Trustworthiness: A New Approach to Security

By John MakulowichIf you think the year 2000 problem is the biggest headache you face in the coming year, look again. A true migraine just around the corner is the wide range of issues sparked by the complex notion of the trustworthiness of your networked information systems (NIS). It demands, in the words of a new report on the subject, nothing less than a whole new approach to security.The lion's share of media attention focuses on what is called critical infrastructures ? that is, NIS for transportation, energy distribution, telecommunications, essential government services, banking and finance. However, that attention will soon trickle down to private industry and the not-for-profit sectors, to companies and organizations large and small.Part of the reason is Presidential Decision Directives 62 and 63 (PDD-62 and PDD-63), which were announced May 22 in President Clinton's commencement remarks at the U.S. Naval Academy. That statement of policy called for a national effort to assure the security of critical U.S. infrastructures. It set in motion a flurry of appointments and initiatives whose effects will filter through the information technology environment in the months and years to come.The combating terrorism directive (PDD-62) adopted a program management approach to U.S. counterterrorism efforts and set up the Office of the National Coordinator for Security, Infrastructure Protection and Counter-Terrorism. Richard Clarke was named national coordinator, and he oversees areas such as counterterrorism, protection of critical infrastructures, preparedness and consequence management for weapons of mass destruction. Working within the National Security Council, Clarke reports to the president through the assistant to the president for national security affairs and must produce an annual security preparedness report. The other policy initiative, the critical infrastructure protection directive (PDD-63), required immediate federal government action, which included risk assessment and planning to reduce exposure to attack. Stressing the critical importance of cooperation between the government and the private sector, it linked designated agencies with private sector representatives. And it created the Critical Infrastructure Assurance Office (CIAO) under the Department of Commerce and named Jeffrey Hunker as director.According to Paul Rodgers, CIAO senior executive, the role of the critical infrastructure office is to support the national coordinator, integrate the various sector plans into the National Infrastructure Assurance Plan, coordinate the analyses of the federal government's own dependencies on critical infrastructures, and coordinate a national education and awareness program as well as legislative and public affairs.When Clinton announced PDD-63 in May, it called for the establishment of a time frame for federal agency response, with Nov. 18 (180 days after the issuance of PDD-63) the deadline for submitting the first deliverable. That project milestone was an initial plan for protecting each agency's own critical infrastructure. The plans would be reviewed by the nine-member inter-agency Critical Infrastructure Coordination Group (CICG), set up for that purpose and chaired by Clarke, who also oversees development of the National Infrastructure Assurance Plan. Also due to the president Nov. 18 was a schedule with milestones for completing the National Infrastructure Assurance Plan prepared by the 20-member principals committee. It includes the heads of the 12 so-called lead agencies (Commerce, Treasury, Environmental Protection Agency, Transportation, Justice/FBI, Federal Emergency Management Agency, Health and Human Services, Energy, Office of Science and Technology Policy, CIA, State and Defense ), the vice president, Veterans Affairs, the Office of Management and Budget, the Joint Chiefs of Staff, National Security Agency, and assistants to the president for national security affairs, economic policy and science and technology.According to Rodgers, all but four of the lead agencies submitted their plans by the deadline. Those that did not ? Health and Human Services, Federal Emergency Management Agency, CIA and National Security Agency ? were expected to file by the following week. "We now have the expert review team of nine members in place," Rodgers said. "By Dec. 11, we hope to have all plans read and reviewed. From Dec. 11 to 23, we hope to have response meetings. And by Dec. 24, we plan to send responses to the lead agencies. There will be no grading or ranking of their plans [about how they are going to minimize their vulnerability]. We intend to handle each agency's plans with a great deal of diplomacy."Under the individual plans, each agency will determine its minimum essential infrastructure protection requirements and lay out the milestones for making the May 22, 2000, deadline to achieve an initial operating capacity to protect themselves, as well as the May 22, 2003, deadline for full operating capacity.XXXSPLITXXX-While movement on PDD-63 is gaining momentum, some agencies appear behind the curve. One case in point is the Commerce Department, home of the CIAO. The federal job vacancy announcement bulletin carried