students each year choose to work in the cybersecurity area.
WHAT NEEDS TO BE DONE?
Four critical needs must be met to improve cybersecurity:
the need for a new model to replace the perimeter defense model
the need for a new definition of cybersecurity
the need for an active defense
the need for coordinated activities within cybercommunities, the legal system, and regulatory systems
The Need for a New Model
Most research on cybersecurity has been based on a perimeter defense model. This model states that the object to protect is “inside” the system, the attacker is outside the system, and the system must therefore keep the attacker from breaching the system’s perimeter. It is interesting that this model is so deeply entrenched in our thinking about cybersecurity that our terminology reflects it: We have firewalls to keep outside attackers from penetrating our defenses; we build intrusion detection software to determine whether an outsider has foiled our perimeter defense; we build a DMZ (demilitarized zone) to allow both insiders and outsiders to access certain restricted facilities; etc. This perimeter defense model of computer security—sometimes called the Maginot Line model—has been used since the first mainframe operating systems were built in the 1960s. Unfortunately, it is dangerously, even fatally, flawed.
First, like the Maginot Line, it is fragile. In World War II, France fell in 35 days because of its reliance on this model. No matter how formidable the defenses, an attacker can circumvent them and, once inside, can compromise the entire system.
Second, the model fails to recognize that many security flaws are “designed in.” In other words, a system may fail by performing exactly as specified. In 1993 the Naval Research Laboratory conducted an analysis of some 50 security flaws and found that 22 of them were designed into the requirements or specifications for supposedly correct system behavior.
Third, a perimeter defense cannot protect against attacks from inside. If all of our defenses are directed outward, we remain vulnerable to the legitimate insider. An FBI study of attacks on financial systems determined that insider attacks were twice as frequent as outsider ones and that each insider attack was 50 times more costly than the average outsider attack.
Fourth, major damage can be done without penetrating a system. This was demonstrated by the distributed denial-of-service attacks on Yahoo and other Internet sites two years ago. Simply by flooding the system with false requests for service, these sites were rendered incapable of responding to legitimate requests. Such attacks need not be against Internet sites; we can be grateful that so far denial-of-service attacks have not been directed against 911 services in a major city, for example.
Fifth, the Maginot Line model has never worked. Every system designed with a Maginot Line-type notion of security has been compromised, including the systems the authors built in the 1970s. After 40 years of trying to develop a foolproof system, it is time we realized that we are not likely to succeed.
Sixth and finally, the perimeter defense model cannot work for deep theoretical reasons. In short, to build a truly secure system, one would have to prove a theorem that no “bad thing” can ever happen, where “bad thing” is not completely defined. The experience with cryptographic protocols is interesting in this regard. These protocols are relatively small programs whose function is critical to maintaining the perimeter defense model in networked systems. Because of their criticality, a number of these protocols have been “proven correct,” only to be subsequently broken by someone with a different notion of bad behavior than was presumed in the proof. For these reasons, replacing the perimeter defense model of computer security is essential to the long-term solution to cybersecurity.
The Need for a Better Definition of Security
The second critical need for cybersecurity is to redefine security. The military definition of security emphasizes protecting access to sensitive information. This is the basis of the layered (confidential, secret, top secret) and compartmentalized (code word) classification of information.
The somewhat broader definition of security used in the computing research community includes two other notions: integrity and denial of service. Integrity implies that an attacker cannot modify information in the system. In some cases, for instance, medical records, integrity is much more important than secrecy. We may not like it if other people see our medical records, but we may die if someone alters our allergy profile.
Denial of service means that the attacker does not access or modify information but denies users a service provided by it. This relatively unsophisticated form of attack can be used against phone systems, for example, 911, financial systems, and, of course, Internet hosts. Because more than 90 percent of military communications, and almost 100 percent of law enforcement and other first responder communications are sent via the public switched telephone network, attackers could seriously disrupt a military activity or response to a terrorist incident by simply tying up the phone lines at appropriate bases or municipal crisis control centers.
