Computer systems are coming of age. As computer systems become more prevalent, sophisticated, embedded in physical processes, and interconnected, society becomes more vulnerable to poor system design, accidents that disable systems, and attacks on computer systems. Without more responsible design and use, system disruptions will increase, with harmful consequences for society. They will also result in lost opportunities from the failure to put computer and communications systems to their best use.
Many factors support this assessment, including the proliferation of computer systems into ever more applications, especially applications involving networking; the changing nature of the technology base; the increase in computer system expertise within the population, which increases the potential for system abuse; the increasingly global environment for business and research; and the global reach and interconnection of computer networks, which multiply system vulnerabilities. Also relevant are new efforts in Europe to promote and even mandate more trustworthy computer systems; European countries are strengthening their involvement in this arena, while the United States seems caught in a policy quagmire. Although recent and highly publicized abuses of computer systems may seem exceptional today, each illustrates potential problems that may be undetected and that are expected to become more common and even more disruptive. The nature and the magnitude of computer system problems are changing dramatically.
The nation is on the threshold of achieving a powerful information infrastructure that promises many benefits. But without adequate safeguards, we risk intrusions into personal privacy (given the growing electronic storage of personal information) and potential disasters that can cause economic and even human losses. For example, new vulnerabilities are emerging as computers become more common as components of medical and transportation equipment or more interconnected as components of domestic and international financial systems. Many disasters may result from intentional attacks on systems, which can be prevented, detected, or recovered from through better security. The nation needs computer technology that supports substantially increased safety, reliability, and, in particular, security.
Security refers to protection against unwanted disclosure, modification, or destruction of data in a system and also to the safeguarding of systems themselves. Security, safety, and reliability together are elements of system trustworthiness—which inspires the confidence that a system will do what it is expected to do.
In many ways the problem of making computer and communications systems more secure is a technical problem. Unlike a file cabinet, a computer system can help to protect itself; there exists technology to build a variety of safeguards into computer systems. As a result, software, hardware, and system development presents opportunities for increasing security. Yet known techniques are not being used, and development of better techniques is lagging in the United States. From a technical perspective, making computer system technology more secure and trustworthy involves assessing what is at risk, articulating objectives and requirements for systems, researching and developing technology to satisfy system requirements, and providing for independent evaluation of the key features (to assess functionality) and their strength (to provide assurance). All of these activities interact.
Attaining increased security, in addition to being a technical matter, is also a management and social problem: what is built and sold depends on how systems are designed, purchased, and used. In today's market, demand for trustworthy systems is limited and is concentrated in the defense community and industries, such as banking, that have very high levels of need for security. That today's commercial systems provide only limited safeguards reflects limited awareness among developers, managers, and the general population of the threats, vulnerabilities, and possible safeguards. Most consumers have no real-world understanding of these concepts and cannot choose products wisely or make sound decisions about how to use them. Practical security specialists and professional societies have emerged and have begun to affect security practice from inside organizations, but their impact is constrained by lack of both management awareness and public awareness of security risks and options. Even when consumers do try to protect their own systems, they may be connected via networks to others with weaker safeguards—like a polluting factory in a densely populated area, one person's laxness in managing a computer system can affect many. As long as demand remains at best inconsistent, vendors have few incentives to make system products more secure, and there is little evidence of the kind of fundamental new system development necessary to make systems highly trustworthy. The market does not work well enough to raise the security of computer systems at a rate fast enough to match the apparent growth in threats to systems.
The U.S. government has been involved in developing technology for computer and communications security for some time. Its efforts have related largely to preserving national security and, in particular, to meeting one major security requirement, confidentiality (preserving data secrecy). But these programs have paid little attention to the other two major computer security requirements, integrity (guarding against improper data modification or destruction) and availability (enabling timely use of systems and the data they hold). These requirements are important to government system users, and they are particularly and increasingly important to users of commercial systems. Needed is guidance that is more wide-ranging and flexible than that offered by the so-called Orange Book published by the National Security Agency, and it should be guidance that stimulates the production of more robust, trustworthy systems at all levels of protection.
Overall, the government's efforts have been hamstrung by internecine conflict and underfunding of efforts aimed at civilian environments. These problems currently appear to be exacerbated, at precisely the time that decisive and concerted action is needed. A coherent strategy must be established now, given the time, resources, planning, and coordination required to achieve adequate system security and trustworthiness. The reorganization of and perceived withdrawal from relevant computer security-related activities at the National Security Agency and the repeated appropriations of minimal funding for relevant activities at the National Institute of Standards and Technology are strong indications of a weak U.S. posture in this area. A weak posture is especially troubling today, because of the momentum that is building overseas for a new set of criteria and associated system evaluation schemes and standards. Influencing what can be sold or may be required in overseas markets, these developments and the U.S. response will affect the competitiveness of U.S. vendors and the options available to users of commercial computer systems worldwide. They will also affect the levels of general safety and security experienced by the public.