the somewhat awkward position description Oct. 6 for a deputy director of the Communications and Information Infrastructure Assurance Program, with an annual salary that ranged from $77,798 to $101,142.Among the duties called for were serving "as an alter ego to the director, Communications and Information Infrastructure Assurance Program (CIIAP), sharing fully with the director in managing all phases of the program. As deputy director of the program, the incumbent manages program resources, including supervising staff in ... the development and management of national programs to protect the telecommunications and information infrastructure from compromise."Overall, the advent of PDD-63 has drawn generally favorable response from the private sector, with a number of players putting their own spin on its likely impact. Mark Fabro, information security expert and worldwide director of the Professional Services Group for Secure Computing Corp., San Jose, Calif., welcomes PDD-63 as the dawn of a new era."PDD-63 is absolutely outstanding. There is a fragility and insecurity in the overall infrastructure in the United States. PDD-63 forces organizations to be knowledgeable and proactive with information security," Fabro said. "It takes them to an added level of understanding of information security. I have had more people come to me to discuss PDD-63. People are actually saying, 'I need to understand info security.' That's a welcome change."However, he finds critical the need to build awareness of the importance of the problem as well as the need for restructuring NIS. "The biggest problem is the massive infusion of education. That is mandatory," Fabro said. "The networked system itself is a living, breathing machine. The infusion of education that is necessary is the biggest problem, for example, understanding the mind-set of attackers and understanding new technologies and methodologies. Solution providers are going to find themselves facing a lot of whys from clients."For Ken Mendelson, managing director of government relations and channels for TriStrata Inc., Redwood Shores, Calif., PDD-63 is indicative of something that had to happen simply because government, like industry, is moving everything online and exposing itself to a whole new set of vulnerabilities. His company offers the Random KeyStream Technology to secure the Internet based on the Vernam Cipher one-time pad invented in 1917."It would be a profound mistake not to explore ways to protect critical infrastructures," he said. "However, PDD-63 is not specific in its mandate. It does not say how a specific agency should protect its network. We may wind up with inconsistent requirements that pose challenges to vendors and solution providers."Vendors need to be aware of potential compatibility issues on the horizon, Mendelson said. The only thing worse than a lack of guidance would be specific requirements that close markets for some security vendors, he said. He feels in the very near future there will be a focus on securing the enterprise rather than securing particular applications."There are two sides to the whole [cryptography] debate. Business wants to control corporate information. The government wants a centralized recovery mechanism," Mendelson said. "While security technology has been evolving toward a decentralized control model, that does not work for business. Business wants centralized control. In that sense, the client-server distributed model does not work with the business model. "What you will find is the administration's push for [public key infrastructure] solutions is going to hamper the agency's requirements for PDD-63. Manageability issues are going to be difficult," Mendelson said.XXXSPLITXXX-Looking at the issues involved with PDD-63 from the vantage point of trustworthiness are three members of the committee that produced the National Research Council report, "Trust in Cyberspace," AT&T's Steven Bellovin, GTE Internetworking's Stephen Kent and Microsoft's George Spix.Bellovin, AT&T fellow in the Communications Information Systems Research Department at AT&T Labs Research in Florham Park, N.J., recalls that the industry was alerted to the risk of networked computers in the 1991 NRC report, "Computers at Risk: Safe Computing in the Information Age." For him, the change now is the depth of the networked world since 1991. As he notes, the Internet back then was a research toy, the graphical World Wide Web was not yet invented, and intercompany e-mail was not a problem."Today, whatever vulnerabilities there were are vastly exacerbated. A lot of the problem that was not a problem years ago comes from vastly increased connectivity," said Bellovin. He points to the expanding use of commercial, off-the-shelf software and extensible applications that accept plug-ins and add-ons and the attendant problems of mobile code. You reach a situation, he said, where you cannot build a secure system, where you do not have control over the most important components. "What are the security properties of all these components? The security model does not work when you assemble systems from parts. The integrator has replaced the programmer in many cases," said Bellovin.Another cause of the problems NIS faces today is what Bellovin