Practical definitions of security must be more complex than confidentiality, integrity, and denial of service and must be tailored for each kind of entity; that is, different systems are needed for credit cards, medical records, tanks, flight plans, student examinations, and so forth. The notion of restricting access to a credit card to individuals with, say, secret clearance is nonsensical. Other factors, such as the timing (or at least the temporal order) of operations, correlative operations on related objects, and so on, are essential concepts for real-world security. (It used to be said that the best way to anticipate major U.S. military operations was to count the number of pizza deliveries to the Pentagon.)
The military concept of sensitive but unclassified information also has a counterpart in the cyberworld. Indeed, the line between sensitive and nonsensitive information is often blurred in cyberspace. In principle, one must consider how any piece of information might be combined with any other pieces of information to compromise a system. With the vast amount of information available on the Internet and the speed of modern computers, it has become all but impossible to anticipate how information will be combined or what inferences can be drawn from such combinations.
The Need for an Active Defense
The third critical need for cybersecurity is for an active defense. Not all experts agree, but based on our experience during the past 30 years, we have concluded that a passive defense alone will not work. It is unlikely that a system can be built that anticipates all possible uses, misuses, and vulnerabilities. Thus, effective cybersecurity must include some kind of active response—a threat or a cost higher than the attacker is willing to pay—to complement the passive defense.
Developing an active defense will be difficult because identifying the source of an attack is difficult. The practical and legal implications of active defenses have not been determined, and the opportunities for mistakes are legion. The international implications are especially troublesome. It is difficult, usually impossible, to pinpoint the physical location of an attacker. If it is in another country, a countermeasure by a U.S. government computer might even be considered an act of war.
Resolving these legal and related issues will require a thoughtful approach and careful international diplomacy. We desperately need long-term basic scholarship in this area, and we need to start now.
The Need for Coordinated Activities by Legal and Other Societal Mechanisms
Any plan of action must also involve a dialogue on legal issues, the fourth critical need for cybersecurity. In the United States, the coupling between the legal system and cybersecurity (and cybercrime) is only beginning to emerge. From our technically based perspective, two kinds of issues should be addressed soon: (1) issues raised in cyberspace that do not have counterparts in the physical world and (2) issues raised by place-based assumptions in current law.
The first category includes many issues from new forms of intellectual property, for example, databases, to new forms of crime, for example, spamming. Issues of particular interest to this discussion are rights and limitations on active countermeasures to intrusions—indeed, determining what constitutes an intrusion.
The second category, issues raised by place-based assumptions in current law, includes many basic questions. How does the concept of jurisdiction apply in cyberspace? For tax purposes, for example, sales taxes, where does a cyberspace transaction take place? Where do you draw the line between national security and law enforcement? How do you apply the concept of posse comitatus?[1]
Not all of these issues are immediately and obviously related to cybersecurity. But cyberspace protection is a “wedge issue” that will force us to rethink some fundamental ideas about the role of government, the relationship between the public and private sectors, the balance between rights of privacy and public safety, and the definition of security.
The security of our information infrastructure and other critical infrastructures will be a systems problem, as well as a significant research challenge. A particular government agency must take on the mission of revitalizing research in cybersecurity with the following objectives:
development of wholly new methods of ensuring information system security
development of a larger research community in cybersecurity
education of computer system and computer science majors in cybersecurity at the undergraduate level, which would eventually improve the state of the practice in industry
Achieving these goals will require a guarantee of sustained support over a long period as an incentive to researchers to pursue projects in this area.
In the past few months, members of the U.S. House of Representatives Committee on Science have held hearings on the state of research on cybersecurity and have introduced three acts that would provide initial funding for basic research through the National Science Foundation and the National Institute of Standards and Technology.[2] Although these initiatives are heartening, their full impact will not be felt for a decade or more. Historically, policy makers have not continued to support research with such long horizons. However, in the aftermath of September 11, 2001, we are hopeful that Congress is now ready to provide stable, long-term funding for this high-risk research.
[1] Posse Comitatus is an 1880s-era law that prohibits the federal military from functioning in the territory of the United States.
[2] See H.R. 3316 Computer Security Enhancement and Research Act of 2001, H.R. 3394 Cyber Security Research and Development Act, and H.R. 3400 Networking and Information Technology Research Advancement Act. For the text of written testimony by Wm. A. Wulf, see the NAE web site, www.nae.edu, under “Site Highlights.”