This report characterizes the computer security problem and advances recommendations for containing it (Chapter 1). It examines concepts of and requirements for computer security (Chapter 2), the technology necessary to achieve system security and trustworthiness, and associated development issues (Chapter 3), programming methodology (Chapter 4), the design and use of criteria for secure computer system development and evaluation of computer system security relative to a set of criteria (Chapter 5), and problems constraining the market for trustworthy systems (Chapter 6). The System Security Study Committee concluded that several steps must be taken to achieve greater computer system security and trustworthiness, and that the best approach to implementing necessary actions is to establish a new organization, referred to in the report as the Information Security Foundation (ISF). The concept of the ISF and the roles and limitations of organizations that currently have significant responsibilities in the computer security arena are discussed together (Chapter 7). Topics and tactics for research to enable needed technology development are outlined (Chapter 8). Supporting the individual chapters are appendixes that provide further details on selected technical and conceptual points.
The committee urges that its recommendations be considered together as integral to a coherent national effort to encourage the widespread development and deployment of security features in computer systems, increase public awareness of the risks that accompany the benefits of computer systems, and promote responsible use and management of computer systems. Toward the end of increasing the levels of security in new and existing computer and communications systems, the committee developed recommendations in six areas. These are outlined below and developed further in the full report.
Promulgation of a comprehensive set of Generally Accepted System Security Principles, referred to as GSSP, which would provide a clear articulation of essential security features, assurances, and practices. The committee believes that there is a basic set of security-related principles for the design, use, and management of systems that are of such broad applicability and effectiveness that they ought to be a part of any system with significant operational requirements. This set will grow with research and experience in new areas of concern, such as integrity and availability, and can also grow beyond the specifics of security to deal with other related aspects of system trust, such as safety. GSSP should enunciate and codify these principles. Successful GSSP would establish a set of expectations about and requirements for good practice that would be well understood by system development and security professionals, accepted by government, and recognized by managers and the public as protecting organizational and individual interests against security breaches and associated lapses in the protection of privacy. GSSP, which can be built on existing material (e.g., the Orange Book), would provide a basis for resolving differences between U.S. and other national and transnational criteria for trustworthy systems and for shaping inputs to international security and safety standards discussions.
A set of short-term actions for system vendors and users that build on readily available capabilities and would yield immediate benefits, including (for users) formation of security policy frameworks and emergency response teams, and (for vendors) universal implementation of specific minimal acceptable protections for discretionary and mandatory control of access to computing resources, broader use of modern software development methodology, implementation of security standards and participation in their further development, and procedures to prevent or anticipate the consequences of inadvisable actions by users (e.g., systems should be shipped with security features turned on, so that explicit action is needed to disable them).
Establishment of a system-incident data repository and appropriate education and training programs to promote public awareness.
Clarification of export control criteria and procedures for secure or trusted systems and review for possible relaxation of controls on the export of implementations of the Data Encryption Standard (DES).
Funding and directions for a comprehensive program of research.
Establishment of a new organization to nurture the development, commercialization, and proper use of trust technology, referred to as the Information Security Foundation, or ISF. The committee concludes that existing organizations active in the security arena have made important contributions but are not able to make the multifaceted and large-scale efforts that are needed to truly advance the market and the field. The proposed ISF would be a private, not-for-profit organization. It would be responsible for implementing much of what the committee has recommended, benefiting from the inherent synergies: ISF should develop GSSP, develop flexible evaluation techniques to assess compliance with GSSP, conduct research related to GSSP and evaluation, develop and maintain an incident-tracking system, provide education and training services, broker and enhance communications between commercial and national security interests, and participate in international standardization and harmonization efforts for commercial security practice. In doing these things it would have to coordinate its activities with agencies and other organizations significantly involved in computer security. The ISF would need the highest level of governmental support; the strongest expression of such support would be a congressional charter.
Although the System Security Study Committee focused on computer and communications security, its recommendations would also support efforts to enhance other aspects of systems such as reliability and safety. It does not make sense to address these problems separately. Many of the methods and techniques that make systems more secure make them more trustworthy in general. The committee has framed several of its recommendations so as to recognize the more general objective of making systems more trustworthy, and specifically to accommodate safety as well as security. The committee believes it is time to consider all of these issues together, to benefit from economies in developing multipurpose safeguards, and to minimize any trade-offs.
With this report, the committee underscores the need to launch now a process that will unfold over a period of years, and that, by limiting the incidence and impact of disruptions, will help society to make the most of computer and communications systems.