calls "the lack of biodiversity in computing systems, the fact that genetic material is so sparse." What that amounts to is that a failure in an operating system that is so widely used, like Microsoft's Windows, affects a lot of equipment since so much common code is shared. Looking at the problem from the Unix side, most of the networking code comes from BSD. An example Bellovin cited is the failure in 1990, when AT&T network systems failed because most of the switches affected were running the same software release.While there would be benefits to systems with more diversity, Bellovin said the computer industry is one in which users benefit from mono-culture, from a common platform. The result is a delicate tension. For Stephen Kent, chief scientist for information security for BBN Technologies and chief technical officer for CyberTrust Solutions, both part of GTE Internetworking in Boston, the new NRC report is a logical follow-up to the 1991 risk study. It was a report he helped prepare, having served on the 1990 committee.XXXSPLITXXX-"With the focus on security and NIS, I see a lot of continuity in the sorts of issues we raised. In the new report, there is a slightly different spin since we were commissioned by [the Defense Advanced Research Projects Agency] and NSA to look at research directions," Kent said.He highlighted two trends that have emerged in the eight years between studies. First, we are a much more networked society with tremendous numbers of NIS today. Second, changes in business, such as deregulation in the power industry, are bringing more attention to the value of NIS. Kent noted the effort by firms to achieve economies by reducing staff as well as by allowing staff remote access to NIS. With a lot of the movement by business onto the Internet being economically motivated, the trend of reliance on NIS will continue and accelerate. It is likely to become a critical dependence for many on both telecommunications and the Internet. "Today, e-commerce is not always mission-critical. While the Internet is not yet ready for prime time for mission-critical operations, it could become so for more companies," Kent said. "Take L.L. Bean, for example. Initially, they used the Internet to cut down on the production of catalogs and use of telephone operators and to bring more and more business online. Their effort could easily transition into having the Internet as the primary medium for selling their wares."For Kent's own company, GTE Internetworking, the Internet is a critical resource since it is highly dependent on the technology. He feels, however, the trend is pretty clear: Over the next five to 10 years, lots of businesses will rely on the Internet in the way they rely on other utilities today. Are companies ready to make the move to the Internet and accept the problems associated with NIS? "The vast majority of companies are not ready. They do not have in-house expertise. Cluefulness is not exactly abundant," said Kent. And while he applauded the notion of PDD-63, Kent has some questions about how effective it can be."Policy statements like PDD-63 that are not accompanied by money frequently don't have the required effect. There is a history in the government of telling you that we are behind it but there is nothing in the budget to implement it," he said. "However, the notion is good, and the stated objective is good." Kent noted that in the past, people developing NIS have not given security a high priority, either accepting risk in the system or being swayed by budget issues. In fact, more often than not, functionality and features have held sway over the assurance side of the equation. The security issue is made more difficult because today there are no cookbook solutions."We desperately need to develop a methodology for assembling trustworthy NIS based on new paradigms, based on theories of insecurity. We need to explore defense in depth, the concept of layers of security. Yet we have no methodology for building such systems. What was done in the past was built on an ad hoc basis. Frankly, we do not know how to build these systems. The point solutions will not work in the NIS environment," said Kent. For George Spix, Microsoft's chief architect in the consumer platforms division, the NRC report underscores how little we know and highlights the need for research in the nature of complex systems."Trustworthiness means availability, that is, can I do what I need to do, more today than ever. In this context, security is a footnote," said Spix. He feels many of the issues in infrastructure vulnerability are not dissimilar to the competitive tensions that existed between, for example, token ring and Ethernet or telephony and the Internet, with the former making guarantees while the latter proved more reliable in actual operation."The evidence suggests the answer to vulnerable hierarchies are more hierarchies, the answer to unreliable/untrusted humans are more humans, untrusted networks are more networks, untrusted 'systems [devices]' are more 'systems' ? with more owners, more eyeballs, more distribution of the challenge, less impact of a failure," Spix said. "But this is all empirical and hypothesis until we have definitive results from our research investments."