Fame, but No Riches, For Cybersecurity

This is part of IEEE Spectrum's special report: What's Wrong—What's Next: 2003 Technology Forecast & Review.

Protecting computers from intrusion or destruction was once the largely esoteric province of computer scientists, mid-level information technology (IT) managers, and the occasional policy wonk. Now, suddenly, cybersecurity is on the lips of senior government officials, high-level corporate executives, and even casual computer users who hadn't a clue what it was six months ago.

There's no mystery why. Scattered terrorist attacks over the past year and a half have frayed nerves and heightened awareness of vulnerabilities of all kinds. So when hackers last October attacked the 13 computers that play a key role in translating domain names (such as www.ieee.org) to numerical Internet addresses, it made front-page news [see "Took a Licking, Kept on Ticking," IEEE Spectrum, December, p. 49]. Never mind that the attack was unsuccessful and had nothing to do with international terrorism.

In the United States that same month, the White House itself issued a long-awaited report, the "National Strategy to Secure Cyberspace," which, among other things, proposed a Network Operations Center, a single data-collection and analysis point for cybersecurity incidents. Meanwhile, the Markle Foundation (New York City), a communications media and information-technology think tank, reached almost the opposite conclusion, arguing in its report, "Freedom in the Information Age," against a "centralized, 'mainframe' information architecture in Washington, D.C." (The author was a member of the Markle report's advisory committee.)

The U.S. National Academy of Sciences also weighed in last fall with a 500-page report. Its "Making the Nation Safer: The Role of Science and Technology in Countering Terrorism" examined "the application of science and technology for countering terrorism" and prepared research agendas in nine key areas, including infosecurity.

But amid all the white papers and all the solemn pronouncements, we've seen little real action, while the sources of cybervulnerability have hardly changed in years.

Cybersecurity encompasses most of the domain of computer communications technology and management. To protect a cyberinfrastructure, you must protect each building block. For example, it does little good to protect the computer system hardware and software if untrustworthy operators and programmers can make compromising changes. Every facet of the infrastructure must be examined and protected. These include physical locations, computer hardware, networking, operating systems, applications, and management practices.

The one thing that has changed is the ubiquity of the Internet. It is no longer enough for us to protect individual systems--we're all connected now. Indeed, if nothing else, the attacks on the World Trade Center made that abundantly clear. Among other things, the Internet was for some people the only way to get news immediately afterward. It was also the best way to contact family and friends in the northeast United States, as the telephone system overloaded, in part because of the destruction of a key installation at Ground Zero that handled local and cellular service. Had the Internet also crashed that day, the communications chaos would have been compounded.

Who pays?

The Internet belongs to everybody and nobody, making it especially difficult to secure. The embarrassing truth is that buyers of computer systems have been unwilling to pay extra for security even for their own systems, and thus have dispensed with devices that foster trusted, secure environments. But this attitude is changing. For one thing, a post-9/11 rise in requests for insurance against cyberfailures has led insurance carriers to ask questions and adjust rates in the light of security issues. This is an economic forcing function--if one's insurance rates go down because demonstrably secure systems are in place, security becomes a money saver instead of an expense.

Not all secure systems proposals are without controversy. The Trusted Computer Platform Alliance (TCPA), launched in 1999, by now has been joined by almost 200 leading hardware and software vendors, whose goal is to create a foundation for a secure trusted hardware environment for individual computers and networks. The TCPA is a useful first step, and much of its work derives from the simple observations that only a secure computer system can securely host software, and only a secure host can protect and control the information that flows increasingly through computer systems.

A good deal of the controversy stems from some TCPA vendors' support for digital rights management systems governing the use of digital media such as books, software, movies, and music, and because of the support that large media trade groups have given the TCPA. Many believe that such systems will harm traditional fair uses of copyrighted information, and would spell the death of open software, in the course of protecting and limiting the use of certain commercial software products.

So the hazy debate forming about this area ends up sounding like a choice between no secure computer systems and damage to established copyright mechanisms and freedom of speech. What we need is a discussion within the cybersecurity community of how to have both. After all (to once again state the obvious), without secure systems, it is hard to see how we can really protect our infrastructure.

Size matters

Even given secure trusted hardware, we still have the problem that our software systems have grown in size and complexity. No major software product--especially an operating system--is without problems. Some stem from sloppy coding practices, but some from nothing more than the enormous size of these products. Information technology managers may say they care as much about security as new features, but for years their spending patterns have said the opposite. The result: ever more options, power, and complexity--and flaws.

Systems never have the chance to become even relatively bug free before being replaced with still more complicated systems with a new set of critical bugs. Our understanding of software design methodology has improved--but at nowhere near the pace needed to match the rapid increase in complexity.

At the same time, many network administrators have eschewed security mechanisms for other reasons. When first designed, the Internet was an extremely complex and novel research effort. To have added comprehensive security would not only have been difficult, it would have violated the mores of a group of people who knew and trusted each other. The Internet protocols evolved with little worry about cyberattacks. As with all complex systems, it is hard--maybe impossibly hard--to retroactively patch security into a design that did not initially plan for it.

So the firmament of any new cyberstructure sits, in fact, on muddy ground. Shore it up in one place, and it sinks in another. We have bandaids to help with the wound--such as virtual private networks--but they are local solutions difficult to scale up in size. Meanwhile, research money tends to be invested in short-term payoffs (more bandaids) rather than in any kind of fundamental look into long-term re-design. (Mechanisms proposed by the TCPA for the network may hold promise here.)

Thus the road to a secure computer infrastructure still has lots of potholes. Perhaps the deepest and widest is the attitude of senior management in government and industry toward cybersecurity. Often they say the right words as they scale back the research support and manpower needed to study the issues involved and start to fix it. Financial institutions, which are among our most vulnerable, lay off people with security backgrounds. Computer professionals with excellent skills are walking the streets with no job prospects. There is a striking disconnect between the problems these institutions face and their willingness to make an investment in protecting themselves. Meanwhile, the clock is ticking. The time for report-writing is past.