Trust in Cyberspace: Findings, Recommendations

  • The public telephone network is increasingly dependent on software and databases that constitute new points of vulnerability. Business decisions are also creating new points of vulnerability. Protective measures need to be developed and implemented.


  • In some respects, the Internet is becoming more secure as its protocols are improved and as security measures are more widely deployed at higher levels of the protocol stack. However, the increasing complexity of the Internet's infrastructure contributes to its increasing vulnerability. The end points (hosts) of the Internet continue to be vulnerable. As a consequence, the Internet is ready for some business use, but abandoning the phone network for the Internet would not be prudent for most.

  • The Internet is too susceptible to attacks and outages to be a viable basis for controlling critical infrastructures. Existing technologies could be deployed to improve the trustworthiness of the Internet, although many questions about what measures would suffice do not have answers because good basic data (e.g., on Internet outages) is scant.

  • Operational errors are a major source of outages for the phone network and Internet. Some of these could be prevented by implementing known techniques, whereas others require research to develop preventative measures.

  • The design of trustworthy networked information systems presents profound challenges for system architecture and project planning. Little is understood, and this lack of understanding compromises trustworthiness.

  • To develop an NIS, subsystems must be integrated, but little is known about how to do this. In recent years, academic researchers have directed their focus away from large-scale integration problems; this trend must be reversed.

  • It is clear that networked information systems will include commercial, off-the-shelf components into the foreseeable future. However, the relationship between the use of COTS components and NIS trustworthiness is unclear. Greater attention must be directed toward improving our understanding of this relationship.

  • Although there are accepted processes for component design and implementation, the novel characteristics of NIS raise questions about the utility of these processes. Modern programming languages include features that promote trustworthiness, and the potential may exist for further gains from research.

  • Formal methods are being used with success in commercial and industrial settings for hardware development and requirements analysis, and with some success for software development. Increased support for both fundamental research and demonstration exercises is warranted.

  • Security research during the past few decades has been based on formal policy models that focus on protecting information from unauthorized access by specifying which users should have access to data or other system objects. It is time to challenge this paradigm of "absolute security" and move toward a model built on three axioms of insecurity: Insecurity exists, it cannot be destroyed, and it can be moved around.

  • Cryptographic authentication and the use of hardware tokens are promising avenues for implementing authentication.

  • Obstacles exist to more widespread deployment of key management technology, and there has been little experience with public key infrastructures, especially large-scale ones.

  • Because NIS are distributed systems, network access control mechanisms play a central role in the security of NIS. Virtual private networks and firewalls have proven to be promising technologies and deserve greater attention in the future.

  • Foreign code is increasingly being used in NIS. However, NIS trustworthiness will deteriorate unless effective security mechanisms are developed and implemented to defend against attacks by foreign code.

  • Defending against denial of service attacks is often critical for the security of an NIS, since availability is often an important system property. Research in this area is urgently needed to identify general schemes for defending against such attacks.

  • Improved trustworthiness may be achieved by the careful organization of untrustworthy components. There are a number of promising ideas, but few have been vigorously pursued. "Trustworthiness from untrustworthy components" is a research area that deserves greater attention.

  • Imperfect information creates a disincentive to invest in trustworthiness for both consumers and producers, leading to a market failure. Initiatives to mitigate this problem are needed.

  • Consumer and producer costs for trustworthiness are difficult to assess. An improved understanding, better models, and more, and more accurate, data are needed.

  • As a truly multidimensional concept, trustworthiness is dependent on all of its dimensions. However, in some sense, the problems of security are more challenging and therefore deserve special attention.

  • Export control and key-escrow policy concerns inhibit the widespread deployment of cryptography, but there are other important inhibitory factors that deserve increased attention and action.

  • In its necessary efforts to pursue partnerships, the federal government also needs to work to develop trust in its relationships with the private sector, with some emphasis on U.S.-based firms.

  • The National Security Agency R2 organization must increase its efforts devoted to outreach and to recruitment and retention issues.

  • The Defense Advanced Research Projects Agency generally is effective in its interactions with the research community, but it needs to increase its focus on information security and NIS trustworthiness research, especially with regard to long-term research efforts.

  • An increase in expenditure for research in information security and NIS trustworthiness is warranted.
