Computers at Risk - Safe Computing in the Information Age
Computers at Risk: Safe Computing in the Information Age
System Security Study Committee, Commission on Physical Sciences, Mathematics, and Applications, National Research Council
ISBN: 0-309-57460-9, 320 pages, 6 x 9, (1991)
This PDF is available from the National Academies Press at: http://www.nap.edu/catalog/1581.html
Copyright © National Academy of Sciences. All rights reserved.
Unless otherwise indicated, all materials in this PDF file are copyrighted by the National Academy of Sciences. Distribution, posting, or copying is strictly prohibited without written permission of the National Academies Press. Request reprint permission for this book.
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
Computers at Risk
Safe Computing In the Information Age
System Security Study Committee
Computer Science and Telecommunications Board
Commission on Physical Sciences, Mathematics, and Applications
National Research Council
NATIONAL ACADEMY PRESS
1991
Copyright © National Academy of Sciences. All rights reserved.
National Academy Press, 2101 Constitution Avenue, N.W., Washington, D.C. 20418
NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.
This report has been reviewed by a group other than the authors according to procedures approved by a Report Review Committee consisting of members of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine.
The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Frank Press is president of the National Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Robert M. White is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Samuel O. Thier is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy's purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Frank Press and Dr. Robert M. White are chairman and vice chairman, respectively, of the National Research Council.
Support for this project was provided by the Defense Advanced Research Projects Agency under Contract No. N00014-89-J-1731. However, the content does not necessarily reflect the position or the policy of the Defense Advanced Research Projects Agency or the government, and no official endorsement should be inferred.
Library of Congress Cataloging-in-Publication Data
Computers at risk: safe computing in the information age / System Security Study Committee, Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications, National Research Council.
p. cm.
Includes bibliographical references.
ISBN 0-309-04388-3
1. Computer security. I. National Research Council (U.S.). Computer Science and Telecommunications Board. System Security Study Committee.
QA76.9.A25C6663 1990
005.8—dc20 90-22329
CIP
Copyright © 1991 by the National Academy of Sciences
No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise copied for public or private use, without written permission from the publisher, except for the purposes of official use by the U.S. government.
Printed in the United States of America
First Printing, December 1990; Second Printing, March 1991; Third Printing, April 1992; Fourth Printing, January 1992; Fifth Printing, March 1994
SYSTEM SECURITY STUDY COMMITTEE
DAVID D. CLARK, Massachusetts Institute of Technology, Chairman
W. EARL BOEBERT, Secure Computing Technology Corporation
SUSAN GERHART, Microelectronics and Computer Technology Corporation
JOHN V. GUTTAG, Massachusetts Institute of Technology
RICHARD A. KEMMERER, University of California at Santa Barbara
STEPHEN T. KENT, BBN Communications
SANDRA M. MANN LAMBERT, Security Pacific Corporation
BUTLER W. LAMPSON, Digital Equipment Corporation
JOHN J. LANE, Shearson, Lehman, Hutton, Inc.
M. DOUGLAS McILROY, AT&T Bell Laboratories
PETER G. NEUMANN, SRI International
MICHAEL O. RABIN, Harvard University
WARREN SCHMITT, Sears Technology Services
HAROLD F. TIPTON, Rockwell International
STEPHEN T. WALKER, Trusted Information Systems, Inc.
WILLIS H. WARE, The RAND Corporation
MARJORY S. BLUMENTHAL, Staff Director
FRANK PITTELLI, CSTB Consultant
DAMIAN M. SACCOCIO, Staff Officer
MARGARET A. KNEMEYER, Staff Associate
DONNA F. ALLEN, Administrative Secretary
CATHERINE A. SPARKS, Senior Secretary
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
JOSEPH F. TRAUB, Columbia University, Chairman
ALFRED V. AHO, AT&T Bell Laboratories
JOHN SEELY BROWN, Xerox Corporation Palo Alto Research Center
FRANK P. CARRUBBA, Hewlett-Packard Company
DAVID J. FARBER, University of Pennsylvania
SAMUEL H. FULLER, Digital Equipment Corporation
JAMES FREEMAN GILBERT, University of California at San Diego
WILLIAM A. GODDARD III, California Institute of Technology
JOHN L. HENNESSY, Stanford University
JOHN E. HOPCROFT, Cornell University
MITCHELL D. KAPOR, ON Technology, Inc.
SIDNEY KARIN, San Diego Supercomputer Center
LEONARD KLEINROCK, University of California at Los Angeles
ROBERT LANGRIDGE, University of California at San Francisco
ROBERT L. MARTIN, Bell Communications Research
WILLIAM F. MILLER, SRI International
ABRAHAM PELED, IBM T.J. Watson Research Center
RAJ REDDY, Carnegie Mellon University
JEROME H. SALTZER, Massachusetts Institute of Technology
MARY SHAW, Carnegie Mellon University
ERIC E. SUMNER, Institute of Electrical and Electronics Engineers
IVAN E. SUTHERLAND, Sutherland, Sproull & Associates
GEORGE L. TURIN, Teknekron Corporation
VICTOR VYSSOTSKY, Digital Equipment Corporation
WILLIS H. WARE, The RAND Corporation
WILLIAM WULF, University of Virginia
MARJORY S. BLUMENTHAL, Staff Director
ANTHONY M. FORTE, Senior Staff Officer
HERBERT LIN, Staff Officer
DAMIAN M. SACCOCIO, Staff Officer
RENEE A. HAWKINS, Staff Associate
DONNA F. ALLEN, Administrative Secretary
LINDA L. JOYNER, Project Assistant
CATHERINE A. SPARKS, Senior Secretary
COMMISSION ON PHYSICAL SCIENCES, MATHEMATICS, AND APPLICATIONS*
NORMAN HACKERMAN, Robert A. Welch Foundation, Chairman
PETER J. BICKEL, University of California at Berkeley
GEORGE F. CARRIER, Harvard University
HERBERT D. DOAN, The Dow Chemical Company (retired)
DEAN E. EASTMAN, IBM T.J. Watson Research Center
MARYE ANNE FOX, University of Texas
PHILLIP A. GRIFFITHS, Duke University
NEAL F. LANE, Rice University
ROBERT W. LUCKY, AT&T Bell Laboratories
CHRISTOPHER F. McKEE, University of California at Berkeley
RICHARD S. NICHOLSON, American Association for the Advancement of Science
JEREMIAH P. OSTRIKER, Princeton University Observatory
ALAN SCHRIESHEIM, Argonne National Laboratory
ROY F. SCHWITTERS, Superconducting Super Collider Laboratory
KENNETH G. WILSON, Ohio State University
NORMAN METZGER, Executive Director
* The project that is the subject of this report was initiated under the predecessor group of the Commission on Physical Sciences, Mathematics, and Applications, which was the Commission on Physical Sciences, Mathematics, and Resources, whose members are listed in Appendix G.
Preface
The Computer Science and Technology Board, which became the Computer Science and Telecommunications Board in September 1990, formed the System Security Study Committee in response to a fall 1988 request from the Defense Advanced Research Projects Agency (DARPA) to address the security and trustworthiness of U.S. computing and communications systems. The committee was charged with developing a national research, engineering, and policy agenda to help the United States achieve a more trustworthy computing technology base by the end of the century. DARPA asked the committee to take a broad outlook—to consider the interrelationship of security and other qualities (e.g., safety and reliability), commercialization as well as research, and the diverse elements of the research and policy communities. In keeping with DARPA's initial request, the committee focused on security aspects but related them to other elements of trustworthiness.
The System Security Study Committee was composed of sixteen individuals from industry and academia, including computer and communications security researchers and practitioners and software engineers. It met in May, August, and November of 1989 and in February, April, and July of 1990. Its deliberations were complemented by briefings from and interviews with a variety of federal government researchers and officials and security experts and others from industry. A central feature of the committee's work was the forging of a consensus in the face of different technical and professional perspectives. While the committee drew on both the research literature and publications aimed at security practitioners, it sought to combine the research and practitioner perspectives to provide a more unified assessment than might perhaps be typical. Given the goal of producing an unclassified report, the committee focused on the protection of sensitive but unclassified information in computer and communications systems. The orientation toward an unclassified report also limited the extent to which the committee could probe tensions in federal policy between intelligence-gathering and security-providing objectives.
This report of the System Security Study Committee presents its assessment of key computer and communications security issues and its recommendations for enhancing the security and trustworthiness of the U.S. computing and communications infrastructure.
David D. Clark, Chairman
System Security Study Committee
viii
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
Acknowledgments

The System Security Study Committee appreciates the generous assistance provided by Carl Landwehr of the Naval Research Laboratory and a group of federal liaisons that he coordinated, including Anthony Adamski of the Federal Bureau of Investigation, Dennis Branstad of the National Institute of Standards and Technology, Leon Breault of the Department of Energy, Richard Carr of the National Aeronautics and Space Administration, Richard DeMillo of the National Science Foundation (preceded by John Gannon), C. Terrance Ireland of the National Security Agency, Stuart Katzke of the National Institute of Standards and Technology, Robert Morris of the National Security Agency, Karen Morrissette of the Department of Justice, Mark Scher of the Defense Communications Agency, and Kermith Speierman of the National Security Agency. These individuals made themselves and their associates available to the committee to answer questions, provide briefings, and supply valuable reference materials.

The committee is grateful for special briefings provided by William Vance of IBM, John Michael Williams of Unisys, and Peter Wild of Coopers and Lybrand. Additional insight into specific issues was provided by several individuals, including in particular Mark Anderson of the Australian Electronics Research Laboratory, Carolyn Conn of GE Information Services, Jay Crawford of the Naval Weapons Center at China Lake, California, George Dinolt of Ford Aerospace Corporation, Morrie Gasser and Ray Modeen of Digital Equipment Corporation, James Giffin of the Federal Trade Commission, J. Thomas Haigh of Secure Computing Technology Corporation, James Hearn of the National Security Agency, Frank Houston of the Food and Drug Administration, Christian Jahl of the German Industrie Anlagen Betriebs Gesellschaft, Ian King of the U.K. Communications-Electronics Security Group, Stewart Kowalski of the University of Stockholm, Milan Kuchta of the Canadian Communications Security Establishment, Timothy Levin of Gemini Computers, Inc., Michael Nash representing the U.K. Department of Trade and Industry, Stephen Purdy and James Bauer of the U.S. Secret Service, John Shore of Entropic Research Laboratory, Inc., Linda Vetter of Oracle Corporation, Larry Wills of IBM, and the group of 30 corporate security officers who participated in a small, informal survey of product preferences.

The committee appreciates the encouragement and support of Stephen Squires and William Scherlis of DARPA, who provided guidance, insights, and motivation. It is particularly grateful for the literally hundreds of suggestions and criticisms provided by the ten anonymous reviewers of an early draft. Those inputs helped the committee to tighten and strengthen its presentation, for which it, of course, remains responsible.

Finally, the committee would like to acknowledge the major contribution that the staff of the Computer Science and Telecommunications Board has made to this report, in particular thanking Marjory Blumenthal, Damian Saccocio, Frank Pittelli, and Catherine Sparks. They supplied not only very capable administrative support, but also substantial intellectual contributions to the development of the report. The committee also received invaluable assistance from its editor, Susan Maurizi, who labored under tight time constraints to help it express its ideas on a complex and jargon-filled subject. It could not have proceeded effectively without this level of support from the National Research Council.

David D. Clark, Chairman
System Security Study Committee
Contents

EXECUTIVE SUMMARY 1
1 OVERVIEW AND RECOMMENDATIONS 7
  Computer System Security Concerns 8
  Trends—the Growing Potential for System Abuse 10
  The Need to Respond 11
  Toward a Planned Approach 13
  Achieving Understanding 13
  The Nature of Security: Vulnerability, Threat, and Countermeasure 13
  Special Security Concerns Associated with Computers 15
  Security Must Be Holistic—Technology, Management, and Social Elements 17
  Commercial and Military Needs Are Different 18
  Putting the Need for Secrecy into Perspective 20
  Building on Existing Foundations 21
  Scope, Purpose, Contents, and Audience 24
  Recommendations 26
  Recommendation 1: Promulgate Comprehensive Generally Accepted System Security Principles (GSSP) 27
  Recommendation 2: Take Specific Short-term Actions That Build on Readily Available Capabilities 32
  Recommendation 3: Gather Information and Provide Education 36
  Recommendation 4: Clarify Export Control Criteria, and Set Up a Forum for Arbitration 37
  Recommendation 5: Fund and Pursue Needed Research 39
  Recommendation 6: Establish an Information Security Foundation 43
  Conclusion 45
  Notes 45
2 CONCEPTS OF INFORMATION SECURITY 49
  Security Policies—Responding to Requirements for Confidentiality, Integrity, and Availability 52
  Confidentiality 52
  Integrity 54
  Availability 54
  Examples of Security Requirements for Different Applications 55
  Management Controls—Choosing the Means to Secure Information and Operations 56
  Preventing Breaches of Security—Basic Principles 56
  Responding to Breaches of Security 59
  Developing Policies and Appropriate Controls 59
  Risks and Vulnerabilities 61
  Securing the Whole System 65
  Appendix 2.1—Privacy 66
  Appendix 2.2—Informal Survey to Assess Security Requirements 69
  Notes 72
3 TECHNOLOGY TO ACHIEVE SECURE COMPUTER SYSTEMS 74
  Specification vs. Implementation 75
  Specification: Policies, Models, and Services 76
  Policies 77
  Models 80
  Flow Model 80
  Access Control Model 81
  Services 83
  Authentication 84
  Authorization 87
  Auditing 88
  Implementation: The Trusted Computing Base 88
  Computing 91
  Hardware 91
  Operating System 92
  Applications and the Problem of Malicious Code 93
  Communications 93
  Secure Channels 94
  Authenticating Channels 96
  Security Perimeters 98
  Methodology 99
  Conclusion 99
  Notes 100
4 PROGRAMMING METHODOLOGY 102
  Software Is More Than Code 104
  Simpler Is Better 106
  The Role of Programming Languages 107
  The Role of Specifications 108
  Relating Specifications to Programs 109
  Formal Specification and Verification 111
  Hazard Analysis 113
  Structuring the Development Process 114
  Managing Software Procurement 115
  Scheduling Software Development 116
  Education and Training 117
  Management Concerns in Producing Secure Software 118
  What Makes Secure Software Different 119
  Recommended Approaches to Sound Development Methodology 120
  Notes 122
5 CRITERIA TO EVALUATE COMPUTER AND NETWORK SECURITY 124
  Security Evaluation Criteria in General 125
  Security Characteristics 125
  Assurance Evaluation 127
  Trade-offs in Grouping of Criteria 130
  Comparing National Criteria Sets 133
  Reciprocity Among Criteria Sets 135
  System Certification vs. Product Evaluation 137
  Recommendations for Product Evaluation and System Certification Criteria 139
  Notes 141
6 WHY THE SECURITY MARKET HAS NOT WORKED WELL 143
  The Market for Trustworthy Systems 143
  A Soft Market: Concerns of Vendors 146
  Federal Government Influence on the Market 149
  Procurement 149
  Strategic Federal Investments in Research and Development 150
  Export Controls as a Market Inhibitor 152
  Technology Transfer: Rationale for Controlling Security Exports 153
  Export Control of Cryptographic Systems and Components 154
  Export Control of Trusted Systems 156
  The Commercial Imperative 157
  Consumer Awareness 159
  Insurance as a Market Lever 161
  Education and Incident Tracking for Security Awareness 162
  Education 162
  Incident Reporting and Tracking 163
  Technical Tools to Compensate for Limited Consumer Awareness 164
  Regulation as a Market Influence: Product Quality and Liability 165
  Product Quality Regulations 166
  Product Liability as a Market Influence 167
  Software and Systems Present Special Problems 170
  Toward Equitable Allocation of Liability 171
  Appendix 6.1—Export Control Process 173
  Appendix 6.2—Insurance 174
  Notes 176
7 THE NEED TO ESTABLISH AN INFORMATION SECURITY FOUNDATION 179
  Actions Needed to Improve Computer Security 179
  Attributes and Functions of the Proposed New Institution 180
  Other Organizations Cannot Fulfill ISF's Mission 183
  Government Organizations 183
  Private Organizations 184
  Why ISF's Mission Should Be Pursued Outside of the Government 185
  A New Not-for-profit Organization 186
  Critical Aspects of an ISF Charter 187
  Start-up Considerations 188
  Funding the ISF 188
  Alternatives to the ISF 190
  Appendix 7.1—A History of Government Involvement 192
  Appendix 7.2—Security Practitioners 201
  Notes 204
8 RESEARCH TOPICS AND FUNDING 206
  A Proposed Agenda for Research to Enhance Computer Security 208
  Directions for Funding Security Research 211
  Funding by the Defense Advanced Research Projects Agency 212
  Funding by the National Science Foundation 212
  Promoting Needed Collaboration 213
  Notes 214
BIBLIOGRAPHY 216
APPENDIXES
  A The Orange Book 243
  B Selected Topics in Computer Security Technology 246
  C Emergency Response Teams 276
  D Models for GSSP 278
  E High-grade Threats 283
  F Glossary 286
  G List of Members of the Former Commission on Physical Sciences, Mathematics, and Resources 303
Executive Summary<br />
Computer systems are com<strong>in</strong>g of age. As computer systems become more<br />
prevalent, sophistic<strong>at</strong>ed, embedded <strong>in</strong> physical processes, and <strong>in</strong>terconnected,<br />
society becomes more vulnerable to poor system design, accidents th<strong>at</strong> disable<br />
systems, and <strong>at</strong>tacks on computer systems. Without more responsible design<br />
and use, system disruptions will <strong>in</strong>crease, with harmful consequences for<br />
society. They will also result <strong>in</strong> lost opportunities from <strong>the</strong> failure to put<br />
computer and communic<strong>at</strong>ions systems to <strong>the</strong>ir best use.<br />
Many factors support this assessment, <strong>in</strong>clud<strong>in</strong>g <strong>the</strong> prolifer<strong>at</strong>ion of<br />
computer systems <strong>in</strong>to ever more applic<strong>at</strong>ions, especially applic<strong>at</strong>ions <strong>in</strong>volv<strong>in</strong>g<br />
network<strong>in</strong>g; <strong>the</strong> chang<strong>in</strong>g n<strong>at</strong>ure of <strong>the</strong> technology base; <strong>the</strong> <strong>in</strong>crease <strong>in</strong><br />
computer system expertise with<strong>in</strong> <strong>the</strong> popul<strong>at</strong>ion, which <strong>in</strong>creases <strong>the</strong> potential<br />
for system abuse; <strong>the</strong> <strong>in</strong>creas<strong>in</strong>gly global environment for bus<strong>in</strong>ess and<br />
research; and <strong>the</strong> global reach and <strong>in</strong>terconnection of computer networks, which<br />
multiply system vulnerabilities. Also relevant are new efforts <strong>in</strong> Europe to<br />
promote and even mand<strong>at</strong>e more trustworthy computer systems; European<br />
countries are streng<strong>the</strong>n<strong>in</strong>g <strong>the</strong>ir <strong>in</strong>volvement <strong>in</strong> this arena, while <strong>the</strong> United<br />
St<strong>at</strong>es seems caught <strong>in</strong> a policy quagmire. Although recent and highly<br />
publicized abuses of computer systems may seem exceptional today, each<br />
illustr<strong>at</strong>es potential problems th<strong>at</strong> may be undetected and th<strong>at</strong> are expected to<br />
become more common and even more disruptive. The n<strong>at</strong>ure and <strong>the</strong> magnitude<br />
of computer system problems are chang<strong>in</strong>g dram<strong>at</strong>ically.<br />
The n<strong>at</strong>ion is on <strong>the</strong> threshold of achiev<strong>in</strong>g a powerful <strong>in</strong>form<strong>at</strong>ion<br />
<strong>in</strong>frastructure th<strong>at</strong> promises many benefits. But without adequ<strong>at</strong>e safeguards, we<br />
risk intrusions into personal privacy (given the growing electronic storage of personal information) and potential disasters that can cause economic and even human losses. For example, new vulnerabilities are emerging as computers become more common as components of medical and transportation equipment or more interconnected as components of domestic and international financial systems. Many disasters may result from intentional attacks on systems, which can be prevented, detected, or recovered from through better security. The nation needs computer technology that supports substantially increased safety, reliability, and, in particular, security.

Security refers to protection against unwanted disclosure, modification, or destruction of data in a system and also to the safeguarding of systems themselves. Security, safety, and reliability together are elements of system trustworthiness—which inspires the confidence that a system will do what it is expected to do.

Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
EXECUTIVE SUMMARY 2
In many ways the problem of making computer and communications systems more secure is a technical problem. Unlike a file cabinet, a computer system can help to protect itself; there exists technology to build a variety of safeguards into computer systems. As a result, software, hardware, and system development presents opportunities for increasing security. Yet known techniques are not being used, and development of better techniques is lagging in the United States. From a technical perspective, making computer system technology more secure and trustworthy involves assessing what is at risk, articulating objectives and requirements for systems, researching and developing technology to satisfy system requirements, and providing for independent evaluation of the key features (to assess functionality) and their strength (to provide assurance). All of these activities interact.

Attaining increased security, in addition to being a technical matter, is also a management and social problem: what is built and sold depends on how systems are designed, purchased, and used. In today's market, demand for trustworthy systems is limited and is concentrated in the defense community and industries, such as banking, that have very high levels of need for security. That today's commercial systems provide only limited safeguards reflects limited awareness among developers, managers, and the general population of the threats, vulnerabilities, and possible safeguards. Most consumers have no real-world understanding of these concepts and cannot choose products wisely or make sound decisions about how to use them. Practical security specialists and professional societies have emerged and have begun to affect security practice from inside organizations, but their impact is constrained by lack of both management awareness and public awareness of security risks and options. Even when consumers do try to protect their own systems, they may be connected via networks to others with weaker safeguards—like a polluting factory in a densely populated area, one person's laxness in managing a computer system can affect many. As long as demand remains at best inconsistent, vendors have few incentives to make system products more secure, and there is little evidence of the kind of fundamental new system development necessary to make systems highly trustworthy. The market does not work well enough to raise the security of computer systems at a rate fast enough to match the apparent growth in threats to systems.
The U.S. government has been involved in developing technology for computer and communications security for some time. Its efforts have related largely to preserving national security and, in particular, to meeting one major security requirement, confidentiality (preserving data secrecy). But these programs have paid little attention to the other two major computer security requirements, integrity (guarding against improper data modification or destruction) and availability (enabling timely use of systems and the data they hold). These requirements are important to government system users, and they are particularly and increasingly important to users of commercial systems. Needed is guidance that is more wide-ranging and flexible than that offered by the so-called Orange Book published by the National Security Agency, and it should be guidance that stimulates the production of more robust, trustworthy systems at all levels of protection.

Overall, the government's efforts have been hamstrung by internecine conflict and underfunding of efforts aimed at civilian environments. These problems currently appear to be exacerbated, at precisely the time that decisive and concerted action is needed. A coherent strategy must be established now, given the time, resources, planning, and coordination required to achieve adequate system security and trustworthiness. The reorganization of and perceived withdrawal from relevant computer security-related activities at the National Security Agency and the repeated appropriations of minimal funding for relevant activities at the National Institute of Standards and Technology are strong indications of a weak U.S. posture in this area. A weak posture is especially troubling today, because of the momentum that is building overseas for a new set of criteria and associated system evaluation schemes and standards. Influencing what can be sold or may be required in overseas markets, these developments and the U.S. response will affect the competitiveness of U.S. vendors and the options available to users of commercial computer systems worldwide. They will also affect the levels of general safety and security experienced by the public.

This report characterizes the computer security problem and advances recommendations for containing it (Chapter 1). It examines concepts of and requirements for computer security (Chapter 2), the technology necessary to achieve system security and trustworthiness, and associated development issues (Chapter 3), programming methodology (Chapter 4), the design and use of criteria for secure computer system development and evaluation of computer system security relative to a set of criteria (Chapter 5), and problems constraining the market for trustworthy systems (Chapter 6). The System Security Study Committee concluded that several steps must be taken to achieve greater computer system security and trustworthiness, and that the best approach to implementing necessary actions is to establish a new organization, referred to in the report as the Information Security Foundation (ISF). The concept of the ISF and the roles and limitations of organizations that currently have significant responsibilities in the computer security arena are discussed together (Chapter 7). Topics and tactics for research to enable needed technology development are outlined (Chapter 8). Supporting the individual chapters are appendixes that provide further details on selected technical and conceptual points.

The committee urges that its recommendations be considered together as integral to a coherent national effort to encourage the widespread development and deployment of security features in computer systems, increase public awareness of the risks that accompany the benefits of computer systems, and promote responsible use and management of computer systems. Toward the end of increasing the levels of security in new and existing computer and communications systems, the committee developed recommendations in six areas. These are outlined below and developed further in the full report.
1. Promulgation of a comprehensive set of Generally Accepted System Security Principles, referred to as GSSP, which would provide a clear articulation of essential security features, assurances, and practices. The committee believes that there is a basic set of security-related principles for the design, use, and management of systems that are of such broad applicability and effectiveness that they ought to be a part of any system with significant operational requirements. This set will grow with research and experience in new areas of concern, such as integrity and availability, and can also grow beyond the specifics of security to deal with other related aspects of system trust, such as safety. GSSP should enunciate and codify these principles. Successful GSSP would establish a set of expectations about and requirements for good practice that would be well understood by system development and security professionals, accepted by government, and recognized by managers and the public as protecting organizational and individual interests against security breaches and associated lapses in the protection of privacy. GSSP, which can be built on existing material (e.g., the Orange Book), would provide a basis for resolving differences between U.S. and other national and transnational criteria for trustworthy systems and for shaping inputs to international security and safety standards discussions.

2. A set of short-term actions for system vendors and users that build on readily available capabilities and would yield immediate benefits, including (for users) formation of security policy frameworks and emergency response teams, and (for vendors) universal implementation of specific minimal acceptable protections for discretionary and mandatory control of access to computing resources, broader use of modern software development methodology, implementation of security standards and participation in their further development, and procedures to prevent or anticipate the consequences of inadvisable actions by users (e.g., systems should be shipped with security features turned on, so that explicit action is needed to disable them).

3. Establishment of a system-incident data repository and appropriate education and training programs to promote public awareness.

4. Clarification of export control criteria and procedures for secure or trusted systems and review for possible relaxation of controls on the export of implementations of the Data Encryption Standard (DES).

5. Funding and directions for a comprehensive program of research.

6. Establishment of a new organization to nurture the development, commercialization, and proper use of trust technology, referred to as the Information Security Foundation, or ISF. The committee concludes that existing organizations active in the security arena have made important contributions but are not able to make the multifaceted and large-scale efforts that are needed to truly advance the market and the field. The proposed ISF would be a private, not-for-profit organization. It would be responsible for implementing much of what the committee has recommended, benefiting from the inherent synergies: ISF should develop GSSP, develop flexible evaluation techniques to assess compliance with GSSP, conduct research related to GSSP and evaluation, develop and maintain an incident-tracking system, provide education and training services, broker and enhance communications between commercial and national security interests, and participate in international standardization and harmonization efforts for commercial security practice. In doing these things it would have to coordinate its activities with agencies and other organizations significantly involved in computer security. The ISF would need the highest level of governmental support; the strongest expression of such support would be a congressional charter.
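Recommendation 2 asks vendors for minimal acceptable discretionary and mandatory access controls, shipped turned on. The Python sketch below is an added illustration of what those two controls look like side by side; it is not code from the report or from any system the report evaluates. It models a reference monitor that fails closed: a discretionary check against an owner-maintained access list, and a mandatory check against a label lattice (no read up, no write down). The names Level, Label, Subject, Resource and ReferenceMonitor, and the sample subjects and resources, are assumptions made for the example.

```python
"""Discretionary plus mandatory access checks in a fail-closed reference
monitor. Added example, not code from the report; all names and sample
data below are illustrative assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity levels, ordered low to high."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Label:
    """A lattice element: a level plus a set of compartments (categories)."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level and a superset of categories.
        return self.level >= other.level and self.categories >= other.categories


@dataclass
class Subject:
    name: str
    label: Label          # label of the subject's current session


@dataclass
class Resource:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)   # subject name -> set of modes


class ReferenceMonitor:
    """Mediates every access; both controls are on unless explicitly turned off."""

    def __init__(self, dac_enabled: bool = True, mac_enabled: bool = True):
        self.dac_enabled = dac_enabled
        self.mac_enabled = mac_enabled

    @staticmethod
    def dac_permits(subj: Subject, res: Resource, mode: str) -> bool:
        # Discretionary: the owner always has access; others need an ACL entry.
        return subj.name == res.owner or mode in res.acl.get(subj.name, set())

    @staticmethod
    def mac_permits(subj: Subject, res: Resource, mode: str) -> bool:
        # Mandatory: no read up (simple security), no write down (*-property).
        if mode == "read":
            return subj.label.dominates(res.label)
        if mode == "write":
            return res.label.dominates(subj.label)
        return False

    def check(self, subj: Subject, res: Resource, mode: str) -> bool:
        """Default deny: unknown modes fail, and every enabled control must agree."""
        if mode not in ("read", "write"):
            return False
        if self.dac_enabled and not self.dac_permits(subj, res, mode):
            return False
        if self.mac_enabled and not self.mac_permits(subj, res, mode):
            return False
        return True


def sample_world():
    """Constructed subjects and resources for the demonstration."""
    finance = frozenset({"finance"})
    subjects = {
        "alice": Subject("alice", Label(Level.SECRET, finance)),
        "bob": Subject("bob", Label(Level.CONFIDENTIAL)),
        "carol": Subject("carol", Label(Level.SECRET, finance)),
    }
    resources = {
        "payroll": Resource("payroll", owner="alice",
                            label=Label(Level.CONFIDENTIAL, finance),
                            acl={"bob": {"read"}}),
        "notice": Resource("notice", owner="bob",
                           label=Label(Level.CONFIDENTIAL),
                           acl={"alice": {"read", "write"}}),
    }
    return subjects, resources


def decide(monitor: ReferenceMonitor, requests):
    """Evaluate (subject, resource, mode) triples against the sample world."""
    subjects, resources = sample_world()
    return {(s, r, m): monitor.check(subjects[s], resources[r], m)
            for s, r, m in requests}


if __name__ == "__main__":
    requests = [("alice", "payroll", "read"), ("bob", "payroll", "read"),
                ("carol", "payroll", "read"), ("alice", "notice", "write"),
                ("bob", "notice", "write"), ("bob", "notice", "delete")]
    for policy, rm in (("both on", ReferenceMonitor()),
                       ("MAC off", ReferenceMonitor(mac_enabled=False))):
        print(policy, decide(rm, requests))
```

With both controls on, bob's ACL entry is not enough to read the compartmented payroll file (his session label lacks the finance category), and alice, though on the notice's ACL, cannot write down from SECRET to a CONFIDENTIAL resource. Running the same requests with mac_enabled=False shows what is lost when a vendor ships the feature off: the discretionary list alone lets both of those accesses through.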
Although the System Security Study Committee focused on computer and communications security, its recommendations would also support efforts to enhance other aspects of systems such as reliability and safety. It does not make sense to address these problems separately. Many of the methods and techniques that make systems more secure make them more trustworthy in general. The committee has framed several of its recommendations so as to recognize the more general objective of making systems more trustworthy, and specifically to accommodate safety as well as security. The committee believes it is time to consider all of these issues together, to benefit from economies in developing multipurpose safeguards, and to minimize any tradeoffs.

With this report, the committee underscores the need to launch now a process that will unfold over a period of years, and that, by limiting the incidence and impact of disruptions, will help society to make the most of computer and communications systems.
1
Overview and Recommendations

We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable—to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb.
To date, we have been remarkably lucky. Yes, there has been theft of money and information, although how much has been stolen is impossible to know.¹ Yes, lives have been lost because of computer errors. Yes, computer failures have disrupted communication and financial systems. But, as far as we can tell, there has been no successful systematic attempt to subvert any of our critical computing systems. Unfortunately, there is reason to believe that our luck will soon run out. Thus far we have relied on the absence of malicious people who are both capable and motivated. We can no longer do so. We must instead attempt to build computer systems that are secure and trustworthy.

In this report, the committee considers the degree to which a computer system and the information it holds can be protected and preserved. This requirement, which is referred to here as computer security, is a broad concept; security can be compromised by bad system design, imperfect implementation, weak administration of procedures, or through accidents, which can facilitate attacks. Of course, if we are to trust our systems, they must survive accidents as well as attack. Security supports overall trustworthiness, and vice versa.
COMPUTER SYSTEM SECURITY CONCERNS

Security is a concern of organizations with assets that are controlled by computer systems. By accessing or altering data, an attacker can steal tangible assets or lead an organization to take actions it would not otherwise take. By merely examining data, an attacker can gain a competitive advantage, without the owner of the data being any the wiser.

Computer security is also a concern of individuals, including many who neither use nor possess computer systems (Box 1.1). If data can be accessed improperly, or if systems lack adequate safeguards, harm may come not only to the owner of the data, but also to those to whom the data refers. The volume and nature of computerized databases mean that most of us run the risk of having our privacy violated in serious ways. This is particularly worrisome, since those in a position to protect our privacy may have little incentive to do so (Turn, 1990).

The threats to U.S. computer systems are international, and sometimes also political. The international nature of military and intelligence threats has always been recognized and addressed by the U.S. government. But a broader international threat to U.S. information resources is emerging with the proliferation of international computer networking—involving systems for researchers, companies, and other organizations and individuals—and a shift from conventional military conflict to economic competition.² The concentration of information and economic activity in computer systems makes those systems an attractive target to hostile entities. This prospect raises questions about the intersection of economic and national security interests and the design of appropriate security strategies for the public and private sectors.
F<strong>in</strong>ally, politically motiv<strong>at</strong>ed <strong>at</strong>tacks may also target a new class of system th<strong>at</strong><br />
is nei<strong>the</strong>r commercial nor military: computerized vot<strong>in</strong>g systems. 3<br />
Outside of <strong>the</strong> government, <strong>at</strong>tention to computer and communic<strong>at</strong>ions<br />
security has been episodic and fragmented. It has grown by spurts <strong>in</strong> response to<br />
highly publicized events, such as <strong>the</strong> politically motiv<strong>at</strong>ed <strong>at</strong>tacks on computer<br />
centers <strong>in</strong> <strong>the</strong> 1960s and 1970s and <strong>the</strong> more recent rash of computer viruses<br />
and penetr<strong>at</strong>ions of networked computer systems. 4 Commercial organiz<strong>at</strong>ions<br />
have typically concentr<strong>at</strong>ed on abuses by <strong>in</strong>dividuals authorized to use <strong>the</strong>ir<br />
systems, which typically have a security level th<strong>at</strong> prevents only <strong>the</strong> most<br />
straightforward of <strong>at</strong>tacks.<br />
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
BOX 1.1 SAMPLER OF COMPUTER SYSTEM PROBLEMS: EVIDENCE OF INADEQUATE TRUSTWORTHINESS

Failures of system reliability, safety, or security are increasingly serious—and apparently increasing in number. Notable are the following:

• A $259 million Volkswagen currency exchange scam involving phony transactions;
• The nearly successful attempt to use thousands of phony Bank of America automatic teller machine cards fabricated with personal identification numbers pirated from an on-line database;
• An almost-successful $15.2 million Pennsylvania Lottery fraud attempt in which the database of unclaimed ticket numbers was used in the fabrication of a ticket about to expire; and
• Thousands of reported virus attacks and hundreds of different viruses identified (e.g., Stoned, Devil's Dance, 1260, Jerusalem, Yankee Doodle, Pakistani Brain, Icelandic-2, Ping Pong, December 24, to cite just a few).

Penetrations and disruptions of communication systems appear to be increasing:

• A software design error freezing much of AT&T's long-distance network;
• The German Chaos Computer Club break-ins to the National Aeronautics and Space Administration's Space Physics Analysis Network;
• The West German Wily Hacker attacks (involving international espionage) on Lawrence Berkeley Laboratory;
• The Internet worm incident in which several thousand computers were penetrated; and
• Several takeovers of TV satellite up-links.

Individual privacy has been compromised. For example, deficient security measures at major credit agencies have allowed browsing and surreptitious assignment of thousands of individuals' credit histories to others.

Health care has been jeopardized by inadequate system quality as well as by breaches of security:

• An error in the computer software controlling a radiation therapy machine, a Therac 25 linear accelerator, resulted in at least three separate patient deaths when doses were administered that were more than 100 times the typical treatment dose.
• A Michigan hospital reported that its patient information had been scrambled or altered by a virus that came with a vendor's image display system.
• A Cleveland man allegedly mailed over 26,000 virus-infected diskettes with AIDS prevention information to hospitals, businesses, and government agencies worldwide.

NOTE: None of the cases cited above involved any classified data. References to all of them can be found in Neumann (1989).
While weak computer security obviously affects direct and indirect users of computer systems, it may have less obvious but still important impacts on vendors of computer systems. The role of security and trust in product development and marketing should grow, and not only because it is in the public interest. In particular, failure to supply appropriate security may put vendors at a serious competitive disadvantage. Even though U.S. firms lead overall in the computer and communications market, several European governments are now promoting product evaluation schemes and standards that integrate other elements of trust, notably safety, with security. These developments may make it difficult for American industry to sell products in the European market. 5

Although the committee focuses on technical, commercial, and related social concerns, it recognizes that there are a number of related legal issues, notably those associated with the investigation and prosecution of computer crimes, that are outside of its scope. It is important to balance technical and nontechnical approaches to enhancing system security and trust. Accordingly, the committee is concerned that the development of legislation and case law is being outpaced by the growth of technology and changes in our society. In particular, although law can be used to encourage good practice, it is difficult to match law to the circumstances of computer system use. Nevertheless, attacks on computer and communication systems are coming to be seen as punishable and often criminal acts (Hollinger and Lanza-Kaduce, 1988) within countries, and there is a movement toward international coordination of investigation and prosecution. However, there is by no means a consensus about what uses of computers are legitimate and socially acceptable. Free speech questions have been raised in connection with recent criminal investigations into dissemination of certain computer-related information. 6 There are also controversies surrounding the privacy impacts of new and proposed computer systems, including some proposed security safeguards. Disagreement on these fundamental questions exists not only within society at large but also within the community of computer specialists. 7

TRENDS: THE GROWING POTENTIAL FOR SYSTEM ABUSE

Overall, emerging trends, combined with the spread of relevant expertise and access within the country and throughout the world, point to growth in both the level and the sophistication of threats to major U.S. computer and communications systems. There is reason to believe that we are at a discontinuity: with respect to computer
security, the past is not a good predictor of the future. Several trends underlie this assessment:

• Networking and embedded systems are proliferating, radically changing the installed base of computer systems and system applications. 8
• Computers have become such an integral part of American business that computer-related risks cannot be separated from general business risks.
• The widespread use of databases containing information of a highly personal nature, for example, medical and credit records, leaves the privacy of individuals at risk.
• The increased trust placed in computers used in safety-critical applications (e.g., medical instruments) increases the likelihood that accidents or attacks on computer systems can cost people their lives.
• The ability to use and abuse computer systems is becoming widespread. In many instances (e.g., design of computer viruses, penetration of communications systems, credit card system fraud) attacks are becoming more sophisticated.
• The international political environment is unstable, raising questions about the potential for transnational attacks at a time when international corporate, research, and other computer networks are growing.

THE NEED TO RESPOND

Use of computer systems in circumstances in which we must trust them is widespread and growing. But the trends identified above suggest that whatever trust was justified in the past will not be justified in the future unless action is taken now. (Box 1.2 illustrates how changing circumstances can profoundly alter the effective trustworthiness of a system designed with a given set of expectations about the world.) Computer system security and trustworthiness must become higher priorities for system developers and vendors, system administrators, general management, system users, educators, government, and the public at large.

This observation that we are at a discontinuity is key to understanding the focus and tone of this report. In a time of slow change, prudent practice may suggest that it is reasonable to wait for explicit evidence of a threat before developing a response. Such thinking is widespread in the commercial community, where it is hard to justify expenditures based on speculation. However, in this period of rapid change, significant damage can occur if one waits to develop a countermeasure until after an attack is manifest. On the one hand, it may
BOX 1.2 PERSONAL COMPUTERS: SECURITY DETERIORATES WITH CIRCUMSTANCES

Personal computers (PCs), such as the popular IBM PC running the MS/DOS operating system, or those compatible with it, illustrate that what was once secure may no longer be. Security was not a major consideration for developers and users of early PCs. Data was stored on floppy disks that could be locked up if necessary, and information stored in volatile memory disappeared once the machine was turned off. Thus the operating system contained no features to ensure the protection of data stored in the computer. However, the introduction of hard disks, which can store large amounts of potentially sensitive information in the computer, introduced new vulnerabilities. Since the hard disk, unlike the floppy disk, cannot be removed from the computer to protect it, whoever turns on the PC can have access to the data and programs stored on the hard disk. This increased risk can still be countered by locking up the entire machine. However, while the machine is running, all the programs and data are subject to corruption from a malfunctioning program, while a dismounted floppy is physically isolated.

The most damaging change in the operating assumptions underlying the PC was the advent of network attachment. External connection via networks has created the potential for broader access to a machine and the data it stores. So long as the machine is turned on, the network connection can be exercised by a remote attacker to penetrate the machine. Unfortunately, MS/DOS does not contain security features that, for example, can protect against unwanted access to or modification of data stored on PCs.

A particularly dangerous example of compromised PC security arises from the use of telecommunication packages that support connecting from the PC to other systems. As a convenience to users, some of these packages offer to record and remember the user's password for other systems. This means that any user penetrating the PC gains access not only to the PC itself but also to all the systems for which the user has stored his password. The problem is compounded by the common practice of attaching a modem to the PC and leaving it turned on at night to permit the user to dial up to the PC from home: since the PC has no access control (unless the software supporting the modem provides the service), any attacker guessing the telephone number can attach to the system and steal all the passwords.

Storing passwords to secure machines on a machine with no security might seem the height of folly. However, major software packages for PCs invite the user to do just that, a clear example of how vendors and users ignore security in their search for ease of use.
take years to deploy a countermeasure that requires a major change to a basic system. Thus, for example, the current concern about virus attacks derives not from the intrinsic difficulty of resisting the attacks, but from the total lack of a countermeasure in such popular systems as MS/DOS and the Apple Macintosh operating system. It will take years to upgrade these environments to provide a technical means to resist virus attacks. Had such attacks been anticipated, the means to resist them could have been intrinsic to the systems. On the other hand, the threats are changing qualitatively; they are more likely to be catastrophic in impact than the more ordinary threat familiar to security officers and managers. This report focuses on the newer breed of threat to system trustworthiness.

The committee concludes, for the various reasons outlined above and developed in this report, that we cannot wait to see what attackers may devise, or what accident may happen, before we start our defense. We must develop a long-term plan, based on our predictions of the future, and start now to develop systems that will provide adequate security and trustworthiness over the next decade.

TOWARD A PLANNED APPROACH

Taking a coherent approach to the problem of achieving improved system security requires understanding the complexity of the problem and a number of interrelated considerations, balancing the sometimes conflicting needs for security and secrecy, building on groundwork already laid, and formulating and implementing a new plan for action.

Achieving Understanding

The Nature of Security: Vulnerability, Threat, and Countermeasure

The field of security has its own language and mode of thought, which focus on the processes of attack and on preventing, detecting, and recovering from attacks. In practice, similar thinking is accorded to the possibility of accidents that, like attacks, could result in disclosure, modification, or destruction of information or systems or a delay in system use. Security is traditionally discussed in terms of vulnerabilities, threats, and countermeasures. A vulnerability is an aspect of some system that leaves it open to attack. A threat is a hostile party with the potential to exploit that vulnerability and cause damage. A countermeasure or safeguard is an added step or improved design that eliminates the vulnerability and renders the threat impotent.
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
OVERVIEW AND RECOMMENDATIONS 14
A safe containing valuables, for example, may have a noisy combination lock—a vulnerability—whose clicking can be recorded and analyzed to recover the combination. It is surmised that safecrackers can make contact with experts in illegal eavesdropping—a threat. A policy is therefore instituted that recordings of random clicking must be played at loud volume when the safe is opened—a countermeasure.

Threats and countermeasures interact in intricate and often counterintuitive ways: a threat leads to a countermeasure, and the countermeasure spawns a new threat. Few countermeasures are so effective that they actually eliminate a threat. New means of attack are devised (e.g., computerized signal processing to separate "live" clicks from recorded ones), and the result is a more sophisticated threat.

The interaction of threat and countermeasure poses distinctive problems for security specialists: the attacker must find but one of possibly multiple vulnerabilities in order to succeed; the security specialist must develop countermeasures for all. The advantage is therefore heavily to the attacker until very late in the mutual evolution of threat and countermeasure.[9]

If one waits until a threat is manifest through a successful attack, then significant damage can be done before an effective countermeasure can be developed and deployed. Therefore countermeasure engineering must be based on speculation. Effort may be expended in countering attacks that are never attempted.[10] The need to speculate and to budget resources for countermeasures also implies a need to understand what it is that should be protected, and why; such understanding should drive the choice of a protection strategy and countermeasures. This thinking should be captured in security policies generated by management; poor security often reflects both weak policy and inadequate forethought.[11]

Security specialists almost uniformly try to keep the details of countermeasures secret, thus increasing the effort an attacker must expend and the chances that an attack will be detected before it can succeed. Discussion of countermeasures is further inhibited because a detailed explanation of sophisticated features can be used to infer attacks against lesser systems.[12] As long as secrecy is considered important, the dissemination, without motivation, of guidelines developed by security experts will be a key instrument for enhancing secure system design, implementation, and operation. The need for secrecy regarding countermeasures and threats also implies that society must trust a group of people, security experts, for advice on how to maintain security.
Confidence in countermeasures is generally achieved by submitting them for evaluation by an independent team; this process increases the lead times and costs of producing secure systems. The existence of a successful attack can be demonstrated by an experiment, but the adequacy of a set of countermeasures cannot. Security specialists must resort to analysis, yet mathematical proofs in the face of constantly changing systems are impossible.

In practice, the effectiveness of a countermeasure often depends on how it is used; the best safe in the world is worthless if no one remembers to close the door. The possibility of legitimate users being hoodwinked into doing what an attacker cannot do for himself cautions against placing too much faith in purely technological countermeasures.

The evolution of countermeasures is a dynamic process. Security requires ongoing attention and planning, because yesterday's safeguards may not be effective tomorrow, or even today.

Special Security Concerns Associated with Computers

Computerization presents several special security challenges that stem from the nature of the technology, including the programmability of computers, interconnection of systems, and the use of computers as parts of complex systems. A computing system may be under attack (e.g., for theft of data) for an indefinite length of time without any noticeable effects, attacks may be disguised or may be executed without clear traces being left, or attacks may be related to seemingly benign events. Thus "no danger signals" does not mean that everything is in order.[13] A further complication is the need to balance security against other interests, such as impacts on individual privacy. For example, automated detection of intrusion into a system, and other safeguards, can make available to system administrators significant information about the behavior of individual system users.

To some extent, those attributes of computing that introduce vulnerabilities can also be used to implement countermeasures. A computer system (unlike a file cabinet) can take active measures in its defense, by monitoring its activity and determining which user and program actions should be permitted (Anderson, 1980). Unfortunately, as discussed later in this report, this potential is far from realized.

Programmability The power of a general-purpose computer lies in its ability to become an infinity of different machines through programming.[14] This is also a source of great vulnerability, because if a system can be programmed, it can be programmed to do bad things.
Thus by altering program text a computer virus can transform a familiar and friendly machine into something else entirely (Cohen, 1984).

The vulnerability introduced by programmability is compounded by the degree to which the operation of a computer is hidden from its user. Whereas an individual concerned about security can inspect a mechanical typewriter and safely conclude that the effects of pressing a key are the appearance of a letter on the paper and the imprint of a letter on the ribbon, he can gain no such confidence about the operation of a word processor. It is clear that the pressing of a word processor's key causes the appearance of a letter on the screen. It is in no sense clear what else is happening—whether, for instance, the letters are being saved for subsequent transmission or the internal clock is being monitored for a "trigger date" for the alteration or destruction of files.

Embeddedness and Interconnection The potential for taking improper irreversible actions increases with the degree to which computers are embedded in processes.[15] The absence of human participation removes checks for the reasonableness of an action. And the time scale of automatic decisions may be too short to allow intervention before damage is done.

Interconnection enables attacks to be mounted remotely, anonymously, and against multiple vulnerabilities concurrently, creating the possibility of overwhelming impacts if the attacks are successful. This risk may not be understood by managers and system users. If a particular node on a massive, heterogeneous network does not contain any sensitive information, its owners may not be motivated to install any countermeasures. Yet such "wide-open" nodes can be used to launch attacks on the network as a whole, and little can be done in response, aside from disconnecting. The "Wily Hacker," for example, laundered his calls to defense-related installations through various university computers, none of which suffered any perceptible loss from his activities. The Internet worm of November 1988 also showed how networking externalizes risk. Many of the more than 2,000 affected nodes were entered easily once a "neighbor" node had been entered, usually through the electronic equivalent of an unlocked door.

In many cases, communication and interconnection have passed well beyond the simple exchange of messages to the creation of controlled opportunities for outsiders to access an organization's systems to facilitate either organization's business. On-line access by major telephone customers to telephone system management data and by large businesses to bank systems for treasury management
functions are two examples of this phenomenon. A related development is electronic data interchange (EDI), in which companies have computer-communications links with suppliers and customers to automate ordering, queries about the status of orders, inventory management, market research, and even electronic funds transfer (EFT). EDI and EFT may add an additional system layer or interconnection where systems are mediated by third-party suppliers that collect, store, and forward messages between various parties in various organizations. This situation illustrates the need for trustworthiness in common carriage. In short, a wide range of organizations are connected to each other through computer systems, sometimes without knowing they are interconnected.

Interconnection gives an almost ecological flavor to security; it creates dependencies that can harm as well as benefit the community of those who are interconnected. An analogy can be made to pollution: the pollution generated as a byproduct of legitimate activity causes damage external to the polluter. A recognized public interest in eliminating the damage may compel the installation of pollution control equipment for the benefit of the community, although the installation may not be justified by the narrow self-interest of the polluter. Just as average citizens have only a limited technical understanding of their vulnerability to pollution, so also individuals and organizations today have little understanding of the extent to which their computer systems are put at risk by those systems to which they are connected, or vice versa. The public interest in the safety of networks may require some assurances about the quality of security as a prerequisite for some kinds of network connection.

Security Must Be Holistic—Technology, Management, and Social Elements

Computer security does not stop or start at the computer. It is not a single feature, like memory size, nor can it be guaranteed by a single feature or even a set of features. It comprises at a minimum computer hardware, software, networks, and other equipment to which the computers are connected, facilities in which the computer is housed, and persons who use or otherwise come into contact with the computer. Serious security exposures may result from any weak technical or human link in the entire complex. For this reason, security is only partly a technical problem: it has significant procedural, administrative, physical facility, and personnel components as well. The General Accounting Office's recent criticisms of financial computer systems, for example, highlighted the risks associated with poor physical
and administrative security (GAO, 1990a), which sets the stage for even amateur attacks on critical systems.

BOX 1.3 SECURITY VS. RELIABILITY: A TELEPHONE BILLING SYSTEM AS AN EXAMPLE

Consider, for example, a telephone billing system that computes the duration of a call by recording the time but not the date at the start and end of a call. The system cannot bill calls over 24 hours. Thus a call of 24 hours and 3 minutes would be billed for 3 minutes. In the normal course of events, such calls are very rare, and in the absence of an active threat it is possible to visualize an analysis whose conclusion is that the error is not worth fixing. That is, the revenue lost from that tiny number of calls that "naturally" last more than 24 hours would not cover the cost of making the fix. But the discovery of this error by an active threat (e.g., bookies) turns it immediately into a vulnerability that will be exploited actively and persistently until it is fixed. The tolerance for error is therefore very much less when one considers "security" than it is when one is simply concerned with "reliability."

Paralleling concerns about security are concerns about system safety and the need for assurance that a system will not jeopardize life or limb. Steps that enhance computer security will enhance safety, and vice versa.[16] Mechanisms used to achieve security are often similar to those used to achieve safety, reliability, and predictability. For example, contingency planning (which may involve system backup activities and alternative equipment and facilities) can protect an organization from the disruption associated with fires and other natural disasters, and it can help an organization to recover from a security breach.

Nevertheless, the environment in which those mechanisms operate differs when the principal concern is security. In particular, traditional risk analysis relies on statistical models that assume that unlikely events remain unlikely after they have occurred once. Security analyses cannot include such assumptions (see Box 1.3). Security is also distinguished from safety in that it involves protection against a conscious action rather than random unfortunate circumstances.[17]
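The Box 1.3 billing defect, and the point just made about risk analysis, as an added example that is not part of the report: the time-only duration computation beside its date-aware correction, an audit check a carrier could run over its full-timestamp logs, and two constructed call populations showing how the loss changes once the defect is exploited persistently rather than hit by chance. The tariff, call records and dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

SECONDS_PER_DAY = 24 * 60 * 60
RATE_CENTS_PER_MINUTE = 10  # assumed tariff, constructed for this example


@dataclass(frozen=True)
class CallRecord:
    """One call as the switch's own log holds it: full start and end timestamps."""
    start: datetime
    end: datetime


def make_call(start_iso: str, end_iso: str) -> CallRecord:
    """Build a record from ISO 8601 strings such as '1990-05-01T09:00:00'."""
    return CallRecord(datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso))


def _seconds_since_midnight(t: datetime) -> int:
    return t.hour * 3600 + t.minute * 60 + t.second


def billed_seconds_time_only(call: CallRecord) -> int:
    """The defective computation of Box 1.3: only the time of day is kept at
    the start and end of the call, so the difference is taken modulo 24 hours
    and every whole day of the call is silently dropped. The modulo still
    handles a call that merely crosses midnight, which is why the defect stays
    hidden until a call exceeds 24 hours."""
    start = _seconds_since_midnight(call.start)
    end = _seconds_since_midnight(call.end)
    return (end - start) % SECONDS_PER_DAY


def billed_seconds_with_date(call: CallRecord) -> int:
    """The corrected computation: the date is recorded too, so the true
    elapsed time is available however long the call lasts."""
    delta = call.end - call.start
    if delta < timedelta(0):
        raise ValueError("call ends before it starts")
    return int(delta.total_seconds())


def billed_cents(seconds: int) -> int:
    """Charge per started minute at the constructed tariff."""
    return ((seconds + 59) // 60) * RATE_CENTS_PER_MINUTE


def revenue_lost_cents(calls: List[CallRecord]) -> int:
    """What the defect costs the carrier on a given population of calls."""
    return sum(billed_cents(billed_seconds_with_date(c)) - billed_cents(billed_seconds_time_only(c))
               for c in calls)


def find_underbilled(calls: List[CallRecord]) -> List[CallRecord]:
    """Audit check run over the full-timestamp log: calls whose time-only bill
    is short by at least one whole day. Under the 'reliability' view this list
    should be nearly empty; a steady stream of hits is the signal that the
    defect has become an actively exploited vulnerability."""
    return [c for c in calls
            if billed_seconds_with_date(c) - billed_seconds_time_only(c) >= SECONDS_PER_DAY]


def natural_traffic() -> List[CallRecord]:
    """Constructed 'reliability' scenario: 360 ordinary daytime calls and one
    call that happened to run 24 hours and 3 minutes."""
    calls = [make_call(f"1990-05-01T{h:02d}:00:00", f"1990-05-01T{h:02d}:{m:02d}:00")
             for h in range(8, 20) for m in range(1, 31)]
    calls.append(make_call("1990-05-01T09:00:00", "1990-05-02T09:03:00"))
    return calls


def exploited_traffic(days: int) -> List[CallRecord]:
    """Constructed 'security' scenario: the same ordinary traffic, plus a party
    who knows the defect and keeps a line open for 24 hours and 3 minutes on
    each of `days` consecutive days (days <= 30 for the May dates used here)."""
    calls = natural_traffic()
    for day in range(1, days + 1):
        calls.append(make_call(f"1990-05-{day:02d}T20:00:00",
                               f"1990-05-{day + 1:02d}T20:03:00"))
    return calls


if __name__ == "__main__":
    one_day = make_call("1990-05-01T09:00:00", "1990-05-02T09:03:00")
    print("24h03m call billed for", billed_seconds_time_only(one_day) // 60, "minutes")
    print("revenue lost, natural traffic:   $%.2f" % (revenue_lost_cents(natural_traffic()) / 100))
    print("revenue lost, 30 days exploited: $%.2f" % (revenue_lost_cents(exploited_traffic(30)) / 100))
    print("audit hits, 30 days exploited:", len(find_underbilled(exploited_traffic(30))))
```

The same loss per call that an actuarial model writes off as a rare event becomes a recurring daily loss once an adversary chooses to trigger it, which is the asymmetry the text draws between reliability and security.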
Commercial and Military Needs are Different

There has been much debate about the difference between military and commercial needs in the security area. Some analyses (OTA, 1987b) have characterized so-called military security policies (i.e., those
concerned with national security or classified data) as being largely or exclusively concerned with secrecy, and commercial security policies (i.e., those of interest to the private sector) as being concerned with the integrity or reliability of data. This distinction is both superficial and misleading. National security activities, such as military operations, rely heavily on the integrity of data in such contexts as intelligence reports, targeting information, and command and control systems, as well as in more mundane applications such as payroll systems. Private sector organizations are concerned about protecting the confidentiality of merger and divestiture plans, personnel data, trade secrets, sales and marketing data and plans, and so on. Thus there are many common needs in the defense and civilian worlds.

Commonalities are especially strong when one compares the military to what could be called infrastructural industries—banking, the telephone system, power generation and distribution, airline scheduling and maintenance, and securities and commodities exchanges. Such industries both rely on computers and have strong security programs because of the linkage between security and reliability. Nonsecure systems are also potentially unreliable systems, and unreliability is anathema to infrastructure.

Nevertheless, specific military concerns affect the tack taken to achieve security in military contexts. Thus far, system attacks mounted by national intelligence organizations have been qualitatively different from attacks mounted by others (see Appendix E). This qualitative difference has led to basic differences in system design methodology, system vulnerability assessment, requirements for secrecy vs. openness in system design, and so on.

Other differences stem from the consequences of a successful attack. National security countermeasures stress prevention of attack, and only secondarily investigation and pursuit of the attackers, since the concept of compensatory or punitive damages is rarely meaningful in a national security context. Private sector countermeasures, however, are frequently oriented toward detection—developing audit trails and other chains of evidence that can be used to pursue attackers in the courts.

A final set of differences stem from variations in the ability to control who
has access to computer systems. Thre<strong>at</strong>s can come from outsiders, <strong>in</strong>dividuals<br />
who have little or no legitim<strong>at</strong>e access to <strong>the</strong> systems <strong>the</strong>y are <strong>at</strong>tack<strong>in</strong>g, or from<br />
<strong>in</strong>siders, <strong>in</strong>dividuals who abuse <strong>the</strong>ir right to legitim<strong>at</strong>e access. Embezzlement<br />
and <strong>the</strong>ft of trade secrets by employees are familiar <strong>in</strong>sider thre<strong>at</strong>s. Effective<br />
<strong>at</strong>tacks often comb<strong>in</strong>e <strong>the</strong> two forms: a determ<strong>in</strong>ed and competent group of<br />
outsiders aided by a subverted <strong>in</strong>sider (Early, 1988).<br />
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
The national security community conducts extensive background checks on individuals before it grants access to systems or information. Its countermeasures, therefore, tend to emphasize attacks by outsiders. Nonetheless, recognition of its own insider threats has led to an increased emphasis on accountability, auditing, and other measures to follow up on improper as well as accidental incidents. The private sector, by contrast, is limited by privacy and civil rights legislation in its ability to deny employment to individuals based on in-depth background investigations. This situation, together with the fact that most commercial applications are wide open to simple physical attacks and also have lacked external system connections, contributes to the private sector's historic emphasis on the threats posed by insiders (employees). Of course, the increasing interconnection and globalization of business, research, and other activities should raise the level of concern felt by all segments of the economy about outside threats.

The security needs of both commercial and defense sectors are matters of public interest. Partly because understanding of security is uneven, the computer and communications market has moved slowly and unevenly. Like other complex and sophisticated products, computer software and systems are difficult for the average consumer to understand and evaluate. This situation has depressed potential demand for security, and it has resulted in public and private efforts to stimulate and guide the market that, while well intended, fall short of what is needed. This is one area where it is generally agreed that some form of institutional support is not only desirable but also most valuable.

Putting the Need for Secrecy into Perspective

There is a tension between the need for prudent limits on the dissemination of information on vulnerabilities and the need to inform those at risk of specific security problems. The secrecy imperative has historically dominated the communications security field. Cryptology (the science of making and breaking codes), for instance, is one of two sciences (the other being atomic energy) that is given special status under federal statute (Kahn, 1967). Secrecy has also been self-imposed; government investigators, prosecutors, and insurance representatives have noted the reluctance of companies that have experienced computer system attacks to report their experiences.

Concern for secrecy affects the way computer systems are built and used. Open discussion of the design of a system offers the benefit of collegial review (see Chapter 4) but also involves the risk that attackers may be immediately informed of vulnerabilities. Evaluation and analysis may also yield a list of residual vulnerabilities that cannot be countered for technical or economic reasons, and these become the most important secrets associated with the system. The more complex the system, the more difficult the trade-off becomes because of the increased likelihood that those close to the system will overlook something. General education in the proper use of countermeasures leads to a better-informed user community, but it also leads to a better-informed community of potential attackers. Publicizing specific vulnerabilities will lead some users to correct them, but will also provide a cookbook for attacking sites that do not hear about or are not motivated to install the countermeasure.

Concern for secrecy also impedes technological progress in the security area. It has deterred research in the academic community, which places a premium on open discussion and publication. It increases the difficulties faced by people new to the field, who cannot readily find out what has been done and what the real problems are; there is much reinventing of wheels. Finally, concern for secrecy makes it hard for the few who are well informed to seek the counsel and collaboration of others.

Perhaps the most damaging aspect of the secrecy associated with computer and communications security is that it has led many to assume that no problems exist. "Tomorrow will be pretty much like today," is the rationale that guides most government, corporate, and individual activities. However, with respect to computer security, secrecy makes it extremely hard to know what today is really like.
Building on Existing Foundations

A number of government agencies have addressed portions of the computer system security problem, either by developing relevant technology or applying relevant tools and practices (see Box 1.4). Two government agencies, the National Security Agency (NSA)—most recently through one of its arms, the National Computer Security Center (NCSC)—and the National Institute of Standards and Technology (NIST; formerly the National Bureau of Standards) have been particularly active for some 20 years, but neither is positioned to adequately address the nation's needs.

The National Security Agency has been the more active of the two organizations. The establishment of the NCSC represented an effort to stimulate the commercial marketplace. Through the NCSC and the publication of the Trusted Computer System Evaluation Criteria, or Orange Book (U.S. DOD, 1985d), which outlines different levels of computer security and a process for evaluating the security of computer systems (see Appendix A), the NSA has had a noticeable effect (Box 1.5). Because of its defense-oriented charter, the NSA cannot, however, more actively foster development or widespread dissemination of technology for use in the nonclassified or commercial world. Indeed, its defense-related focus—specifically, a focus on systems that process classified information—has been narrowed in recent years.
BOX 1.4 RECENT MAJOR COMPUTER SECURITY INITIATIVES UNDERTAKEN BY THE U.S. GOVERNMENT

• Establishment of the National Computer Security Center
• The Orange Book, Trusted Network Interpretation, related publications, and the Trusted Products Evaluation Program
• National Security Decision Directive 145; revised and recast as NSD 42
• The Computer Fraud and Abuse Act of 1986
• The Computer Security Act of 1987
• National Telecommunications and Information System Security Policy 200—C2 by '92
• The Secure Data Network System project
• NIST's Integrity Workshop program
• DARPA's Computer Emergency Response Team program
The National Institute of Standards and Technology's impact on computer security has been concentrated within the federal government. NIST has limited technical expertise and funds; in FY 1990 its appropriations for the computer security program totaled only $2.5 million. Although it can organize workshops, develop procedural guidelines, and sanction standards efforts, it is not in a position to develop technology internally or to provide direct support to external technology development efforts. The newest (FY 1991) NIST budget request called for a doubling of funds to support activities related to computer security, and NIST has made plans to undertake some initiatives (e.g., an industry-oriented program to combat computer viruses). However, the denial of NIST's FY 1990 request for modest additional funds in this area is symptomatic of the lack of stability and predictability of the political process for government funding in general and funding for NIST in particular.18
BOX 1.5 THE RAINBOW SERIES

Since its formation in 1981, the National Computer Security Center has disseminated a collection of criteria and guidelines to assist developers, evaluators, and users in the development of trusted systems. This set of documents has become known as the Rainbow Series because of the different colors used for each volume's cover. Of these documents, perhaps the most widely known is the so-called Orange Book, which is formally known as the Department of Defense Trusted Computer System Evaluation Criteria. The following are brief descriptions of some of the documents that form the Rainbow Series:

Trusted Computer System Evaluation Criteria (TCSEC) (Orange)
The TCSEC defines criteria for evaluating the security functionality and assurance provided by a computer system. The TCSEC formalizes the concept of a trusted computing base (TCB) and specifies how it should be constructed and used in order to ensure a desired level of trust.

Trusted Network Interpretation (TNI) (Red)
The TNI interprets the TCSEC with regard to networked computer systems. The TNI has been particularly controversial due to the complex security issues that arise when computer networks are used. It has been undergoing revision.

Trusted Database Management System Interpretation (TDI) (forthcoming)
The TDI interprets the TCSEC with regard to database management systems. The TDI is expected to be released in late 1990 or early 1991.

Password Management Guideline (Light Green)
This document describes a set of good practices for using password-based authorization schemes. A similar set of guidelines has also been issued by the National Institute of Standards and Technology as a Federal Information Processing Standards publication.

Glossary of Computer Security Terms (Dark Green)
This document defines the acronyms and terms used by computer security specialists, focusing on DOD contexts.

Magnetic Remanence Security Guidelines (Dark Blue)
This document provides procedures and guidance for sanitizing magnetic storage media (e.g., disks and tapes) prior to their release to nonsecure environments.

Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments (Yellow)
This volume provides guidance for applying the TCSEC to specific environments.

Tension between commercial and military interests dominated public policymaking relating to computer security during the 1980s. National Security Decision Directive (NSDD) 145, the Computer Security Act of 1987, and the mid-1990 revision of NSDD 145 (resulting in NSD 42) have progressively restricted NSA to an emphasis on defense systems, leaving civilian (notably civil government) system security concerns to NIST. Partly as a result of the changing policy context, NSA has moved to diminish its interaction with commercial organizations, most notably by scaling back the NCSC. The full implications of these moves are yet to be appreciated at the time this report is being completed.

Meanwhile, no industry-based organization or professional association has stepped forward to play a leadership role in increasing computer system security, although the 1980s saw the birth or strengthening of a number of volunteer professional associations, and over the past couple of years major computer-related trade associations (e.g., the Computer and Business Equipment Manufacturers Association (CBEMA) and the computer software and services industry association ADAPSO) have begun to explore steps they can take to better track security problems, notably virus incidents, and to encourage better systems development. However valuable, these efforts are piecemeal.

Common technical interests, complementary objectives, and significant differences in resources combine to make the existing separate activities aimed at increasing computer security in commercial and military environments an incomplete solution to the problem of increasing the overall level of system security and trust. A more complete solution calls for the formulation and implementation of a new, more comprehensive plan that would inject greater resources into meeting commercial computer security needs.
SCOPE, PURPOSE, CONTENTS, AND AUDIENCE

This report provides an agenda for public policy, computer and communications security research, technology development, evaluation, and implementation. It focuses on the broad base of deployed computers in the United States; it does not emphasize the special problems of government classified information systems. This committee is particularly concerned about raising the security floor, making sure that the commercial environment on which the economy and public safety depend has a better minimum level of protection.

A number of actions are needed to increase the availability of computer and communications systems with improved security, including:

• A clear articulation of essential security features, assurances, and practices;
• Enhanced institutional support and coordination for security; and
• Research and development of trustworthy computer-based technology.
This is the appropriate time to develop a new strategy that blends research, establishment of requirements and criteria, and commercial incentives. The committee's recommendations in each of the above areas are presented below in the "Recommendations" section of this chapter. These include recommendations for both short- and long-term actions.<br />
This report is intended to address a variety of audiences, including government policymakers, vendors, managers responsible for the purchase and use of computer and communications systems, people involved in computer-related research and development, educators, and interested members of the general public. The chapters and appendixes that follow provide technical and analytical detail to further support the assertions, conclusions, and recommendations presented in this first chapter.<br />
• Chapter 2 describes basic concepts of information security, including security policies and management controls.<br />
• Chapter 3 describes technology associated with computer and communications security, relating technical approaches to security policies and management controls.<br />
• Chapter 4 discusses methodological issues related to building secure software systems.<br />
• Chapter 5 discusses system evaluation criteria, which provide yardsticks for evaluating the quality of systems. This topic is a current focus of much international concern and activity.<br />
• Chapter 6 discusses why the marketplace has failed to substantially increase the supply of security technology and discusses options for stimulating the market.<br />
• Chapter 7 discusses the need for a new institution, referred to as the Information Security Foundation.<br />
• Chapter 8 outlines problems and opportunities in the research community and suggests topics for research and mechanisms for strengthening the research infrastructure.<br />
• Appendixes provide further detail on the Orange Book (A), technology (B), emergency response teams (C), models for proposed guidelines (D), high-grade threats (E), and terminology (F).<br />
The nature of the subject of security dictates some limits on the content of this report. Of necessity, this report anticipates threats in order to guide the development of effective security policy; it therefore inherently contains a degree of surmise. It leaves things unsaid so as not to act as a textbook for attackers, and therefore it may fail to inform or inspire some whose information is at risk. And finally, it may carry within it the seeds of its own failure, as the countermeasures it may inspire may also lead to new and more effective threats. Such is the nature of security.<br />
RECOMMENDATIONS<br />
The central concern of this report is how to get more and better computer and communications security into use. Five of the committee's six recommendations endorse actions with medium- to long-range impacts. Another, Recommendation 2, outlines short-term actions aimed at immediately improving the security of computing systems. It is clear that system operators, users, and managers need to take effective steps now to upgrade and stabilize their operating environments; developers and vendors are likewise urged to use existing capabilities for immediate enhancement of computer security. Also of concern are a number of currently unfolding political developments (e.g., development of harmonized international criteria for trusted system design and evaluation) that call for immediate attention from both public policymakers and vendors in particular. The committee has addressed such developments within the body of the report as appropriate.<br />
Although the committee focused on system security, its recommendations also serve other aspects of system trustworthiness, in particular safety and reliability. It does not make sense to address these issues separately. Many of the methods and techniques that make systems more secure make them more trustworthy in general. System safety is tied to security, both in method and in objective. The penetration of computing into the social and economic fabric means that, increasingly, what we may want to protect or secure is public safety.<br />
Increasing the trustworthiness of computer systems requires actions on many fronts—developing technology and products, strengthening managerial controls and response programs, and enhancing public awareness. Toward that end, the committee recommends six sets of actions, summarized as follows:<br />
1. Promulgating a comprehensive set of generally accepted system security principles, referred to as GSSP (see also Chapter 2);<br />
2. Taking specific short-term actions that build on readily available capabilities (see also Chapter 6);<br />
3. Establishing a comprehensive incident data repository and appropriate education programs to promote public awareness (see also Chapters 4 and 6);<br />
4. Clarifying export control criteria and procedures (see also Chapter 6);<br />
5. Securing funding for a comprehensive, directed program of research (see also Chapters 3, 4, and 8); and<br />
6. Establishing a new organization to nurture the development, commercialization, and proper use of trust technology, referred to as the Information Security Foundation, or ISF (see also Chapters 5, 6, and 7).<br />
Recommendation 1 Promulgate Comprehensive Generally Accepted System Security Principles (GSSP)<br />
1a. Establish a set of Generally Accepted System Security Principles, or GSSP, for computer systems. Because of widely varying understanding about vulnerabilities, threats, and safeguards, system vendors and users need guidance to develop and use trusted systems. It is neither desirable nor feasible to make all who come into contact with computers experts in computer and communications security. It is, however, both desirable and feasible to achieve a general expectation for a minimum level of protection. Otherwise, responses to security problems will continue to be fragmented and often ineffective.<br />
The committee believes it is possible to enunciate a basic set of security-related principles that are so broadly applicable and effective for the design and use of systems that they ought to be a part of any system with significant operational requirements. This set will grow with research and experience in new areas of concern, such as integrity and availability, and can also grow beyond the specifics of security to deal with other related aspects of system trust, such as safety. GSSP should articulate and codify these principles.<br />
Successful GSSP would establish a set of expectations about and requirements for good practice that would be well understood by system developers and security professionals, accepted by government, and recognized by managers and the public as protecting organizational and individual interests against security breaches and lapses in the protection of privacy. Analogous broad acceptance has been accorded to financial accounting standards (what have been called the Generally Accepted Accounting Principles, or GAAP) and building codes,19 both of which contain principles defined with industry input and used or recognized by government as well. To achieve a similar level of consensus, one that builds on but reaches beyond that accorded to the Orange Book (see Appendix A), the GSSP development process should be endorsed by and accept input from all relevant communities, including commercial users, vendors, and interested agencies of the U.S. government. The development of GSSP would require a level of effort and community participation that is well beyond the scope either of this report or of organizations currently active in the security arena. The committee therefore recommends that the process of establishing GSSP be spearheaded by a new organization discussed below in recommendation 6.<br />
BOX 1.6 POTENTIAL ELEMENTS OF GENERALLY ACCEPTED SYSTEM SECURITY PRINCIPLES<br />
The following set of examples is intended to illustrate the kinds of principles and considerations that might be embodied in GSSP. The committee emphasizes security-related issues but believes that GSSP should also stress safety-related practices.<br />
• Quality control—A system is safe and secure only to the extent that it can be trusted to provide the functionality it is intended to supply. At a minimum, the best known industrial practice must be used for system development, and some recognized means for potential purchasers or users to obtain independent evaluation must be provided. A stronger requirement would specify that every procedure in the software be accompanied by text specifying its potential impact on safety and security and arguing that those specifications imply the desired properties.* Chapter 5 discusses specific proposals for evaluation of systems relative to GSSP.<br />
• Access control on code as well as data—Every system must have the means to control which users can perform operations on which pieces of data, and which particular operations are possible. A minimum mechanism has a fixed set of operations (for example read, write, and execute) and may only associate permission with static groups of users, but stronger means, such as the ability to list particular users, are recommended.<br />
• User identification and authentication—Every system must assign an unambiguous identifier to each separate user and must have the means to assure that any user is properly associated with the correct identifier. A minimum mechanism for this function is passwords, but stronger means, such as challenge-response identity checks, are recommended.<br />
• Protection of executable code—Every system must have the means to ensure that programs cannot be modified or replaced improperly. Mechanisms stronger than customary access control are recommended, such as a basic system function to recognize certain programs as "installed" or "production" or "trusted," and to restrict the access to specified data to only this class of program.<br />
• Security logging—Every system must have the means to log for later audit all security-relevant operations on the system. At a minimum, this must include all improper attempts to authenticate a user or to access data, all changes to the list of authorized users, and (if appropriate) all successful security-related operations (user authentications, file opens, and so on). The log must be implemented in such a way that it cannot be altered or deleted after being written. A stronger version would also prevent the security administrator from deleting the log.<br />
• Security administrator—All systems must support the concept of a special class of users who are permitted to perform actions that change the security state of the system, such as adding users or installing trusted programs. They must control system code and data sources in appropriate off-line facilities. They must employ standard procedures for system initialization, backup, and recovery from "crashes."<br />
• Data encryption—While data encryption is not, in itself, an application-level security requirement, it is currently recognized as the method of choice for protecting communication in distributed systems. Any system that can be attached to a network must support some standard means for data encryption. A stronger version would forbid software encryption.<br />
• Operational support tools—Every system must provide tools to assist the user and the security administrator in verifying the security state of the system. These include tools to inspect security logs effectively, tools to provide a warning of unexpected system behavior, tools to inspect the security state of the system, and tools to control, configure, and manage the off-line data and code storage and hardware inventory.<br />
• Independent audit—At some reasonable and regular interval, an independent unannounced audit of the on-line system, operation, administration, configuration control, and audit records should be invoked by an agency unrelated to that responsible for the system design and/or operations. Such an audit should be analogous to an annual business audit by accounting firms.<br />
• Hazard analysis—A hazard analysis must be done for every safety-critical system. This analysis must describe those states of the system that can lead to situations in which life is endangered and must estimate the probability and severity of each under various conditions of usage. It should also categorize the extent to which hazards are independent of each other.<br />
* Note that the Internet Engineering Advisory Board has begun to contemplate "security impact statements" for proposed modifications to the large and complex Internet.<br />
Presented in Box 1.6 are some potential GSSP elements that in fully developed GSSP would be elaborated in greater detail. The committee expects that GSSP would also cover matters of safety that fall outside the scope of this report.<br />
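As an added illustration of the "Security logging" element in Box 1.6 (example code written for this edition, not from the report), the following Python builds a hash-chained, append-only security log and shows how an auditor detects alteration or deletion of records after the fact. The event names, the record layout and the auditor-held head hash are assumptions, and the log entries are constructed.

```python
"""Tamper-evident security log: each record carries the SHA-256 of its
predecessor, so altering, removing or reordering a record after it was
written breaks the chain and is caught on audit (example, not the report's).
"""
import copy
import hashlib
import json
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64  # chain anchor for the first record

# Minimum event kinds the principle says must be logged (constructed names).
EVENT_AUTH_FAILURE = "auth_failure"          # improper authentication attempt
EVENT_ACCESS_DENIED = "access_denied"        # improper attempt to access data
EVENT_USER_LIST_CHANGE = "user_list_change"  # change to the authorized users


def record_hash(prev_hash: str, seq: int, event: Dict) -> str:
    """Hash of one record, binding it to its position and its predecessor."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class SecurityLog:
    """Append-only log. Records are never updated in place; the chain makes
    any later alteration, removal or reordering detectable."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, kind: str, **details) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        seq = len(self.records)
        event = {"kind": kind, **details}
        digest = record_hash(prev, seq, event)
        self.records.append({"seq": seq, "event": event, "hash": digest})
        return digest

    def head(self) -> str:
        """Latest hash. Lodging it with the independent auditor is what makes
        the 'stronger version' work: even a security administrator cannot
        silently drop the tail of the log without the head disagreeing."""
        return self.records[-1]["hash"] if self.records else GENESIS_HASH


def verify_chain(records: List[Dict],
                 expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the log is intact; otherwise the index of the first
    record that fails. An index equal to len(records) means the log was
    truncated relative to the head hash the auditor holds."""
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        if rec["seq"] != i or record_hash(prev, i, rec["event"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return None


def demo() -> Dict[str, Optional[int]]:
    """Constructed log plus three tampering attempts, as an auditor sees them."""
    log = SecurityLog()
    log.append(EVENT_AUTH_FAILURE, user="alice", source="console")
    log.append(EVENT_USER_LIST_CHANGE, admin="root", added="bob")
    log.append(EVENT_ACCESS_DENIED, user="bob", target="/payroll/ledger")
    log.append(EVENT_AUTH_FAILURE, user="bob", source="modem-3")
    head = log.head()  # registered off-system with the auditor

    altered = copy.deepcopy(log.records)
    altered[1]["event"]["added"] = "mallory"   # rewrite who was added

    deleted = copy.deepcopy(log.records)
    del deleted[2]                             # drop the access-denied record

    truncated = copy.deepcopy(log.records)[:3]  # remove the newest record

    return {
        "intact": verify_chain(log.records, head),          # None
        "altered": verify_chain(altered, head),             # 1
        "deleted": verify_chain(deleted, head),             # 2
        "truncated_no_head": verify_chain(truncated),       # None: undetected
        "truncated_with_head": verify_chain(truncated, head),  # 3
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {'intact' if result is None else f'bad at {result}'}")
```

The "truncated_no_head" case is the gap the box's stronger version closes: a chain alone proves nothing about records removed from the end, so the head hash must be held by someone other than the log's own administrator.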
Comprehensive GSSP must reflect the needs of the widest possible spectrum of computer users. Although some groups with particular responsibilities (e.g., in banking) might be tempted to reject GSSP in favor of defining practices specific to their sectors, the committee believes that this would be unfortunate. Base-level security requirements of the sort outlined above are broadly applicable and ought to be defined in common (see Chapter 2), so that the features required to support GSSP can become a part of general-purpose computing. Only as a part of mainstream computing products will they become available at reasonable cost.<br />
In order to serve a wide range of users, GSSP must allow variation with circumstances. The committee concludes (see Chapter 5) that GSSP should be organized in a somewhat more unbundled manner than is the Orange Book.<br />
The process of motivating the adoption of GSSP could and probably should differ across sectors. For example, where computers are used to help manage assets, cooperation with the American Institute of Certified Professional Accountants or the Financial Accounting Standards Board might lead to incorporation of GSSP into the larger body of standard practice for accounting. In systems used for health care, GSSP might become a part of the Food and Drug Administration's regulations governing medical equipment. GSSP could also be directly incorporated into government requests for proposals (RFPs) and other procurement actions. During the development of GSSP it would be necessary to consider mechanisms and options for motivating adoption of GSSP.<br />
The committee expects natural forces, such as customers' expectations, requirements for purchasing insurance, vendors' concerns about liability, industry associations, and advertising advantage, to instill GSSP in the marketplace. Nevertheless it is possible to imagine that in some circumstances, such as for life-critical systems, certain aspects of GSSP might become mandatory. Serious consideration of regulation or other mechanisms for enforcement is both premature and beyond the scope of this report. However, the process implied by the committee's set of recommendations could force such consideration in a few years. That process entails establishing a new organization, developing GSSP, and beginning the dissemination of GSSP through voluntary means.<br />
1b. Consider the system requirements specified by the Orange Book for the C2 and B1 levels as a short-term definition of Generally Accepted System Security Principles and a starting point for more extensive definitions. To date and by default, the principal vehicle in the United States for raising the level of practice in computer and communications security has been the National Computer Security Center's Orange Book and its various interpretations. Although the Orange Book is not a full set of GSSP (see Appendix A), it is a major step that is currently molding the market and is clearly consonant with GSSP.<br />
The C2 and B1 ratings describe systems that provide base-line levels of<br />
acceptable discretionary security (C2) and systems th<strong>at</strong> provide m<strong>in</strong>imal levels<br />
of acceptable mand<strong>at</strong>ory multilevel security (B1). 20 However, <strong>the</strong> Orange Book<br />
is not adequ<strong>at</strong>e to meet <strong>the</strong> public's long-term needs, largely because it is<br />
<strong>in</strong>complete. GSSP would provide fuller tre<strong>at</strong>ment of <strong>in</strong>tegrity, availability, and<br />
advanced techniques for assurance and software development. 21 It must address<br />
distributed systems and evolv<strong>in</strong>g architectures (as well as change <strong>in</strong> <strong>the</strong><br />
underly<strong>in</strong>g technologies generally), which means th<strong>at</strong> it should go beyond<br />
trusted comput<strong>in</strong>g bases as currently def<strong>in</strong>ed.<br />
1c. Establish methods, guidel<strong>in</strong>es and facilities for evalu<strong>at</strong><strong>in</strong>g products<br />
for conformance to GSSP. A mechanism for check<strong>in</strong>g conformance to GSSP<br />
is required for GSSP to have its fullest impact and to protect both vendors and<br />
consumers. As with technical standards, it is possible to claim conformance, but<br />
conformance must be genu<strong>in</strong>e for benefits, such as <strong>in</strong>teroperability, to be<br />
realized. Conformance evalu<strong>at</strong>ion is already becom<strong>in</strong>g a prom<strong>in</strong>ent issue across<br />
<strong>the</strong> <strong>in</strong>dustry because of <strong>the</strong> prolifer<strong>at</strong>ion of standards. 22 Evalu<strong>at</strong>ion of security<br />
and safety properties is generally recognized as more difficult than evalu<strong>at</strong>ion<br />
of conformance to <strong>in</strong>teroperability standards. Therefore, methods for evalu<strong>at</strong><strong>in</strong>g<br />
conformance should be considered for each element of GSSP.<br />
It will also be necessary both to tra<strong>in</strong> evalu<strong>at</strong>ors and to establish <strong>the</strong> extent<br />
and tim<strong>in</strong>g of <strong>in</strong>dependent evalu<strong>at</strong>ion. The details of <strong>the</strong> evalu<strong>at</strong>ion process<br />
affect costs to vendors and users as well as <strong>the</strong> confidence of both <strong>in</strong> <strong>the</strong><br />
performance or quality of a system. In Chapter 5 <strong>the</strong> committee recommends<br />
th<strong>at</strong> <strong>the</strong> m<strong>in</strong>imal GSSP evalu<strong>at</strong>ion <strong>in</strong>clude two parts, an explicit design<br />
evalu<strong>at</strong>ion performed by an outside team, and a coord<strong>in</strong><strong>at</strong>ed process of track<strong>in</strong>g<br />
field experience with <strong>the</strong> product and track<strong>in</strong>g and report<strong>in</strong>g security faults.<br />
This process ought to be less costly and time-consum<strong>in</strong>g than <strong>the</strong> current NCSC<br />
process, thus improv<strong>in</strong>g <strong>the</strong> chances of its widespread acceptance.<br />
Experience with <strong>the</strong> current NCSC evalu<strong>at</strong>ion process suggests th<strong>at</strong><br />
<strong>in</strong>dividual products can be evalu<strong>at</strong>ed somewh<strong>at</strong> formally and objectively.<br />
However, a system composed of evalu<strong>at</strong>ed components may not provide <strong>the</strong><br />
security implied by component r<strong>at</strong><strong>in</strong>gs. Achiev<strong>in</strong>g overall system security<br />
requires more objective, uniform, and rigorous standards for system<br />
certific<strong>at</strong>ion. The committee recommends<br />
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
<strong>Computers</strong> <strong>at</strong> <strong>Risk</strong>: <strong>Safe</strong> <strong>Comput<strong>in</strong>g</strong> <strong>in</strong> <strong>the</strong> Inform<strong>at</strong>ion <strong>Age</strong><br />
http://www.nap.edu/c<strong>at</strong>alog/1581.html<br />
About this PDF file: This new digital represent<strong>at</strong>ion of <strong>the</strong> orig<strong>in</strong>al work has been recomposed from XML files cre<strong>at</strong>ed from <strong>the</strong> orig<strong>in</strong>al paper book, not from <strong>the</strong><br />
orig<strong>in</strong>al typesett<strong>in</strong>g files. Page breaks are true to <strong>the</strong> orig<strong>in</strong>al; l<strong>in</strong>e lengths, word breaks, head<strong>in</strong>g styles, and o<strong>the</strong>r typesett<strong>in</strong>g-specific form<strong>at</strong>t<strong>in</strong>g, however, cannot be<br />
reta<strong>in</strong>ed, and some typographic errors may have been accidentally <strong>in</strong>serted. Please use <strong>the</strong> pr<strong>in</strong>t version of this public<strong>at</strong>ion as <strong>the</strong> authorit<strong>at</strong>ive version for <strong>at</strong>tribution.<br />
OVERVIEW AND RECOMMENDATIONS 32<br />
th<strong>at</strong> GSSP <strong>in</strong>clude guidel<strong>in</strong>es for system certific<strong>at</strong>ion, aga<strong>in</strong> build<strong>in</strong>g on exist<strong>in</strong>g<br />
methodology.<br />
1d. Use GSSP as a basis for resolving differences between U.S. and foreign criteria for trustworthy systems and as a vehicle for shaping inputs to international discussions of security and safety standards. With the current emergence of national evaluation criteria and the proposed harmonized Information Technology Security Evaluation Criteria (ITSEC; Federal Republic of Germany, 1990) developed by the United Kingdom, France, Germany, and the Netherlands, the Orange Book is no longer the only game in town. Just as GSSP would serve to extend the Orange Book criteria to cover integrity and availability and advanced system development and assurance techniques, it should also serve as the basis for resolving the differences between the Orange Book and international criteria such as the ITSEC. In the ongoing process of reconciling international criteria and evaluations, U.S. interests may be inadequately served if the comparatively narrowly focused Orange Book is the sole basis for U.S. positions.

The committee supports a move already under discussion to conduct simultaneous evaluations of products against the Orange Book and international criteria to improve the understanding of the relationships among different criteria and to enhance reciprocity. A concerted effort to simultaneously evaluate a series of trusted products can, over a reasonable period of time, bring the criteria (eventually including GSSP) to a common level of understanding and promote the development of reciprocity in ratings.

Similar concerns pertain to U.S. participation in international standards-setting committees. U.S. participation is often constrained by concerns about international technology transfer or by limited technical support from industry. The cost of weak participation may be the imposition on the marketplace of standards that do not fully reflect U.S. national or industrial interests.

Recommendation 2 Take Specific Short-term Actions that Build on Readily Available Capabilities

System users and vendors can take a number of actions that will immediately improve the security of computing systems.

2a. Develop security policies. Computer system users should think through their security needs, establish appropriate policies and associated procedures, and ensure that everyone in a given organization knows those policies and procedures and has some understanding of security risks and safe computing practices. Many organizations have taken these common-sense steps; many others have not or could do so more effectively. 23 At the highest level, these policies provide directions for programs that affect physical security, contingency planning, electronic access, networking, security awareness, and so on. Within each of these general security areas, policies should be developed to identify the specific controls or mechanisms needed to satisfy organizational objectives.
It should be understood that planning and setting policies and procedures need not result in wholesale changes to installed systems. Many of the most effective management controls relate to system operation rather than to functional changes to system design, both because operational changes can be accomplished quickly and because operational weaknesses in computer systems are among the most severe practical problems today. Such changes may not decrease vulnerabilities, but they can reduce a potential threat by imposing controls on potential abusers. Two obvious techniques are upgrading the quality of security administration (e.g., password management, audit analysis, and configuration management) and educating individual users about the risks of importing software (e.g., contamination by viruses).

2b. Form computer emergency response teams. The committee recommends that all organizations dependent on proper operation of computer systems form or obtain access to computer emergency response teams (CERTs) trained to deal with security violations (see Appendix C). These teams should be prepared to limit the impact of successful attacks, provide guidance in recovering from attacks, and take measures to prevent repetition of successful attacks.

For security problems arising from basic design faults, such as the lack of security in MS/DOS, little remedy can be expected in the short term. However, for problems resulting from implementation flaws, a CERT can help by informing the vendor of the fault, ensuring that the fault receives sufficient attention, and helping to ensure that upgraded software is distributed and installed. DARPA's CERT and other, smaller efforts have demonstrated the potential of emergency response teams.

2c. Use as a first step the Orange Book's C2 and B1 criteria. Until GSSP can be articulated and put in place, industry needs some guidance for raising the security floor in the marketplace. The Orange Book's C2 and B1 criteria provide such guidance, which should be valuable not only to conventional computer system vendors (hardware and software) but also to vendors of computer-based medical systems, specialized database management systems, and other computer-based products. Vendors who have not already done so should move to meet C2 and B1 criteria as a conservative step toward instituting GSSP.
2d. Use sound methodology and modern technology to develop high-quality software. The committee recommends that developers of security-relevant software use current-generation tools for software engineering. The development of high-quality software, clearly a paramount goal for any project, often is not achieved because of various real-world pressures and constraints (e.g., competitive need for fast release, or customer demand for enhanced performance). Although the development of more trustworthy systems in general is a concern, security in particular can suffer if systems are not constructed in a methodical and controlled way.

Poor development practices can have several consequences. First, they may lead to a system with vulnerabilities that result directly from undetected errors in the software. (Although objective evidence is hard to gather, it seems that technical attacks on systems are targeted more to implementation faults than to design faults.) Second, such a system may be much harder to evaluate, since it is very difficult for an independent evaluator to understand or review the implementation. Third, the system may be harder to maintain or evolve, which means that with time, the security of the system may get worse, not better. Conventional wisdom about sound development practices applies with special force where security is involved (see Box 1.7).

2e. Implement emerging security standards and participate actively in their design. The committee urges vendors to incorporate emerging security standards into their product planning and to participate more actively in the design of such standards. In particular, vendors should develop distributed system architectures compatible with evolving security standards. 24 Further, vendors and large-system users should make the setting of security standards a higher priority.

Current attempts to set standards raise two concerns. First, standards-setting committees should strive to make security standards simple, since complexity is associated with a greater potential for security problems. Achieving consensus typically results in a standard that combines the interests of diverse parties, a process that promotes complexity. Second, because there are hundreds of computing-related standards groups, setting security standards gets relatively limited attention and participation. Although NIST has supported the setting of such standards, emphasis in this country on standards development by the private sector makes active industry participation essential. Therefore, vendors should be encouraged to assign representatives to U.S. standards efforts to ensure that (1) the impact of standards that affect security is fully understood and (2) security standards can be implemented effectively.
BOX 1.7 SOUND DEVELOPMENT METHODOLOGY FOR SECURE SOFTWARE AND SYSTEMS

• Strive for simplicity and smallness where feasible.
• Use software configuration management and control systems for all source and object code, specifications, documents, test plans and results, version control, and release tracking.
• Reduce exposure to failure of security. For example, validated copies of vital data should be kept off-line, and contingency plans for extended computer outages should be in place.
• Restrict general access to software development tools and products, and to the physical environment.
• Develop generally available components with well-documented program-level interfaces that can be incorporated into secure software. Among these should be standardized interfaces to security services (e.g., cryptography) that may have hardware implementations.
• Provide excess memory and computing capacity relative to the intended functionality. This reduces the need to solve performance problems by introducing complexity into the software.
• Use higher-level languages. (This suggestion may not apply to intelligence threats.)
• Aim for building secure software by extending existing secure software. Furthermore, use mature product or development technology.
• Couple development of secure software with regular evaluation. If system evaluation is to be done by an outside organization, that organization should be involved in the project from its inception.
• Schedule more time and resources for assurance than are typical today.
• Design software to limit the need for secrecy. When a project attempts to maintain secrecy, it must take extraordinary measures (e.g., cleared "inspectors general") to ensure that secrecy is not abused (e.g., to conceal poor-quality work).
2f. Use technical aids to foster secure operations. The committee recommends that vendors take technical steps that will help diminish the impact of user ignorance and carelessness and make it easier to administer systems in a secure manner. For example, systems should be shipped with security features turned on, so that explicit action is needed to disable them, and with default identifications and passwords turned off, so that a conscious effort is required to enable them. More efforts are needed to develop and market tools that could examine the state of a system and report on its security. 25 Such audit tools (e.g., MIT's Kuang tool (Baldwin, 1988), Digital Equipment Corporation's Inspect, Clyde Digital's Cubic, DEMAX's Securepack, and AT&T's Quest) have proved useful in assuring the continued operational security of running systems.
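As an added illustration of the kind of state-examining audit tool recommended in 2f, the following Python checks a constructed account listing and feature configuration for the two conditions the committee singles out: default identifications or passwordless accounts left enabled, and security features left turned off. This is example code written for this page, not Kuang, Inspect, Cubic, Securepack or Quest; the account-file format, the feature names and the list of default accounts are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Vendor-shipped default identifications (constructed for this example).
DEFAULT_ACCOUNTS = {"guest", "field", "demo", "system"}
# Security features that should ship enabled (names constructed for this example).
REQUIRED_FEATURES = ("audit_logging", "login_lockout", "password_aging")
# Password-field values meaning "account locked, no login possible".
LOCKED_MARKERS = {"*", "!", "!!"}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    subject: str   # account name or feature name
    message: str


def parse_accounts(text: str) -> List[dict]:
    """Parse 'name:password_field:uid:shell' lines; an empty password field
    means no password is required, a locked marker means no login at all."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, pwfield, uid, shell = line.split(":")
        accounts.append({"name": name, "pwfield": pwfield, "uid": int(uid), "shell": shell})
    return accounts


def parse_features(text: str) -> Dict[str, bool]:
    """Parse 'feature = on|off' lines; anything other than 'on' counts as off."""
    features: Dict[str, bool] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        features[key.strip()] = value.strip().lower() == "on"
    return features


def audit(accounts: List[dict], features: Dict[str, bool]) -> List[Finding]:
    """Report enabled default or passwordless accounts, extra uid-0 accounts,
    and required security features that are off. Findings come back in
    account-file order, then in REQUIRED_FEATURES order."""
    findings: List[Finding] = []
    for acct in accounts:
        if acct["pwfield"] in LOCKED_MARKERS:
            continue  # a locked default account is the recommended shipped state
        if acct["pwfield"] == "":
            findings.append(Finding("high", acct["name"], "account is enabled with no password"))
        if acct["name"] in DEFAULT_ACCOUNTS:
            findings.append(Finding("high", acct["name"], "vendor default identification is enabled"))
        if acct["uid"] == 0 and acct["name"] != "root":
            findings.append(Finding("high", acct["name"], "additional account with uid 0"))
    for feat in REQUIRED_FEATURES:
        if not features.get(feat, False):
            findings.append(Finding("medium", feat, "security feature is off or not configured"))
    return findings


def format_report(findings: List[Finding]) -> str:
    """One line per finding, high severity first (sort is stable)."""
    rank = {"high": 0, "medium": 1}
    lines = [f"[{f.severity.upper():6}] {f.subject}: {f.message}"
             for f in sorted(findings, key=lambda f: rank[f.severity])]
    return "\n".join(lines) if lines else "no findings"


# Constructed sample state resembling a freshly installed system.
SAMPLE_ACCOUNTS = """\
# name:password_field:uid:shell
root:$6$saltsalt$hashhash:0:/bin/sh
guest::200:/bin/sh
field:*:201:/bin/sh
alice:$6$saltsalt$otherhash:1001:/bin/sh
backup:$6$saltsalt$yethash:0:/bin/sh
"""
SAMPLE_FEATURES = """\
audit_logging = off
password_aging = on
# login_lockout is not configured at all
"""


def audit_sample() -> List[Finding]:
    """Run the checker over the constructed sample state."""
    return audit(parse_accounts(SAMPLE_ACCOUNTS), parse_features(SAMPLE_FEATURES))


if __name__ == "__main__":
    print(format_report(audit_sample()))
```

On the sample state the checker flags the enabled passwordless "guest" default account twice, the extra uid-0 "backup" account, and the two security features that are off or unset, while the locked "field" default account is correctly left alone.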
Recommend<strong>at</strong>ion 3 G<strong>at</strong>her Inform<strong>at</strong>ion and Provide<br />
Educ<strong>at</strong>ion<br />
3a. Build a repository of <strong>in</strong>cident d<strong>at</strong>a. The committee recommends th<strong>at</strong><br />
a repository of <strong>in</strong>cident <strong>in</strong>form<strong>at</strong>ion be established for use <strong>in</strong> research, to<br />
<strong>in</strong>crease public awareness of successful penetr<strong>at</strong>ions and exist<strong>in</strong>g<br />
vulnerabilities, and to assist security practitioners, who often have difficulty<br />
persuad<strong>in</strong>g managers to <strong>in</strong>vest <strong>in</strong> security. This d<strong>at</strong>abase should c<strong>at</strong>egorize,<br />
report, and track pert<strong>in</strong>ent <strong>in</strong>stances of system security-rel<strong>at</strong>ed thre<strong>at</strong>s, risks, and<br />
failures. Because of <strong>the</strong> need for secrecy and confidentiality about specific<br />
system flaws and actual penetr<strong>at</strong>ions, this <strong>in</strong>form<strong>at</strong>ion must be collected and<br />
dissem<strong>in</strong><strong>at</strong>ed <strong>in</strong> a controlled manner. One possible model for d<strong>at</strong>a collection is<br />
<strong>the</strong> <strong>in</strong>cident report<strong>in</strong>g system adm<strong>in</strong>istered by <strong>the</strong> N<strong>at</strong>ional Transport<strong>at</strong>ion<br />
<strong>Safe</strong>ty Board; two directly relevant efforts are <strong>the</strong> <strong>in</strong>cident track<strong>in</strong>g begun by<br />
DARPA's computer emergency response team and NIST's announced plans to<br />
beg<strong>in</strong> to track <strong>in</strong>cidents.<br />
3b. Foster educ<strong>at</strong>ion <strong>in</strong> eng<strong>in</strong>eer<strong>in</strong>g secure systems. There is a dram<strong>at</strong>ic<br />
shortage of people qualified to build secure software. Universities should<br />
establish software eng<strong>in</strong>eer<strong>in</strong>g programs th<strong>at</strong> emphasize development of critical<br />
and secure software; major system users should likewise provide for cont<strong>in</strong>u<strong>in</strong>g<br />
educ<strong>at</strong>ion th<strong>at</strong> promotes expertise <strong>in</strong> sett<strong>in</strong>g requirements for, specify<strong>in</strong>g, and<br />
build<strong>in</strong>g critical software. Effective work on critical software requires<br />
specialized knowledge of wh<strong>at</strong> can go wrong <strong>in</strong> <strong>the</strong> applic<strong>at</strong>ion doma<strong>in</strong>.<br />
Competence <strong>in</strong> software th<strong>at</strong> controls a nuclear reactor, for example, does not<br />
qualify one to work on flight-control software. Work<strong>in</strong>g on secure software<br />
requires yet more skills, <strong>in</strong>clud<strong>in</strong>g understand<strong>in</strong>g <strong>the</strong> potential for <strong>at</strong>tack, for<br />
software <strong>in</strong> general and for <strong>the</strong> applic<strong>at</strong>ion doma<strong>in</strong> <strong>in</strong> particular.<br />
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
OVERVIEW AND RECOMMENDATIONS 37

Especially needed is a university-based program aimed at returning, graduate-level students who are already somewhat familiar with at least one application area. In addition to covering conventional software engineering, such a program would give special emphasis to topics related to critical software and security 26 and could best be developed at universities with strong graduate engineering and business programs. The committee envisions as an initial step approximately three such programs, each turning out perhaps 20 people a year.
Given the current shortage of qualified people and the time needed for universities to establish appropriate programs, those undertaking large security-related development efforts should deal explicitly with the need to educate project members. Both time and money for this should appear in project budgets.

3c. Provide early training in security practices and ethics. The committee recommends that security practices and ethics be integrated into the general process of learning about and using computers. Awareness of the importance of security measures should be integrated into early education about computing. Lessons about socially acceptable and unacceptable behavior (e.g., stealing passwords is not acceptable) should also be taught when students first begin to use computers, just as library etiquette (e.g., writing in library books is not acceptable) is taught to young readers—with the recognition, of course, that security is a more complex subject. This recommendation is aimed at teachers, especially those at the primary and secondary levels. Implementing it would require that organizations and professionals concerned with security get the word out, to organizations that customarily serve and inform teachers and directly to teachers in communities.

Recommendation 4 Clarify Export Control Criteria, and Set Up a Forum for Arbitration

The market for computer and communications security, like the computer market overall, is international. If the United States does not allow vendors of commercial systems to export security products and products with relatively effective security features, large multinational firms as well as foreign consumers will simply purchase equivalent systems from foreign manufacturers. At issue is the ability to export two types of products: (1) trusted systems and (2) encryption.
4a. Clarify export controls on trusted systems and differentiate them from Orange Book ratings. Industry has complained for some time about current export controls on trusted systems. The requirement for case-by-case review of export licenses for trusted systems with Orange Book ratings of B3 and above adds to the cost of such systems, because sales may be restricted and extra time is needed to apply for and receive export approval. These prospects discourage industry from developing more secure systems; vendors do not want to jeopardize the exportability of their mainline commercial offerings. 27
The committee recommends that Orange Book ratings not be used as export control criteria. It also recommends that the Department of Commerce, in conjunction with the Departments of Defense and State, clarify for industry the content of the regulations and the process by which they are implemented. Removal of Orange Book ratings as control parameters would also help to alleviate potential problems associated with multiple, national rating schemes (see Chapter 5).

The crux of the problem appears to be confusion among Orange Book ratings, dual-use (military and civilian) technology, and military-critical technology. Security technology intended to counter an intelligence-grade threat is considered military critical and not dual use—it is not aimed at commercial as well as military uses. Security technology intended to counter a lower, criminal-grade threat is of use to both defense and commercial entities, but it is not military critical. Since an Orange Book rating per se is not proof against an intelligence-grade threat, it does not alone signal military-critical technology that should be tightly controlled. Industry needs to know which features of a product might trigger export restrictions.
4b. Review export controls on implementations of the Data Encryption Standard. The growth of networked and distributed systems has created needs for encryption in the private sector. Some of that pressure has been seen in the push for greater exportability of products using the Data Encryption Standard (DES) and its deployment in foreign offices of U.S. companies. 28

In principle, any widely available internationally usable encryption algorithm should be adequate. NIST, working with NSA, is currently trying to develop such algorithms. However, the committee notes that this effort may not solve industry's problems, for several reasons. The growing installed base of DES products cannot be easily retrofitted with the new products. The foreign supply of DES products may increase the appeal of foreign products. Finally, NSA-influenced alternatives may be unacceptable to foreign or even U.S. buyers, as evidenced by the American Banking Association's opposition to the NSA's proposals to effectively restrict banks to encryption algorithms designed and developed by NSA when the DES was last recertified, in 1988.

The committee has been apprised that NSA, because of classified national security concerns, does not support the removal of remaining restrictions on export of DES. However, there is a growing lack of sympathy in the commercial community with the NSA position on this matter. The committee recommends that the Administration appoint an arbitration group consisting of appropriately cleared individuals from industry and the Department of Commerce as well as the Department of Defense to impartially evaluate if there are indeed valid reasons at this time for limiting the export of DES. 29
Recommendation 5 Fund and Pursue Needed Research

The dramatic changes in the technology of computing make it necessary for the computer science and engineering communities to rethink some of the current technical approaches to achieving security. The most dramatic example of the problem is the confusion about how best to achieve security in networked environments and embedded systems.

At present, there is no vigorous program to meet this need. Particularly worrisome is the lack of academic research in computer security, notably research relevant to distributed systems and networks. 30 Only in theoretical areas, such as number theory, zero-knowledge proofs, and cryptology, which are conducive to individual research efforts, has there been significant academic effort. Although it must be understood that many research topics could be pursued in industrial as well as academic research laboratories, the committee has focused on strengthening the comparatively weaker research effort in universities, since universities both generate technical talent and are traditionally the base for addressing relatively fundamental questions.

The committee recommends that government sponsors of computer science and technology research (in particular, DARPA and NSF) undertake well-defined and adequately funded programs of research and technology development in computer security. A key role for NSF (and perhaps DARPA), beyond specific funding of relevant projects, is to facilitate increased cross-coupling between security experts and researchers in related fields. The committee also recommends that NIST, in keeping with its interest in computer security and its charter to enhance security for sensitive unclassified data and systems, provide funding for research in areas of key concern to it, either internally or in collaboration with other agencies that support research.
The committee has identified several specific technical issues that justify research (see Box 1.8). Chapter 8 provides a fuller discussion; Chapters 3 and 4 address some underlying issues. The list, although by no means complete, shows the scope and importance of a possible research agenda.

The committee believes that greater university involvement in large-scale research-oriented system development projects (comparable to the old Arpanet and Multics programs) would be highly beneficial for security research. It is important that contemporary projects, both inside and outside universities, be encouraged to use state-of-the-art software development tools and security techniques, in order to evaluate these tools and to assess the expected gain in system security. Also, while academic computer security research traditionally has been performed in computer science departments, several study areas are clearly appropriate for researchers based in business schools, including assessing the actual value to an organization of information technology and of protecting privacy.

BOX 1.8 SECURITY RESEARCH AGENDA

• Security modularity—How can a set of system components with known security properties be combined or composed to form a larger system with known security properties? How can a system be decomposed into building blocks, units that can be used independently in other systems?
• Security policy models—Security requirements other than disclosure control, such as integrity, availability, and distributed authentication and authorization, are not easily modeled. There is also a need for better models that address protocols and other aspects of distributed systems.
• Cost/benefit models for security—How much does security (including also privacy protection) really cost, and what are its real benefits?
• New security mechanisms—As new requirements are proposed, as new threats are considered, and as new technologies become prevalent, new mechanisms are required to maintain effective security. Some current topics for research include mechanisms to support critical aspects of integrity (separation of duty, for example), distributed key management on low-security systems, multiway and transitive authentication, availability (especially in distributed systems and networks), privacy assurance, and access controllers in networks to permit interconnection of mutually suspicious organizations.
• Increasing effectiveness of assurance techniques—More needs to be known about the spectrum of analysis techniques, both formal and informal, and to what aspects of security they best apply. Also, tools are needed to support the generation of assurance evidence.
• Alternative representations and presentations—New representations of security properties may yield new analysis techniques. For example, graphics tools that allow system operators to set, explore, and analyze proposed policies (who should get access to what) and system configurations (who has access to what) may help identify weaknesses or unwanted restrictions as policies are instituted and deployed systems used.
• Automated security procedures—Research is needed in automating critical aspects of system operation, to assist the system manager in avoiding security faults in this area. Examples include tools to check the security state of a system, models of operational requirements and desired controls, and threat assessment aids.
• Nonrepudiation—To protect proprietary rights it may be necessary to record user actions so as to bar the user from later repudiating these actions. Doing this in a way that respects the privacy of users is difficult.
• Resource control—Resource control is associated with the prevention of unauthorized use of proprietary software or databases legitimately installed in a computing system. It has attracted little research and implementation effort, but it poses some difficult technical problems and possibly problems related to privacy as well.
• Systems with security perimeters—Network protocol design efforts have tended to assume that networks will provide general interconnection. However, as observed in Chapter 3, a common practical approach to achieving security in distributed systems is to partition the system into regions that are separated by a security perimeter. This may cause a loss of network functionality. If, for example, a network permits mail but not directory services (because of security concerns about directory searches), less mail may be sent because no capability exists to look up the address of a recipient.
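The comparison of a proposed policy ("who should get access to what") against a deployed configuration ("who has access to what") envisioned under "Alternative representations and presentations", together with the separation-of-duty integrity check named under "New security mechanisms", as an added Python example that is not from the report; all roles, users and grants are constructed sample data:

```python
"""Audit a deployed access configuration against the intended policy.

Added illustration of two Box 1.8 agenda items: reporting weaknesses
(deployed grants the policy never intended) and unwanted restrictions
(intended grants the deployment lacks), plus a separation-of-duty check.
All identifiers below are constructed sample data, not from the report.
"""

# Intended policy: role -> set of (object, action) that role should have.
POLICY_ROLES = {
    "clerk":    {("ledger", "read"), ("invoice", "create")},
    "approver": {("ledger", "read"), ("invoice", "approve")},
    "auditor":  {("ledger", "read"), ("invoice", "read"), ("audit_log", "read")},
}
# Intended policy: user -> roles assigned.
POLICY_ASSIGNMENTS = {
    "alice": {"clerk"},
    "bob":   {"approver"},
    "carol": {"auditor"},
}
# Separation of duty: no single user may hold both roles of a pair.
SOD_PAIRS = [("clerk", "approver")]

# Deployed configuration (constructed): alice was additionally given
# approve rights, carol lost audit_log access, dave has no policy entry.
DEPLOYED_GRANTS = {
    "alice": {("ledger", "read"), ("invoice", "create"), ("invoice", "approve")},
    "bob":   {("ledger", "read"), ("invoice", "approve")},
    "carol": {("ledger", "read"), ("invoice", "read")},
    "dave":  {("ledger", "read")},
}


def expand_policy(roles, assignments):
    """Flatten the role-based policy into user -> set of (object, action)."""
    expected = {}
    for user, user_roles in assignments.items():
        grants = set()
        for role in user_roles:
            grants |= roles.get(role, set())
        expected[user] = grants
    return expected


def compare(policy, deployed):
    """Return (weaknesses, restrictions) as sorted lists of
    (user, object, action): weaknesses are deployed grants absent from
    policy, restrictions are policy grants absent from the deployment.
    Users known only to one side are included, so stray accounts show up."""
    weaknesses, restrictions = [], []
    for user in sorted(set(policy) | set(deployed)):
        expected = policy.get(user, set())
        actual = deployed.get(user, set())
        weaknesses += [(user, *g) for g in sorted(actual - expected)]
        restrictions += [(user, *g) for g in sorted(expected - actual)]
    return weaknesses, restrictions


def sod_violations(roles, deployed, pairs):
    """Infer which roles a user's deployed grants fully cover, then report
    every user who effectively holds both roles of a separation-of-duty pair."""
    violations = []
    for user, actual in sorted(deployed.items()):
        held = {r for r, perms in roles.items() if perms <= actual}
        for a, b in pairs:
            if a in held and b in held:
                violations.append((user, a, b))
    return violations


def audit(roles=POLICY_ROLES, assignments=POLICY_ASSIGNMENTS,
          deployed=DEPLOYED_GRANTS, pairs=SOD_PAIRS):
    """Run the full comparison and return a report dictionary."""
    weaknesses, restrictions = compare(expand_policy(roles, assignments), deployed)
    return {
        "weaknesses": weaknesses,
        "restrictions": restrictions,
        "sod_violations": sod_violations(roles, deployed, pairs),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```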
DARPA has a tradition of funding significant system development projects of the kind that can be highly beneficial for security research. Examples of valuable projects include:

• Use of state-of-the-art software development techniques and tools to produce a secure system. The explicit goal of such an effort should be to evaluate the development process and to assess the expected gain in system quality. The difficulty of uncovering vulnerabilities through testing suggests that a marriage of traditional software engineering techniques with formal methods is needed.
• Development of distributed systems with a variety of security properties. A project now under way, with DARPA funding, is the development of encryption-based private electronic mail. Another such project could focus on decentralized, peer-connected name servers.
• Development of a system supporting some approach to data integrity. There are now some proposed models for integrity, but without worked examples it will be impossible to validate them. This represents an opportunity for DARPA-NIST cooperation.
In addition to fund<strong>in</strong>g specific relevant projects, both DARPA and NSF<br />
should encourage collabor<strong>at</strong>ion across research fields. Cross-discipl<strong>in</strong>ary<br />
research <strong>in</strong> <strong>the</strong> follow<strong>in</strong>g areas would streng<strong>the</strong>n system trustworth<strong>in</strong>ess:<br />
• Safety: There is growing concern about and interest in the safety-related aspects of computer processing both in the United States and internationally.
• Fault-tolerant computing: Much research has been directed at the problem of fault-tolerant computing, and an attempt should be made to extend this work to other aspects of security.
• Code analysis: People working on optimizing and parallelizing compilers have extensive experience in analyzing both source and object code for a variety of properties. An attempt should be made to see if similar techniques can be used to analyze code for properties related to security.
• Security interfaces: People working in the area of formal specification should be encouraged to specify standardized interfaces to security services and to apply their techniques to the specification and analysis of high-level security properties.
• Theoretical research: Theoretical work needs to be properly integrated in actual systems. Often both theoreticians and system practitioners misunderstand the system aspects of security or the theoretical limitations of secure algorithms.
• Programming language research: New paradigms require new security models, new design and analysis techniques, perhaps additional constructs, and persuasion of both researchers and users that security is important before too many tools proliferate.
• Software development environments: Myriad tools (e.g., theorem provers, test coverage monitors, object managers, and interface packages) continue to be developed by researchers, sometimes in collaborative efforts such as Arcadia. Some strategy for integrating such tools is needed to drive the research toward more system-oriented solutions.31
Again, much of this research is appropriate for both commercial and academic entities, and it might require or benefit from industry-university collaboration. Certainly, joint industry-university efforts may facilitate the process of technology transfer. NSF and DARPA have a tradition of working with the broad science community and could obviously take on programs to facilitate needed collaboration. Some possible specific actions are suggested in Chapter 8.
Recommendation 6 Establish an Information Security Foundation
The public needs an institution that will accelerate the commercialization and adoption of safer and more secure computer and communications systems. To meet that need, the committee recommends the establishment of a new private organization—a consortium of computer users, vendors, and other interested parties (e.g., property and casualty insurers). This organization must not be, or even be perceived to be, a captive of government, system vendors, or individual segments of the user community.
The committee recommends a new institution because it concludes that pressing needs in the following areas are not likely to be met adequately by existing entities:
• Establishment of Generally Accepted System Security Principles, or GSSP;
• Research on computer system security, including evaluation techniques;
• System evaluation;
• Development and maintenance of an incident, threat, and vulnerability tracking system;
• Education and training;
• Brokering and enhancing communications between commercial and national security interests; and
• Focused participation in international standardization and harmonization efforts for commercial security practice.
Why should these functions be combined in a single organization? Although the proposed organization would not have a monopoly on all of these functions, the committee believes that the functions are synergistic. For example, involvement in research would help the organization recruit technically talented staff; involvement in research and the development of GSSP would inform the evaluation effort; and involvement in GSSP development and evaluation would inform education, training, and contributions to international criteria-setting and evaluation schemes. Further, a new organization would have more flexibility than those currently focused on security to build strong bridges to other aspects of trust, notably safety.
In the short run, this organization, called the Information Security Foundation (ISF) in this report, would act to increase awareness and expectations regarding system security and safety. The pressure provided by organized tracking and reporting of faults would encourage vendors and users to pay greater attention to system quality; the development and promulgation of GSSP should cause users and vendors to focus on an accepted base of prudent practice.

In the longer term, a major activity of the ISF would be product evaluation. The complex and critical nature of security products makes independent evaluation essential. The only current official source of evaluations, the NCSC, has been criticized as poorly suited to meeting industry's needs, and changes in its charter and direction are reducing its role in this area. The process of evaluation described in Chapters 5 and 7 is intended to address directly industry's concerns with the current process and to define a program that can be a success in the commercial marketplace. The committee concludes that some form of system evaluation is a critical aspect of achieving any real improvement in computer security.

Also in the longer term, the ISF would work to bridge the security and safety arenas, using as vehicles GSSP and evaluation as well as the other activities. The ISF could play a critical role in improving the overall quality and trustworthiness of computer systems, using the need for better security as an initial target to motivate its activities.

The organization envisioned must be designed to interact closely with government, specifically the NCSC and NIST, so that its results can contribute to satisfying government needs. Similarly, it would coordinate with operational organizations such as DARPA's CERT, especially if the CERT proceeds with its plans to develop an emergency-incident tracking capability. The government may be the best vehicle to launch the ISF, but it should be an independent, private organization once functional.
As discussed in detail in Chapter 7, the committee concludes that the ISF would need the highest level of governmental support; the strongest expression of such support would be a special congressional charter. Such a charter would define ISF's role and its relation to the government. At the same time, the organization should be outside of the government to keep it separate from the focus on intragovernmental security needs, internecine political squabbles, and the hiring and resource limitations that constrain NCSC and NIST. Its major source of funds should be member subscriptions and fees for services such as evaluation. It must not depend on government funding for its viability.
Note that the mission outlined above is much more challenging than defining standards or providing evaluation of consumer durables (e.g., as done by Underwriters Laboratories, Inc.). The committee does not know of any existing private organization that could take on these tasks.

Although it recognizes that any proposal for establishing a new institution faces an uphill battle, the committee sees this proposal as a test of commitment for industry, which has complained loudly about the existing institutional infrastructure. Commitment to an organization like that proposed can facilitate self-regulation and greatly diminish the likelihood of explicit government regulation.
If a new organization is not established—or if the functions proposed for it are not pursued in an aggressive and well-funded manner—the most immediate consequences will be the further discouraging of efforts by vendors to develop evaluated products, even though evaluation is vital to assuring that products are indeed trustworthy; the continuation of a slow rate of progress in the market, leaving many system users unprotected and unaware of the risks they face; and the prospect that U.S. vendors will become less competitive in the international systems market. Without aggressive action to increase system trustworthiness, the national exposure to safety and security catastrophes will increase rapidly.
CONCLUSION

Getting widely deployed and more effective computer and communications security is essential if the United States is to fully achieve the promise of the Information Age. The technology base is changing, and the proliferation of networks and distributed systems has increased the risks of threats to security and safety. The computer and communications security problem is growing. Progress is needed on many fronts—including management, development, research, legal enforcement, and institutional support—to integrate security into the development and use of computer and communications technology and to make it a constructive and routine component of information systems.
NOTES

1. Losses from credit card and communications fraud alone investigated by the Secret Service range into the millions. See Box 1.1 for other examples.
2. This growth may be aided by recent political changes in Eastern Europe and the Soviet Union, which are believed to be freeing up intelligence resources that analysts suggest may be redirected toward economic and technological targets (Safire, 1990).
3. Voting systems present special challenges: First, the data is public property. Second, voting systems are information systems deployed to strange locations, handled by volunteers, abused by the media ("got to know the results by 8 p.m."), and offered by specialty vendors. Third, the openness issue can be evaded by vendors promoting proprietary approaches, in the absence of any organized screening or regulatory activity. Fourth, the security overhead in the system cannot get in the way of the operations of the system under what are always difficult conditions. Voting system technology makes an interesting case study because it is inherently system-oriented: ballot preparation, input sensing, data recording and transmission, pre-election testing, intrusion prevention, result preservation, and reporting. The variety of product responses is therefore immense, and each product must fit as wide a range of voting situations as possible, and be attractive and cost-effective. Anecdotal evidence suggests a range of security problems for this comparatively new application. (Hoffman, 1988; ECRI, 1988b; Saltman, 1988; miscellaneous issues of RISKS.)
4. Viruses can spread by means of or independently of networks (e.g., via contaminated diskettes).
5. The committee did not find evidence of significant Japanese activity in computer security, although viruses have begun to raise concern in Japan as evidenced by Japanese newspaper articles, and Japanese system development interests provide a foundation for possible eventual action. For competitive reasons, both Japanese and European developments should be closely monitored.
6. A new organization, the Electronic Frontiers Foundation, has recently been launched to defend these free speech aspects.
7. For example, professional journals and meetings have held numerous debates over the interpretation of the Internet worm and the behavior of its perpetrator; the Internet worm also prompted the issuance or reissuance of codes of ethics by a variety of computer specialist organizations.
8. Two recent studies have pointed to the increased concern with security in networks: The congressional Office of Technology Assessment's Critical Connections: Communication for the Future (OTA, 1990) and the National Research Council's Growing Vulnerability of the Public Switched Networks (NRC, 1989b).
9. This evolution took roughly two centuries in the case of safecracking, a technology whose systems consist of a box, a door, and a lock.
10. This does not mean that the effort was wasted. In fact, some would argue that this is the height of success (Tzu, 1988).
11. For example, a California prosecutor recently observed that "We probably turn down more cases [involving computer break-ins] than we charge, because computer-system proprietors haven't made clear what is allowed and what isn't" (Stipp, 1990).
12. For example, a description of a magnetic door sensor that is highly selective about the magnetic field it will recognize as indicating "door closed" can indicate to attackers that less sophisticated sensors can be misled by placing a strong magnet near them before opening the door.
13. For example, the GAO recently noted in connection with the numerous penetrations of the Space Physics Analysis Network in the 1980s that, "Skillful, unauthorized users could enter and exit a computer without being detected. In such cases and even in those instances where NASA has detected illegal entry, data could have been copied, altered, or destroyed without NASA or anyone else knowing" (GAO, 1989e, p. 1).
14. "Programming" is to be understood in a general sense—anything that modifies or extends the capabilities of a system is programming. Modification of controls on access to a system, for example, is a type of programming with significant security implications. Even special-purpose systems with no access to programming languages, not even to a "shell" or command language, are usually programmable in this sense.
15. "Embeddedness" refers to the extent to which a computer system is embedded in a process, and it correlates with the degree to which the process is controlled by the computer. Computer-controlled X-ray machines and manufacturing systems, avionics systems, and missiles are examples of embedded systems. Higher degrees of embeddedness, generated by competitive pressures that drive the push for automation, shorten the link between information and action and increase the potential for irreversible actions taken without human intervention. By automating much of a process, embeddedness increases the leverage of an attacker.
16. However, sometimes there will be trade-offs between security or safety and other characteristics, like performance. Such trade-offs are not unique to computing, although they may be comparatively more recent.
17. It is worth noting, however, that "safety factors" play a role in security. Measures such as audit trails are included in security systems as a safety factor; they provide a backup mechanism for detection when something else breaks.
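The point of note 17, an audit trail as the backup detector when another control breaks, can be made concrete. The following Python is an added example and not code from the report or from any product it discusses: it reconciles a constructed access-control decision log against a constructed audit trail of actions a server actually carried out, and flags any action that no ALLOW decision accounts for. The log formats, the user and file names, and the five-second matching window are assumptions of the example. It also singles out writes to the access-control configuration itself, the kind of change note 14 describes as programming with significant security implications.

```python
"""Audit trail as a backup detection mechanism (added example, not from the report).

Two constructed logs: the decisions an access-control service claims it made,
and the audit trail of what the server then did. An audited action with no
matching ALLOW means the primary control was bypassed, misconfigured or never
consulted, which is exactly the failure the audit trail is there to catch.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed decision log. Fields: timestamp subject object action decision
AUTHZ_LOG = """\
2024-05-01T09:00:01 alice payroll.db read ALLOW
2024-05-01T09:00:05 bob payroll.db read DENY
2024-05-01T09:02:10 carol payroll.db write ALLOW
2024-05-01T09:10:00 dave acl.cfg write DENY
"""

# Constructed audit trail. Fields: timestamp subject object action
AUDIT_TRAIL = """\
2024-05-01T09:00:02 alice payroll.db read
2024-05-01T09:00:06 bob payroll.db read
2024-05-01T09:02:11 carol payroll.db write
2024-05-01T09:10:01 dave acl.cfg write
2024-05-01T09:15:00 erin payroll.db read
"""


@dataclass(frozen=True)
class Finding:
    subject: str
    obj: str
    action: str
    reason: str  # "acted-after-deny" or "no-decision"


def parse_decisions(text):
    """Yield (ts, subject, object, action, decision) tuples from the decision log."""
    for line in text.strip().splitlines():
        ts, subj, obj, act, dec = line.split()
        yield datetime.fromisoformat(ts), subj, obj, act, dec


def parse_audit(text):
    """Yield (ts, subject, object, action) tuples from the audit trail."""
    for line in text.strip().splitlines():
        ts, subj, obj, act = line.split()
        yield datetime.fromisoformat(ts), subj, obj, act


def reconcile(authz_text, audit_text, window=timedelta(seconds=5)):
    """Return audited actions that no ALLOW decision within `window` accounts for.

    "acted-after-deny": the service said DENY but the action still happened.
    "no-decision":      the service never ruled on it, so it was not consulted.
    """
    decisions = list(parse_decisions(authz_text))
    findings = []
    for ts, subj, obj, act in parse_audit(audit_text):
        # Decisions about the same (subject, object, action) made shortly
        # before the action; the window is an assumed tolerance for clock skew.
        recent = [dec for dts, s, o, a, dec in decisions
                  if (s, o, a) == (subj, obj, act)
                  and timedelta(0) <= ts - dts <= window]
        if "ALLOW" in recent:
            continue  # primary control and audit trail agree
        reason = "acted-after-deny" if "DENY" in recent else "no-decision"
        findings.append(Finding(subj, obj, act, reason))
    return findings


def control_modifications(findings, control_files=("acl.cfg",)):
    """Findings that write to the access-control configuration itself.

    Note 14 treats changing access controls as programming with security
    implications, so these are the first findings an operator should read.
    `control_files` is an assumed list for this example.
    """
    return [f for f in findings
            if f.obj in control_files and f.action == "write"]


if __name__ == "__main__":
    found = reconcile(AUTHZ_LOG, AUDIT_TRAIL)
    for f in found:
        print(f"{f.reason:16} {f.subject} {f.action} {f.obj}")
    print("control modifications:", control_modifications(found))
```

With the constructed logs, alice and carol reconcile cleanly; bob and dave acted after a DENY, and erin's read was never submitted to the decision service at all. Nothing in the trail says why the control failed; the reconciliation only shows that it did, which is all a backup mechanism has to do.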
18. Even NSA is confronting budget cuts in the context of overall cuts in defense spending.
19. For example, the American Institute of Certified Public Accountants promulgates Statements on Auditing Standards (SAS), and the Financial Accounting Standards Board (FASB) promulgates what have been called Generally Accepted Accounting Principles (GAAP). Managers accept the importance of both the standards and their enforcement as a risk management tool. Adherence to these standards is also encouraged by laws and regulations that seek to protect investors and the public. (See Appendix D.)
20. B1 is also the highest level to which systems can effectively be retrofitted with security features.
21. An effort by several large commercial users to list desired computer and communications system security features demonstrates the importance of greater integrity protection and the emphasis on discretionary access control in that community. This effort appears to place relatively limited emphasis on assurance and evaluation, both of which the committee deems important to GSSP and to an ideal set of criteria. The seed for that effort was a project within American Express Travel Related Services to define a corporate security standard called C2-Plus and based, as the name suggests, on the Orange Book's C2 criteria (Cutler and Jones, 1990).
22. In the past decade, a number of organizations (e.g., Corporation for Open Systems and the formerly independent Manufacturing Automation Protocol/Technical Office Protocol Users Group) have emerged with the goal of influencing the development of industry standards for computing and communications technology and promoting the use of official standards, in part by facilitating conformance testing (Frenkel, 1990).
23. The Computer Security Act of 1987, for example, set in motion a process aimed at improving security planning in federal agencies. The experience showed that it was easier to achieve compliance on paper than to truly strengthen planning and management controls (GAO, 1990c).
24. Examples include ISO 7498-2 (ISO, 1989), CCITT X.509 (CCITT, 1989b), and the NSA-launched Secure Data Network System (SDNS) standardization program.
25. The very availability of such tools puts an extra responsibility on management to eliminate the
k<strong>in</strong>ds of vulnerabilities <strong>the</strong> tools reveal.<br />
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
OVERVIEW AND RECOMMENDATIONS 48
26. For example, discussions of different project management structures would deal with their impact not only on productivity but also on security. Discussions of quality assurance would emphasize safety engineering more than might be expected in a traditional software engineering program.
27. It is expensive for vendors to maintain two versions of products—secure and regular. Thus, all else being equal, regular versions can be expected to be displaced by secure versions. But if sales are restricted, then only the regular version will be marketed, to the detriment of security.
28. As this report goes to press, a case is under consideration at the Department of State that could result in liberalized export of DES chips, although such an outcome is considered unlikely.
29. As of this writing, similar actions may also be necessary in connection with the RSA public-key encryption system, which is already available overseas (without patent protection) because its principles were first published in an academic journal (Rivest et al., 1978).
30. The paucity of academic effort is reflected by the fact that only 5 to 10 percent of the attendees at recent IEEE Symposiums on Security and Privacy have been from universities.
31. For vendors, related topics would be trusted distribution and trusted configuration control over the product life cycle.
2
Concepts of Information Security
This chapter discusses security policies in the context of requirements for information security and the circumstances in which those requirements must be met, examines common principles of management control, and reviews typical system vulnerabilities, in order to motivate consideration of the specific sorts of security mechanisms that can be built into computer systems—to complement nontechnical management controls and thus implement policy—and to stress the significance of establishing GSSP. Additional information on privacy issues and detailing the results of an informal survey of commercial security officers is provided in the two chapter appendixes.
Organizations and people that use computers can describe their needs for information security and trust in systems in terms of three major requirements:
• Confidentiality: controlling who gets to read information;
• Integrity: assuring that information and programs are changed only in a specified and authorized manner; and
• Availability: assuring that authorized users have continued access to information and resources.
These three requirements may be emphasized differently in various applications. For a national defense system, the chief concern may be ensuring the confidentiality of classified information, whereas a funds transfer system may require strong integrity controls. The requirements for applications that are connected to external systems will differ from those for applications without such interconnection. Thus the specific requirements and controls for information security can vary.
The framework within which an organization strives to meet its needs for information security is codified as security policy. A security policy is a concise statement, by those responsible for a system (e.g., senior management), of information values, protection responsibilities, and organizational commitment. One can implement that policy by taking specific actions guided by management control principles and utilizing specific security standards, procedures, and mechanisms. Conversely, the selection of standards, procedures, and mechanisms should be guided by policy to be most effective.
To be useful, a security policy must not only state the security need (e.g., for confidentiality—that data shall be disclosed only to authorized individuals), but also address the range of circumstances under which that need must be met and the associated operating standards. Without this second part, a security policy is so general as to be useless (although the second part may be realized through procedures and standards set to implement the policy). In any particular circumstance, some threats are more probable than others, and a prudent policy setter must assess the threats, assign a level of concern to each, and state a policy in terms of which threats are to be resisted. For example, until recently most policies for security did not require that security needs be met in the face of a virus attack, because that form of attack was uncommon and not widely understood. As viruses have escalated from a hypothetical to a commonplace threat, it has become necessary to rethink such policies in regard to methods of distribution and acquisition of software. Implicit in this process is management's choice of a level of residual risk that it will live with, a level that varies among organizations.
Management controls are the mechanisms and techniques—administrative, procedural, and technical—that are instituted to implement a security policy. Some management controls are explicitly concerned with protecting information and information systems, but the concept of management controls includes much more than a computer's specific role in enforcing security. Note that management controls not only are used by managers, but also may be exercised by users. An effective program of management controls is needed to cover all aspects of information security, including physical security, classification of information, the means of recovering from breaches of security, and above all training to instill awareness and acceptance by people. There are trade-offs among controls. For example, if technical controls are not available, then procedural controls might be used until a technical solution is found.
Technical measures alone cannot prevent violations of the trust people place in individuals, violations that have been the source of much of the computer security problem in industry to date (see Chapter 6). Technical measures may prevent people from doing unauthorized things but cannot prevent them from doing things that their job functions entitle them to do. Thus, to prevent violations of trust rather than just repair the damage that results, one must depend primarily on human awareness of what other human beings in an organization are doing. But even a technically sound system with informed and watchful management and users cannot be free of all possible vulnerabilities. The residual risk must be managed by auditing, backup, and recovery procedures supported by general alertness and creative responses. Moreover, an organization must have administrative procedures in place to bring peculiar actions to the attention of someone who can legitimately inquire into the appropriateness of such actions, and that person must actually make the inquiry. In many organizations, these administrative provisions are far less satisfactory than are the technical provisions for security.
A major conclusion of this report is that the lack of a clear articulation of security policy for general computing is a major impediment to improved security in computer systems. Although the Department of Defense (DOD) has articulated its requirements for controls to ensure confidentiality, there is no articulation for systems based on other requirements and management controls (discussed below)—individual accountability, separation of duty, auditability, and recovery. This committee's goal of developing a set of Generally Accepted System Security Principles, GSSP, is intended to address this deficiency and is a central recommendation of this report.
In computing there is no generally accepted body of prudent practice analogous to the Generally Accepted Accounting Principles promulgated by the Financial Auditing Standards Board (see Appendix D). Managers who have never seen adequate controls for computer systems may not appreciate the capabilities currently available to them, or the risks they are taking by operating without these controls. Faced with demands for more output, they have had no incentive to spend money on controls. Reasoning like the following is common: "Can't do it and still stay competitive"; "We've never had any trouble, so why worry"; "The vendor didn't put it in the product; there's nothing we can do."
On the basis of reported losses, such attitudes are not unjustified (Neumann, 1989). However, computers are active entities, and programs can be changed in a twinkling, so that past happiness is no predictor of future bliss. There has to be only one Internet worm incident to signal a larger problem. Experience since the Internet worm involving copy-cat and derivative attacks shows how a possibility once demonstrated can become an actuality frequently used.¹
Some consensus does exist on fundamental or minimum-required security mechanisms. A recent informal survey conducted on behalf of the committee shows a widespread desire among corporate system managers and security officers for the ability to identify users and limit times and places of access, particularly over networks, and to watch for intrusion by recording attempts at invalid actions (see Chapter Appendix 2.2). Ad hoc virus checkers, well known in the personal computer market, are also in demand. However, there is little demand for system managers to be able to obtain positive confirmation that the software running on their systems today is the same as what was running yesterday. Such a simple analog of hardware diagnostics should be a fundamental requirement; it may not be seen as such because vendors do not offer it or because users have difficulty expressing their needs.
Although threats and policies for addressing them are different for different applications, they nevertheless have much in common, and the general systems on which applications are built are often the same. Furthermore, basic security services can work against many threats and support many policies. Thus there is a large core of policies and services on which most of the users of computers should be able to agree. On this basis the committee proposes the effort to define and articulate GSSP.
SECURITY POLICIES: RESPONDING TO REQUIREMENTS FOR CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY
The weight given to each of the three major requirements describing needs for information security—confidentiality, integrity, and availability—depends strongly on circumstances. For example, the adverse effects of a system not being available must be related in part to requirements for recovery time. A system that must be restored within an hour after disruption represents, and requires, a more demanding set of policies and controls than does a similar system that need not be restored for two to three days. Likewise, the risk of loss of confidentiality with respect to a major product announcement will change with time. Early disclosure may jeopardize competitive advantage, but disclosure just before the intended announcement may be insignificant. In this case the information remains the same, while the timing of its release significantly affects the risk of loss.
Confidentiality
Confidentiality is a requirement whose purpose is to keep sensitive information from being disclosed to unauthorized recipients. The secrets might be important for reasons of national security (nuclear weapons data), law enforcement (the identities of undercover drug agents), competitive advantage (manufacturing costs or bidding plans), or personal privacy (credit histories) (see Chapter Appendix 2.1).
The most fully developed policies for confidentiality reflect the concerns of the U.S. national security community, because this community has been willing to pay to get policies defined and implemented (and because the value of the information it seeks to protect is deemed very high). Since the scope of threat is very broad in this context, the policy requires systems to be robust in the face of a wide variety of attacks. The specific DOD policies for ensuring confidentiality do not explicitly itemize the range of expected threats for which a policy must hold. Instead, they reflect an operational approach, expressing the policy by stating the particular management controls that must be used to achieve the requirement for confidentiality. Thus they avoid listing threats, which would represent a severe risk in itself, and avoid the risk of poor security design implicit in taking a fresh approach to each new problem.
The operational controls that the military has developed in support of this requirement involve automated mechanisms for handling information that is critical to national security. Such mechanisms call for information to be classified at different levels of sensitivity and in isolated compartments, to be labeled with this classification, and to be handled by people cleared for access to particular levels and/or compartments. Within each level and compartment, a person with an appropriate clearance must also have a "need to know" in order to gain access. These procedures are mandatory: elaborate procedures must also be followed to declassify information.²
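The scheme just described (levels, isolated compartments, need-to-know on top of clearance, and a gated declassification step) as an added worked example; this is code written for this page, not the report's or any DOD system's. Reading the scheme as a lattice in which a clearance must dominate a document's label (level at least as high, compartments a superset) is an assumption of the example, as are the level names, the subjects, the documents, and the rule that only a designated authority may lower a label.

```python
"""Added example (not from the report): an access decision that enforces
hierarchical sensitivity levels, isolated compartments, a need-to-know
requirement on top of clearance, and a gated declassification step. The
dominance rule and all names below are assumptions constructed for the demo."""
from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest to highest (constructed names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if a holder of this label may see material labelled `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label


@dataclass(frozen=True)
class Document:
    name: str
    label: Label
    need_to_know: frozenset   # names of people whose duties require this document


def may_read(subject, doc):
    """Mandatory check first (no owner can waive it), then the need-to-know check."""
    if not subject.clearance.dominates(doc.label):
        return False, "clearance does not dominate document label"
    if subject.name not in doc.need_to_know:
        return False, "no need to know"
    return True, "access permitted"


# Only designated authorities may lower a label; a high clearance alone is not enough.
DECLASSIFICATION_AUTHORITIES = frozenset({"alice"})


def declassify(actor, doc, new_label):
    """Return a relabelled copy, or raise if the actor or the target label is unacceptable."""
    if actor.name not in DECLASSIFICATION_AUTHORITIES:
        raise PermissionError(f"{actor.name} is not a declassification authority")
    if not actor.clearance.dominates(doc.label):
        raise PermissionError(f"{actor.name} is not cleared for {doc.name}")
    if not doc.label.dominates(new_label) or doc.label == new_label:
        raise ValueError("declassification must strictly lower the label")
    return Document(doc.name, new_label, doc.need_to_know)


# Constructed subjects and documents for the demonstration.
ALICE = Subject("alice", Label("TOP SECRET", frozenset({"CRYPTO", "NUCLEAR"})))
BOB = Subject("bob", Label("SECRET", frozenset({"CRYPTO"})))
CAROL = Subject("carol", Label("CONFIDENTIAL"))

KEY_SCHEDULE = Document("key-schedule", Label("SECRET", frozenset({"CRYPTO"})), frozenset({"alice", "bob"}))
YIELD_TABLE = Document("yield-table", Label("SECRET", frozenset({"NUCLEAR"})), frozenset({"alice", "bob"}))
SITE_PLAN = Document("site-plan", Label("CONFIDENTIAL"), frozenset({"alice"}))


def demo():
    """Show each rule admitting or rejecting a request."""
    return {
        "alice/key-schedule": may_read(ALICE, KEY_SCHEDULE),   # level, compartment, need-to-know all satisfied
        "bob/key-schedule": may_read(BOB, KEY_SCHEDULE),
        "bob/yield-table": may_read(BOB, YIELD_TABLE),         # right level, wrong compartment
        "bob/site-plan": may_read(BOB, SITE_PLAN),             # cleared high enough, but no need to know
        "carol/key-schedule": may_read(CAROL, KEY_SCHEDULE),   # level too low
    }


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request}: {verdict}")
```

The order of the checks is the point: the mandatory comparison runs first and is not something a document's custodian can override, which is what distinguishes this from the owner-controlled ("discretionary") mechanisms the chapter goes on to describe; need-to-know then narrows access further within the set of people the label already admits, and lowering a label is a separate, explicitly authorized act rather than a side effect of anyone's read or write.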
Classification policies exist in other settings, reflecting a general recognition that to protect assets it is helpful to identify and categorize them. Some commercial firms, for instance, classify information as restricted, company confidential, and unclassified (Schmitt, 1990). Even if an organization has no secrets of its own, it may be obliged by law or common courtesy to preserve the privacy of information about individuals. Medical records, for example, may require more careful protection than does most proprietary information. A hospital must thus select a suitable confidentiality policy to uphold its fiduciary responsibility with respect to patient records.
In <strong>the</strong> commercial world confidentiality is customarily guarded by security<br />
mechanisms th<strong>at</strong> are less str<strong>in</strong>gent than those of <strong>the</strong> n<strong>at</strong>ional security<br />
community. For example, <strong>in</strong>form<strong>at</strong>ion is assigned to an "owner" (or guardian),<br />
who controls access to it. 3 Such security mechanisms are capable of deal<strong>in</strong>g<br />
with many situ<strong>at</strong>ions but are not as resistant to certa<strong>in</strong> <strong>at</strong>tacks as are<br />
mechanisms based on classific<strong>at</strong>ion and mand<strong>at</strong>ory<br />
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
CONCEPTS OF INFORMATION SECURITY 54
labeling, in part because there is no way to tell where copies of information may flow. With Trojan horse attacks, for example, even legitimate and honest users of an owner mechanism can be tricked into disclosing secret data. The commercial world has borne these vulnerabilities in exchange for the greater operational flexibility and system performance currently associated with relatively weak security.
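To make the contrast concrete, here is an added Python model (not the report's own code) of the two mechanisms: an owner-controlled store, and the same store with classification levels, compartments and mandatory labeling layered on top. The users, documents, labels and clearances are constructed for the example; the Trojan horse is simply a program alice runs that copies whatever it can read into a file she shares.

```python
"""Owner mechanism versus classification with mandatory labeling, and why
only the latter stops a Trojan horse run by an honest, authorized user."""
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Label:
    """A classification level plus the isolated compartments the data belongs to."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # A clearance covers a label only if its level is at least as high and
        # it includes every compartment the label names (the need to know).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Document:
    name: str
    owner: str
    label: Label
    readers: set = field(default_factory=set)   # read access granted by the owner
    contents: str = ""


class OwnerStore:
    """Owner mechanism: the owner decides who reads a document and is the
    only one who writes it. Nothing tracks where a copy of the data goes."""

    def __init__(self, docs):
        self.docs = {d.name: d for d in docs}

    def read(self, user, name):
        doc = self.docs[name]
        if user != doc.owner and user not in doc.readers:
            raise AccessDenied(f"{user} may not read {name}")
        return doc.contents

    def write(self, user, name, data):
        doc = self.docs[name]
        if user != doc.owner:
            raise AccessDenied(f"{user} may not write {name}")
        doc.contents = data


class LabelStore(OwnerStore):
    """Classification and mandatory labeling on top of the owner checks: a
    user reads only what the clearance dominates, and a process running at
    that clearance writes only to documents whose label dominates it, so
    data can never flow to a lower label, whatever program the user runs."""

    def __init__(self, docs, clearances):
        super().__init__(docs)
        self.clearances = clearances

    def read(self, user, name):
        if not self.clearances[user].dominates(self.docs[name].label):
            raise AccessDenied(f"{user} is not cleared for {name}")
        return super().read(user, name)

    def write(self, user, name, data):
        if not self.docs[name].label.dominates(self.clearances[user]):
            raise AccessDenied(f"{user} may not write down into {name}")
        super().write(user, name, data)


SECRET_PLANS = Label("secret", frozenset({"PLANS"}))
UNCLASSIFIED = Label("unclassified")


def build_store(mandatory):
    """Constructed sample: alice is cleared for secret/PLANS and owns a scratch
    file she shares with bob, who holds no clearance; carol is cleared to
    secret but not for the PLANS compartment, although the owner listed her."""
    docs = [
        Document("plans", "root", SECRET_PLANS, {"alice", "carol"}, "secret plan"),
        Document("alice-scratch", "alice", UNCLASSIFIED, {"bob"}),
    ]
    if not mandatory:
        return OwnerStore(docs)
    clearances = {"root": SECRET_PLANS, "alice": SECRET_PLANS,
                  "carol": Label("secret"), "bob": UNCLASSIFIED}
    return LabelStore(docs, clearances)


def can_read(store, user, name):
    """True if the store lets `user` read `name`."""
    try:
        store.read(user, name)
        return True
    except AccessDenied:
        return False


def trojan_horse_outcome(store):
    """alice, honest and authorized, runs a program that quietly copies what
    it reads into her shared scratch file. Did bob end up with the secret?"""
    secret = store.read("alice", "plans")             # alice is entitled to this
    try:
        store.write("alice", "alice-scratch", secret)  # the Trojan horse's copy
    except AccessDenied:
        return "blocked"
    return "leaked" if store.read("bob", "alice-scratch") == secret else "blocked"
```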
Integrity

Integrity is a requirement meant to ensure that information and programs are changed only in a specified and authorized manner. It may be important to keep data consistent (as in double-entry bookkeeping) or to allow data to be changed only in an approved manner (as in withdrawals from a bank account). It may also be necessary to specify the degree of the accuracy of data.

Some policies for ensuring integrity reflect a concern for preventing fraud and are stated in terms of management controls. For example, any task involving the potential for fraud must be divided into parts that are performed by separate people, an approach called separation of duty. A classic example is a purchasing system, which has three parts: ordering, receiving, and payment. Someone must sign off on each step, the same person cannot sign off on two steps, and the records can be changed only by fixed procedures—for example, an account is debited and a check written only for the amount of an approved and received order. In this case, although the policy is stated operationally—that is, in terms of specific management controls—the threat model is explicitly disclosed as well.

Other integrity policies reflect concerns for preventing errors and omissions, and controlling the effects of program change. Integrity policies have not been studied as carefully as confidentiality policies. Computer measures that have been installed to guard integrity tend to be ad hoc and do not flow from the integrity models that have been proposed (see Chapter 3).

Availability

Availability is a requirement intended to ensure that systems work promptly and service is not denied to authorized users. From an operational standpoint, this requirement refers to adequate response time and/or guaranteed bandwidth. From a security standpoint, it represents the ability to protect against and recover from a damaging event. The availability of properly functioning computer systems (e.g., for routing long-distance calls or handling airline reservations) is essential to the operation of many large enterprises and sometimes
for preserving lives (e.g., air traffic control or automated medical systems). Contingency planning is concerned with assessing risks and developing plans for averting or recovering from adverse events that might render a system unavailable.

Traditional contingency planning to ensure availability usually includes responses only to acts of God (e.g., earthquakes) or accidental anthropogenic events (e.g., a toxic gas leak preventing entry to a facility). However, contingency planning must also involve providing for responses to malicious acts, not simply acts of God or accidents, and as such must include an explicit assessment of threat based on a model of a real adversary, not on a probabilistic model of nature.

For example, a simple availability policy is usually stated like this: "On the average, a terminal shall be down for less than 10 minutes per month." A particular terminal (e.g., an automatic teller machine or a reservation agent's keyboard and screen) is up if it responds correctly within one second to a standard request for service; otherwise it is down. This policy means that the up time at each terminal, averaged over all the terminals, must be at least 99.98 percent.

A security policy to ensure availability usually takes a different form, as in the following example: "No inputs to the system by any user who is not an authorized administrator shall cause the system to cease serving some other user." Note that this policy does not say anything about system failures, except to the extent that they can be caused by user actions. Instead, it identifies a particular threat, a malicious or incompetent act by a regular user of the system, and requires the system to survive this act. It says nothing about other ways in which a hostile party could deny service, for example, by cutting a telephone line; a separate assertion is required for each such threat, indicating the extent to which resistance to that threat is deemed important.

Examples of Security Requirements for Different Applications

The exact security needs of systems will vary from application to application even within a single application. As a result, organizations must both understand their applications and think through the relevant choices to achieve the appropriate level of security.

An automated teller system, for example, must keep personal identification numbers (PINs) confidential, both in the host system and during transmission for a transaction. It must protect the integrity of account records and of individual transactions. Protection of privacy is important, but not critically so. Availability of the host system is important to the economic survival of the bank, although not to its fiduciary responsibility. As compared to the availability of
the host system, the availability of individual teller machines is of less concern.

A telephone switching system, on the other hand, does not have high requirements for integrity on individual transactions, as lasting damage will not be incurred by occasionally losing a call or billing record. The integrity of control programs and configuration records, however, is critical. Without these, the switching function would be defeated and the most important attribute of all—availability—would be compromised. A telephone switching system must also preserve the confidentiality of individual calls, preventing one caller from overhearing another.

Security needs are determined more by what a system is used for than by what it is. A typesetting system, for example, will have to assure confidentiality if it is being used to publish corporate proprietary material, integrity if it is being used to publish laws, and availability if it is being used to publish a daily paper. A general-purpose time-sharing system might be expected to provide confidentiality if it serves diverse clientele, integrity if it is used as a development environment for software or engineering designs, and availability to the extent that no one user can monopolize the service and that lost files will be retrievable.

MANAGEMENT CONTROLS—CHOOSING THE MEANS TO SECURE INFORMATION AND OPERATIONS

The setting of security policy is a basic responsibility of management within an organization. Management has a duty to preserve and protect assets and to maintain the quality of service. To this end it must assure that operations are carried out prudently in the face of realistic risks arising from credible threats. This duty may be fulfilled by defining high-level security policies and then translating these policies into specific standards and procedures for selecting and nurturing personnel, for checking and auditing operations, for establishing contingency plans, and so on. Through these actions, management may prevent, detect, and recover from loss. Recovery depends on various forms of insurance: backup records, redundant systems and service sites, self-insurance by cash reserves, and purchased insurance to offset the cost of recovery.

Preventing Breaches of Security—Basic Principles

Management controls are intended to guide operations in proper directions, prevent or detect mischief and harmful mistakes, and give
early warning of vulnerabilities. Organizations in almost every line of endeavor have established controls based on the following key principles:

• Individual accountability,
• Auditing, and
• Separation of duty.

These principles, recognized in some form for centuries, are the basis of precomputer operating procedures that are very well understood.

Individual accountability answers the question: Who is responsible for this statement or action? Its purpose is to keep track of what has happened, of who has had access to information and resources and what actions have been taken. In any real system there are many reasons why actual operation may not always reflect the original intentions of the owners: people make mistakes, the system has errors, the system is vulnerable to certain attacks, the broad policy was not translated correctly into detailed specifications, the owners changed their minds, and so on. When things go wrong, it is necessary to know what has happened, and who is the cause. This information is the basis for assessing damage, recovering lost information, evaluating vulnerabilities, and initiating compensating actions, such as legal prosecution, outside the computer system.

To support the principle of individual accountability, the service called user authentication is required. Without reliable identification, there can be no accountability. Thus authentication is a crucial underpinning of information security. Many systems have been penetrated when weak or poorly administered authentication services have been compromised, for example, by guessing poorly chosen passwords.

The basic service provided by authentication is information that a statement or action was made by a particular user. Sometimes, however, there is a need to ensure that the user will not later be able to claim that a statement attributed to him was forged and that he never made it. In the world of paper documents, this is the purpose of notarizing a signature; the notary provides independent and highly credible evidence, which will be convincing even after many years, that a signature is genuine and not forged. This more stringent form of authentication, called nonrepudiation, is offered by few computer systems today, although a legal need for it can be foreseen as computer-mediated transactions become more common in business.

Auditing services support accountability and therefore are valuable to management and to internal or external auditors. Given the reality that every computer system can be compromised from within,
and that many systems can also be compromised if surreptitious access can be gained, accountability is a vital last resort. Auditing services make and keep the records necessary to support accountability. Usually they are closely tied to authentication and authorization (a service for determining whether a user or system is trusted for a given purpose—see discussion below), so that every authentication is recorded, as is every attempted access, whether authorized or not. Given the critical role of auditing, auditing devices are sometimes the first target of an attacker and should be protected accordingly.

A system's audit records, often called an audit trail, have other potential uses besides establishing accountability. It may be possible, for example, to analyze an audit trail for suspicious patterns of access and so detect improper behavior by both legitimate users and masqueraders. The main drawbacks are processing and interpreting the audit data.

Systems may change constantly as personnel and equipment come and go and applications evolve. From a security standpoint, a changing system is not likely to be an improving system. To take an active stand against gradual erosion of security measures, one may supplement a dynamically collected audit trail (which is useful in ferreting out what has happened) with static audits that check the configuration to see that it is not open for attack. Static audit services may check that software has not changed, that file access controls are properly set, that obsolete user accounts have been turned off, that incoming and outgoing communications lines are correctly enabled, that passwords are hard to guess, and so on. Aside from virus checkers, few static audit tools exist in the market.
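An added Python example (not from the report) of the two kinds of audit just described, run over a constructed audit trail in an invented line format in which every authentication and every attempted access is recorded. The dynamic trail is mined for the patterns the text names, password guessing by a masquerader, a legitimate user probing beyond what he is trusted for, and use outside working hours, and the same records feed the static check for obsolete accounts; user names, terminals and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample trail (not a real system's log); the line format is
# invented for this example: timestamp followed by key=value fields.
TRAIL = """\
1990-06-04T09:02:11 user=alice term=T07 event=auth outcome=ok
1990-06-04T09:03:40 user=alice term=T07 event=access obj=ledger outcome=ok
1990-06-04T09:05:02 user=bob term=T12 event=auth outcome=fail
1990-06-04T09:05:20 user=bob term=T12 event=auth outcome=fail
1990-06-04T09:05:41 user=bob term=T12 event=auth outcome=fail
1990-06-04T09:06:03 user=bob term=T12 event=auth outcome=fail
1990-06-04T09:06:30 user=bob term=T12 event=auth outcome=ok
1990-06-04T09:07:00 user=bob term=T12 event=access obj=payroll outcome=denied
1990-06-04T09:07:15 user=bob term=T12 event=access obj=salaries outcome=denied
1990-06-04T09:07:30 user=bob term=T12 event=access obj=ledger outcome=denied
1990-06-04T23:41:09 user=carol term=T02 event=auth outcome=ok
1990-06-04T23:42:00 user=carol term=T02 event=access obj=ledger outcome=ok
1990-06-05T10:00:00 user=alice term=T07 event=auth outcome=ok
"""

KNOWN_USERS = {"alice", "bob", "carol", "dan"}   # dan left months ago


def parse(text):
    """Turn the trail into dicts, with the timestamp as a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(stamp)
        records.append(rec)
    return records


def failed_auth_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed authentications inside any
    `window`: the signature of someone guessing a password."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "auth" and r["outcome"] == "fail":
            failures[r["user"]].append(r["ts"])
    flagged = set()
    for user, times in failures.items():
        times.sort()
        for i in range(len(times)):
            # failures from times[i] onward that still fall inside the window
            run = sum(1 for t in times[i:] if t - times[i] <= window)
            if run >= threshold:
                flagged.add(user)
                break
    return flagged


def access_probers(records, threshold=3):
    """Authenticated users whose access attempts were denied at least
    `threshold` times: a legitimate user reaching beyond what he is trusted
    for, or a masquerader exploring a stolen account."""
    denied = defaultdict(int)
    for r in records:
        if r["event"] == "access" and r["outcome"] == "denied":
            denied[r["user"]] += 1
    return {u for u, n in denied.items() if n >= threshold}


def after_hours_access(records, start_hour=8, end_hour=18):
    """Successful accesses outside working hours, as (user, terminal, object)."""
    return [(r["user"], r["term"], r["obj"]) for r in records
            if r["event"] == "access" and r["outcome"] == "ok"
            and not start_hour <= r["ts"].hour < end_hour]


def obsolete_accounts(records, known_users, now, max_idle=timedelta(days=90)):
    """Static check fed by the trail: accounts with no successful
    authentication within `max_idle`, candidates for being turned off."""
    last_seen = {}
    for r in records:
        if r["event"] == "auth" and r["outcome"] == "ok":
            last_seen[r["user"]] = max(last_seen.get(r["user"], r["ts"]), r["ts"])
    return {u for u in known_users
            if u not in last_seen or now - last_seen[u] > max_idle}


if __name__ == "__main__":
    recs = parse(TRAIL)
    print("password guessing:", failed_auth_bursts(recs))
    print("probing beyond authorization:", access_probers(recs))
    print("after hours:", after_hours_access(recs))
    print("obsolete:", obsolete_accounts(recs, KNOWN_USERS, datetime(1990, 6, 5)))
```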
The well-established practice of separation of duty specifies that important operations cannot be performed by a single person but instead require the agreement of (at least) two different people. Separation of duty thus strengthens security by preventing any single-handed subversion of the controls. It can also help reduce errors by providing for an independent check of one person's actions by another.

Separation of duty is an example of a broader class of controls that attempt to specify who is trusted for a given purpose. This sort of control is generally known as user authorization. Authorization determines whether a particular user, who has been authenticated as the source of a request to do something, is trusted for that operation. Authorization may also include controls on the time at which something can be done (only during working hours) or the computer terminal from which it can be requested (only the one on the manager's desk).

Just as the goal of individual accountability requires a lower-level mechanism for user authentication, so also do authorization controls such as separation of duty require a lower-level mechanism to ensure
that users have access only to the correct objects. Inside the computer, these enforcement mechanisms are usually called access control mechanisms.
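The purchasing system from the Integrity section and the authorization controls described here, as one added Python model that is not the report's own code: the three steps each carry a sign-off, nobody signs off twice on the same order, a check is written only for the amount that was both approved and received, and each step is restricted to named users, to working hours and (where it matters) to a particular terminal. The users, terminals, rules and the walk-through are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

STEPS = ("order", "receive", "pay")      # the fixed sequence of sign-offs


@dataclass(frozen=True)
class Request:
    user: str        # authenticated identity of the requester
    terminal: str    # the terminal the request was typed at
    at: datetime     # when it was made


@dataclass(frozen=True)
class Rule:
    """Who is trusted for a step; an empty terminal set means any terminal."""
    users: frozenset
    terminals: frozenset = frozenset()
    hours: tuple = (9, 17)               # allowed from 09:00 up to 16:59


@dataclass
class PurchaseOrder:
    po_id: str
    ordered: float
    received: float = None
    signoffs: dict = field(default_factory=dict)   # step -> who signed it


class PurchasingSystem:
    def __init__(self, rules, balance):
        self.rules = rules
        self.balance = balance           # the account that pay() debits
        self.orders = {}

    def _authorize(self, step, req, po):
        """Trusted user, permitted terminal and time, fixed sequence, and no
        second sign-off by anyone already on this order (separation of duty)."""
        rule = self.rules[step]
        if req.user not in rule.users:
            raise PermissionError(f"{req.user} is not trusted to {step}")
        if rule.terminals and req.terminal not in rule.terminals:
            raise PermissionError(f"{step} is not allowed from {req.terminal}")
        if not rule.hours[0] <= req.at.hour < rule.hours[1]:
            raise PermissionError(f"{step} is not allowed at {req.at:%H:%M}")
        done = len(po.signoffs)
        if done == len(STEPS) or STEPS[done] != step:
            raise PermissionError(f"{po.po_id}: {step} is out of sequence")
        if req.user in po.signoffs.values():
            raise PermissionError(f"{req.user} already signed off on {po.po_id}")

    def order(self, req, po_id, amount):
        po = PurchaseOrder(po_id, amount)
        self._authorize("order", req, po)
        po.signoffs["order"] = req.user
        self.orders[po_id] = po

    def receive(self, req, po_id, amount_received):
        po = self.orders[po_id]
        self._authorize("receive", req, po)
        po.received = amount_received
        po.signoffs["receive"] = req.user

    def pay(self, req, po_id, amount):
        po = self.orders[po_id]
        self._authorize("pay", req, po)
        # A check is written only for the amount that was approved and received.
        if not amount == po.ordered == po.received:
            raise PermissionError(f"{po_id}: {amount} is not the approved and received amount")
        self.balance -= amount
        po.signoffs["pay"] = req.user


# Constructed rules: clerks order, dock staff receive, only the manager pays.
RULES = {
    "order": Rule(frozenset({"alice", "bob"})),
    "receive": Rule(frozenset({"bob", "carol"}), frozenset({"DOCK-1"})),
    "pay": Rule(frozenset({"dave"}), frozenset({"MGR-DESK"})),
}


def run_scenario():
    """Constructed walk-through; returns the outcome of each attempted step."""
    ps = PurchasingSystem(RULES, balance=10_000.0)
    def at(h, m=0): return datetime(1990, 6, 4, h, m)
    steps = [
        ("alice orders", ps.order, Request("alice", "T07", at(10)), "PO-1", 500.0),
        ("bob receives at T12", ps.receive, Request("bob", "T12", at(11)), "PO-1", 500.0),
        ("bob receives at 18:00", ps.receive, Request("bob", "DOCK-1", at(18)), "PO-1", 500.0),
        ("dave pays before receipt", ps.pay, Request("dave", "MGR-DESK", at(11)), "PO-1", 500.0),
        ("bob receives", ps.receive, Request("bob", "DOCK-1", at(14)), "PO-1", 500.0),
        ("dave pays 600", ps.pay, Request("dave", "MGR-DESK", at(15)), "PO-1", 600.0),
        ("dave pays 500", ps.pay, Request("dave", "MGR-DESK", at(15, 30)), "PO-1", 500.0),
        ("bob orders", ps.order, Request("bob", "T12", at(16)), "PO-2", 80.0),
        ("bob receives own order", ps.receive, Request("bob", "DOCK-1", at(16, 30)), "PO-2", 80.0),
    ]
    log = {}
    for name, action, *args in steps:
        try:
            action(*args)
            log[name] = "ok"
        except PermissionError as exc:
            log[name] = f"refused: {exc}"
    log["balance"] = ps.balance
    return log
```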
Responding to Breaches of Security
Recovery controls provide the means to respond to, rather than prevent, a security breach. The use of a recovery mechanism does not necessarily indicate a system shortcoming; for some threats, detection and recovery may well be more cost-effective than attempts at total prevention. Recovery from a security breach may involve taking disciplinary or legal action, notifying incidentally compromised parties, or changing policies, for example. From a technical standpoint, a security breach has much in common with a failure that results from faulty equipment, software, or operations. Usually some work will have to be discarded, and some or all of the system will have to be rolled back to a clean state.
Security breaches usually entail more recovery effort than do acts of God. Unlike proverbial lightning, breaches of security can be counted on to strike twice unless the route of compromise has been shut off. Causes must be located. Were passwords compromised? Are backups clean? Did some user activity compromise the system by mistake? And major extra work—changing all passwords, rebuilding the system from original copies, shutting down certain communication links or introducing authentication procedures on them, or undertaking more user education—may have to be done to prevent a recurrence.
DEVELOPING POLICIES AND APPROPRIATE CONTROLS
Ideally a comprehensive spectrum of security measures would ensure that the confidentiality, integrity, and availability of computer-based systems were appropriately maintained. In practice it is not possible to make ironclad guarantees. The only recipe for perfect security is perfect isolation: nothing in, nothing out. This is impractical, and so security policies will always reflect trade-offs between cost and risk. The assets to be protected should be categorized by value, the vulnerabilities by importance, and the risks by severity, and defensive measures should be installed accordingly. Residual vulnerabilities should be recognized.
Planning a security program is somewhat like buying insurance. An organization considers the following:
• The value of the assets being protected.
• The vulnerabilities of the system: possible types of compromise,
of users as well as systems. What damage can the person in front of the automated teller machine do? What about the person behind it? 4
• Threats: do adversaries exist to exploit these vulnerabilities? Do they have a motive, that is, something to gain? How likely is attack in each case?
• Risks: the costs of failures and recovery. What is the worst credible kind of failure? Possibilities are death, injury, compromise to national security, industrial espionage, loss of personal privacy, financial fraud, election fraud.
• The organization's degree of risk aversion.
Thence follows a rough idea of expected losses. On the other side of the ledger are these:
• Available countermeasures (controls and security services),
• Their effectiveness, and
• Their direct costs and the opportunity costs of installing them.
The security plans then become a business decision, possibly tempered by legal requirements and consideration of externalities (see "Risks and Vulnerabilities," below).
Ideally, controls are chosen as the result of careful analysis. 5 In practice, the most important consideration is what controls are available. Most purchasers of computer systems cannot afford to have a system designed from scratch to meet their needs, a circumstance that seems particularly true in the case of security needs. The customer is thus reduced to selecting from among the various preexisting solutions, with the hope that one will match the identified needs.
Some organizations formalize the procedure for managing computer-associated risk by using a control matrix that identifies appropriate control measures for given vulnerabilities over a range of risks. Using such a matrix as a guide, administrators may better select appropriate controls for various resources. A rough cut at addressing the problem is often taken: How much business depends on the system? What is the worst credible kind of failure, and how much would it cost to recover? Do available mechanisms address possible causes? Are they cost-effective?
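The insurance analogy and the control matrix described above can be carried through as arithmetic. The following is an added worked example, not code or figures from the report: each row of the matrix is an exposure (asset, kind of compromise, threat likelihood, cost of failure and recovery), expected annual loss is taken as likelihood times impact (an assumed model; the report speaks only of "a rough idea of expected losses"), and a countermeasure is adopted when the loss it avoids, weighted by the organization's risk aversion, exceeds its direct and opportunity cost. The asset values, rates, and control effectiveness figures are constructed for illustration.

```python
"""Expected-loss bookkeeping for choosing security controls.

Added worked example, not code from the report. Each line of a control matrix
is an exposure: an asset, a kind of compromise (the vulnerability), a threat
likelihood, and the cost of failure plus recovery. Expected annual loss is
likelihood times impact (an assumed model). A control is worth adding when the
loss it avoids, weighted by risk aversion, exceeds its annual cost. All
figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    vulnerability: str      # kind of compromise: a row of the control matrix
    annual_rate: float      # threat: expected attacks of this kind per year
    impact: float           # risk: cost of failure plus recovery, per event

    def expected_loss(self) -> float:
        return self.annual_rate * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # direct cost plus opportunity cost of installing it
    effectiveness: dict     # vulnerability -> fraction of that loss it removes


def residual_loss(exposures, controls):
    """Expected annual loss remaining once the given controls are installed.

    Controls covering the same vulnerability are assumed independent, so the
    fractions they leave behind multiply.
    """
    total = 0.0
    for e in exposures:
        fraction_left = 1.0
        for c in controls:
            fraction_left *= 1.0 - c.effectiveness.get(e.vulnerability, 0.0)
        total += e.expected_loss() * fraction_left
    return total


def net_benefit(exposures, installed, candidate, risk_aversion=1.0):
    """Loss avoided by adding `candidate` (weighted by risk aversion) minus its cost."""
    before = residual_loss(exposures, installed)
    after = residual_loss(exposures, installed + [candidate])
    return risk_aversion * (before - after) - candidate.annual_cost


def select_controls(exposures, candidates, risk_aversion=1.0):
    """Greedy plan: keep adding the control with the largest positive net benefit.

    Whatever loss is left afterwards is the residual vulnerability the report
    says should be recognized rather than ignored.
    """
    chosen, remaining = [], list(candidates)
    while remaining:
        best = max(remaining, key=lambda c: net_benefit(exposures, chosen, c, risk_aversion))
        if net_benefit(exposures, chosen, best, risk_aversion) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


# Constructed control-matrix entries for a small installation.
EXPOSURES = [
    Exposure("customer database", "weak passwords", 0.5, 200_000),
    Exposure("customer database", "unencrypted link", 0.2, 150_000),
    Exposure("payroll system", "weak passwords", 0.1, 50_000),
    Exposure("public web server", "unpatched service", 2.0, 5_000),
]

# Constructed candidate countermeasures with their (assumed) effectiveness.
CANDIDATES = [
    Control("one-time password tokens", 20_000, {"weak passwords": 0.9}),
    Control("link encryption", 8_000, {"unencrypted link": 0.95}),
    Control("patch management", 4_000, {"unpatched service": 0.8}),
    Control("armed guards", 60_000, {"unpatched service": 0.1}),
]


def plan_summary(exposures=EXPOSURES, candidates=CANDIDATES, risk_aversion=1.0):
    """Both sides of the ledger: baseline loss, chosen controls, their cost, residual loss."""
    chosen = select_controls(exposures, candidates, risk_aversion)
    return {
        "baseline_loss": residual_loss(exposures, []),
        "chosen": [c.name for c in chosen],
        "control_cost": sum(c.annual_cost for c in chosen),
        "residual_loss": residual_loss(exposures, chosen),
    }


if __name__ == "__main__":
    for key, value in plan_summary().items():
        print(f"{key}: {value}")
```

With the constructed figures the plan adopts the token, encryption, and patching controls (32,000 per year) and cuts expected loss from 145,000 to about 14,000, while the guards are rejected because the small loss they avoid never repays their cost; the 14,000 that remains is the residual vulnerability to be recorded, not forgotten. Raising `risk_aversion` above 1 makes the organization pay more for the same avoided loss, which is how the report's "degree of risk aversion" enters the decision.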
The computer industry can be expected to respond to clearly articulated security needs provided that such needs apply to a broad enough base of customers. This has happened with the Orange Book vis-à-vis the defense community—but slowly, because vendors were not convinced the customer base was large enough to warrant accelerated investments in trust technology. However, for many of the management controls discussed above,
there is not a clear, widely accepted articulation of how computer systems should be designed to support these controls, what sort of robustness is required in the mechanisms, and so on. As a result, customers for computer security are faced with a "take-it-or-leave-it" marketplace. For instance, customers appear to demand password-based authentication because it is available, not because analysis has shown that this relatively weak mechanism provides enough protection. This effect works in both directions: a service is not demanded if it is not available, but once it becomes available somewhere, it soon becomes wanted everywhere. See Chapter 6 for a discussion of the marketplace.
RISKS AND VULNERABILITIES
Risks arise because an attack could exploit some system vulnerability (see, for example, Boxes 2.1 and 2.2). That is, each vulnerability of a system reflects a potential threat, with corresponding risks. In a sampling of a collection of over 3,000 cases of computer system abuse, drawn from the media and personal reporting, the following types of attack, listed roughly in order of decreasing frequency, predominated (Neumann and Parker, 1989):
• Misusing authority, through activities such as improper acquisition of resources (reading of data, theft of programs), surreptitious modification, and denials of service, apparently by authorized users.
• Masquerading, as in one user impersonating another.
• Bypassing intended controls, by means such as password attacks and exploitation of trapdoors. These attacks typically exploit system flaws or hidden circumventive "features."
• Setting up subsequent abuses such as Trojan horses, logic bombs, or viruses.
• Carrying out hardware and media abuses, such as physical attacks on equipment and scavenging of information from discarded media. (Electronic interference and eavesdropping also belong in this class but have not been widely detected.)
• Using a computer system as an indirect aid in committing a criminal act, as in auto-dialing telephone numbers in search of answering modems, cracking another system's encrypted password files, or running an illicit business. (For example, drug operations are becoming increasingly computerized.)
The cases considered in the sampling cited above often involved multiple classes of abuse. In attacking the National Aeronautics and Space Administration systems, the West German Chaos Computer
Club masqueraded, bypassed access controls (partly by exploiting a subtle operating system flaw), and used Trojan horses to capture passwords. The Internet worm of November 1988 exploited weak password mechanisms and design and implementation flaws in mail-handling and information-service programs to propagate itself from machine to machine (Rochlis and Eichin, 1989; Spafford, 1989a,b). Personal computer pest programs typically use Trojan horse attacks, some with virus-like propagation.
BOX 2.1 THE WILY HACKER
In August 1986, Clifford Stoll, an astronomer working at the Lawrence Berkeley Laboratory, detected an intruder, nicknamed him the Wily Hacker, and began to monitor his intrusions. Over a period of 10 months, the Wily Hacker attacked roughly 450 computers operated by the U.S. military and its contractors, successfully gaining access to 30 of them. Prior to detection, he is believed to have mounted attacks for as long as a year.
Although originally thought to be a local prankster, the Wily Hacker turned out to be a competent and persistent computer professional in West Germany, with alleged ties to the Soviet KGB, and possibly with confederates in Germany.* It is assumed that the Wily Hacker was looking for classified or sensitive data on each of the systems he penetrated, although regulations prohibit the storage of classified data on the systems in question.
Looking for technological keywords and for passwords to other systems, the Wily Hacker exhaustively searched the electronic files and messages located on each system. He carefully concealed his presence on the computer systems and networks that he penetrated, using multiple entry points as necessary. He made long-term plans, in one instance establishing a trapdoor that he used almost a year later.
The most significant aspect of the Wily Hacker incident is that the perpetrator was highly skilled and highly motivated. Also notable is the involvement of a U.S. accomplice. Tracking the Wily Hacker required the cooperation of more than 15 organizations, including U.S. authorities, German authorities, and private corporations. The treatment of the Wily Hacker by German authorities left some in the United States unsatisfied, because under German law the absence of damage to German systems and the nature of the evidence available diminished sentencing options.
* He has been identified variously as Mathias Speer or Marcus Hess, a computer science student in Hanover.
SOURCES: Stoll (1988); Markoff (1988a).
The preceding summary of penetrations gives a good view of the
present situation. However, it is unwise to extrapolate from the present to predict the classes of vulnerability that will be significant in the future. As expertise and interconnection increase and as control procedures improve, the risks and likely threats will change. 6 For example, given recent events, the frequency of Trojan horse and virus attacks is expected to increase.
Interconnection means that a weak link endangers the other parts of an interconnected system. This phenomenon is particularly insidious when different parts of a system fall under different managements with different assessments of risk. For example, suppose computer center A used by students determines that the expected costs of recovery from plausible attacks do not justify the costs of protective measures. The center has data connections to a more sensitive government-sponsored research center B, to which some students have access. By computer eavesdropping at the student-center end, an invisible intruder learns passwords to the research installation. Somewhat paradoxically, the low guard kept at center A forces B to introduce more rigorous and costly measures to protect the supposedly innocuous communications with A than are necessary for genuinely sensitive communications with installations that are as cautious as B.
Such scenarios have been played out many times in real life. In saving money for itself, installation A has shifted costs to B, creating what economists call an externality. At the very least, it seems, installation B should be aware of the security state of A before agreeing to communicate.
System interconnection may even affect applications that do not involve communication at all: the risks of interconnection are borne not only by the applications they benefit, but also by other applications that share the same equipment. In the example given above, some applications at installation B may need to be apprised of the security state of installation A even though they never overtly communicate with A.
In some sectors, the recognition of interdependence has already affected the choice of safeguard. For example, a national funds transfer system may depend on communications lines provided by a common carrier. It is common commercial practice to trust that common carriers transmit faithfully, but for funds transfer such trust is judged to be imprudent, and cryptographic methods are used to ensure that the carrier need not be trusted for the integrity of funds transfer (although it is still trusted to ensure availability). The alternative would have been to include the carriers within the trusted funds transfer system, and work to ensure that they transmit faithfully.
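The funds-transfer arrangement just described, in which the carrier is trusted for availability but not for integrity, can be shown concretely. The following is an added example, not code from the report or from any real funds-transfer system: the two banks share a key and attach an HMAC-SHA256 tag to every order (the particular algorithm is an assumption; the report says only "cryptographic methods"), so a carrier that alters an order cannot produce a valid tag, while an order the carrier drops simply never arrives and the receiving bank can only notice the gap. The sequence number inside the authenticated body, which also lets the receiver reject a replayed order, goes beyond what the report describes. The key, account names, and amounts are constructed.

```python
"""A funds-transfer message protected against an untrusted carrier.

Added example, not code from the report or from any real funds-transfer
system. The two banks share a key and attach an HMAC-SHA256 tag to every
order (the algorithm is an assumption). A carrier that alters an order
cannot forge a new tag, so integrity no longer rests on the carrier.
Availability still does: a dropped order never arrives, and the receiver
can only notice the gap. The sequence number inside the tagged body, which
also catches replays, goes beyond what the report describes.
"""
import hashlib
import hmac
import json

# Constructed demonstration key. A real key comes from the banks' key
# management, never from source code.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def _encode(fields):
    """Canonical JSON so sender and receiver authenticate identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_transfer(key, seq, src, dst, amount_cents):
    """Serialize an order and append an HMAC-SHA256 tag over the whole body."""
    body = _encode({"seq": seq, "src": src, "dst": dst, "amount_cents": amount_cents})
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class ReceivingBank:
    """Accepts an order only if its tag verifies and its sequence number is new."""

    def __init__(self, key):
        self.key = key
        self.next_seq = 1
        self.accepted = []   # (seq, amount_cents) of orders acted on
        self.rejected = []   # (reason, wire bytes)
        self.missing = []    # sequence numbers never delivered: an availability failure

    def receive(self, wire):
        body, sep, tag = wire.rpartition(b"|")
        if not sep:
            self.rejected.append(("malformed", wire))
            return "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            self.rejected.append(("bad_tag", wire))
            return "bad_tag"
        order = json.loads(body)
        if order["seq"] < self.next_seq:
            self.rejected.append(("replay", wire))
            return "replay"
        # Any skipped numbers were lost or withheld in transit: integrity held,
        # availability did not, and the receiver can only record the gap.
        self.missing.extend(range(self.next_seq, order["seq"]))
        self.next_seq = order["seq"] + 1
        self.accepted.append((order["seq"], order["amount_cents"]))
        return "accepted"


def carrier_alters_amount(wire, new_amount_cents):
    """A misbehaving carrier rewrites the amount; lacking the key it keeps the old tag."""
    body, _, tag = wire.rpartition(b"|")
    order = json.loads(body)
    order["amount_cents"] = new_amount_cents
    return _encode(order) + b"|" + tag


def run_demo(key=SHARED_KEY):
    """Three orders cross the carrier: one altered, one dropped, one replayed."""
    bank = ReceivingBank(key)
    orders = [make_transfer(key, seq, "ACCT-A", "ACCT-B", amount)
              for seq, amount in [(1, 1_000), (2, 250_000), (3, 4_200)]]
    results = [
        bank.receive(orders[0]),                                     # delivered intact
        bank.receive(carrier_alters_amount(orders[1], 25_000_000)),  # altered in transit
        bank.receive(orders[2]),                                     # genuine order 2 was dropped
        bank.receive(orders[0]),                                     # old order replayed
    ]
    return results, bank


if __name__ == "__main__":
    results, bank = run_demo()
    print(results, "missing:", bank.missing, "accepted:", bank.accepted)
```

The altered order is refused because its tag no longer matches, and the replayed order because its sequence number is stale; neither outcome depends on the carrier behaving. The dropped order, by contrast, shows up only as the gap recorded in `missing`: the cryptography has moved integrity out of the carrier's hands, but availability, exactly as the report notes, still has to be trusted to (or contracted from) the carrier.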
BOX 2.2 THE INTERNET WORM
The Internet, an <strong>in</strong>tern<strong>at</strong>ional network of computer systems th<strong>at</strong> has<br />
evolved over <strong>the</strong> last decade, provides electronic mail, file transfer, and<br />
remote log-<strong>in</strong> capabilities. Currently, <strong>the</strong> Internet <strong>in</strong>terconnects several<br />
thousand <strong>in</strong>dividual networks (<strong>in</strong>clud<strong>in</strong>g government, commercial, and<br />
academic networks) th<strong>at</strong> connect some 60,000 computers. The Internet has<br />
become <strong>the</strong> electronic backbone for computer research, development, and<br />
user communities.<br />
On November 2, 1988, <strong>the</strong> Internet was <strong>at</strong>tacked by a self-replic<strong>at</strong><strong>in</strong>g<br />
program called a worm th<strong>at</strong> spread with<strong>in</strong> hours to somewhere between<br />
2,000 and 6,000 computer systems—<strong>the</strong> precise number rema<strong>in</strong>s uncerta<strong>in</strong>.<br />
Only systems (VAX and Sun 3) runn<strong>in</strong>g certa<strong>in</strong> types of Unix (variants of<br />
BSD 4) were affected.<br />
The Internet worm was developed and launched by Robert T. Morris, Jr.,<br />
who <strong>at</strong> <strong>the</strong> time was a gradu<strong>at</strong>e student <strong>at</strong> Cornell University. Morris<br />
exploited security weaknesses (<strong>in</strong> <strong>the</strong> f<strong>in</strong>gerd, rhosts, and sendmail<br />
programs) <strong>in</strong> <strong>the</strong> affected versions of Unix. The worm program itself did not<br />
cause any damage to <strong>the</strong> systems th<strong>at</strong> it <strong>at</strong>tacked <strong>in</strong> <strong>the</strong> sense th<strong>at</strong> it did not<br />
steal, corrupt, or destroy d<strong>at</strong>a and did not alter <strong>the</strong> systems <strong>the</strong>mselves;<br />
however, its rapid prolifer<strong>at</strong>ion and <strong>the</strong> ensu<strong>in</strong>g confusion caused severe<br />
degrad<strong>at</strong>ion <strong>in</strong> service and shut down some systems and network<br />
connections throughout <strong>the</strong> Internet for two or three days, affect<strong>in</strong>g sites th<strong>at</strong><br />
were not directly <strong>at</strong>tacked. Ironically, electronic mail messages with guidance<br />
for conta<strong>in</strong><strong>in</strong>g <strong>the</strong> worm were <strong>the</strong>mselves delayed because of network<br />
congestion caused by <strong>the</strong> worm's rapid replic<strong>at</strong>ion.<br />
Although Morris argued th<strong>at</strong> <strong>the</strong> worm was an experiment unleashed<br />
without malice, he was convicted of a felony (<strong>the</strong> conviction may be<br />
appealed) under <strong>the</strong> Computer Fraud and Abuse Act (CFAA) of 1986, <strong>the</strong><br />
first such conviction. Reflect<strong>in</strong>g uncerta<strong>in</strong>ty about both <strong>the</strong> applicability of <strong>the</strong><br />
CFAA and <strong>the</strong> n<strong>at</strong>ure of <strong>the</strong> <strong>in</strong>cident, federal prosecutors were slow to<br />
<strong>in</strong>vestig<strong>at</strong>e and br<strong>in</strong>g charges <strong>in</strong> this case.<br />
The Internet worm has received considerable attention from computing professionals, security experts, and the general public, thanks to the abundant publicity about the incident, the divided opinions within the computer community about the impact of the incident, and a general recognition that the Internet worm incident has illuminated the potential for damage from more dangerous attacks as society becomes more dependent on computer networks. The incident triggered the establishment of numerous computer emergency response teams (CERTs), starting with DARPA's CERT for the Internet; a reevaluation of ethics for computer professionals and users; and, at least temporarily, a general tightening of security in corporate and government networks.
SOURCES: Comer (1988); Spafford (1989a); Rochlis and Eichin (1989); and Neumann (1990).
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
CONCEPTS OF INFORMATION SECURITY 65
In other sectors, including the research community, the design and the management of computer-mediated networks generate communication vulnerabilities. In these systems (e.g., Bitnet) messages travel lengthy paths through computers in the control of numerous organizations of which the communicants are largely unaware, and for which message handling is not a central business concern. Responsibility for the privacy and integrity of communications in these networks is so diffuse as to be nonexistent. Unlike common carriers, these networks warrant no degree of trust. This situation is understood by only some of these networks' users, and even they may gamble on the security of their transmissions in the interests of convenience and reduced expenses.
SECURING THE WHOLE SYSTEM
Because security is a weak-link phenomenon, a security program must be multidimensional. Regardless of security policy goals, one cannot completely ignore any of the three major requirements—confidentiality, integrity, and availability—which support one another. For example, confidentiality is needed to protect passwords. Passwords in turn promote system integrity by controlling access and providing a basis for individual accountability. Confidentiality controls themselves must be immune to tampering—an integrity consideration. And in the event that things do go wrong, it must be possible for administrative and maintenance personnel to step in to fix things—an availability concern.
A system is an interdependent collection of components that can be considered as a unified whole. A computer operating system, an application such as a computerized payroll, a local network of engineering workstations, or the nationwide network for electronic funds transfer each can be considered as a system—and any one system may depend on others. All of these involve physical elements and people as well as computers and software. Physical protection includes environmental controls such as guards, locks, doors, and fences as well as protection against and recovery from fire, flood, and other natural hazards.
Although a security program must be designed from a holistic perspective, the program itself need not—indeed should not—be monolithic. It is best to operate on a divide-and-conquer principle, reflecting the classical management control principle of separation of duty. A system made of mutually distrustful parts should be stronger than a simple trusted system. On a large scale, communications links define natural boundaries of distrust. Within a single system extra strength may be gained by isolating authentication functions and auditing records in physically separate, more rigorously controlled hardware. Such isolation of function is universal in serious cryptography.
Technology alone cannot provide security. In particular, an information security program is of little avail if its users do not buy into it. The program must be realistic and maintain the awareness and commitment of all participants. Further, management actions must signal that security matters. When rewards go only to visible results (e.g., meeting deadlines or saving costs), attention will surely shift away from security—until disaster strikes.
APPENDIX 2.1—PRIVACY
Concern for privacy arises in connection with the security of computer systems in two disparate ways:
• the need to protect personal information about people that is kept in computer systems; and
• the need to ensure that employees of an organization are complying with the organization's policies and procedures.
The first need supports privacy; the institution of policies and mechanisms for confidentiality should strengthen it. The second, however, is a case in which need is not aligned with privacy; strong auditing or surveillance measures may well infringe on the privacy of those whose actions are observed. It is important to understand both aspects of privacy.
Protection of Information About Individuals
The need to protect personal information is addressed in several laws, notably including the Privacy Act of 1974 (P.L. 93–579), which was enacted during a period of international concern about privacy triggered by advancing computerization of personal data.⁷ A number of authors who have written on the subject believe that privacy protections are stronger in other countries (Turn, 1990; Flaherty, 1990).
The Privacy Act is based on five major principles that have been generally accepted as basic privacy criteria in the United States and Europe:
1. There must be no personal data record keeping system whose very existence is secret.
2. There must be a way for individuals to find out what information about them is on a record and how it is used.
3. There must be a way for individuals to prevent information obtained about them for one purpose from being used or made available for other purposes without their consent.
4. There must be a way for individuals to correct or amend a record of identifiable information about them.
5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure that data are used as intended and must take precautions to prevent misuse of the data.
Even where most organizations make a reasonable, conscientious effort to protect the privacy of personal information residing in their computing systems, compromisable system and data access controls often allow intruders to violate personal privacy. For example, a survey of 178 federal agencies by the General Accounting Office revealed 34 known breaches in computerized systems containing personal information in fiscal years 1988 and 1989; 30 of those incidents involved unauthorized access to the information by individuals otherwise authorized to use the systems (GAO, 1990e). Frequent reports of "hacker" invasions into credit-reporting databases and patients' medical records provide ample evidence of the general lack of appropriate protection of personal information in computer systems. Also, some applications in and of themselves appear to undermine the Privacy Act's principle that individuals should be able to control information about themselves.⁸ As noted in a recent newspaper column,

Most of us have no way of knowing all the databases that contain information about us. In short, we are losing control over the information about ourselves. Many people are not confident about existing safeguards, and few are convinced that they should have to pay for the benefits of the computer age with their personal freedoms. (Lewis, 1990)
Because of concerns about privacy, companies will increasingly need secure systems to store information. Indeed, in Canada, governmental regulation concerning the requirements for privacy of information about individuals contributed to an ongoing effort to extend the U.S. Orange Book to include specific support for privacy policy.
Employee Privacy in the Workplace
An employer's need to ensure that employees comply with policies and procedures requires some checking by management on employees' activities involving the use of company computing resources; how much and what kind of checking are subject to debate.⁹ A common management premise is that if a policy or procedure is not enforced, it will eventually not be obeyed, leading to an erosion of respect for and compliance with other policies and procedures. For instance, consider a policy stating that company computing resources will be used only for proper business purposes. Users certify upon starting their jobs (or upon introduction of the policy) that they understand and will comply with this policy and others. Random spot checks of user files by information security analysts may be conducted to ensure that personal business items, games, and so on, are not put on company computing resources. Disciplinary action may result when violations of policy are discovered.
The above situation does not, in itself, relate to security. However, one method proposed to increase the level of system security involves monitoring workers' actions to detect, for example, patterns of activity that suggest that a worker's password has been stolen. This level of monitoring provides increased opportunity to observe all aspects of worker activity, not just security-related activity, and to significantly reduce a worker's expectation for privacy at work.
Some managers argue that a worker, while performing work-related activity, should expect arbitrary supervisory observation and review and that there is no expectation of privacy in that context. This argument combines consideration of privacy with considerations of management style and philosophy, which are beyond the scope of this report. However, what is relevant to this report is the fact that computer and communications technologies facilitate greater monitoring and surveillance of employees and that needs for computer and communications security motivate monitoring and surveillance, some of which may use computer technology. As the congressional Office of Technology Assessment has noted, the effects of computer-based monitoring depend on the way it is used (OTA, 1987a).
There are complex trade-offs among privacy, management control, and more general security controls. How, for example, can management ensure that its computer facilities are being used only for legitimate business purposes if the computer system contains security features that limit access to the files of individuals? Typically, a system administrator has access to everything on a system. To deter abuse of this privilege, a secure audit trail may be used: one that records the administrator's actions and that the administrator cannot alter or erase. The goal is to prevent the interaction of the needs for control, security, and privacy from inhibiting the adequate achievement of any of the three.
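The divide-and-conquer principle described under "Securing the Whole System" (authentication and audit records kept in separately controlled hardware) and the secure audit trail mentioned just above as a check on an administrator who can read everything come down to one design decision: the log may live on the production host, but the key that seals it must not. The following Python is an added example and not code from the report; the component names (Auditor, AuditTrail, rechain_without_key) and the sample log entries are constructed for illustration.

```python
# Added example, not from the report: a tamper-evident audit trail whose
# sealing key is held by a separate audit component (hypothetical names).
import hashlib
import hmac
import json
import os

GENESIS = "0" * 64    # chain anchor for the first entry


def _canon(seq, actor, action, prev):
    """Canonical bytes for the fields covered by both the hash and the tag."""
    return json.dumps([seq, actor, action, prev], separators=(",", ":")).encode()


def entry_hash(entry):
    """Unkeyed chain hash; anyone holding the log, root included, can recompute it."""
    return hashlib.sha256(
        _canon(entry["seq"], entry["actor"], entry["action"], entry["prev"])).hexdigest()


class Auditor:
    """Separately controlled component holding the key. In the report's model it
    runs on its own hardware; here it is an object whose key the production side
    never reads."""

    def __init__(self, key=None):
        self._key = os.urandom(32) if key is None else key

    def seal(self, seq, actor, action, prev):
        return hmac.new(self._key, _canon(seq, actor, action, prev), hashlib.sha256).hexdigest()

    def verify(self, entries):
        """Sequence number of the first entry that fails, or None if the log is intact."""
        prev = GENESIS
        for expected, e in enumerate(entries, start=1):
            if e["seq"] != expected or e["prev"] != prev:
                return expected          # gap, reordering or broken link
            tag = self.seal(e["seq"], e["actor"], e["action"], e["prev"])
            if not hmac.compare_digest(tag, e["tag"]):
                return expected          # content changed, or re-chained without the key
            prev = entry_hash(e)
        return None


class AuditTrail:
    """Append-only log on the production system, fully readable and writable by root."""

    def __init__(self, auditor):
        self._auditor, self.entries = auditor, []

    def append(self, actor, action):
        prev = entry_hash(self.entries[-1]) if self.entries else GENESIS
        seq = len(self.entries) + 1
        entry = {"seq": seq, "actor": actor, "action": action, "prev": prev,
                 "tag": self._auditor.seal(seq, actor, action, prev)}
        self.entries.append(entry)
        return entry


def chain_consistent(entries):
    """The only check an unkeyed hash chain offers: each prev matches the entry before it."""
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev:
            return False
        prev = entry_hash(e)
    return True


def rechain_without_key(entries):
    """What an administrator can do after editing the log: renumber and recompute the
    unkeyed prev hashes. The tags stay stale because the key is not on this host."""
    prev, fixed = GENESIS, []
    for seq, e in enumerate(entries, start=1):
        e = dict(e, seq=seq, prev=prev)
        fixed.append(e)
        prev = entry_hash(e)
    return fixed


def demo():
    """Constructed scenario: root reads the payroll file, then deletes the record.
    Returns (chain_looks_consistent, first_entry_rejected_by_auditor)."""
    auditor = Auditor()
    trail = AuditTrail(auditor)
    trail.append("alice", "login tty12")
    trail.append("root", "read /payroll/salaries")   # the action root wants to hide
    trail.append("alice", "logout")
    assert auditor.verify(trail.entries) is None     # intact before tampering
    tampered = rechain_without_key([e for e in trail.entries if e["actor"] != "root"])
    return chain_consistent(tampered), auditor.verify(tampered)
```

The caveat is in rechain_without_key: an unkeyed hash chain is not a secure audit trail against root, because root can recompute every hash after editing and chain_consistent will still report the log as whole. Only the tags computed with a key that never reaches the production host make the deleted entry visible, which is why demo() returns (True, 2). In practice the Auditor is the remote, append-only log collector that the report's separate-hardware model calls for.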
Note that by tracing or monitoring the computer actions of individuals, one can violate the privacy of persons who are not in an employee relationship but are more generally clients of an organization or citizens of a country. For example, the Wall Street Journal reported recently that customer data entered by a travel agency into a major airline reservation system was accessible to and used by other travel service firms without the knowledge of the customer or the travel agency (Winans, 1990). Computer systems as a mechanism provide no protection for people in these situations; as was observed above, computers, even very secure computers, are only a mechanism, not a policy. Indeed, very secure systems may actually make the problem worse, if the presence of these mechanisms falsely encourages people to entrust critical information to such systems.
There is an important distinction between policy and mechanism. A computer system is a mechanism, but if there is no enforceable policy, a mechanism provides no protection. Only in the presence of an enforceable policy can any protection or assurance occur. While five basic principles that make up a recognized privacy policy are summarized above, security, as it is discussed in this report, does not provide or enforce such a policy, except in the narrow sense of protecting a system from hostile intruders. Protecting a system (or the information it contains) from the owner of the system is a totally different problem, which will become increasingly important as we proceed to a still greater use of computers in our society.
APPENDIX 2.2—INFORMAL SURVEY TO ASSESS SECURITY REQUIREMENTS
In April 1989 informal telephone interviews were conducted by a committee member with the information security officers of 30 private companies in the aerospace, finance, food and beverage, manufacturing, petrochemical, retail, and utilities industries. Within these categories an even distribution of companies was achieved, and interviewees were distributed geographically. Individuals were asked what basic security features should be built into vendor systems (essential features)—what their requirements were and whether those requirements were being met. Their unanimous opinion was that current vendor software does not meet their basic security needs.
The survey addressed two categories of security measures: prevention and detection. Within the prevention category the focus was on three areas: computers, terminals, and telecommunications and networking.
Individuals were asked to consider 40 specific security measures. For each, they were asked whether the measure should be built into vendor systems as a mandatory (essential) item, be built in as an optional item, or not be built in.
User Identification
All of the interviewees believed that a unique identification (ID) for each user and automatic suspension of an ID after a certain number of unauthorized access attempts were essential. The capability to prevent the simultaneous use of an ID was considered essential by 90 percent of the individuals interviewed. A comment was that this capability should be controllable based either on the ID or the source of the access.
Eighty-three percent of the interviewees agreed it is essential that the date, time, and place of last use be displayed to the user upon sign-on to the system. A comment was that this feature should also be available at other times. The same number required the capability to assign to the user an expiration date for authorization to access a system. Comments on this item were that the ability to specify a future active date for IDs was needed and that the capability to let the system administrator know when an ID was about to expire was required. Seventy-three percent thought that the capability to limit system access to certain times, days, dates, and/or from certain places was essential.
User Verification or Authentication

All interviewees believed that preventing the reuse of expired passwords, having the system force password changes, having the password always prompted for, and having the ID and password verified at sign-on time were all essential security measures.

Ninety-seven percent judged as essential the capabilities to implement a password of six or more alphanumeric characters and to have passwords stored encrypted on the system. Eighty-seven percent believed that an automatic check to eliminate easy passwords should be an essential feature, although one individual thought that, in this case, it would be difficult to know what to check for.

Sixty percent saw the capability to interface with a dynamic password token as an essential feature. One recommendation was to investigate the use of icons that would be assigned to users as guides to selecting meaningful (easily remembered) passwords. Thirty-three percent considered a random password generator essential; 7 percent did not want one.
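The password measures listed above, worked through in Python as an added example that is not from the report or any system it describes. "Stored encrypted" is read here the way a practitioner would implement it: the system keeps a salt and a one-way, iterated derivation rather than anything reversible. A retired password cannot be reused, a change is forced once the password is older than a maximum age, and an automatic check rejects easy choices. The six-character minimum follows the survey; the iteration count, the maximum age, the history depth and the short list of easy words are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple

MIN_LENGTH = 6               # the survey's "six or more" minimum
PBKDF2_ITERATIONS = 600_000  # assumption: a current work factor for PBKDF2-HMAC-SHA256
MAX_AGE_DAYS = 90            # assumption: forced-change interval
HISTORY_DEPTH = 5            # assumption: retired passwords that may not be reused
EASY_WORDS = {"password", "secret", "welcome", "letmein", "qwerty"}  # constructed list


@dataclass
class PasswordRecord:
    """What the system stores: a salt and a one-way derivation, never the password."""
    salt: bytes
    digest: bytes
    set_on: date
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # retired (salt, digest)


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _matches(password, salt, digest):
    # constant-time comparison so a wrong guess leaks nothing through timing
    return hmac.compare_digest(_derive(password, salt), digest)


def easy_password_reason(password, user_id):
    """The 'automatic check to eliminate easy passwords'.  Returns why the
    password is rejected, or None if it passes."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password.lower() in EASY_WORDS or password.lower() == user_id.lower():
        return "easily guessed"
    if password.isalpha() or password.isdigit():
        return "use both letters and digits"
    if len(set(password)) < 3:
        return "too few distinct characters"
    return None


def set_password(rec, user_id, new_password, today):
    """Install a new password, refusing easy ones and any of the last
    HISTORY_DEPTH retired ones.  rec is None for an ID with no password yet."""
    why = easy_password_reason(new_password, user_id)
    if why:
        raise ValueError("rejected: " + why)
    history = []
    if rec is not None:
        previous = [(rec.salt, rec.digest)] + rec.history
        if any(_matches(new_password, s, d) for s, d in previous):
            raise ValueError("rejected: password was used before")
        history = previous[:HISTORY_DEPTH]
    salt = os.urandom(16)
    return PasswordRecord(salt, _derive(new_password, salt), today, history)


def verify(rec, password, today):
    """Sign-on check: 'bad password', 'ok', or 'ok, change required' once the
    password is MAX_AGE_DAYS old (the forced change)."""
    if not _matches(password, rec.salt, rec.digest):
        return "bad password"
    if (today - rec.set_on).days >= MAX_AGE_DAYS:
        return "ok, change required"
    return "ok"


def demo():
    """Constructed walk-through for the ID 'alice.j'; returns the outcomes."""
    d0 = date(1991, 1, 10)
    out = {}
    rec = set_password(None, "alice.j", "m4rch1991", d0)
    out["verify_ok"] = verify(rec, "m4rch1991", d0 + timedelta(days=30))
    out["verify_bad"] = verify(rec, "M4RCH1991", d0)
    out["verify_expired"] = verify(rec, "m4rch1991", d0 + timedelta(days=MAX_AGE_DAYS))
    for candidate in ("abc12", "password", "Alice.J", "12345678", "aaaaa1"):
        try:
            set_password(rec, "alice.j", candidate, d0)
            out[candidate] = "accepted"
        except ValueError as e:
            out[candidate] = str(e)
    rec2 = set_password(rec, "alice.j", "n3wpass91", d0 + timedelta(days=90))
    try:
        set_password(rec2, "alice.j", "m4rch1991", d0 + timedelta(days=180))  # retired password
        out["reuse"] = "accepted"
    except ValueError as e:
        out["reuse"] = str(e)
    out["plaintext_stored"] = b"m4rch1991" in rec2.digest or b"n3wpass91" in rec2.digest
    return out
```

A practitioner today would require more than six characters and compare against a far larger word list, and the history check costs one derivation per retired password, which is why the depth is bounded; the shape of the checks does not change.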
File Access Control

All interviewees considered it essential to be able to limit access to files, programs, and databases. Only 60 percent thought that the capability to limit access to a specified time or day should be essential. Although all information security officers of financial organizations thought such a capability should be essential, at least some representatives from all other categories of businesses preferred that such a feature be optional.
Eighty-three percent agreed that a virus detection and protection capability and the ability to purge a file during deletion were essential features. An added comment was that vendors should be required to certify a product as being free of viruses or trapdoors. Seventy-three percent considered the capability to encrypt sensitive data to be mandatory, but one respondent was opposed to that feature because it could complicate disaster recovery (i.e., one might not be able to access such data in an emergency during processing at an alternate site).

Ninety-five percent thought it should be essential to require the execution of production programs from a secure production library and also, if using encryption, to destroy the plaintext during the encryption process.
Terminal Controls

All interviewees agreed that preventing the display of passwords on screens or reports should be essential. Ninety-five percent favored having an automated log-off/time-out capability as a mandatory feature. A comment was that it should be possible to vary this feature by ID.

Identification of terminals was a capability that 87 percent considered essential, but only two-thirds felt that a terminal lock should be included in the essential category.

An additional comment was that a token port (for dynamic password interface) should be a feature of terminals.
Telecommunications and Networking

More than 95 percent of the interviewees believed that network security monitoring; bridge, router, and gateway filtering; and dial-in user authentication should be essential features. Also, 90 percent wanted a modem-locking device as a mandatory feature. Eighty-three to eighty-seven percent of interviewees wanted security modems (call-back authentication), data encryption, automated encryption and decryption capabilities, and the ability to automatically disconnect an unneeded modem to be regarded as essential.

Additional comments in this area addressed the need for message authentication and nonrepudiation as security features.
Detection Measures

All interviewees believed that audit trails identifying invalid access attempts and reporting ID and terminal source identification related to invalid access attempts were essential security measures. Likewise, all agreed that violation reports (including date, time, service, violation type, ID, data sets, and so forth) and the capability to query a system's log to retrieve selected data were essential features.

Eighty-three percent were in favor of network intrusion detection, a relatively new capability, as an essential item. However, everyone also agreed on the need for improved reporting of intrusions.
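The detection measures above (an audit trail of invalid access attempts that names the ID and the terminal source, a violation report carrying date, time, service, violation type, ID and data set, and a query over the log to retrieve selected records) run over sample data in the following Python, an added example rather than anything from the report or from a system it describes. The log line format, the result codes and the sample lines are constructed. The last function goes a step beyond the report's list and flags an ID with repeated sign-on failures inside a short window, as one form of the improved intrusion reporting the interviewees asked for.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit-trail format: DATE TIME SERVICE RESULT ID TERMINAL [DATASET]
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<service>\S+) (?P<result>OK|BAD_PASSWORD|UNKNOWN_ID|NO_ACCESS|OUTSIDE_WINDOW) "
    r"(?P<user_id>\S+) (?P<terminal>\S+)(?: (?P<dataset>\S+))?$")

# Constructed sample trail: one successful user, one ID under password guessing,
# two unknown IDs on a dial-in line, a file-access refusal and an out-of-hours attempt.
SAMPLE_LOG = """\
1991-03-05 08:59:12 SIGNON OK alice TERM07
1991-03-05 09:01:44 SIGNON BAD_PASSWORD bob TERM12
1991-03-05 09:01:58 SIGNON BAD_PASSWORD bob TERM12
1991-03-05 09:02:10 SIGNON BAD_PASSWORD bob TERM12
1991-03-05 09:02:31 SIGNON UNKNOWN_ID root MODEM3
1991-03-05 09:02:40 SIGNON UNKNOWN_ID guest MODEM3
1991-03-05 09:30:07 FILE NO_ACCESS alice TERM07 PAYROLL.MASTER
1991-03-05 22:15:00 SIGNON OUTSIDE_WINDOW carol TERM02
1991-03-06 07:45:00 SIGNON OK bob TERM12
"""


def parse_log(text):
    """Parse trail lines into dicts.  Lines that do not match are returned
    separately rather than dropped: a gap in the trail is itself a finding."""
    records, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            malformed.append((n, line))
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records, malformed


def violation_report(records):
    """Invalid attempts only, each with the fields the interviewees listed."""
    return [dict(date=r["date"], time=r["time"], service=r["service"],
                 violation=r["result"], user_id=r["user_id"],
                 terminal=r["terminal"], dataset=r["dataset"])
            for r in records if r["result"] != "OK"]


def invalid_attempts_by(records, key):
    """Count invalid attempts per ID ('user_id') or per terminal source ('terminal')."""
    return Counter(r[key] for r in records if r["result"] != "OK")


def query(records, **criteria):
    """Retrieve selected records, e.g. query(recs, user_id='bob', result='BAD_PASSWORD')."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def repeated_failures(records, threshold=3, within_seconds=120):
    """IDs with at least `threshold` failed sign-ons inside a sliding window of
    `within_seconds`: a guessing pattern a raw violation listing does not show."""
    by_id = defaultdict(list)
    for r in records:
        if r["service"] == "SIGNON" and r["result"] != "OK":
            by_id[r["user_id"]].append(r["when"])
    flagged = set()
    for uid, times in by_id.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= within_seconds:
                flagged.add(uid)
                break
    return sorted(flagged)


def demo():
    """Run the constructed trail, plus one unparseable line, through every report."""
    records, malformed = parse_log(SAMPLE_LOG + "garbage line\n")
    return {
        "parsed": len(records),
        "malformed": len(malformed),
        "violations": len(violation_report(records)),
        "by_terminal": dict(invalid_attempts_by(records, "terminal")),
        "by_id": dict(invalid_attempts_by(records, "user_id")),
        "bob_bad_pw": len(query(records, user_id="bob", result="BAD_PASSWORD")),
        "flagged": repeated_failures(records),
    }
```

The per-terminal count is what lets an operator see that the two unknown-ID attempts came from the same dial-in line, and the window test turns three separate violation lines for one ID into a single reportable event.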
General Comments and Summary

General suggestions made in the course of the interviews included the following:

• Make requirements general rather than specific so that they can apply to all kinds of systems.
• Make security transparent to the user.
• Make sure that "mandatory" really means mandatory.
• Seek opinions from those who pay for the systems.

In summary, it was clearly the consensus that basic information security features should be required components that vendors build into information systems. Some control of the implementation of features should be available to organizations so that flexibility to accommodate special circumstances is available.

Interviewees indicated that listing essential (must-have and must-use) and optional security features in an accredited standards document would be very useful for vendors and procurement officers in the private sector. Vendors could use the criteria as a measure of how well their products meet requirements for information security and the needs of the users. Procurement officers could use the criteria as benchmarks in evaluating different vendors' equipment during the purchasing cycle. Vendors could also use the criteria as a marketing tool, as they currently use the Orange Book criteria. These comments are supportive of the GSSP concept developed by this committee.
NOTES

1. Some documentation can be found in the Defense Advanced Research Projects Agency's Computer Emergency Response Team advisories, which are distributed to system managers and in a variety of electronic newsletters and bulletin boards.
2. The mechanisms for carrying out such procedures are called mandatory access controls by the DOD.

3. Such mechanisms are called discretionary access controls by the DOD, and user-directed, identity-based access controls by the International Organization for Standardization. Also, the owner-based approach stands in contrast with the more formal, centrally administered clearance or access-authorization process of the national security community.

4. There are many kinds of vulnerability. Authorized people can misuse their authority. One user can impersonate another. One break-in can set up the conditions for others, for example, by installing a virus. Physical attacks on equipment can compromise it. Discarded media can be scavenged. An intruder can get access from a remote system that is not well secured, as happened with the Internet worm.

5. Although it might be comforting to commend the use of, or research into, quantitative risk assessment as a planning tool, in many cases little more than a semiquantitative or checklist-type approach seems warranted. Risk assessment is the very basis of the insurance industry, which, it can be noted, has been slow to offer computer security coverage to businesses or individuals (see Chapter 6, Appendix 6.2, "Insurance"). In some cases (e.g., the risk of damage to the records of a single customer's accounts) quantitative assessment makes sense. In general, however, risk assessment is a difficult and complex task, and quantitative assessment of myriad qualitatively different, low-probability, high-impact risks has not been notably successful. The nuclear industry is a case in point.

6. The extent of interconnection envisioned for the future underscores the importance of planning for interdependencies. For example, William Mitchell has laid out a highly interconnected vision: "Through open systems interconnection (OSI), businesses will rely on computer networks as much as they depend on the global telecom network. Enterprise networks will meet an emerging need: they will allow any single computer in any part of the world to be as accessible to users as any telephone. OSI networking capabilities will give every networked computer a unique and easily accessible address. Individual computer networks will join into a single cohesive system in much the same way as independent telecom networks join to form one global service." (Mitchell, 1990, pp. 69–72)

7. Other federal privacy laws include the Fair Credit Reporting Act of 1970 (P.L. 91–508), the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. 1232g), the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), the Electronic Funds Transfer Act of 1978 (15 U.S.C. 1693, P.L. 95–630), the Cable Communications Policy Act of 1984 (47 U.S.C. 551), the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2511), and the Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. 552a Note) (Turn, 1990). States have also passed laws to protect privacy.

8. This point was made by the congressional Office of Technology Assessment in an analysis of federal agency use of electronic record systems for computer matching, verification, and profiling (OTA, 1986b).

9. Recent cases about management perusing electronic mail messages that senders and receivers had believed were private amplify that debate (Communications Week, 1990a).
TECHNOLOGY TO ACHIEVE SECURE COMPUTER SYSTEMS 74

3
Technology to Achieve Secure Computer Systems
This chapter is a reasonably complete survey of the technology needed to protect information and other resources controlled by computer systems, and it discusses how such technology can be used to make systems secure. It explains the essential technical ideas, gives the major properties of relevant techniques currently known, and tells why they are important. Suggesting developments that may occur in the next few years, it provides some of the rationale for the research agenda set forth in Chapter 8.

Appendix B of this report discusses in more detail several topics that are either fundamental to computer security technology or of special current interest, including how some important things (such as passwords) work and why they do not work perfectly.

This discussion of the technology of computer security addresses two major concerns:

1. What do we mean by security?
2. How do we get security, and how do we know when we have it?

The first involves specification of security and the services that computer systems provide to support security. The second involves implementation of security, and in particular the means of establishing confidence that a system will actually provide the security the specifications promise. Each topic is discussed according to its importance for the overall goal of providing computer security, and not according to how much work has already been done on that topic.
This chapter discusses many of the concepts introduced in Chapter 2, but in more detail. It examines the technical process of relating computer mechanisms to higher-level controls and policies, a process that requires the development of abstract security models and supporting mechanisms. Although careful analysis of the kind carried out in this chapter may seem tedious, it is a necessary prerequisite to ensuring the security of something as complicated as a computer system. Ensuring security, like protecting the environment, requires a holistic approach; it is not enough to focus on the problem that caused trouble last month, because as soon as that difficulty is resolved, another will arise.
SPECIFICATION VS. IMPLEMENTATION

The distinction between what a system does and how it does it, between specification and implementation, is basic to the design and analysis of computer systems. A specification for a system is the meeting point between the customer and the builder. It says what the system is supposed to do. This is important to the builder, who must ensure that what the system actually does matches what it is supposed to do. It is equally important to the customer, who must be confident that what the system is supposed to do matches what he wants. It is especially critical to know exactly and completely how a system is supposed to support requirements for security, because any mistake can be exploited by a malicious adversary.
Specifications can be written at many levels of detail and with many degrees of formality. Broad and informal specifications of security are called security policies¹ (see Chapter 2), examples of which include the following: (1) "Confidentiality: Information shall be disclosed only to people authorized to receive it." (2) "Integrity: Data shall be modified only according to established procedures and at the direction of properly authorized people."
It is possible to separate from the whole the part of a specification that is relevant to security. Usually a whole specification encompasses much more than the security-relevant part. For example, a whole specification usually says a good deal about price and performance. In systems for which confidentiality and integrity are the primary goals of security policies, performance is not relevant to security because a system can provide confidentiality and integrity regardless of how well or badly it performs. But for systems for which availability and integrity are paramount, performance specifications may be relevant to security. Since security is the focus of this discussion, "specification" as used here should be understood to describe only what is relevant to security.
A secure system is one that meets the particular specifications meant to ensure security. Since many different specifications are possible, there cannot be any absolute notion of a secure system. An example from a related field clarifies this point. We say that an action is legal if it meets the requirements of the law. Since different jurisdictions can have different sets of laws, there cannot be any absolute notion of a legal action; what is legal under the laws of Britain may be illegal in the United States.
A system that is believed to be secure is called trusted. Of course, a trusted system must be trusted for something; in the context of this report it is trusted to meet security specifications. In some other context such a system might be trusted to control a shuttle launch or to retrieve all the 1988 court opinions dealing with civil rights.
Policies express a general intent. Of course, they can be more detailed than the very general ones given as examples above; for instance, the following is a refinement of the first policy: "Salary confidentiality: Individual salary information shall be disclosed only to the employee, his superiors, and authorized personnel staff."
But whether general or specific, policies contain terms that are not precisely defined, and so it is not possible to tell with absolute certainty whether a system satisfies a policy. Furthermore, policies specify the behavior of people and of the physical environment as well as the behavior of machines, so that it is not possible for a computer system alone to satisfy them. Technology for security addresses these problems by providing methods for the following:
• Integrating a computer system into a larger system, comprising people and a physical environment as well as computers, that meets its security policies;
• Giving a precise specification, called a security model, for the security-relevant behavior of the computer system;
• Building, with components that provide and use security services, a system that meets the specifications; and
• Establishing confidence, or assurance, that a system actually does meet its specifications.
This is a tall order that at the moment can be only partially filled. The first two actions are discussed in the section below titled "Specification," the last two in the following section titled "Implementation." Services are discussed in both sections to explain both the functions being provided and how they are implemented.
SPECIFICATION: POLICIES, MODELS, AND SERVICES
This section deals with the specification of security. It is based on the taxonomy of security policies given in Chapter 2. There are only a few highly developed security policies, and research is needed to
Copyright © National Academy of Sciences. All rights reserved.
develop additional policies (see Chapter 8), especially in the areas of integrity and availability. Each of the highly developed policies has a corresponding (formal) security model, which is a precise specification of how a computer system should behave as part of a larger system that implements a policy. Implementing a security model requires mechanisms that provide particular security services. A small number of fundamental mechanisms have been identified that seem adequate to implement most of the highly developed security policies currently in use.
The simple example of a traffic light illustrates the concepts of policy and model; in this example, safety plays the role of security. The light is part of a system that includes roads, cars, and drivers. The safety policy for the complete system is that two cars should not collide. This is refined into a policy that traffic must not move in two conflicting directions through an intersection at the same time. This policy is translated into a safety model for the traffic light itself (which plays a role analogous to that of a computer system within a complete system): two green lights may never appear in conflicting traffic patterns simultaneously. This is a simple specification. Observe that the complete specification for a traffic light is much more complex; it provides for the ability to set the duration of the various cycles, to synchronize the light with other traffic lights, to display different combinations of arrows, and so forth. None of these details, however, is critical to the safety of the system, because they do not bear directly on whether or not cars will collide. Observe also that for the whole system to meet its safety policy, the light must be visible to the drivers, and they must understand and obey its rules. If the light remains red in all directions it will meet its specification, but the drivers will lose patience and start to ignore it, so that the entire system may not support a policy of ensuring safety.
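The traffic-light safety model above can be written down and checked mechanically, which is the point of turning a policy into a model. The Python below is an added example and not part of the report: it encodes the model ("two green lights may never appear in conflicting traffic patterns simultaneously") as an invariant, enumerates every possible colour assignment to find the ones the model forbids, checks three constructed controller cycles against it, and shows that an all-red controller satisfies the model while never giving anyone a green, which is the larger-system failure the paragraph describes. The pattern names, the cycles and the `ever_green` check are assumptions made for the example.

```python
"""Safety model for a traffic light, checked against every state a controller can show.

Constructed example: the intersection, its conflicting patterns and the controller
cycles below are illustrative and not taken from the report.
"""
from itertools import product
from typing import Dict, List, Tuple

# Two traffic patterns through one intersection; they conflict with each other.
PATTERNS: Tuple[str, ...] = ("north-south", "east-west")
CONFLICTS: List[Tuple[str, str]] = [("north-south", "east-west")]
COLORS: Tuple[str, ...] = ("red", "yellow", "green")

State = Dict[str, str]  # pattern -> colour currently shown


def satisfies_model(state: State) -> bool:
    """The safety model: no two conflicting patterns are green at the same time."""
    return not any(state[a] == "green" and state[b] == "green" for a, b in CONFLICTS)


def forbidden_states() -> List[State]:
    """Exhaustively enumerate colour assignments and keep the ones the model rules out.
    The model says nothing about the other assignments (cycle timing, arrows, ...)."""
    all_states = (dict(zip(PATTERNS, colours))
                  for colours in product(COLORS, repeat=len(PATTERNS)))
    return [s for s in all_states if not satisfies_model(s)]


def violations(cycle: List[State]) -> List[int]:
    """Indices of the phases in a controller cycle that violate the safety model."""
    return [i for i, phase in enumerate(cycle) if not satisfies_model(phase)]


def ever_green(cycle: List[State]) -> bool:
    """A liveness property the safety model does not capture: every pattern is
    eventually given a green. An always-red controller fails this check."""
    return all(any(phase[p] == "green" for phase in cycle) for p in PATTERNS)


# Constructed controller cycles (each list is one full cycle of phases).
SAFE_CYCLE: List[State] = [
    {"north-south": "green", "east-west": "red"},
    {"north-south": "yellow", "east-west": "red"},
    {"north-south": "red", "east-west": "green"},
    {"north-south": "red", "east-west": "yellow"},
]
BUGGY_CYCLE: List[State] = [
    {"north-south": "green", "east-west": "red"},
    {"north-south": "green", "east-west": "green"},  # overlapping greens: unsafe
    {"north-south": "red", "east-west": "green"},
]
ALL_RED_CYCLE: List[State] = [
    {"north-south": "red", "east-west": "red"},  # meets the model, never lets traffic move
]

if __name__ == "__main__":
    print("forbidden by the model:", forbidden_states())
    for name, cycle in (("safe", SAFE_CYCLE), ("buggy", BUGGY_CYCLE), ("all-red", ALL_RED_CYCLE)):
        print(f"{name}: violating phases={violations(cycle)} ever_green={ever_green(cycle)}")
```

The `ever_green` check is the computer-system analogue of "drivers will lose patience": the model is satisfied, but the larger system's policy is not, so a check against the model alone is not a check of the policy.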
An ordinary library affords a more complete example (see Appendix B of this report) that illustrates several aspects of computer system security in a context that does not involve computers.
Policies
A security policy is an informal specification of the rules by which people are given access to a system to read and change information and to use resources. Policies naturally fall into a few major categories:
1. Confidentiality: controlling who gets to read information;
2. Integrity: assuring that information and programs are changed only in a specified and authorized manner; and
3. Availability: assuring that authorized users have continued access to information and resources.
Two orthogonal categories can be added:
4. Resource control: controlling who has access to computing, storage, or communication resources (exclusive of data); and
5. Accountability: knowing who has had access to information or resources.
Chapter 2 describes these categories in detail and discusses how an organization that uses computers can formulate a security policy by drawing elements from all these categories. The discussion below summarizes this material and supplements it with some technical details.
Security policies for computer systems generally reflect long-standing policies for the security of systems that do not involve computers. In the case of national security these are embodied in the information classification and personnel clearance system; for commercial computing they come from established accounting and management control practices.
From a technical viewpoint, the most fully developed policies are those that have been developed to ensure confidentiality. They reflect the concerns of the national security community and are derived from Department of Defense (DOD) Directive 5000.1, the basic directive for protecting classified information.2
The DOD computer security policy is based on security levels. Given two levels, one may be lower than the other, or the two may not be comparable. The basic principle is that information can never be allowed to leak to a lower level, or even to a level that is not comparable. In particular, a program that has "read access" to data at a higher level cannot simultaneously have "write access" to lower-level data. This is a rigid policy motivated by a lack of trust in application programs. In contrast, a person can make an unclassified telephone call even though he may have classified documents on his desk, because he is trusted to not read the document over the telephone. There is no strong basis for placing similar trust in an arbitrary computer program.
A security level or compartment consists of an access level (either top secret, secret, confidential, or unclassified) and a set of categories (e.g., Critical Nuclear Weapon Design Information (CNWDI), North Atlantic Treaty Organization (NATO), and so on). The access levels are ordered (top secret, highest; unclassified, lowest). The categories, which have unique access and protection requirements, are not ordered, but sets of categories are ordered by inclusion: one set is lower than another if every category in the first is included in the second. One
security level is lower than another, different level if it has an equal or lower access level and an equal or lower set of categories. Thus [confidential; NATO] is lower than both [confidential; CNWDI, NATO] and [secret; NATO]. Given two levels, it is possible that neither is lower than the other. Thus [secret; CNWDI] and [confidential; NATO] are not comparable.
Every piece of information has a security level (often called its label). Normally information is not permitted to flow downward: information at one level can be derived only from information at equal or lower levels, never from information that is at a higher level or is not comparable. If information is computed from several inputs, it has a level that is at least as high as any of the inputs. This rule ensures that if information is stored in a system, anything computed from it will have an equal or higher level. Thus the classification never decreases.
The DOD computer security policy specifies that a person is cleared to a particular security level and can see information only at that, or a lower, level. Since anything seen can be derived only from other information categorized as being at that level or lower, the result is that what a person sees can depend only on information in the system at his level or lower. This policy is mandatory: except for certain carefully controlled downgrading or declassification procedures, neither users nor programs in the system can break the rules or change the security levels. As Chapter 2 explains, both this and other confidentiality policies can also be applied in other settings.
Integrity policies have not been studied as carefully as confidentiality policies, even though some sort of integrity policy governs the operation of every commercial data-processing system. Work in this area (Clark and Wilson, 1987) lags work on confidentiality by about 15 years. Nonetheless, interest is growing in workable integrity policies and corresponding mechanisms, especially since such mechanisms provide a sound basis for limiting the damage caused by viruses, self-replicating software that can carry hidden instructions to alter or destroy data.
The most highly developed policies to support integrity reflect the concerns of the accounting and auditing community for preventing fraud. The essential notions are individual accountability, auditability, separation of duty, and standard procedures. Another kind of integrity policy is derived from the information-flow policy for confidentiality applied in reverse, so that information can be derived only from other information of the same or a higher integrity level (Biba, 1975). This particular policy is extremely restrictive and thus has not been applied in practice.
Policies categorized under accountability have usually been formulated
as part of confidentiality or integrity policies. Accountability has not received independent attention.
In addition, very little work has been done on security policies related to availability. Absent this work, the focus has been on the practical aspects of contingency planning and recoverability.
Models
To engineer a computer system that can be used as part of a larger system that implements a security policy, and to decide unambiguously whether such a computer system meets its specification, an informal, broadly stated policy must be translated into a precise model. A model differs from a policy in two ways:
1. It describes the desired behavior of a computer system's mechanisms, not that of the larger system that includes people.
2. It is precisely stated in formal language that resolves the ambiguities of English and makes it possible, at least in principle, to give a mathematical proof that a system satisfies the model.
Two models are in wide use. One, based on the DOD computer security policy, is the flow model; it supports a certain kind of confidentiality policy. The other, based on the familiar idea of stationing a guard at an entrance, is the access control model; it supports a variety of confidentiality, integrity, and accountability policies. There are no models that support availability policies.
Flow Model
The flow model is derived from the DOD computer security policy described above. In this model (Denning, 1976) each piece of data in the system visible to a user or an application program is held in a container called an object. Each object has an associated security level. An object's level indicates the security level of the data it contains. Data in one object is allowed to affect another object only if the source object's level is lower than or equal to the destination object's level. All the data within a single object have the same level and hence can be manipulated freely.
The flow model ensures that information at a given security level flows only to an equal or higher level. Data is not the same as information; for example, an encrypted message contains data, but it conveys no information unless one knows the encryption key or can break the encryption system. Unfortunately, data is all the computer can understand. By preventing an object at one level from being
affected in any way by data that is not at an equal or lower level, the flow model ensures that information can flow only to an equal or higher level inside the computer system. It does this very conservatively and thus forbids many actions that would not in fact cause any information to flow improperly.
A more complicated version of the flow model (which is actually the basis of the rules in the Orange Book) separates objects into active subjects that can initiate operations and passive objects that simply contain data, such as a file, a piece of paper, or a display screen. Data can flow only between an object and a subject; flow from object to subject is called a read operation, and flow from subject to object is called a write operation. Now the rules are that a subject can only read from an object at an equal or lower level, and can only write to an object at an equal or higher level.
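The level ordering and the flow rules are easiest to see in code. The Python below is an added example, not from the report, and it serves several passages at once: the security-level ordering on the preceding pages (access level plus a set of categories ordered by inclusion, with incomparable levels), the rule that information computed from several inputs takes a level at least as high as every input, the rule that a cleared user may set a terminal to any equal or lower level, and the subject/object read and write rules of the flow model just described. The class and function names are constructed for the example, as are the labels built from the report's CNWDI and NATO categories; they are not real classification data.

```python
"""Security-level lattice and flow-model rules (constructed example, not report code)."""
from dataclasses import dataclass
from typing import FrozenSet

# Access levels in ascending order; the position in the tuple is the rank.
ACCESS_LEVELS = ("unclassified", "confidential", "secret", "top secret")


@dataclass(frozen=True)
class SecurityLevel:
    """A label: an access level plus a set of categories (compartments)."""
    access: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.access not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level: {self.access!r}")

    @property
    def rank(self) -> int:
        return ACCESS_LEVELS.index(self.access)

    def dominates(self, other: "SecurityLevel") -> bool:
        """self is equal to or higher than other: equal-or-higher access level and
        a superset of categories (sets of categories are ordered by inclusion)."""
        return self.rank >= other.rank and self.categories >= other.categories

    def comparable(self, other: "SecurityLevel") -> bool:
        """False when neither level is lower than the other."""
        return self.dominates(other) or other.dominates(self)

    def join(self, other: "SecurityLevel") -> "SecurityLevel":
        """Least upper bound: the lowest level that dominates both inputs."""
        return SecurityLevel(ACCESS_LEVELS[max(self.rank, other.rank)],
                             self.categories | other.categories)

    def __str__(self) -> str:
        return f"[{self.access}; {', '.join(sorted(self.categories))}]"


def level_of_result(*inputs: SecurityLevel) -> SecurityLevel:
    """Label of information computed from several inputs: the join of all input
    labels, so it is at least as high as any input and classification never decreases."""
    result = inputs[0]
    for lvl in inputs[1:]:
        result = result.join(lvl)
    return result


def flow_permitted(source: SecurityLevel, destination: SecurityLevel) -> bool:
    """Data in one object may affect another only if source <= destination.
    An incomparable pair is refused in both directions."""
    return destination.dominates(source)


def may_read(subject: SecurityLevel, obj: SecurityLevel) -> bool:
    """Read = flow from object to subject: allowed only from an equal or lower level."""
    return flow_permitted(obj, subject)


def may_write(subject: SecurityLevel, obj: SecurityLevel) -> bool:
    """Write = flow from subject to object: allowed only to an equal or higher level."""
    return flow_permitted(subject, obj)


def terminal_level_allowed(clearance: SecurityLevel, terminal: SecurityLevel) -> bool:
    """A user may set the terminal to any level equal to or lower than the clearance."""
    return clearance.dominates(terminal)


# Labels from the report's worked examples (constructed values for illustration).
CONF_NATO = SecurityLevel("confidential", frozenset({"NATO"}))
CONF_CNWDI_NATO = SecurityLevel("confidential", frozenset({"CNWDI", "NATO"}))
SECRET_NATO = SecurityLevel("secret", frozenset({"NATO"}))
SECRET_CNWDI = SecurityLevel("secret", frozenset({"CNWDI"}))

if __name__ == "__main__":
    print(f"{CONF_NATO} lower than {CONF_CNWDI_NATO}: {CONF_CNWDI_NATO.dominates(CONF_NATO)}")
    print(f"{CONF_NATO} lower than {SECRET_NATO}: {SECRET_NATO.dominates(CONF_NATO)}")
    print(f"{SECRET_CNWDI} comparable with {CONF_NATO}: {SECRET_CNWDI.comparable(CONF_NATO)}")
    print(f"result of combining {CONF_NATO} and {SECRET_CNWDI}: "
          f"{level_of_result(CONF_NATO, SECRET_CNWDI)}")
    print(f"subject at {SECRET_NATO} may read {CONF_NATO}: {may_read(SECRET_NATO, CONF_NATO)}")
    print(f"subject at {SECRET_NATO} may write {CONF_NATO}: {may_write(SECRET_NATO, CONF_NATO)}")
```

Note how a subject at [secret; CNWDI] can neither read nor write [confidential; NATO]: incomparable levels are refused in both directions, which is the conservative behaviour the report describes. A program that has read a higher-level object cannot then write a lower-level one because both checks are made against the same subject level.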
Not all possible flows in a system look like read and write operations. Because the system is sharing resources among objects at different levels, it is possible for information to flow on what are known as covert channels (Lampson, 1973; IEEE, 1990a). For example, a high-level subject might be able to send a little information to a low-level subject by using up all the disk space if it learns that a surprise attack is scheduled for next week. When the low-level subject finds itself unable to write a file, it has learned about the attack (or at least received a hint). To fully realize the intended purpose of a flow model, it is necessary to identify and attempt to close all the covert channels, although total avoidance of covert channels is generally impossible due to the need to share resources.
To fit this model of a computer system into the real world, it is necessary to account for people. A person is cleared to some level of permitted access. When he identifies himself to the system as a user present at some terminal, he can set the terminal's level to any equal or lower level. This ensures that the user will never see information at a higher level than his clearance allows. If the user sets the terminal level lower than the level of his clearance, he is trusted not to take high-level information out of his head and introduce it into the system.
Although not logically required, the flow model policy has generally been viewed as mandatory; neither users nor programs in a system can break the flow rule or change levels. No real system can strictly follow this rule, since procedures are always needed for declassifying data, allocating resources, and introducing new users, for example. The access control model is used for these purposes, among others.
Access Control Model
The access control model is based on the idea of stationing a guard
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
<strong>Computers</strong> <strong>at</strong> <strong>Risk</strong>: <strong>Safe</strong> <strong>Comput<strong>in</strong>g</strong> <strong>in</strong> <strong>the</strong> Inform<strong>at</strong>ion <strong>Age</strong><br />
http://www.nap.edu/c<strong>at</strong>alog/1581.html<br />
About this PDF file: This new digital represent<strong>at</strong>ion of <strong>the</strong> orig<strong>in</strong>al work has been recomposed from XML files cre<strong>at</strong>ed from <strong>the</strong> orig<strong>in</strong>al paper book, not from <strong>the</strong><br />
orig<strong>in</strong>al typesett<strong>in</strong>g files. Page breaks are true to <strong>the</strong> orig<strong>in</strong>al; l<strong>in</strong>e lengths, word breaks, head<strong>in</strong>g styles, and o<strong>the</strong>r typesett<strong>in</strong>g-specific form<strong>at</strong>t<strong>in</strong>g, however, cannot be<br />
reta<strong>in</strong>ed, and some typographic errors may have been accidentally <strong>in</strong>serted. Please use <strong>the</strong> pr<strong>in</strong>t version of this public<strong>at</strong>ion as <strong>the</strong> authorit<strong>at</strong>ive version for <strong>at</strong>tribution.<br />
TECHNOLOGY TO ACHIEVE SECURE COMPUTER SYSTEMS 82<br />
<strong>in</strong> front of a valuable resource to control who has access to it. This model<br />
organizes <strong>the</strong> system <strong>in</strong>to<br />
• Objects: entities th<strong>at</strong> respond to oper<strong>at</strong>ions by chang<strong>in</strong>g <strong>the</strong>ir st<strong>at</strong>e,<br />
provid<strong>in</strong>g <strong>in</strong>form<strong>at</strong>ion about <strong>the</strong>ir st<strong>at</strong>e, or both;<br />
• Subjects: active objects th<strong>at</strong> can perform oper<strong>at</strong>ions on objects; and<br />
• Oper<strong>at</strong>ions: <strong>the</strong> way th<strong>at</strong> subjects <strong>in</strong>teract with objects.<br />
The objects are the resources being protected; an object might be a document, a terminal, or a rocket. A set of rules specifies, for each object and each subject, what operations that subject is allowed to perform on that object. A reference monitor acts as the guard to ensure that the rules are followed (Lampson, 1985). An example of a set of access rules follows:
Subject        Operation            Object
Smith          Read                 file "1990 pay raises"
White          Send "Hello"         Terminal 23
Process 1274   Rewind               Tape unit 7
Black          Fire three rounds    Bow gun
Jones          Pay invoice 432567   Account Q34
There are many ways to express the access rules. The two most popular are to attach to each subject a list of the objects it can access (a capability list), or to attach to each object a list of the subjects that can access it (an access control list). Each list also identifies the operations that are allowed. Most systems use some combination of these approaches.
Usually the access rules do not mention each operation separately. Instead they define a smaller number of "rights" (often called permissions)—for example, read, write, and search—and grant some set of rights to each (subject, object) pair. Each operation in turn requires some set of rights. In this way a number of different operations, all requiring the right to read, can read information from an object. For example, if the object is a text file, the right to read may be required for such operations as reading a line, counting the number of words, and listing all the misspelled words.
One operation that can be done on an object is to change which subjects can access the object. There are many ways to exercise this control, depending on what a particular policy is. When a discretionary policy applies, for each object an "owner" or principal is identified who can decide without any restrictions who can do what to the object. When a mandatory policy applies, the owner can make these decisions only within certain limits. For example, a mandatory flow policy allows only a security officer to change the security level of an object, and the flow model rules limit access. The principal controlling the object can usually apply further limits at his discretion.
The access control model leaves open what the subjects are. Most commonly, subjects are users, and any active entity in the system is treated as acting on behalf of some user. In some systems a program can be a subject in its own right. This adds a great deal of flexibility, because the program can implement new objects using existing ones to which it has access. Such a program is called a protected subsystem; it runs as a subject different from the principal invoking it, usually one that can access more objects. The security services used to support creation of protected subsystems also may be used to confine suspected Trojan horses or viruses, thus limiting the potential for damage from such programs. This can be done by running a suspect program as a subject that is different from the principal invoking it, in this case a subject that can access fewer objects. Unfortunately, such facilities have not been available in most operating systems.
The access control model can be used to realize both secrecy and integrity policies, the former by controlling read operations and the latter by controlling write operations, and others that change the state. This model supports accountability, using the simple notion that every time an operation is invoked, the identity of the subject and the object as well as the operation should be recorded in an audit trail that can later be examined. Difficulties in making practical use of such information may arise owing to the large size of an audit trail.
Services
Basic security services are used to build systems satisfying the policies discussed above. Directly supporting the access control model, which in turn can be used to support nearly all the policies discussed, these services are as follows:
• Authentication: determining who is responsible for a given request or statement,³ whether it is, "The loan rate is 10.3 percent," or "Read file 'Memo to Mike,'" or "Launch the rocket."
• Authorization: determining who is trusted for a given purpose, whether it is establishing a loan rate, reading a file, or launching a rocket.
• Auditing: recording each operation that is invoked along with the identity of the subject and object, and later examining these records.
Given these services, it is easy to implement the access control model. Whenever an operation is invoked, the reference monitor uses authentication to find out who is requesting the operation and then uses authorization to find out whether the requester is trusted for that operation. If so, the reference monitor allows the operation to proceed; otherwise, it cancels the operation. In either case, it uses auditing to record the event.
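The reference monitor loop just described, together with the access rules, rights, and owner versus security-officer controls from the preceding paragraphs, as an added example in Python (not code from the report): objects carry a discretionary ACL and a mandatory security level, operations map onto rights so that several read-type operations share one right, and every decision, allowed or denied, lands in the audit trail. The names, clearances, object and the terminal-to-principal session table that stands in for authentication are constructed for illustration.

```python
# Reference monitor for the access control model above: owner-managed ACLs (discretionary),
# an object level only the security officer may change (mandatory flow rule), operations
# mapped onto rights, and an audit record for every decision. Added example, not the
# report's code; principals, levels, objects and the session table are constructed.
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

# Each operation requires some set of rights; several different operations on a
# text file all need only "read", as in the report's example.
OPERATION_RIGHTS: Dict[str, FrozenSet[str]] = {
    "read_line": frozenset({"read"}),
    "count_words": frozenset({"read"}),
    "list_misspelled": frozenset({"read"}),
    "append_line": frozenset({"write"}),
    "replace_text": frozenset({"read", "write"}),
}

AuditRecord = namedtuple("AuditRecord", "subject operation obj allowed reason")


@dataclass
class Obj:
    name: str
    owner: str
    level: str
    acl: Dict[str, Set[str]]  # subject -> rights held on this object


class ReferenceMonitor:
    def __init__(self, clearances: Dict[str, str], officer: str, sessions: Dict[str, str]):
        self.clearances = clearances      # principal -> clearance level
        self.security_officer = officer   # the only principal who may relabel objects
        self.sessions = sessions          # terminal id -> principal (stands in for authentication)
        self.objects: Dict[str, Obj] = {}
        self.audit_trail: List[AuditRecord] = []

    def authenticate(self, session: str) -> Optional[str]:
        """Who is responsible for a request arriving on this terminal?"""
        return self.sessions.get(session)

    def authorize(self, subject: str, operation: str, obj: Obj) -> Tuple[bool, str]:
        """Mandatory flow rule first, then the owner's discretionary ACL."""
        rights = OPERATION_RIGHTS.get(operation)
        if rights is None:
            return False, "unknown operation"
        clearance = LEVELS[self.clearances.get(subject, "unclassified")]
        level = LEVELS[obj.level]
        # Reading a higher-level object would move information down a level.
        if "read" in rights and level > clearance:
            return False, "flow rule: object level exceeds clearance"
        # Writing a lower-level object would move the subject's information down.
        if "write" in rights and level < clearance:
            return False, "flow rule: write to a lower level"
        held = obj.acl.get(subject, set())
        if not rights <= held:
            return False, f"ACL lacks rights {sorted(rights - held)}"
        return True, "ok"

    def audit(self, subject: str, operation: str, obj: str, allowed: bool, reason: str) -> None:
        self.audit_trail.append(AuditRecord(subject, operation, obj, allowed, reason))

    def invoke(self, session: str, operation: str, obj_name: str) -> bool:
        """The guard: authenticate, authorize, and audit the outcome either way."""
        subject = self.authenticate(session)
        obj = self.objects.get(obj_name)
        if subject is None or obj is None:
            self.audit(subject or f"session {session}", operation, obj_name, False,
                       "unauthenticated subject or unknown object")
            return False
        allowed, reason = self.authorize(subject, operation, obj)
        self.audit(subject, operation, obj_name, allowed, reason)
        return allowed

    def create_object(self, name: str, owner: str, level: str) -> Obj:
        self.objects[name] = Obj(name, owner, level, {owner: {"read", "write"}})
        return self.objects[name]

    def grant(self, granter: str, obj_name: str, subject: str, rights: Set[str]) -> bool:
        """Discretionary: only the owner decides who can do what to the object."""
        obj = self.objects[obj_name]
        allowed = granter == obj.owner
        self.audit(granter, f"grant {sorted(rights)} to {subject}", obj_name, allowed, "owner check")
        if allowed:
            obj.acl.setdefault(subject, set()).update(rights)
        return allowed

    def set_level(self, requester: str, obj_name: str, level: str) -> bool:
        """Mandatory: only the security officer changes an object's security level."""
        allowed = requester == self.security_officer and level in LEVELS
        self.audit(requester, f"set level {level}", obj_name, allowed, "security officer check")
        if allowed:
            self.objects[obj_name].level = level
        return allowed

    def capability_list(self, subject: str) -> Dict[str, Set[str]]:
        """The same rules viewed per subject (capability list) rather than per object (ACL)."""
        return {o.name: set(o.acl[subject]) for o in self.objects.values() if subject in o.acl}
```

Note that the owner's grant to Jones is recorded but cannot override the flow rule: the mandatory check runs before the ACL is consulted.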
Authentication
To answer the question, Who is responsible for this statement?, it is necessary to know what sort of entities can be responsible for statements; we call these entities principals. It is also necessary to have a way of naming the principals that is consistent between authentication and authorization, so that the result of authenticating a statement is meaningful for authorization.
A principal is a (human) user or a (computer) system. A user is a person, but a system requires some explanation. A system comprises hardware (e.g., a computer) and perhaps software (e.g., an operating system). A system can depend on another system; for example, a user-query process depends on a database management system, which depends on an operating system, which depends on a computer. As part of authenticating a system, it may be necessary to verify that the systems it depends on are trusted.
In order to express trust in a principal (e.g., to specify who can launch the rocket), one must be able to give the principal a name. The name must be independent of any information (such as passwords or encryption keys) that may change without any change in the principal itself. Also, it must be meaningful, both when access is granted and later when the trust being granted is reviewed to see whether that trust is still warranted. A naming system must be:
• Complete: every principal has a name; it is difficult or impossible to express trust in a nameless principal.
• Unambiguous: the same name does not refer to two different principals; otherwise it is impossible to know who is being trusted.
• Secure: it is easy to tell which other principals must be trusted in order to authenticate a statement from a named principal.
In a large system, naming must be decentralized to be manageable. Furthermore, it is neither possible nor wise to rely on a single principal that is trusted by every part of the system. Since systems as well as users can be principals, systems as well as users must be able to have names.
One way to organize a decentralized naming system is as a hierarchy, following the model of a tree-structured file system like the one in Unix or MS/DOS, two popular operating systems. The Consultative Committee on International Telephony and Telegraphy (CCITT) X.500 standard for naming defines such a hierarchy (CCITT, 1989b); it is meant to be suitable for naming every principal in the world. In this scheme an individual can have a name like "US/GOV/State/James_Baker." Such a naming system can be complete; there is no shortage of names, and registration can be made as convenient as desired. It is unambiguous provided each directory is unambiguous.
The CCITT also defines a standard (X.509) for authenticating a principal with an X.500 name; the section on authentication techniques below discusses how this is done (CCITT, 1989b). Note that an X.509 authentication may involve more than one agent. For example, agent A may authenticate agent B, who in turn authenticates the principal.
A remaining issue is exactly who should be trusted to authenticate a given name. In the X.509 authentication framework, typically, principals trust agents close to them in the hierarchy. A principal is less likely to trust agents farther from it in the hierarchy, whether those agents are above, below, or in entirely different branches of the tree. If a system at one point in the tree wants to authenticate a principal elsewhere, and if there is no one agent that can authenticate both, then the system must establish a chain of trust through multiple agents.⁴
Often a principal wants to act with less than its full authority, in order to reduce the damage that can be done in case of a mistake. For this purpose it is convenient to define additional principals, called roles, to provide a way of authorizing a principal to play a role, and to allow the principal to make a statement using any role for which it is authorized. For example, a system administrator might have a "normal" role and a "powerful" role. The authentication service then reports that a statement was made by a role rather than by the original principal, after verifying both that the statement came from the original principal and that he was authorized to play that role. (It is critical to ensure that the use of such roles does not prevent auditing measures from identifying the individual who is ultimately responsible for actions.)
In general, trust is not simply a matter of trusting a single user or system principal. It is necessary to trust the (hardware and software) systems through which that user is communicating. For example, suppose that a user Alice running on a workstation B is entering a transaction on a transaction server C, which in turn makes a network access to a database machine D. D's authorization decision may need to take account not just of Alice, but also of the fact that B and C are involved and must be trusted. Some of these issues do not arise in a centralized system, where a single authority is responsible for all the authentication and provides the resources for all the applications, but even in a centralized system an operation on a file, for example, is often invoked through an application, such as a word-processing program, which is not part of the base system and perhaps should not be trusted in the same way.
Such rules may be expressed by introducing new, compound principals, such as "Smith ON Workstation 4," to represent the user acting through intermediaries. Then it becomes possible to express trust in the compound principal exactly as in any other. The name "Workstation 4" identifies the intermediate system, just as the name "Smith" identifies the user.
How do we authenticate such principals? When Workstation 4 says, "Smith wants to read the file 'pay raises,'" how do we know (1) that the request is really from that workstation and not somewhere else and (2) that it is really Smith acting through Workstation 4, and not Jones or someone else?
We answer the first question by authenticating the intermediate systems as well as the users. If the resource and the intermediate are on the same machine, the operating system can authenticate the intermediate to the resource. If not, we use the cryptographic methods discussed in the section below titled "Secure Channels."
To answer the second question, we need some evidence that Smith has delegated to Workstation 4 the authority to act on his behalf. We cannot ask for direct evidence that Smith asked to read the file—if we could have that, then he would not be acting through the workstation. We certainly cannot take the workstation's word for it; then it could act for Smith no matter who is really there. But we can demand a statement that we believe is from Smith, asserting that Workstation 4 can speak for him (probably for some limited time, and perhaps only for some limited purposes). Given that Smith says, "Workstation 4 can act for me," and Workstation 4 says, "Smith says to read the file 'pay raises,'" then we can believe that Smith on Workstation 4 says, "Read the file 'pay raises.'"
There is another authentication question lurking here, namely how do we know that the software in the workstation is correctly representing Smith's intended action? Unless the application program that Smith is using is itself trusted, it is possible that the action Smith has requested has been transformed by this program into another action that Smith is authorized to execute. Such might be the case if a virus were to infect the application Smith is running on his workstation. This aspect of the authentication problem can be addressed through the use of trusted application software and through integrity mechanisms as discussed in the section "Secure Channels" below.
To authenticate the delegation statement from Smith, "Workstation 4 can act for me," we need to employ the cryptographic methods described below.
The basic service provided by authentication is information that a statement was made by some principal. An aggressive form of authentication, called nonrepudiation, can be accomplished by a digital analog of notarizing, in which a trusted authority records the signature and the time it was made (see "Digital Signatures" in Appendix B).
Authorization

Authorization determines who is trusted for a given purpose, usually for doing some operation on an object. More precisely, it determines whether a particular principal, who has been authenticated as the source of a request to do an operation on an object, is trusted for that operation on that object. (This object-oriented view of authorization also encompasses the more traditional implementations of file protection, and so forth.)
Authorization is customarily implemented by associating with the object an access control list (ACL) that tells which principals are authorized for which operations. The ACL also may refer to attributes of the principals, such as security clearances. The authorization service takes a principal, an ACL, and an operation or a set of rights, and returns "yes" or "no." This way of providing the service leaves the object free to store the ACL in any convenient place and to make its own decisions about how different parts of the object are protected. A database object, for instance, may wish to use different ACLs for different fields, so that salary information is protected by one ACL and address information by another, less restrictive one.
Often several principals have the same rights to access a number of objects. It is both expensive and unreliable to repeat the entire set of principals for each object. Instead, it is convenient to define a group of principals, give it a name, and give the group access to each of the objects. For instance, a company might define the group "executive committee." The group thus acts as a principal for the purpose of authorization, but the authorization service is responsible for verifying that the principal actually making the request is a member of the group.
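The authorization service just described, as an added example (not code from the report): it takes a principal, an ACL, and an operation and answers yes or no; ACL entries may name groups, whose membership the service itself verifies rather than trusting the requester, and may refer to a principal attribute (a clearance number); and a database object keeps one ACL per field so that salary is protected more tightly than address. The group names, the employee record, the clearance numbers and the policy are constructed for the example.

```python
"""Authorization service: (principal, ACL, operation) -> yes/no.
Added example; the groups, record and clearance values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: int = 0      # attribute an ACL entry may refer to


@dataclass(frozen=True)
class AclEntry:
    subject: str            # a user name, or a group name if is_group
    is_group: bool
    rights: frozenset
    min_clearance: int = 0  # 0 means no clearance requirement


# Group membership is held by the authorization service, not supplied by
# the requester, so a caller cannot simply claim to be a member. Constructed.
GROUPS = {
    "executive-committee": {"alice", "bob"},
    "payroll": {"carol"},
}


def matches(principal: Principal, entry: AclEntry) -> bool:
    """Does this entry apply to the principal? Group and user names are
    separate namespaces, so a user named after a group gains nothing."""
    if entry.is_group:
        return principal.name in GROUPS.get(entry.subject, set())
    return principal.name == entry.subject


def authorize(principal: Principal, acl: list, operation: str) -> bool:
    """The yes/no service: some entry must apply to the principal, grant
    the operation, and have its attribute constraint satisfied."""
    return any(
        operation in e.rights
        and matches(principal, e)
        and principal.clearance >= e.min_clearance
        for e in acl
    )


class EmployeeRecord:
    """A database object with one ACL per field (constructed policy):
    salary requires payroll with clearance 2 to write, executives may
    only read it; address is readable more widely."""

    def __init__(self, address: str, salary: int):
        self._fields = {"address": address, "salary": salary}
        self._acls = {
            "address": [
                AclEntry("payroll", True, frozenset({"read", "write"})),
                AclEntry("executive-committee", True, frozenset({"read"})),
                AclEntry("dave", False, frozenset({"read"})),
            ],
            "salary": [
                AclEntry("payroll", True, frozenset({"read", "write"}), min_clearance=2),
                AclEntry("executive-committee", True, frozenset({"read"})),
            ],
        }

    def _check(self, principal: Principal, field_name: str, op: str) -> None:
        if not authorize(principal, self._acls[field_name], op):
            raise PermissionError(f"{principal.name}: {op} {field_name} denied")

    def read(self, principal: Principal, field_name: str):
        self._check(principal, field_name, "read")
        return self._fields[field_name]

    def write(self, principal: Principal, field_name: str, value) -> None:
        self._check(principal, field_name, "write")
        self._fields[field_name] = value


def can(principal: Principal, record: EmployeeRecord, op: str, field_name: str) -> bool:
    """Decision as a boolean instead of an exception, for callers that
    only want the answer."""
    try:
        record._check(principal, field_name, op)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    rec = EmployeeRecord("1 Main St", 50000)
    print("alice reads salary:", can(Principal("alice"), rec, "read", "salary"))
    print("dave reads salary:", can(Principal("dave"), rec, "read", "salary"))
```

Because membership is resolved inside the service from its own table, a request that merely carries the group's name as its principal is refused; the same holds for a principal with a high clearance but no applicable entry, since the attribute only narrows an entry, it never grants by itself.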
In this section authorization has been discussed mainly from the viewpoint of an object, which must decide whether a principal is authorized to invoke a certain operation. In general, however, the subject doing the operation may also need to verify that the system implementing the object is authorized to do so. For instance, when logging in over a telephone line, a user may want to be sure that he has actually reached the intended system and not some other, hostile system that may try to spoof him. This process is usually called mutual authentication, although it actually involves authorization as well: statements from the object must be authenticated as coming from the system that implements the object, and the subject must have access rules to decide whether that system is authorized to do so.
Auditing

Given the reality that every computer system can be compromised from within, and that many systems can also be compromised if surreptitious access can be gained, accountability is a vital last resort. Accountability policies were discussed above, and the point was made that, for example, all significant events should be recorded and the recording mechanisms should be nonsubvertible. Auditing services support these policies. Usually they are closely tied to authentication and authorization, so that every authentication is recorded, as is every attempted access, whether authorized or not.
In addition to establishing accountability, an audit trail may also reveal suspicious patterns of access and so enable detection of improper behavior by both legitimate users and masqueraders. However, limitations to this use of audit information often restrict its use to detecting unsophisticated intruders. In practice, sophisticated intruders have been able to circumvent audit trails in the course of penetrating systems. Techniques such as the use of write-once optical disks, cryptographic protection, and remote storage of audit trails can help counter some of these attacks on the audit database itself, but these measures do not address all the vulnerabilities of audit mechanisms. Even in circumstances where audit trail information could be used to detect penetration attempts, a problem arises in processing and interpreting the audit data. Both statistical and expert-system approaches are currently being tried, but their utility is as yet unproven (Lunt, 1988).
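The two paragraphs above describe three things: an audit service tied to the authorization decision so that every attempt is recorded, cryptographic protection of the trail against an intruder who reaches the audit database, and a statistical screen that catches only unsophisticated probing. The following is an added example of all three, not code from the report. Each record is chained to its predecessor by an HMAC; the key is assumed to be held by a separate audit server (standing in for the remote storage the text mentions), and the verifier is also given the last tag it learned out of band, because a chain that is merely cut short after a good record would otherwise still verify. The key, policy, principals and threshold are constructed.

```python
"""Audit trail with HMAC-chained records and a crude statistical screen.
Added example; key, policy, principals and threshold are constructed."""
import hashlib
import hmac
import json
from collections import Counter

ANCHOR = b"\x00" * 32  # chain value "before" the first record


class AuditTrail:
    """Append-only trail. Each tag covers the previous tag and the record,
    so altering or removing an earlier record invalidates every later tag.
    Assumption: the key lives with the audit server, not the audited host."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []      # list of (record dict, tag bytes)
        self.last_tag = ANCHOR

    def _tag(self, prev_tag: bytes, record: dict) -> bytes:
        body = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, prev_tag + body, hashlib.sha256).digest()

    def append(self, event: str, principal: str, obj=None, outcome=None) -> bytes:
        record = {"seq": len(self.records), "event": event,
                  "principal": principal, "object": obj, "outcome": outcome}
        tag = self._tag(self.last_tag, record)
        self.records.append((record, tag))
        self.last_tag = tag
        return tag

    def verify(self, expected_last_tag=None):
        """Recompute the chain; returns (ok, index of first bad record).
        Truncation after a good record still chains, so the caller passes
        the last tag it learned out of band (e.g. from the remote copy)."""
        prev = ANCHOR
        for i, (record, tag) in enumerate(self.records):
            if not hmac.compare_digest(self._tag(prev, record), tag):
                return False, i
            prev = tag
        if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
            return False, len(self.records)
        return True, None


def mediate(trail: AuditTrail, policy: dict, principal: str, obj: str, op: str) -> bool:
    """Authorization decision with every attempt recorded, granted or not.
    `policy` maps (principal, object) to the set of permitted operations."""
    allowed = op in policy.get((principal, obj), set())
    trail.append("access", principal, obj, "granted" if allowed else "denied")
    return allowed


def suspicious_principals(trail: AuditTrail, max_denied: int = 3) -> list:
    """Statistical screen: principals refused more than `max_denied` times.
    Catches unsophisticated probing only; an intruder who first subverts
    the host can avoid leaving such a pattern."""
    denied = Counter(r["principal"] for r, _ in trail.records
                     if r["event"] == "access" and r["outcome"] == "denied")
    return sorted(p for p, n in denied.items() if n > max_denied)


def demo() -> AuditTrail:
    """Constructed activity: one legitimate user and one probing account."""
    trail = AuditTrail(key=b"constructed-audit-key")
    policy = {("smith", "payroll.db"): {"read"}}
    trail.append("login", "smith", outcome="success")
    mediate(trail, policy, "smith", "payroll.db", "read")
    for target in ("payroll.db", "salary.db", "passwd", "audit.log"):
        mediate(trail, policy, "mallory", target, "write")
    return trail


if __name__ == "__main__":
    t = demo()
    print("flagged:", suspicious_principals(t), "chain ok:", t.verify(t.last_tag))
```

The chain makes modification of a stored record detectable by anyone holding the key, and the out-of-band last tag makes deletion of the newest records detectable; neither helps against an intruder who controls the host before the records are written, which is the limitation the text points out.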
IMPLEMENTATION: THE TRUSTED COMPUTING BASE

This section explores how to build a system that meets the kind of security specifications discussed earlier, and how to establish confidence that it does meet them. Systems are built of components; a system also depends on its components. This means that the components have to work (i.e., meet their specifications) for the system to work (i.e., meet its specification). Note, however, that not all components of a system have to work properly in order for a given aspect of the system to function properly. Thus security properties need not depend on all components of a system working correctly; rather, only the security-relevant components must function properly.
Each component is itself a system with specifications and implementation, and so the concept of a system applies at all levels. For example, a distributed system depends on a network, workstations, servers, mainframes, printers, and so forth. A workstation depends on a display, keyboard, disk, processor, network interface, operating system, and, for example, a spreadsheet application. A processor depends on integrated circuit chips, wires, circuit boards, and connectors. A spreadsheet depends on display routines, an arithmetic library, and a macro language processor, and so it goes down to the basic operations of the programming language, which in turn depend on the basic operations of the machine, which in turn depend on changes in the state of the chips and wires, for example. A chip depends on adders and memory cells, and so it goes down to the electrons and photons, whose behavior is described by quantum electrodynamics.
A component must be trusted if it has to work for the system to meet its security specification. The set of trusted hardware and software components is called the trusted computing base (TCB). If a component is in the TCB, so is every component that it depends on, because if they do not work, it is not guaranteed to work either. As was established previously, the concern in this discussion is security, and so the trusted components need to be trusted only to support security in this context.
Note that a system depends on more than its hardware and software. The physical environment and the people who use, operate, and manage it are also components of the system. Some of them must also be trusted. For example, if the power fails, a system may stop providing service; thus the power source must be trusted for availability. Another example: every system has security officers who set security levels, authorize users, and so on; they must be trusted to do this properly. Yet another: the system may disclose information only to authorized users, and they must be trusted not to publish the information in the newspaper. Thus when trust is assessed, the security of the entire system must be evaluated, using the basic principles of analyzing dependencies, minimizing the number and complexity of trusted components, and carefully analyzing each one.
From a TCB perspective, three key aspects of implementing a secure system are the following (derived from Anderson, 1972):

1. Keeping the TCB as small and simple as possible to make it amenable to detailed analysis;
2. Ensuring that the TCB mediates all accesses to data and programs that are to be protected; that is, it must not be possible to bypass the TCB; and
3. Making certain that the TCB itself cannot be tampered with, that is, that programs outside the TCB cannot maliciously modify the TCB software or data structures.
The basic method for keeping the TCB small is to separate out all the nonsecurity functions into untrusted components. For example, an elevator has a very simple braking mechanism whose only job is to stop the elevator if it starts to move at a speed faster than a fixed maximum, no matter what else goes wrong. The rest of the elevator control mechanism may be very complex, involving scheduling of several elevators or responding to requests from various floors, but none of this must be trusted for safety, because the braking mechanism does not depend on anything else. In this case, the braking mechanism is called the safety kernel.
A purchasing system may also be used to illustrate the relative smallness of a TCB. A large and complicated word processor may be used to prepare orders, but the TCB can be limited to a simple program that displays the completed order and asks the user to confirm it. An even more complicated database system may be used to find the order that corresponds to an arriving shipment, but the TCB can be limited to a simple program that displays the received order and a proposed payment authorization and asks the user to confirm them. If the order and authorization can be digitally signed (using methods described below), even the components that store them need not be in the TCB.
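The purchasing system above, as an added example that is not code from the report: the TCB is reduced to two small programs, one that displays the completed order and signs exactly the text it displayed, and one that checks that signature before displaying the order together with a proposed payment. The editor that drafts the order and the store that keeps it are untrusted, and a corrupted store is caught at payment time. Python's standard library has no public-key signature, so an HMAC under a key shared only by the two trusted programs stands in for the digital signature here (with a real signature the payment program would need only the public key); that key, the order, the shipment and the yes/no callbacks are constructed.

```python
"""Purchasing TCB: confirm-and-sign, then verify-and-authorize-payment.
Added example; HMAC stands in for a digital signature, key and data are
constructed."""
import hashlib
import hmac
import json


def sign_text(key: bytes, text: str) -> str:
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def signature_valid(key: bytes, text: str, sig: str) -> bool:
    return hmac.compare_digest(sign_text(key, text), sig)


class ConfirmAndSign:
    """Trusted: shows the order and signs the exact text shown, so nothing
    the untrusted editor does after the display can be signed."""

    def __init__(self, key: bytes, ask_user):
        self._key = key
        self._ask = ask_user    # assumed trusted-path prompt: text -> bool

    def confirm(self, order: dict):
        shown = json.dumps(order, sort_keys=True)   # canonical form
        if not self._ask("Confirm order?\n" + shown):
            return None
        return {"text": shown, "sig": sign_text(self._key, shown)}


class PaymentAuthorizer:
    """Trusted: verifies the stored order before showing it with the
    proposed payment, then signs the payment the user confirmed."""

    def __init__(self, key: bytes, ask_user):
        self._key = key
        self._ask = ask_user

    def authorize(self, signed_order: dict, shipment: dict):
        if not signature_valid(self._key, signed_order["text"], signed_order["sig"]):
            raise ValueError("stored order fails signature check")
        order = json.loads(signed_order["text"])
        if shipment["items"] != order["items"]:
            raise ValueError("shipment does not match order")
        payment = {"order_id": order["id"], "payee": order["supplier"],
                   "amount": order["total"]}
        shown = json.dumps(payment, sort_keys=True)
        if not self._ask("Authorize payment?\n" + shown):
            return None
        return {"text": shown, "sig": sign_text(self._key, shown)}


def untrusted_editor(order_id: int) -> dict:
    """Stands in for the large word processor; its output is unverified."""
    return {"id": order_id, "supplier": "Acme",
            "items": ["widget", "gasket"], "total": 100}


def run_purchase(key: bytes, tamper=None, shipment_items=None,
                 approve=lambda text: True):
    """End-to-end flow over an untrusted store. `tamper`, if given, edits
    the stored order text as a corrupt database might. Returns
    ("paid", signed payment), ("declined", None) or ("rejected", reason)."""
    store = {}                                   # untrusted storage
    signed = ConfirmAndSign(key, approve).confirm(untrusted_editor(1))
    if signed is None:
        return ("declined", None)
    store[1] = signed
    if tamper:
        store[1] = {"text": tamper(store[1]["text"]), "sig": store[1]["sig"]}
    shipment = {"order_id": 1,                   # constructed arrival
                "items": shipment_items or ["widget", "gasket"]}
    try:
        payment = PaymentAuthorizer(key, approve).authorize(store[1], shipment)
    except ValueError as err:
        return ("rejected", str(err))
    return ("paid", payment) if payment else ("declined", None)


if __name__ == "__main__":
    print(run_purchase(b"constructed-tcb-key"))
    print(run_purchase(b"constructed-tcb-key",
                       tamper=lambda t: t.replace('"total": 100', '"total": 1000')))
```

The point of the canonical form is that what is signed is byte-for-byte what the user saw; the order's later journey through the untrusted database changes nothing the payment program will accept.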
The basic method for finding dependencies, relevant to ensuring that the TCB mediates access to protected data and programs and to making the TCB tamperproof, is careful analysis of how each step in building and executing a system is carried out. Ideally assurance for each system is given by a formal mathematical proof that the system satisfies its specification provided all its components do. In practice such proofs are only sometimes feasible, because it is hard to formalize the specifications and to carry out the proofs. Moreover, every such proof is conditioned on the assumption that the components work and have not been tampered with. (See the Chapter 4 section "Formal Specification and Verification" for a description of the state of the art.) In practice, assurance is also garnered by relying on components that have worked for many people, trusting implementors not to be malicious, carefully writing specifications for components, and carefully examining implementations for dependencies and errors. Because there are so many bases to cover, and because every base is critical to assurance, there are bound to be mistakes.

Hence two other important aspects of assurance are redundant checks like the security perimeters discussed below, and methods, such as audit trails and backup databases, for recovering from failures.
The main components of a TCB are discussed below in the sections headed "Computing" and "Communications." This division reflects the fact that a modern distributed system is made up of computers that can be analyzed individually but that must communicate with each other quite differently from the way each communicates internally.

Computing

The computing part of the TCB includes the application programs, the operating system that they depend on, and the hardware (processing and storage) that both depend on.
Hardware

Since software consists of instructions that must be executed by hardware, the hardware must be part of the TCB. The hardware is depended on to isolate the TCB from the untrusted parts of the system. To do this, it suffices for the hardware to provide for a "user state" in which a program can access only the ordinary computing instructions and restricted portions of the memory, as well as a "supervisor state" in which a program can access every part of the hardware. Most contemporary computers above the level of personal computers tend to incorporate these facilities. There is no strict requirement for fancier hardware features, although they may improve performance in some architectures.
The only essential, then, is to have simple hardware that is trustworthy. For most purposes the ordinary care that competent engineers take to make the hardware work is good enough. It is possible to get higher assurance by using formal methods to design and verify the hardware; this has been done in several projects, of which the VIPER verified microprocessor chip (for a detailed description see Appendix B) is an example (Cullyer, 1989). There is a mechanically checked proof to show that the VIPER chip's gate-level design implements its specification. VIPER pays the usual price for high assurance: it is several times slower than ordinary microprocessors built at the same time.
Another approach to using hardware to support high assurance is to provide a separate, simple processor with specialized software to implement the basic access control services. If this hardware controls the computer's memory access mechanism and forces all input/output data to be encrypted, that is enough to keep the rest of the hardware and software out of the TCB. (This requires that components upstream of the security hardware do not share information across security classes.) This approach has been pursued in the LOCK project, which is described in detail in Appendix B.
Unlike the other components of a computing system, hardware is physical and has physical interactions with the environment. For instance, someone can open a cabinet containing a computer and replace one of the circuit boards. If this is done with malicious intent, obviously all bets are off about the security of the computer. It follows that physical security of the hardware must be assured.

There are less obvious physical threats. In particular, computer hardware involves changing electric and magnetic fields, and it therefore generates electromagnetic radiation (often called emanations)⁵ as a byproduct of normal operation. Because this radiation can be a way for information to be disclosed, ensuring confidentiality may require that it be controlled. Similarly, radiation from the environment can affect the hardware.
Operating System

The job of an operating system is to share the hardware among application programs and to provide generic security services so that most applications do not need to be part of the TCB. This layering of security services is useful because it keeps the TCB small, since there is only one operating system for many applications. Within the operating system itself the idea of layering or partitioning can be used to divide the operating system into a kernel that is part of the TCB and into other components that are not (Gasser, 1988). How to do this is well known.
The operating system provides an authorization service by controlling subjects' (processes) accesses to objects (files and communication devices such as terminals). The operating system can enforce various security models for these objects, which may be enough to satisfy the security policy. In particular it can enforce a flow model, which is sufficient for the DOD confidentiality policy, as long as it is able to keep track of security levels at the coarse granularity of whole files.<br />
To enforce an integrity policy like the purchasing system policy described above, there must be some trusted applications to handle functions like approving orders. The operating system must be able to treat these applications as principals, so that they can access objects that the untrusted applications running on behalf of the same user cannot access. Such applications are protected subsystems.<br />
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age<br />
http://www.nap.edu/catalog/1581.html<br />
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.<br />
TECHNOLOGY TO ACHIEVE SECURE COMPUTER SYSTEMS 93<br />
Applications and the Problem of Malicious Code<br />
Ideally applications should not be part of the TCB, since they are numerous, are often large and complicated, and tend to come from a variety of sources that are difficult to police. Unfortunately, attempts to build applications, such as electronic mail or databases that can handle multiple levels of classified information, on top of an operating system that enforces flow have had limited success. It is necessary to use a different operating system object for information at each security level, and often these objects are large and expensive. And to implement an integrity policy, it is always necessary to trust some application code. Again, it seems best to apply the kernel method, putting the code that must be trusted into separate components that are protected subsystems. The operating system must support this approach (Honeywell, 1985–1988).<br />
In most systems any application program running on behalf of a user has full access to all that the user can access. This is considered acceptable on the assumption that the program, although it may not be trusted to always do the right thing, is unlikely to do an intolerable amount of damage. But suppose that the program does not just do the wrong thing, but is actively malicious? Such a program, which appears to do something useful but has hidden within it the ability to cause serious damage, is called a Trojan horse. When a Trojan horse runs, it can do a great deal of damage: delete files, corrupt data, send a message with the user's secrets to another machine, disrupt the operation of the host, waste machine resources, and so forth. There are many places to hide a Trojan horse: the operating system, an executable program, a shell command file, or a macro in a spreadsheet or word-processing program are only a few of the possibilities. Moreover, a compiler or other program development tool with a Trojan horse can insert secondary Trojan horses into the programs it generates.<br />
The danger is even greater if the Trojan horse can also make copies of itself. Such a program is called a virus. Because it can spread quickly in a computer network or by copying disks, a virus can be a serious threat ("Viruses," in Appendix B, gives more details and describes countermeasures). Several examples of viruses have infected thousands of machines.<br />
Communications<br />
Methods for dealing with communications and security for distributed systems are less well developed than those for stand-alone centralized systems; distributed systems are both newer and more complex. There<br />
is no consensus about methods to provide security for distributed systems, but a TCB for a distributed system can be built out of suitable trusted elements running on the various machines that the system comprises. The committee believes that distributed systems are now well enough understood that this approach to securing such systems should also become recognized as effective and appropriate in achieving security.<br />
A TCB for communications has two important aspects: secure channels for facilitating communication among the various parts of a system, and security perimeters for restricting communication between one part of a system and the rest.<br />
Secure Channels<br />
The access control model describes the working of a system in terms of requests for operations from a subject to an object and corresponding responses, whether the system is a single computer or a distributed system. It is useful to explore the topic of secure communication separately from the discussions above of computers, subjects, or objects so as to better delineate the fundamental concerns that underlie secure channels in a broad range of computing contexts.<br />
A channel is a path by which two or more principals communicate. A secure channel may be a physically protected path (e.g., a physical wire, a disk drive and associated disk, or memory protected by hardware and an operating system) or a logical path secured by encryption. A channel need not operate in real time: a message sent on a channel may be read much later, for instance, if it is stored on a disk. A secure channel provides integrity (a receiver can know who originally created a message that is received and that the message is intact (unmodified)), confidentiality (a sender can know who can read a message that is sent), or both. 6 The process of finding out who can send or receive on a secure channel is called authenticating the channel; once a channel has been authenticated, statements and requests arriving on it are also authenticated.<br />
Typically the secure channels between subjects and objects inside a computer are physically protected: the wires in the computer are assumed to be secure, and the operating system protects the paths by which programs communicate with each other, using methods described above for implementing TCBs. This is one aspect of a broader point: every component of a physically protected channel is part of the TCB and must meet a security specification. If a wire connects two computers, it may be difficult to secure physically, especially if the computers are in different buildings.<br />
To keep wires out of the TCB we resort to encryption, which makes it possible to have a channel whose security does not depend on the security of any wires or intermediate systems through which the messages are passed. Encryption works by computing from the data of the original message, called the clear text or plaintext, some different data, called the ciphertext, which is actually transmitted. A corresponding decryption operation at the receiver takes the ciphertext and computes the original plaintext. A good encryption scheme reflects the concept that there are some simple rules for encryption and decryption, and that computing the plaintext from the ciphertext, or vice versa, without knowing the rules is too difficult to be practical. This should be true even for one who already knows a great deal of other plaintext and its corresponding ciphertext.<br />
Encryption thus provides a channel with confidentiality and integrity. All the parties that know the encryption rules are possible senders, and those that know the decryption rules are possible receivers. Obtaining many secure channels requires having many sets of rules, one for each channel, and dividing the rules into two parts, the algorithm and the key. The algorithm is fixed, and everyone knows it. The key can be expressed as a reasonably short sequence of characters, a few hundred at most. It is different for each secure channel and is known only to the possible senders or receivers. It must be fairly easy to generate new keys that cannot be easily guessed.<br />
The two kinds of encryption algorithms are described below. It is important to have some understanding of the technical issues involved in order to appreciate the policy debate about controls that limit the export of popular forms of encryption (Chapter 6) and influence what is actually available on the market. 7<br />
1. Symmetric (secret or private) key encryption, in which the same key is used to send and receive (i.e., to encrypt and decrypt). The key must be known only to the possible senders and receivers. Decryption of a message using the secret key shared by a receiver and a sender can provide integrity for the receiver, assuming the use of suitable error-detection measures. The Data Encryption Standard (DES) is the most widely used, published symmetric encryption algorithm (NBS, 1977).<br />
2. Asymmetric (public) key encryption, in which different keys are used to encrypt and decrypt. The key used to encrypt a message for confidentiality in asymmetric encryption is a key made publicly known by the intended receiver and identified as being associated with him, but the corresponding key used to decrypt the message is known only to that receiver. Conversely, a key used to encrypt a message for integrity (to digitally sign the message) in asymmetric<br />
encryption is known only to the sender, but the corresponding key used to decrypt the message (validate the signature) must be publicly known and associated with that sender. Thus the security services to ensure confidentiality and integrity are provided by different keys in asymmetric encryption. The Rivest-Shamir-Adleman (RSA) algorithm is the most widely used form of public-key encryption (Rivest et al., 1978).<br />
Known algorithms for asymmetric encryption run at relatively slow rates (a few thousand bits per second at most), whereas it is possible to buy hardware that implements DES at rates of up to 45 megabits per second, and an implementation at a rate of 1 gigabit per second is feasible with current technology. A practical design therefore uses symmetric encryption for handling bulk data and uses asymmetric encryption only for distributing symmetric keys and for a few other special purposes. Appendix B's "Cryptography" section gives details on encryption.<br />
A digital signature provides a secure channel for sending a message to many receivers who may see the message long after it is sent and who are not necessarily known to the sender. Digital signatures may have many important applications in making a TCB smaller. For instance, in the purchasing system described above, if an approved order is signed digitally, it can be stored outside the TCB, and the payment component can still trust it. See the Appendix B section headed "Digital Signatures" for a more careful definition and some discussion of how to implement digital signatures.<br />
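The practical design described above (symmetric encryption for the bulk data, asymmetric encryption only to distribute the symmetric key), as an added example that is not the book's own code: the message goes under a fresh AES-GCM key (used here in place of the DES the book mentions, which has since been withdrawn), and only that 32-byte key is encrypted with the receiver's RSA public key. The Envelope type and the Seal and Open names are this example's own assumptions.<br />

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what actually travels over the untrusted wire. The field
// names are this example's own, not a standardised format.
type Envelope struct {
	WrappedKey []byte // the symmetric key, encrypted with RSA-OAEP to the receiver
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output: encrypted bulk data plus integrity tag
}

// Seal protects plaintext for the holder of receiverPub. The bulk data go
// under a random 256-bit AES-GCM key; the slow asymmetric operation is
// applied only to those 32 key bytes, however large the message is.
func Seal(receiverPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. Only the holder of receiverPriv can unwrap the key,
// and GCM checks its integrity tag, so a ciphertext altered in transit is
// rejected rather than decrypted to garbage.
func Open(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	receiver, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload, far larger than a single RSA operation
	// could encrypt directly.
	msg := bytes.Repeat([]byte("purchase order 4711: approved\n"), 500)
	env, err := Seal(&receiver.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	out, err := Open(receiver, env)
	fmt.Println("round trip intact:", err == nil && bytes.Equal(out, msg))
	env.Ciphertext[0] ^= 0x01 // simulate corruption on the wire
	_, err = Open(receiver, env)
	fmt.Println("tampered message rejected:", err != nil)
}
```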
Authenticating Channels<br />
Given a secure channel, it is still necessary to find out who is at the other end, that is, to authenticate it. The first step is to authenticate a channel from one computer system to another. The simplest way to do this is to ask for a password. Then if there is a way to match up the password with a principal, authentication is complete. The trouble with a password is that the receiver can misrepresent himself as the sender to anyone else who trusts the same password. As with symmetric encryption, this means that one needs a separate password to authenticate himself to every system that one trusts differently. Furthermore, anyone who can read (or eavesdrop on) the channel also can impersonate the sender. Popular computer network media such as Ethernet or token rings are vulnerable to such abuses.<br />
The need for a principal to use a unique symmetric key to authenticate himself to every different system can be addressed by using a trusted<br />
third party to act as an intermediary in the cryptographic authentication process, a concept that has been understood for some time (Branstad, 1973; Kent, 1976; Needham and Schroeder, 1978). This approach, using symmetric encryption to achieve authentication, is now embodied in the Kerberos authentication system (Miller et al., 1987; Steiner et al., 1988). However, the requirement that this technology imposes, namely the need to trust a third party with keys that may be used (directly or indirectly) to encrypt the principal's data, may have hampered its widespread adoption.<br />
Both of these problems can be overcome by challenge-response authentication schemes. These schemes make it possible to prove that a secret is known without disclosing it to an eavesdropper. The simplest scheme to explain as an example is based on asymmetric encryption, although schemes based on the use of symmetric encryption (Kent et al., 1982) have been developed, and zero-knowledge techniques have been proposed (Chaum, 1983). The challenger finds out the public key of the principal being authenticated, chooses a random number, and sends it to the principal encrypted using both the challenger's private key and the principal's public key. The principal decrypts the challenge using his private key and the public key of the challenger, extracts the random number, and encrypts the number with his private key and the challenger's public key and sends back the result. The challenger decrypts the result using his private key and the principal's public key; if he gets back the original number, he knows that the principal must have done the encrypting. 8<br />
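The exchange just described, as an added example that is not the book's own code, using Go's standard-library RSA: "encrypt with the sender's private key" is realised as an RSA-PSS signature and "encrypt with the recipient's public key" as RSA-OAEP, since raw RSA exponentiation is not used this way in practice. Party, Packet, Challenge, Respond and Verify are names assumed for this illustration, and each side is assumed to already hold the other's public key.<br />

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one principal's key pair. Each side is assumed to have
// already learned the other's public key, for example from a certificate.
type Party struct {
	Priv *rsa.PrivateKey
	Pub  *rsa.PublicKey
}

// Packet is one protocol message: the random number encrypted for the
// recipient's public key plus the sender's signature over it, which is
// the modern form of "encrypting with the sender's private key".
type Packet struct {
	Enc []byte
	Sig []byte
}

func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Priv: k, Pub: &k.PublicKey}, nil
}

// seal signs value as sender and encrypts it for recipient's public key.
func seal(sender *Party, recipient *rsa.PublicKey, value []byte) (*Packet, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, value, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(value)
	sig, err := rsa.SignPSS(rand.Reader, sender.Priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Packet{Enc: enc, Sig: sig}, nil
}

// open decrypts with the recipient's private key and checks that the
// claimed sender really signed the value; either failure is a reject.
func open(recipient *Party, sender *rsa.PublicKey, p *Packet) ([]byte, error) {
	value, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Priv, p.Enc, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(value)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], p.Sig, nil); err != nil {
		return nil, errors.New("signature does not match claimed sender")
	}
	return value, nil
}

// Challenge picks a fresh random number and seals it for the principal.
// A new number per run is what makes a recorded response useless later.
func Challenge(challenger *Party, principalPub *rsa.PublicKey) ([]byte, *Packet, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	p, err := seal(challenger, principalPub, nonce)
	return nonce, p, err
}

// Respond opens the challenge, which only the holder of the principal's
// private key can do, and seals the same number back for the challenger.
func Respond(principal *Party, challengerPub *rsa.PublicKey, c *Packet) (*Packet, error) {
	nonce, err := open(principal, challengerPub, c)
	if err != nil {
		return nil, err
	}
	return seal(principal, challengerPub, nonce)
}

// Verify accepts only if the original number comes back; the number
// itself never crossed the wire in the clear.
func Verify(challenger *Party, principalPub *rsa.PublicKey, nonce []byte, r *Packet) bool {
	got, err := open(challenger, principalPub, r)
	return err == nil && bytes.Equal(got, nonce)
}

func main() { // demo driver only; errors are ignored here for brevity
	challenger, _ := NewParty()
	principal, _ := NewParty()
	nonce, c, _ := Challenge(challenger, principal.Pub)
	r, _ := Respond(principal, challenger.Pub, c)
	fmt.Println("principal authenticated:", Verify(challenger, principal.Pub, nonce, r))
}
```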
How does the challenger learn the principal's public key? The CCITT X.509 standard defines a framework for authenticating a secure channel to a principal with an X.500 name; this is done by authenticating the principal's public key using certificates that are digitally signed. Such a certificate, signed by a trusted authority, gives a public key, K, and asserts that a message signed by K can be trusted to come from the principal. The standard does not define how other channels to the principal can be authenticated, but technology for doing this is well understood. An X.509 authentication may involve more than one agent. For example, agent A may authenticate agent B, who in turn authenticates the principal. (For a more thorough discussion of this sort of authentication, see X.509 (CCITT, 1989b) and subsequent papers that identify and correct a flaw in the X.509 three-way authentication protocol (e.g., Burrows et al., 1989).)<br />
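The multi-agent case above (agent A vouches for agent B, who vouches for the principal), as an added example that is not from the book: a root, an intermediate and a leaf certificate are issued with Go's crypto/x509, and the leaf is accepted only when it chains through the presented intermediate to a root the verifier already trusts. The agent names and the principal's name are constructed, and BuildChain and VerifyChain are this example's own.<br />

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is what a relying party holds: the trusted root, the intermediate
// presented with the leaf, and the leaf itself.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// issue generates a key pair and a certificate binding name to its public
// key, signed by parentKey (self-signed when parent is nil). Constructed.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // a root vouches for itself
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues a hierarchy in which agent A (a root) certifies agent B
// (an intermediate), who certifies the principal. It also returns an
// unrelated root that has vouched for none of them, for the negative case.
func BuildChain(principalName string) (Chain, *x509.Certificate, error) {
	var firstErr error
	mk := func(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, err := issue(name, isCA, parent, parentKey)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, k
	}
	a, aKey := mk("Agent A (root)", true, nil, nil)
	b, bKey := mk("Agent B (intermediate)", true, a, aKey)
	leaf, _ := mk(principalName, false, b, bKey)
	other, _ := mk("Unrelated root", true, nil, nil)
	return Chain{Root: a, Intermediate: b, Leaf: leaf}, other, firstErr
}

// VerifyChain accepts the leaf only if it chains through the presented
// intermediate to the trusted root, is within its validity period, is
// permitted for client authentication, and names the expected principal.
func VerifyChain(c Chain, expectedName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Leaf.Verify(opts); err != nil {
		return err
	}
	if c.Leaf.Subject.CommonName != expectedName {
		return fmt.Errorf("certificate names %q, not %q", c.Leaf.Subject.CommonName, expectedName)
	}
	return nil
}

func main() {
	chain, _, err := BuildChain("principal@example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("chain verified:", VerifyChain(chain, "principal@example.test") == nil)
}
```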
Challenge-response schemes solve the problem of authenticating one computer system to another. Authenticating a user is more difficult, since users are not good at doing encryption or remembering large, secret quantities. One can be authenticated by what one knows (a<br />
password), wh<strong>at</strong> one is (as characterized by biometrics), or wh<strong>at</strong> one has (a<br />
"smart card" or token).<br />
The use of a password is the traditional method. Its drawbacks have already been explained and are discussed in more detail in the section titled "Passwords" in Appendix B.
Biometrics involves measuring some physical characteristics of a person—handwriting, fingerprints, or retinal patterns, for example—and transmitting this information to the system that is authenticating the person (Holmes et al., 1990). The problems are forgery and compromise. It may be easy to substitute a mold of someone else's finger, especially if the impersonator is not being watched. Alternatively, anyone who can bypass the physical reader and simply inject the bits derived from the biometric scanning can impersonate the person, a critical concern in a distributed system environment. Perhaps the greatest problem associated with biometric authentication technology to date has been the cost of equipping terminals and workstations with the input devices necessary for most of these techniques (note 9).
By providing the user with a tiny computer that can be carried around and will act as an agent of authentication, a smart card or token reduces the problem of authenticating a user to the problem of authenticating a computer (NIST, 1988). A smart card fits into a special reader and communicates electrically with a system; a token has a keypad and display, and the user keys in a challenge, reads the response, and types it back to the system (see, for example, the product Racal Watchword). (At least one token authentication system (Security Dynamics' SecurID) relies on time as an implicit challenge, and thus the token used with this system requires no keypad.) A smart card or token is usually combined with a password to keep it from being easily used if it is lost or stolen; automatic teller machines require a card and a personal identification number (PIN) for the same reason.
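As an added illustration (this code is not from the report or from either product named above), the following Python sketch shows both token styles just described: a keypad token that turns a server-issued challenge into a short numeric response, and a clock-synchronized token that uses the current time step as the implicit challenge, with the server tolerating one step of drift in either direction. It also shows the PIN check that is combined with the token. The shared secret, the 60-second step, the six-digit display and the PBKDF2 PIN storage are assumptions of the example; the truncation of the MAC to a displayable number follows the HOTP method (RFC 4226).

```python
import hashlib
import hmac
import secrets
import struct
import time

DIGITS = 6            # length of the number shown on the token display (assumed)
STEP_SECONDS = 60     # time step of the clock-based token (assumed)


def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    """Dynamic truncation as in HOTP (RFC 4226): take 4 bytes at an offset
    chosen by the low nibble of the last MAC byte, clear the sign bit and
    reduce modulo 10**digits so the result fits a small keypad display."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def new_challenge() -> str:
    """Server side: a fresh random 8-digit challenge shown to the user."""
    return str(secrets.randbelow(10 ** 8)).zfill(8)


def keypad_token_response(token_secret: bytes, challenge: str) -> str:
    """Token side: what the device displays after the user keys in the challenge."""
    mac = hmac.new(token_secret, challenge.encode("ascii"), hashlib.sha256).digest()
    return _truncate(mac)


def verify_keypad_response(token_secret: bytes, challenge: str, typed: str) -> bool:
    """Server side: recompute the response for the challenge it issued."""
    return hmac.compare_digest(keypad_token_response(token_secret, challenge), typed)


def time_token_response(token_secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Token side for the clock-based variant: the current time step is the
    implicit challenge, so the token needs no keypad."""
    counter = int(now) // step
    mac = hmac.new(token_secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac)


def verify_time_response(token_secret: bytes, typed: str, now: int,
                         step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Server side: accept the current step and its neighbours so that a token
    whose clock has drifted slightly is still usable."""
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = time_token_response(token_secret, now + delta * step, step)
        ok |= hmac.compare_digest(candidate, typed)
    return ok


def enroll_pin(pin: str) -> dict:
    """Store a salted, stretched hash of the PIN rather than the PIN itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return {"salt": salt, "digest": digest}


def verify_pin(record: dict, pin: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], 100_000)
    return hmac.compare_digest(digest, record["digest"])


def verify_two_factor(token_secret: bytes, pin_record: dict, pin: str,
                      typed_code: str, now: int) -> bool:
    """Token plus PIN, the combination the text describes: both factors are
    evaluated before any decision, so a lost or stolen token alone is useless."""
    pin_ok = verify_pin(pin_record, pin)
    code_ok = verify_time_response(token_secret, typed_code, now)
    return pin_ok and code_ok


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    chal = new_challenge()
    print("challenge:", chal, "response:", keypad_token_response(secret, chal))
    print("time code now:", time_token_response(secret, int(time.time())))
```

The keypad variant needs no clock but requires the user to type the challenge; the clock variant is simpler to use but the server has to accept a small window of steps, and each accepted extra step widens what a guessed code can match.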
Security Perimeters

A distributed system can become very large; systems with 50,000 computers exist today, and they are growing rapidly. In a large system no single agent will be trusted by everyone; security must take account of this fact. Security is only as strong as its weakest link. To control the amount of damage that a security breach can do and to limit the scope of attacks, a large system may be divided into parts, each surrounded by a security perimeter. The methods described above can in principle provide a high level of security even in a very large system that is accessible to many malicious principals. But implementing these methods throughout a system is sure to be difficult and time-consuming, and ensuring that they are used correctly is likely to be even more difficult. The principle of "divide and conquer" suggests that it may be wiser to divide a large system into smaller parts and to restrict severely the ways in which these parts can interact with each other.
The idea is to establish a security perimeter around part of a system and to disallow fully general communication across the perimeter. Instead, carefully managed and audited gates in the perimeter allow only certain limited kinds of traffic (e.g., electronic mail, but not file transfers). A gate may also restrict the pairs of source and destination systems that can communicate through it.
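As an added example (not from the report), here is a small Python model of such a gate: an ordered list of rules matched on source network, destination network and kind of traffic, with anything unmatched denied and every decision written to an audit record. The address ranges, the mail-relay host and the rule set are assumptions chosen to mirror the mail-but-not-file-transfer policy described above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class GateRule:
    src: Network
    dst: Network
    kind: str      # kind of traffic, e.g. "mail", "file-transfer", "terminal"
    allow: bool


@dataclass
class PerimeterGate:
    rules: List[GateRule]
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def decide(self, src_ip: str, dst_ip: str, kind: str) -> bool:
        """First matching rule wins; no match means deny. Every decision,
        including the default deny, is recorded for audit."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if src in rule.src and dst in rule.dst and rule.kind == kind:
                verdict = "allow" if rule.allow else "deny"
                self.audit.append((src_ip, dst_ip, kind, verdict))
                return rule.allow
        self.audit.append((src_ip, dst_ip, kind, "deny (default)"))
        return False


INSIDE = Network("10.1.0.0/16")        # assumed address range inside the perimeter
MAIL_RELAY = Network("10.1.0.25/32")   # assumed host that exchanges mail with outside
ANYWHERE = Network("0.0.0.0/0")


def build_mail_only_gate() -> PerimeterGate:
    """A mail-only perimeter: outside systems may deliver mail to the relay
    and the relay may send mail out; file transfers, terminal connections
    and mail to any other inside host fall through to the default deny."""
    return PerimeterGate(rules=[
        GateRule(src=ANYWHERE, dst=MAIL_RELAY, kind="mail", allow=True),
        GateRule(src=MAIL_RELAY, dst=ANYWHERE, kind="mail", allow=True),
    ])


if __name__ == "__main__":
    gate = build_mail_only_gate()
    gate.decide("192.0.2.10", "10.1.0.25", "mail")
    gate.decide("192.0.2.10", "10.1.0.25", "file-transfer")
    gate.decide("10.1.0.50", "198.51.100.7", "terminal")
    for entry in gate.audit:
        print(entry)
```

Restricting both the kind of traffic and the source/destination pair, as the text suggests, means that even a permitted service is reachable only through the one host chosen to expose it, which is also the host to watch in the audit record.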
It is important to understand that a security perimeter is not foolproof. If it allows the passing of electronic mail, then users can encode arbitrary programs or data in the mail and get them across the perimeter. But this is unlikely to happen by mistake, for it requires much more deliberate planning than do the more direct ways of communicating inside the perimeter using terminal connections. Furthermore, a mail-only perimeter is an important reminder of system security concerns. Users and managers will come to understand that it is dangerous to implement automated services that accept electronic mail requests from outside and treat them in the same fashion as communications originating inside the perimeter.
As with any security measure, a price is paid in convenience and flexibility for a security perimeter: it is difficult to do things across the perimeter. Users and managers must decide on the proper balance between security and convenience. See Appendix B's "Security Perimeters" section for more details.
Methodology

An essential part of establishing trust in a computing system is ensuring that it was built according to proper methods. This important subject is discussed in detail in Chapter 4.
CONCLUSION

The technical means for achieving greater system security and trust are a function of the policies and models that have been articulated and developed to date. Because most work to date has focused on confidentiality policies and models, the most highly developed services and the most effective implementations support requirements for confidentiality. What is currently on the market and known to users thus reflects only some of the need for trust technology. Research topics described in Chapter 8 provide some direction for redressing this imbalance, as does the process of articulating GSSP described in Chapter 1, which would both nourish and draw from efforts to develop a richer set of policies and models. As noted in Chapter 6, elements of public policy may also affect what technology is available to protect information and other resources controlled by computer systems—negatively, in the case of export controls, or positively, in the case of federal procurement goals and regulations.
NOTES

1. Terminology is not always used consistently in the security field. Policies are often called "requirements"; sometimes the word "policy" is reserved for a broad statement and "requirement" is used for a more detailed statement.

2. DOD Directive 5200.28, "Security Requirements for Automatic Data Processing (ADP) Systems," is the interpretation of this policy for computer security (encompassing requirements for personnel, physical, and system security). The Trusted Computer System Evaluation Criteria (TCSEC, or Orange Book, also known as DOD 5200.28-STD; U.S. DOD, 1985d) specifies security evaluation criteria for computers that are used to protect classified (or unclassified) data.

3. That is, who caused it to be made, in the context of the computer system; legal responsibility is a different matter.

4. The simplest such chain involves all the agents in the path, from the system up through the hierarchy to the first ancestor that is common to both the system and the principal, and then down to the principal. Such a chain will always exist if each agent is prepared to authenticate its parent and children. This scheme is simple to explain; it can be modified to deal with renaming and to allow for shorter authentication paths between cooperating pairs of principals.
5. The government's Tempest (Transient Electromagnetic Pulse Emanations Standard) program is concerned with reduction of such emanations. Tempest requirements can be met by using Tempest products or shielding whole rooms where unprotected products may be used. NSA has evaluated and approved a variety of Tempest products, although nonapproved products are also available.

6. In some circumstances a third secure channel property, availability, might be added to this list. If a channel exhibits secure availability, a sender can, with high probability, be confident that his message will be received, even in the face of malicious attack. Most communication channels incorporate some facilities designed to ensure availability, but most do so only under the assumptions of benign error, not in the context of malicious attack. At this time there is relatively little understanding of practical, generic methods of providing communication channels that offer availability in the face of attack (other than those approaches provided to deal with natural disasters or those provided for certain military communication systems).

7. For example, the Digital Equipment Corporation's development of an architecture for distributed system security was reportedly constrained by the availability of specific algorithms:

    The most popular algorithm for symmetric key encryption is the DES (Data Encryption Standard). … However, the DES algorithm is not specified by the architecture and, for export reasons, ability to use other algorithms is a requirement. The preferred algorithm for asymmetric key cryptography, and the only known algorithm with the properties required by the architecture, is RSA. … (Gasser et al., 1989, p. 308)
8. This procedure proves the presence of the principal but gives no assurance that the principal is actually at the other end of the channel; it is possible that an adversary controls the channel and is relaying messages from the principal. To provide this assurance, the principal should encrypt some unambiguous identification of the channel with his private key as well, thus certifying that he is at one end. If the channel is secured by encryption, the encryption key identifies it. Since the key itself must not be disclosed, a one-way hash (see Appendix B) of the key should be used instead.

9. Another problem with retina scans is that individuals concerned about potential health effects sometimes object to use of the technology.
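Note 8 above describes binding the authentication response to the channel it travels over. As an added example (not from the report), this Python sketch compares a response that covers only the challenge with one that also covers a one-way hash of the channel key, and runs both through the relay the note warns about: an adversary who holds one encrypted channel to the verifier and another to the principal and forwards the challenge between them. Two assumptions: an HMAC under a per-principal secret stands in for "encrypt with the principal's private key" (the binding argument does not depend on which signature primitive is used), and the random channel keys stand for whatever key agreement secured each channel.

```python
import hashlib
import hmac
import os


def channel_identifier(channel_key: bytes) -> bytes:
    """Unambiguous name for an encrypted channel: a one-way hash of its key,
    so that the key itself is never disclosed, as the note requires."""
    return hashlib.sha256(b"channel-id:" + channel_key).digest()


def sign(principal_key: bytes, message: bytes) -> bytes:
    """Stand-in for the principal's private-key operation (assumption: an HMAC
    under a secret known only to the principal and the verifier)."""
    return hmac.new(principal_key, message, hashlib.sha256).digest()


def respond_unbound(principal_key: bytes, challenge: bytes) -> bytes:
    """Proves that the principal is alive somewhere, not that it is on this channel."""
    return sign(principal_key, b"response:" + challenge)


def respond_bound(principal_key: bytes, challenge: bytes, channel_key: bytes) -> bytes:
    """Also certifies which channel the principal is answering on."""
    return sign(principal_key, b"response:" + challenge + channel_identifier(channel_key))


def verify_unbound(principal_key: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(respond_unbound(principal_key, challenge), response)


def verify_bound(principal_key: bytes, challenge: bytes, channel_key: bytes,
                 response: bytes) -> bool:
    # The verifier names the channel *it* is on; a response made for another
    # channel will not match.
    return hmac.compare_digest(respond_bound(principal_key, challenge, channel_key), response)


def honest_exchange(bound: bool) -> bool:
    """Principal and verifier share one channel; no adversary in the path."""
    principal_key, channel_key, challenge = os.urandom(32), os.urandom(32), os.urandom(16)
    if bound:
        answer = respond_bound(principal_key, challenge, channel_key)
        return verify_bound(principal_key, challenge, channel_key, answer)
    answer = respond_unbound(principal_key, challenge)
    return verify_unbound(principal_key, challenge, answer)


def relayed_exchange(bound: bool) -> bool:
    """The adversary holds channel A to the verifier and channel B to the
    principal, forwards the verifier's challenge over B and relays the answer
    back over A. Returns True if the verifier accepts, i.e. the relay worked."""
    principal_key = os.urandom(32)
    channel_a = os.urandom(32)   # adversary <-> verifier
    channel_b = os.urandom(32)   # adversary <-> principal
    challenge = os.urandom(16)   # verifier's nonce, forwarded unchanged
    if bound:
        answer = respond_bound(principal_key, challenge, channel_b)    # principal names channel B
        return verify_bound(principal_key, challenge, channel_a, answer)  # verifier expects A
    answer = respond_unbound(principal_key, challenge)
    return verify_unbound(principal_key, challenge, answer)


if __name__ == "__main__":
    print("honest, unbound:", honest_exchange(False))
    print("honest, bound:  ", honest_exchange(True))
    print("relay, unbound: ", relayed_exchange(False), "(adversary accepted)")
    print("relay, bound:   ", relayed_exchange(True), "(adversary rejected)")
```

The unbound response is accepted whichever channel it arrives on, which is exactly what lets the relay succeed; the bound response is accepted only on the channel whose key the principal actually holds.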
PROGRAMMING METHODOLOGY 102

4
Programming Methodology
This chapter discusses issues pertinent to producing all high-quality software and, in particular, issues pertinent primarily to producing software designed to resist attack. Both application and system-level software are considered. Although there are differences between how the two are produced, the similarities dominate the differences.

Of the several factors that govern the difficulty of producing software, one of the most important is the level of quality to be attained, as indicated by the extent to which the software performs according to expectations. High-quality software does what it is supposed to do almost all the time, even when its users make mistakes. For the purposes of this study, software is classified according to four levels of quality: exploratory, production quality, critical, and secure. These levels differ according to what the software is expected to do (its functionality) and the complexity of the conditions under which the software is expected to be used (environmental complexity).

Exploratory software does not have to work; the chief issue is speed of development. Although it has uses, exploratory software is not discussed in this report.

Production-quality software needs to work reasonably well most of the time, and its failures should have limited effects. For example, we expect our spreadsheets to work most of the time but are willing to put up with occasional crashes, and even with occasional loss of data. We are not willing to put up with incorrect results.

Critical software needs to work very well almost all of the time, and certain kinds of failures must be avoided. Critical software is used in trusted and safety-critical applications, for example, medical instruments, where failure of the software can have catastrophic results.
In producing critical software the primary worries are minimizing bugs in the software and ensuring reasonable behavior when nonmalicious users do unexpected things or when unexpected combinations of external events occur. Producing critical software presents the same problems as producing production-quality software, but because the cost of failure is higher, the standards must be higher. In producing critical software the goal is to decrease risk, not to decrease cost.

Secure software is critical software that needs to be resistant to attack. Producing it presents the same problems as does producing critical software, plus some others. One of the key problems is analyzing the kinds of attacks that the software must be designed to resist. The level and kind of threat have a significant impact on how difficult the software is to produce. Issues to consider include the following:

• To what do potential attackers have access? The spectrum ranges from the keyboard of an automated teller machine to the object code of an operational system.
• Who are the attackers and what resources do they have? The spectrum ranges from a bored graduate student, to a malicious insider, to a knowledgeable, well-funded, highly motivated organization (e.g., a private or national intelligence-gathering organization).
• How much and what has to be protected?

In addition, the developers of secure software cannot adopt the various probabilistic measures of quality that developers of other software often can. For many applications, it is quite reasonable to tolerate a flaw that is rarely exposed and to assume that its having occurred once does not increase the likelihood that it will occur again (Gray, 1987; Adams, 1984). It is also reasonable to assume that logically independent failures will be statistically independent and not happen in concert. In contrast, a security vulnerability, once discovered, will be rapidly disseminated among a community of attackers and can be expected to be exploited on a regular basis until it is fixed.

In principle, software can be secure without being production quality, but in practice low quality undermines security. The most obvious problem is that software that fails frequently will result in denial of service. Such software also opens the door to less obvious security breaches. A perpetrator of an intelligence-grade attack (see Appendix E, "High-grade Threats") wants to avoid alerting the administrators of the target system while conducting an attack; a system with numerous low-level vulnerabilities provides a rich source of false alarms and diversions that can be used to cover up the actual attack or to provide windows of opportunity (e.g., when the system is recovering from a crash) for the subversion of hardware or software.
Low-quality software also invites attack by insiders, by requiring that administrative personnel be granted excessive privileges of access to manually repair data after software or system failures.<br />
Another important factor contributing to the difficulty of producing software is the set of performance constraints the software is intended to meet, that is, constraints on the resources (usually memory or time) the software is permitted to consume during use. At one extreme, there may be no limit on the size of the software, and denial of service is considered acceptable. At the other extreme is software that must fit into limited memory and meet "hard" real-time constraints. It has been said that writing extremely efficient programs is an exercise in logical brinkmanship. Working on the brink increases the probability of faults and vulnerabilities. If one must work on the brink, the goals of the software should be scaled back to compensate.<br />
Perhaps the most important factor influencing the difficulty of producing software is size. Producing big systems, for example, a global communication system, is qualitatively different from producing small ones. The reasons for this are well documented (NRC, 1989a).<br />
In summary, simultaneous growth in level of quality, performance constraints, functionality, and environmental complexity results in a corresponding dramatic increase in the cost and risk of producing, and the risk of using, the software. There is no technology available to avoid this, nor is research likely to provide us with such a technology in the foreseeable future. If the highest possible quality is demanded for secure software, something else must give. Because security cannot be attained without quality and the environment in which a system is to run is usually hard to control, typically one must either remove performance constraints (perhaps by allocating extra resources) or reduce the intended functionality.<br />
SOFTWARE IS MORE THAN CODE<br />
Good software is more than good code. It must be accompanied by high-quality documentation, including a requirements document, a design document, carefully written specifications for key modules, test plans, a maintenance plan, and so on.<br />
Of particular importance for secure software is a guide to operations. More comprehensive than a user's manual, such a guide often calls for operational procedures that must be undertaken by people other than users of the software, for example, by system administrators. In evaluating software one must consider what it will do if the instructions in the guide to operations are followed, and what it will do if they are not. One must also evaluate how likely it is that capable people with good intentions will succeed in following the procedures laid down in the guide to operations.<br />
For critical and secure software, a guide to operations is particularly important. In combination with the software it must provide for the following:<br />
• Auditing: What information is to be collected, how it is to be collected, and what is to be done with it must be described. Those who have penetrated secure software cannot be expected to file a bug report, and so mechanisms for detecting such penetrations are needed. Reduction of raw audit data to intelligible form remains a complex and expensive process; a plan for secure software must include resources for the development of systems to reduce and display audit data.<br />
• Recovery: Producing fault-free software of significant size is nearly impossible. Therefore one must plan for dealing with faults, for example, by using carefully designed recovery procedures that are exercised on a regular basis. When they are needed, it is important that such procedures function properly and that those who will be using them are familiar with their operation. If at all possible, manual procedures should be in place to maintain operations in the absence of computing. This requires evaluating the risk of hardware or software crashes versus the benefits when everything works.<br />
• Operation in an emergency mode: There may be provisions for bypassing some security features in times of extreme emergency. For example, procedures may exist that permit "breaking in" to protected data in critical circumstances such as incapacitation or dismissal of employees with special authorizations. However, the system design should treat such emergencies explicitly, as part of the set of events that must be managed by security controls.<br />
Software should be delivered with some evidence that it meets its specifications (assurance). For noncritical software the good reputation of the vendor may be enough. Critical software should be accompanied by documentation describing the analysis the software has been subjected to. For critical software there must be no doubt about what configurations the conclusions of testing and validation apply to and no doubt that what is delivered is what was validated. Secure software should be accompanied by instructions and tools that make it possible to do continuing quality assurance in the field.<br />
Software delivered without assurance evidence may provide only illusory security. A system that is manifestly nonsecure will generally inspire caution on the part of its users; a system that provides illusory security will inspire trust and then betray that trust when attacked.<br />
Arrangements should be made to have the assurance evidence reviewed by a team of experts who are individually and organizationally independent from the development team.<br />
Software should be delivered with a plan for its maintenance and enhancement. This plan should outline how various expected changes might be accomplished and should also make clear what kinds of changes might seriously compromise the software.<br />
Secure software must be developed under a security plan. The plan should address what elements of the software are to be kept confidential, how to manage trusted distribution of software changes, and how authorized users can be notified of newly discovered vulnerabilities without having that knowledge fall into the wrong hands.<br />
SIMPLER IS BETTER<br />
The best software is simple in two respects. It has a relatively simple internal structure, and it presents a relatively simple interface to the environment in which it is embedded.<br />
Before deciding to incorporate a feature into a software system, one should attempt to understand all the costs of adding that feature and do a careful cost-benefit analysis. The cost of adding a feature to software is usually underestimated. The dominant cost is not that of the feature per se, but that of sorting out and controlling the interactions of that feature with all the others. In particular, underestimating cost results from a failure to appreciate the effects of scale. The other side of the coin is that the value of a new feature is usually overestimated. When features are added, a program becomes more complex for its users as well as for its developers. Furthermore, the interactions of features may introduce unexpected security risks. It is axiomatic among attackers that one does not break components but rather systems, by exploiting unanticipated combinations of features. It cannot be emphasized enough that truly secure systems are modest, straightforward, and understandable.<br />
The best designs are straightforward. The more intricate the design and the greater the number of special-case features to accomplish a given functionality, the greater the scope for errors. Sometimes simple designs may be (or may appear to be) unacceptably inefficient. This can lead developers to compromise the structure or integrity of code or to employ intricate fast algorithms, responses that almost always make the software harder to produce and less reliable, and often make it more dependent on the precise characteristics of the input. Better hardware and less ambitious specifications deserve strong consideration before one ventures into such an exercise in software virtuosity. Such trade-offs deserve special attention by designers of secure systems, who too often accept the almost impossible requirements to preserve the full performance, function, and hardware of predecessor systems.<br />
THE ROLE OF PROGRAMMING LANGUAGES<br />
An important threat to all software is bugs that have been accidentally introduced by programmers. It has been clearly demonstrated that higher-level programming languages tend to reduce the number of such bugs, for the following reasons:<br />
• Higher-level languages reduce the total amount of code that must be written.<br />
• Higher-level languages provide abstraction mechanisms that make programs easier to read. All higher-level languages provide procedures. The better languages provide mechanisms for data abstraction (e.g., packages) and for control abstraction (e.g., iterators).<br />
• Higher-level languages provide checkable redundancy, such as type checking that can turn programs with unintended semantics into illegal programs that are rejected by the compiler. This helps turn errors that would otherwise occur while the program is running into errors that must be fixed before the program can run.<br />
• Higher-level languages can eliminate the possibility of making certain kinds of errors. Languages with automatic storage management, for example, greatly reduce the likelihood of a program trying to use memory that no longer belongs to it. Much useful analysis can be done by the compiler, but there is usually ample opportunity to use other tools as well. Sometimes these tools—for example, various C preprocessors—make up for deficiencies in the programming language. Sometimes they enforce coding standards peculiar to an organization or project, for example, the standard that all types be defined in a separate repository. Sometimes they are primitive program verification systems that look for anomalies in the code, for example, code that cannot be reached.<br />
A potential drawback to using higher-level programming languages in producing secure software is that they open up the possibility of certain kinds of "tunneling attacks." In a tunneling attack, the attacker attempts to exploit vulnerabilities at a level of abstraction beneath that at which the system developers were working. To avoid such attacks one must be able to analyze the software beneath the level of the source language. Higher-level languages often have large run-time packages (e.g., the Ada Run-Time Support Library). These run-time packages are often provided as black boxes by compiler vendors and are not subject to the requirements for independent examination and development of assurance evidence that the rest of the software must satisfy. They are, therefore, often a weak link in the security chain.<br />
THE ROLE OF SPECIFICATIONS<br />
Specifications describe software components. They are written primarily to provide precise, easy-to-read, module-level documentation of interfaces. This documentation facilitates system design, integration, and maintenance, and it encourages reuse of modules. The most vexing problems in building systems involve overall system organization and the integration of components. Modularity is the key to effective integration, and specifications are essential for achieving program modularity. Abstraction boundaries allow one to understand programs one module at a time. However, an abstraction is intangible. Without a specification, there is no way to know what the abstraction is or to distinguish it from one of its implementations (i.e., executable code).<br />
The process of writing a specification clarifies and deepens understanding of the object being specified by encouraging prompt attention to inconsistencies, incompletenesses, and ambiguities. Once written, specifications are helpful to auditors, implementors, and maintainers. A specification describes an agreement between clients and providers of a service. The provider agrees to write a module that meets a specification. The user agrees not to rely on any properties of the module that are not guaranteed by the specification. Thus specifications provide logical firewalls between providers and clients of abstractions.<br />
During system auditing, specifications provide information that can be used to generate test data, build stubs, and analyze information flow. During system integration they reduce the number and severity of interfacing problems by reducing the number of implicit assumptions.<br />
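An added example, not from the book, of the contract the two preceding paragraphs describe: a provider function specified by a precondition and a postcondition, a checked wrapper acting as the logical firewall between client and provider, stubs built from the specification alone, and a client whose implicit assumption (an ordering the specification never promised) the stubs expose. All function names and the sample audit records are constructed for this example.

```python
"""Specification as a contract, with stubs built from the specification.

Added example, not from the book.  The provider module `failed_logins` is
specified by a precondition and a postcondition; `checked` enforces the
contract at the module boundary; two stubs are built from the specification
alone and differ only in a property the specification leaves open (ordering);
a client that relies on that property is exposed by running it against them.
All names and the sample audit records are constructed for this example.
"""
from collections import Counter
import random

# Constructed sample audit records: (timestamp, user, outcome).
LOG = [
    (1, "alice", "ok"), (2, "bob", "fail"), (3, "bob", "fail"),
    (4, "carol", "fail"), (5, "alice", "fail"), (6, "bob", "fail"),
]


# --- the specification -----------------------------------------------------
def pre_failed_logins(log, threshold):
    """Precondition the client must establish: well-formed records, threshold >= 1."""
    return threshold >= 1 and all(
        isinstance(t, int) and isinstance(u, str) and o in ("ok", "fail")
        for t, u, o in log)


def post_failed_logins(log, threshold, result):
    """Postcondition the provider must establish: result holds exactly the
    users with at least `threshold` failed records, each once.  The order of
    the result is deliberately NOT specified."""
    counts = Counter(u for _, u, o in log if o == "fail")
    expected = {u for u, n in counts.items() if n >= threshold}
    return set(result) == expected and len(result) == len(expected)


# --- the provider's implementation -----------------------------------------
def failed_logins(log, threshold):
    """Scans in timestamp order, so users happen to appear in the order in
    which they crossed the threshold.  That order is an implementation accident."""
    seen, out = Counter(), []
    for _, user, outcome in log:
        if outcome == "fail":
            seen[user] += 1
            if seen[user] == threshold:
                out.append(user)
    return out


# --- the logical firewall: contract checked at the module boundary ---------
def checked(pre, post, impl):
    """Wrap impl so that a contract violation is attributed to the right party."""
    def wrapper(*args):
        if not pre(*args):
            raise ValueError("client violated the precondition")
        result = impl(*args)
        if not post(*args, result):
            raise AssertionError("provider violated the postcondition")
        return result
    return wrapper


failed_logins_checked = checked(pre_failed_logins, post_failed_logins, failed_logins)


# --- stubs derived from the specification alone ----------------------------
def stub_sorted(log, threshold):
    counts = Counter(u for _, u, o in log if o == "fail")
    return sorted(u for u, n in counts.items() if n >= threshold)


def stub_shuffled(log, threshold):
    users = stub_sorted(log, threshold)
    random.Random(3).shuffle(users)   # fixed seed keeps the stub deterministic
    return users


# --- a client that relies on an unspecified property -----------------------
def first_offender(provider, log, threshold):
    """Client code.  It treats result[0] as the earliest user to cross the
    threshold: true of the provider's code, but not guaranteed by the spec."""
    flagged = provider(log, threshold)
    return flagged[0] if flagged else None


def answers_across_stubs(client, log, threshold):
    """Run the client against every spec-conforming implementation.  More than
    one distinct answer means the client depends on an implicit assumption."""
    return {client(impl, log, threshold)
            for impl in (failed_logins_checked, stub_sorted, stub_shuffled)}
```

With threshold 2 only one user qualifies and every implementation agrees; with threshold 1 the answers diverge, which is the implicit assumption the specification was meant to rule out.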
Specifications are usually much easier to understand than are implementations—thus combining specifications is less work than combining implementations. By relying only on those properties guaranteed by a specification, one makes the software easier to maintain because it is clear what properties must be maintained when an abstraction or its implementation is changed. By distinguishing abstractions from implementations, one increases the probability of building reusable components.<br />
One of the most important uses of specifications is design verification. Getting a design "right" is often much more difficult than implementing the design.¹ Therefore, the ease and precision with which conjectures about a design can be stated and checked are of primary importance.<br />
The kinds of questions one might ask about a design specification fall into a spectrum including two extremes: general questions relevant to any specification and problem-specific questions dealing with a particular application. The general questions usually deal with inconsistency (e.g., Does the specification contradict itself?) or incompleteness (e.g., Have important issues not been addressed?). Between the two extremes are questions related to a class of designs, for example, generic security questions. Design verification has enjoyed considerable success both inside and outside the security area. The key to this success has been that the conjectures to be checked and the specifications from which they are supposed to follow can both be written at the same relatively high level of abstraction.<br />
RELATING SPECIFICATIONS TO PROGRAMS<br />
The preceding discussions of the roles of programming languages and specifications have emphasized the importance of separately analyzing both specifications and programs. Showing that programs meet their specifications is approached mainly by the use of testing and verification (or proving). Testing is a form of analysis in which a relatively small number of cases are examined. Verification deals with a potentially unbounded number of cases and almost always involves some form of inductive reasoning, either over the number of steps of a program (e.g., one shows that if some property holds after the program has executed n steps, it will also hold after n + 1 steps) or over the structure of a data type (e.g., one shows that if some property holds for the first n elements of an array, it will also hold for the first n + 1 elements).<br />
The purpose of both kinds of analysis is to discover errors in programs and specifications, not to certify that either is error-free. Proponents of testing have always understood this. Testing cannot provide assurance that a property holds—there are simply too many cases to be examined in any realistic system. In principle, verification can be used to certify that a program satisfies its specification. In practice, this is not the case. As the history of mathematics makes clear, even the most closely scrutinized proofs may be flawed.

Testing techniques can be grouped roughly into three classes: (1) random testing involves selection of data across the environment, often with some frequency distribution; (2) structural testing involves
generating test cases from a program itself, forcing known behavior onto the program; and (3) functional testing uses the specified functions of a program as the basis for defining test cases (Howden, 1987; Miller and Howden, 1981). These techniques are complementary and should be used in concert.

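The three classes above, applied to one small input-policy check, as an added illustration that is not code from the report. The policy (accept passphrase lengths 12 through 64), the deliberately off-by-one implementation, the independent specification oracle and all test inputs are constructed here; the point is that the three classes find different things, which is why the report says they should be used in concert.

```python
"""Three classes of testing applied to one small input-policy check.

Constructed example (not code from the report): the policy, the deliberately
defective implementation, the spec oracle and all test data are invented here.
"""
import random

MIN_LEN, MAX_LEN = 12, 64      # specification: accept lengths 12..64 inclusive

BRANCHES_HIT = set()           # instrumentation used by structural testing


def accept_passphrase(pw: str) -> bool:
    """Implementation under test. Deliberately off by one at the upper bound."""
    n = len(pw)
    if n < MIN_LEN:
        BRANCHES_HIT.add("too_short")
        return False
    if n >= MAX_LEN:           # defect: the spec allows exactly MAX_LEN characters
        BRANCHES_HIT.add("too_long")
        return False
    BRANCHES_HIT.add("ok")
    return True


def spec_oracle(pw: str) -> bool:
    """The specification, written independently of the code."""
    return MIN_LEN <= len(pw) <= MAX_LEN


def random_testing(trials: int = 2000, seed: int = 1) -> list:
    """(1) Random testing: lengths drawn from a frequency distribution meant to
    resemble real inputs (most passphrases are short to medium). Returns the
    lengths on which implementation and oracle disagree; whether the single bad
    length (64) is ever drawn depends on the draw, not on the tester."""
    rng = random.Random(seed)
    disagreements = set()
    for _ in range(trials):
        n = min(100, int(rng.expovariate(1 / 20)))   # mean 20 characters, capped
        pw = "x" * n
        if accept_passphrase(pw) != spec_oracle(pw):
            disagreements.add(n)
    return sorted(disagreements)


def structural_testing() -> dict:
    """(2) Structural testing: one input per branch of the code itself, so every
    branch label is exercised. The inputs come from the code, not the spec, so
    nothing forces a case onto the spec's boundary and the defect goes unseen."""
    BRANCHES_HIT.clear()
    cases = ["x" * 5, "x" * 30, "x" * 90]          # too_short, ok, too_long
    mismatches = [len(pw) for pw in cases if accept_passphrase(pw) != spec_oracle(pw)]
    return {"branches": sorted(BRANCHES_HIT), "mismatches": mismatches}


def functional_testing() -> list:
    """(3) Functional testing: cases derived from the specification's stated
    boundaries (just inside and just outside each limit)."""
    cases = [MIN_LEN - 1, MIN_LEN, MAX_LEN, MAX_LEN + 1]
    return [n for n in cases if accept_passphrase("x" * n) != spec_oracle("x" * n)]


if __name__ == "__main__":
    print("random      :", random_testing())
    print("structural  :", structural_testing())
    print("functional  :", functional_testing())
```

Run stand-alone, the structural tests report full branch coverage and no mismatch, the functional tests report the single disagreeing length 64, and the random tests report either nothing or 64 depending on whether the distribution happened to produce a 64-character input. That last outcome is the report's point about testing in one line: coverage of the code's own branches is not assurance, and random sampling reaches a boundary only by chance.
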
It is important that verification not be equated with formal proofs. Informal but rigorous reasoning about the relationships between implementations and specifications has proved to be an effective approach to finding errors (Solomon, 1982). People building concurrent programs frequently state key invariants and make informal arguments about their validity (Lamport, 1989; Wing, 1990).

Common sense and much empirical evidence make it clear that neither testing nor verification by itself is adequate to provide assurance for critical and secure software. In addition to being necessarily incomplete, testing is not a cheap process, often requiring that months be spent in grinding out test cases, running the system on them, and examining the results. These tests must be repeated whenever the code or operating environment is changed (a process called regression testing). Testing software under actual operating conditions is particularly expensive.² Verification relies on induction to address multiple cases at once. However, discovering the appropriate induction hypotheses can be a difficult task. Furthermore, unless the proofs are machine checked they are likely to contain errors, and, as discussed in the following section, large machine-checked proofs are typically beyond the current state of the art.

Many views exist on how testing and proving can be combined. The IBM "cleanroom" approach (Linger and Mills, 1988; Selby et al., 1987) uses a form of design that facilitates informal proofs during an inspection process combined with testing to yield statistical evidence. Some parts of a system may be tested and others proved. The basic technique of proving—working a symbolic expression down a path of the program—may be used in either a testing or proving mode. This is especially applicable to secure systems when the symbolic expression represents an interesting security infraction, such as penetrating a communication system or faking an encryption key. Inductive arguments may be used to show that certain paths cannot be taken, thereby reducing the number of cases to be analyzed.

Real-time systems pose special problems. The current practice is to use information gathered from semiformal but often ad hoc analysis (e.g., design reviews, summation of estimated times for events along specific program paths, and simulation) to determine whether an implementation will meet its specified time deadlines with an acceptable degree of probability. More systematic methods for analyzing functional
and performance properties of real-time software systems are needed.

FORMAL SPECIFICATION AND VERIFICATION

In the computer science literature, the phrase "formal method" is often used to refer to any application of a mathematical technique to the development or analysis of hardware or software (IEEE, 1990b,c). In this report, "formal" is used in the narrower sense of "subject to symbolic reasoning." Thus, for example, a formal proof is a proof that can, at least in principle, be checked by machine.

The process of formally verifying that a program is correct with respect to its specification involves both generating and proving verification conditions. A verification-condition generator accepts as input a piece of code and formal specifications for that code, and then outputs a set of verification conditions, also called conjectures or proof obligations. These verification conditions are input to a theorem prover in an attempt to prove their validity using the underlying logic. If the conditions are all proved, then the program is said to satisfy its specification.

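A miniature version of the pipeline just described, added here as an illustration and not code from the report or from any verification tool it cites. It also shows concretely the inductive reasoning over program steps described under "Relating Specifications to Programs": for a loop, one of the generated conditions is exactly "if the invariant holds after n iterations and the loop continues, it holds after n + 1". Everything below is constructed: the tuple-based program notation, the weakest-precondition rules, the two sample programs, and the "prover", which is an exhaustive search over a small integer domain standing in for the theorem prover a real generator would call.

```python
"""A miniature verification-condition generator with a bounded checker.

Constructed example (not from the report): the program notation, the
weakest-precondition rules and the two sample programs are invented here,
and exhaustive enumeration over a small integer domain stands in for the
theorem prover that a real tool would call.
"""
from itertools import product

# Programs are nested tuples; expressions and predicates are Python callables
# over a state dictionary {variable: value}.
#   ("assign", var, expr)          ("seq", [stmt, ...])
#   ("if", cond, then, else)       ("while", cond, invariant, body)


def wp(stmt, post, vcs):
    """Weakest precondition of `stmt` for postcondition `post`.
    Loop side conditions are appended to `vcs` as (name, predicate)."""
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        return lambda s: post({**s, var: expr(s)})
    if kind == "seq":
        pre = post
        for sub in reversed(stmt[1]):
            pre = wp(sub, pre, vcs)
        return pre
    if kind == "if":
        _, cond, then_s, else_s = stmt
        wp_then, wp_else = wp(then_s, post, vcs), wp(else_s, post, vcs)
        return lambda s: wp_then(s) if cond(s) else wp_else(s)
    if kind == "while":
        _, cond, inv, body = stmt
        wp_body = wp(body, inv, vcs)
        # Inductive step: invariant after n iterations and the guard true
        # must give the invariant after n + 1 iterations.
        vcs.append(("loop step", lambda s: not (inv(s) and cond(s)) or wp_body(s)))
        # Exit: invariant and guard false must establish the postcondition.
        vcs.append(("loop exit", lambda s: not (inv(s) and not cond(s)) or post(s)))
        return inv
    raise ValueError(kind)


def generate_vcs(pre, stmt, post):
    """Return the proof obligations for {pre} stmt {post}."""
    vcs = []
    entry = wp(stmt, post, vcs)
    return [("entry", lambda s: not pre(s) or entry(s))] + vcs


def bounded_check(vc, variables, domain):
    """Stand-in prover: search the finite domain for a counterexample."""
    for values in product(domain, repeat=len(variables)):
        state = dict(zip(variables, values))
        if not vc(state):
            return state
    return None


def verify(pre, stmt, post, variables, domain=range(-3, 6)):
    """Map each obligation name to None (holds on the domain) or a counterexample."""
    return {name: bounded_check(vc, variables, domain)
            for name, vc in generate_vcs(pre, stmt, post)}


# Program 1: debit only when funds suffice; balance must never go negative.
DEBIT_PRE = lambda s: s["balance"] >= 0 and s["amount"] >= 0
DEBIT_POST = lambda s: s["balance"] >= 0
DEBIT_GUARDED = ("if", lambda s: s["amount"] <= s["balance"],
                 ("assign", "balance", lambda s: s["balance"] - s["amount"]),
                 ("seq", []))
DEBIT_UNGUARDED = ("assign", "balance", lambda s: s["balance"] - s["amount"])

# Program 2: count failed attempts up to a lockout limit.
LOCK_PRE = lambda s: s["limit"] >= 0
LOCK_POST = lambda s: s["attempts"] == s["limit"]
LOCK_LOOP = ("seq", [
    ("assign", "attempts", lambda s: 0),
    ("while", lambda s: s["attempts"] < s["limit"],
     lambda s: 0 <= s["attempts"] <= s["limit"],            # loop invariant
     ("assign", "attempts", lambda s: s["attempts"] + 1)),
])


if __name__ == "__main__":
    print(verify(DEBIT_PRE, DEBIT_GUARDED, DEBIT_POST, ["balance", "amount"]))
    print(verify(DEBIT_PRE, DEBIT_UNGUARDED, DEBIT_POST, ["balance", "amount"]))
    print(verify(LOCK_PRE, LOCK_LOOP, LOCK_POST, ["attempts", "limit"]))
```

The guarded debit yields a single entry obligation with no counterexample; the unguarded one yields a counterexample (balance 0, amount 1), which is the kind of "interesting security infraction" the symbolic path walk is meant to surface. The loop program yields three obligations (entry, inductive step, exit), all of which hold. Note the limitation that mirrors the report's caveat about testing: the bounded checker only establishes the obligations over the enumerated domain, whereas a theorem prover discharging the same formulas symbolically would cover all integers.
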
The security community has been interested for some time in the use of formal verification to increase confidence in the security of software (Craigen and Summerskill, 1990). While some success has been reported (Haigh et al., 1987), on the whole formal program verification has not proved to be a generally cost-effective technique. The major obstacles have been the following (Kemmerer, 1986):

• The difficulty of crossing the barrier between the level of abstraction represented by code and the level of abstraction at which specifications should be written.
• Limits on theorem-proving technology. Given the current state of theorem-proving technology, program verification entails extensive user interaction to prove relatively simple theorems.
• The lack of well-engineered tools.

The last obstacle is certainly surmountable, but whether the first two can be overcome is subject to debate.

There are fundamental limits to how good theorem provers can become. The basic problem is undecidable, but that is not relevant for most of the proof obligations that arise in program verification. A more worrisome fact is that reasoning about many relatively simple theories is inherently expensive,³ and many of the formulas that arise in practice take a long time to simplify. Despite these difficulties,
there has been enough progress in mechanical theorem proving in the last decade (Lindsay, 1988) to give some cause for optimism.

Whether or not the abstraction barrier can be gracefully crossed is the most critical question. The problem is that the properties people care about, for example, authentication of users, are most easily stated at a level of abstraction far removed from that at which the code is written. Those doing formal program verification spend most of their time mired in code-level details, for example, proving that two variables do not refer to the same piece of storage, and in trying to map those details onto the properties they really care about.

A formal specification is a prerequisite to formal program verification. However, as outlined above in the section titled "The Role of Specifications," specifications have an important role that is independent of program verification. The potential advantages of formal over informal specifications are clear: formal specifications have an unambiguous meaning and are subject to manipulation by programs. To fully realize these advantages, one must have access to tools that support constructing and reasoning about formal specifications.

An important aspect of modern programming languages is that they are carefully engineered so that some kinds of programming errors are detected by either the compiler or the run-time system. Some languages use "specs" or "defs" modules (Mitchell et al., 1979), which can be viewed as a first step in integrating formal specifications into the programming process. However, experience with such languages shows that while programmers are careful with those parts (e.g., the types of arguments) that are checked by their programming environment, they are much less careful about those parts (e.g., constraints on the values of arguments) that are not checked. If the latter parts were checked as well, programmers would be careful about them, too.

Designs are expressed in a formal notation that can be analyzed, and formal statements about them can be proved. The process of formal design verification can be used to increase one's confidence that the specifications say "the right thing," for example, that they imply some security property.

Organizations building secure systems have made serious attempts to apply formal specification, formal design verification, and formal program verification. This committee interviewed members of several such organizations⁴ and observed a consistent pattern:

• Writing formal specifications and doing design verification significantly increased people's confidence in the quality of their designs.
• Important flaws were found both during the writing of specifications and during the actual design verification. Although the majority of
the flaws were found as the specifications were written, the "threat" of design verification was an important factor in getting people to take the specification process seriously.
• Design-level verification is far more cost-effective than is program-level verification.
• Writing code-level entry/exit assertions is useful even if they are not verified.
• Although usable tools exist for writing and proving properties about specifications, better specification languages and tools are needed.
• More attention needs to be devoted to formalizing a variety of generally applicable security properties that can be verified at the design level.
• Little is understood about the formal specification and verification of performance constraints.

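Two points above meet in one small mechanism: the observation that programmers attend to the parts of an interface their environment checks (argument types) and neglect the parts it does not (constraints on argument values), and the committee's finding that code-level entry/exit assertions are useful even when never formally verified. The following is an added example, not code from the report or from any language it mentions: a `contract` decorator (constructed here, together with `ContractError` and the session-lifetime functions) that evaluates an entry assertion over the arguments and an exit assertion over the result, so that a value constraint is checked at run time the way a type annotation is checked statically.

```python
"""Entry/exit assertions that check value constraints at run time.

Constructed example (not code from the report): the `contract` decorator,
the `ContractError` type and the session-TTL functions are invented here.
"""
import functools
import inspect
from typing import Optional


class ContractError(AssertionError):
    """Raised when an entry (pre) or exit (post) assertion fails."""

    def __init__(self, where: str, fn: str):
        super().__init__(f"{where} assertion failed in {fn}")
        self.where = where


def contract(pre=None, post=None):
    """Wrap a function so that `pre(**arguments)` is checked on entry and
    `post(result, **arguments)` on exit. The argument *types* in the
    annotations are what a static checker verifies; the *value* constraints
    in `pre`/`post` are the part nothing checks unless we do it here."""
    def decorate(fn):
        sig = inspect.signature(fn)

        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            bound.apply_defaults()
            env = dict(bound.arguments)
            if pre is not None and not pre(**env):
                raise ContractError("entry", fn.__name__)
            result = fn(*args, **kwargs)
            if post is not None and not post(result, **env):
                raise ContractError("exit", fn.__name__)
            return result
        return wrapper
    return decorate


def ttl_pre(requested: int, policy_max: int) -> bool:
    """Entry assertion: both durations must be positive."""
    return requested > 0 and policy_max > 0


def ttl_post(result: int, requested: int, policy_max: int) -> bool:
    """Exit assertion: the granted lifetime never exceeds the policy maximum."""
    return 0 < result <= policy_max


@contract(pre=ttl_pre, post=ttl_post)
def session_ttl(requested: int, policy_max: int) -> int:
    """Session lifetime in seconds: the request, clamped to the policy maximum."""
    return min(requested, policy_max)


@contract(pre=ttl_pre, post=ttl_post)
def session_ttl_unclamped(requested: int, policy_max: int) -> int:
    """Defective variant: honours the request and ignores the policy maximum.
    The exit assertion catches what the type annotation cannot."""
    return requested


def violated(fn, *args) -> Optional[str]:
    """Call fn; report which assertion failed ('entry' / 'exit') or None."""
    try:
        fn(*args)
    except ContractError as err:
        return err.where
    return None


if __name__ == "__main__":
    print(session_ttl(600, 3600))                        # 600
    print(violated(session_ttl, -5, 3600))               # entry: -5 is an int, but not a valid TTL
    print(violated(session_ttl_unclamped, 7200, 3600))   # exit: result exceeds policy_max
```

A negative `requested` passes every check a type checker can make (it is an `int`) and is stopped only by the entry assertion; the unclamped variant passes the entry assertion and is caught at exit because its result exceeds `policy_max`. Neither assertion has been proved; both still turn a constraint that was previously only documented into one the program enforces.
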
HAZARD ANALYSIS

For critical and secure systems, hazard analysis is important. This involves the identification of environmental and system factors that can go wrong and the levels of concern that should be attached to the results. Environmental events include such actions as an operator mistyping a command or an earthquake toppling a disk drive. Systematic hazard analysis starts with a list of such events generated by experts in such domains as the application, the physics of the underlying technology, and the history of failures of similar systems. Each hazard is then traced into the system by asking pertinent questions: Is system behavior defined for this hazard? How will the system actually behave under these conditions? What can be done to minimize the effects of this hazard? Thus hazard analysis is a form of validation in assuring that the environment is well understood and that the product is being built to respond properly to expected events. Many forms of security breaches can be treated as hazards (U.K. Ministry of Defence, 1989b).

Physical system safety engineers have long used techniques such as failure-mode effects analysis and fault trees to trace the effects of hazards. Software is also amenable to analysis by such techniques, but additional problems arise (Leveson, 1986). First, the sheer complexity of most software limits the depth of analysis. Second, the failure modes of computer-controlled systems are not as intuitive as those for physical systems. By analogy, as radios with analog tuners age, the ability to separate stations slowly decreases. In contrast, radios with digital tuners tend to work well, or not at all.

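A fault tree treating a security breach as a hazard, in the way the two paragraphs above describe, as an added example that is not from the report or from the safety literature it cites. The top event is "a confidential record is disclosed"; beneath it are AND gates (every input must occur) and OR gates (any input suffices). The tree, the event names (one of them the operator-mistypes-a-command hazard from the text) and every probability are constructed here for illustration, and the evaluation assumes the basic events are independent. Two things are computed: the top-event probability, and the minimal cut sets, i.e. the smallest combinations of basic events that cause disclosure, which answer the report's third question ("What can be done to minimize the effects of this hazard?") by showing which single mitigation removes which path.

```python
"""Fault-tree evaluation for a hazard analysis of a data-disclosure event.

Constructed example (not from the report): the tree, the event names and
every probability below are invented for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Event:
    """Basic event: something that can go wrong, with a per-period probability."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND: all inputs must occur; OR: any input suffices."""
    kind: str
    name: str
    inputs: tuple


Node = Union[Event, Gate]


def probability(node: Node, overrides: dict = None) -> float:
    """Top-event probability, assuming independent basic events.
    `overrides` maps an event name to a replacement probability, to ask
    'what if this hazard were mitigated?'."""
    overrides = overrides or {}
    if isinstance(node, Event):
        return overrides.get(node.name, node.p)
    ps = [probability(child, overrides) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    none_occur = 1.0                      # OR gate: 1 - P(no input occurs)
    for p in ps:
        none_occur *= 1.0 - p
    return 1.0 - none_occur


def minimal(sets):
    """Drop any cut set that strictly contains another."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node: Node):
    """Minimal cut sets: smallest combinations of basic events causing the top event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    else:                                 # AND: one cut set from each input, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    return minimal(combined)


# Constructed hazard tree: how could a confidential record be disclosed?
DISCLOSURE = Gate("OR", "confidential record disclosed", (
    Gate("AND", "backup read by outsider", (
        Event("backup tape lost in transit", 0.01),
        Event("backup stored unencrypted", 0.20),
    )),
    Gate("AND", "operator exports record by mistake", (
        Event("operator mistypes export command", 0.05),
        Event("no second-person confirmation of export", 0.50),
    )),
    Event("file share misconfigured as world-readable", 0.02),
))


def mitigation_effect(tree: Node, event_name: str) -> tuple:
    """Top-event probability before and after driving one hazard's probability to zero."""
    return probability(tree), probability(tree, {event_name: 0.0})


if __name__ == "__main__":
    print(f"P(top) = {probability(DISCLOSURE):.6f}")
    for cs in sorted(cut_sets(DISCLOSURE), key=len):
        print("cut set:", sorted(cs))
    print("encrypt backups:", mitigation_effect(DISCLOSURE, "backup stored unencrypted"))
```

With the constructed numbers the top-event probability is about 0.0464 per period, and the three minimal cut sets show where a single control matters: the misconfigured share is a cut set on its own (one failure suffices), whereas the backup path needs two failures, so encrypting backups removes that path entirely. The independence assumption is the usual caveat: where the same basic event appears under several gates, the OR formula above over-approximates, and a real analysis would work from the cut sets instead.
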
STRUCTURING THE DEVELOPMENT PROCESS

Some of the more popular approaches to software development have aspects that this committee believes are counterproductive.

Some approaches encourage organizations to ignore what they already have when starting a new software project. There seems to be an almost irresistible urge to start with a clean slate. While this offers the advantage of not having to live with past mistakes, it offers the opportunity to make a host of new ones. Most of the time, using existing software reduces both cost and risk. If software has been around for some time, those working with it already have a considerable investment in understanding it. This investment should not be discarded lightly. Finally, when the hazards of a system are well understood, it often becomes possible to devise operational procedures to limit their scope.

For similar reasons it is usually prudent to stick to established tools when building software that must be secure. Not only should programmers use programming languages they already understand, but they should also look for compilers that have been used extensively in similar projects. Although this is a conservative approach that over the long haul is likely to impede progress in the state of the art, it is clear that using new tools significantly increases risk.

The development process should not place unnecessary barriers between the design, implementation, and validation stages of an effort to produce software. Particularly dangerous in producing critical or secure software are approaches that rely primarily on ex post facto validation. Software should be evaluated as it is being built, so that the process as well as the product can be examined. The most reliable evaluations involve knowing what goes on while the system is being designed. Evaluation by outsiders is necessary but should not be the primary method of assurance.

Both software and the software development process should be structured so as to include incremental development based on alternation between relatively short design and implementation phases. This style of development has several advantages, among them the following:

• It helps to keep designers in touch with the real world by providing feedback.
• It tends to lead to a more modular design because designers are encouraged to invent coherent subsystems that can be implemented independently of other subsystems. (That is not to say that the various subsystems do not share code.)
• It leads to designs in which piecewise validation (usually by some combination of reasoning and testing) of the implementation is
possible. At the same time it encourages designers to think of planning for validation as part of the design process.
• By encouraging designers to think of the design as something that changes rather than as a static entity that is done "correctly" once, it tends to lead to designs that can be more easily changed if the software needs to be modified.
MANAGING SOFTWARE PROCUREMENT

Current trends in software procurement (particularly under government contracts) are rather disturbing:

1. It has become increasingly common for those buying software to develop an adversarial relationship with those producing it. Recent legislation (the Procurement Integrity Act of 1989, P.L. 100-679, Section 27) could be interpreted as virtually mandating such a relationship. If implemented, this act, which would stop the flow of "inside" information to potential vendors, might have the effect of stopping the flow of all information to potential vendors, thus significantly increasing the number of government software procurements that would overrun costs or fail to meet the customer's expectations.5
2. Purchasers of software have begun to take an increasingly narrow view of the cost of software. Procurement standards that require buying software from the lowest bidder tend to work against efforts to improve software quality. Likewise, the procurement of software by organizations that are separate from the end users typically leads to an emphasis on reduction of initial cost, with a corresponding increase in life-cycle expense.
3. Contractors often use their most talented engineers to procure contracts rather than to build systems.
The best software is produced when the customer and vendor have a cooperative relationship. In the beginning, this makes it possible for the customer to be frank about his needs and the vendor to be frank about the difficulty of meeting those needs. A negotiation can then follow as together the customer and vendor attempt to balance the customer's desires against implementation difficulties. As the project progresses, particularly if it is done in the incremental way suggested above, the vendor and customer must both feel free to revisit the definition of what the software is to do. Such a relationship, while still possible in the private sector, could become difficult in government procurements, owing to the difficulty of determining what is or is not illegal under the Procurement Integrity Act of 1989 (if it is actually implemented). Adaptation to changed circumstances and
redirection of contracts to incorporate lessons learned could be difficult, because the law makes even preliminary discussion of such issues between customer and vendor a criminal offense. Thus increasingly the emphasis in the customer-vendor relationship could be on satisfaction of the letter of the contract. The sense of team ownership of a problem, so essential to success in an intangible field such as software development, would be lost completely.

Procurement standards that require software to be purchased from the lowest bidder often miss the point that the real cost of software is not the initial purchase price. The costs of porting, supporting, maintaining, and modifying the software usually dominate initial production costs. Furthermore the cost of using software that does not perform as well as it might can often outweigh any savings achieved at the time it is purchased. Finally, buying software from the lowest bidder encourages vendors to take a short-term approach to software development. In a well-run software organization, every significant software project should have as a secondary goal producing components that will be useful in other projects. This will not happen by accident, since it is more work and therefore more costly to produce components that are likely to be reusable.
SCHEDULING SOFTWARE DEVELOPMENT

One of the reasons that software projects are chronically behind schedule and over budget is that they start with unrealistic requirements, schedules, and budgets. A customer's requirements are often vague wish lists, which are frequently interpreted as less onerous than they in fact prove to be when they are later clarified. The scheduled delivery date for software is often based on marketing considerations (e.g., winning a contract), rather than on a careful analysis of how much work is actually involved. An unrealistically optimistic schedule has many disadvantages:

• Decisions about what the software will do are made under crisis conditions and at the wrong time (near the end of a project) and for the wrong reasons (how hard something will be to implement given the current state of the software, rather than how important it is or how hard it would have been to implement from the starting point).
• Programmers who have worked hard trying to meet an impossible schedule will be demoralized when it becomes apparent that the schedule cannot be met. They will eventually begin to believe that missing deadlines is the norm.
• The whole development process is distorted. People may spend inordinate amounts of care on relatively unimportant pieces of the
software that happen to be built early in the project and then race through important pieces near the end. Activities like quality assurance that typically occur near the end of the process get compressed and slighted.

Scheduling the development of critical or secure software is somewhat different from the scheduling for other kinds of software. Extra time and money must be allocated for extensive review and analysis. If an outside review is required, this must be taken into account from the beginning, since extra time and money must be allocated throughout the life of the project. One consequence of an extremely careful review process is the increased likelihood of uncovering problems. Time and money must be reserved for dealing with such problems prior to system delivery.
EDUCATION AND TRAINING

There is a shortage of well-qualified people to work on production-quality software. There is a more serious shortage of those qualified to build critical software, and a dramatic shortage of people qualified to build secure software. A discussion of the general shortage of qualified technical people in this country is beyond the scope of this report. However, a few comments are in order about the narrower problems associated with the education and training of those working on critical and secure software.

Setting requirements for, specifying, and building critical software require specialized knowledge not possessed by typical software engineers. Over the years other engineering disciplines have developed specialized techniques—hazard analysis—for analyzing critical artifacts. Such techniques are not covered in most software engineering curricula, nor are they covered by most on-the-job training. Furthermore, working on critical software requires specialized knowledge of what can go wrong in the application domain. Working on secure software requires yet more skills. Most notably, one must be trained to understand the potential for attack, for software in general and for the specific application domain in particular.

This committee advocates a two-pronged approach to addressing the shortage of people qualified to work on software: a new university-based program in combination with provisions for more on-the-job education as a part of current and future software projects.

The university-based program would be aimed at returning, graduate-level students who are already somewhat familiar with at least one application area. While the program would cover conventional software engineering, special emphasis would be given to topics related
to critical and secure software. For example, different project management structures would be discussed in terms of their impact on both productivity and security. Discussions of quality assurance might emphasize safety engineering more than would be expected in a traditional software engineering program. Although careful consideration should be given to the specific content of such a curriculum, it seems clear that at least a one-year or perhaps even a two-year program is needed. Such a program could best be developed at universities with strong graduate engineering and business programs.

The committee envisions as an initial step approximately three such programs, each turning out perhaps 20 people a year. Over time, it would be necessary (and probably possible) to increase the number of graduates. Developing such a program would not be inexpensive: the committee estimates that the cost would be on the order of $1 million.
Given the current shortage and the time it will take to establish university programs that can increase the supply of qualified software engineers, managers of large security-related development efforts should deal explicitly with the need to educate project members. Both time and money for this should appear in project budgets.
MANAGEMENT CONCERNS IN PRODUCING SECURE SOFTWARE

Managing a project to produce secure software requires all the basic skills and discipline required to manage any substantial project. However, production of secure software typically differs from production of general high-quality software in one area, and that is in the heavy emphasis placed on assurance, and in particular on the evaluation of assurance conducted by an independent team.

Perhaps the most difficult, and certainly the most distinctive, management problem faced in the production of secure software is integrating the development and the assurance evaluation efforts. The two efforts are typically conducted by different teams that have different outlooks and use different notations. In general, the assurance team has an analytical outlook that is reflected in the notations it uses to describe a system; the development team focuses on the timely production of software, and accordingly emphasizes synthesis and creativity.

As a consequence it is very easy for an antagonistic relationship to develop between the two teams. One result is that what is analyzed (typically a description of a system) may bear little resemblance to the software that is actually produced. Geographic and organizational
separation of the assurance and development teams compounds this problem. Ideally, the teams work side by side with the same material; as a practical matter, a jointly satisfactory "translation notation" may have to be devised so that the assurance team does not have to work with actual source code (which is typically not processable by their tools) and the development team does not have to program in an inappropriate language.

Scheduling of the various assurance and implementation milestones is typically a difficult process. Assurance technology is considerably less mature than implementation technology, and the tools it uses are often laboratory prototypes rather than production-quality software. Estimates of time and effort on the part of the assurance team are therefore difficult to make, and the various assurance milestones often become the "gating factor" in maintaining a project's schedule. Managers must make it clear from the outset, and maintain the posture, that assurance is an important aspect of the project and not just something that causes schedule slips and prevents programmers from doing things in otherwise reasonable ways. They must also recognize the fact that assurance will be a continuing cost. When a software system is modified, the assurance evidence must be updated. This means more than merely running regression tests. If, for example, assurance involves covert channel analyses, then those too must be redone.

The project plan must include a long, slow start-up in the beginning, with a higher percentage of time devoted to specification and analysis than is devoted to design. This lead time is required because the typical design team can devise mechanisms at a rate that greatly exceeds the ability of the assurance team to capture the mechanisms in their notations and to analyze them.

Managers should also cultivate a project culture in which assurance is viewed as everybody's problem and not just some mysterious process that takes place after the software is done. It is particularly necessary that the developers appreciate an attacker's mind-set, so that they themselves look at everything they do from the point of view of the threat. Information security (INFOSEC) attacks generally succeed because the attacker has embarked on an adventure, whereas the defenders are just working at a job. Management must instill the probing, skeptical, confident view of the attacker in each developer if the software is to be secure in fact as well as on paper.

WHAT MAKES SECURE SOFTWARE DIFFERENT

From the perspective of programming methodology, the hardest part of producing secure software is producing good software. If one
includes denial of service under the security rubric, producing secure software involves all the difficulties associated with building critical software, plus the additional difficulties associated with assuring integrity and confidentiality under the presumption of outside attack.

Some of the techniques generally considered useful in producing software have additional benefits in the security realm. People in the programming methodology field have long stressed the importance of modularity. In addition to making software easier to build, modularity helps to limit the scope of bugs and penetrations. Modularity may even be useful in reducing the impact of subverted developers.
There are also some apparent trade-offs between security concerns and other facets of good practice—"apparent" because most of the time one should opt for good software practice; without it one will not have anything useful. Attempts to provide protection from high-grade threats by strictly limiting the number of people with access to various parts of the software may be self-defeating. The social process of the interaction of professionals on a project, conducted formally or casually, is a powerful tool for achieving correctness in fields like mathematics or software that deal with intangibles. Secrecy stops the social process in its tracks, and strict application of the "need-to-know" principle makes it very likely that system elements are subject to scrutiny only by insiders with a vested interest in the success of the project. Secrecy may also hinder the technical evolution of countermeasures; individuals assigned to the development of a given device or subsystem may not be aware of even the existence of predecessor devices, much less their specific strengths and weaknesses and mix of success and failure.
The inherent mutability of software conflicts with the requirements for achieving security. Consequently secure software is often deliberately made difficult to modify, for example, by burning code into read-only memory. Not only does this make it hard for attackers to subvert the software, but it also, unfortunately, makes it hard to make legitimate changes, for example, fixing a known vulnerability.
In resource-limited projects, any resources devoted to protecting those parts of a system deemed most vulnerable will detract from protecting other parts of the system. One must be careful to ensure that other parts of the system are not unduly impoverished.
RECOMMENDED APPROACHES TO SOUND DEVELOPMENT METHODOLOGY
The recommendations that follow are broad directives intended to reflect general principles. Some are included in the fourth subset of
the committee's recommendation 2, which calls for short-term actions that build on existing capabilities (see Chapter 1).
• Finding: What correlates most strongly with lack of vulnerabilities in software is simplicity. Furthermore, as complexity and size increase, the probability of serious vulnerabilities increases more than linearly. Recommendation: To produce software systems that are secure, structure systems so that security-critical components are simple and small.
• Finding: Software of significant size must be assumed to have residual errors that can compromise security. Recommendation: Reduce vulnerability arising from failure of security. Keep validated copies of vital data off-line. Establish contingency plans for extended computer outages.
• Finding: Extensive and extended use of software tends to reduce the number of residual errors, and hence the vulnerabilities. Recommendation: Encourage the development of generally available components with well-documented program-level interfaces that can be incorporated into secure software. Among these should be standardized interfaces to security services.
• Finding: Design-level verification using formal specifications has proved to be effective in the security area. Recommendation: Do more research on the development of tools to support formal design-level verification. Emphasize as a particularly important aspect of this research the identification of design-level properties to be verified.
• Finding: The most important bottleneck in reasoning about programs is the difficulty of dealing with multiple levels of abstraction. Recommendation: Conduct research on program verification so as to put greater emphasis on this problem.
• Finding: Software that taxes the resources of the computing environment in which it is run is likely to be complex and thus vulnerable. Recommendation: When building secure software, provide excess memory and computing capacity relative to the intended functionality.
• Finding: The use of higher-level programming languages reduces the probability of residual errors, which in turn reduces the probability of residual vulnerabilities. Recommendation: When tunneling attacks are not a major concern, use higher-level languages in building secure software.
• Finding: Using established software tends to reduce risk. Recommendation: In general, build secure software by extending existing software with which experience has been gained. Furthermore, use mature technology, for example, compilers that have been in use for some time.
• Finding: Ex post facto evaluation of software is not as reliable
as evaluation that takes place during the construction of the software. Recommendation: Couple development of secure software with regular evaluation. If evaluation is to be done by an outside organization, involve that organization in the project from the start.
• Finding: There is a severe shortage of people qualified to build secure software. Recommendation: Establish educational programs that emphasize the construction of trusted and secure software in the context of software engineering.
• Finding: Adopting new software production practices involves a substantial risk that cannot usually be undertaken without convincing evidence that significant benefits are likely to result. This greatly inhibits the adoption of new and improved practice. Recommendation: Establish an organization for the purpose of conducting showcase projects to demonstrate the effectiveness of applying well-understood techniques to the development of secure software.
• Finding: Assurance is often the gating factor in maintaining a project schedule for producing secure software. This is particularly true during the design phase of a project. Recommendation: Build into schedules more time and resources for assurance than are currently typical.
• Finding: There is a trade-off between the traditional security technique of limiting access to information to those with a need to know and the traditional software engineering technique of extensively reviewing designs and code. Although there are circumstances in which it is appropriate to keep mechanisms secret, for most parts of most applications the benefits of secrecy are outweighed by the costs. When a project attempts to maintain secrecy, it must take extraordinary measures, for example, providing for cleared "inspectors general," to ensure that the need to maintain secrecy is not abused for other purposes, such as avoiding accountability on the part of developers. Recommendation: Design software so as to limit the need for secrecy.
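Two of the findings above, that security-critical components should be simple and small, and that design-level verification of stated properties is effective, can be seen together in one small worked example. The code below is an added illustration and not part of the committee's report: it models a toy two-level mandatory access-control policy (the levels, the subjects "alice" and "bob", the objects "memo" and "plan", and the no-read-up / no-write-down rules are all assumptions made here), keeps the entire security-critical decision in one short reference-monitor function, and then exhaustively explores every state reachable through that monitor to check an information-flow property stated independently of the monitor's own rules. A second, deliberately lax monitor that permits downward writes is included so the checker is seen to find a counterexample rather than merely confirm what it was told.

```python
"""Added example (not from the report): a tiny reference monitor plus an
exhaustive design-level check of an information-flow property.

Everything here is a constructed toy: two security levels, two subjects,
two objects, and a simplified no-read-up / no-write-down policy.
"""
from itertools import product

# Ordered levels: a higher index dominates every lower one (assumption).
LEVELS = ("unclassified", "secret")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed sample subjects and objects with fixed labels.
SUBJECTS = {"alice": "secret", "bob": "unclassified"}
OBJECTS = {"memo": "unclassified", "plan": "secret"}
MODES = ("read", "write")


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as high as level b."""
    return RANK[a] >= RANK[b]


def strict_monitor(subject: str, obj: str, mode: str) -> bool:
    """The whole security-critical component: one small, reviewable function.

    read  is granted only if the subject's level dominates the object's (no read-up)
    write is granted only if the object's level dominates the subject's (no write-down)
    """
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if mode == "read":
        return dominates(s, o)
    if mode == "write":
        return dominates(o, s)
    return False


def lax_monitor(subject: str, obj: str, mode: str) -> bool:
    """A deliberately weaker design: it stops read-up but lets anyone write anywhere."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if mode == "read":
        return dominates(s, o)
    return mode == "write"


def flow_invariant(state: frozenset) -> bool:
    """Design-level property, stated independently of the monitor's rules:
    no subject may simultaneously hold a read on one object and a write on
    another object of strictly lower level, because that subject could relay
    data downward. A state is the set of (subject, object, mode) grants."""
    for subj, src, mode in state:
        if mode != "read":
            continue
        for subj2, dst, mode2 in state:
            if subj2 == subj and mode2 == "write" and not dominates(OBJECTS[dst], OBJECTS[src]):
                return False
    return True


def explore(monitor):
    """Exhaustively enumerate every state reachable through the given monitor.

    Returns (True, number_of_states) if the invariant holds in every reachable
    state, or (False, counterexample_state) for the first violating state found.
    """
    requests = list(product(SUBJECTS, OBJECTS, MODES))
    start = frozenset()
    seen = {start}
    frontier = [start]
    while frontier:
        state = frontier.pop()
        if not flow_invariant(state):
            return False, state
        for req in requests:
            if monitor(*req):          # the monitor decides; the state records grants
                nxt = state | {req}
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return True, len(seen)


if __name__ == "__main__":
    for name, monitor in (("strict", strict_monitor), ("lax", lax_monitor)):
        ok, detail = explore(monitor)
        if ok:
            print(f"{name} monitor: property holds over {detail} reachable states")
        else:
            print(f"{name} monitor: counterexample {sorted(detail)}")
```

The exhaustive walk is only feasible because the model is tiny, which is the point of the first finding: the smaller the security-critical component and its state, the more completely it can be examined, and a property written down separately from the mechanism (as flow_invariant is) catches a design that enforces the wrong rules.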
NOTES
1. For example, Jay Crawford of the Naval Weapons Center at China Lake, California, reports that the majority of errors in the production versions of the flight software managed there were classified as specification and design errors rather than coding errors.
2. The Navy estimates that testing software in an operating aircraft costs $10,000 per hour.
3. Checking the satisfiability of simple boolean formulas, for example, is an NP-complete problem; that is, the worst-case time required (probably) grows exponentially in the size of the formula.
4. Morrie Gasser and Ray Modeen, Secure Systems Group, Digital Equipment Corporation; Timothy E. Levin, Gemini Computers, Inc.; J. Thomas Haigh, Secure Computing
Technology Corporation (formerly Honeywell Secure Computing Technology Center); and George Dinolt, Ford Aerospace Corporation.
5. Implementation of the Procurement Integrity Act of 1989 was suspended through November 30, 1990, and may be further suspended until May 31, 1991, to consider proposed changes by the Administration (see Congressional Record of June 21, 1990, and August 2, 1990).
5
Criteria to Evaluate Computer and Network Security
Characterizing a computer system as being secure presupposes some criteria, explicit or implicit, against which the system in question is measured or evaluated. Documents such as the National Computer Security Center's (NCSC's) Trusted Computer System Evaluation Criteria (TCSEC, or Orange Book; U.S. DOD, 1985d) and its Trusted Network Interpretation (TNI, or Red Book; U.S. DOD, 1987), and the harmonized Information Technology Security Evaluation Criteria (ITSEC; Federal Republic of Germany, 1990) of France, Germany, the Netherlands, and the United Kingdom provide standards against which computer and network systems can be evaluated with respect to security characteristics. As described below in "Comparing National Criteria Sets," these documents embody different approaches to security evaluation, and the differences are a result of other, perhaps less obvious purposes that security evaluation criteria can serve.
This chapter describes the competing goals that influence the development of criteria and how current criteria reflect trade-offs among these goals. It discusses how U.S. criteria should be restructured to reflect the emergence of foreign evaluation criteria and the experience gained from the use of current NCSC criteria. While building on experience gained in the use of Orange Book criteria, the analysis contributes to the arguments for a new construct, Generally Accepted System Security Principles, or GSSP. As recommended by the committee, GSSP would provide a broader set of criteria and drive a more flexible and comprehensive process for evaluating single-vendor (and conglomerate) systems.
SECURITY EVALUATION CRITERIA IN GENERAL
At a minimum, security evaluation criteria provide a standard language for expressing security characteristics and establish an objective basis for evaluating a product relative to these characteristics. Thus one can critique such criteria based on how well security characteristics can be expressed and evaluated relative to the criteria. Security evaluation criteria also serve as frameworks for users (purchasers) and for vendors. Users employ criteria in the selection and acquisition of computer and network products, for example, by relying on independent evaluations to validate vendor claims for security and by using ratings as a basis for concisely expressing computer and network security requirements. Vendors rely on criteria for guidance in the development of products and use evaluations as a means of product differentiation. Thus it is also possible to critique security evaluation criteria based on their utility to users and vendors in support of these goals.
These goals of security evaluation criteria are not thoroughly complementary. Each of the national criteria sets in use (or proposed) today reflects somewhat different goals and the trade-offs made by the criteria developers relative to these goals. A separate issue with regard to evaluating system security is how applicable criteria of the sort noted above are to complete systems, as opposed to individual computer or network products. This question is addressed below in "System Certification vs. Product Evaluation."
Before discussing in more detail the goals for product criteria, it is useful to examine the nature of the security characteristics addressed in evaluation criteria.
Security Characteristics
Most evaluation criteria reflect two potentially independent aspects of security: functionality and assurance. Security functionality refers to the facilities by which security services are provided to users. These facilities may include, for example, various types of access control mechanisms that allow users to constrain access to data, or authentication mechanisms that verify a user's claimed identity. Usually it is easy to understand differences in security functionality, because they are manifested by mechanisms with which the user interacts (perhaps indirectly). Systems differ in the number, type, and combination of security mechanisms available.
In contrast, security assurance often is not represented by any user-visible mechanisms and so can be difficult to evaluate. A product rating intended to describe security assurance expresses an evaluator's
degree of confidence in the effectiveness of the implementation of security functionality. Personal perceptions of "degree of confidence" are relative, and so criteria for objectively assessing security assurance are based primarily on requirements for increasingly rigorous development practices, documentation, analysis, configuration management, and testing. Relative degrees of assurance also may be indicated by rankings based on the relative strength of the underlying mechanisms (e.g., cryptographic algorithms).
Thus two products that appear to provide the same security functionality to a user may actually provide different levels of assurance because of the particulars (e.g., relative strength or quality) of the mechanisms used to implement the functionality or because of differences in the development methodology, documentation, or analysis accorded each implementation. Such differences in the underlying mechanisms of implementation should be recognized in an evaluation of security. Their significance can be illustrated by analogy: two painted picnic tables may appear to be identical outwardly, but one is constructed of pressure-treated lumber and the other of untreated lumber. Although the functionality of both with regard to table size and seating capacity is identical, the former table may be more durable than the latter because of the materials used to construct (implement) it.
Another example illustrates more subtle determinants of assurance. A product might be evaluated as providing a high level of assurance because it was developed by individuals holding U.S. government top-secret clearances and working in a physically secure facility, and because it came with reams of documentation detailing the system design and attesting to the rigorous development practices used. But an identical product developed by uncleared individuals in a nonsecured environment and not accompanied by equivalent documentation would probably receive a much lower assurance rating. Although the second product in this example is not necessarily less secure than the first, an evaluator probably would have less confidence in the security of the second product due to the lack of supporting evidence provided by its implementors, and perhaps, less confidence in the trustworthiness of the implementors themselves.[1]
Somewhat analogous is the contrast between buying a picnic table from a well-known manufacturer with a reputation for quality (a member of the "Picnic Table Manufacturers of America") versus purchasing a table from someone who builds picnic tables as an avocation. One may have confidence that the former manufacturer will use good materials and construction techniques (to protect his corporate image), whereas the latter may represent a greater risk (unless one knows the builder or has references from satisfied customers), irrespective of
<strong>the</strong> actual quality of m<strong>at</strong>erials and workmanship. For computers and networks,<br />
<strong>the</strong> technology is sufficiently complex th<strong>at</strong> users cannot, <strong>in</strong> general, personally<br />
evalu<strong>at</strong>e <strong>the</strong> security assurance and <strong>the</strong>refore <strong>the</strong> quality of <strong>the</strong> product as <strong>the</strong>y<br />
might <strong>the</strong> quality of a picnic table. Even evalu<strong>at</strong>ors cannot thoroughly exam<strong>in</strong>e<br />
every aspect of a computer system to <strong>the</strong> depth one would prefer, hence <strong>the</strong><br />
reliance on evidence of good development practices, extensive document<strong>at</strong>ion,<br />
and so on.<br />
Security assurance is evaluated in these indirect ways in part because testing, specification, and verification technology is not sufficiently mature to permit more direct rankings of assurance. In principle one could begin by specifying, using a formal specification language, the security policies that a target product should implement. Then one could use verification tools (programs) to establish the correspondence between this specification and a formal top-level specification (FTLS) for the product. This FTLS could, in turn, be shown to match the actual implementation of the product in a (high-level) programming language. The output of the compiler used to translate the high-level language into executable code would also have to be shown to correspond to the high-level language. This process could be continued to include firmware and hardware modules and logic design if one were to impose even more stringent assurance standards.
As described in Chapter 4 of this report, state-of-the-art specification and verification technology does not allow for such a thorough, computer-driven process to demonstrate that a computer or network correctly supports a security policy. Experience has shown that there are numerous opportunities for human subversion of such a process unless it is carried through to the step that includes examination of the executable code (Thompson, 1984), and unless extreme measures, currently beyond the state of the art, are taken to ensure the correctness of the verification tools, compilers, and so on. Testing is a useful adjunct to the process, but the interfaces to the products of interest are sufficiently complex so as to preclude exhaustive testing to detect security flaws. Thus testing can contribute to an evaluator's confidence that security functionality is correctly implemented, but it cannot be the sole basis for providing a rating based on assurance as well. This explains, in large part, the reliance on indirect evidence of assurance (e.g., documentation requirements, trusted developers, and use of a secure development environment).
Assurance Evaluation
There are actually two stages of assurance evaluation: design evaluation and implementation evaluation. Design evaluation attempts to assure that a particular proposed system design actually provides the functionality it attempts rather than simply appearing to do so. Some early systems were constructed that associated passwords with files, rather than with users, as a form of access control. This approach gave the appearance of providing the required functionality but in fact failed to provide adequate accountability. This is an example of a design flaw that would likely be detected and remedied by a design evaluation process.
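The accountability gap in the file-password design described above, made concrete as an added example (not code from the report): two toy access-control designs run against the same three reads, after which only the user-based design's audit trail can say who acted. Class names, file names, users and passwords are constructed for the illustration.

```python
"""Added illustration: file-keyed passwords versus user-keyed passwords.

The report observes that associating passwords with files rather than with
users looked like access control but gave no accountability.  The two
stores below differ only in where the secret lives, and the difference
shows up in what the audit trail can attribute afterwards.  All names and
sample data here are constructed for the example.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuditRecord:
    subject: Optional[str]   # who performed the access, if the design knows
    obj: str                 # the file that was accessed
    action: str
    granted: bool


class FilePasswordStore:
    """The flawed design: the secret belongs to the file, not to a person.

    Anyone presenting the file's password is granted access, and the system
    never learns which person did so, so the audit record has no subject.
    """

    def __init__(self, file_passwords: dict[str, str]) -> None:
        self._pw = dict(file_passwords)
        self.audit: list[AuditRecord] = []

    def read(self, filename: str, presented_password: str) -> bool:
        expected = self._pw.get(filename)
        ok = expected is not None and hmac.compare_digest(expected, presented_password)
        # Only the object is known; the subject slot stays empty.
        self.audit.append(AuditRecord(None, filename, "read", ok))
        return ok


class UserAclStore:
    """Passwords belong to users; each file carries an ACL of permitted users.

    Access is decided for an authenticated principal, so every audit record
    names who acted, whether or not access was granted.
    """

    def __init__(self, user_passwords: dict[str, str], acls: dict[str, set[str]]) -> None:
        self._users = dict(user_passwords)
        self._acls = {f: set(u) for f, u in acls.items()}
        self.audit: list[AuditRecord] = []

    def authenticate(self, user: str, password: str) -> bool:
        expected = self._users.get(user)
        return expected is not None and hmac.compare_digest(expected, password)

    def read(self, user: str, password: str, filename: str) -> bool:
        if not self.authenticate(user, password):
            self.audit.append(AuditRecord(user, filename, "read", False))
            return False
        ok = user in self._acls.get(filename, set())
        self.audit.append(AuditRecord(user, filename, "read", ok))
        return ok


def attributable_accesses(audit: list[AuditRecord]) -> int:
    """Count granted accesses that the audit trail can tie to a named subject."""
    return sum(1 for r in audit if r.granted and r.subject is not None)


def demo() -> tuple[int, int, int, int]:
    """Run the same three reads of a constructed 'payroll' file through both designs.

    Returns (granted_fp, attributable_fp, granted_acl, attributable_acl).
    """
    fp = FilePasswordStore({"payroll": "s3cret"})
    for _ in ("alice", "bob", "mallory"):      # three people, one shared secret
        fp.read("payroll", "s3cret")

    acl = UserAclStore(
        {"alice": "a-pw", "bob": "b-pw", "mallory": "m-pw"},
        {"payroll": {"alice", "bob"}},
    )
    acl.read("alice", "a-pw", "payroll")
    acl.read("bob", "b-pw", "payroll")
    acl.read("mallory", "m-pw", "payroll")     # denied, but still attributed

    granted_fp = sum(r.granted for r in fp.audit)
    granted_acl = sum(r.granted for r in acl.audit)
    return (granted_fp, attributable_accesses(fp.audit),
            granted_acl, attributable_accesses(acl.audit))


if __name__ == "__main__":
    print(demo())   # (3, 0, 2, 2)
```

The file-password store grants all three reads yet can attribute none of them, which is exactly the kind of gap a design review would flag before the mechanism is built.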
Design evaluation is insurance against making a fundamental design error and embedding this error so deeply in a system that it cannot later be changed for any reasonable cost. To support the requirement of confidentiality, the possible mechanisms are well enough understood that design evaluation may not be needed to ensure a good design. But for newer areas of functionality, such as supporting the requirement for integrity or secure distributed systems, there is less experience with design options.

This committee considers explicit design evaluation to be very important. There are many ways to obtain such review, and vendor prudence may be sufficient in some circumstances to ensure that this step is part of system design. However, in general, the committee endorses design evaluation by an independent team (involving personnel not employed by the vendor) as a standard part of secure system design and encourages that this step be undertaken whenever possible.
Implementation evaluation is also important, but generally is more difficult, more time consuming, and more costly. For the level of assurance generally required in the commercial market, it may be sufficient to carry out a minimal implementation evaluation (as part of overall system quality assurance procedures, including initial operational or Beta testing) prior to system release if a good design evaluation is performed. Moreover, if the incident reporting and tracking system proposed in Chapters 1 and 6 is instituted, implementation flaws can be identified and fixed in the normal course of system releases. (Of course, well-known systems with well-known design flaws continue to be used, and continue to be penetrated. But for systems with modest security pretensions, many attacks exploit implementation flaws that could be corrected through diligent incident reporting and fixing of reported flaws.) By contrast the current implementation evaluation process as practiced by NCSC is very time consuming, and because it must occur after implementation, it slows the delivery of evaluated systems to the marketplace. 2
For systems attempting to conform to a baseline set of GSSP as recommended by the committee (see Chapter 1, "Overview and Recommendations," and Chapter 2, "Concepts of Information Security"), the committee recommends that in the short term a process of evaluating installed systems (field evaluation), rather than the a priori implementation evaluation now carried out by NCSC, be used to increase the level of implementation quality.
This process of field evaluation, while it shares the basic goal of the current NCSC process, differs from that process in several ways that the committee views as advantageous. First, because such field evaluation is less time consuming, it may be viewed as less onerous than the current method for implementation evaluation. It should also be less costly, which would increase its acceptability. One side effect is that the early customers of a system subject to field evaluation would not have the full benefit of evaluated security mechanisms, a situation that would prompt customers with relatively high concern for security to delay purchase. In exchange for this limitation for early customers, the system would reach the market promptly and then continue to improve as a result of field experience. This process would also accommodate new releases and revisions of a system more easily than the current NCSC procedure, the Rating Maintenance Phase (RAMP). New releases that revise the function of the system should receive an incremental design review. But revisions to fix bugs would naturally be covered by the normal process of field testing. Indeed, it would be hoped that revisions would follow naturally from the implementation evaluation.
This field evaluation process, if explicitly organized, can focus market forces in an effective way and lead to the recognition of outside evaluation as a valuable part of system assurance. The committee is concerned that, outside of the DOD, where the NCSC process is mandated, there is little appreciation of the importance of evaluation as an explicit step. Instead, the tendency initially is to accept security claims at face value, which can result in a later loss of credibility for a set of requirements. For example, customers have confused a bad implementation for a bad specification, and rejected a specification when one system implemented it badly. Thus the committee has linked its recommendation for the establishment of a broad set of criteria, GSSP, with a recommendation to establish methods, guidelines, and facilities for evaluating products with respect to GSSP.
The committee believes that the way to achieve a system evaluation process supported by vendors and users alike is to begin with a design evaluation, based on GSSP itself, and to follow up with an implementation evaluation, focusing on field experience and incident reporting and tracking. Incident reporting and tracking could have the added effect of documenting vendor attentiveness to security, educating customers, and even illuminating potential sources of legal liability. Over time, the following steps might be anticipated: If GSSP were instituted, prudent consumers would demand GSSP-conforming systems as a part of normal practice. GSSP would drive field evaluation. If vendors perceived field evaluation as helping them in the marketplace or reducing their liability, they would come to support the process, and perhaps even argue for a stronger implementation evaluation as a means to obtain a higher assurance rating for systems. Thus GSSP could combine with market forces to promote development of systems evaluated as having relatively high assurance (analogous to the higher levels of the current Orange Book), a level of assurance that today does not seem to be justified in the eyes of many vendors and consumers. For this chain of events to unfold, GSSP must be embraced by vendors and users. To stimulate the development of GSSP, the committee recommends basing the initial set of GSSP on the Orange Book (specifically, the committee recommends building from C2 and B1 criteria) and possibly making conformance to GSSP mandatory in some significant applications, such as medical equipment or other life-critical systems.
Trade-offs in Grouping of Criteria
In developing product criteria, one of the primary trade-offs involves the extent to which security characteristics are grouped together. As noted above, aspects of security can be divided into two broad types: functionality and assurance. Some criteria, for example, the Orange Book and the TNI, tend to "bundle" together functionality and assurance characteristics to define a small set of system security ratings. Other criteria, for example, the proposed West German (ZSI) set, group characteristics of each type into evaluation classes but keep the two types independent, yielding a somewhat larger set of possible ratings. At the extreme, the originally proposed British (DTI) criteria (a new evaluation scheme for both government and commercial systems has since been developed (U.K. CESG/DTI, 1990)) are completely unbundled, defining security controls and security objectives and a language in which to formulate claims for how a system uses controls to achieve the objectives. Comparisons with the successor harmonized criteria, the ITSEC, which builds on both the ZSI and DTI schemes, are amplified in the section below titled "Comparing National Criteria Sets."
One argument in favor of bundling criteria is that it makes life easier for evaluators, users, and vendors. When a product is submitted for evaluation, a claim is made that it implements a set of security functions with the requisite level of assurance for a given rating. The job of an evaluator is made easier if the security functions and assurance techniques against which a product is evaluated have been bundled into a small number of ratings (e.g., six, as in the Orange Book). Because evaluators are likely to see many systems that have been submitted for the same rating, they gain experience that can be applied to later evaluations, thus reducing the time required to perform an evaluation.
When completely unbundled criteria are used (e.g., the proposed DTI set), the evaluators may have to examine anew the collection of security features claimed for each product, since there may not have been previously evaluated products with the same set of features. In this sense, evaluation associated with unbundled criteria would probably become more time consuming and more difficult (for a system with comparable functionality and assurance characteristics) than evaluation against bundled criteria.

Bundled criteria define what their authors believe are appropriate combinations of security functions and assurance techniques that will yield useful products. This signaling of appropriate combinations is an especially important activity if users and vendors are not competent to define such combinations on their own. Bundled criteria play a very powerful role in shaping the marketplace for secure systems, because they tend to dictate what mechanisms and assurances most users will specify in requests for proposals and what vendors will build (in order to match the ratings).

A small number of evaluation ratings helps channel user demands for security to systems that fall into one of a few rated slots. If user demands are not focused in this fashion, development and evaluation costs cannot be amortized over a large enough customer base. Vendors can then be faced with the prospect of building custom-designed secure systems products, which can be prohibitively expensive (and thus diminish demand). Bundled criteria enable a vendor to direct product development to a very small number of rating targets.
A concern often cited for unbundled criteria is that it is possible in principle to specify groupings of security features that might, in toto, yield "nonsecure" systems. For example, a system that includes sophisticated access control features but omits all audit facilities might represent an inappropriate combination of features. If vendors and users of secure systems were to become significantly more sophisticated, the need to impose such guidance through bundled criteria would become less crucial. However, there will always be users and vendors who lack the necessary knowledge and skills to understand how trustworthy a system may be. The question is whether it is wise to rely on vendors to select "good" combinations of security features for systems and to rely on users to be knowledgeable in requesting appropriate groupings if unbundled criteria are adopted.
While bundled criteria may protect the naive vendor, they may also limit the sophisticated vendor, because they do not reward the development of systems with security functionality or assurance outside of that prescribed by the ratings. For example, recent work on security models (Clark and Wilson, 1987) suggests that many security practices in the commercial sector are not well matched to the security models that underlie the Orange Book. A computer system designed expressly to support the Clark-Wilson model of security, and thus well suited to typical commercial security requirements, might not qualify under evaluation based on the Orange Book. A system that did qualify for an Orange Book rating and had added functions for integrity to support the Clark-Wilson model would receive no special recognition for the added functionality since that functionality, notably relating to integrity, is outside the scope of the Orange Book. 3
The government-funded LOCK project (see Appendix B), for example, is one attempt to provide both security functionality and assurance beyond that called for by the highest rating (A1) of the Orange Book. But because this project's security characteristics exceed those specified in the ratings scale, LOCK (like other attempts to go beyond A1) cannot be "rewarded" for these capabilities within the rating scheme. It can be argued that if LOCK were not government funded it would not have been developed, since a vendor would have no means within the evaluation process of substantiating claims of superior security, and users would have no means of specifying these capabilities (e.g., in requests for proposals) relative to the criteria (Orange Book).<br />
Bundled criteria are also difficult to modify to adapt to changing technology or modes of use. Changing computer technology imposes the requirement that security criteria must evolve. The advent of networking represents a key example of this need. As this report is prepared, none of the computers rated by the NCSC includes network interface software in the evaluated product, despite the fact that many of these systems will be connected to networks. This may be indicative, in part, of the greater complexity associated with securing a computer attached to a network, but it also illustrates how criteria can become disconnected from developments in the workplace. For some of these computers, the inclusion of network interface software will not only formally void the evaluation but will also introduce unevaluated, security-critical software. This experience argues strongly that evaluation criteria must be able to accommodate technological evolution so that fielded products remain true to their evaluations.<br />
The discussion and examples given above demonstrate that constraints on the evolving marketplace can occur unless evaluation criteria can be extended to accommodate new paradigms in security functionality or assurance. Such problems could arise with unbundled criteria, but criteria like the Orange Book set seem especially vulnerable to paradigm shifts because their hierarchic, bundled nature makes them more difficult to extend.<br />
Copyright © National Academy of Sciences. All rights reserved.
Based on these considerations, the committee concludes that in the future a somewhat less bundled set of security criteria will best serve the needs of the user and vendor communities. It is essential to provide for evolution of the criteria to address new functions and new assurance techniques. The committee also believes that naive users are not well served by bundled criteria, but rather are misled to believe that complex security problems can be solved by merely selecting an appropriately rated product. If naive users or vendors need protection from the possibility of selecting incompatible features from the criteria, this can be made available by providing guidelines, which can suggest collections of features that, while useful, are not mandatory, as bundled criteria would be.<br />
Comparing National Criteria Sets<br />
The Orange Book and its Trusted Network Interpretation, the Red Book, establish ratings that span four hierarchical divisions: D, C, B, and A, in ascending order. The "D" rating is given to products with negligible or no security; the "C," "B," and "A" ratings reflect specific, increasing provision of security. Each division includes one or more classes, numbered from 1 (that is, stronger ratings correlate with higher numbers), that provide finer-granularity ratings. Thus an evaluated system is assigned a digraph, for example, C2 or A1, that places it in a class in a division. At present, the following classes exist, in ascending order: C1, C2, B1, B2, B3, and A1. A summary of criteria for each class, reproduced from the Orange Book's Appendix C, can be found in Appendix A of this report. There are significant security-functionality distinctions between division-C and division-B systems. In particular, the C division provides for discretionary access control, while the B division adds mandatory access control. A1 systems, the only class today within the A division, add assurance, drawing on formal design specification and verification, but no functionality, to B3 systems. Assurance requirements increase from one division to the next and from one class to the next within a division. The Orange Book describes B2 systems as relatively resistant, and B3 as highly resistant, to penetration. The robustness of these and higher systems comes from their added requirements for functionality and/or assurance, which in turn drive greater attention to security, beginning in the early stages of development. That is, more effort must be made to build security in, as opposed to adding it on, to achieve a B2 or higher rating.<br />
In these U.S. criteria, both the language for expressing security characteristics and the basis for evaluation are thus embodied in the requirements for each division and class. This represents a highly "bundled" approach to criteria in that each rating, for example, B2, is a combination of a set of security functions and security assurance attributes.<br />
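The distinction drawn above between discretionary access control (division C) and mandatory access control (division B) is easiest to see as a decision procedure. The following Python reference-monitor model is an added illustration, not code from the report or from any evaluated product; the users, objects, sensitivity levels and the "NATO" compartment are constructed for the example. It goes slightly beyond the text by spelling out the Bell-LaPadula rules (no read up, no write down) that the Orange Book's mandatory-access-control requirement is modeled on, and shows two requests that a DAC-only system permits but that a system enforcing MAC must deny.

```python
"""Toy reference monitor contrasting discretionary (DAC) and mandatory (MAC)
access control.  Added illustration for the division-C / division-B
distinction; not code from the report.  All labels, users and objects are
constructed for the example."""
from dataclasses import dataclass, field

# Hierarchical sensitivity levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND compartments a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Obj:
    """A protected object with an owner, a label and a discretionary ACL."""
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)   # user -> set of "r" / "w"


def dac_allows(user: str, obj: Obj, mode: str) -> bool:
    """Discretionary check: the owner holds all rights and may grant others
    ACL entries at will.  Sensitivity labels play no part."""
    return user == obj.owner or mode in obj.acl.get(user, set())


def mac_allows(subject: Label, obj: Obj, mode: str) -> bool:
    """Mandatory check in the Bell-LaPadula style the Orange Book's MAC
    requirement is modeled on:
       read  -> subject label dominates object label (no read up)
       write -> object label dominates subject label (no write down)"""
    if mode == "r":
        return subject.dominates(obj.label)
    if mode == "w":
        return obj.label.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


def decide(user: str, subject: Label, obj: Obj, mode: str, mandatory: bool) -> str:
    """Reference-monitor decision.  A C-division style system applies DAC
    only; a B-division style system requires DAC and MAC both to pass."""
    if not dac_allows(user, obj, mode):
        return "DENY (DAC)"
    if mandatory and not mac_allows(subject, obj, mode):
        return "DENY (MAC)"
    return "ALLOW"


def scenario() -> dict:
    """Two requests DAC permits but MAC must refuse (constructed data)."""
    alice = Label("SECRET", frozenset({"NATO"}))      # Alice's session label
    bob = Label("CONFIDENTIAL")                       # Bob's session label
    plans = Obj("plans", owner="alice", label=Label("SECRET", frozenset({"NATO"})))
    bulletin = Obj("bulletin", owner="alice", label=Label("UNCLASSIFIED"))
    # As owner, Alice discretionarily grants Bob read access to the SECRET plans.
    plans.acl["bob"] = {"r"}
    return {
        # Read up: Bob's clearance does not dominate the object label.
        "bob reads plans (DAC only)": decide("bob", bob, plans, "r", mandatory=False),
        "bob reads plans (DAC+MAC)": decide("bob", bob, plans, "r", mandatory=True),
        # Write down: a SECRET session (or a Trojan horse running in it) writing
        # into an UNCLASSIFIED object that Alice happens to own.
        "alice writes bulletin (DAC only)": decide("alice", alice, bulletin, "w", mandatory=False),
        "alice writes bulletin (DAC+MAC)": decide("alice", alice, bulletin, "w", mandatory=True),
        # Reading down is permitted under both regimes.
        "alice reads bulletin (DAC+MAC)": decide("alice", alice, bulletin, "r", mandatory=True),
    }


if __name__ == "__main__":
    for request, outcome in scenario().items():
        print(f"{request:36s} -> {outcome}")
```

The two MAC denials are exactly the cases a discretionary mechanism cannot prevent: the owner of an object, or any program running with the owner's identity, can always grant or exercise access under DAC, so a division-C system offers no defense against an authorized user or a Trojan horse moving data downward. That is the functionality the B division adds, and it is why the report treats the C/B boundary as the significant one.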
The Information Technology Security Evaluation Criteria (ITSEC)—the harmonized criteria of France, Germany, the Netherlands, and the United Kingdom (Federal Republic of Germany, 1990)—represents an effort to establish a comprehensive set of security requirements for widespread international use. ITSEC is generally intended as a superset of TCSEC, with ITSEC ratings mappable onto the TCSEC evaluation classes (see below). Historically, ITSEC represents a remarkably smooth evolutionary grafting together of the evaluation classes of the German (light) Green Book (GISA, 1989) and the "claims language" of the British (dark) Green Books (U.K. DTI, 1989). ITSEC unbundles functional criteria (F1 to F10) and correctness criteria (E0 as the degenerate case, and E1 to E6), which are evaluated independently.<br />
The functional criteria F1 to F5 are of generally increasing merit and correspond roughly to the functionality of TCSEC evaluation classes C1, C2, B1, B2, and B3, respectively. The remaining functionality criteria address data and program integrity (F6), system availability (F7), data integrity in communication (F8), data confidentiality in communication (F9), and network security, including confidentiality and integrity (F10). F6 to F10 may in principle be evaluated orthogonally to each other and to the chosen base level, F1, F2, F3, F4, or F5.<br />
The correctness criteria are intended to provide increased assurance. To a first approximation, the correctness criteria cumulatively require testing (E1), configuration control and controlled distribution (E2), access to the detailed design and source code (E3), rigorous vulnerability analysis (E4), demonstrable correspondence between detailed design and source code (E5), and formal models, formal descriptions, and formal correspondences between them (E6). E2 through E6 correspond roughly to the assurance aspects of TCSEC evaluation classes C2, B1, B2, B3, and A1, respectively.<br />
ITSEC's unbundling has advantages and disadvantages. On the whole it is a meritorious concept, as long as assurance does not become a victim of commercial expediency, and if the plethora of rating combinations does not cause confusion.<br />
A particular concern with the ITSEC is that it does not mandate any particular modularity with respect to system architecture. In particular, it does not require that the security-relevant parts of the system be isolated into a trusted computing base, or TCB. It is of course possible to evaluate an entire system according to ITSEC without reference to its composability (e.g., as an application on top of a TCB), but this complicates the evaluation and fails to take advantage of other related product evaluations. The effectiveness of this approach remains to be seen.<br />
The initial ITSEC draft was published and circulated for comment in 1990. Hundreds of comments were submitted by individuals and organizations from several countries, including the United States, and a special meeting of interested parties was held in Brussels in September 1990. In view of the volume and range of comments submitted, plus the introduction of a different proposal by EUROBIT, a European computer manufacturers' trade association, a revised draft is not expected before mid-1991.<br />
The dynamic situation calls for vigilance and participation, to the extent possible, by U.S. interests. At present, the National Institute of Standards and Technology (NIST) is coordinating U.S. inputs, although corporations and individuals are also contributing directly. It is likely that the complete process of establishing harmonized criteria, associated evaluation mechanisms, and related standards will take some time and will, after establishment, continue to evolve. Because the European initiatives are based in part on a reaction to the narrowness of the TCSEC, and because NIST's resources are severely constrained, the committee recommends that GSSP and a new organization to spearhead GSSP, the Information Security Foundation, provide a focus for future U.S. participation in international criteria and evaluation initiatives.<br />
Reciprocity Among Criteria Sets<br />
A question naturally arises with regard to comparability and reciprocity of the ratings of different systems. Even though ratings under one criteria set may be mappable to roughly comparable ratings under a different criteria set, the mapping is likely to be imprecise and not symmetric; for example, the mappings may be many-to-one. Even if there is a reasonable mapping between some ratings in different criteria, one country may refuse to recognize the results of an evaluation performed by an organization in another country, for political, as well as technical, reasons. The subjective nature of the ratings process makes it difficult, if not impossible, to ensure consistency among evaluations performed at different facilities, by different evaluators, in different countries, especially when one adds the differences in the criteria themselves. In such circumstances it is not hard to imagine how security evaluation criteria can become the basis for erecting barriers to international trade in computer systems, much as some have argued that international standards have become (Frenkel, 1990). Reciprocity has been a thorny problem in the comparatively simpler area of rating conformance to interoperability standards, where testing and certification are increasingly in demand, and there is every indication it will be a major problem for secure systems.<br />
Multinational vendors of computer systems do not wish to incur the costs and delay to market associated with multiple evaluations under different national criteria sets. Equally important, they may not be willing to reveal to foreign evaluators details of their system design and their development process, which they may view as highly proprietary. The major U.S. computer system vendors derive a significant fraction of their revenue from foreign sales and thus are especially vulnerable to proliferating foreign evaluation criteria. At the same time, the NCSC has interpreted its charter as not encompassing evaluation of systems submitted by foreign vendors. This has stimulated the development of foreign criteria and thus has contributed to the potential conflicts among criteria on an international scale.<br />
Analyses indicate that one can map any of the Orange Book ratings onto an ITSEC rating. A reverse mapping (from ITSEC to Orange Book ratings) is also possible, although some combinations of assurance and functionality are not well represented, and thus the evaluated product may be "underrated." However, the ITSEC claims language may tend to complicate comparisons of ITSEC ratings with one another.<br />
Products evaluated under the Orange Book could be granted ITSEC ratings and ratings under other criteria that are relatively unbundled. This should be good news for U.S. vendors, if rating reciprocity agreements are enacted between the United States and foreign governments. Of course, a U.S. vendor could not use reciprocity to achieve the full range of ratings available to vendors who undergo ITSEC evaluation directly.<br />
Even when there are correspondences between ratings under different criteria, there is the question of confidence in the evaluation process as carried out in different countries.<sup>4</sup> Discussions with NCSC and NSA staff suggest that reciprocity may be feasible at lower levels of the Orange Book, perhaps B1 and below, but not at the higher levels (committee briefings; personal communications). In part this sort of limitation reflects the subjective nature of the evaluation process. It may also indicate a reluctance to rely on "outside" evaluation for systems that would be used to separate multiple levels of DOD classified data. If other countries were to take a similar approach for high assurance levels under their criteria, then reciprocity agreements would be of limited value over time (as more systems attain higher ratings). Another likely consequence would be a divergence between criteria and evaluations for systems intended for use in defense applications and those intended for use in commercial applications.<br />
SYSTEM CERTIFICATION VS. PRODUCT EVALUATION<br />
The discussion above has addressed security evaluation criteria that focus on computer and network products. These criteria do not address all of the security concerns that arise when one actually deploys a system, whether it consists of a single computer or is composed of multiple computer and network products from different vendors. Procedural and physical safeguards, and others for personnel and emanations, enter into overall system security, and these are not addressed by product criteria. Overall system security is addressed by performing a thorough analysis of the system in question, taking into account not only the ratings of products that might be used to construct the system, but also the threats directed against the system and the concerns addressed by the other safeguards noted above, and producing a security architecture that addresses all of these security concerns.<br />
The simple ratings scheme embodied in the Orange Book and the TNI has led many users to think in terms of product ratings for entire systems. Thus it is not uncommon to hear a user state that his system, which consists of numerous computers linked by various networks, all from different vendors, needs to be, for example, B1. This statement arises from a naive attempt to apply the environment guidelines developed for the Orange Book to entire systems of much greater complexity and diversity. It leads to discussions of whether a network connecting several computers with the same rating is itself rated at or below the level of the connected computers. Such discussions, by adopting designations developed for product evaluation, tend to obscure the complexity of characterizing the security requirements for real systems and the difficulty of designing system security solutions.
In fact, the term "evaluation" is often reserved for products, not deployed systems. Instead, at least in the DOD and intelligence communities, systems are certified for use in a particular environment with data of a specified sensitivity.[5] Unfortunately, the certification process tends to be more subjective and less technically rigorous than the product evaluation process. Certification of systems historically preceded Orange Book-style product evaluation, and certification criteria are typically less uniform, that is, varying from agency to agency.
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
CRITERIA TO EVALUATE COMPUTER AND NETWORK SECURITY 138
Nonetheless, certification does attempt to take into account the full set of security disciplines noted above and thus is more an attempt at a systems approach to security than it is product evaluation.

Certified systems are not rated with concise designations, and standards for certification are less uniform than those for product evaluation, so that users cannot use the results of a certification applied to an existing system to simply specify security requirements for a new system. Unlike that from product evaluations, the experience gained from certifying systems is not so easily codified and transferred for use in certifying other systems. To approach the level of rigor and uniformity comparable to that involved in product evaluation, a system certifier would probably have to be more extensively trained than his counterpart who evaluates products. After all, certifiers must be competent in more security disciplines and be able to understand the security implications of combining various evaluated and unevaluated components to construct a system.
A user attempting to characterize the security requirements for a system he is to acquire will find applying system certification methodology a priori a much more complex process than specifying a concise product rating based on a reading of the TCSEC environment guidelines (Yellow Book; U.S. DOD, 1985b). Formulating the security architecture for a system and selecting products to realize that architecture are intrinsically complex tasks that require expertise most users do not possess. Rather than attempting to cast system security requirements in the very concise language of a product ratings scheme such as the Orange Book, users must accept the complexity associated with system security and accept that developing and specifying such requirements are nontrivial tasks best performed by highly trained security specialists.[6]
In large organizations the task of system certification may be handled by internal staff. Smaller organizations will probably need to enlist the services of external specialists to aid in the certification of systems, much as structural engineers are called in as consultants. In either case system certifiers will need to be better trained to deal with increasingly complex systems with increased rigor. A combination of formal training and real-world experience is an appropriate prerequisite for certifiers, and licensing (including formal examination) of consulting certifiers may also be appropriate.
Increasingly, computers are becoming connected via networks and are being organized into distributed systems. In such environments a much more thorough system security analysis is required, and the product rating associated with each of the individual computers is in no way a sufficient basis for evaluating the security of the system as a whole. This suggests that it will become increasingly important to
develop methodologies for ascertaining the security of networked systems, not just evaluations for individual computers. Product evaluations are not applicable to whole systems in general, and as "open systems" that can be interconnected relatively easily become more the rule, the need for system security evaluation, as distinct from product evaluation, will become even more critical.
Many of the complexities of system security become apparent in the context of networks, and the TNI (which is undergoing revision) actually incorporates several distinct criteria in its attempt to address these varied concerns. Part I of the TNI provides product evaluation criteria for networks, but since networks are seldom homogeneous products this portion of the TNI seems to have relatively little direct applicability to real networks. Part II and Appendix A of the TNI espouse an unbundled approach to evaluation of network components, something that seems especially appropriate for such devices and that is similar to the ITSEC F9 and F10 functionality classes. However, many of the ratings specified in Part II and Appendix A of the TNI are fairly crude; for example, for some features only "none" or "present" ratings may be granted. More precise ratings, accompanied by better characterizations of requirements for such ratings, must be provided for these portions of the TNI to become really useful. Appendix C of the TNI attempts to provide generic rules to guide users through the complex process of connecting rated products together to form trusted systems, but it has not proven to be very useful. This is clearly a topic suitable for further research (see Chapter 8).
RECOMMENDATIONS FOR PRODUCT EVALUATION AND SYSTEM CERTIFICATION CRITERIA
The U.S. computer industry has made a significant investment in developing operating systems that comply with the Orange Book. This reality argues against any recommendation that would undercut that investment or undermine industry confidence in the stability of security evaluation criteria. Yet there are compelling arguments in favor of establishing less-bundled criteria to address some of the shortcomings cited above. This situation suggests a compromise approach in which elements from the Orange Book are retained but additional criteria, extensions of the TCSEC, are developed to address some of these arguments. This tack is consistent with the recommendations for GSSP made in Chapter 1, which would accommodate security facilities generally regarded as useful but outside the scope of the current criteria, for example, those supporting the model for Clark-Wilson integrity (Clark and Wilson, 1987).
The importance of maintaining the momentum generated by the Orange Book process and planning for some future reciprocity or harmonization of international criteria sets makes modernization of the Orange Book necessary, although the committee anticipates a convergence between this process and the process of developing GSSP. In both instances, the intent is to reward vendors who wish to provide additional security functionality and/or greater security assurance than is currently accommodated by the Orange Book criteria. The TNI should be restructured to be more analogous to the ITSEC (i.e., with less emphasis on Parts I and II and more on a refined Appendix A). The TNI is new enough so as not to have acquired a large industry investment, and it is now undergoing revision anyway. Thus it should be politically feasible to modify the TNI at this stage.
The ITSEC effort represents a serious attempt to transcend some of the limitations in the TCSEC, including the criteria for integrity and availability. However, it must be recognized that neither TCSEC nor ITSEC provides the ultimate answer, and thus ongoing efforts are vital. For example, a weakness of ITSEC is that its extended functional criteria F6 through F10 are independently assessable monolithic requirements. It might be more appropriate if integrity and availability criteria were graded similarly to criteria F1 through F5 for confidentiality, with their own hierarchies of ratings. (The draft Canadian criteria work in that direction.)
There is also a need to address broader system security concerns in a manner that recognizes the heterogeneity of integrated or conglomerate systems. This is a matter more akin to certification than to product evaluation.

To better address requirements for overall system security, it will be necessary to institute more objective, uniform, rigorous standards for system certification. The committee recommends that GSSP include relevant guidelines to illuminate such standards. To begin, a guide for system certification should be prepared, to provide a more uniform basis for certification. A committee should be established to examine existing system certification guidelines and related documentation—for example, password management standards—from government and industry as input to these guidelines. An attempt should be made to formalize the process of certifying a conglomerate system composed of evaluated systems, recognizing that this problem is very complex and may require a high degree of training and experience in the certifier. Development and evaluation of heterogeneous systems remain crucial research issues.
For systems where classified information must be protected, a further kind of criteria development is implied, notably development of an
additional assurance class within the A division, for example, A2 (this is primarily for government, not commercial, users),[7] as well as functionality extensions for all divisions of the Orange Book.
The committee's conclusions and specific recommendations, which are restated in Chapter 1 under recommendation 1, are as follows:
1. A new generation of evaluation criteria is required and should be established, to deal with an expanded set of functional requirements for security and to respond to the evolution of computer technology, for example, networking. These criteria can incorporate the security functions of the existing TCSEC (at the C2 or B1 level) and thus preserve the present industry investment in Orange Book-rated systems. The committee's proposed GSSP are intended to meet this need.
2. The new generation of criteria should be somewhat unbundled, compared to the current TCSEC, both to permit the addition of new functions and to permit some flexibility in the assurance methodology used. Guidelines should be prepared to prevent naive users from specifying incompatible sets of requirements. The ITSEC represents a reasonable example of the desirable degree of unbundled specification.
3. Systems designed to conform to GSSP should undergo explicit evaluation for conformance to the GSSP criteria. Design evaluation should be performed by an independent team of evaluators. Implementation evaluation should include a combination of explicit system audit, field experience, and organized reporting of security faults. Such a process, which should be less costly and less onerous than the current NCSC process, is more likely to be cost-effective to the vendor and user, and is more likely to gain acceptance in the market.
4. Effort should be expended to develop and improve the organized methods and criteria for dealing with complete systems, as opposed to products. This applies particularly to distributed systems, in which various different products are connected by a network.
NOTES
1. In the current environment, in which evaluations have been conducted by the NCSC, commercial system developers may face a greater challenge than those with defense contracting experience, who may have both cleared personnel and a working understanding of the documentation requirements. This practical problem underscores the need for a more effective interface between the commercial and the national security or classified worlds.
2. Based on information obtained in a briefing from NCSC officials, the NCSC evaluation process consists of five phases, including: (1) Pre-review Phase, (2) Vendor
Assistance Phase (VAP), (3) Design Analysis Phase, (4) Formal Evaluation Phase, and (5) Rating Maintenance Phase (RAMP).
In the Pre-review Phase vendors present the NCSC with a proposal defining the goals they expect to achieve and the basic technical approach being used. The pre-review proposal is used to determine the amount of NCSC resources needed to perform any subsequent evaluation. The Vendor Assistance Phase, which can begin at any stage of product development, consists primarily of monitoring and providing comments. During this phase, the NCSC makes a conscious effort not to "advise" the vendors (for legal reasons and because it is interested in evolution, not research and development). The Vendor Assistance Phase usually ends six to eight months before a product is released. The Design Analysis Phase takes an in-depth look at the design and implementation of a product using analytic tools. During this phase the Initial Product Analysis Report (IPAR) is produced, and the product is usually released for Beta testing. The Formal Evaluation Phase includes both performance and penetration testing of the actual product being produced. Products that pass these tests are added to the Evaluated Products List (EPL) at the appropriate level. Usually vendors begin shipping their product to normal customers during this phase. The Rating Maintenance Phase (RAMP), which takes place after products are shipped and pertains to enhancements (e.g., movement from one version of a product to another), is intended for C2 and B1 systems, to enable vendors to improve their product without undergoing a complete recertification.
3. The NCSC has argued that it is premature to adopt criteria that address security features that support Clark-Wilson integrity because formal models for such security policies do not yet exist. In this way they justify the present bundled structure of the TCSEC (committee briefing by NSA). The NCSC continues to view integrity and assured service as research topics, citing a lack of formal policy models for these security services. However, it is worth noting that the Orange Book does not require a system to demonstrate correspondence to a formal security policy model until class B2, and the preponderance of rated systems in use in the commercial sector are below this level, for example, at the C2 level. Thus the NCSC argument against unbundling the TCSEC to include integrity and availability requirements in the criteria, at least at these lower levels of assurance, does not appear to be consistent.
4. In the future, software tools that capture key development steps may facilitate evaluation and cross-checks on evaluations by others.
5. In the DOD environment the term "accreditation" refers to formal approval to use a system in a specified environment as granted by a designated approval authority. The term "certification" refers to the technical process that underlies the formal accreditation.
6. The claims language of the ITSEC may be more amenable to system security specification. However, product evaluation and system certification are still different processes and should not be confused, even if the ratings terminology can be shared between the two.
7. Proposals for an A2 class have been made before with no results, but LOCK and other projects suggest that it may now be time to extend the criteria to provide a higher assurance class. This class could apply formal specification and verification technology to a greater degree, require more stringent control on the development process (compare to the ITSEC E6 and E7), and/or call for stronger security mechanisms (e.g., the LOCK SIDEARM and BED technology, described in
Appendix B of this report). The choice of which additional assurance fe<strong>at</strong>ures might be <strong>in</strong>cluded <strong>in</strong><br />
A2 requires fur<strong>the</strong>r study.<br />
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
WHY THE SECURITY MARKET HAS NOT WORKED WELL 143

6
Why the Security Market Has Not Worked Well
Currently available are a wide variety of goods and services intended to enhance computer and communications security. These range from accessory devices for physical security, identification, authentication, and encryption to insurance and disaster recovery services, which provide computer and communications centers as a backup to an organization's or individual's own equipment and facilities. This chapter focuses on the market for secure or trusted systems and related products, primarily software. It provides an overview of the market and its problems, outlines the influences of the federal government on this market, discusses the lack of consumer awareness and options for alleviating it, and assesses actual and potential government regulation of the secure system market. Additional details on the export control process and insurance are provided in two chapter appendixes.

THE MARKET FOR TRUSTWORTHY SYSTEMS

Secure or trusted information systems are supplied by vendors of general- and special-purpose hardware and software. Overall, the market for these systems has developed slowly, although the pace is picking up somewhat now. Whereas the market in 1980 was dominated by commercial computer and communications systems with no security features, the market in 1990 includes a significant number of systems that offer discretionary access control and a growing number from both major and niche vendors with both discretionary and mandatory access control, which provides significant protections against breaches of confidentiality. Notable is the trend to produce systems rated at the Orange Book's B1 level (see Appendix A of this report), often by
adapting products that had had fewer security features and less assurance.

According to vendors, consumers most frequently demand security in connection with networked systems, which serve multiple users. One market research firm (International Resource Development) has estimated that the market for local area network (LAN) security devices may grow up to sixfold by the mid-1990s; it also foresees significant growth in data and voice encryption devices, in part because their costs are declining (Brown, 1989a). Other factors cited for growth in the encryption market are requirements for control of fraud in financial services and elsewhere (Datapro Research, 1989a).

Prominent in the market has been host access control software for IBM mainframes, especially IBM's RACF and Computer Associates' ACF2 and Top Secret. This type of add-on software provides (but does not enforce) services, such as user identification, authentication, authorization, and audit trails, that the underlying operating systems lack. It was originally developed in the 1970s and early 1980s, driven by the spread of multiaccess applications (mainframe-based systems were not originally developed with security as a significant consideration). Both IBM and Computer Associates plan to make these products conform to Orange Book B1 criteria. Although IBM intends now to bring its major operating systems up to the B1 level, it is reluctant to undertake development to achieve higher levels of assurance (committee briefing by IBM). Moreover, the market for host access control systems is growing slowly because those who need them generally have them already.¹ One market analyst, Datapro, notes that sales come mostly from organizations required by federal or state regulations to implement security controls (Datapro Research, 1990a).

The most powerful alternatives to add-on software, of course, are systems with security and trust built in. In contrast to the mainframe environment, some vendors have been building more security features directly into midrange and open systems, possibly benefiting from the more rapid growth of this part of the market. Even in the personal computer market, newer operating systems (e.g., OS/2) offer more security than older ones (e.g., MS/DOS).

Multics, the first commercial operating system that was developed (by the Massachusetts Institute of Technology, General Electric, and AT&T Bell Laboratories) with security as a design goal, achieved a B2 rating in 1985. While Multics has a loyal following and is frequently cited as a prime exemplar of system security, its commercial history has not been encouraging. Its pending discontinuation by its vendor (now Bull, previously Honeywell, originally General Electric) apparently reflects a strategic commitment to other operating systems (Datapro Research, 1990b).
The history of Unix illustrates the variability of market forces during the lifetime of a single product. Originally Unix had security facilities superior to those in most commercial systems then in widespread use.² Unix was enthusiastically adopted by the academic computer science community because of its effectiveness for software development. This community, where security consciousness was not widespread, created new capabilities, especially to interface to DARPA-sponsored networking (e.g., remote log-in and remote command execution).³ As Unix spread into the commercial marketplace, the new capabilities were demanded despite the fact that they undermined the ability to run a tight ship from the security standpoint. Subsequently, and largely spurred by the Orange Book, various efforts to strengthen the Unix system have been undertaken (including T-MACH, funded by DARPA; LOCK, funded by the National Security Agency; the IEEE POSIX 1003.6 standards proposal; and various manufacturers' projects). But the corrections will not be total: many customers still choose freedom over safety.

The slow growth of the market for secure software and systems feeds vendor perceptions that its profitability is limited. Both high development costs and a perceived small market have made secure software and system development appear as a significant risk to vendors. Moreover, a vendor that introduces a secure product before its competitors has only a year or two to charge a premium. After that, consumers come to expect that the new attributes will be part of the standard product offering. Thus the pace of change and competition in the overall market for computer technology may be inimical to security, subordinating security-relevant quality to creativity, functionality, and timely releases or upgrades. These other attributes are rewarded in the marketplace and more easily understood by consumers and even software developers.

While the overall market for computer technology is growing and broadening, the tremendous growth in retail distribution, as opposed to custom or low-volume/high-price sales, has helped to distance vendors from consumers and to diminish the voice of the growing body of computer users in vendor decision making. Although vendors have relatively direct communications with large-system customers—customers whom they know by name and with whom they have individualized contracts—they are relatively removed from buyers of personal computer products, who may be customers of a retail outlet rather than of the manufacturer itself. Retail distribution itself may constrain the marketing of security products. Vendors of encryption and access control products have indicated that some retailers may avoid offering security products because "the issue of security dampens enthusiasm," while some of these relatively small vendors avoid retail
distribution because it requires more customer support than they can manage (Datapro Research, 1989a).

Many in the security field attribute the increased availability of more secure systems to government policies stimulating demand for secure systems (see "Federal Government Influence on the Market" below). Those policies have led to a two-tiered market: government agencies, especially those that process classified information, and their vendors, are likely to demand Orange Book-rated trusted systems; other agencies, commercial organizations, and individuals that process sensitive but unclassified information are more likely to use less sophisticated safeguards. This second market tier constitutes the bulk of the market for computer-based systems. The committee believes that, more often than not, consumers do not have enough or good enough safeguards, both because options on the market often appear to be ineffective or too expensive, and because the value of running a safe operation is often not fully appreciated. Since data describing the marketplace are limited and of questionable quality, the committee bases its judgment on members' experiences in major system user and vendor companies and consultancies. This judgment also reflects the committee's recognition that even systems conforming to relatively high Orange Book ratings have limitations, and do not adequately address consumer needs for integrity and availability safeguards.

A SOFT MARKET: CONCERNS OF VENDORS

Vendors argue that a lack of broad-based consumer understanding of security risks and safeguard options results in relatively low levels of demand for computer and communications security. For example, one survey of network users found that only 17 percent of Fortune 1000 sites and 10 percent of other sites used network security systems (Network World, 1990). Thus, although market research may signal high growth rates in certain security markets, the absolute market volume is small. To gain insight into the current market climate for secure products, the committee interviewed several hardware and software vendors.

Vendors find security hard to sell, in part because consumers and vendors have very different perceptions of the security problem.⁴ This situation calls for creative marketing: one vendor stresses functionality in marketing operating system software for single-user systems and security in marketing essentially the same software for multiuser local area networked systems. A commonly reported problem is limited willingness of management to pay for security, although the rise in expectations following publicity over major computer crimes suggests
that at least at the technical level, consumers are ready for more security. From the consumer's perspective, it is easy to buy something that is cheap; buying something expensive requires risk assessment and an investment in persuading management of the need. Vendors observed that they hear about what consumers would like, but they do not hear consumers say that they will not buy products that lack certain security features.

Vendors differ in their attitudes toward the Orange Book as a stimulus to commercial product security. Some indicated that they saw the government as leading the market; others characterized the government as a force that motivates their customers but not them directly. Vendors familiar with the Orange Book find it offers little comfort in marketing. For example, one customer told a sales representative that he did not need the capabilities required by the Orange Book and then proceeded to list, in his own words, requirements for mandatory access control and complete auditing safeguards, which are covered extensively in the Orange Book. Overall, vendors maintained that the Orange Book has had limited appeal outside the government contracting market, in part because it is associated with the military and in part because it adds yet more jargon to an already technically complex subject. This sentiment echoes the findings of another study that gathered inputs from vendors (AFCEA, 1989). Vendors also indicated that marketing a product developed in the Orange Book environment to commercial clients required special tactics, extra work that most have been reluctant to undertake.

Vendors also complained that it is risky to develop products intended for government evaluation (associated with the Orange Book) because the evaluation process itself is expensive for vendors—it takes time and money to supply necessary information—and because of uncertainty that the desired rating will be awarded. Time is a key concern in the relatively fast-paced computer system market, and vendors complain about both the time to complete an evaluation and the timing of the evaluation relative to the product cycle. The vendor's product cycle is driven by many factors—competition, market demands for functionality, development costs, and compatibility and synchrony with other products—of which security is just one more factor, and a factor that is sometimes perceived as having a negative impact on some of the others. While vendors may have a product development-to-release cycle that takes about three to six years, the evaluations have tended to come late in the product cycle, often resulting in the issuing of ratings after a product has been superseded by newer technology.

The time to complete an evaluation has been a function of National
Computer Security Center (NCSC) resources and practice. NCSC's schedule has been driven by its emphasis on security, the perceived needs of its principal clients in the national security community, and the (limited) availability of evaluation staff. By 1990, NCSC was completing evaluations at a rate of about five per year, although the shift from evaluating primarily C-level systems to primarily B-level systems was expected to extend the time required per evaluation (Anthes, 1989d; committee briefing by NSA). The time involved reflects the quality of the evaluation resources: individuals assigned to do evaluations have often had limited, if any, experience in developing or analyzing complex systems, a situation that extends the time needed to complete an evaluation; both vendors and NCSC management have recognized this. Further, as a member of the NCSC staff observed to the committee, "We don't speed things up." As of late October 1990, 1 system had obtained an A1 rating, none had been rated B3, 2 had been rated B2, 3 had been rated B1, 13 had been rated C2, and 1 had been rated C1 (personal communication, NSA, October 26, 1990). Prospects for future evaluations are uncertain, in view of the
recent reorganiz<strong>at</strong>ion of <strong>the</strong> NCSC (see Chapter 7).<br />
Vendors have little <strong>in</strong>centive to produce r<strong>at</strong>able systems when <strong>the</strong> absence<br />
of r<strong>at</strong>ed products has not detectably impaired sales. Customers, even<br />
government agencies th<strong>at</strong> nom<strong>in</strong>ally require r<strong>at</strong>ed products, tend to buy<br />
wh<strong>at</strong>ever is available, functionally desirable, and or comp<strong>at</strong>ible with previously<br />
purchased technology. Customer will<strong>in</strong>gness to buy unr<strong>at</strong>ed products th<strong>at</strong> come<br />
only with vendor claims about <strong>the</strong>ir security properties suggests possibilities for<br />
false advertis<strong>in</strong>g and o<strong>the</strong>r risks to consumers.<br />
Consider <strong>the</strong> multilevel secure d<strong>at</strong>abase management system released by<br />
Sybase <strong>in</strong> February 1990 (Danca, 1990a). The Secure Server, as it is called, was<br />
designed and developed to meet B1-level requirements for mand<strong>at</strong>ory access<br />
control as def<strong>in</strong>ed <strong>in</strong> <strong>the</strong> Orange Book. The development for th<strong>at</strong> product began<br />
<strong>in</strong> 1985, with <strong>the</strong> <strong>in</strong>itial oper<strong>at</strong>ional (Beta) release <strong>in</strong> <strong>the</strong> spr<strong>in</strong>g of 1989. The Air<br />
Force adopted <strong>the</strong> Secure Server <strong>in</strong> its next version of <strong>the</strong> Global Decision<br />
Support System (GDSS), which is used by <strong>the</strong> Military Airlift Command to<br />
monitor and control worldwide airlift capabilities. However, <strong>at</strong> <strong>the</strong> time of its<br />
release, <strong>the</strong> Secure Server had not been evalu<strong>at</strong>ed aga<strong>in</strong>st <strong>the</strong> Orange Book<br />
criteria because <strong>the</strong> relevant criteria, conta<strong>in</strong>ed <strong>in</strong> <strong>the</strong> Trusted D<strong>at</strong>abase<br />
Interpret<strong>at</strong>ion (TDI), were still be<strong>in</strong>g reviewed. Although <strong>the</strong> TDI is expected to<br />
be released <strong>in</strong> l<strong>at</strong>e 1990 or early 1991, it will be <strong>at</strong> least six months (and<br />
probably n<strong>in</strong>e months) before any official op<strong>in</strong>ion is rendered by NCSC. In<br />
short, Sybase will be market<strong>in</strong>g a secure product th<strong>at</strong> took five years to develop<br />
and <strong>the</strong> Air Force will be us<strong>in</strong>g th<strong>at</strong><br />
product for a full year before any evaluation information is released. Both the vendors and consumers have proceeded with some degree of risk.

FEDERAL GOVERNMENT INFLUENCE ON THE MARKET

The federal government has tried to influence commercial-grade computer security through direct procurement, research support, and regulatory requirements placed on the handling of data in the private sector. That influence has been realized both directly through government actions (e.g., procurement and investment in research) and indirectly through regulations and policies that provide incentives or disincentives in the marketplaces.5 The influence of the Orange Book is discussed in Chapters 2 to 5 and in Appendix A. Procurement and strategic research programs are discussed briefly below.

Procurement

The U.S. government has tried to suggest that a strong government and commercial market would exist for security products were such products available (EIA, 1987). Industry is skeptical of such promises, arguing that the government does not follow through in its procurement (AFCEA, 1989), even after sponsoring the development of special projects for military-critical technology. However, one step the government has taken that has apparently stimulated the market is known as "C2 by '92." A directive (NTISSP No. 200, issued on July 15, 1987) of the National Telecommunications and Information Systems Security Committee (NTISSC), the body that develops and issues national system security operating policies, required federal agencies and their contractors to install by 1992 discretionary access control and auditing at the Orange Book C2 level in multiuser computer systems containing classified or unclassified but sensitive information. This directive is widely believed to have stimulated the production of C2-level systems. However, its impact in the future is in question, given the divergence in programs for protecting classified and sensitive but unclassified information that has been reinforced by the Computer Security Act of 1987 and the revision of National Security Decision Directive 145 (see Chapter 7). The Computer Security Act itself has the potential for increasing the demand for trusted systems, but the security assessment and planning process it triggered fell short of expectations (GAO, 1990c).

Concern for security is not a consistent factor in government procurements. A small sample, compiled by the committee, of 30 recent
(1989) requests for proposal (RFPs), 10 of which were issued by DOD organizations and 20 of which were issued by the civil agencies, presents a picture of uneven concern for security: five RFPs had no stated security requirements. Five DOD and eight civil agency RFPs specified adherence to standards defined by the NCSC and the National Institute of Standards and Technology (NIST), although three of the DOD RFPs did not specify an Orange Book level. Two DOD and three civil agency RFPs indicated that unclassified but protectable data would be handled. None of the DOD RFPs specified encryption requirements; three civil agency RFPs required Data Encryption Standard (DES) encryption, and one required NSA-approved encryption technology. Access control features were required by 13 RFPs. Auditing features were required by six.

The procurement process itself provides vehicles for weakening the demand for security. Vendors occasionally challenge (through mechanisms for comment within the procurement process) strong security requirements in RFPs, on the grounds that such requirements limit competition. For example, a C2 requirement for personal computers was dropped from an RFP from the Air Force Computer Acquisition Command (AFCAC) because conforming systems were not available (Poos, 1990). Budgetary pressures may also contribute to weakening security requirements. Such pressures may, for example, result in the inclusion of security technology as a non-evaluated option, rather than as a requirement, leading to a vendor perception that the organization is only paying lip service to the need for security.

Interestingly, DOD itself is exploring novel ways to use the procurement process to stimulate the market beyond the Orange Book and military standards. In 1989 it launched the Protection of Logistics Unclassified/Sensitive Systems (PLUS) program to promote standards for secure data processing and data exchange among DOD and its suppliers. PLUS complements other DOD efforts to automate procurement procedures (e.g., electronic data interchange and Computer-aided Acquisition and Logistics Support (CALS) programs), helping to automate procurement (Kass, 1990). A subsidiary goal of PLUS is cheaper commercial security products (personal communication with PLUS staff).

Strategic Federal Investments in Research and Development

The government, especially through DARPA funding, has contributed to computer technology through large-scale strategic research and development programs that supported the creation or enhancement of facilities such as the (recently decommissioned) Arpanet network
serving researchers, Multics and ADEPT 50 (operating systems with security features), MACH (an extension of the Unix operating system that fully integrates network capabilities and that has been championed by the industry consortium Open Software Foundation), and the Connection Machine (an advanced parallel processor). Each of these projects—which were sponsored by DARPA—has moved the market into areas that are beneficial to both government and commercial computer users. The Arpanet and Multics experiences illustrate how very large scale, multifaceted, systems-oriented projects can catalyze substantial technological advances, expand the level of expertise in the research community, and spin off developments in a number of areas. Scale, complexity, and systems orientation are particularly important for progress in the computer and communications security arena, and the government is the largest supporter of these projects. Historically, security has been a secondary concern in such projects, although it is gaining more attention now. The widespread impact of these projects suggests that similar initiatives emphasizing security could pay off handsomely.

In the security field specifically, projects such as Multics and ADEPT 50 (which provided strong access control mechanisms), LOCK (hardware-based integrity and assurance), SeaView (a secure database management system), TMACH (a trusted or secure version of MACH), and the CCEP (Commercial COMSEC Endorsement Program for commercially produced encryption products) are intended to stimulate the market to develop enhanced security capabilities by reducing some of the development risks. The LOCK program, for example, was designed to make full documentation and background material available to major vendors so that they might profit from the LOCK experience; similar benefits are expected from the TMACH development program.

Another example is NSA's STU-III telephone project, which involved vendors in the design process. Five prospective vendors competed to develop designs; three went on to develop products. The interval from contract award to commercial product was less than three years, although years of research and development were necessary beforehand. The STU-III has decreased the price of secure voice and data communications from over $10,000 per unit to about $2,000 per unit, pleasing both government consumers and the commercial vendors. Moreover, in 1990 the DOD purchased several thousand STU-III terminals for use not only in DOD facilities but also for loan to qualified defense contractors; these firms will receive the majority of the purchased units. This program will help to overcome one obvious disincentive for commercial acquisition: to be of use, not only the party originating a call but also the receiver must have a STU-III.
For national security reasons, programs that are sponsored by NSA confine direct technology transfer to companies with U.S. majority ownership, thereby excluding companies with foreign ownership, control, or influence (FOCI). While the United States has legitimate national interests in maintaining technological advantage, the increasingly international nature of the computer business makes it difficult to even identify what is a U.S. company, much less target incentives (NRC, 1990). Another factor to consider in the realm of strategic research and development is the fact that, consistent with its primary mission, NSA's projects are relatively closed, whereas an agency like DARPA can more aggressively reach out to the computer science and technology community.

The proposed federal high-performance computing program (OSTP, 1989) could provide a vehicle for strategic research investment in system security technology; indeed, security is cited as a consideration in developing the component National Research and Education Network—and security would clearly be important to the success of the network. Agencies involved in generating technology through this program include DOD (with responsibility concentrated in DARPA), the National Science Foundation (NSF), the National Aeronautics and Space Administration (NASA), the Department of Energy (DOE), and NIST. However, funding uncertainty and delays associated with the high-performance computing program suggest both that security aspects could be compromised and that additional but more modest large-scale technology development projects that promote secure system development may be more feasible. Certainly, they would have substantial benefits in terms of advancing and commercializing trust technology. Other government-backed research programs that focus on physical, natural, or biomedical sciences (e.g., the anticipated database for the mapping and sequencing of the human genome, or remote-access earth sciences facilities) also have security considerations that could provide useful testbeds for innovative approaches or demonstrations of known technology.

Export Controls as a Market Inhibitor

Vendors maintain that controls on exports inhibit the development of improved commercial computer and communications security products. Controls on the export of commercial computer security technology raise questions about the kind of technology transfer that should be controlled (and why), whether security technologies aimed at the civilian market should be considered to have military relevance (dual use), whether control should continue under the provisions aimed at
munitions, and o<strong>the</strong>r consider<strong>at</strong>ions th<strong>at</strong> affect how commercial and military<br />
perspectives should be weighed and balanced for <strong>the</strong>se technologies. An<br />
overview of <strong>the</strong> export control process is provided <strong>in</strong> Chapter Appendix 6.1.<br />
The challenge for policymakers is to balance n<strong>at</strong>ional security and economic<br />
security <strong>in</strong>terests <strong>in</strong> draw<strong>in</strong>g <strong>the</strong> l<strong>in</strong>e between technology th<strong>at</strong> should be<br />
controlled, because it compromises n<strong>at</strong>ional security (<strong>in</strong> this case by hamper<strong>in</strong>g<br />
<strong>in</strong>telligence g<strong>at</strong>her<strong>in</strong>g by government entities) and technology th<strong>at</strong> need not be,<br />
and allow<strong>in</strong>g th<strong>at</strong> l<strong>in</strong>e to move over time. 6<br />
The committee considered controls on <strong>the</strong> export of trusted systems and on<br />
<strong>the</strong> export of commercial-grade cryptographic products. The current rules<br />
constraining the export of trusted (and cryptographic) systems were developed at a time when the U.S. position in this area of technology was predominant. As in other areas of technology, that position has changed, and it is time to review the nature of the controls and their application, to assure that whatever controls are in place balance all U.S. interests and thereby support national security in the fullest sense over the long term. The emergence of foreign criteria and evaluation schemes (see "Comparing National Criteria Sets" in Chapter 5) makes reconsideration of export controls on trusted systems especially timely.

Balancing the possible temporary military benefit against the long-run interests of both national security applications and commercial viability, the committee concludes that Orange Book ratings, per se, do not signify military-critical technology, even at the B3 and A1 levels. Of course, specific implementations of B3 and A1 systems may involve technology (e.g., certain forms of encryption) that does raise national security concerns, but such technology is not necessary for achieving those ratings. NSA officials who briefed the committee offered support for that conclusion, which is also supported by the fact that the criteria for achieving Orange Book ratings are published information. The committee urges clarifying just what aspects of a trusted system are to be controlled, independent of Orange Book levels, and targeting more precisely the technology that it is essential to control. It also urges reexamination of controls on implementations of the Data Encryption Standard (DES), which also derive from published information (the standard; NBS, 1977). Issues in both of these areas are discussed below.
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
WHY THE SECURITY MARKET HAS NOT WORKED WELL 154

Technology Transfer: Rationale for Controlling Security Exports

Currently, the military and intelligence communities provide the largest concentration of effort, expertise, and resources allocated to ensuring information security. Devoted to countering threats not likely to be experienced by industry, much of this effort and expertise gives rise to special, often classified, products that are not and should not be commercially available. However, a strong commercial security effort would make it possible for the defense sector to concentrate its development resources on military-critical technology. Then the flow of technology for dual-use systems could be substantially reversed, thus lessening concerns about the export of vital military technology.
Exports of dual-use computer technologies are controlled largely for defensive reasons, since those technologies can be used against U.S. national security—to design, build, or implement weaponry or military operations, for example. Computer security presents offensive and defensive concerns. Adversaries' uses of computer security technologies can hamper U.S. intelligence gathering for national security purposes (OTA, 1987b). As a result, DOD seeks to review sophisticated new technologies and products, to prevent potential adversaries of the United States from acquiring new capabilities, whether or not the DOD itself intends to use them. Another concern is that international availability exposes the technology to broader scrutiny, especially by potential adversaries, and thus increases the possibility of compromise of safeguards.

The need to minimize exposure of critical technology implies that certain military-critical computer security needs will continue to be met through separate rather than dual-use technology (see Appendix E, "High-grade Threats"). As noted in this report's "Overview" (Chapter 1), national security dictates that key insights not be shared openly, even though such secrecy may handicap the development process (see "Programming Methodology," Chapter 4). To maintain superiority, the export of such technology will always be restricted. Thus the discussion in this chapter focuses on dual-use technology.

Export Control of Cryptographic Systems and Components

Historically, because of the importance of encryption to intelligence operations and the importance of secrecy to maintaining the effectiveness of a given encryption scheme, cryptographic algorithms and their implementations could not be exported at all, even to other countries that participate in the Coordinating Committee on Multilateral Export Controls (CoCom).
Restrictions on exports of DES have been contested by industry because of the growing use of DES. The restrictions were recently relaxed somewhat, allowing for export of confidentiality applications under the International Traffic in Arms Regulations (ITAR; Office of the Federal Register, 1990) to financial institutions or U.S.-company subsidiaries overseas. DES may also be exported for data integrity applications (NIST, 1990b). That is, DES may be used to compute integrity checks for information but may not be used to encrypt the information itself. Private (vendor-specific) algorithms are generally approved for export following review by NSA (although that review may result in changes in the algorithm to permit export). The Department of Commerce reviews export licenses for DES and other cryptographic products intended for authentication, access control, protection of proprietary software, and automatic teller devices.

Because of current controls, computer-based products aimed at the commercial market that incorporate encryption capabilities for confidentiality can only be exported for limited specific uses. (Ironically, encryption may even be unavailable as a method to assure safe delivery of other controlled products, including security products.) Affected products include Dbase-IV and other systems (including PC-oriented systems) with message and file security features. However, anecdotal evidence suggests that the regulations may not be applied consistently, making it difficult to assess their impact.

In some cases, the missing or disabled encryption function can be replaced overseas with a local product; indigenous DES implementations are available overseas. The local product may involve a different, locally developed algorithm. It is not clear, however, that modular replacement of encryption units will always be possible. The movement from auxiliary black-box units to integral systems suggests that it will become less feasible, and there is some question about whether modular replacement violates the spirit if not the letter of existing controls, which may discourage some vendors from even attempting this option. Vendors are most troubled by the prospect that the growing integration of encryption into general-purpose computing technology threatens the large export market for computer technology at a time when some 50 percent or more of vendors' revenues may come from overseas.
Much of the debate that led to the relaxation of export restrictions for DES centered on the fact that the design of DES is widely known, having been widely published for many years. Similarly, the RSA public-key algorithm (see "Selected Topics in Computer Security Technology," Appendix B) is well known and is, in fact, not patented outside the United States—because the basic principles were first published in an academic journal (Rivest et al., 1978). Consequently, there are implementations of DES and RSA that have been developed outside the United States and, as such, are not bound by U.S. restrictions.7 However, they may be subject to foreign export control regimes. With U.S. vendors enjoined from selling DES abroad, then foreign consumers and, more importantly, large multinational consumers will simply purchase equivalent systems from foreign manufacturers.
Recognizing the demand for a freely exportable confidentiality algorithm, NIST, in consultation with NSA, has announced plans to develop and certify a new algorithm for protecting sensitive but unclassified information, possibly drawing on a published public-key system. A joint NIST-NSA committee is working to develop a set of four cryptographic algorithms for use in the commercial environment. One algorithm would provide confidentiality and thus is a DES substitute. A public-key distribution algorithm would be used to distribute the keys used by the first algorithm. The last two algorithms would be used to provide digital signatures for messages: one would compute a one-way hash on a message and the other would digitally sign the hash. All of the algorithms would, by design, be exportable, thus addressing a major complaint about DES. However, this process has been delayed, apparently because of NSA's discomfort with NIST's reported preference for using RSA, which it perceives as almost a de facto standard (Zachary, 1990).

The announced development of one or more exportable algorithms has not satisfied vendors, who note that overseas competitors can offer local implementations of DES, which has become widely recognized as a standard. By contrast, the new algorithm, while promised to be at least as good as DES, may be difficult to sell as it will be incompatible with DES implementations in use and may be tainted as U.S.-government-developed. Under the circumstances, if national security objections to free DES export continue, they should at the least be explained to industry. Also, independent expert review of the new algorithm is desirable to elevate confidence to the level that DES has attained. Note that there are other (non-DES) commercially developed encryption algorithms that are licensed for export by the Department of State. The United States is typically involved in their development, and some 98 percent of the products implementing these algorithms are approved for export (committee briefing by NSA).
Export Control of Trusted Systems

Trusted systems that have been evaluated at the Orange Book's levels B3 and above are subject to a case-by-case review, whether or not they incorporate cryptography or other technologies deemed military-critical.8 That is, the government must approve the export of a given system to a given customer for a given application if it is, or could be, rated as B3 or above; products with lower ratings are not regarded as military-critical technology. The same rules extend to documentation and analysis (e.g., for a technical conference or journal) of affected products. An average of 15 such license applications per year (covering five to seven items) have been reviewed over the past three years, and all have been granted.9 About half have involved U.S. vendors providing technical data to their subsidiaries.

In the case of software verification tools, which are used to develop trusted systems, there is the added requirement that informal intergovernmental agreements exist to monitor the tools' installation and operation. This is somewhat less restrictive than the treatment for supercomputers.

Note that in some respects trusted systems technology is very difficult to control because it depends heavily on software, which is relatively easy to copy and transport (NRC, 1988a). As a result, such technology can never be the only line of defense for protection of sensitive information and systems.
The Commercial Imperative

Because of the national security interests that dominate the ITAR, the current export control regime for high-level trusted systems and for most encryption products does not contain mechanisms for addressing vendor concerns about competitiveness. By contrast, commercial competitiveness concerns affect both the evolution of the Control List (CL) and the Commodity Control List (CCL) associated with the Export Administration Regulations (see Chapter Appendix 6.1) and the periodic reviews of dual-use technologies by the United States and other participants in CoCom. Under the terms of the Export Administration Act (50 U.S.C. APP. §§ 2401–2420, as amended), foreign availability may also justify the relaxation of controls for particular products, as it did for AT-class PCs in July 1989. Foreign availability is not, however, a factor in administering controls on military-critical technologies under the ITAR.
The discussions of controls on dual-use technology exports in general draw on a broader range of perspectives than do the discussions of technologies controlled under the ITAR, in part because there is generally no argument over whether a product is a munition or of fundamentally military value. As a result there is at least the potential for a greater balancing of policy interests in the making of control decisions affecting non-ITAR technologies. The complaints from industry surrounding controls on the export of DES and RSA, algorithms for encryption that fall in part under ITAR rules, signal a larger problem developing for exports of security technology. In today's global market for computer technology, commercial product line development, production economics, and competitive strategy lead producers to want to market products worldwide. Major vendors generally have a major share of business (often 50 percent or higher) from outside of the United States.

Industry has four key concerns: First, every sale is important for profitability in a small market, such as the current market for security-rated systems. This means that both actual disapproval of a given sale and the delay and uncertainty associated with the approval process are costly to vendors. (Supercomputers are an extreme case of this problem.) Second, the principal commercial customers today for trusted systems (and commercial-grade encryption) are multinational corporations. This means that if they cannot use a product in all of their locations around the world, they may not buy from a U.S. vendor even for their U.S. sites. Third, U.S. vendors have seen the beginnings of foreign competition in trust technology, competition that is being nurtured by foreign governments that have launched their own criteria and evaluation schemes to stimulate local industry (see "Comparing National Criteria Sets" in Chapter 5). These efforts may alter the terms of competition for U.S. vendors, stimulate new directions in international standards, and affect vendor decisions on where as well as in what to invest. Fourth, as security (and safety) technology becomes increasingly embedded in complex systems, system technology and users will come to depend on trust technology, and it will become more difficult to excise or modify in systems that are exportable. This last problem has been cited by vendors as a source of special concern; a related concern is providing interoperability if different standards are used in different countries or regions.
The real difficulty arises if a vendor considers build<strong>in</strong>g security <strong>in</strong>to a<br />
"ma<strong>in</strong>stream" commercial product. In th<strong>at</strong> event, <strong>the</strong> system's level of security,<br />
r<strong>at</strong>her than its process<strong>in</strong>g power, becomes its dom<strong>in</strong>ant <strong>at</strong>tribute for<br />
determ<strong>in</strong><strong>in</strong>g exportability. A computer system th<strong>at</strong> would export [sic] under a<br />
Commerce Department license with no delay or advance process<strong>in</strong>g would<br />
become subject to <strong>the</strong> full St<strong>at</strong>e Department munitions licens<strong>in</strong>g process. No<br />
vendor will consider subject<strong>in</strong>g a ma<strong>in</strong>stream commercial product to such<br />
restrictions. 10<br />
The push by <strong>in</strong>dustry for expanded export flexibility for security-r<strong>at</strong>ed<br />
systems and low-grade encryption units highlights <strong>the</strong> tension between<br />
government encouragement of the supply of computer security technology, notably through the Orange Book evaluation of commercial products, and potential government restriction of the market for security products through export controls. The presence of an export control review threshold at B3, affecting B3 and A1 systems intended for other CoCom countries, has discouraged the enhancement of systems to these levels, for fear of making products more difficult, if not impossible, to export.
Since other factors, such as high development costs and softness of perceived demand, discourage development of highly rated systems, it is difficult to quantify the disincentive arising from export controls. However, the very real pressure to export DES and RSA does provide evidence of a developing international market for security technology beyond what may currently be exported. Those and similar or successor technologies are not the technologies that are used for defense purposes, and it may be time to endorse a national policy that separates but mutually respects both national security and commercial interests. Those interests may overlap in the long run: as long as policy encourages use of commercial off-the-shelf technology, a strong commercial technology base is essential for feeding military needs. Even specifically military systems profit from commercial experience. And the strength of the commercial technology base today depends on the breadth of the market, which has become thoroughly international.
CONSUMER AWARENESS
Even the best product will not be sold if the consumer does not see a need for it. Consumer awareness and willingness to pay are limited because people simply do not know enough about the likelihood or the consequences of attacks on computer systems or about more benign factors that can result in system failure or compromise.[11] Consumer appreciation of system quality focuses on features that affect normal operations—speed, ease of use, functionality, and so on. This situation feeds a market for inappropriate or incomplete security solutions, such as antiviral software that is effective only against certain viruses but may be believed to provide broader protection, or password identification systems that are easily subverted in ordinary use.[12]
Further militating against consumer interest in newer, technical vulnerabilities and threats is the experience of most organizations with relatively unsophisticated abuses by individuals authorized to access a given system (often insiders), abuses that happen to have involved computers but that need not have. The bread-and-butter work of the corporate computer security investigator is mostly devoted to worrying about such incidents as the following:

1. Two members of management extract valuable proprietary data from a company's computer and attempt to sell the data to a competitor;
2. An employee of company A, working on a contract for company B, uses a computer of company B to send a bomb threat to company C;
3. An employee copies a backup tape containing confidential personnel information, which he then reveals to his friends;
4. An employee uses his access to company billing information on a computer to reduce the bills of certain customers, for which service he collects a fee; and
5. An employee uses company computer facilities to help him arrange illegal narcotics transactions.
All five of the above incidents are typical in a particular sense. In none of them did any single computer action of the perpetrator, as a computer action, extend beyond the person's legitimate authority to access, modify, transmit, and print data. There was no problem of password integrity, for example, or unauthorized access to data, or Trojan horses. Rather, it was the pattern of actions, their intent, and their cumulative effect that constituted the abuse.
The kinds of incidents listed above consume most of the security officer's time and shape his priorities for effective countermeasures. What the corporate computer and communications security specialist is most likely to want, beyond what he typically has, are better tools for monitoring and auditing the effects of collections of actions by authorized users: detailed logs, good monitoring tools, well-designed audit trails, and the easy ability to select and summarize from these in various ways depending on the circumstances he is facing.[13] This history in large measure accounts for the relatively low interest in the commercial sector in many of the security measures discussed in this report. Nevertheless, even attention to administrative and management controls, discussed in Chapter 2, is less than it could or should be.
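The incidents above leave no single out-of-authority action to catch; what the security officer needs is the ability to select and summarize many authorized actions per user. The following is an added example, not code from the report, of that kind of audit-trail summary applied to the billing-adjustment case (incident 4). The log format, user names, account ids, amounts and thresholds are all constructed for illustration:

```python
"""Audit-trail summarizer for actions that are each individually authorized.

Added example, not code from the report. The log format, user names, account
ids and thresholds are constructed. It shows the control the text calls for:
a per-user summary of many actions, here how concentrated one user's billing
adjustments are on a few accounts, rather than a check on any single action.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed audit-trail lines: timestamp user action account amount.
SAMPLE_LOG = """\
1990-03-01T09:12 jdoe   ADJUST_BILL  ACCT-1042  -250.00
1990-03-01T09:40 jdoe   ADJUST_BILL  ACCT-2210   -15.00
1990-03-02T10:05 jdoe   ADJUST_BILL  ACCT-1042  -300.00
1990-03-03T11:30 jdoe   ADJUST_BILL  ACCT-1042  -275.00
1990-03-04T08:55 jdoe   ADJUST_BILL  ACCT-1042  -310.00
1990-03-04T14:20 asmith ADJUST_BILL  ACCT-3300   -20.00
1990-03-05T09:00 asmith ADJUST_BILL  ACCT-4411   -12.50
1990-03-05T16:45 asmith PRINT_REPORT ACCT-4411     0.00
1990-03-06T10:10 jdoe   PRINT_REPORT ACCT-1042     0.00
"""


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    user: str
    action: str
    account: str
    amount: float


def parse_log(text):
    """Parse whitespace-separated audit lines into AuditRecord objects."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        ts, user, action, account, amount = fields
        records.append(AuditRecord(ts, user, action, account, float(amount)))
    return records


def summarize_by_user(records, action="ADJUST_BILL"):
    """Per-user count, total amount and per-account counts for one action type."""
    summary = {}
    for rec in records:
        if rec.action != action:
            continue
        entry = summary.setdefault(
            rec.user, {"count": 0, "total": 0.0, "accounts": Counter()})
        entry["count"] += 1
        entry["total"] += rec.amount
        entry["accounts"][rec.account] += 1
    return summary


def flag_concentrated_adjustments(records, min_count=3, min_share=0.6):
    """Flag users whose adjustments keep landing on the same account.

    A user is flagged when they made at least `min_count` adjustments and the
    most-adjusted account received at least `min_share` of them. Both
    thresholds are assumptions a security officer would tune to circumstances.
    """
    flags = []
    for user, entry in sorted(summarize_by_user(records).items()):
        if entry["count"] < min_count:
            continue
        top_account, top_count = entry["accounts"].most_common(1)[0]
        share = top_count / entry["count"]
        if share >= min_share:
            flags.append({
                "user": user,
                "top_account": top_account,
                "share": round(share, 2),
                "total": round(entry["total"], 2),
            })
    return flags


if __name__ == "__main__":
    for flag in flag_concentrated_adjustments(parse_log(SAMPLE_LOG)):
        print(flag)
```

Every line in the sample is a legitimate action for the user who performed it; only the summary (five adjustments by one user, four of them on one account) is worth an investigator's attention, which is why the thresholds are parameters rather than fixed rules.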
Enhancing security requires changes in attitudes and behavior that are difficult because most people consider computer security to be abstract and concerned with hypothetical rather than likely events. Very few individuals not professionally concerned with security, from top management through the lowest-level employee, have ever been directly involved in or affected by a computer security incident. Such incidents are reported infrequently, and then often in specialized media, and they are comprehensible only in broadest outline. Further, most people have difficulty relating to the intricacies of malicious computer actions. Yet it is understood that installing computer security safeguards has negative aspects such as added cost, diminished performance (e.g., slower response times), inconvenience in use, and the awkwardness of monitoring and enforcement, not to mention objections from the work force to any of the above. The Internet worm experience showed that even individuals and organizations that understand the threats may not act to protect against them.
The sensational treatment of computer crimes in the press and in movies about computer hijacks may obscure the growing role of computer technology in accomplishing more traditional and familiar crimes (e.g., fraud and embezzlement). In the public's eye, computer crimes are perpetrated by overzealous whiz-kids or spies, not disgruntled employees or professional criminals; prosecutors also complain that the media portray perpetrators as smarter than investigators and prosecutors (comments of federal prosecutor William Cook at the 1989 National Computer Security Conference). Public skepticism may be reinforced when, as in the case of recent investigations of the Legion of Doom and other alleged system abusers (Shatz, 1990), questions are raised about violation of First Amendment rights and the propriety of search and seizure techniques—issues of longstanding popular concern.[14]
Inevitably, resources are invested in safeguards only when there is a net payoff as measured against goals of the organization—whether such goals are chosen or imposed. It is notable that the banking industry's protection of computer and communications systems was stimulated by law and regulation. In the communications industry, lost revenues (e.g., through piracy of services) have been a major spur to tightening security.
Insurance as a Market Lever
Insurance can offset the financial costs of a computer-related mishap. The development of the commercial market for computer insurance (described in Chapter Appendix 6.2) provides a window into the problems of achieving greater awareness and market response.[15]
The market for insurance against computer problems has grown slowly. Insurance industry representatives attribute the slow growth to low levels of awareness and concern on the part of organizations and individuals, plus uneven appreciation of the issues within the insurance industry, where underwriters and investigators may not fully understand the nature of the technology and its implications as used.[16] Insurance industry representatives also point to the reluctance of victims of computer mishaps to make their experiences public, even at the expense of not collecting on insurance.
The process of determining whether coverage will be provided involves assessing the controls provided by a prospect. Somewhat like auditors, underwriters and carriers evaluate security-related safeguards in place by focusing on physical and operational elements. There is a concern for the whole control environment, including directly relevant controls and controls for other risks, which may indicate how well new risks may be controlled.
To the extent that premiums reflect preventive measures by an organization (e.g., off-site periodic backup copies of data, high-quality door locks, 24-hour guard coverage, and sprinkler or other fire control systems), insurance is a financial lever to encourage sound security, just as the Foreign Corrupt Practices Act (P.L. 95-215) and a variety of accounting principles and standards have encouraged stronger management controls in general (and, in some instances, stronger information security in particular (Snyders, 1983)).
Education and Incident Tracking for Security Awareness
If some of the problems in the secure system marketplace are due to lack of awareness among consumers, options for raising consumer awareness of threats, vulnerabilities, and safeguards are obviously attractive. Two options are raised here as concepts—education and incident reporting and tracking. The committee's recommendation that incident tracking be undertaken by a new organization is discussed in Chapter 7.
Education
Society has often regulated itself by promoting certain behaviors, for example, taking care of library books. Societal care-taking norms must now be extended to information in electronic form and associated systems. The committee believes that elements of responsible use should be taught along with the basics of how to use computer and communication systems, much as people learn how to be responsible users of libraries. Building concern about security and responsible use into computing and general curricula (where computers are used) may be more constructive in the long run than focusing efforts on separate and isolated ethics units. This is not to discourage the many recent efforts among computer-related professional societies, schools, and companies to strengthen and discuss codes of ethics.[17] However, today much of the security training is funded by commercial companies and their employee students; that training, in turn, is focused on security officers and not end users. The committee underscores that the process becomes one to persuade, lead, and educate, and when possible, to make the unacceptability of not protecting computer systems outweigh the cost of taking appropriate action.
Incident Reporting and Tracking
More extensive and systematic reporting and tracking of security and other system problems could help to persuade decisionmakers of their value and policymakers of related risks. For example, investigation and prosecution of computer crimes have proceeded slowly because of the uneven understanding within the legal community of the criminal potential as well as the relatively high costs involved in computer crimes (Conly, 1989; U.S. DOJ, 1989). At this time there is little statistical or organized knowledge about vulnerabilities, threats, risks, and failures. (Neumann and Parker (1989) represent one attempt to characterize vulnerabilities.) What is known about security breaches is largely anecdotal, as many security events happen off the record; one source of such information within the computer science and engineering community is the electronic forum or digest known as RISKS.[18] Estimates of aggregate losses vary widely, ranging from millions to billions of dollars, and estimates cited frequently in news reports are challenged by prosecutors (comments of federal prosecutor William Cook at the 1989 National Computer Security Conference). The European Community has begun to develop computer incident tracking capabilities; the British and the French both have new programs (Prefontaine, 1990). A reliable body of information could be used to make the public and the government more aware of the risks.
A means is needed for gathering information about incidents, vulnerabilities, and so forth in a controlled manner, whereby information would actually be available to those who need it—vendors, users, investigators, prosecutors, and researchers. There are a number of implementation issues that would have to be addressed, such as provision for a need-to-know compartment for unclassified information that is considered sensitive because of the potential implications of its widespread dissemination. It would also be necessary to couple reports with the caveat that yesterday's mode of attack may not necessarily be tomorrow's. The incident-reporting system associated with the National Transportation Safety Board illustrates one approach to data collection (although the handling, storage, and retrieval of the data are likely to be different—computer incident data are much more likely than transportation data to be exploited for copy-cat or derivative attacks).
Given the volume of transactions and activity that has occurred in the information systems of the private sector and occurs there each day, and given the decade or so during which numerous computer mishaps, intentional and accidental, have been documented and recorded, the validated evidence that has been accumulated remains minuscule by comparison to that of criminal incidents or accidents in other areas of business risk, for example, fire, embezzlement, and theft. This situation may reflect a relatively low incidence of problems to date, but there is strong evidence that available information is significantly underreported.[19] The effort begun by the DARPA Computer Emergency Response Team to develop a mechanism to track the emergency incidents to which it responds, and related plans at NIST, are a step in the right direction that could provide the impetus for a more comprehensive effort.[20] Such an effort is discussed in Chapter 7.
Technical Tools to Compensate for Limited Consumer Awareness
Limited awareness of security needs or hazards can be offset <strong>in</strong> part by<br />
technical tools. Properly designed technical solutions may serve to re<strong>in</strong>force<br />
safe behavior <strong>in</strong> a nonthre<strong>at</strong>en<strong>in</strong>g way, with little or no <strong>in</strong>fr<strong>in</strong>gement of personal<br />
privacy or convenience. Impersonal, even-handed technical solutions may well<br />
be better received than nontechnical adm<strong>in</strong>istr<strong>at</strong>ive enforcement. The key is to<br />
build <strong>in</strong> protections th<strong>at</strong> preserve an organiz<strong>at</strong>ion's assets with <strong>the</strong> m<strong>in</strong>imum<br />
possible <strong>in</strong>fr<strong>in</strong>gement on personal privacy, convenience, and ease of use. As an<br />
explicit example, consider <strong>the</strong> ubiquitous password as a personal-identific<strong>at</strong>ion<br />
safeguard. In response to compla<strong>in</strong>ts about forgett<strong>in</strong>g passwords and about<br />
requirements to change <strong>the</strong>m periodically, autom<strong>at</strong>ed on-l<strong>in</strong>e prompt<strong>in</strong>g<br />
procedures can be <strong>in</strong>troduced; a question-and-response process can be<br />
autom<strong>at</strong>ically triggered by elapsed calendar time s<strong>in</strong>ce <strong>the</strong> last password<br />
change, and autom<strong>at</strong>ed screen<strong>in</strong>g can be provided to deter a user from select<strong>in</strong>g<br />
an ill-conceived choice. Concerted vendor action, perhaps aided by trade<br />
associ<strong>at</strong>ions, and consumer demand may be needed to get such tools offered<br />
and supported rout<strong>in</strong>ely by vendors.<br />
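The two tools this paragraph names, an age-triggered change prompt and an automated screen against ill-conceived choices, written out in Python as an added example that is not part of the report; the policy numbers, the word list and the individual screening rules are assumptions chosen for illustration.

```python
"""Added illustration (not code from the report): an age-triggered password
change prompt and an automated screen against ill-conceived choices."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed sample word list; a deployment would load a far larger one
# (common passwords, product and company names, local slang).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "secret", "admin"}

# Keyboard rows, used to spot "asdfgh"-style runs in either direction.
_KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Folds common substitutions back to letters so "P@ssw0rd" still matches "password".
_FOLD = str.maketrans("@$!013|", "asiolel")


@dataclass(frozen=True)
class AgePolicy:
    """Assumed policy numbers; the report names no specific values."""
    max_age_days: int = 90   # a change is required once this age is reached
    warn_days: int = 14      # prompting begins this many days before that


def change_status(last_change: date, today: date,
                  policy: AgePolicy = AgePolicy()) -> str:
    """Classify the password by elapsed calendar time since it was last changed.

    Returns "ok", "warn" (start the question-and-response prompt) or
    "expired" (require a change now). The caller drives its dialogue from this.
    """
    age_days = (today - last_change).days
    if age_days >= policy.max_age_days:
        return "expired"
    if age_days >= policy.max_age_days - policy.warn_days:
        return "warn"
    return "ok"


def _fold(text: str) -> str:
    return text.lower().translate(_FOLD)


def _stem(password: str) -> str:
    """Password with trailing digits removed and substitutions folded, so
    'Summer2023' and 'Summer2024' share the stem 'summer'."""
    return _fold(password.rstrip("0123456789"))


def _has_keyboard_run(text: str, length: int = 4) -> bool:
    low = text.lower()
    for row in _KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seg = row[i:i + length]
            if seg in low or seg[::-1] in low:
                return True
    return False


def screen_password(candidate: str, username: str,
                    previous: str | None = None,
                    min_length: int = 12) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list
    means it passed. Reasons rather than a bare bool let the prompt explain
    itself, which keeps the screen helpful instead of merely obstructive."""
    reasons: list[str] = []
    folded = _fold(candidate)
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(set(candidate)) < 5:
        reasons.append("fewer than 5 distinct characters")
    if username and username.lower() in folded:
        reasons.append("contains the user name")
    hit = next((w for w in sorted(COMMON_WORDS) if w in folded), None)
    if hit is not None:
        reasons.append(f"contains common word '{hit}'")
    if _has_keyboard_run(candidate):
        reasons.append("contains a keyboard-row run")
    if previous is not None:
        if candidate == previous:
            reasons.append("same as the previous password")
        elif _stem(previous) and _stem(candidate) == _stem(previous):
            reasons.append("trivial variation of the previous password")
    return reasons


if __name__ == "__main__":
    print(change_status(date(2024, 1, 1), date(2024, 3, 25)))  # warn
    print(screen_password("Summer2024", "bob", previous="Summer2023"))
```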
Some issues pertaining to the proper use of such automated tools call for sensitivity and informed decision making by management. One concern is the potential for loss of community responsibility. Individual users no longer have the motivation, nor in many cases even the capability, to monitor the state of their system. Just as depersonalized "renewed" cities of high-rises and doormen sacrifice the safety provided by observant neighbors in earlier, apparently chaotic, gossip-ridden, ethnic neighborhoods (Jacobs, 1972), so a system that relies on carefully administered access controls and firewalls sacrifices the social pressure and community alertness that prevented severe malfeasance in older nonsecure systems. A perpetrator in a tightly controlled system knows better who to look out for than one in an open system. Furthermore, a tightly controlled system discourages,
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
WHY THE SECURITY MARKET HAS NOT WORKED WELL 165
even punishes, the simple curiosity of ordinary users that can spot unusual acts. Wise management will avoid partitioning the community too finely lest the human component, on which all security ultimately rests, be lost. Simply put, technological tools are necessary but should not be overused.
REGULATION AS A MARKET INFLUENCE: PRODUCT QUALITY AND LIABILITY

Regulation is a policy tool that can compensate for consumer inability to understand a complex product on which much may depend. Relatively little about computer systems is now regulated, aside from physical aspects of hardware. 21 Although software is a principal determinant of the trustworthiness of computer systems, software has generally not been subject to regulation. However, regulations such as those governing export of technology, the development of safety-critical systems (recently introduced in the United Kingdom), or the privacy of records about persons (as implemented in Scandinavia) do have an immediate bearing on computer security and assurance. The issue of privacy protection through regulation is discussed in Chapter 2, Appendix 2.1.

Like other industries, the computer industry is uncomfortable with regulation. Industry argues that regulations can discourage production, in part by making it more costly and financially risky. This is one of the criticisms directed against export controls. However, regulation can also open up markets, when market forces do not produce socially desirable outcomes, by requiring all manufacturers to provide capabilities that would otherwise be too risky for individual vendors to introduce. Vendors have often been put on an equal footing via regulation when public safety has been an issue (e.g., in the environmental, food, drug, and transportation arenas). In the market for trusted systems, the Orange Book and associated evaluations, playing the role of standards and certification, have helped to do the same—unfortunately, that market remains both small and uncertain. 22 As suggested above in "A Soft Market," individual vendors find adding trust technology into their systems financially risky because consumers are unable to evaluate security and trust and are therefore unwilling to pay for these qualities. 23

Although in the United States regulation is currently a policy option of last resort, growing recognition of the security and safety ramifications of computer systems will focus attention on the question of whether regulation of computer and communications software and system developers is needed or appropriate, at least in specific situations
(for example, where lives are at risk). The issue has already been broached in a recent congressional committee report (Paul, 1989). Although full treatment of that question is outside the scope of this report, the committee felt it necessary to lay out some of the relevant issues as a reminder that sometimes last resorts are used, and to provide reinforcement for its belief that some incentives for making GSSP truly generally accepted would be of value.

Product Quality Regulations

System manufacturers generally have much greater technical expertise than system owners, who in acquiring and using a system must rely on the superior technical skill of the system vendor. The same observation, of course, applies to many regulated products on which the public depends, such as automobiles, pharmaceuticals, and transportation carriers. Similar motivations lie behind a variety of standards and certification programs, which may be either mandatory (effectively regulations) or voluntary (FTC, 1983). Whereas failure of an automobile can have severe, but localized, consequences, failure of an information system can adversely affect many users simultaneously—plus other individuals who may, for example, be connected to a given system or about whom information may be stored on a given system—and can even prevent efficient functioning of major societal institutions. This problem of interdependence was a concern in recent GAO inquiries into the security of government and financial systems (GAO, 1989e, 1990a,b). The widespread havoc that various computer viruses have wreaked amply demonstrates the damage that can occur when a weak spot in a single type of system is exploited. The accidental failure of an AT&T switching system, which blocked an estimated 40 million telephone calls over a nine-hour period on January 15, 1990, also illustrates the kind of disruption that is possible even under conditions of rigorous software and system testing. The public exposure and mutual interdependence of networked computer systems make trustworthiness as important for such systems as it is for systems where lives or large amounts of money are at stake, as in transportation or banking. Indeed, in settings as diverse as the testing of pharmaceuticals, the design of automobiles, or the creation of spreadsheet programs, results from programs and computers that are not directly involved in critical applications ultimately wind up in just such applications.

Goods and services that impinge on public health and safety have historically been regulated. Moreover, the direct risk to human life is a stronger and historically more successful motivation for regulation
than the risk to economic well-being, except in the case of a few key industries (e.g., banks and insurance carriers). This situation suggests that regulation of safety aspects of computers, a process that has begun in the United Kingdom (U.K. Ministry of Defence, 1989a,b), has the best chance for success, especially with safety-critical industries such as medical devices and health care, or even transportation. It also suggests that the case for security-related regulation will be strongest where there are the greatest tie-ins to safety or other critical impacts. Thus computer systems used in applications for which some form of regulation may be warranted may themselves be subject to regulation, because of the nature of the application. This is the thinking behind, for example, the Food and Drug Administration's efforts to look at computer systems embedded in medical instruments and processes (Peterson, 1988). Note, however, that it is not always possible to tell when a general-purpose system may be used in a safety-critical application. Thus standardized ratings have been used in other settings. 24

Product Liability as a Market Influence

In addition to being directly regulated, the quality of software and systems and, in particular, their security and safety aspects, may be regulated implicitly if courts find vendors legally liable for safety- or security-relevant flaws. Those flaws could be a result of negligence or of misrepresentation; the law involved might involve contracts, torts, or consumer protection (e.g., warranties). At present, there is some indication from case law that vendors are more likely now than previously to be found liable for software or system flaws, and some legal analysts expect that trend to grow stronger (Agranoff, 1989; Nycum, 1989; Boss and Woodward, 1988). The committee applauds that trend, because it believes that security and trust have been overlooked or ignored in system development more often than not. Further, the committee believes that a recognized standard for system design and development, which could consist of GSSP, can provide a yardstick against which liability can be assessed. 25

Depending exclusively on legal liability as a mechanism to stimulate improvements in quality could backfire: it could inhibit innovation because of fears linking legal risks and the development of new products. GSSP could help allay such fears and curb capricious litigation by clarifying general expectations about what constitutes responsible design and development.

Software plays a critical role in assuring the trustworthiness of computer and communications systems. However, the risk that software may not function properly is borne largely by the consumer, especially
for off-the-shelf software, which is typically obtained under licenses laden with disclaimers. Off-the-shelf applications programs and even operating systems are typically acquired by license with limited rights, under the terms specified by the manufacturer, as opposed to direct sale (which would imply that the vendor forfeits control over the terms and conditions of its use) (Davis, 1985). The purchaser typically has no bargaining power with respect to the terms and conditions of the license. 26 PC-based software licenses present the extreme case, since they are often sealed under shrink-wrap packaging whose opening signifies acceptance of the license. Typically, such licenses limit liability for damages to replacement of defective media or documentation, repair of substantial program errors, or refund of the license fee. From the vendor's perspective, this is not surprising: the revenue from an individual "sale" of PC software is very small, in the tens or hundreds of dollars; from the consumer's perspective, the absence of additional protections contributes to relatively low prices for packaged software. By contrast, customized applications systems, which may well be purchased rather than licensed, are developed in response to the specifically stated requirements of the client. The terms and conditions are those negotiated between the parties, the buyer has some real bargaining power, and the contract will reflect the intent and objectives of both parties.

Some consumer protection may come from the Uniform Commercial Code (UCC). Consumer protection may also come from the Magnuson-Moss Warranty Act (15 USC § 2301 et seq. (1982)), which provides standards for full warranties, permits limited warranties, and requires that warranties be expressed in understandable language and be available at the point of sale.

The UCC is a uniform law, drafted by the National Conference of Commissioners on Uniform State Laws and adopted as law by 49 states, that governs commercial transactions, including the sale of goods. While there is no law requiring express warranties in software licenses, the UCC addresses what constitutes an express warranty where provided, how it is to be enforced, and how to disclaim implied warranties. 27 The acquisition of a good by license is a "transaction" in goods and is generally covered by Article 2 of the UCC, although some provisions of the code refer specifically to "sale" and may not be applicable to licensed goods. The National Conference of Commissioners is expected to clarify the issue of whether software is a "good" (and therefore covered by the UCC) by including software within the definition of a "good." In any case, the state courts are quite familiar with the UCC and tend to apply its principles to software
license transactions. Note that a proposed extension to the UCC, Section 4A, would impose liability on banks for errors in electronic funds transfers under certain conditions. This provision is already seen as motivating greater wire transfer network security among banks (Datapro Research, 1989b).

The UCC provides a number of protections for the buyer of goods. In every sale of a product by a seller that deals in goods of the kind sold, there is an implied warranty that the product is merchantable. The usual test for merchantability is whether the product is fit for the ordinary purposes for which such products are used. The buyer can recover damages whether or not the seller knew of a defect, or whether or not the seller could have discovered such a defect. The UCC also provides an implied warranty of fitness for a particular purpose. This warranty provides damages where any seller, whether a dealer in goods of the kind sold or not, has any reason to know the specific use to which the product will be put, and knows that the buyer is relying on the seller's superior expertise to select a suitable product. These warranties may be, and almost always are, disclaimed as part of PC software shrink-wrap licenses, often by conspicuously including such words as "as is" or "with all faults."

The UCC does permit the vendor to limit or exclude consequential and incidental damages, unless such limitation is unconscionable (e.g., because it is overly one-sided). Consequential damages are compensation for an injury that does not flow immediately and directly from the action, but only from the consequences or results of the action. For example, damages from a computer break-in that exploited a flawed password mechanism would be deemed consequential to the extent that the supplier of the password mechanism was held responsible. Recovery from suppliers can take other less far-reaching (and more plausible) forms, such as incidental damages. Incidental damages include commercially reasonable charges incurred incident to a breach, such as costs incurred to mitigate the damage.

While disclaimers and standard-form contracts or licenses are legal and help to keep prices down, as applied to software they raise questions about whether consumers understand what is happening and what popular licensing practices may mean. These questions were noted in a recent review of computer contract cases:

Since purchasers generally base their selection of equipment and software on the sellers' representations as to the technical performance capabilities and reliability of equipment, the buyers often ignore the generally broad disclaimers of express and implied warranties in standard vendor contracts. When they become disappointed and discover that disclaimers foreclose their contract remedies, they turn to the law of misrepresentation for relief.
Misrepresentation cases will continue to proliferate until the industry more closely aligns its express warranties with the reasonable expectations of its customers, who assume that the hardware and software they buy will perform as described by the sellers' representatives who sold them the product. (Boss and Woodward, 1988, p. 1533)

The vulnerability of consumers and the mismatch of expectations even where individualized contracts are involved have been underscored by a few recent incidents involving vendor disabling of installed software in the course of disputes with customers. 28

Software and Systems Present Special Problems

It is clear from the foregoing discussion that a buyer of off-the-shelf software has extremely limited recourse should the licensed software not perform as expected. The major motivation for the vendor to produce trustworthy software is the desire to remain competitive. In the process, however, features for which customer demand is not high may receive inadequate attention. For example, restraints to protect passengers and emission controls to protect the public at large are now universally installed in automobiles because they have been mandated by government action. Although public interest groups helped spur government action, few individual consumers demanded these features, perhaps because of the increased cost or the perception of reduced performance or the inability of an individual to bargain for them effectively. Yet few would argue that these impositions are not in the public interest; what does stimulate argument is the stringency of the safeguard required.

Unsafe or nonsecure software poses analogous risks to users and to others exposed to it (see Chapter 2's "Risks and Vulnerabilities"). More trustworthy software may, like safer and cleaner automobiles, carry a higher product price tag and may also suffer from a perception of reduced performance. In the absence of general consumer demand for more trustworthy software, should manufacturers of off-the-shelf software be subjected to governmental action? In particular, should the government act to reduce a software vendor's ability to disclaim warranties and to limit damages?

The software industry and software itself exhibit some characteristics that limit the scope for governmental action. On the one hand, complex software will inevitably contain errors; no human being can guarantee that it will be free of errors. Imposition of strict liability (without a finding of malice or negligence) for any error would clearly not be equitable, since the exercise of even an exceptionally high degree of care in software production would not guarantee an error-free product.
On the other hand, tools and testing methods to reduce the probability of errors are available. Systematic use of such tools and methods prior to software release reduces the frequency and severity of errors in the fielded product. The committee believes that these tools and methods are not now in wide use either because they are not well known (e.g., the forefront technology of automated protocol analysis, which can dramatically shorten the development cycle) or because, given the evolution of products and practices in the industry, they appear to have been ignored by vendors (e.g., as has been the case for strongly type-checked link editors).

Of course, licensees must accept many risks in using software. Users must train themselves sufficiently in the proper operation of a computer system and software before relying on them. A software vendor should not be held liable for damage caused by users' gross ignorance. 29 At the same time, the software vendor must bear a degree of responsibility in helping to properly train the user through adequate and clear documentation describing proper use of the product, and its limitations, including their bearing on security and safety. The superior knowledge and skill of the software vendor itself should impose a duty of care on that vendor toward the unskilled licensee, who in purchasing the product must rely on the vendor's representations, skill, and knowledge. 30 At the same time, any imposition of liability on the vendor must imply a concomitant imposition of responsibility on the user to make a reasonable effort to learn how to use the software properly.

Perhaps the most compelling argument against increasing product liability for software and systems vendors is the potential for adverse impacts on the dynamic software industry, where products come quickly to the market and advances are continually made—both of which are major consumer benefits. Innovation is frequently supported by venture capital, and imposition of heavy warranty liability can chill the flow of capital and restrict the introduction of new products or the proliferation of new ventures. Even when raising capital is not an issue, risk aversion itself can discourage innovation. In either case, the increased business risk to the vendor is reflected in higher product prices to the consumer, which in turn may mean that fewer consumers benefit from a given piece of software.
Toward Equitable Allocation of Liability

The possible adverse consequences of holding software and system vendors to a higher standard of care must be carefully weighed against the potential benefits. As more powerful and more highly interconnected systems become more widespread, there will be increasing concern that the current allocation of the risk of software failure is too one-sided for an information society, at least for off-the-shelf software. The industry is sufficiently mature and verification tools and methodologies are sufficiently well understood today that total insulation of the industry from the consequences of software failure can no longer be justified. Operating system software and the major off-the-shelf applications software packages are produced by companies with a business base substantial enough to support quality assurance programs that would yield safer and more secure software; such programs could also reduce any liability risk to manageable proportions.
As it is, vendors have already begun programs to make sure that their own development and production efforts are free of contamination from viruses. IBM, for example, set up its High-Integrity Computing Laboratory for this purpose (Smith, 1989; committee briefing by IBM), and ADAPSO, a trade association, has been promoting such efforts for its constituent software and services companies (Landry, 1990). Similarly, vendors do, to varying degrees, notify users of security-related flaws. For example, Sun Microsystems recently announced the Customer Warning System for handling security incidents 31 (Ulbrich and Collins, 1990).

Shifting more (not all) risk to the vendors would result in greater care being taken in the production and testing of software. The British move to require greater testing of safety-relevant software illustrates that these concerns are not just local, but are in fact relevant to a worldwide marketplace. The resulting increased use of verification techniques would not only improve the level of software trustworthiness in the most general sense, but would also necessarily improve the level of trust in the specific information security context. (See Chapter 4's "Relating Specifications to Programs" and "Formal Specification and Verification.")

The national interest in the trustworthiness of software is sufficiently strong that Congress should review this question to determine (1) whether federal law is required (or whether state efforts are adequate) and (2) to what extent risks that can be averted through safer software should be shifted from user to vendor. Equitable risk allocation, which reasonably balances vendor and user interests, is achievable and will advance the national interest.
The development of GSSP, as recommended in Chapters 1 and 2, would provide a positive force to balance and complement the negative force of product liability. GSSP would provide a clear foundation of expectation that customers may count on as standards of performance and vendors may regard as standards of adequacy, against which legal claims could be judged. Interestingly, a similar notion was expressed by insurance industry representatives interviewed for this study, who suggested that some form of standard that could be harmonized with accounting standards would be a potent mechanism to improve security controls in the business community. Their rationale was that such standards would raise the profile of the issue with corporate directors and officers, who are liable to owners (stockholders, partners, and so on). 32

The committee recognizes that security is not the only property involved in the issue of product liability; safety is obviously another such property. However, as security is a subliminal property of software, it is here that the gap between unspoken customer expectations and unarticulated vendor intentions looms largest. Advances in articulating GSSP would go far toward clarifying the entire field. Both customers and vendors stand to gain.
APPENDIX 6.1—EXPORT CONTROL PROCESS

National security export controls (hereafter, "export controls") limit access in other countries to technologies and products that could be valuable for military purposes. The control process, which varies by type of product, involves a list of controlled items and an administrative structure for enforcing controls on the export of listed items. Controlled exports do not mean no exports. Rather, these exports are controlled in terms of destination and, in some cases, volume or end use, with restrictions specified as part of the export license. It should be noted that even the tightest export controls do not totally block access to protected technology.

Four organizations have been the principal influences on the export control policy and process of the United States, namely the Coordinating Committee for Multilateral Export Control (CoCom), in which the United States participates, and the U.S. Departments of State, Commerce, and Defense. Each of these organizations has its own policies and jurisdictions for export control, but all the organizations interact heavily with regard to common pursuits (NAS, 1987).

CoCom, a multilateral effort to curb the flow of technology from the West to the Soviet Union and what have been its allies in the East Bloc, has included representatives from Japan, Australia, and all NATO countries except Iceland. Products controlled by CoCom are listed on the Industrial List (IL). The Department of State administers the International Traffic in Arms Regulations (ITAR; 22 CFR, Parts 120–130) through its Center for Defense Trade (formerly the Office of Munitions Control) in consultation with the Department of Defense. That office maintains the U.S. Munitions Control List, which includes technologies and products representing an obvious military threat, such as weaponry. Finally, the Department of Commerce administers the Export Administration Regulations (EAR; CFR Parts 368–399), in consultation with the Department of Defense. Commerce maintains the Control List (CL), which has classified elements, and the Commodity Control List (CCL), which is not classified. Both of these lists contain dual-use technologies and products, which have both military and civilian/commercial value, and military-critical technologies that may be treated specially.
Recent developments in Eastern Europe have placed pressure on CoCom as an institution and on the United States, which is generally more conservative than other CoCom nations about controlling exports of dual-use technology. Even the topic of trade with other CoCom countries has stirred substantial debate within the U.S. government, some centering on how products are labeled (the most publicized controversy pertains to defining what is a supercomputer) and where they are listed, and much on whether a product should be listed at all.

Exports of general- and special-purpose computer systems are controlled if the systems offer one or more of three qualities: high performance (potentially useful in such strategic applications as nuclear bomb development or war gaming), specific military-critical functionality (e.g., radiation hardening and ruggedness or applications like on-board fire control), or the capability to produce high-performance or military-critical computer systems (e.g., sophisticated computer-aided design and manufacturing systems). Exports of supercomputers to countries other than Canada and Japan are subject to case-by-case review, which can take months, and require special conditions associated with the sale, installation, and operation of the supercomputer, so-called supercomputer safeguard plans.

APPENDIX 6.2—INSURANCE

Insurance is a means for sharing a risk. The insured pays the insurer (up front, through a premium, and/or when receiving reimbursement, through a deductible or other copayment) to share his risks; if an adverse event takes place, the insurance policy provides for payment to compensate for the damage or loss incurred. The business community already buys insurance for risks ranging from fire to theft as well as for protection against employee dishonesty (bonding).

To be insurable requires the following:

• A volume base for risk spreading (insurance on communication satellites has a very small volume, something that contributes to its cost);
• An establishable proof of loss;
• A quantifiable loss (e.g., the value of mailing lists and research data cannot be consistently and objectively quantified, according to insurance representatives);
• An ability to tie a loss to a time frame of occurrence;
• An ability to credit responsibility for the loss; and
• A knowable loss base.

With these elements, a purchaser of insurance can effectively transfer risk to a carrier and prove a loss. Risks that do not satisfy these elements include inherent business risks.
Another factor to consider is the nature of the consequences, which influences the liability base: a computer-aided manufacturing program controlling a robot may put lives at risk, whereas a number-crunching general ledger program will not.

The earliest insurance offerings covering computer environments were directed at third-party providers of computer services (e.g., service bureaus) concerned about direct and contingent liability associated with losses to their customers. Also leading the computer insurance market were banks—driven by state and federal auditors' concerns—and electronic funds transfer (EFT) systems, ranging from those established by the Federal Reserve (e.g., Fedwire) to the automated clearinghouses, for which there was legislative impetus behind the establishment and use of insurance coverage. This governmental urging of provisions for insurance against computer system risks was initially resisted by the insurance industry, which claimed not to understand the risks.

Insurance for banks and other financial services institutions is relatively well developed, reflecting the size of the potential loss, the ease with which the risk can be underwritten, and regulations requiring such protection. Much computer-related insurance for the banking industry, for example, builds on a historic base in bonds that protect against employee dishonesty, since most crimes against banks are perpetrated on the inside or with insider participation.

Outside of financial services, the insurance picture is mixed and less mature. There is some coverage against computer system mishaps available through employee bonding and property and casualty coverage. It is easiest to insure the tangible elements of a computer system. By contrast, coverage may be available for restoring a database, but not for reconstructing it from scratch. Another basis for insurance is found in business interruption coverage. Thus recovery of costs for system downtime is available. A new development in the
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
<strong>Computers</strong> <strong>at</strong> <strong>Risk</strong>: <strong>Safe</strong> <strong>Comput<strong>in</strong>g</strong> <strong>in</strong> <strong>the</strong> Inform<strong>at</strong>ion <strong>Age</strong><br />
http://www.nap.edu/c<strong>at</strong>alog/1581.html<br />
About this PDF file: This new digital represent<strong>at</strong>ion of <strong>the</strong> orig<strong>in</strong>al work has been recomposed from XML files cre<strong>at</strong>ed from <strong>the</strong> orig<strong>in</strong>al paper book, not from <strong>the</strong><br />
orig<strong>in</strong>al typesett<strong>in</strong>g files. Page breaks are true to <strong>the</strong> orig<strong>in</strong>al; l<strong>in</strong>e lengths, word breaks, head<strong>in</strong>g styles, and o<strong>the</strong>r typesett<strong>in</strong>g-specific form<strong>at</strong>t<strong>in</strong>g, however, cannot be<br />
reta<strong>in</strong>ed, and some typographic errors may have been accidentally <strong>in</strong>serted. Please use <strong>the</strong> pr<strong>in</strong>t version of this public<strong>at</strong>ion as <strong>the</strong> authorit<strong>at</strong>ive version for <strong>at</strong>tribution.<br />
WHY THE SECURITY MARKET HAS NOT WORKED WELL 176<br />
1980s was <strong>the</strong> <strong>in</strong>troduction of limited coverage aga<strong>in</strong>st external <strong>in</strong>trusions and<br />
associ<strong>at</strong>ed offenses, <strong>in</strong>clud<strong>in</strong>g tamper<strong>in</strong>g, extortion, and o<strong>the</strong>rs. Although <strong>the</strong><br />
<strong>in</strong>surance described above protects <strong>the</strong> system-us<strong>in</strong>g organiz<strong>at</strong>ion, <strong>in</strong>surance<br />
represent<strong>at</strong>ives suggest <strong>the</strong>re is a grow<strong>in</strong>g potential for coverage of errors and<br />
omissions on <strong>the</strong> part of <strong>the</strong> vendor, aris<strong>in</strong>g from <strong>the</strong> development of hardware,<br />
firmware, and software, to protect <strong>the</strong> vendor aga<strong>in</strong>st liability claims. Such<br />
coverage appears targeted to developers of such complex products as<br />
eng<strong>in</strong>eer<strong>in</strong>g design software.<br />
NOTES

1. Note that add-on controls are futile unless the user has full control over all the software on a machine.

2. A glaring example of a system behavior that can compromise security is "object reuse," which never was an issue in Unix, because it could not happen. Today's non-Unix systems from Digital Equipment Corporation and IBM still allow object reuse.

3. As noted by one analyst, Unix was originally designed by programmers for use by other programmers in an environment fostering open cooperation rather than privacy (Curry, 1990).

4. The fact that consumers are preoccupied with threats posed by insiders and have problems today that could benefit from better procedures and physical security measures, let alone technical measures, is discussed in the section titled "Consumer Awareness."

5. For example, the most recent of a series of intra-governmental advisories is the Office of Management and Budget's (OMB's) Guidance for Preparation of Security Plans for Federal Computer Systems that Contain Sensitive Information (OMB, 1990). This bulletin addresses the security planning process required by the Computer Security Act of 1987 (P.L. 100-235). It is expected to be superseded by a revision to OMB Circular Number A-130 and incorporated into future standards or guidelines from the National Institute of Standards and Technology.

6. An examination of this challenge for computing technologies generally can be found in a previous Computer Science and Technology Board report, Global Trends in Computer Technology and Their Impact on Export Control (NRC, 1988a).

7. There may also have been instances in which software implementations of DES or RSA were sent abroad by oversight or because the transmitter of the implementation was unaware of the law. The physical portability of software makes such slips almost inevitable.

8. Note that the United Kingdom and Australia set the threshold at B2 or the equivalent.

9. Note that in this time period only one A1 product has been on the evaluated product list. The information on approval rates came from NSA briefings for the committee.

10. This point was made by Digital Equipment Corporation in July 1990 testimony before the House Subcommittee on Transportation, Aviation, and Materials.
11. For example, observers of the market for disaster recovery services have noted that until a 1986 fire in Montreal, a principal marketing tool was a 1978 study assessing how long businesses could survive without their data processing operations; more recent fires (affecting the Hinsdale, Ill., central office for telephone service and lower Manhattan's business district) have also provided dramatic evidence of the consequences of system mishaps (Datamation, 1987).
12. This situation and a variant, in which bad products effectively drive out good ones, are not unique (see Akerlof, 1970).

13. A security officer may even occasionally need to decrypt an encrypted file that was encrypted by a suspect using a key known only to the suspect; the security officer may have very mixed feelings about the optimum strength of an encryption method that is available for routine use in protecting the company's data.

14. These issues have been actively discussed on electronic bulletin boards and forums (e.g., RISKS, CuD, the Well) and in the general and business press with the publicized launch of the Electronic Frontier Foundation in response to recent investigations and prosecutions.

15. "Insurance as a Market Lever" and Chapter Appendix 6.2 draw on discussions with insurance industry representatives, including carrier and agent personnel.

16. Insurance industry representatives voice concern about technology outpacing underwriting: if a policy is written at one point in time, will the language and exclusions prove appropriate when a claim is filed later, after new technology has been developed and introduced?

17. Indeed, there is some evidence that universities should do even more. For example, based on a recent survey, John Higgins observed the following:

It seems evident that a substantial majority of current university graduates in computer science have no formal introduction to the issues of information security as a result of their university training.… While it is unlikely that every institution would develop a variety of courses in security, it is important that some institutions do. It establishes and helps to maintain the credibility of the subject and provides a nucleus of students interested in security topics. The most favorable interpretation of the survey seems to suggest that at present there are at best only two or three such universities in the nation. (Higgins, 1989, p. 556)

18. RISKS, formally known as the Forum on Risks to the Public in the Use of Computers and Related Systems, was established in August 1985 by Peter G. Neumann as chair of the Association for Computing Machinery's (ACM) Committee on Computers and Public Policy. It is an electronic forum for discussing issues relating to the use and misuse of computers in applications affecting our lives. Involving many thousands of people around the world, RISKS has become a repository for anecdotes, news items, and assorted comments thereon. The most interesting cases discussed are included in the regular issues of ACM's Software Engineering Notes (see Neumann, 1989). An updated index to about a thousand cases is under development.

19. The relative reluctance of victims to report computer crimes was noted to the committee by prosecutors and insurance representatives.

20. Experience shows that many users do not repair flaws or install patches (software to correct a flaw) even given notification. Since penetrators have demonstrated the ability to "reverse engineer" patches (and other remedies) and go looking for systems that lack the necessary corrections, the proper strategy for handling discovered flaws is not easy to devise.

21. Computer hardware, for example, must meet the Federal Communications Commission's regulations for electronic emanations, and European regulations on ergonomic and safety qualities of computer screens and keyboards have affected the appearance and operation of systems worldwide.

22. This point was made by Digital Equipment Corporation in July 1990 testimony before the House Subcommittee on Transportation, Aviation, and Materials.
23. Vendors also argue that some consumers may prefer products with little security, but the prevalent lack of consumer understanding of the choices casts doubt on this explanation for the weak market.

24. For example, rope manufacturers use a system of standardized strength ratings, since one cannot tell at the point of manufacture whether a rope will be used to tie packages or to suspend objects. Of course, some highly specialized rope, such as climbing lines, carries extra assurance, which comes with added cost.

25. Michael Agranoff observes, "Such standards would not eliminate computer abuse, especially by 'insiders'; they would not eliminate computer-related negligence. They would, however, provide a 'curb on technology,' a baseline from which to judge both compensation for victims of computer abuse and the efficacy of measures to combat computer crime" (Agranoff, 1989, p. 275).

26. The terms and conditions governing the acquisition of operating-system and off-the-shelf software have many of the attributes of an adhesion contract (although whether there is a contract at all is open to debate). An adhesion contract is a standardized contract form offered on a "take-it-or-leave-it" basis, with no opportunity to bargain. The prospective buyer can acquire the item only under the stated terms and conditions. Of course, the "buyer" has the option of not acquiring the software, or of acquiring a competing program that is most likely subject to the same or a similar set of terms and conditions, but often the entire industry offers the item only under a similar set of terms and conditions.

27. The UCC upholds express warranties in Section 2-313. An express warranty is created when the seller affirms a "fact or promise, describes the product, and provides a sample or model, and the buyer relies on the affirmation, description, sample, or model as part of the basis of the bargain." By their very nature, express warranties cannot be disclaimed. The UCC will not allow a vendor to make an express promise that is then disclaimed. Language that cannot be reasonably reconciled is resolved in favor of the buyer.

28. Most recently, Logisticon, Inc., apparently gained telephone access to Revlon, Inc.'s computers and disabled software it supplied. Revlon, claiming dissatisfaction with the software, had suspended payments. While Logisticon argued it was repossessing its property, Revlon suffered a significant interruption in business operations and filed suit (Pollack, 1990).

29. Although it would be inequitable to impose liability for clearly unintended uses in unintended operating environments, a vendor should not escape all liability for breach of warranty simply because a product can be used across a wide spectrum of applications or operating environments.

30. That superior knowledge is an argument for promoting the technical steps discussed in the section titled "Consumer Awareness," such as shipping systems with security features turned on.

31. The Customer Warning System involves a point of contact for reporting security problems; proactive alerts to customers of worms, viruses, or other security holes; and distribution of fixes.

32. The Foreign Corrupt Practices Act is one step toward linking accounting and information security practices; it requires accounting and other management controls that security experts interpret as including computer security controls (Snyders, 1983). Also, note that an effort is under way on the part of a group of security practitioners to address the affirmative obligations of corporate officers and directors to safeguard information assets (personal communication from Sandra Lambert, July 1990).
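Note 2 names "object reuse" without showing the mechanism. The following is an added example, not code from the report: a toy fixed-block allocator that hands a freed block to the next requester without clearing it, beside the same allocator with a scrub-on-release policy. The report's concern is operating-system storage objects passed between subjects; this in-process pool, the two "tenants" A and B, and the secret string are all constructed here to make the same failure observable.

```c
/* Added example (not from the report): object reuse in a toy pool allocator.
 * The pool, the tenants A and B, and the secret value are constructed for
 * illustration; they stand in for OS-level storage objects and subjects. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BLOCK_SIZE 64
#define NUM_BLOCKS 4

/* Four fixed-size blocks handed out lowest-free-first. `scrub_on_release`
 * selects the policy: 0 = freed storage keeps the previous tenant's contents
 * (object reuse possible), 1 = storage is overwritten before it can be
 * handed to anyone else. */
typedef struct {
    unsigned char data[NUM_BLOCKS][BLOCK_SIZE];
    int in_use[NUM_BLOCKS];
    int scrub_on_release;
} pool_t;

static void pool_init(pool_t *p, int scrub_on_release) {
    memset(p, 0, sizeof *p);
    p->scrub_on_release = scrub_on_release;
}

static unsigned char *pool_alloc(pool_t *p) {
    for (int i = 0; i < NUM_BLOCKS; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = 1;
            return p->data[i];   /* contents left as-is: residue is visible */
        }
    }
    return NULL;
}

static void pool_release(pool_t *p, unsigned char *blk) {
    for (int i = 0; i < NUM_BLOCKS; i++) {
        if (p->data[i] == blk) {
            if (p->scrub_on_release) {
                /* Write through a volatile pointer so the compiler cannot
                 * discard the store to memory that is about to be "dead". */
                volatile unsigned char *v = blk;
                for (size_t j = 0; j < BLOCK_SIZE; j++) v[j] = 0;
            }
            p->in_use[i] = 0;
            return;
        }
    }
}

/* Scenario: tenant A stores a secret and releases the block; tenant B then
 * allocates and receives the same block. Copies what B sees into `out` and
 * returns 1 if B can read A's secret, 0 otherwise. */
int residue_leaks(int scrub_on_release, char *out, size_t outlen) {
    static const char secret[] = "constructed-secret-token"; /* constructed */
    pool_t pool;
    pool_init(&pool, scrub_on_release);

    unsigned char *a = pool_alloc(&pool);
    memcpy(a, secret, sizeof secret);     /* includes the terminating NUL */
    pool_release(&pool, a);               /* A is finished with the block */

    unsigned char *b = pool_alloc(&pool); /* B is handed the reused block */
    snprintf(out, outlen, "%s", (const char *)b);
    return memcmp(b, secret, sizeof secret) == 0;
}

int main(void) {
    char seen[BLOCK_SIZE];
    printf("no scrub : leaks=%d, B sees \"%s\"\n",
           residue_leaks(0, seen, sizeof seen), seen);
    printf("scrubbed : leaks=%d, B sees \"%s\"\n",
           residue_leaks(1, seen, sizeof seen), seen);
    return 0;
}
```

Scrubbing on release is one of two places the countermeasure can sit; clearing on allocation instead also satisfies the requirement, and a real system may do both so that a crash between release and reallocation leaves no window.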
7
The Need to Establish an Information Security Foundation

In the preceding chapters, this report identifies factors contributing to low levels of computer security in commercial or nonmilitary systems, and it recommends a variety of actions intended to promote security in the design, selection, and use of computer systems. This chapter argues that a new organization should carry out many of those actions. In the discussion below, the proposed organization is called the Information Security Foundation, or ISF. Mindful that U.S. efforts have been fragmented and inadequate whereas efforts in Europe are gaining momentum and cohesion, this recommendation is intended to fill a troubling void. After reviewing the requirements and options for such an organization, the committee concluded that the ISF should essentially be a private, not-for-profit organization, largely outside the government once it is launched. It would need the highest level of support from government as well as industry; the strongest expression of such support would be a congressional charter.
ACTIONS NEEDED TO IMPROVE COMPUTER SECURITY

As documented in other chapters, several actions are necessary to improve computer security. These actions form the basis for the mission of the ISF:

• Defining requirements and evaluation criteria for users of commercial systems, including private sector users and government processors of sensitive but unclassified information. A major part of this effort is the development and promulgation of the Generally Accepted System Security Principles (GSSP), which would provide a set of requirements and guidelines for trustworthy computer and communications system design and use.

• Conducting research and development, especially into criteria and evaluation procedures, in support of the above.

• Evaluating the quality of security measures in industry-developed products during their development and throughout their life cycle, and publishing evaluation results; in particular, evaluating products for conformance to GSSP. Eventually evaluations should also consider other aspects of system trustworthiness, such as safety. (See "Assurance Evaluation" in Chapter 5.)

• Developing and maintaining a system for tracking and reporting security and safety incidents, threats, and vulnerabilities.

• Promoting effective use of security and safety tools, techniques, and management practices through education for commercial organizations and users.

• Brokering and enhancing communications between industry and government where commercial and national security interests may conflict.

• Focusing efforts to achieve standardization and harmonization of commercial security practice and system safety in the U.S. and internationally.
These actions are complementary and would be pursued most effectively and economically by a single organization. At present, some of these actions are attempted by the National Security Agency (NSA), the National Institute of Standards and Technology (NIST), and other organizations. However, current efforts fall short of what is needed to accomplish the tasks at hand, and the dominant missions of existing agencies and organizations limit the scope of their involvement in addressing the issues of computer security and trustworthiness. In particular, relevant government agencies are poorly suited to represent the needs of nongovernmental system users (although they may take some input from major system users and generate publications of interest to users).
ATTRIBUTES AND FUNCTIONS OF THE PROPOSED NEW<br />
INSTITUTION<br />
The ISF should have <strong>the</strong> follow<strong>in</strong>g <strong>at</strong>tributes and functions:<br />
• It should be free from control by <strong>the</strong> computer and communic<strong>at</strong>ion<br />
vendors, but it must communic<strong>at</strong>e and work effectively with <strong>the</strong>m. This<br />
quality is important to prevent <strong>the</strong> appearance or reality<br />
THE NEED TO ESTABLISH AN INFORMATION SECURITY FOUNDATION 181
of bias or conflict of interest. Vendors can be expected to be responsive to consistent and credible user demand, but they have not shown (and cannot be expected to show) leadership in defining and bringing to market systems with enhanced security. Thus trade associations and conventional industry consortia are not credible vehicles for the needed activities, although they would be a valuable conduit for inputs and for dissemination of outputs such as GSSP.
• It should have a strong user presence, through membership and participation in its governance.
• It must have defined relationships to existing governmental organizations, particularly NIST and NSA, but also other organizations relevant to its missions, such as the Defense Advanced Research Projects Agency (DARPA) and the National Science Foundation (NSF). By charter and by action, it must command the respect of both government and industry and must seek open personal and institutional communications with both. It must have ready access to technical assistance from government agencies. Most importantly, because of existing agency activities there would have to be a delineation of where the ISF would have lead responsibility in the above areas. Industry, for example, would not tolerate a situation calling for evaluations by both NSA and a new entity—but it should find tolerable a situation involving NSA evaluations for military-critical systems and ISF evaluations for other, GSSP-compliant systems, with coordination between ISF and NSA to minimize any duplication of effort.
• It must serve more than just a single industry or just the governmental sector, to ensure the broad relevance of GSSP and of the evaluations that would be performed to ensure conformance to GSSP.
• It must strive to be at the forefront of the computer security field, attracting top-notch people to enable it to lead the field. Staffing would take time, but the opportunity to do research is necessary to attract the most talented candidates.
• It should address the broader problem of how to make computer systems trustworthy, integrating security with related requirements such as reliability and safety. Implementing these related requirements can benefit from similar techniques and mechanisms in many instances. While the ISF should focus initially on security, it should consider related areas such as safety and reliability from the start. Although a security constituency seems to be emerging outside of government, there is nothing analogous for computer system reliability and safety. The ISF could lead in helping to establish a constituency for system trustworthiness.
• It should have a strong, diversified funding base. In particular, it must not depend on government funding, although federal seed
money would be appropriate. Although government has much in common with the rest of the economy in terms of the kinds of computer systems and applications it chooses, governmental priorities in system design, use, and management may differ from those found elsewhere, even for systems processing sensitive but unclassified information. Perhaps most importantly, government funding is unlikely to reach the levels or have the stability necessary to sustain the ISF. Finally, policy independence may be necessary in some cases, such as when the ISF is called on to seek a middle ground between commercial and defense perspectives.

The development and dissemination of GSSP would be central functions of the ISF. These activities would build on research and on consensus across a variety of stakeholding communities (vendors, commercial users, the general public, and government). The goal is to achieve universal recognition along the lines that the Financial Accounting Standards Board (FASB) has for what have been called Generally Accepted Accounting Principles (GAAP). Although the analogy to FASB is not perfect, it presents some notable parallels:

The FASB plays a unique role in our society. It is a [de facto] regulator that is not a government agency. It is an independent private foundation financed by contributions and by revenues from the sale of its publications. Contributions are primarily from corporations and public accounting firms, but the FASB is independent of the contributors by virtue of a carefully drawn charter. By the same token, the FASB is independent of both the American Institute of CPAs and the Securities and Exchange Commission, even though its "clout" comes from the fact that both institutions accept FASB pronouncements as the prime authority for purposes of preparing financial statements in accordance with generally accepted accounting principles.…

The FASB is the latest in a line of accounting standard-setting bodies that go back to the stock market crash of 1929 and the consequent Securities Acts of 1933 and 1934. The stock market crash drove home the point that the U.S. economy depends greatly on a smoothly functioning capital market.… (Mosso, 1987)

While FASB's GAAP are intended to assure fair disclosure by companies to investors and creditors, GSSP are intended to protect companies and individuals both inside and outside a computer-system-using entity. However, similar motivations inform the proposed ISF and FASB. If industry does not pursue such an effort to protect itself and the public, there is a possibility of greater government regulation (see "Regulation as a Market Influence" in Chapter 6).
OTHER ORGANIZATIONS CANNOT FULFILL ISF'S MISSION

Government Organizations

As noted above, the beginnings of the ISF's mission can be found in government. The history of government involvement in computer and communications security is outlined in Chapter Appendix 7.1. The forebear closest to the proposed ISF is the National Computer Security Center (NCSC), which has supported the development of the Orange Book and performed evaluations of products against its criteria (see Appendix A of this report). As is discussed in preceding chapters, the Orange Book criteria and the associated evaluation process fall short of what vendors, users, and a wide range of security experts consider necessary. Perhaps most important, the NCSC has undergone a reorganization and downsizing that may severely limit its ability to meet its old mission, let alone an expanded mission.

A number of significant events have shaped the role of the NCSC in civilian computing. The promulgation of National Security Decision Directive (NSDD) 145 in 1984 expanded the NCSC's scope to include civilian government and some aspects of the private sector's concerns for protection of sensitive unclassified information. Subsequent passage of the Computer Security Act of 1987 (P.L. 100–235) and the July 1990 issuance of NSD 42, revising NSDD 145, substantially limited that scope to classified, national-security-related activities. As a result, the NCSC's influence on commercial and civilian government use of computers has been greatly reduced.

Starting in 1985, internal reorganizations within the NSA have merged the separate and distinct charter of the NCSC with NSA's traditional communications security role. Most recently, the NCSC was reduced to a small organization to provide an external interface to product developers. The actual evaluations will be performed by NSA staff, sometimes assisted by specific outsiders (e.g., MITRE Corporation and Aerospace Corporation), in direct response to requirements of the national security community. Although outsourcing evaluation work is a practical solution to NSA's limited resources, it raises questions about the accountability of and incentives facing the evaluators. These questions are of great concern to industry, which has complained about the duration of evaluations and the lateness within the product cycle of the evaluation process. Another issue raised by the reorganization is the extent to which NSA will remain concerned with evaluation of systems at the lower levels of the Orange Book, such as C2.¹
The other major government player in this area is NIST, which through the National Computer Systems Laboratory (NCSL) is concerned with computer and communications security. At present NIST lacks the technical and financial resources to execute the agenda defined here for ISF, and it also lacks the necessary charter and organizational support. The recent move by NIST to coordinate a clearinghouse with industry focused on protections against viruses illustrates NIST's opportunities for expansion, but it also illustrates NIST's limited resources—this is a small-scale limited-focus effort (Danca, 1990e).

In the computer security arena, NIST has traditionally focused on supporting technical standards (e.g., those related to Open Systems Interconnection (OSI) and Integrated Services Digital Networking) and developing guidelines for system management and use. These activities are more straightforward than articulating GSSP and developing guidelines for associated evaluations. Evaluating the security functionality and assurance of a computer system, for example, is more difficult than evaluating conformance to interoperability standards. Although NIST has been involved with standards conformance testing (and has begun a program to establish testing for conformance to certain DES standards), it has so far not undertaken either to specify evaluation criteria for the civil government or to evaluate commercial products against any criteria, or to offer guidelines for system-level evaluation.² Such guidelines would have to describe how to judge the effectiveness of security safeguards against an anticipated threat.

Finally, its relations with NSA, on which it relies for technical assistance and with which it has an agreement not to compete with the Orange Book process, have not given NIST the scope to act with substantial independence. The committee has doubts that NIST's National Computer Systems Laboratory could play the role that is required, given its present charter and in particular the difficulty it has in achieving satisfactory and consistent funding.

Private Organizations

As banks, insurance companies, and business in general have become increasingly interested in computer security, these organizations have found that their interests are not well served by the present activities of NCSC or NIST. This situation is evidenced by either ignorance of or resistance to the Orange Book (see Chapter 6) and by observations on the inadequate budget and program of NIST.

But existing private organizations are also poorly suited to undertake the actions needed to improve computer security. Currently, much activity in the private sector is driven by vendors, regulated
industries, and large computer and communications system users. They affect the overall state of commercial security through the marketplace, trade associations, and relevant standards-setting ventures. As discussed in Chapter 6, the influence is uneven and tends to be reactive rather than proactive.

Largely (but not exclusively) in the private sector are security specialists or practitioners and their relatively new professional societies (discussed in Chapter Appendix 7.2). Security practitioners are the principal force promoting computer and system security within organizations, but they operate under a variety of constraints. In particular, the voluntary nature of professional societies for security practitioners limits their reach. Also, professional societies tend to focus exclusively on security and show no signs of addressing broader issues of system trustworthiness (in particular, safety).

WHY ISF'S MISSION SHOULD BE PURSUED OUTSIDE OF THE GOVERNMENT

Apart from the specific limitations of NIST and the NCSC, there are more general concerns about a governmental basis for the ISF.
• The government has difficulty attracting and keeping skilled computer professionals. The NCSC, for example, appears to have been largely staffed by young, recently graduated computer scientists who have little practical experience in developing complex computer systems. Issues that constrain federal hiring include salary ceilings and limitations on the capitalization available to technical personnel.
• The defense budget is shrinking. Department of Defense resources have supported the activities in the NCSC and relevant activities elsewhere in NSA, DARPA, and research units of the armed services (e.g., the Naval Research Laboratory). As noted in Chapter 8, defense resources will continue to be valuable for supporting relevant research and development.
• The international standards arena may become a forum for the negotiation of standards for security and safety and for evaluation criteria. The American National Standards Institute (ANSI) and other private U.S. standards organizations depend on voluntary contributions of time and talent, and the role that NIST and other agencies can play in contributing to international efforts is limited. The United States needs a strong presence in these commercial standards-setting processes, complementing the existing military standards process that to date has been a major impetus to development of trusted systems.
• Government's necessary concern for national security sometimes
obscures legitim<strong>at</strong>e commercial <strong>in</strong>terests, occasionally handicapp<strong>in</strong>g<br />
technology and market development th<strong>at</strong> may be <strong>in</strong> <strong>the</strong> country's longterm<br />
economic security <strong>in</strong>terests.<br />
The realities of the government environment suggest that accelerating the development and deployment of computer and communications security requires a greater role for the commercial sector.[3]
A NEW NOT-FOR-PROFIT ORGANIZATION

Given the limitations of private and public organizations, the committee concludes that the proposed Information Security Foundation will be most likely to succeed as a private not-for-profit organization. To assure that its viability would not depend on special-interest funding, multiple sources of funding are necessary.
The ISF would need the highest level of governmental support, and the strongest expression of such support would be a congressional charter that would define its scope and, in particular, set parameters that would permit it to work with NSA, NIST, and other agencies as appropriate. There are general precedents for government establishment of organizations acting in the public interest, including organizations that perform tasks previously performed by public or private entities.[4] In all of these organizations, effective working relationships with government and operational flexibility, which would be critical for the ISF, have been key.
Good working relationships with relevant agencies would be necessary so that the ISF could contribute to satisfying government needs, especially in developing GSSP and associated evaluations, and to avoid unnecessary duplication of effort. For example, as noted above, there should be one recognized source of evaluations for a given type of system. Government recognition of evaluations conducted by the ISF would also be necessary to support international reciprocity in handling the results of evaluations in different countries (see Chapter 5).
One relatively new government initiative in computer security, the establishment of Computer Emergency Response Teams (CERTs) to deal with threatened or actual attacks in networks and systems, presents a specific opportunity for coordination between agencies and the ISF. The ISF could, building from the base already provided by DARPA, provide a common point for collecting reports of security problems in vendor products and passing these back to the vendor in a coordinated way. This function could be a part of the larger action of providing an incident database (which would not be limited to emergency situations in large networked systems); the ISF should be able to devote more resources to this important activity than does DARPA or NIST, although DARPA-funded CERT activities could be an input into the ISF.
Success for the ISF would depend on strong participation by users and vendors. The appeal to users is that the ISF would provide, through the GSSP and related evaluation processes, a mechanism for making vendors more responsive to users' needs for systems that are more trustworthy, and a forum designed to identify and alleviate user problems. Vendors would get a more responsive evaluation mechanism and broader guidance for developing trusted systems than they have had in the NCSC. Both vendors and users would gain from having a single, well-endowed focal point for system security and trustworthiness.
Critical Aspects of an ISF Charter

If the concept of establishing the ISF is accepted, the details of the ISF's form and function will be discussed extensively. This report cannot offer too detailed a vision of the ISF, lest it prematurely over-constrain the approach. However, certain aspects of the ISF seem critical. Summarized here, they should be reflected in any legislation that might bring the ISF into existence.
• The board of directors of the ISF must include government, vendor, and user representatives.
• The ISF must be permitted to receive private funds as its major source of income. As discussed below, such funds would most likely be in the form of subscription fees and charges to vendors for product evaluations.
• The ISF must not have the salary levels of its employees tied to government scales but must be able to pay competitive rates. The nature of its work means that its most significant asset and the largest source of expense will be technical personnel.
• The ISF must be able to solicit support from the government for specific activities, such as research. It should be able to regrant such funds, under appropriate controls.
• The legal liability that the ISF might incur by performing an evaluation must be recognized and managed, given the necessarily subjective nature of evaluations. The goal is to facilitate evaluations to protect users and vendors; of course, the ISF must be accountable in the event of negligence. This problem, which has been addressed for product-testing organizations, might in the ISF's case best be handled by careful explanation of what an evaluation does and does not signify; for example, it might signify a given probability of resistance to certain types of attack, although no amount of testing and evaluation can ever guarantee that a system will be impervious to all attacks. It might be necessary for the ISF to set up operating procedures to resolve disputes arising from evaluations; one option would be arbitration, which, unlike litigation, would avoid introducing details of product design and strategy into the public record.
Start-up Considerations

The NCSC experience shows how difficult it can be to launch an effective evaluation program, in which success includes widespread industry awareness and support as well as reasonable cost and time for evaluation. Consequently, the committee believes it might take longer to inaugurate an effective ISF evaluation program than to undertake other ISF activities. The committee believes that GSSP is a vital foundation for increasing customer awareness and vendor accountability, and by extension for building an effective evaluation program. A critical pacing factor would be vendor demand for evaluations. This might be a function of true general acceptance of GSSP, coupled with case law trends that might increase vendors' perceived liability for software and system defects. If prudent customers were to specify GSSP, and vendors then used compliance with GSSP in marketing, independent evaluation of GSSP compliance would protect both vendors and users. Evaluation provides for truth in advertising from the customer's point of view, and it provides a mechanism for the vendor to demonstrate good faith. Note as a precedent that recently proposed legislation would ease the liability burden for vendors of products evaluated by the Food and Drug Administration (FDA) and the Federal Aviation Administration (Crenshaw, 1990).
Selection of an appropriate initial leader for the organization would be a critical step; that person's job would involve not only developing a business plan but also securing commitment from key stakeholders and recruiting a strong core staff. A parent organization should be designated to shelter the ISF during this first stage. Although using a government agency would expose the ISF to government politics during this first critical period, no obvious private group could play this role. A suitable "launch site" would have to be sought while the details of a charter, operating plan, and budget were being developed.
Funding the ISF

This committee recommends a not-for-profit consortium funded by consumers and procurers of secure systems and functioning as a foundation. The most difficult aspect is to establish stable long-term funding to ensure the ISF's effectiveness, enabling such a foundation to be a credible source for requirements and evaluation and to attract and keep a first-class staff. The committee suggests that funding be derived from two sources: basic subscription fees, and usage fees from the computer manufacturers and commercial users.[5] Also, the committee urges that the federal government provide seed money to launch the operation and sustain it in the early stages. The overall budget for this kind of organization would likely be about $15 million to $20 million. This assumes a budget devoted largely to costs for technical personnel, plus essential plant, equipment, and software tools. While evaluations, which are labor-intensive, might be the most expensive activity, they would be paid for by vendors.
Membership fees paid by private sector consumers of computer security products should be the basic source of funds, since consumers rather than vendors would be the main beneficiaries and would need a guarantee that their interests are paramount. For example, the first increment of funds could derive from basic subscription fees paid by all members. This funding would be used to establish the base of research and criteria development needed for the foundation to function efficiently. Note that subscription fees for Fortune 500 companies of, for example, $50,000 per year per company would generate $10 million annually if 200 participated. This seems to be a modest amount for a $5 billion organization to spend. Successful fund-raising would likely hinge on obtaining commitments from industry clusters (i.e., multiple organizations in each industry); this pattern has been observed in other consortia.
System manufacturers might be asked to pay a subscription fee ranging from $50,000 to $500,000 based on their overall revenue. Twenty vendors contributing an average of $250,000 each would generate an additional $5 million for the base fund. The basic subscription would entitle an organization to participate in the foundation's research, evaluation, and education programs. As a reference point, note that membership in the Corporation for Open Systems, which promotes development of systems that comply with open systems standards and conducts or supplies tools for conformance testing, costs $200,000 for vendors and $25,000 for users.
Contributions that range into six figures are difficult to obtain, especially at a time when computer-related research and standards consortia have proliferated (e.g., Open Software Foundation, Corporation for Open Systems, Microelectronics and Computer Technology Corporation, Sematech, X/Open) and when competitive considerations and the prospect of a recession prompt budget cutting. The mission of the proposed ISF differs from that of any other entity, but the combination of a government charter and an assured role in product evaluations will be central for gaining the necessary corporate commitments. As noted above, the impact of GAAP comes not merely because a FASB exists but because the government, through the Securities and Exchange Commission and other vehicles, has endorsed GAAP (while industry has a strong voice in GAAP development).
The second source of funds could be fees for the evaluation of industry-developed products. This is analogous to other kinds of product testing, from drug testing (for which producers incur costs directly) to testing requested by vendors but carried out by independent laboratories (e.g., Underwriters Laboratories, Inc.). The actual cost incurred by the foundation for each evaluation would be billed to the vendor. Because the base of research and criteria development activities would be funded by subscription fees, the foundation could maintain a core staff to conduct evaluations and thus could establish its independence from vendors. The special nature of the ISF would eliminate any prospect of competition with vendors and would be consistent with the necessary protection of proprietary information. Furthermore, the stability of the foundation would mean that evaluation fees could be held to a minimum. Without the pool of subscription funds as general base funding, the cost of an evaluation might be prohibitive.
It is critical that the evaluations be charged to the producer of the product. Although it would be nice to imagine the government paying for this service, the committee concludes that this option (which is provided by the NCSC today) is unrealistic. If the government pays, there is no way to adjust the level of effort to meet vendor demands. If the vendor were to pay, the ISF could allocate funds to meet the product cycle of the vendor, and in this way the evaluation process could be more responsive to vendor needs. Vendor funding would permit the organization to respond quickly with appropriate levels of qualified individuals and would provide a critical incentive to complete the evaluation process expeditiously yet thoroughly by working with vendors throughout the entire development process. The evaluations could be completed and available as the products enter the marketplace (instead of years later). The government could use the results of the ISF directly in its own evaluation of particular systems.
ALTERNATIVES TO THE ISF

A number of alternatives to the ISF, ranging from government centers to industry facilities, must at least be considered. The base against which alternatives should be measured is the present situation wherein the NCSC does detailed technical evaluations for the classified national security community and NIST serves in a limited advisory role to the civilian government. The limitations of this situation have been discussed.
One alternative is that NIST develop its own computer security evaluation facility comparable to the NCSC. The current NIST course of (at least limited) endorsement of the Orange Book plus no direct involvement in actual evaluations argues against this alternative. Without a significant change in operational orientation and funding for NIST, successfully implementing this alternative is highly unlikely.
An alternative considered in 1980, prior to the formation of the NCSC, was the establishment of a single federal computer security evaluation center for all of government, separate from the NSA but involving NSA, NIST, and other personnel representing other parts of government. The 1980 proposal would have been funded jointly by the Department of Defense (DOD) and the Department of Commerce (DOC), and it would have resulted in a center located at the National Bureau of Standards (now NIST) and thus capable of operating in an open, unclassified environment, but with the ability to deal with highly sensitive or classified issues as necessary.
Taking such an approach now would require major changes in management philosophy and funding by DOD and DOC and would most certainly require legislative action crossing many firmly established jurisdictional boundaries. For these reasons, and because this alternative echoes the weaknesses of the NIST alternative, the second alternative described is unlikely to succeed. However, if industry were to resist a nongovernmental entity, then a single federal computer security evaluation organization would offer improvements over what is currently available, and it could fulfill the additional missions (development of GSSP or broader educational efforts) proposed above.
A third alternative that might avoid the staffing problems faced by government agencies would be an independent laboratory involved in computer security technology development and funded by the government at a federally funded research and development center (FFRDC) such as MITRE Corporation, Aerospace Corporation, or the Institute for Defense Analysis. Such organizations already participate in NCSC evaluations on a limited basis and can pay higher salaries and retain a core of knowledgeable experts, perhaps even rotating experts from industry. Unfortunately, the experience gained to date with these organizations assisting the NCSC and the nature of the contractual arrangement between them and NCSC have not provided opportunities for improving the existing process or for conducting research and development on the process of evaluation. Also, the
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
THE NEED TO ESTABLISH AN INFORMATION SECURITY FOUNDATION 192
involvement of these groups in developing systems for the government might cause vendors to perceive them as potential or actual competitors, thereby inspiring reluctance to divulge the proprietary information essential for thorough evaluation. This concern has been raised by U.S. vendors in response to the U.K. plans to establish commercial licensed evaluation facilities (CLEFs).
Another approach is that taken by the FDA, a government organization that reviews testing done in-house by the producer of the product. In the case of computer and communications systems, for which evaluation is of necessity rather subjective and the quality of assessments not easily quantified, it seems unreasonable to expect that using vendor staff as evaluators could yield an unbiased result. There is no effective way for a government agency to control the process of evaluating computers and systems if it is limited to review of the results of a vendor's evaluation.
Finally, note that the mission envisioned for the ISF is not one that current independent testing laboratories can fill. Evaluating trusted systems is much more difficult and time-consuming than evaluating the performance of various forms of hardware or conformance to existing technical standards.
APPENDIX 7.1—A HISTORY OF GOVERNMENT INVOLVEMENT
The dominant public institutions affecting computer and communications security in the United States are government agencies—in particular, but far from exclusively, agencies within the Department of Defense (DOD). Driven by national security concerns, the U.S. government has actively supported and directed the advance of computer security since the dawn of computer development; its involvement with communications security dates back to the Revolutionary War. The government's long history of involvement in computer and communications security illustrates how public institutions can nurture new technology and stimulate associated markets; it also shows where work remains to be done.
The National Security Agency and the DOD Perspective
The government's involvement with computer security grew out of the evolving field of communications security in the early 1950s, when it was deemed necessary in the United States to establish a single organization, the then very secret National Security Agency (NSA), to deal with communication security and related matters (e.g., signals intelligence) (Kahn, 1967). The historical role of the DOD and, in particular, of the NSA, has been responsible for a longstanding tension between the DOD, which seeks to fulfill its mission of protecting national security, and civilian agencies concerned with computer security, notably the National Institute of Standards and Technology, together with the general vendor community.
The overall policy responsibility for communications security matters was originally assigned to the U.S. Communications Security (COMSEC) Board, consisting of cabinet-level officials from all branches of the government, that dealt with classified government information. This structure and NSA's highly classified responsibilities under that board existed from the early 1950s until the mid-1970s, when the issue of using encryption to protect other than classified information caused a division within the government. The publication of the Data Encryption Standard (DES) in 1977 (NBS, 1977) (see discussion below) was a major triumph for both the civilian government and commercial communities (IBM contributed substantially to the development of DES) but has been regarded by some in the national security community as a major disaster.6 Up to that time, cryptography had remained largely a dark science, hidden in government secrecy. Encryption systems were designed by and for the government and were built and distributed under strict and highly classified government control. There had also been some open research, particularly in public-key cryptography.
Computer security does not have as extensive a history as does communications security. It has been recognized as a difficult issue needing attention for at least the past two decades. In the early 1970s, the DOD funded research into how to build computer systems that could be relied on to separate access to sensitive information in accordance with a set of rules. In the mid-1970s, several research projects (e.g., secure Multics) were initiated to demonstrate such systems, and in 1978, the DOD Computer Security Initiative was formed both to promote the development of such systems by industry and to explore how to evaluate them so that they could become widely available for both government and commercial use. Perhaps the most important result of the work during the 1970s was the formulation of a computer-relevant model of multilevel security, known as the Bell and La Padula Model (Bell and La Padula, 1976), which became the focal point of DOD computer security research and development. That model (discussed in Chapter 3) formalized decades of DOD policies regarding how information could be accessed, and by whom, in manual paper-based systems.
In 1981, the DOD Computer Security Evaluation Center was established at NSA as an entity separate from the communications security structure already in place. The reasons for this separation included the recognition that while communications security had been largely a government-owned function in which NSA developed encryption algorithms, contracted for their production, and fully controlled their distribution and use throughout the government, computers were far more widely deployed even in the early 1980s and could not be developed, produced, and controlled in the same way as encryption systems. A separate organization capable of working with industry, instead of directing it through procurement contracts, was needed.
The DOD Computer Security Center, as it came to be called, published the Trusted Computer System Evaluation Criteria (TCSEC, or Orange Book) in 1983 (superseded in 1985 by DOD 5200.28-STD; U.S. DOD, 1985d) and began working with industry to evaluate how well their products met the various levels of those criteria. It should be noted that the establishment of the Computer Security Center as a separate function at NSA was opposed both within and outside the agency at the time. The internal opposition stemmed from the perception that computer security was merely a subset of communications security and should be handled in the same way by the same organization. The opposite view was that communications security was becoming increasingly dependent on computers, computer networks, and network protocols, and required a new technology base managed by a new organization. The external opposition derived from the negative concerns of many in the defense community, including other parts of DOD and defense contractors, that NSA's slowness to respond and dictatorial authority in the communications security arena would hamper the development of products needed to solve today's problems. These two opposing forces both within and outside NSA continue today to influence the evolution of both computer security and communications security.
Up until the establishment of the Computer Security Center, the preceding U.S. COMSEC Board and another key policy group, the National Communications Security Committee, largely ignored the computer security problem, lumping it, if considering it at all, into the communications security arena. The 1977 Presidential Directive 24 (PD 24), which created the National Communications Security Committee, split the responsibility for communications security, giving NSA authority over the protection of classified and national security-related information and the National Telecommunications and Information Administration, a part of the Department of Commerce not related to the National Bureau of Standards (NBS), responsibility for protecting unclassified and non-national security information. This split in responsibility resulted in much confusion and was opposed by many in the national security community.
Growing controversy over computer security led to intense pressure during the early days of the Reagan Administration to correct the situation. Those efforts resulted in the publication in September 1984 of National Security Decision Directive 145 (NSDD 145), the National Policy on Telecommunications and Automated Information Systems Security, which expanded NSA's role in both communications and computer security and extended its influence to the national level, to the civilian government, and to a limited extent, to the commercial world. NSDD 145 required federal agencies to establish policies, procedures, and practices to protect both classified and unclassified information in computer systems. It established the National Telecommunications and Information Systems Security Committee (NTISSC) to develop and issue national system security operating policies.
When NSDD 145 was emerging in 1983–1984, computer security had come into its own with a separate organization at NSA. NSDD 145 swept the two forces together and elevated the DOD Computer Security Center to the National Computer Security Center (NCSC), giving it and the NSA's COMSEC Board roles in the civilian government as well as in the commercial world.
In late 1985 a reorganization at NSA created the Deputy Directorate for Information Security, merging the COMSEC and Computer Security functions and encompassing the NCSC. Since it was becoming clear that the technologies needed to develop communications security systems and computer security systems were becoming inextricably linked, this merger was viewed by many as a positive force. Others, however, viewed the expansion of NSA's role beyond the defense and intelligence communities in a highly negative way, and efforts began in Congress to redefine roles and limit the scope of NSA to its traditional communities of interest. The Computer Security Act of 1987 (U.S. Congress, 1987, P.L. 100-235) defined the role of NBS (now NIST) in protecting sensitive information (see below), and limited NSA to its traditional responsibilities for the protection of classified information.
Two recent developments have continued the withdrawal of NSA from direct and active involvement in the nondefense marketplace and its refocusing on the defense community and the protection of classified information and systems generally. First, in mid-1990, NCSC research and evaluation functions were integrated with the NSA's communications security functions. Officially, however, the restructuring was done to more effectively address network and system security issues and was prompted by "increasing recognition that current user applications virtually eliminate traditional distinctions between telecommunications and information systems" (NSA, 1990a).
Second, NSDD 145 was revised in July 1990, resulting in NSD 42, so that NSA no longer had responsibility for sensitive but unclassified information. In compliance with the Computer Security Act of 1987, that responsibility was assigned solely to NIST, and all references to the private sector were removed. The NTISSC became the National Security Telecommunications and Information Systems Security Committee (NSTISSC), under the new National Security Council Policy Coordinating Committee for National Security Telecommunications and Information Systems.
The National Institute of Standards and Technology
The other government agency with a longstanding interest in enhancing computer and communications security is the National Institute of Standards and Technology (NIST; formerly the National Bureau of Standards, NBS), which serves all government unclassified, non-Warner Amendment interests. Involvement in computer and communication security began in the late 1970s and early 1980s at NIST in what is now known as the National Computer Systems Laboratory (NCSL) (formerly the Institute for Computer Sciences and Technology).
The National Institute of Standards and Technology's involvement in computer security has most often resulted in the publication of federal standards or guidelines on topics such as password protection, audit, risk analysis, and others that are important to the use of computers but do not necessarily relate to the technical aspects of protection within computer systems. These documents, formally known as Federal Information Processing Standards (FIPS) publications, are widely used within the civilian government as the basis for computer processing and computer system procurement. NIST has also issued other, tutorial publications to enhance awareness in government, in particular, of issues such as computer viruses. The FIPS publications provide valuable information to government computer managers who have little time to study the detailed technical issues concerning computer systems, but who are responsible for their proper use. FIPS publications may also be valuable to industry, but they are not widely known outside the government (although they are recognized by many security practitioners).
In 1972–1973 interest in the establishment of an encryption algorithm suitable for use by the nonclassified portions of the government and, potentially, the private sector, led to the DES project at NBS. The issue of what constitutes "information related to national security" arose, perhaps not for the first time and definitely not for the last time, during this period. The DES controversy triggered the first in a series of actions intended to ensure that public policy addressed the broader public interest in computer and communications security, not just the military interest. In particular, it helped to
motiv<strong>at</strong>e PD 24, discussed above. It is worth not<strong>in</strong>g here th<strong>at</strong> <strong>the</strong> number of<br />
people <strong>in</strong>volved <strong>in</strong> cryptography and its rel<strong>at</strong>ed activities <strong>at</strong> NBS dur<strong>in</strong>g this<br />
time frame never approached 1 percent of <strong>the</strong> number <strong>in</strong>volved <strong>at</strong> NSA, and<br />
NBS's activities were substantially <strong>in</strong>fluenced on a cont<strong>in</strong>uous basis by <strong>the</strong><br />
constra<strong>in</strong>ts of NSA. NBS got by with few resources by leverag<strong>in</strong>g <strong>in</strong>vestments<br />
by IBM, which was responsible for <strong>the</strong> technical development of <strong>the</strong><br />
cryptographic algorithm th<strong>at</strong> became <strong>the</strong> DES.<br />
As noted above, the implementation of PD 24 contributed to the issuance of NSDD 145, and concern about the associated expansion of NSA's role led to the passage of the Computer Security Act of 1987 (P.L. 100-235), which defined specific information-protection roles for NBS and thereby limited NSA's responsibilities. Shortly thereafter, NBS was renamed the National Institute of Standards and Technology (NIST). Although the renamed organization has yet to be funded at a level commensurate with its current or anticipated mission, the intent was to strengthen the organization as a vehicle for stimulating nondefense technology development. Under P.L. 100-235, NIST is primarily responsible for establishment and dissemination of standards and guidelines for federal computer systems, including those needed "to assure the cost-effective security and privacy of sensitive information in federal computer systems." NIST is also involved with other objectives of P.L. 100-235 intended to raise security awareness in the federal computing community: the establishment of security plans by operators of federal computer systems containing sensitive information, and training of all persons associated with such systems.
The complementary nature of the respective computer security missions of NSA and NIST as well as NSA's larger role in its national security arena necessitates cooperation between the two. That cooperation has recently been shaped by a Memorandum of Understanding (MOU) developed to help implement P.L. 100-235 and to assure national security review of areas of mutual interest (NIST/NSA, 1989). The Computer Security Act of 1987 calls for NIST to draw on NSA for technical assistance (e.g., research, development, evaluation, or endorsement) in certain areas. The MOU calls for NIST to draw on NSA's expertise and products "to the greatest extent possible" in developing telecommunications security standards for protecting sensitive but unclassified computer data, and to draw on NSA's guidelines for computer system security to the extent that they are "consistent with the requirements for protecting sensitive information in federal computer systems." Under the MOU, a joint NSA-NIST technical working group was established "to review and analyze issues of mutual interest" regarding the protection of systems processing sensitive information, especially those issues relating to cryptography.
The National Security Agency as well as NIST personnel are also involved with the NIST Computer and Telecommunications Security Council and with the Computer Systems Security and Advisory Board organized by NIST under P.L. 100-235.
According to the MOU, NIST is prevented from developing a competing set of ratings for security product evaluation. 7 It plans instead to issue a management guide, aimed at civilian government, that will explain what trusted and evaluated systems are, and will point agencies toward evaluated systems as appropriate (this topic has already been treated in an NCSL Bulletin). Although NIST does not give specific product ratings or endorsements, it is involved with developing tests of products for conformance to its standards, and it has plans to accredit other organizations to validate products for conformance to certain FIPS. NIST does not appear likely to follow the NSA in publishing lists of evaluated products such as NCSC's Evaluated Products List.
Unlike the NSA, NIST has had only a small program in security-related research. In particular, it has sponsored none of the fundamental operating system research needed to develop or evaluate trusted computer systems, although NBS monitored the research and development activities of the 1970s and held an invitational Rancho Santa Fe Access Control workshop in 1972. NIST continues to participate in the DOD Computer Security Initiative through joint sponsorship of the "NBS" (now National) Computer Security Conference, and NIST has recently held a series of workshops aimed at generating guidelines for integrity.
Observers suggest that NSA continues to have a substantial, although not always direct, influence on NIST's activities, drawing on NSA's national security mission. While NIST's computer security responsibilities grew as a result of P.L. 100-235, it was denied several budget increases requested by the Administration, and it remains funded in this area at the level (i.e., taking into account growth in expenses like salaries) in place prior to the passage of the law. Out of an appropriated NIST budget of approximately $160 million (a level almost matched by externally sponsored research), the appropriated FY 1990 NIST security program was $2.5 million; the NSA budget, the details of which are classified, is on the order of $10 billion (Lardner, 1990b). Accordingly, the number of people involved in computer security at NBS/NIST has always been relatively small compared with the number at NSA.
Other Government Agency Involvement
The historic emphasis on the roles of NSA and NIST makes it easy to overlook the fact that other government agencies and groups are also involved in promoting computer and communications security. As discussed in Chapter 8, other DOD agencies and the Department of Energy engage in security-related research and development, although, with the exception of DARPA, much of this work is tied to the operating mission of the relevant organization; the National Science Foundation (NSF) funds basic research in mathematics and computer science that is relevant to the development of secure and trusted systems. Note that while the DOD's research and procurement have emphasized a specific area of computer security—namely access control, which has a long-established basis in manual systems—it took almost two decades to transform research concepts into commercially produced, government-evaluated products, which are only now beginning to satisfy DOD application needs. This lengthy gestation reflected the need to develop, and achieve some consensus on, complex technology and an associated vocabulary.
As recognized by P.L. 100-235, the computerization of government activities creates a need for computer and communications security in all government agencies and organizations. For example, in an informal committee survey of 1989 government requests for proposals (RFPs), some of the highest computer security requirements were stipulated for systems being procured by the Treasury Department, the Federal Aviation Administration, and the Senate. Across the government, security is one of many concerns captured in Federal Information Resources Management Regulations (President's Council on Integrity and Efficiency, 1988; GSA, 1988), and P.L. 100-235 mandates computer security planning and precautions for federal organizations. However, merely having a plan on paper is no guarantee that sound or effective precautions have been taken. The GAO has repeatedly raised this concern in connection with government computer systems (GAO, 1990c).
Two agencies, the General Services Administration (GSA; which coordinates government procurement) and the Office of Management and Budget (OMB; which influences government procurement and has a general interest in the efficient use of information and systems), set the operating climate for computer and communications security within civil government through circulars (e.g., A-130) and other directives. Despite this nominal breadth, defense agencies, which operate under a security-oriented culture and with a strong system of information classification, have been more active than most civilian agencies in seeking greater security. They have a relatively high degree of concern about unauthorized disclosure and access control, and they have been prodded by military standards (e.g., the Orange Book, which was made into a military standard) and by procurement requirements for specific types of systems in certain applications (e.g., Tempest units that have shielding to minimize electronic emanations).
Federal concerns regarding protection of unclassified systems and data include protection against improper disclosure of personal data, as required by the Privacy Act of 1974 (P.L. 93-579), protection against fraud, and protection of the availability and integrity of government systems (on which millions depend for a variety of payments and other services).
Although the scale of and public interest in government systems may be unique, the government shares many of the same problems found in commercial and other organizations, including inadequate awareness and inadequate precautions. Because of these commonalities, many of NIST's activities, while nominally aimed at meeting civilian government needs, are relevant to industry.
A third group of government entities involved with computer and communications security are the investigating and prosecuting agencies, including the Federal Bureau of Investigation (responsible for major federal law enforcement and also for counterintelligence), the Secret Service (responsible for investigating computer crimes involving finance and communications fraud), the Department of Justice and the U.S. Attorneys (both responsible for prosecuting federal cases), agencies with specialized law enforcement responsibilities (e.g., U.S. Customs Service), and state and local law enforcement entities (Conly, 1989; Cook, 1989). These agencies are concerned with deterring and prosecuting computer crimes, which may result from inadequate computer and communications security. Among the challenges they have faced are encouraging the development of laws that fit emerging and anticipated patterns of crime, and applying laws developed under different technological regimes (e.g., laws against wire fraud) to computer crimes. (See Box 7.1 for a list of relevant laws.) These agencies report difficulties in achieving support from the public (computer-related crimes often go unreported), difficulties in obtaining the necessary technical expertise, and difficulties in obtaining management support for investigations of crimes that, compared to others, require a relatively large expenditure of resources for investigation relative to the nominal losses 8 involved (Conly, 1989; Cook, 1989).
BOX 7.1 LEGISLATIVE TOOLS

Congress has responded to the computer and telecommunication threat by providing federal investigators and prosecutors with impressive tools.

18 U.S.C. §1029: Prohibits fraudulent activity in connection with using access devices in interstate commerce, including computer passwords, telephone access codes, and credit cards.
18 U.S.C. §1030: Prohibits remote access with intent to defraud in connection with federal interest computers and/or government-owned computers and prohibits unauthorized computer access by company employees.
18 U.S.C. §1343: Prohibits the use of interstate communications systems to further a scheme to defraud.
18 U.S.C. §2512: Prohibits making, distributing, possessing, and advertising communication interception devices and equipment.
18 U.S.C. §2314: Prohibits interstate transportation of stolen property valued at over $5,000.
17 U.S.C. §506: Prohibits copyright infringement violations—but only if the copyright is actually on file.
22 U.S.C. §2778: Prohibits illegal export of Department of Defense-controlled software and data.
50 USCA p. 2510: Prohibits illegal export of Department of Commerce-controlled software and data.
18 U.S.C. §793: Prohibits espionage—including obtaining (and/or copying) information concerning telegraph, wireless, or signal station, building, office, research laboratory, or station—for a foreign government, or to injure the United States.
18 U.S.C. §2701: Prohibits unlawful access to electronically stored information.
18 U.S.C. §1962: Prohibits racketeering, which is in turn defined as two or more violations of specific crimes, including 18 U.S.C. §1029, §1343, and §2314.

SOURCE: Cook (1989).
APPENDIX 7.2—SECURITY PRACTITIONERS<br />
Many organizations rely on a security specialist or practitioner for guidance on computer and communications security problems and practices. Most such individuals are associated with information systems planning and operation units; others may be involved with the security of larger corporate functions (including physical facilities security as well as computer system concerns), with internal or external auditing responsibilities, or with an internal or external consulting service. As this range of roles suggests, security practitioners have a variety of backgrounds and tend to be in staff positions. Informal communication with such individuals revealed a shared perception among security practitioners that their job is often made difficult by management's resistance to recommendations for greater security-related controls. Nevertheless, while much of the debate about technology development has been dominated by technical (research, development, and evaluation) experts, security practitioners are a more prominent influence on the ever-growing system-using community. These are the individuals responsible for selecting, recommending, and implementing security technology and procedures.
Several professional societies provide guidelines, continuing education, and other tools and techniques to computer and communications security practitioners. They include, for example, the Information Systems Security Association (ISSA), the Computer Security Institute (CSI), the Special Interest Group for Computer Security (SIG-CS) of the Data Processing Management Association (DPMA), the American Society for Industrial Security (ASIS), and the EDP Auditors Association. Another such group has been organized by SRI International, which offers a "continuing multiclient service" called the International Information Integrity Institute (I-4). The membership of I-4 is limited, by membership decision, to approximately 50 firms that are typically represented by security practitioners (SRI International, 1989). Other groups include large-scale users groups like Guide and Share for IBM system users and industry-specific associations like the Bank Administration Institute.
The need for professional certification has been a growing concern among security practitioners. By the mid-1980s professional societies recognized that certification programs attesting to the qualifications of information security officers would enhance the credibility of the computer security profession. After attempting without success to associate with existing accredited certification programs, the Information Systems Security Association (ISSA) decided to develop its own. Committees were formed to develop the common body of knowledge, criteria for grandfathering (to accommodate the transition to the new regime of certification), and test questions. The common body of knowledge refers to the knowledge deemed necessary to accomplish the tasks or activities performed by members in the field.
Elements of the common body of knowledge identified by a committee of a new consortium of professional societies described below include the following:
• Access control—capabilities used by system management to achieve the desired levels of integrity and confidentiality by preventing unauthorized access to system resources.
• Cryptography—use of encryption techniques to achieve data confidentiality.
• Risk management—minimizing the effects of threats and exposures through the use of assessment or analysis, implementation of cost-effective countermeasures, risk acceptance and assignment, and so on.
• Business continuity planning—preparation for actions to ensure that programs critical to preserving a business are run.
• Data classification—implementation of rules for handling data in accordance with its sensitivity or importance.
• Security awareness—consciousness of the reality and significance of threats and risks to information resources.
• Computer and systems security—understanding computers, systems, and security architectures so as to be able to determine the appropriate type and amount of security appropriate for the operation.
• Telecommunications security—protection of information in transit via telecommunications media and control of the use of telecommunications resources.
• Organization architecture—structure for organization of employees to achieve information security goals.
• Legal/regulatory expertise—knowledge of applicable laws and regulations relative to the security of information resources.
• Investigation—collection of evidence related to information security incidents while maintaining the integrity of evidence for legal action.
• Application program security—the controls contained in application programs to protect the integrity and confidentiality of application data and programs.
• Systems program security—those mechanisms that maintain the security of a system's programs.
• Physical security—methods of providing a safe facility to support data processing operations, including provision to limit (physical) access to authorized personnel.
• Operations security—the controls over hardware, media, and the operators with access privileges to the hardware and media.
• Information ethics—the elements of socially acceptable conduct with respect to information resources.
• Security policy development—methods of advising employees of management's intentions with respect to the use and protection of information resources.
In November 1988 a consortium of organizations interested in the certification of information security practitioners began to forge a joint certification program. In mid-1989, the International Information Systems Security Certification Consortium or (ISC)2 was established
as a nonprofit corporation (under the provisions of the General Laws, Chapter 180, of the Commonwealth of Massachusetts) to develop a certification program for information systems security practitioners. Participating organizations include the Information Systems Security Association (ISSA), the Computer Security Institute (CSI), the Special Interest Group for Computer Security (SIG-CS) of the Data Processing Management Association (DPMA), the Canadian Information Processing Society (CIPS), the International Federation of Information Processing, agencies of the U.S. and Canadian governments, and Idaho State University (which has developed computer security education modules). Committees of volunteers from the various founding organizations are currently developing the products needed to implement the certification program, such as a code of ethics, the common body of knowledge, an RFP for obtaining a testing service, a marketing brochure for fund raising, and preliminary grandfathering criteria. Funds are being sought from major computer-using and computer-producing organizations.
According to (ISC)2 literature, certification will be open to all who "qualify ethically" and pass the examination—no particular affiliation with any professional organization is a prerequisite for taking the test. The examination will be a measure of professional competence and may be a useful element in the selection process when personnel are being considered for the information security function.9 Recertification requirements will be established to ensure that individual certifications remain current in this field that is changing rapidly as technological advancements make certain measures obsolete and provide more effective solutions to security problems.
The growth of security practitioner groups and activities is a positive force, one that can help to stimulate demand for trust technology. Because this profession is new, still evolving, and diverse in composition, it is not clear that it can have the impact on security that, say, certified public accountants have on accounting. That assumption is based in part on the absence to date of generally accepted computer and communications security principles and mature standards of practice in this arena, as well as the absence of the kind of legal accountability that other professions have achieved.
NOTES
1. The concerns discussed focus on the NCSC's ability to reach out into the commercial world and influence the marketplace. The substantive thrust of the reorganized NCSC—a new emphasis on heterogeneous, networked systems—should generate valuable insights and techniques, although who will benefit from them outside the government is not at all clear.
2. In September 1990, the Computer System Security and Privacy Advisory Board established under the Computer Security Act of 1987 proposed that NIST issue guidelines on civilian agency computer security analogous to the Rainbow Series and published as Federal Information Processing Standards. However, it is not clear how or by whom such a document would be developed, in part because NIST lacks relevant funding (Danca, 1990e).
3. Ironically, it was a similar recognition that led to the launch of the NCSC in the first place.
4. Note that the federal government already has a number of vehicles for action that do not involve direct administration by federal employees, such as nonprofit federally funded research and development centers (FFRDCs), government-owned/contractor-operated (GOCO) industrial plants, and specially chartered quasi-public organizations such as federally sponsored financing agencies that conduct activities formerly conducted by the private sector. Comsat is perhaps the most widely recognized example; it was specially chartered by Congress, but it is profit making and is funded by selling shares. More relevant is the FFRDC concept, also involving congressional charters, which in general does not, however, permit the flexibility in funding or in mission envisioned for the ISF (Musolf, 1983).
5. Another source of funds might eventually be sales of publications. Such sales provide about $10 million in revenue for FASB, for example (FASB, 1990).
6. The emergence of DES in the 1970s, its promotion by the then Institute for Computer Sciences and Technology (ICST) of the then National Bureau of Standards (NBS), and the role of the NSA in that evolution, have been well publicized (OTA, 1987b).
7. The MOU states that NIST will "recognize the NSA-certified rating of evaluated trusted systems under the Trusted Computer Security Evaluation Criteria Program without requiring additional evaluation," and it also makes many references to coordination with NSA to avoid duplication of effort or conflict with existing technical standards aimed at protecting classified information.
8. The nominal losses in a specific case are misleading. They signal a potential for greater loss through repetitions of undetected abuse.
9. Note that the movement toward certification among security practitioners contrasts with the ongoing heated debate among systems developers and software engineers over certification.
RESEARCH TOPICS AND FUNDING 206
8
Research Topics and Funding
Earlier chapters of this report included discussions of the state of the art in computer security that also addressed a variety of research activities. This chapter addresses the broader issue of the state and structure of the research community and also outlines some areas of research where the current level of effort seems insufficient. In addition, the committee addresses directions for federally funded extramural research programs.
The committee believes that there is a pressing need for a stronger program of university-based research in computer security. Such a program should have two explicit goals: addressing important technical problems and increasing the number of qualified people in the field. This program should be strongly interconnected with other fields of computer science and cognizant of trends in both theory and uses of computer systems.
In the 1970s the Department of Defense (DOD) aggressively funded an external research program that yielded many fundamental results in the security area, such as the reference monitor and the Bell and La Padula model (Bell and La Padula, 1976). But with the establishment of the National Computer Security Center (NCSC) in the early 1980s, the DOD shifted its emphasis from basic research to the development and application of evaluation criteria and the development of applications that meet mission needs. The specific focus of most DOD funding for basic research has been related to nondisclosure of information. Furthermore, relatively little of the DOD-funded research on computer security is currently being done at universities.
The committee reviewed (unclassified) research on information security conducted by the National Security Agency (NSA), and the
NCSC in particular. Now the research activities of the two are combined, owing to NCSC's recent reorganization, and the committee is not in a position to comment on the newly structured program. Although NSA supports active research at several private centers (e.g., SRI International and MITRE Corporation), its support for academic research in computer security appears to have been quite limited in scope and level. That support cannot be tracked straightforwardly, because some of it is passed through other agencies and some recipients have been asked not to divulge NSA's support. NSA has provided some funding for programs, such as the outside cryptographic research program (OCREAE) and DOD's University Research Initiative (URI), that seek to increase the pool of appropriately trained American graduates. In late August 1990, NSA announced a new Computer Security University Research Program, a modest effort aimed at supporting university summer study projects (which are inherently limited in scope and scale).
At the same time, the other agencies with significant agendas related to research in computer security, such as the Department of Energy (DOE), the Navy's Office of Naval Research (ONR), and the National Institute of Standards and Technology (NIST), have had limited programs in funded external research.1 In the area of information integrity, NIST has attempted to establish a role for itself by holding a series of workshops, but no significant research funding has resulted.2
Not-for-profit and vendor laboratories are pursuing a variety of projects, many of which are discussed elsewhere in this report (e.g., see Chapter 4). However, support for these activities fluctuates with both government interest in security and short-term business needs. Although many of the topics proposed below are relevant to industrial research conducted independently or in collaboration with universities, the committee focused on the need to stimulate academic research.
University-based research in computer security is at a dangerously low level.3 Whereas considerable research is being done on theoretical issues related to security—for example, number theory, cryptology, and zero-knowledge proofs—few research projects directly address the problem of achieving system security. This lack of direct attention to system security is particularly serious given the ongoing dramatic changes in the technology of computing (e.g., the emergence of distributed systems and networks) that make it necessary to rethink some of the current approaches to security. High-risk and long-term research, a traditional strength of universities, is essential. Furthermore, the small number of academicians with research interests in the area of computer security makes it impossible to train a sufficient number of
qualified experts capable of participating in commercial research and development projects.

Various issues contribute to the lack of academic research in the computer security field. One is the occasional need for secrecy, which conflicts with the tradition of open publication of research results. Another is the holistic nature of security. There is a risk in studying one aspect of security in isolation; the results may be irrelevant because of changes or advances in some other part of the computer field. In many academic environments, it is difficult to do the large demonstration projects that provide worked examples (proofs of concepts) of total security solutions.
Meanwhile, evidence suggests a growing European research and development effort tied to national and regional efforts to develop the European industrial base. Although not focused specifically on security, several of these projects are developing advanced assurance techniques (e.g., formal methods and safety analysis). The Portable Common Tool Environment (PCTE) consortium of vendors and universities has proposed extensions to PCTE that allow programming tools to utilize common security functions, modeled after but more general than those outlined in the Orange Book (IEPG, 1989; European Commission, 1989a, p. 8). On another front, Esprit funding is establishing a pattern of collaboration that could pay off significantly in systems-oriented fields such as security and safety, as researchers learn to work effectively in relatively large academic and industrial teams.4 Although MITI in Japan is conducting a study of security problems in networks, the committee has found no widespread Japanese interest in developing indigenous security technology at this time.
A PROPOSED AGENDA FOR RESEARCH TO ENHANCE COMPUTER SECURITY

The committee identified several specific technical issues currently ripe for research. It is expected that the issues described will have aspects that are best addressed variously by universities, contractors, nonprofit research laboratories, government laboratories, and vendor laboratories. The key is to develop a broad range of system security expertise, combining the knowledge gained in both academic and industrial environments. The list that follows is by no means complete (rather, a research agenda must always reflect an openness to new ideas) but is provided to show the scope and importance of relevant research topics and to underscore the need to cultivate progress in areas that have received insufficient attention.
• Security modularity: How can a set of system components with known security properties be combined or composed to form a larger system with known security properties?

• Security models: The disclosure control problem has benefited from a formal model, the Bell and La Padula model, which captures some of the desired functionality in an abstract manner. Other security requirements, such as integrity, availability, and distributed authentication and authorization, do not have such clean models. Lacking a clean model, it is difficult to describe what a system does or to confirm that it does so. For example, models are needed that deal with separation of duty and with belief and trust in situations of incomplete knowledge. Efforts should be directed at establishing a sound foundation for security models. The models that have been used in the past lack, for the most part, any formal foundation. The Franconia workshops (IEEE, 1988–1990) have addressed this issue, but more work is necessary. Security models should be integrated with other systems models, such as those related to reliability and safety.

• Cost/benefit models for security: How much does security really cost, and what are its real benefits? Both the cost of production and the cost of use should be addressed. Benefit analysis must be based on careful risk analysis. This is particularly difficult for computer security because accurate information on penetrations and loss of assets is often not available, and analyses must depend on expert opinion. The recommended reporting and tracking function envisioned for the Information Security Foundation proposed in Chapter 7 would facilitate model generation and validation.

• New security mechanisms: As new requirements are proposed, as new threats are considered, and as new technologies become prevalent, new mechanisms will be required to maintain security effectively. Recent examples of such mechanisms are the challenge-response devices developed for user authentication. Among the mechanisms currently needed are those to support critical aspects of integrity (e.g., separation of duty), distributed key management on low-security systems, multiway and transitive authentication (involving multiple systems and/or users), availability (especially in distributed systems and networks), privacy assurance, and limitations on access in networks, to permit interconnection of mutually suspicious organizations.
• Assurance techniques: The assurance techniques that can be applied to secure systems range from the impractical extremes of exhaustive testing to proofs of all functions and properties at all levels of a system. It would be beneficial to know the complete spectrum of assurance techniques, the practicality of their application, and to what aspects of security they best apply. For instance, formal specification and verification techniques can be applied to some encryption protocols but may be more useful for testing formal specifications in an effort to discover design weaknesses (Millen et al., 1987; Kemmerer, 1989a). Also, formally specifying and verifying an entire operating system may not be cost-effective, yet it may be reasonable to thoroughly analyze a particular aspect of the system using formal specification and verification techniques. (This is one of the reasons for grouping the security-relevant aspects of a secure operating system into a security kernel that is small enough to be thoroughly analyzed.) Identifying effective and easily usable combinations of techniques, particularly ones that can be applied early in software production, is a current area of interest in the field of testing, analysis, and verification. In addition, attention must be given to modernizing the existing technology base of verification and testing tools, which are used to implement the techniques, to keep pace with new technology.
• Alternative representations and presentations: New representations of security properties may yield new analysis techniques. For example, graphics tools that allow system operators to set, explore, and analyze proposed policies (who should get access to what) and system configurations (who has access to what) may help identify weaknesses or unwanted restrictions as policies are instituted and deployed systems are used.

• Automated security procedures: A practical observation is that many, if not most, actual system penetrations involve faults in operational procedures, not system architecture. For example, poor choice of passwords or failure to change default passwords is a common failure documented by Stoll (1989). Research is needed in automating critical aspects of system operation, to assist system managers in avoiding security faults in this area. Examples include tools to check the security state of a system (Baldwin, 1988), models of operational requirements and desired controls, and threat assessment aids. Fault-tree analysis can be used to identify and assess system vulnerabilities, and intrusion detection (Lunt, 1988) through anomaly analysis can warn system administrators of possible security problems.

• Mechanisms to support nonrepudiation: To protect proprietary rights it may be necessary to record user actions so as to bar a user from later repudiating these actions. Research into methods of recording user actions in a way that respects the privacy of users is difficult.
• Control of computing resources: Resource control is associated with the prevention of unauthorized use and piracy of proprietary software or databases owned or licensed by one party and legitimately installed in a computing system belonging to another. It has attracted little research and implementation effort, but it poses some difficult technical problems and possibly privacy problems as well, and it is, therefore, an area that warrants further research.
• Systems with security perimeters: Most network protocol design efforts have tended to assume that networks will provide general interconnection. However, as observed in Chapter 3, a common practical approach to achieving security in a distributed system is to partition the system into regions that are separated by a security perimeter. This is not easy to do. If, for example, a network permits mail but not directory services (because of security concerns about directory searches), the mail may not be deliverable due to the inability to look up the address of a recipient. To address this problem, research is needed in the area of network protocols that will allow partitioning for security purposes without sacrificing the advantages of general connectivity.
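The "Security models" and "New security mechanisms" items above name two policy notions that the committee wants formal treatment of: the Bell and La Padula disclosure rules and separation of duty for integrity. The following Python is an added illustration, not code from the report, of how both look when written down as a reference-monitor check that a system could evaluate on every access. The sensitivity levels, category names, subjects and transaction identifiers are constructed sample data; a real system would draw them from its labels and audit records.

```python
"""Added example (not from the report): a small reference monitor that
encodes the Bell-LaPadula disclosure rules and a separation-of-duty rule.
Levels, categories and transaction ids below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Constructed linear ordering of sensitivity levels (higher number = more sensitive).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a sensitivity level plus a set of need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level and a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, access: str) -> bool:
    """Bell-LaPadula mandatory access check.

    read  -> simple security property: the subject must dominate the object
             (no read up)
    write -> *-property: the object must dominate the subject (no write down,
             so a high subject cannot leak into a low object)
    """
    if access == "read":
        return subject.dominates(obj)
    if access == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {access!r}")


class SeparationOfDuty:
    """Integrity rule of the kind the text asks models for: the user who
    initiates a transaction may not be the one who approves it."""

    def __init__(self) -> None:
        self._initiator: Dict[str, str] = {}

    def initiate(self, txn_id: str, user: str) -> None:
        self._initiator[txn_id] = user

    def approve(self, txn_id: str, user: str) -> bool:
        """True only if the transaction exists and a different user initiated it."""
        initiator = self._initiator.get(txn_id)
        return initiator is not None and initiator != user


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"crypto"}))
    for target, mode in [(Label("confidential"), "read"),
                         (Label("confidential"), "write"),
                         (Label("top-secret", frozenset({"crypto"})), "write")]:
        print(mode, target, "->", "allow" if blp_allows(analyst, target, mode) else "deny")
    sod = SeparationOfDuty()
    sod.initiate("po-1", "alice")
    print("alice approves po-1 ->", sod.approve("po-1", "alice"))
    print("bob approves po-1   ->", sod.approve("po-1", "bob"))
```

The two rules are independent: the Bell-LaPadula check decides what a subject may see, while the separation-of-duty check constrains who may complete a transaction regardless of clearance, which is why the text lists integrity as needing its own model rather than a reuse of the disclosure one.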
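The "Automated security procedures" item above describes two kinds of tooling: checks of a system's security state, such as detecting accounts still protected by a default password, and intrusion detection by comparing activity against normal behaviour. The block below is an added example of both, written here for illustration; it is not code from the report or from the tools it cites (Baldwin, 1988; Lunt, 1988). The account records, the list of "vendor default" passwords and the login events are all constructed.

```python
"""Added example (not from the report or the tools it cites): two operational
checks run over constructed sample data.  (1) flag accounts whose stored
password hash matches a known default; (2) flag logins that depart from a
user's historical profile."""
import hashlib
from collections import defaultdict

# Constructed placeholder list standing in for a site's known default passwords.
DEFAULT_PASSWORDS = ["changeme", "password", "default"]


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 for the constructed account database (a production
    system would use a deliberately slow password hash instead)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed account records: (username, salt, stored_hash).
SAMPLE_ACCOUNTS = [
    ("svc-backup", "s1", hash_password("changeme", "s1")),
    ("alice",      "s2", hash_password("Tr0ub4dor&3", "s2")),
    ("guest",      "s3", hash_password("default", "s3")),
]


def accounts_with_default_passwords(accounts, defaults=DEFAULT_PASSWORDS):
    """Security-state check: re-hash each default with the account's salt and
    report accounts whose stored hash matches."""
    flagged = []
    for user, salt, stored in accounts:
        if any(hash_password(candidate, salt) == stored for candidate in defaults):
            flagged.append(user)
    return flagged


# Constructed login records: (user, hour_of_day, source_host).
BASELINE_LOGINS = [
    ("alice", 9, "ws-17"), ("alice", 10, "ws-17"), ("alice", 14, "ws-17"),
    ("bob", 8, "ws-22"), ("bob", 17, "ws-22"), ("bob", 9, "lab-3"),
]
NEW_LOGINS = [
    ("alice", 10, "ws-17"),     # matches profile
    ("alice", 3, "dialup-9"),   # odd hour and never-seen host
    ("bob", 9, "lab-3"),        # matches profile
    ("carol", 12, "ws-40"),     # user with no history at all
]


def build_profiles(logins):
    """Per-user profile: the hours and source hosts seen in the baseline."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for user, hour, host in logins:
        profiles[user]["hours"].add(hour)
        profiles[user]["hosts"].add(host)
    return profiles


def _hour_distance(a: int, b: int) -> int:
    """Distance on the 24-hour clock, so 23 and 1 are two hours apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def anomalous_logins(baseline, new_events, hour_slack=1):
    """Anomaly check: return (event, reasons) for each new event whose hour is
    more than hour_slack from every baseline hour, whose host is unseen, or
    whose user has no profile."""
    profiles = build_profiles(baseline)
    findings = []
    for event in new_events:
        user, hour, host = event
        reasons = []
        if user not in profiles:
            reasons.append("no profile")
        else:
            prof = profiles[user]
            if min(_hour_distance(hour, h) for h in prof["hours"]) > hour_slack:
                reasons.append("unusual hour")
            if host not in prof["hosts"]:
                reasons.append("unknown host")
        if reasons:
            findings.append((event, reasons))
    return findings


if __name__ == "__main__":
    print("default passwords:", accounts_with_default_passwords(SAMPLE_ACCOUNTS))
    for event, reasons in anomalous_logins(BASELINE_LOGINS, NEW_LOGINS):
        print("anomaly:", event, ", ".join(reasons))
```

Both checks are advisory: the first tells an administrator which accounts to reset before anyone else tries the same defaults, and the second raises events for a human to review, which is the role the text assigns to anomaly-based intrusion detection.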
DIRECTIONS FOR FUNDING SECURITY RESEARCH

There are several strategic issues basic to broadening computer security research and integrating it with the rest of computer science: funding agencies' policies, cross-field fertilization, and the kinds of projects to be undertaken. The areas of study sketched above are suitable for funding by any agency with a charter to address technical research topics.

The committee recommends that the relevant agencies of the federal government (e.g., DARPA and NSF) undertake funded programs of technology development and research in computer security. These programs should foster integration of security research with other related research areas, such as promoting common techniques for the analysis of security, safety, and reliability properties. The committee recommends that NIST, in recognition of its interest in computer security (and its charter to enhance security for sensitive but unclassified data and systems), work to assure funding for research in areas of key concern to it, either internally or in collaboration with other agencies more traditionally associated with research. NIST may be particularly effective, under its current regime, at organizing workshops that bring together researchers and practitioners and then widely disseminating the resulting workshop reports.
Although federal agencies have traditionally been viewed as the primary source of funding for computer science research, many states, such as Texas, Virginia, and California, have substantial funding programs geared toward regional industry and academic needs. The proposed research agenda should be brought to the attention of state funding agencies, especially in those states where industrial support and interaction are likely.
Both the Defense Advanced Research Projects Agency (DARPA) and the National Science Foundation (NSF) should proceed to justify a program in extramural computer security research. However, because of differences in the traditional roles of DARPA and NSF, this committee has identified specific activities that it recommends to each.
Funding by the Defense Advanced Research Projects Agency

The Defense Advanced Research Projects Agency has traditionally been willing to fund significant system-development projects. The committee believes that this class of activity would be highly beneficial for security research. Security is a hands-on field in which mechanisms should be evaluated by deploying them in real systems. Some examples of suitable projects are the following:

• Use of state-of-the-art software development techniques and tools to produce a secure system. The explicit goal of this effort should be to evaluate the development process and to assess the expected gain in system quality.

• Development of distributed systems with a variety of security properties. A project now under way, and funded by DARPA, is aimed at developing encryption-based private electronic mail. Another candidate for study is decentralized, peer-connected name servers.

• Development of a system supporting an approach to ensuring the integrity of data. There are now some proposed models for integrity, but without worked examples it will be impossible to validate them. This represents an opportunity for a cooperative effort by DARPA and NIST.
Funding by the National Science Foundation

The National Science Foundation has tended to fund smaller, less development-oriented projects. A key role for NSF (and for DARPA, as well), beyond specific funding of relevant projects, is to facilitate increased interaction between security specialists and specialists in related fields (such as distributed computing, safety, and fault-tolerant computing). Examples of areas in which creative collaboration might advance computer security include:
• Safety: Concern about the safety-related aspects of computer processing is growing both in the United States and internationally. Great Britain has already formulated a policy that requires the use of stringent assurance techniques in the development of computer systems that affect the safety of humans (U.K. Ministry of Defence, 1989a,b). Unfortunately, safety and related issues pertaining to computer systems—unlike security—have no constituency in the United States.
• Fault-tolerant computing: Over the years a great deal of research has been directed at the problem of fault-tolerant computing. Most of this work has addressed problems related to availability and integrity; little attention has been directed to the problems of malicious surreptitious attacks. An attempt should also be made to extend this work to other aspects of security.

• Code analysis: Researchers working on optimizing and parallelizing compilers have extensive experience in analyzing both source and object code for a variety of properties. Some of their techniques have been used for covert channel analysis (Haigh et al., 1987; Young and McHugh, 1987). An attempt should be made to use similar techniques to analyze code for other properties related to security.

• Security interfaces: People experienced at writing careful specifications of interfaces and verifying high-level properties from these specifications should be encouraged to specify standardized interfaces to security services and to apply their techniques to the specification and analysis of high-level security properties.

• Theoretical research: Theoretical work needs to be properly integrated in actual systems. Often both theoreticians and system practitioners misunderstand the system aspects of security or the theoretical limitations of secure algorithms. Practitioners and theoreticians should be encouraged to work together.
Promoting Needed Collaboration

Both DARPA and NSF have a tradition of working with the broad science community and should initiate programs to facilitate collaboration. Some suggestions for specific actions are the following:

• Start a program aimed specifically at bringing together people with different backgrounds and skills, for example, by providing grants to support visiting researchers for a period of one to two years.

• Show a willingness to support research in computer security by people with complementary expertise (in accounting or distributed systems, for example), although they may have no track record in the security area.

• Run a series of one- or two-week-long workshops for graduate students who are interested in doing research on problems related to computer security. Prior experience in security should be secondary
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
RESEARCH TOPICS AND FUNDING 214
to interest and evidence of accomplishment in related fields. Workshops should, where possible, include laboratory experience with security products and assurance technology.
Traditionally, computer security research has been performed in computer science and engineering departments. However, another research approach that seems relevant is the methodology of the business school. Although business schools have in the past shown little interest in security research, obvious study topics include:
• Value of security: A current research topic in business schools is assessing information technology's actual value to an organization. As a part of these studies, it might be possible to develop models for the value of the security aspects of information technology from a business perspective, for example, drawing on the value of a corporate information base to be protected.
• Privacy in information systems: The use of a computer system in the corporate environment will be influenced by the degree to which the users perceive the information in the system as public or private. The sociological aspects of privacy may have a strong impact on the effective use of information technology. A valuable contribution would be case studies leading to a working model that relates perceived protection of privacy to an application's effectiveness. Those involved in the emerging field of computer-supported cooperative work (also known as collaboration technology or groupware) should be made aware of (1) the need for security mechanisms when information is shared and (2) the influence of requirements for privacy on the processes being automated or coordinated. In general, any study of information flow in an organization should also note and assess the security and privacy aspects of that information flow.
NOTES
1. The Office of Naval Research, however, has an ongoing internal program (at the Naval Research Laboratory) in applied security research that includes such projects as methodologies for secure system developers and tools for secure software development. The lack of appropriately trained individuals has been cited by ONR as a major impediment to expanding its research efforts. The Department of Energy has responded to the recent spate of computer security breaches with an effort centered at its Lawrence Livermore National Laboratory to develop tools, techniques, and guidelines for securing computer systems. Areas currently under investigation include viruses, intrusion detection systems, and security maintenance software tools. The DOE also created a Computer Incident Advisory Capability (CIAC) similar to DARPA's Internet CERT, but specifically to support DOE. Further effort is being expended on developing guidelines for system security testing, incident handling, and other topics. DOE is also supporting efforts to develop a university-based research capability.
2. A limited computer security budget has hampered even internal NIST efforts to date, although several programs are under development that would pool funds from private industry or other federal agencies to address mutual security concerns (see Chapter 7 for a more complete discussion of NIST activities).
3. Consider, for example, the following indicators of low academic participation in the field of computer security. At the January 1989 NIST integrity workshop, of the 66 listed attendees, only 6 were from U.S. academic institutions. At the 1988 Institute of Electrical and Electronics Engineers Symposium on Security and Privacy, a more general security conference with considerable attention to DOD interests, fewer than 6 percent of an approximate total of 316 attendees were academic. In contrast, at a broad conference on computer systems, the 1989 Association for Computing Machinery Symposium on Operating System Principles, approximately 36 percent of the attendees were from U.S. academic institutions.
4. Examples include provably correct systems (ProCoS), a result of basic research oriented toward language design, compiler systems, and so on, appropriate for safety-critical systems; Software Certification On Programs in Europe (SCOPE), which will define, experiment with, and validate an economic European software certification procedure applicable to all types of software and acceptable and legally recognized throughout Europe; and Demonstration of Advanced Reliability Techniques for Safety-related computer systems (DARTS), whose aim is to facilitate the selection of reliable systems for safety-critical applications (European Commission, 1989a, pp. 27 and 55; 1989b).
Bibliography
Adams, E. 1984. "Optimizing preventative service of software products," IBM Journal of R&D, Vol. 28, No. 1.
Adrion, W. R. 1989. Testing Techniques for Concurrent and Real-time Systems, University of Massachusetts, Amherst.
Agranoff, Michael H. 1989. "Curb on technology: Liability for failure to protect computerized data against unauthorized access," Computer and High Technology Law Journal, Vol. 5, pp. 265–320.
Akerlof, George A. 1970. "The market for 'lemons': Quality uncertainty and the market mechanism," Quarterly Journal of Economics, Vol. 84, pp. 488–500.
Alexander, Michael. 1989a. "Computer crime fight stymied," Federal Computer Week, October 23, pp. 43–45.
Alexander, Michael. 1989b. "Business foots hackers' bill," Computerworld, December 11.
Alexander, Michael. 1989c. "Trojan horse sneaks in with AIDS program," Computerworld, December 18, p. 4.
Alexander, Michael. 1990a. "Biometric system use widening—security devices measure physical-based traits to restrict access to sensitive areas," Computerworld, January 8, p. 16.
Alexander, Michael. 1990b. "High-tech boom opens security gaps," Computerworld, April 2, pp. 1, 119.
Allen, Michael. 1990. "Identity crisis: To repair bad credit, advisers give clients someone else's data," Wall Street Journal, August 14, p. A1.
Allen-Tonar, Larry. 1989. "Networked computers attract security problems abuse," Networking Management, December, p. 48.
American Bar Association. 1984. Report on Computer Crime, Task Force on Computer Crime, Section on Criminal Justice, Chicago, Ill., June.
American Institute of Certified Public Accountants (AICPA). 1984. Report on the Study of EDP-Related Fraud in the Banking and Insurance Industries, EDP Fraud Review Task Force, AICPA, New York.
Anderson, J. P. 1972. Computer Security Technology Planning Study, ESD-TR-73-51, Vol. I, AD-758 206, ESD/AFSC, Hanscom AFB, Bedford, Mass., October.
Anderson, J. P. 1980. Computer Security Threat Monitoring and Surveillance, James P. Anderson Co., Fort Washington, Pa., April.
Anthes, Gary H. 1989a. "ACC tunes in to illicit hacking activity—firm ferrets out threats," Federal Computer Week, September 18, pp. 1, 53.
Anthes, Gary H. 1989b. "U.S. software experts track British standards," Federal Computer Week, September 18, pp. 3, 8.
Anthes, Gary H. 1989c. "DARPA response team spawns private spinoffs," Federal Computer Week, December 11.
Anthes, Gary H. 1989d. "Vendors skirt NCSC evaluations: Security system testing faulted for length and cost in process," Federal Computer Week, December 11, p. 4.
Anthes, Gary H. 1990a. "NIST combats confusion on encryption standard," Federal Computer Week, January 29, p. 7.
Anthes, Gary H. 1990b. "Oracle, AF to build secure data base system: Project will build operational relational DBMS to meet A1 trust," Federal Computer Week, March 12.
Armed Forces Communications and Electronics Association (AFCEA). 1989. Information Security Study, Fairfax, Va., April.
Bailey, David. 1984. "Attacks on computers: Congressional hearings and pending legislation," Proceedings of the 1984 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 29–May 2, pp. 180–186.
Baldwin, Robert W. 1988. Rule Based Analysis of Computer Security, Technical Report 401, Massachusetts Institute of Technology, Laboratory for Computer Science, Cambridge, Mass., March.
Beatson, Jim. 1989. "Is America ready to 'fly by wire'?" Washington Post, April 2, p. C3.
Becker, L. G. 1987. An Assessment of Resource Centers and Future Requirements for Information Security Technology, prepared for the National Security Agency, Fort Meade, Md., September.
Bell, D. Elliott. 1983. "Secure computer systems: A retrospective," Proceedings of the 1983 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 25–27, pp. 161–162.
Bell, D. Elliott. 1988. "Concerning modeling of computer security," Proceedings of the 1988 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 18–21, pp. 8–13.
Bell, D. Elliott and L. J. La Padula. 1976. Secure Computer System: Unified Exposition and Multics Interpretation, ESD-TR-75-306, MITRE Corp., Bedford, Mass., March.
Beresford, Dennis R., et al. 1988. "What is the FASB's role, and how well is it performing?" Financial Executive, September/October, pp. 20–26.
Berman, Jerry and Janlori Goldman. 1989. A Federal Right of Information Privacy: The Need for Reform, American Civil Liberties Union/Computer Professionals for Social Responsibility, Washington, D.C.
Berton, Lee. 1989. "Audit firms are hit by more investor suits for not finding fraud," The Wall Street Journal, January 24, pp. A1, A12.
Betts, Mitch. 1989. "Senate takes tentative look at virus legislation," Computerworld, May 22.
Biba, K. J. 1975. Integrity Considerations for Secure Computer Systems, Report MTR 3153, MITRE Corp., Bedford, Mass., June.
Birrell, Andrew D., B. W. Lampson, R. M. Needham, and M. D. Schroeder. 1986. "A global authentication service without global trust," Proceedings of the 1986 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 7–9, pp. 223–230.
BloomBecker, Jay, Esq. (Ed.). 1988. Introduction to Computer Crime, 2nd ed., National Center for Computer Crime Data, Los Angeles, Calif.
Bloomfield, R. E. 1990. SafeIT: The Safety of Programmable Electronic Systems, a government consultation document on activities to promote the safety of computer controlled
systems, Volume 1: Overall Approach and Volume 2: A Framework for Safety Standards, ICSE Secretariat, Department of Trade and Industry, London, United Kingdom, June.
Boebert, E. 1985. "A practical alternative to hierarchical integrity policies," Proceedings of the 8th National Computer Security Conference, September 30, NIST, Gaithersburg, Md.
Boebert, W. E., R. Y. Kain, W. D. Young, and S. A. Hansohn. 1985. "Secure Ada target: Issues, system design, and verification," Proceedings of the 1985 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 22–24, pp. 176–183.
Boss, A. H. and W. J. Woodward. 1988. "Scope of the uniform commercial code; survey of computer contracting cases," The Business Lawyer 43, August, pp. 1513–1554.
Bozman, Jean S. 1989. "Runaway program gores Sabre," Computerworld, May 22.
Brand, Russell L. 1989. Coping with the Threat of Computer Security Incidents: A Primer from Prevention through Recovery, July. Available from the Defense Advanced Research Projects Agency, Arlington, Va., or at the following address: 1862 Euclid, Department 136, Berkeley, CA 94709.
Branstad, D. 1973. "Security aspects of computer networks," Proceedings of the AIAA Computer Network Systems Conference, Paper 73–427, Huntsville, Ala., April, American Institute of Aeronautics and Astronautics (AIAA), Washington, D.C.
Branstad, Dennis K. and Miles E. Smid. 1982. "Integrity and security standard based on cryptography," Computers & Security, Vol. 1, pp. 225–260.
Brewer, D. F. C. 1985. Software Integrity: (Verification, Validation, and Certification), Admiral Computing Limited, Camberley, Surrey, England, January, pp. 111–124.
Brown, Bob. 1989a. "Security risks boost encryption outlays," Network World, January 9, pp. 11–12.
Brown, Bob. 1989b. "CO fire, virus attack raise awareness, not preparation," Network World, July 3, p. 1.
Browne, Malcolm W. 1988. "Most ferocious math problem is tamed," New York Times, October 12, p. A1.
Buckley, T. F. and J. W. Wise. 1989. "Tutorial: A guide to the VIPER microprocessor," Proceedings: COMPASS '89 (Computer Assurance), IEEE Computer Society, New York, June 23.
Burgess, John. 1989. "Computer virus sparks a user scare," Washington Post, September 17, p. H3.
Burgess, John. 1990. "Hacker's case may shape computer security law," Washington Post, January 9, p. A4.
Burrows, M., M. Abadi, and R. Needham. 1989. A Logic of Authentication, Digital Systems Research Center, Palo Alto, Calif., February.
Business Week. 1988. "Is your computer secure?" (cover story), August 1, pp. 64–72.
California, State of. 1985. Informational Hearing: Computers and Warranty Protection for Consumers, Sacramento, Calif., October.
Canadian Government, System Security Centre, Communications Security Establishment. 1989. Canadian Trusted Computer Product Evaluation Criteria, Version 1.0, draft, Ottawa, Canada, May.
Carnevale, Mary Lu and Julie Amparano Lopez. 1989. "Making a phone call might mean telling the world about you," Wall Street Journal, November 28, pp. A1, A8.
Casatelli, Christine. 1989a. "Smart signatures at FED," Federal Computer Week, May 22.
Casatelli, Christine. 1989b. "Disaster recovery," Federal Computer Week, December 11, pp. 28–29, 33.
Casey, Peter. 1980. "Proposals to curb computer misuse," JFIT News, No. 8, November, p. 2.
Chalmers, Leslie S. 1986. "An analysis of the differences between the computer security practices in the military and private sectors," Proceedings of the 1986 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 7–9, pp. 71–74.
Chandler, James P. 1977. "Computer transactions: Potential liability of computer users and vendors," Washington University Law Quarterly, Vol. 1977, No. 3, pp. 405–443.
Chaum, David (Ed.). 1983. Advances in Cryptology: Proceedings of Crypto 83, Plenum, New York.
Chor, Ben-Zion. 1986. Two Issues in Public-Key Cryptography: RSA Bit Security and a New Knapsack Type System, MIT Press, Cambridge, Mass.
Christian Science Monitor. 1989. "Computer and spy: Worrisome mix," March 7, p. 4.
Chronicle of Higher Education. 1988a. "'Virus' destroys campus computer data," February 3.
Chronicle of Higher Education. 1988b. "Worries over computer 'viruses' lead campuses to issue guidelines," March 2.
Clark, D. D. and D. R. Wilson. 1987. "A comparison of commercial and military computer security policies," Proceedings of the 1987 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 27–29, pp. 184–194.
Cohen, Fred. 1984. "Computer viruses: Theory and experiments," Seventh DOD/NBS Conference on Computer Security, Gaithersburg, Md.
Cole, Patrick and Jonathan B. Levine. 1989. "Are ATMs easy targets for crooks?" Business Week, March 6, p. 30.
Comer, Douglas. 1988. Internetworking with TCP/IP: Principles, Protocols, and Architectures, Prentice-Hall, Englewood Cliffs, N.J.
Communications Week. 1990a. "Hack it through packet," April 16, p. 10.
Communications Week. 1990b. "What's in the mail?" editorial, July 16, p. 20.
Computer and Business Equipment Manufacturers Association (CBEMA). 1989a. Statement to U.S. Congress (101st), Senate, Subcommittee on Technology and the Law, Hearing on Computer Viruses, May 19.
Computer and Business Equipment Manufacturers Association (CBEMA). 1989b. Statement to U.S. Congress (101st), House of Representatives, Committee on the Judiciary, Subcommittee on Criminal Justice, Hearing on Computer Virus Legislation, November 8.
Computer Crime Law Reporter. 1989. "Computer crime statutes at the state level," August 21 update based on the "State-Net" database and compiled and distributed by the National Center for Computer Crime Data, 2700 N. Cahuenga Blvd., Los Angeles, CA 90068.
Computer Fraud & Security Bulletin. 1989–1990. Elsevier Science Publishing Co., Oxford, United Kingdom.
Computer Law Associates Annual Meeting. 1978. Unpublished proceedings: Brooks, Daniel J., "Natures of liabilities of software program suppliers"; DeRensis, Paul R., "Impact of computer systems on the liabilities of various types of professionals"; Hutcheon, Peter D., "Computer system as means for avoidance of liability"; Jenkins, Martha M., "Effects of computer-system records on liabilities of suppliers, users, and others"; Freed, Roy N., "How to handle exposures to, and impacts of, liability arising from computer use." Washington, D.C., Computer Law Association, Fairfax, Va., March 6.
Computer Security Journal. 1986–1988. Computer Security Institute, 500 Howard Street, San Francisco, CA 94105.
Computers & Security. 1988. "Special supplement: Computer viruses," Vol. 7, No. 2, Elsevier Advanced Technology Publications, Oxford, United Kingdom, April.
Computers & Security. 1988–1990. Elsevier Advanced Technology Publications, Oxford, United
K<strong>in</strong>gdom.<br />
Computerworld. 1988a. "OSI security system revealed," October 5, pp. 53, 58.<br />
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
BIBLIOGRAPHY 220
Computerworld. 1988b. "Virus ravages thousands of systems," November 7, pp. 1, 157.
Conly, Catherine H. 1989. Organizing for Computer Crime Investigation and Prosecution, U.S. Department of Justice, National Institute of Justice, Washington, D.C., July.
Consultative Committee on International Telephony and Telegraphy (CCITT). 1989a. Data Communication Networks Message Handling Systems, Vol. VIII, Fascicle VIII.7, Recommendations X.400-X.420, CCITT, Geneva, p. 272.
Consultative Committee on International Telephony and Telegraphy (CCITT). 1989b. Data Communications Networks Directory, Vol. VIII, Fascicle VIII.8, Recommendations X.500-X.521, CCITT, Geneva.
Cook, William J. 1989. "Access to the access codes '88–'89: A prosecutor's perspective," Proceedings of the 12th National Computer Security Conference, National Institute of Standards and Technology/National Computer Security Center, Baltimore, Md., October 10–13.
Cooper, James Arlin. 1989. Computer & Communications Security: Strategies for the 1990s, McGraw-Hill Communications Series, McGraw-Hill, New York.
Cornell University. 1989. The Computer Worm. A Report to the Provost from the Commission of Preliminary Enquiry, Ithaca, N.Y., February 6.
Cowan, Alison Leigh. 1990. "The $290,000 job nobody wants," New York Times, October 11, D1, D9.
Craigen, D. and K. Summerskill (Eds.). 1990. Formal Methods for Trustworthy Computer Systems (FM '89), a Workshop on the Assessment of Formal Methods for Trustworthy Computer Systems, Springer-Verlag, New York.
Crawford, Diane. 1989. "Two bills equal forewarning," Communications of the ACM, Vol. 32, No. 7, July.
Crenshaw, Albert B. 1990. "Senate panel approves liability bill," Washington Post, May 23.
Cullyer, W. 1989. "Implementing high integrity systems: The Viper microprocessor," IEEE AES Magazine, May 13.
Curry, David A. 1990. Improving the Security of Your UNIX System, ITSTD-721-FR-90-21, Information and Telecommunications Sciences and Technology Division, SRI International, Menlo Park, Calif., April.
Cutler, Ken and Fred Jones. 1990. "Commercial international security requirements," unpublished draft paper, American Express Travel Related Services Company, Inc., Phoenix, Ariz., August 3.
Danca, Richard A. 1989. "LAN group helps managers handle security risks," Federal Computer Week, July 10.
Danca, Richard A. 1990a. "Sybase unveils multilevel secure DBMS," Network World, February 19, pp. 1, 37.
Danca, Richard A. 1990b. "NCSC decimated, security role weakened," Federal Computer Week, July 16, pp. 1, 6.
Danca, Richard A. 1990c. "Bush revises NSDD 145," Federal Computer Week, July 16, pp. 6, 41.
Danca, Richard A. 1990d. "NCSC affirms shakeup in its structure," Federal Computer Week, August 27, pp. 1, 4.
Danca, Richard A. 1990e. "NIST may issue civilian computer security guide: Proposed document could become federal information processing standard," Federal Computer Week, September 17, p. 60.
Danca, Richard A. 1990f. "NIST, industry team up for anti-virus consortium," Federal Computer Week, October 8, p. 2.
Danca, Richard A. 1990g. "Torricelli charges NIST with foot-dragging on security," Federal Computer Week, October 8, p. 9.
Datamation. 1987. "Disaster recovery: Who's worried?" February 1, pp. 60–64.
Datapro Research. 1989a. "All about data encryption devices," Datapro Reports: Information Security, Report no. IS37-001, McGraw-Hill, Delran, N.J., pp. 101–109.
Datapro Research. 1989b. "All about microcomputer encryption and access control," Datapro Reports: Information Security, Report no. IS31-001, McGraw-Hill, Delran, N.J., pp. 101–108.
Datapro Research. 1989c. Security Issues of 1988: A Retrospective, McGraw-Hill, Delran, N.J., March.
Datapro Research. 1990a. "Host access control software: Market overview," Datapro Reports: Information Security, Report no. IS52-001, McGraw-Hill, Delran, N.J., pp. 101–104.
Datapro Research. 1990b. "Bull security capabilities of Multics," Datapro Reports: Information Security, Report no. IS56-115, McGraw-Hill, Delran, N.J., pp. 101–106.
Daunt, Robert T. 1985. "Warranties and mass distributed software," Computers and High-Technology Law Journal, Vol. 1, pp. 255–307.
Davies, D. and W. Price. 1984. Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfers, Wiley, New York.
Davis, Bob. 1988. "A supersecret agency finds selling secrecy to others isn't easy," Wall Street Journal, March 28, p. A1.
Davis, Bob. 1989. "NASA discloses computer virus infected network," Wall Street Journal, October 18, p. B4.
Davis, G. Gervaise, III. 1985. Software Protection: Practical and Legal Steps to Protect and Market Computer Programs, Van Nostrand Reinhold, New York.
Davis, Otto A. and Morton I. Kamien. 1969. "Externalities, information, and alternative collective action," The Analysis and Evaluation of Public Expenditures: The PPB System, compendium of papers submitted to the Subcommittee on Economy in Government of the Joint Economic Committee of the U.S. Congress, Washington, D.C., U.S. GPO, pp. 67–86.
Davis, Ruth M. 1989. "CALS Data Protection—Computer-aided Acquisition and Logistic Support, Data Protection and Security Policy Statement," The Pymatuning Group, Arlington, Va., January.
Defense Communications Agency (DCA). 1989. "DDN Security Coordination Center operational," Defense Data Network Security Bulletin, DDN Security Coordination Center, DCA DDN Defense Communications System, September 22.
Denning, D. E. 1987. "An intrusion-detection model," Proceedings of the 1986 Symposium on Security and Privacy, National Bureau of Standards, Gaithersburg, Md., September.
Denning, D. E., T. F. Lunt, R. R. Schell, W. R. Shockley, and M. Heckman. 1988. "The SeaView security model," Proceedings of the 1988 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 18–21, pp. 218–233.
Denning, Dorothy. 1976. "A lattice model of secure information flow," Communications of the ACM, Vol. 19.
Denning, Dorothy E., Peter G. Neumann, and Donn B. Parker. 1987. "Social aspects of computer security," Proceedings of the 10th National Computer Security Conference, National Bureau of Standards/National Computer Security Center, Baltimore, Md., September 21–24, pp. 320–325.
Dewdney, A. K. 1989. "Of worms, viruses, and core war," Scientific American, March, pp. 110–113.
Dickman, Steven. 1989. "Hackers revealed as spies," Nature, March 9, p. 108.
DiDio, Laura. 1989. "Rash of viruses puts spotlight on security," Network World, October 30, p. 19.
DiDio, Laura. 1990. "Virus threat obscured by slow growth in early stages," Network World, April 23, p. 23.
Diffie, W. and M. Hellman. 1976. "New directions in cryptography," IEEE Transactions on Information Theory, IT-22, November 16, pp. 644–654.
Dillon, Laura K. 1989. Research on Validation of Concurrent and Real-time Software Systems, University of California, Santa Barbara.
Dobson, J. E. and B. Randell. 1986. "Building reliable secure computing systems out of unreliable insecure components," Proceedings of the 1986 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 7–9, pp. 187–193.
Early, Peter. 1988. Family of Spies: Inside the John Walker Spy Ring, Bantam Books, New York.
Eason, Tom S., Susan Higley Russell, and Brian Ruder. 1977. Systems Auditability and Control Study: Data Processing Control Practices Report, Vol. 1 of 3 volumes, Institute of Internal Auditors, Altamonte Springs, Fla.
Economist. 1988. "Keeping out the Kaos Club," Science and Technology Section, July 9, pp. 77–78.
Electronic Industries Association (EIA). 1987. Proceedings: Communications & Computer Security (COMSEC & COMPUSEC): Requirements, Opportunities and Issues, EIA, Washington, D.C., January 14.
Emergency Care Research Institute (ECRI). 1985. "Unauthorized use of computers: An often-neglected security problem," Issues in Health Care Technology, ECRI, Plymouth Meeting, Pa., July, pp. 1–6.
Emergency Care Research Institute (ECRI). 1988a. "Legal implications of computerized patient care," Health Technology, Vol. 2, No. 3, May/June, pp. 86–95, ECRI, Plymouth Meeting, Pa.
Emergency Care Research Institute (ECRI). 1988b. An Election Administrator's Guide to Computerized Voting Systems, Vol. 1 and 2, ECRI, Plymouth Meeting, Pa.
Ernst & Young. 1989. Computer Security Survey: A Report, Cleveland, Ohio.
Estrin, D. and G. Tsudik. 1987. "VISA scheme for inter-organization network security," Proceedings of the 1987 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 27–29, pp. 174–183.
European Commission. 1989a. Basis for a Portable Common Tool Environment (PCTE), Esprit Project Number 32, Esprit, The Project Synopses, Information Processing Systems, Vol. 3 of a series of 8, September.
European Commission. 1989b. Basis for a Portable Common Tool Environment (PCTE), Esprit Project Number 32, Basic Research Actions and Working Groups, Vol. 8 of a series of 8, September.
European Computer Manufacturers Association (ECMA). 1989. Standard ECMA-XXX Security in Open Systems: Data Elements and Service Definitions, ECMA, Geneva.
Falk, David. 1975. "Building codes in a nutshell," Real Estate Review, Vol. 5, No. 3, Fall, pp. 82–91.
Federal Computer Week. 1988. "Analysis, task forces work to keep Internet safe," November 14, pp. 1, 49.
Federal Computer Week. 1989. "Selling viruses," November 27, p. 25.
Federal Republic of Germany, Ministry of Interior. 1990. Information Technology Security Evaluation Criteria (ITSEC), the harmonized criteria of France, Germany, the Netherlands, and the United Kingdom, draft version 1, May 2, Bonn, Federal Republic of Germany.
Federal Trade Commission (FTC). 1983. Standards and Certification, final staff report, Bureau of Consumer Protection, Washington, D.C., April.
Fetzer, James H. 1988. "Program verification: The very idea," Communications of the ACM, Vol. 31, No. 9, September, pp. 1048–1063.
Financial Accounting Foundation (FAF) (n.d.). "Establishing standards for financial reporting," FASB, Norwalk, Conn. [undated pamphlet]
Financial Accounting Foundation (FAF). 1990. Financial Accounting Foundation Annual Report 1989, FAF, Norwalk, Conn.
Financial Accounting Standards Board (FASB). 1990. "Facts about FASB," FASB, Norwalk, Conn.
Fitzgerald, Karen. 1989. "The quest for intruder-proof computer systems," IEEE Spectrum, August, pp. 22–26.
Flaherty, David. 1990. Protecting Privacy in Surveillance Societies, The University of North Carolina Press, Chapel Hill.
Florida State Legislature. 1984. Overview of Computer Security, a report of the Joint Committee on Information Technology Resources, Jacksonville, Fla., January.
Forcht, Karen A. 1985. "Computer security: The growing need for concern," The Journal of Computer Information Systems, Fall.
Francett, Barbara. 1989. "Can you loosen the bolts without disarming the locks?" (Executive Report: Security in Open Times), ComputerWorld, October 23.
Frenkel, Karen A. 1990. "The politics of standards and the EC," Communications of the ACM, Vol. 33, No. 7, pp. 41–51.
Galen, Michele and Jeffrey Rothfeder. 1989. "Is nothing private?" Business Week, September 4, pp. 74–77, 80–82.
Gasser, Morrie. 1988. Building a Secure Computer System, Van Nostrand Reinhold, New York.
Gasser, Morrie, A. Goldstein, C. Kaufman, and B. Lampson. 1989. "The Digital distributed system security architecture," Proceedings of the 12th National Computer Security Conference, National Institute of Standards and Technology/National Computer Security Center, Baltimore, Md., October 10–13, pp. 305–319.
Gemignani, Michael C. 1982. "Product liability and software," Rutgers Journal of Computers, Technology and Law, Vol. 8, p. 173.
General Accounting Office. 1980. Increasing Use of Data Telecommunications Calls for Stronger Protection and Improved Economies, Washington, D.C.
General Accounting Office (GAO). 1987. Space Operations: NASA's Use of Information Technology, GAO/IMTEC-87-20, Washington, D.C., April.
General Accounting Office (GAO). 1988a. Information Systems: Agencies Overlook Security Controls During Development, GAO/IMTEC-88-11, Washington, D.C., May.
General Accounting Office (GAO). 1988b. Information Systems: Agencies Overlook Security Controls During Development, GAO/IMTEC-88-11S, Washington, D.C., May.
General Accounting Office (GAO). 1988c. Satellite Data Archiving: U.S. and Foreign Activities and Plans for Environmental Information, GAO/RCED-88-201, Washington, D.C., September.
General Accounting Office (GAO). 1989a. Federal ADP Personnel: Recruitment and Retention, GAO/IMTEC-89-12BR, Washington, D.C., February.
General Accounting Office (GAO). 1989b. Electronic Funds: Information on Three Critical Banking Systems, Washington, D.C., February.
General Accounting Office (GAO). 1989c. Computer Security: Compliance With Training Requirements of the Computer Security Act of 1987, GAO/IMTEC-89-16BR, Washington, D.C., February.
General Accounting Office (GAO). 1989d. Computer Security: Virus Highlights Need for Improved Internet Management, GAO/IMTEC-89-57, Washington, D.C., June.
General Accounting Office (GAO). 1989e. Computer Security: Unauthorized Access to a NASA Scientific Network, GAO/IMTEC-90-2, Washington, D.C., November.
General Accounting Office (GAO). 1990a. Electronic Funds Transfer: Oversight of Critical Banking Systems Should Be Strengthened, Washington, D.C., January.
General Accounting Office (GAO). 1990b. Financial Markets: Tighter Computer Security Needed, GAO/IMTEC-90-15, Washington, D.C., January.
General Accounting Office (GAO). 1990c. Computer Security: Government Planning Process Had Limited Impact, GAO/IMTEC-90-48, Washington, D.C., May.
General Accounting Office (GAO). 1990d. Justice Automation: Tighter Computer Security Needed, GAO/IMTEC-90-69, Washington, D.C., July.
General Accounting Office (GAO). 1990e. Computers and Privacy: How the Government Obtains, Verifies, Uses, and Protects Personal Data, GAO/IMTEC-90-70BR, Washington, D.C., August.
General Services Administration (GSA). 1988. Information Technology Installation Security, Office of Technical Assistance, Federal Systems Integration and Management Center, Falls Church, Va., December.
German Information Security Agency (GISA). 1989. IT Security Criteria: Criteria for the Evaluation of Trustworthiness of Information Technology (IT) Systems, 1st version, Koln, Federal Republic of Germany.
Gilbert, Dennis M. and Bruce K. Rosen. 1989. Computer Security Issues in the Application of New and Emerging Information Technologies, a white paper, National Institute of Standards and Technology, Gaithersburg, Md., March.
Godes, James N. 1987. "Developing a new set of liability rules for a new generation of technology: Assessing liability for computer-related injuries in the health care field," Computer Law Journal, Vol. VII, pp. 517–534.
Government Computer News. 1986. "DP courses don't include ethics study," July 4.
Government Computer News. 1988. "GCN spotlight: Security," April 29, pp. 35–54.
Gray, J. 1987. "Why do computers stop and what can we do about it?" 6th International Conference on Reliability and Distributed Databases, IEEE Computer Society, Engineering Societies Library, New York.
Green, Virginia D. 1989a. "Overview of federal statutes pertaining to computer-related crime," (memorandum), Reed, Smith, Shaw, and McClay, Washington, D.C., July 7.
Green, Virginia D. 1989b. "State computer crime statutes and the use of traditional doctrines to prosecute the computer criminal," (memorandum), Reed, Smith, Shaw, and McClay, Washington, D.C., July 7.
Greenberg, Ross M. 1988. "A form of protection for you and your computer," 2600 Magazine, Summer.
Greenhouse, Steven. 1990. "India crash revives French dispute over safety of Airbus jet," New York Times, February 24.
Gregg, Robert E. and Thomas R. Folk. 1986. "Liability for substantive errors in computer software," Computer Law Reporter (Washington D.C.), Vol. 5, No. 1, July, pp. 18–26.
Grimm, Vanessa Jo. 1989. "Hill halves NIST budget for security," Government Computer News, Vol. 8, No. 22, October 30.
Gruman, Galen. 1989a. "Software safety focus of new British standard," IEEE Software, May.
Gruman, Galen. 1989b. "Major changes in federal software policy urged," IEEE Software, November, pp. 78–80.
Haigh, J., R. A. Kemmerer, J. McHugh, and B. Young. 1987. "An experience using two covert channel analysis techniques on a real system design," IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, February.
Hamlet, Richard. 1988. "Special section on software testing," Communications of the ACM, Vol. 31, No. 6, June.
Hanna, Keith, Neil Daeche, and Mark Longley. 1989. VERITAS+: A Specification Language Based on Type Theory, Technical Report, Faculty of Information Technology, University of Kent, Canterbury, United Kingdom, May.
Harrison, Warren. 1988. "Using software metrics to allocate testing resources," Journal of Management Systems, Vol. 4, Spring.
Helfant, Robert and Glenn J. McLoughlin. 1988. Computer Viruses: Technical Overview and Policy Considerations, Science Policy Research Division, Congressional Research Service, Washington, D.C., August 15.
Hellman, M. 1979. "The mathematics of public-key cryptography," Scientific American, 241(2):146–157.
Henderson, Nell. 1989. "Programming flaw, keyboard cited in airline delays twice in 2 weeks," Washington Post, November 18, p. B4.
Higgins, John C. 1989. "Information security as a topic in undergraduate education of computer scientists," Proceedings of the 12th National Computer Security Conference, National Institute of Standards and Technology/National Computer Security Center, Baltimore, Md., October 10–13.
Hilts, Philip J. 1988. "Computers face epidemic of 'information diseases,'" Washington Post, May 8, p. A3.
Hoffman, Lance J. 1988. Making Every Vote Count: Security and Reliability of Computerized Votecounting Systems, George Washington University, School of Engineering and Applied Science, Department of Electrical Engineering and Computer Science, Washington, D.C., March.
Hollinger, Richard C. and Lonn Lanza-Kaduce. 1988. "The process of criminalization: The case of computer crime laws," Criminology, Vol. 26, No. 1.
Holmes, James P., R. L. Maxwell, and L. J. Wright. 1990. A Performance Evaluation of Biometric Identification Devices, Sandia National Laboratories, Albuquerque, N. Mex., July.
Honeywell, Secure Computing Technology Center. 1985–1988. LOCK: Selected Papers, Honeywell, St. Anthony, Minn.
Horning, James J., P. G. Neumann, D. D. Redell, J. Goldman, and D. R. Gordon. 1989. A Review of NCIC 2000: The Proposed Design for the National Crime Information Center, American Civil Liberties Union, Project on Privacy and Technology, Washington, D.C., February.
Horovitz, Bonna Lynn. 1985. "Computer software as a good under the uniform commercial code: Taking a byte out of the intangibility myth," Boston University Law Review, Vol. 65, pp. 129–164.
Houston, M. Frank. 1987. "What do the simple folks do? Software safety in the cottage industry," Food and Drug Administration, Center for Devices and Radiological Health, Rockville, Md., pp. S/20–S/24.
Houston, M. Frank. 1989. Designing Safer, More Reliable Software Systems, Food and Drug Administration, Center for Devices and Radiological Health, Rockville, Md.
Howden, William E. 1987. Functional Program Testing and Analysis, McGraw Hill, New York.
Independent European Programme Group (IEPG), Technical Area 13 (TA-13). 1989. "Introducing PCTE+," (April); and "Rationale for the changes between the PCTE+ specifications issue 3 dated 28 October 1988 and the PCTE specifications version 1.5 dated 15 November 1988," (January 6), IEPG, Eurogroup of NATO, Brussels.
Information Systems Security Association. 1988–1990. ISSA Access, Newport Beach, Calif.
Info World. 1988. "What were simple viruses may fast become a plague," Tech Talk, May 2.
Institute for Defense Analyses (IDA). 1987. IDA memorandum reports: Introduction to Information Protection (M-379), Operating Systems Security (M-380), Network Security (M-381), Database System Security (M-382), Formal Specification and Verification (M-383), and Risk Analysis (M-384), IDA, Alexandria, Va., October.
Institute of Electrical and Electronics Engineers (IEEE). 1984. IEEE Guide to Software Requirements Specifications, ANSI/IEEE Std. 830-1984, IEEE, New York.
Institute of Electrical and Electronics Engineers (IEEE). 1988. Proceedings: COMPASS '88 (Computer Assurance), June 27–July 1, IEEE, New York.
Institute of Electrical and Electronics Engineers (IEEE). 1988–1990. Proceedings of the Computer Security Foundations Workshop, Franconia, N.H., IEEE, New York.
Institute of Electrical and Electronics Engineers (IEEE). 1989a. Proceedings: COMPASS '89 (Computer Assurance), June, IEEE, New York.
Institute of Electrical and Electronics Engineers (IEEE). 1989b. Cipher, Newsletter of the Technical Committee on Security & Privacy, IEEE Computer Society, Washington, D.C.
Institute of Electrical and Electronics Engineers (IEEE). 1990a. Cipher, Newsletter of the Technical Committee on Security & Privacy, Special Issue, "Minutes of the First Workshop on Covert Channels Analysis," IEEE Computer Society, Washington, D.C.
Institute of Electrical and Electronics Engineers (IEEE). 1990b. IEEE Software (issue on formal methods in software engineering), September.
Institute of Electrical and Electronics Engineers (IEEE). 1990c. IEEE Transactions on Software Engineering (issue on formal methods in software engineering), September.
International Standards Organization (ISO). 1989. "Security Architecture," Part 2 of 4, Information Processing Systems Open System Interconnection Basic Reference Model, ISO-7498-2, available from the American National Standards Institute, New York.
Jackson, Kelly. 1989a. "Plans grounded by FAA computer glitches," Federal Computer Week, November 20, p. 20.
Jackson, Kelly. 1989b. "Congress pushes computer crime law," Federal Computer Week, November 20, p. 23.
Jacobs, Jane. 1972. The Death and Life of Great American Cities, Penguin, Harmondsworth, United Kingdom.
Jaffe, Matthew S. and Nancy G. Leveson. 1989. Completeness, Robustness, and Safety in Real-Time Software Requirements Specification, Technical Report 89-01, Information and Computer Science, University of California, Irvine, February.
Japanese Ministry of International Trade and Industry (MITI). 1989. The Present State and Problems of Computer Virus, Agency of Industrial Science and Technology, Information-Technology Promotion Agency, Tokyo.
Johnson, David R. and David Post. 1989. Computer Viruses, a white paper on the legal and policy issues facing colleges and universities, American Council on Education and Wilmer, Cutler & Pickering, Washington, D.C.
Johnson, William. 1989. "Information espionage: An old problem with a new face," (Executive Report: Security in Open Times), Computerworld, October 23.
Joseph, Mark K. and Algirdas Avizienis. 1988. "A fault tolerance approach to computer viruses," Computer, IEEE, May.
Juitt, David. 1989. "Security assurance through system management," Proceedings of the 12th National Computer Security Conference, National Institute of Standards and Technology/National Computer Security Center, Baltimore, Md., October 10–13.
Kahn, David. 1967. The Codebreakers: The Story of Secret Writing, Macmillan, New York.
Karger, P. 1988. "Implementing commercial data integrity with secure capabilities," Proceedings of the 1988 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 18–21, pp. 130–139.
Karon, Paul. 1988. "The hype behind computer viruses: Their bark may be worse than their 'byte,'" PC Week, May 31, p. 49.
Kass, Elliot M. 1990. "Data insecurity," Information Week, March 19, p. 22.
Keller, John J. 1990. "Software glitch at AT&T cuts off phone service for millions," Wall Street Journal, January 16, p. B1.
Kemmerer, R. A. 1985. "Testing formal specifications to detect design errors," IEEE Transactions on Software Engineering, SE-11(1), pp. 32–43.
Kemmerer, R. A. 1986. Verification Assessment Study Final Report, Volume I, Overview, Conclusions, and Future Directions, Library No. S-228,204, National Computer Security Center, Fort Meade, Md., March 27.
Kemmerer, R. A. 1989a. "Analyzing encryption protocols using formal verification techniques," IEEE Journal on Selected Areas in Communications, Vol. 7, No. 4, pp. 448–457.
Kemmerer, R. A. 1989b. "Integration of formal methods into the development process," IEEE Software, September, pp. 37–50.
Kent, Stephen T. 1976. "Encryption-based protection protocols for interactive user-computer communication," Technical Report 162 (MIT-LCS TR-162), Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, Mass., May.
Kent, Stephen T. 1981. Protecting Externally Supplied Software in Small Computers, Technical Report 255, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, Mass.
Kent, Stephen T., P. Sevcik, and J. Herman. 1982. "Personal authentication system for access control to the defense data network," EASCON '82—15th Annual Electronics and Aerospace Systems Conference, 82CH-182833, IEEE Washington Section and IEEE Aerospace and Electronics Systems Society, Washington, D.C., September 20–22.
King, Julia. 1989. "Executive tech briefing: Network security," Federal Computer Week, July 10, pp. 28–35.
Kolkhorst, B. G. and A. J. Macina. 1988. "Developing error-free software," IEEE AES Magazine, November.
Labaton, Stephen. 1989. "Rules weighed on transfer of big sums electronically," New York Times, October 31, pp. D1, D8.
Lamport, Leslie. 1989. "A simple approach to specifying concurrent systems," Communications of the ACM, Vol. 32, No. 1, January, pp. 32–45.
Lampson, Butler. 1973. "A note on the confinement problem," Communications of the ACM, Vol. 16, No. 10, October, pp. 613–615.
Lampson, Butler. 1985. "Protection," ACM Operating Systems Review, Vol. 19, No. 5, December, pp. 13–24.
Landry, John. 1990. Statement of ADAPSO, a computer software and services industry association, before the Senate Judiciary Subcommittee on Technology and the Law, July 31.
Lardner, Jr., George. 1990a. "CIA director: E. European spies at work," Washington Post, February 21, p. A15.
Lardner, Jr., George. 1990b. "National Security Agency: Turning on and tuning in," (two-part article), Washington Post, March 18–19, p. A1.
Law Commission. 1989. Criminal Law, Computer Misuse, HMSO, London, United Kingdom, October.
Leveson, Nancy G. 1986. "Software safety: Why, what, and how," Computer Surveys, Vol. 18, No. 2, June, pp. 125–164.
Lewis, Peter H. 1989. "Building a moat with software," New York Times, September 3, p. F7.
Lewis, Peter H. 1990. "Privacy: The tip of the iceberg," New York Times, October 2, p. C8.
Lewyn, Mark. 1989. "Hackers: Is a cure worse than the disease?" Business Week, December 4, p. 37.
Lindsay, Peter. 1988. "Survey of theorem provers," Software Engineering Journal, IEEE, January.
Linger, R. C. and H. D. Mills. 1988. "A case study in cleanroom software engineering: The IBM COBOL structuring facility," Proceedings of COMPSAC '88, IEEE Computer Society, Washington, D.C.
Linn, John. 1989. "Privacy enhancement for Internet electronic mail," (memorandum—e-mail), Request for Comments 1113, Network Working Group, IAB Privacy Task Force, July 17.
Linowes, David F. 1989. Privacy in America—Is Your Private Life in the Public Eye? University of Illinois Press, Urbana and Chicago.
Lipner, S. B. 1982. "Non-discretionary controls for commercial applications," Proceedings of the 1982 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 26–28, pp. 2–10.
Lipton, R. J. 1989. A New Approach to Testing, Princeton University, Princeton, N.J.
Loew, Sue J. 1989. "Encrypted EDI: Scrambling to create a security product—sans standard," Data Communications, October, p. 50.
Luckham, David and Sriram Sankar. 1989. Future Directions in Software Analysis and Testing, Stanford University, Stanford, Calif.
Lunt, T. F. 1988. "Automated audit trail analysis and intrusion detection: A survey," Proceedings of the 11th National Computer Security Conference, National Institute of Standards and Technology/National Computer Security Center, Baltimore, Md.
Lunt, T. F., R. R. Schell, W. R. Shockley, M. Heckman, and D. Warren. 1988. "A near-term design for the SeaView multilevel database system," Proceedings of the 1988 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April, pp. 234–244.
Lunt, Teresa F. 1989. "Aggregation and inference: Facts and fallacies," Proceedings of the 1989 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., May 1–3, pp. 102–109.
Lyons, John. 1990. Testimony before the Subcommittee on Transportation, Aviation, and Materials, U.S. House of Representatives, National Institute of Standards and Technology, Gaithersburg, Md.
Markoff, John. 1988a. "West German secretly gains access to U.S. military computers," New York Times, April 17.
Markoff, John. 1988b. "Breach reported in U.S. computers," New York Times, April 18, p. A1.
Markoff, John. 1989a. "Virus outbreaks thwart computer experts," New York Times, May 30.
Markoff, John. 1989b. "Paper on codes sent to 8,000 computers over U.S. objection," New York Times, August 9, p. A1.
Markoff, John. 1989c. "Computer virus cure may be worse than disease," New York Times, October 7, pp. A1, A35.
Markoff, John. 1990a. "Breakdown's lesson: Failure occurs on superhuman scale," New York Times, January 16, p. A24.
Markoff, John. 1990b. "Caller says he broke into U.S. computers to taunt the experts," New York Times, March 21, pp. A1, A21.
Markoff, John. 1990c. "Arrests in computer break-ins show a global peril," New York Times, April 4, pp. A1, A16.
Markoff, John. 1990d. "Washington is relaxing its stand on guarding computer security," New York Times, August 18, pp. 1, 20.
McIlroy, M. 1989. "Virology 101," Computing Systems (USENIX Association, Berkeley, Calif.), Vol. 2, No. 2, pp. 173–181.
McLoughlin, Glenn J. 1987. Computer Crime and Security, Science Policy Research Division, Congressional Research Service, Washington, D.C., January 3.
Meyer, C. and S. Matyas. 1983. Cryptography: A New Dimension in Computer Data Security, Wiley, New York.
Microelectronics and Computer Technology Corporation (MCC). 1989. SpecTra: A Formal Methods Environment, MCC Technical Report no. ACT-ILO-STP-324-89, MCC, Austin, Tex.
Millen, Jonathan K. 1987. "Covert channel capacity," Proceedings of the 1987 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 27–29, pp. 60–66.
Millen, J. K., S. C. Clark, and S. B. Freedman. 1987. ''The <strong>in</strong>terrog<strong>at</strong>or: Protocol security analysis,"<br />
IEEE Transactions on Software Eng<strong>in</strong>eer<strong>in</strong>g , Vol. SE-13, No. 2, February.<br />
Miller, Donald V. and Robert W. Baldw<strong>in</strong>. 1989. "Access control by boolean expression<br />
evalu<strong>at</strong>ion," Proceed<strong>in</strong>gs of <strong>the</strong> Computer Security Applic<strong>at</strong>ion Conference, Tucson, Ariz.,<br />
December 8, IEEE Computer Society, Wash<strong>in</strong>gton, D.C.<br />
Miller, Edward and W. E. Howden. 1981. Software Test<strong>in</strong>g and Valid<strong>at</strong>ion Techniques, 2nd rev. ed.,<br />
IEEE Computer Society, Wash<strong>in</strong>gton, D.C.<br />
Miller, S. P., C. Neuman, J. I. Schiller, and J. H. Saltzer. 1987. "Kerberos au<strong>the</strong>ntic<strong>at</strong>ion and<br />
authoriz<strong>at</strong>ion system," Project A<strong>the</strong>na Technical Plan, Section E.2.1, Massachusetts<br />
Institute of Technology, Cambridge, Mass., July.<br />
Mitchell, J. G., W. Maybury, and R. Sweet. 1979. Mesa Language Manual (version 5.0), CSL-79-3,<br />
Xerox Palo Alto Research Center, Palo Alto, Calif., April.<br />
Mitchell, William. 1990. "Enterprise networks: The multivendor networks of <strong>the</strong> 1990s,"<br />
Network<strong>in</strong>g Management, Vol. 8, No. 2, February, pp. 69–72.<br />
Mo<strong>at</strong>es, Jr., William H. and Karen A. Forcht. 1986. "Computer security educ<strong>at</strong>ion: Are bus<strong>in</strong>ess<br />
schools lagg<strong>in</strong>g beh<strong>in</strong>d?" D<strong>at</strong>a Management, March.<br />
Moeller, Robert R. 1989. Computer Audit, Control and Security, John Wiley & Sons, New York.<br />
Morris, R. and K. Thompson. 1979. "UNIX password security: A case history," Communic<strong>at</strong>ions of<br />
<strong>the</strong> ACM, Vol. 22, No. 11, November, pp. 594–597.<br />
Mossberg, Walter S. and John Walcott. 1988. "U.S. redefines policy on security to place less stress on Soviets," Wall Street Journal, August 11.
Mosso, David. 1987. "Public policy and the FASB: As seen by one of its board members," Bottomline, December.
Munro, Neil. 1990. "NSA plan may stymie improved computer security," Defense News, September 10, pp. 3, 36.
Musolf, Lloyd. 1983. Uncle Sam's Private, Profitseeking Corporations: Comsat, Fannie Mae, Amtrak, and Conrail, Lexington Books, D.C. Heath and Company, Lexington, Mass.
National Academy of Sciences. 1987. Balancing the National Interest: U.S. National Security Export Controls and Global Economic Competition (also known as the Allen Report), Committee on Science, Engineering, and Public Policy, National Academy Press, Washington, D.C.
National Aeronautics and Space Administration (NASA). 1984. NASA ADP Risk Analysis Guideline (prepared by EDP Audit Controls, Inc.), Automated Information Systems Division: NASA Headquarters, July.
National Aeronautics and Space Administration (NASA). 1989a. Automated Information Systems Security Plan, Johnson Space Center, April.
National Aeronautics and Space Administration (NASA). 1989b. Automated Information Systems Security Plan Executive Summary, Goddard Space Flight Center, July.
National Aeronautics and Space Administration (NASA). 1989c. Assuring the Security and Integrity of the GSFC Automated Information Resources, Issuance Information Sheet GMI 2410.6B, Goddard Space Flight Center, May.
National Aeronautics and Space Administration (NASA). 1989d. Assuring the Security and Integrity of NASA Automated Information Resources, NMI: 2410.7A, NASA Management Instruction, Information Resources Management Office, Washington, D.C.
National Bureau of Standards (NBS). 1977. Data Encryption Standard, Federal Information Processing Standards Publication 46, NBS, Gaithersburg, Md., January. Reissued as Federal Information Processing Standards Publication 46-1, January 1988.
National Bureau of Standards (NBS). 1978. Considerations in the Selection of Security Measures for Automatic Data Processing Systems, NBS, Gaithersburg, Md., June.
National Bureau of Standards (NBS). 1980a. Guidelines on User Authentication Techniques for Computer Network Access Control, Federal Information Processing Standards Publication 83, National Technical Information Service, Springfield, Va., September 29.
National Bureau of Standards (NBS). 1980b. DES Modes of Operation, Federal Information Processing Standards Publication 81, National Technical Information Service, Springfield, Va., December.
National Bureau of Standards (NBS). 1981a. Guidelines for ADP Contingency Planning, Federal Information Processing Standards Publication 87, National Technical Information Service, Springfield, Va., March 27.
National Bureau of Standards (NBS). 1981b. Guideline on Integrity Assurance and Control in Database Administration, Federal Information Processing Standards Publication 88, National Technical Information Service, Springfield, Va., August 14.
National Bureau of Standards (NBS). 1982. Executive Guide to ADP Contingency Planning, Stuart W. Katzke and James W. Shaw, NBS Special Publication 500-85, NBS, Washington, D.C., January.
National Bureau of Standards (NBS). 1983. Guideline for Computer Security and Certification and Accreditation, Federal Information Processing Standards Publication 102, National Technical Information Service, Springfield, Va., September 27.
National Bureau of Standards (NBS). 1984. Security of Personal Computer Systems: A Growing Concern, NBS, Gaithersburg, Md., April.
National Bureau of Standards (NBS). 1985a. Security of Personal Computer Systems: A Management Guide, NBS Special Publication 500-120, NBS, Gaithersburg, Md., January.
National Bureau of Standards (NBS). 1985b. Security for Dial-Up Lines, NBS Special Publication 500-137, NBS, Gaithersburg, Md., May.
National Bureau of Standards (NBS). 1986. Work Priority Scheme for EDP Audit and Computer Security Review, NBS, Gaithersburg, Md., March.
National Bureau of Standards (NBS). 1988. Guide to Auditing for Controls and Security: A System Development Life Cycle Approach, NBS Special Publication 500-153, NBS, Gaithersburg, Md., April.
National Bureau of Standards/National Computer Security Center (NBS/NCSC). 1987. Proceedings of the 10th National Computer Security Conference, NBS/NCSC, Baltimore, Md., September.
National Bureau of Standards/National Computer Security Center (NBS/NCSC). 1988. Proceedings of the 11th National Computer Security Conference, NBS/NCSC, Baltimore, Md., October.
National Center for Computer Crime Data (NCCCD) and RGC Associates. 1989. Commitment to Security, NCCCD, Los Angeles, Calif.
National Institute of Standards and Technology (NIST). 1988. Smart Card Technology: New Methods for Computer Access Control, NIST Special Publication 500-157, NIST, Gaithersburg, Md.
National Institute of Standards and Technology (NIST). 1989a. Report of the Invitational Workshop on Integrity Policy in Computer Information Systems (WIPCIS), NIST Special Publication 500-160, NIST, Gaithersburg, Md., January.
National Institute of Standards and Technology (NIST). 1989b. Computer Viruses and Related Threats: A Management Guide, NIST Special Publication 500-166, NIST, Gaithersburg, Md., August.
National Institute of Standards and Technology (NIST). 1989c. Report of the Invitational Workshop on Data Integrity, NIST Special Publication 500-168, NIST, Gaithersburg, Md., September.
National Institute of Standards and Technology (NIST). 1990a. Secure Data Network Systems (SDNS) Network, Transport, and Message Security Protocols (NISTIR 90-4250), Secure Data Network Systems (SDNS) Access Control Documents (NISTIR 90-4259), Secure Data Network Systems (SDNS) Key Management Documents (NISTIR 90-4262), NIST, Gaithersburg, Md.
National Institute of Standards and Technology (NIST). 1990b. "Data Encryption Standard Fact Sheet," NIST, Gaithersburg, Md., January.
National Institute of Standards and Technology (NIST). 1990c. Computer Security Publications, NIST Publication List 91, NIST, Gaithersburg, Md., March.
National Institute of Standards and Technology (NIST). 1990d. Security Requirements for Cryptographic Modules, draft, Federal Information Processing Standards Publication 140-1, National Technical Information Service, Springfield, Va., July 13.
National Institute of Standards and Technology (NIST). 1990e. Guidelines and Recommendations on Integrity, draft, NIST, Gaithersburg, Md., July 23.
National Institute of Standards and Technology/National Computer Security Center (NIST/NCSC). 1989. Proceedings of the 12th National Computer Security Conference, NIST/NCSC, Baltimore, Md., October.
National Institute of Standards and Technology/National Computer Security Center (NIST/NCSC). 1990. Analysis and Comments on the Draft Information Technology Security Evaluation Criteria (ITSEC), NIST, Gaithersburg, Md., August 2.
National Institute of Standards and Technology/National Security Agency (NIST/NSA). 1989. Memorandum of Understanding Between Directors Concerning the Implementation of Public Law 100-235, Washington, D.C., March 24.
National Research Council (NRC). 1983. Multilevel Data Management Security, Air Force Studies Board, National Academy Press, Washington, D.C.
National Research Council (NRC). 1984. Methods for Improving Software Quality and Life Cycle Cost, Air Force Studies Board, National Academy Press, Washington, D.C.
National Research Council (NRC). 1988a. Global Trends in Computer Technology and Their Impact on Export Control, Computer Science and Technology Board, National Academy Press, Washington, D.C.
National Research Council (NRC). 1988b. Toward a National Research Network, Computer Science and Technology Board, National Academy Press, Washington, D.C.
National Research Council (NRC). 1988c. Selected Issues in Space Science Data Management and Computation, Space Sciences Board, National Academy Press, Washington, D.C.
National Research Council (NRC). 1989a. Scaling Up: A Research Agenda for Software Engineering, Computer Science and Technology Board, National Academy Press, Washington, D.C.
National Research Council (NRC). 1989b. Growing Vulnerability of the Public Switched Networks: Implications for National Security Emergency Preparedness, Board on Telecommunications and Computer Applications, National Academy Press, Washington, D.C.
National Research Council (NRC). 1989c. NASA Space Communications R&D: Issues, Derived Benefits, and Future Directions, Space Applications Board, National Academy Press, Washington, D.C., February.
National Research Council (NRC). 1989d. Use of Building Codes in Federal Agency Construction, Building Research Board, National Academy Press, Washington, D.C.
National Research Council (NRC). 1990. Keeping the U.S. Computer Industry Competitive: Defining the Agenda, Computer Science and Technology Board, National Academy Press, Washington, D.C.
National Security Agency (NSA). 1985. Personal Computer Security Considerations, NCSC-WA-002-85, National Computer Security Center, Fort Meade, Md., December.
National Security Agency (NSA). 1990a. "Press Statement: NCSC's Restructuring," NSA, Fort Meade, Md., August.
National Security Agency (NSA). 1990b. "Evaluated products list for trusted computer systems," Information Security Products and Services Catalogue, National Computer Security Center, Fort Meade, Md.
National Security Agency/Central Security Service (NSA/CSS). 1986. Software Acquisition Manual, NSAM 81-2, Fort Meade, Md., May 15.
National Security Agency/Central Security Service (NSA/CSS). 1987. Software Product Standards Manual, NSAM 81-3/DOD-STD-1703(NS), Fort Meade, Md., April 15.
National Technical Information Service (NTIS). January 1988/October 1989. U.S. Department of Commerce, Published Search. Citations from the Computer Database: Computer Viruses and Computer Software Vaccines for Software Protection, NTIS, Washington, D.C.
Needham, R. and M. Schroeder. 1978. "Using encryption for authentication in large networks of computers," Communications of the ACM, Vol. 21, No. 12, December, pp. 993–998.
Network World. 1990. "Network security still slack," (art captioned "Computer Intelligence"), February 5, p. 33.
Neumann, Peter G. 1986. "On hierarchical design of computer systems for critical applications," IEEE Transactions on Software Engineering, Vol. 12, No. 9, September, pp. 905–920.
Neumann, Peter G. 1988. "A glitch in our computer thinking: We create powerful systems with pervasive vulnerabilities," Los Angeles Times, August 2, p. 7.
Neumann, Peter G. 1989. "RISKS: Cumulative index of software engineering notes—Illustrative risks to the public in the use of computer systems and related technology," ACM Software Engineering Notes, Vol. 14, No. 1, January, pp. 22–26. (An updated index is to be published in the January 1991 issue, Vol. 16, No. 1.)
Neumann, Peter G. 1990a. "Rainbows and arrows: How the security criteria address computer misuse," Proceedings of the 13th National Computer Security Conference, National Institute of Standards and Technology/National Computer Security Center, Washington, D.C., October.
Neumann, Peter G. 1990b. "A perspective from the RISKS forum," Computers Under Attack: Intruders, Worms, and Viruses, Peter J. Denning (Ed.), ACM Press, New York.
Neumann, Peter G. and D. B. Parker. 1989. "A summary of computer misuse techniques," Proceedings of the 12th National Computer Security Conference, National Institute of Standards and Technology/National Computer Security Center, Baltimore, Md., October 10–13, pp. 396–407.
New York State, Committee on Investigations, Taxation, and Government Operations. 1989. Beware Computer 'Virus Attack', a staff report on the lack of security in state owned and operated computers, Albany, N.Y., July 28.
New York Times. 1987. "German computer hobbyists rifle NASA's files," September 16.
New York Times. 1988. "Computer systems under siege, here and abroad," January 31.
New York Times. 1988. "Top secret, and vulnerable," April 15.
New York Times. 1988. "Computer users fall victim to a new breed of vandals," May 19.
New York Times. 1988. "Newspaper computer infected with a 'virus,'" May 25.
New York Times. 1988. "Sabotage aimed at computer company destroys government computer data," July 4.
New York Times. 1988. "Programmer convicted after planting a 'virus,'" September 21, p. D15.
New York Times. 1988. "Car computer inquiry begun," November 17.
New York Times. 1988. "Cyberpunks seek thrills in computerized mischief," November 26.
New York Times. 1989. "2 accused of computer crimes in TV rivalry," May 11, p. A21.
New York Times. 1990. "G.A.O. study of computers," February 21, p. D4.
Newsweek. 1988. "Is your computer infected?" February 1.
Nordwall, Bruce D. 1989. "ITT avionics emphasizes development of software, improves electronic systems," Aviation Week & Space Technology, July 17, pp. 83, 85.
Norman, Adrian R. D. 1983. Computer Insecurity, Chapman and Hall, New York.
Nycum, Susan H. 1989. "Legal Exposures of the Victim of Computer Abuse under U.S. Law," International Bar Association (IBA) SBL Conference, Strasbourg, October 2–6, IBA, London, England.
Nycum, Susan Hubbell. 1976. "The criminal law aspects of computer abuse, Part 1: State penal laws," Journal of Computers and Law, Vol. 5, pp. 271–295.
Office of Management and Budget (OMB). 1988. Guidance for Preparation of Security Plans for Federal Computer Systems Containing Sensitive Information, OMB Bulletin No. 88-16, Washington, D.C., July.
Office of Management and Budget (OMB). 1990. Guidance for Preparation of Security Plans for Federal Computer Systems that Contain Sensitive Information, OMB Bulletin No. 90-08, Washington, D.C., July.
Office of Science and Technology Policy (OSTP). 1989. The Federal High-Performance Computing Program, Washington, D.C., September 8.
Office of Technology Assessment (OTA). 1985. Federal Government Information Technology: Electronic Surveillance and Civil Liberties, OTA-CIT-293, October, U.S. GPO, Washington, D.C.
Office of Technology Assessment (OTA). 1986a. Federal Government Information Technology: Management, Security, and Congressional Oversight, OTA-CIT-297, February, U.S. GPO, Washington, D.C.
Office of Technology Assessment (OTA). 1986b. Federal Government Information Technology: Electronic Record Systems and Individual Privacy, OTA-CIT-296, June, U.S. GPO, Washington, D.C.
Office of Technology Assessment (OTA). 1987a. The Electronic Supervisor: New Technology, New Tensions, OTA-CIT-333, September, U.S. GPO, Washington, D.C.
Office of Technology Assessment (OTA). 1987b. Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, OTA-CIT-310, October, U.S. GPO, Washington, D.C.
Office of Technology Assessment (OTA). 1990. Critical Connections: Communications for the Future, OTA-CIT-407, January, U.S. GPO, Washington, D.C.
Office of the Federal Register, National Archives and Records Administration. 1990. Code of Federal Regulations, Foreign Relations, Title 22, Parts 1 to 299, Subchapter M—International Traffic in Arms Regulations, revised April 1, pp. 333–390.
Parker, Donn B. 1976. Crime by Computer, Charles Scribner's Sons, New York.
Parker, Donn B. 1983. Fighting Computer Crime, Charles Scribner's Sons, New York.
Parnas, David L., A. J. van Schouwen, and S. P. Kwan. 1990. "Evaluation of safety critical software," Communications of the ACM, Vol. 33, No. 6, June, pp. 636–648.
Paul, Bill. 1989. "Electronic theft is routine and costs firms billions, security experts say," Wall Street Journal, October 20, p. 1.
Paul, Bill. 1990. "Blackouts on East Coast are called unavoidable," Wall Street Journal, February 28, p. B4.
Paul, James. 1989. Bugs in the Program—Problems in Federal Government Computer Software Development and Regulation, Subcommittee on Investigations and Oversight, U.S. House of Representatives, September.
Paulk, Mark C. 1989. "Review of the computer virus crisis," IEEE Computer, July, p. 122.
PC Magazine. 1988a. "Virus wars: A serious warning," February 29.
PC Magazine. 1988b. "Why it's time to talk about viruses," June 28, pp. 33–36.
Pearson, Dorothy. 1988. "MIS managers launch counterattack to stem rising virus epidemic," PC Week, August 29, pp. 23–24.
Pellerin, Cheryl. 1990. "Lights-out computing: Agencies are discovering the benefits of unattended computer centers," Federal Computer Week, March 19.
Peterson, Ivars. 1988. "A digital matter of life and death," Science News, March 12, pp. 170–171.
Pittelli, Frank M. and Hector Garcia-Molina. 1989. "Reliable scheduling in a TMR database system," ACM Transactions on Computer Systems, Vol. 7, No. 1, February.
Podell, Harold J. and Marshall D. Abrams. 1989. "A computer security glossary for the advanced practitioner," Computer Security Journal, Vol. IV, No. 1, pp. 69–88.
Pollack, Andrew. 1990. "Revlon sues supplier over software disabling," New York Times, October 25, pp. D1, D4.
Ponting, Bob. 1988. "Some common sense about network viruses, and what to do about them," (Newsfront section), Data Communications, April, p. 60.
Poore, Jesse H. and Harlan D. Mills. 1989. An Overview of the Cleanroom Software Development Process, unpublished paper presented at the Formal Methods Workshop, Halifax, Nova Scotia, July. Available from the Department of Computer Science, University of Tennessee, Knoxville.
Poos, Bob. 1990. "AF amends RFP to clarify security needs," Federal Computer Week, February 19, p. 4.
Potts, Mark. 1989. "When computers go down, so can firms' bottom lines," Washington Post, November 2.
Prefontaine, Daniel C., Canadian Department of Justice. 1990. "Future trends," presented at the Forum on the International Legal Vulnerability of Financial Information, Royal Bank of Canada, Toronto, February 26–28.
President's Council on Integrity and Efficiency. 1988. Review of General Controls in Federal Computer Systems, U.S. GPO, Washington, D.C., October.
President's Council on Management Improvement & President's Council on Integrity and Efficiency. 1988. Model Framework for Management Control Over Automated Information Systems, U.S. GPO, Washington, D.C., January.
Privacy Times (Evan Hendricks, Ed.). 1989. Vol. 9, No. 16, September 19, Washington, D.C.
Rabin, Michael O. and J. D. Tygar. 1987. An Integrated Toolkit for Operating System Security, Harvard University, Cambridge, Mass., May.
Reuter. 1990. "Man faces charges of computer fraud," Washington Post, February 4, p. A18.
Richards, Evelyn. 1989. "Study: Software bugs costing U.S. billions," Washington Post, October 17, pp. D1, D5.
Richardson, Jennifer. 1990a. "Federal reserve defends Fedwire security," Federal Computer Week, February 26, p. 4.
Richardson, Jennifer. 1990b. "Federal reserve adds security to Fedwire," Federal Computer Week, April 9.
Rinkerman, Gary. 1983. "Potential liabilities of independent software testing and certification organizations," Computer Law Reporter, Vol. 1, No. 5, March, pp. 725–727.
Rivest, R., A. Shamir, and L. Adleman. 1978. "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, Vol. 21, No. 2, February, pp. 120–126.
Rochlis, Jon A. and Mark W. Eichin. 1989. "With microscope and tweezers: The worm from MIT's perspective," Communications of the ACM, Vol. 32, No. 6, June, pp. 689–698.
Rothfeder, Jeffrey, et al. 1990. "Is your boss spying on you?" Business Week, January 15, p. 74.
Rumbelow, Clive. 1981. "Liability for programm<strong>in</strong>g errors," Intern<strong>at</strong>ional Bus<strong>in</strong>ess Lawyer, Vol. 9,<br />
(vii/viii), United K<strong>in</strong>gdom.<br />
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
<strong>Computers</strong> <strong>at</strong> <strong>Risk</strong>: <strong>Safe</strong> <strong>Comput<strong>in</strong>g</strong> <strong>in</strong> <strong>the</strong> Inform<strong>at</strong>ion <strong>Age</strong><br />
http://www.nap.edu/c<strong>at</strong>alog/1581.html<br />
About this PDF file: This new digital represent<strong>at</strong>ion of <strong>the</strong> orig<strong>in</strong>al work has been recomposed from XML files cre<strong>at</strong>ed from <strong>the</strong> orig<strong>in</strong>al paper book, not from <strong>the</strong><br />
orig<strong>in</strong>al typesett<strong>in</strong>g files. Page breaks are true to <strong>the</strong> orig<strong>in</strong>al; l<strong>in</strong>e lengths, word breaks, head<strong>in</strong>g styles, and o<strong>the</strong>r typesett<strong>in</strong>g-specific form<strong>at</strong>t<strong>in</strong>g, however, cannot be<br />
reta<strong>in</strong>ed, and some typographic errors may have been accidentally <strong>in</strong>serted. Please use <strong>the</strong> pr<strong>in</strong>t version of this public<strong>at</strong>ion as <strong>the</strong> authorit<strong>at</strong>ive version for <strong>at</strong>tribution.<br />
BIBLIOGRAPHY 235<br />
Rutz, Frank. 1988. "DOD fights off computer virus," Government Computer News, Vol. 7, No. 3,<br />
February 5, p. 1.<br />
Safire, William. 1990. "Spies of <strong>the</strong> future," New York Times, March 16, p. A35.<br />
Salpukas, Agis. 1989. "Computer chaos for air travelers," New York Times, May 13, p. A1.<br />
Saltman, Roy. 1988. "Accuracy, <strong>in</strong>tegrity and security <strong>in</strong> computerized vote-tally<strong>in</strong>g,"<br />
Communic<strong>at</strong>ions of <strong>the</strong> ACM, Vol. 31, No. 10, October, pp. 1184–1191.<br />
Saltzer, J. and M. Schroeder. 1975. "The protection of <strong>in</strong>form<strong>at</strong>ion <strong>in</strong> computer systems,"<br />
Proceed<strong>in</strong>gs: IEEE, Vol. 63, No. 9, September, pp. 1278–1308.<br />
Savage, J. A. 1990. "Apollo blasted by users over system security glitches," Computerworld,<br />
October 8, p. 49.<br />
Saydjari, O. Sami, Joseph M. Beckman, and Jeffrey R. Leaman. 1987. "Lock<strong>in</strong>g computers<br />
securely," Proceed<strong>in</strong>gs of <strong>the</strong> 10th N<strong>at</strong>ional Computer Security Conference, N<strong>at</strong>ional<br />
Bureau of Standards/N<strong>at</strong>ional Computer Security Center, Baltimore, Md., September 21–<br />
24, pp. 129–141.<br />
Saydjari, O. Sami, J. M. Beckman, and J. R. Leaman. 1989. "LOCK trek: Navig<strong>at</strong><strong>in</strong>g uncharted<br />
space," Proceed<strong>in</strong>gs of <strong>the</strong> 1989 IEEE Computer Society Symposium on Security and<br />
Privacy, IEEE Computer Society, Oakland, Calif., May, pp. 167–175.<br />
Scherlis, William L., Stephen L. Squires, and Richard D. Pethia. 1990. "Computer Emergency<br />
Response," <strong>Computers</strong> Under Attack: Intruders, Worms, and Viruses, Peter Denn<strong>in</strong>g (Ed.),<br />
ACM Press, New York.<br />
Schlicht<strong>in</strong>g, R. and R. Schneider. 1983. "Fail-stop processors: An approach to design<strong>in</strong>g faulttolerant<br />
comput<strong>in</strong>g systems," ACM Transactions on Computer Systems, Vol. 1, No. 3,<br />
August, pp. 222–238.<br />
Schmitt, Warren. 1990. Inform<strong>at</strong>ion Classific<strong>at</strong>ion and Control, Sears Technology Services,<br />
Schaumburg Ill., January.<br />
Schultz, Eugene. 1990. "Form<strong>in</strong>g and manag<strong>in</strong>g CIAC: Lessons learned," unpublished present<strong>at</strong>ion<br />
<strong>at</strong> CERT Workshop, June 20, Pleasanton, Calif., Lawrence Livermore N<strong>at</strong>ional<br />
Labor<strong>at</strong>ory, Livermore, Calif.<br />
Schuman, Evan. 1989. "Never m<strong>in</strong>d OSF/1, here's OSF/2," UNIX Today, November 27, pp. 1, 26.<br />
Selby, R. W., V. R. Basili, and F. T. Baker. 1987. "Cleanroom software development: An empirical<br />
evalu<strong>at</strong>ion," IEEE Transactions on Software Eng<strong>in</strong>eer<strong>in</strong>g, Vol. SE-13, No. 9.<br />
Selz, Michael. 1989. "Computer vacc<strong>in</strong>es or snake oil?" Wall Street Journal, October 13, p. B6.<br />
Sennett, C. T. 1989. Formal Methods <strong>in</strong> <strong>the</strong> Production of Secure Software , Royal Signals and<br />
Radar Establishment, Malvern, United K<strong>in</strong>gdom, pp. 1–2.<br />
Seymour, Jim, and Jon<strong>at</strong>han M<strong>at</strong>zk<strong>in</strong>. 1988. "Confront<strong>in</strong>g <strong>the</strong> grow<strong>in</strong>g thre<strong>at</strong> of computer software<br />
viruses," PC Magaz<strong>in</strong>e, June 28, pp. 33–36.<br />
Sh<strong>at</strong>z, Willie. 1990. "The term<strong>in</strong>al men: Crackdown on <strong>the</strong> 'Legion of Doom' ends an era for<br />
computer hackers," Wash<strong>in</strong>gton Post, June 24, pp. H1, H6.<br />
Shoch, John F. and Jon A. Hupp. 1982. "The 'worm' programs—Early experience with a distributed<br />
comput<strong>at</strong>ion," <strong>Comput<strong>in</strong>g</strong> Practices, March, pp. 172–180.<br />
Shore, John. 1988. "Why I never met a programmer I could trust," Communic<strong>at</strong>ions of <strong>the</strong> ACM,<br />
Vol. 31, No. 4, April, p. 372.<br />
Simitis, S. (Ed.). 1987. The Hessian D<strong>at</strong>a Protection Act, Editor: <strong>the</strong> Hessian D<strong>at</strong>a Protection<br />
Commissioner, Uhlandstrasse 4, 6200 Wiesbaden, Federal Republic of Germany.<br />
Publisher: Wiesbadener Graphische Betriebe GmbH, Wiesbaden.<br />
Simmons, G. 1988. "A survey of <strong>in</strong>form<strong>at</strong>ion au<strong>the</strong>ntic<strong>at</strong>ion," Proceed<strong>in</strong>gs: IEEE, Vol. 76, No. 5,<br />
May, pp. 603–620.<br />
Simpson, Glenn. 1989. "Can you count on <strong>the</strong> vote count?" Insight, January 9, p. 23.<br />
Sims, Calv<strong>in</strong>. 1989. "Not everyone applauds new phone services," New York Times, December 13,<br />
p. 6.<br />
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
<strong>Computers</strong> <strong>at</strong> <strong>Risk</strong>: <strong>Safe</strong> <strong>Comput<strong>in</strong>g</strong> <strong>in</strong> <strong>the</strong> Inform<strong>at</strong>ion <strong>Age</strong><br />
http://www.nap.edu/c<strong>at</strong>alog/1581.html<br />
About this PDF file: This new digital represent<strong>at</strong>ion of <strong>the</strong> orig<strong>in</strong>al work has been recomposed from XML files cre<strong>at</strong>ed from <strong>the</strong> orig<strong>in</strong>al paper book, not from <strong>the</strong><br />
orig<strong>in</strong>al typesett<strong>in</strong>g files. Page breaks are true to <strong>the</strong> orig<strong>in</strong>al; l<strong>in</strong>e lengths, word breaks, head<strong>in</strong>g styles, and o<strong>the</strong>r typesett<strong>in</strong>g-specific form<strong>at</strong>t<strong>in</strong>g, however, cannot be<br />
reta<strong>in</strong>ed, and some typographic errors may have been accidentally <strong>in</strong>serted. Please use <strong>the</strong> pr<strong>in</strong>t version of this public<strong>at</strong>ion as <strong>the</strong> authorit<strong>at</strong>ive version for <strong>at</strong>tribution.<br />
BIBLIOGRAPHY 236<br />
Sims, Calv<strong>in</strong>. 1990. "Computer failure disrupts AT&T long distance," New York Times, January 16,<br />
pp. A1, A24.<br />
Sloan, Irv<strong>in</strong>g J. 1984. <strong>Computers</strong> and <strong>the</strong> Law, Oceana Public<strong>at</strong>ions, New York.<br />
Smith, Kerry M. L. 1988. "Su<strong>in</strong>g <strong>the</strong> provider of computer software: How courts are apply<strong>in</strong>g<br />
U.C.C. Article Two, strict tort liability, and professional malpractice," Willamette Law<br />
Review, Vol. 24, No. 3, Summer, pp. 743–766.<br />
Smith, Tom. 1989. "IBM's new release of RACF, o<strong>the</strong>r security tools bow," Network World,<br />
October 30, pp. 4, 60.<br />
Snyders, Jan. 1983. "Security software doubles your protection," Computer Decisions, Vol. 15, No.<br />
9, September, pp. 46, 50–56.<br />
Solomon, J. 1982. "Specific<strong>at</strong>ion-to-code correl<strong>at</strong>ion," Proceed<strong>in</strong>gs of <strong>the</strong> 1982 IEEE Symposium on<br />
Security and Privacy, IEEE Computer Society, Oakland, Calif., April.<br />
Soma, John T. 1983. Computer Technology and <strong>the</strong> Law, Shepard's/McGraw-Hill, Colorado<br />
Spr<strong>in</strong>gs, Colo.<br />
Soper, Keith. 1989. "Integrity vs. security: Avoid<strong>in</strong>g <strong>the</strong> trade-off," Computerworld, June 12, pp.<br />
79–83.<br />
Spafford, Eugene H. 1989a. The Internet Worm Program: An Analysis, Purdue Technical Report<br />
CSD-TR-823, Department of Computer Science, Purdue University, West Lafayette, Ind.<br />
Spafford, Eugene H. 1989b. "Crisis and afterm<strong>at</strong>h," Communic<strong>at</strong>ions of <strong>the</strong> ACM, Vol. 32, No. 6,<br />
June, pp. 678–687.<br />
Specter, Michael. 1990. "Revenge on <strong>the</strong> nerds," Wash<strong>in</strong>gton Post, February 11, p. C5.<br />
Sprouse, Robert T. 1987. "Commentary: On <strong>the</strong> SEC-FASB partnership," Account<strong>in</strong>g Horizons,<br />
December, pp. 92–95.<br />
SRI Intern<strong>at</strong>ional. 1989. Intern<strong>at</strong>ional Inform<strong>at</strong>ion Integrity Institute (I-4) Annual Report 1989,<br />
Menlo Park, Calif.<br />
Ste<strong>in</strong>er, Jennifer, C. Neuman, and J. I. Schiller. 1988. "Kerberos: An au<strong>the</strong>ntic<strong>at</strong>ion service for open<br />
network systems," USENIX Dallas W<strong>in</strong>ter 1988 Conference Proceed<strong>in</strong>gs, USENIX<br />
Associ<strong>at</strong>ion, Berkeley, Calif., pp. 191–202.<br />
Stipp, David. 1990. "Virus verdict likely to have limited impact," Wall Street Journal, January 24,<br />
pp. B1, B7.<br />
Stoll, Clifford. 1988. "Stalk<strong>in</strong>g <strong>the</strong> Wily Hacker," Communic<strong>at</strong>ions of <strong>the</strong> ACM, Vol. 31, No. 5,<br />
May, pp. 484–497.<br />
Stoll, Clifford. 1989. The Cuckoos's Egg, Doubleday, New York.<br />
Strauss, Paul R. 1989. "Lesson of <strong>the</strong> lurk<strong>in</strong>g software glitch," D<strong>at</strong>a Communic<strong>at</strong>ions, June 21, p. 9.<br />
Streitfeld, David. 1989. "Personal d<strong>at</strong>a, on <strong>the</strong> record," Wash<strong>in</strong>gton Post, September 26, p. D5.<br />
Sweet, Walter. 1990. "Global nets elev<strong>at</strong>e security concerns," Network World, July 30, pp. 23–24.<br />
Tanebaum, A. 1981. Computer Networks, Prentice-Hall, Englewood Cliffs, N.J.<br />
Thackeray, Gail. 1985. "Computer-rel<strong>at</strong>ed crimes: An outl<strong>in</strong>e," Jurimetrics Journal, Spr<strong>in</strong>g, pp.<br />
300–318.<br />
Thompson, K. 1984. "Reflections on trust<strong>in</strong>g trust," (1983 Tur<strong>in</strong>g Award Lecture), Communic<strong>at</strong>ions<br />
of <strong>the</strong> ACM, Vol. 27, No. 8, August, pp. 761–763.<br />
Time. 1988. "Computer viruses," (cover story), September 26.<br />
Toigo, Jon William. 1990. "SECURITY: Biometrics creep <strong>in</strong>to bus<strong>in</strong>ess," Computerworld, June 11,<br />
pp. 75–78.<br />
Tompk<strong>in</strong>s, F. G. 1984. NASA Guidel<strong>in</strong>es for Assur<strong>in</strong>g <strong>the</strong> Adequacy and Appropri<strong>at</strong>eness of<br />
Security <strong>Safe</strong>guards <strong>in</strong> Sensitive Applic<strong>at</strong>ions, MTR-84W179, The MITRE Corp., Metrek<br />
Division, McLean, Va., September.<br />
Turn, Re<strong>in</strong>. 1980. "An overview of transborder d<strong>at</strong>a flow issues," Proceed<strong>in</strong>gs of <strong>the</strong> 1980<br />
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
<strong>Computers</strong> <strong>at</strong> <strong>Risk</strong>: <strong>Safe</strong> <strong>Comput<strong>in</strong>g</strong> <strong>in</strong> <strong>the</strong> Inform<strong>at</strong>ion <strong>Age</strong><br />
http://www.nap.edu/c<strong>at</strong>alog/1581.html<br />
About this PDF file: This new digital represent<strong>at</strong>ion of <strong>the</strong> orig<strong>in</strong>al work has been recomposed from XML files cre<strong>at</strong>ed from <strong>the</strong> orig<strong>in</strong>al paper book, not from <strong>the</strong><br />
orig<strong>in</strong>al typesett<strong>in</strong>g files. Page breaks are true to <strong>the</strong> orig<strong>in</strong>al; l<strong>in</strong>e lengths, word breaks, head<strong>in</strong>g styles, and o<strong>the</strong>r typesett<strong>in</strong>g-specific form<strong>at</strong>t<strong>in</strong>g, however, cannot be<br />
reta<strong>in</strong>ed, and some typographic errors may have been accidentally <strong>in</strong>serted. Please use <strong>the</strong> pr<strong>in</strong>t version of this public<strong>at</strong>ion as <strong>the</strong> authorit<strong>at</strong>ive version for <strong>at</strong>tribution.<br />
BIBLIOGRAPHY 237<br />
IEEE Computer Society Symposium on Security and Privacy, IEEE Computer Society,<br />
Oakland, Calif., April 14–16, pp. 3–8.<br />
Turn, Re<strong>in</strong>. 1990. "Inform<strong>at</strong>ion privacy issues for <strong>the</strong> 1990s," Proceed<strong>in</strong>gs of <strong>the</strong> 1990 IEEE<br />
Computer Society Symposium on Security and Privacy , IEEE Computer Society, Oakland,<br />
Calif., May 7–8.<br />
Turner, Judith Axler. 1988. "Security officials ask researchers not to make 'virus' copies available,"<br />
The Chronicle of Higher Educ<strong>at</strong>ion , No. 13, November 23, pp. 1, A12.<br />
Tzu, Sun. 1988. The Art of War, (transl<strong>at</strong>ed by Thomas Cleary), Shambhala, Boston.<br />
U.K. Communic<strong>at</strong>ions-Electronics Security Group/Department of Trade and Industry (CESG/DTI).<br />
1990. UKIT Security Evalu<strong>at</strong>ion and Certific<strong>at</strong>ion Scheme, Public<strong>at</strong>ion No. 1: Description<br />
of <strong>the</strong> Scheme, F<strong>in</strong>al Draft Version 2.3, UKSP 01, Cheltenham, England, July 13.<br />
U.K. Department of Trade and Industry (DTI). 1989. Overview Manual (V01), Glossary (V02),<br />
Index (V03), Users' Code of Practice (V11), Security Functionality Manual (V21),<br />
Evalu<strong>at</strong>ion Levels Manual (V22), Evalu<strong>at</strong>ion and Certific<strong>at</strong>ion Manual (V23), Vendors'<br />
Code of Practice (V31), Version 3.0, Commercial Computer Security Centre, London,<br />
England, February.<br />
U.K. M<strong>in</strong>istry of Defence. 1989a. Requirements for <strong>the</strong> Procurement of <strong>Safe</strong>ty Critical Software <strong>in</strong><br />
Defense Equipment, Interim Defense Standard 00-55, Glasgow, United K<strong>in</strong>gdom, May.<br />
U.K. M<strong>in</strong>istry of Defence. 1989b. Requirements for <strong>the</strong> Analysis of <strong>Safe</strong>ty Critical Hazards, Interim<br />
Defense Standard 00–56, Glasgow, United K<strong>in</strong>gdom, May.<br />
Ulbrich, B. and J. Coll<strong>in</strong>s. 1990. "Announc<strong>in</strong>g Sun Microsystem's Customer Warn<strong>in</strong>g System for<br />
security <strong>in</strong>cident handl<strong>in</strong>g," X-Sun-Spots-Digest , Vol. 9, No. 308, message 13.<br />
Underwriters Labor<strong>at</strong>ories, Inc. 1989. Underwriters Labor<strong>at</strong>ories, Inc. 1988 Annual Report,<br />
Underwriters Labor<strong>at</strong>ories, Inc., Northbrook, Ill.<br />
Underwriters Labor<strong>at</strong>ories, Inc. 1990a. The Proposed First Edition of <strong>the</strong> Standards for <strong>Safe</strong>tyrel<strong>at</strong>ed<br />
Software , UL-1998, Underwriters Labor<strong>at</strong>ories, Inc., Northbrook, Ill., August 17.<br />
Underwriters Labor<strong>at</strong>ories, Inc. 1990b. UL Yesterday today tomorrow , Underwriters Labor<strong>at</strong>ories,<br />
Inc., Northbrook, Ill.<br />
University of California, Los Angeles (UCLA). 1989. Sixth Annual UCLA Survey of Bus<strong>in</strong>ess<br />
School Computer Usage, John E. Anderson Gradu<strong>at</strong>e School of Management, UCLA, Los<br />
Angeles, Calif., September.<br />
U.S. Bureau of Alcohol, Tobacco and Firearms. 1988. "Explosive Incidents Report 1987,"<br />
Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House, Committee on <strong>the</strong> Judiciary, Subcommittee on Crime. 1983. Counterfeit<br />
Access Device and Computer Crime: Hear<strong>in</strong>gs on H.R. 3181, H.R. 3570, and H.R. 5112,<br />
98th Cong., 1st and 2nd sess., September 29 and November 10, 1983, and March 28,1984,<br />
U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House, Committee on <strong>the</strong> Judiciary, Subcommittee on Crime. 1985. Computer<br />
Crime and Computer Security: Hear<strong>in</strong>g on H.R. 1001 and H.R. 930, 99th Cong., 1st sess.,<br />
May 25, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House. 1986. Computer Fraud and Abuse Act of 1986, Public Law 99–474, H.R.<br />
4718, October 16, H. Rept. 100–153(I), U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House, Committee on <strong>the</strong> Judiciary. 1986. Computer Fraud and Abuse Act of 1986:<br />
Report to Accompany H.R. 4712, 99th Cong., 2nd sess. , U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House, Committee on <strong>the</strong> Judiciary. 1986. Computer Fraud and Abuse Act of 1986:<br />
Report to Accompany H.R. 5616, 99th Cong., 2nd sess., U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
<strong>Computers</strong> <strong>at</strong> <strong>Risk</strong>: <strong>Safe</strong> <strong>Comput<strong>in</strong>g</strong> <strong>in</strong> <strong>the</strong> Inform<strong>at</strong>ion <strong>Age</strong><br />
http://www.nap.edu/c<strong>at</strong>alog/1581.html<br />
About this PDF file: This new digital represent<strong>at</strong>ion of <strong>the</strong> orig<strong>in</strong>al work has been recomposed from XML files cre<strong>at</strong>ed from <strong>the</strong> orig<strong>in</strong>al paper book, not from <strong>the</strong><br />
orig<strong>in</strong>al typesett<strong>in</strong>g files. Page breaks are true to <strong>the</strong> orig<strong>in</strong>al; l<strong>in</strong>e lengths, word breaks, head<strong>in</strong>g styles, and o<strong>the</strong>r typesett<strong>in</strong>g-specific form<strong>at</strong>t<strong>in</strong>g, however, cannot be<br />
reta<strong>in</strong>ed, and some typographic errors may have been accidentally <strong>in</strong>serted. Please use <strong>the</strong> pr<strong>in</strong>t version of this public<strong>at</strong>ion as <strong>the</strong> authorit<strong>at</strong>ive version for <strong>at</strong>tribution.<br />
BIBLIOGRAPHY 238<br />
U.S. Congress, House, Committee on Government Oper<strong>at</strong>ions, Legisl<strong>at</strong>ion and N<strong>at</strong>ional Security<br />
Subcommittee. 1987. Computer Security Act of 1987: Hear<strong>in</strong>gs on H.R. 145 Before a<br />
Subcommittee of <strong>the</strong> Committee on Government Oper<strong>at</strong>ions, 100th Cong., 1st sess.,<br />
February 25 and 26 and March 17, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House, Committee on Science, Space, and Technology. 1987. Computer Security<br />
Act of 1987: Report to Accompany H.R. 145, 100th Cong., 1st sess., U.S. GPO,<br />
Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House, Technology Policy Task Force of <strong>the</strong> Committee on Science, Space, and<br />
Technology. 1987. Communic<strong>at</strong>ions and <strong>Computers</strong> <strong>in</strong> <strong>the</strong> 21st Century: Hear<strong>in</strong>g, 100th<br />
Cong., 1st sess., June 25, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House. 1989. Computer Protection Act of 1989, H.R. 287, 101st Cong., 1st sess.,<br />
January 3, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House, Committee on Energy and Commerce, Subcommittee on<br />
Telecommunic<strong>at</strong>ions and F<strong>in</strong>ance. 1989. Hear<strong>in</strong>g to Exam<strong>in</strong>e <strong>the</strong> Vulnerability of N<strong>at</strong>ional<br />
Telecommunic<strong>at</strong>ions Networks to Computer Viruses, 101st Cong., 1st sess., July 20, U.S.<br />
GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House. 1989. Computer Network Protection Act of 1989 , H.R. 3524, 101st Cong.,<br />
1st sess., October 25, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House. 1989. D<strong>at</strong>a Protection Act of 1989, H.R. 3669, 101st Cong., 1st sess.,<br />
November 15, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House. 1989. Computer Virus Eradic<strong>at</strong>ion Act of 1989 , H.R. 55, 101st Cong., 1st<br />
sess., U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, House, Committee on Energy and Commerce, Subcommittee on<br />
Telecommunic<strong>at</strong>ions and F<strong>in</strong>ance. 1990. Oversight Hear<strong>in</strong>g to Receive <strong>the</strong> F<strong>in</strong>d<strong>in</strong>gs of <strong>the</strong><br />
U.S. General Account<strong>in</strong>g Office on <strong>the</strong> Vulnerability of United St<strong>at</strong>es Securities Trad<strong>in</strong>g,<br />
Electronic Funds Transfer, and F<strong>in</strong>ancial Message Systems to Computer Viruses, 101st<br />
Cong., 2nd sess., February 21, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, Sen<strong>at</strong>e, Committee on <strong>the</strong> Judiciary. 1986. Electronic Communic<strong>at</strong>ions Privacy Act<br />
of 1986: Report to Accompany S. 2575, 99th Cong., 2nd sess., U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, Sen<strong>at</strong>e, Judiciary Subcommittee on P<strong>at</strong>ents, Copyrights, and Trademarks. 1989.<br />
Computer Software Rental Amendments Act (S. 198): Hear<strong>in</strong>gs, 101st Cong., 1st sess.,<br />
April 19, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, Sen<strong>at</strong>e, Judiciary Subcommittee on Technology and <strong>the</strong> Law. 1989. Hear<strong>in</strong>g on<br />
Computer Viruses, 101st Cong., 1st sess., May 15, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Congress, Sen<strong>at</strong>e. 1990. Computer Abuse Amendment Act of 1990, S. 2476, 101st Cong., 2nd<br />
sess., April 19, U.S. GPO, Wash<strong>in</strong>gton, D.C.<br />
U.S. Department of Defense (DOD). 1985a. Password Management Guidel<strong>in</strong>e , CSC-STD-002-85,<br />
also known as <strong>the</strong> Green Book, N<strong>at</strong>ional Computer Security Center, Fort Meade, Md.,<br />
April 12.<br />
U.S. Department of Defense (DOD). 1985b. Technical R<strong>at</strong>ionale Beh<strong>in</strong>d CSC-STD-003-85:<br />
Computer Security Requirements, Guidance for Apply<strong>in</strong>g <strong>the</strong> Department of Defense<br />
Trusted Computer System Evalu<strong>at</strong>ion Criteria <strong>in</strong> Specific Environments, also known as <strong>the</strong><br />
Yellow Book, N<strong>at</strong>ional Computer Security Center, Fort Meade, Md., June 25.<br />
U.S. Department of Defense (DOD). 1985c. Keep<strong>in</strong>g <strong>the</strong> N<strong>at</strong>ion's Secrets , Commission to Review<br />
DOD Security Policies and Practices, Wash<strong>in</strong>gton, D.C., November.<br />
U.S. Department of Defense (DOD). 1985d. Trusted Computer System Evalu<strong>at</strong>ion Criteria, DOD<br />
5200.28-STD, also known as <strong>the</strong> Orange Book, N<strong>at</strong>ional Computer Security Center, Fort<br />
Meade, Md., December (superseded CSC-STD-001-83 d<strong>at</strong>ed August 15, 1983).<br />
U.S. Department of Defense (DOD). 1987. Trusted Network Interpret<strong>at</strong>ion of <strong>the</strong> Trusted<br />
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
<strong>Computers</strong> <strong>at</strong> <strong>Risk</strong>: <strong>Safe</strong> <strong>Comput<strong>in</strong>g</strong> <strong>in</strong> <strong>the</strong> Inform<strong>at</strong>ion <strong>Age</strong><br />
http://www.nap.edu/c<strong>at</strong>alog/1581.html<br />
About this PDF file: This new digital represent<strong>at</strong>ion of <strong>the</strong> orig<strong>in</strong>al work has been recomposed from XML files cre<strong>at</strong>ed from <strong>the</strong> orig<strong>in</strong>al paper book, not from <strong>the</strong><br />
orig<strong>in</strong>al typesett<strong>in</strong>g files. Page breaks are true to <strong>the</strong> orig<strong>in</strong>al; l<strong>in</strong>e lengths, word breaks, head<strong>in</strong>g styles, and o<strong>the</strong>r typesett<strong>in</strong>g-specific form<strong>at</strong>t<strong>in</strong>g, however, cannot be<br />
reta<strong>in</strong>ed, and some typographic errors may have been accidentally <strong>in</strong>serted. Please use <strong>the</strong> pr<strong>in</strong>t version of this public<strong>at</strong>ion as <strong>the</strong> authorit<strong>at</strong>ive version for <strong>at</strong>tribution.<br />
BIBLIOGRAPHY 239<br />
Computer System Evalu<strong>at</strong>ion Criteria, NCSC-TG-005, Version 1, also known as <strong>the</strong> Red<br />
Book, or TNI, N<strong>at</strong>ional Computer Security Center, Fort Meade, Md., July 31.<br />
U.S. Department of Defense (DOD). 1988a. ''Improvements <strong>in</strong> computer security procedures,"<br />
Office of Assistant Secretary of Defense, Public Affairs, Wash<strong>in</strong>gton, D.C., January 6.<br />
U.S. Department of Defense (DOD). 1988b. Glossary of Computer Security Terms, NCSC-TG-004,<br />
Version 1, N<strong>at</strong>ional Computer Security Center, Fort Meade, Md., October 21.<br />
U.S. Department of Defense (DOD). 1988c. "DARPA establishes computer emergency response<br />
team," Office of Assistant Secretary of Defense, Public Affairs, Wash<strong>in</strong>gton, D.C.,<br />
December 6.<br />
U.S. Department of Defense (DOD), Defense Acquisition Board. 1990. Department of Defense<br />
Software Master Plan, draft, February 9.<br />
U.S. Department of Energy. 1985. Sensitive Unclassified Computer Security Program Compliance<br />
Review Guidel<strong>in</strong>es, DOE/MA-0188/1, Assistant Secretary, Management and<br />
Adm<strong>in</strong>istr<strong>at</strong>ion, Director<strong>at</strong>e of Adm<strong>in</strong>istr<strong>at</strong>ion, Office of ADP Management, Wash<strong>in</strong>gton,<br />
D.C., June (revised September 1985).<br />
U.S. Department of Energy, Energy Inform<strong>at</strong>ion Adm<strong>in</strong>istr<strong>at</strong>ion. 1986. Sensitive Computer<br />
Applications Certification/Recertification Policy and Procedures, EI 5633.1, initiated by ADP Services Staff, Washington, D.C., October.
U.S. Department of Energy. 1988. Unclassified Computer Security Program, DOE 1360.2A, initiated by Office of ADP Management, Washington, D.C., May.
U.S. Department of Justice (DOJ), National Institute of Justice. 1989. Computer Crime: Criminal Justice Resource Manual, Washington, D.C., August.
U.S. Department of the Treasury. 1989. "Reports of crimes and suspected crimes," Federal Register, Vol. 54, No. 117, June 20.
U.S. Food and Drug Administration (FDA). 1987. Policy for the Regulation of Computer Products, draft, FDA, Rockville, Md., September 9.
U.S. Food and Drug Administration (FDA). 1988. Reviewer Guidance for Computer-Controlled Medical Devices, draft, FDA, Rockville, Md., July 25.
Veterans Administration, Office of Information, Systems, and Telecommunications. 1987. Computer Security: A Handbook for VA Managers and End-Users, July. Available from U.S. Department of Veterans Affairs, Washington, D.C.
Voelcker, John. 1988. "Spread of computer viruses worries users," The Institute (a publication of the Institute of Electrical and Electronics Engineers), Vol. 12, No. 6, June, p. 1.
Wald, Matthew L. 1990. "Experts diagnose telephone 'crash'," New York Times, January 16, p. A25.
Waldrop, Mitchell M. 1989. "Flying the electric skies," Science, Vol. 244, pp. 1532–1534.
Walker, B. J., R. A. Kemmerer, and G. J. Popek. 1980. "Specification and verification of the UCLA Unix security kernel," Communications of the ACM, Vol. 23, No. 2, pp. 118–131.
Walker, Stephen T. 1985. "Network security overview," Proceedings of the 1985 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 22–24, pp. 62–76.
Wall Street Journal. 1988. "First computer message on stopping virus took 48 hours to reach target," November 8, p. B5.
Wall, Wendy L. 1989. "Few firms plan well for mishaps that disable computer facilities," Wall Street Journal, May 31.
Washington Post. 1988. "Searching for a better computer shield," November 13, pp. H1, H6.
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
Washington Post. 1989. "Computer virus strikes Michigan hospital," March 23.
Washington Post. 1990. "Man faces charges of computer fraud," February 4, p. A18.
Washington University Law Quarterly. 1977. "Potential liability: Conclusion," Vol. 405, No. 3, p. 433.
Webb, Ben. 1989. "Plan to outlaw hacking," Nature, Vol. 341, October 19, p. 559.
Weil, Martin. 1989. "Double malfunction grounds thousands," Washington Post, November 4, pp. B1, B4.
Williams, Gurney III. 1988. "UL: What's behind the label," Home Mechanix, pp. 78–80, 87–88.
Winans, Christopher. 1990. "Personal data travels, too, through agencies," Wall Street Journal, March 27, p. B1.
Wines, Michael. 1990. "Security agency debates new role: Economic spying," New York Times, June 18, p. A1.
Wing, Jeannette. 1990. "A specifier's introduction to formal methods," IEEE Computer, September.
Wright, Karen. 1990. "The road to the global village," Scientific American, March, pp. 83–94.
Young, Catherine L. 1987. "Taxonomy of computer virus defense mechanisms," Proceedings of the 10th National Computer Security Conference, National Bureau of Standards/National Computer Security Center, Baltimore, Md., September 21–24, pp. 220–225.
Young, W. D., and J. McHugh. 1987. "Coding for a believable specification to implementation mapping," Proceedings of the 1987 IEEE Symposium on Security and Privacy, IEEE Computer Society, Oakland, Calif., April 27–29, pp. 140–148.
Youngblut, Christine, et al. 1989. "SDS Software Testing and Evaluation," IDA Paper P-2132, Institute for Defense Analyses, Alexandria, Va., February.
Zachary, G. Pascal. 1990. "U.S. agency stands in way of computer-security tool," Wall Street Journal, July 9, pp. B1, B3.
Zeil, Steven J. 1989. "Constraint Satisfaction and Test Data Generation," Old Dominion University, Norfolk, Va.
Appendixes
Appendix A
The Orange Book
The Department of Defense's Trusted Computer System Evaluation Criteria, or Orange Book, contains criteria for building systems that provide specific sets of security features and assurances (U.S. DOD, 1985d; see Box A.1). However, the Orange Book does not provide a complete basis for security:
• Its origin in the defense arena is associated with an emphasis on disclosure control that seems excessive to many commercial users of computers. There is also a perception in the marketplace that it articulates defense requirements only.
• It specifies a coherent, targeted set of security functions that may not be general enough to cover a broad range of requirements in the commercial world. For example, it does not provide sufficient attention to information integrity and auditing. It says little about networked systems (despite the attempts made by the current and anticipated versions of the Trusted Network Interpretation, or Red Book (U.S. DOD, 1987)). Also, it provides only weak support for management control practices, notably individual accountability and separation of duty.
• The Orange Book process combines published system criteria with system evaluation and rating (relative to the criteria) by the staff of the National Computer Security Center. This process provides no incentive or reward for security capabilities that go beyond, or do not literally answer, the Orange Book's specific requirements.
• Familiarity with the Orange Book is uneven within the broader community of computer manufacturers, managers, auditors, and insurers, and system users. Its definitions and concepts have not been expressed in the vocabulary typically used in general information processing. It has been codified as a military standard, making it a requirement for defense systems, and its dissemination has been directed largely to major vendors of centralized systems, notably vendors who are or who supply government contractors.
Because of its shortcomings, which have been debated in the computer security community for several years, the Orange Book must be regarded as only an interim stage in the codification of prudent protection practices.
BOX A.1 SUMMARY OF EVALUATION CRITERIA CLASSES
The classes of systems recognized under the trusted computer systems evaluation criteria are as follows. They are presented in the order of increasing desirability from a computer security point of view.
Class (D): Minimal Protection
This class is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class.
Class (C1): Discretionary Security Protection
The Trusted Computing Base (TCB) of a class (C1) system nominally satisfies the discretionary security requirements by providing separation of users and data. It incorporates some form of credible controls capable of enforcing access limitations on an individual basis, i.e., ostensibly suitable for allowing users to be able to protect project or private information and to keep other users from accidentally reading or destroying their data. The class (C1) environment is expected to be one of cooperating users processing data at the same level(s) of sensitivity.
Class (C2): Controlled Access Protection
Systems in this class enforce a more finely grained discretionary access control than (C1) systems, making users individually accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.
Class (B1): Labeled Security Protection
Class (B1) systems require all the features required for class (C2). In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present. The capability must exist for accurately labeling exported information. Any flaws identified by testing must be removed.
Class (B2): Structured Protection
In class (B2) systems, the TCB is based on a clearly defined and documented formal security policy model that requires the discretionary and mandatory access control enforcement found in class (B1) systems to be extended to all subjects and objects in the ADP system. In addition, covert channels are addressed. The TCB must be carefully structured into protection-critical and non-protection-critical elements. The TCB interface is well-defined and the TCB design and implementation enable it to be subjected to more thorough testing and more complete review. Authentication mechanisms are strengthened, trusted facility management is provided in the form of support for system administrator and operator functions, and stringent configuration management controls are imposed. The system is relatively resistant to penetration.
Class (B3): Security Domains
The class (B3) TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects, be tamperproof, and be small enough to be subjected to analysis and tests. To this end, the TCB is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implementation directed toward minimizing its complexity. A security administrator is supported, audit mechanisms are expanded to signal security-relevant events, and system recovery procedures are required. The system is highly resistant to penetration.
Class (A1): Verified Design
Systems in class (A1) are functionally equivalent to those in class (B3) in that no additional architectural features or policy requirements are added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. This assurance is developmental in nature, starting with a formal model of the security policy and a formal top-level specification (FTLS) of the design. In keeping with extensive design and development analysis of the TCB required of systems in class (A1), more stringent configuration management is required and procedures are established for securely distributing the system to sites. A system security administrator is supported.
SOURCE: Department of Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, December 1985, Appendix C, pp. 93–94.
Appendix B
Selected Topics in Computer Security Technology
This appendix discusses in considerable detail selected topics in computer security technology chosen either because they are well understood and fundamental, or because they are solutions to current urgent problems. Several sections expand on topics presented in Chapter 3.
ORANGE BOOK SECURITY
A security policy is a set of rules by which people are given access to information and/or resources. Usually these rules are broadly stated, allowing them to be interpreted somewhat differently at various levels within an organization. With regard to secure computer systems, a security policy is used to derive a security model, which in turn is used to develop the requirements, specifications, and implementation of a system.
Library Example
A "trusted system" that illustrates a number of principles related to security policy is a library. In a very simple library that has no librarian, anyone (a subject) can take out any book (an object) desired: no policy is being enforced and there is no mechanism of enforcement. In a slightly more sophisticated case, a librarian checks who should have access to the library but does not particularly care who takes out which book: the policy enforced is, "Anyone allowed in the room is allowed access to anything in the room." Such a policy requires only identification of the subject. In a third case, a simple extension of the previous one, no one is allowed to take out more than five books at a time. In a sophisticated version of this system, a librarian first determines how many books a subject already has out before allowing that subject to take more out. Such a policy requires a check of the subject's identity and current status.
In a library with an even more complex policy, only certain people are allowed to access certain books. The librarian performs a check by name of who is allowed to access which books. This policy frequently involves the development of long lists of names and may evolve toward, in some cases, a negative list, that is, a list of people who should not be able to have access to specific information. In large organizations, determining which users have access to specific information frequently is based on the project they are working on or the level of sensitivity of data for which they are authorized. In each of these cases, there is an access control policy and an enforcement mechanism. The policy defines the access that an individual will have to information contained in the library. The librarian serves as the policy-enforcing mechanism.
Orange Book Security Models
The best-known and most widely used formal models of computer security functionality, the Bell and LaPadula model and its variants (Bell and LaPadula, 1976), emphasize confidentiality (protection from unauthorized disclosure of information) as their primary security service. In particular, these models attempt to capture the "mandatory" (what ISO Standard 7498-2 (ISO, 1989) refers to as "administratively directed, label-based") aspects of security policy. This is especially important in providing protection against "Trojan horse" software, a significant concern among those who process classified data. Mandatory controls are typically enforced by operating-system mechanisms at the relatively coarse granularity of processes and files. This state of affairs has resulted from a number of factors, several of which are noted below:
1. The basic security models were accurately perceived to represent Department of Defense (DOD) security concerns for protecting classified information from disclosure, especially in the face of Trojan horse attacks. Since it was under the auspices of DOD funding that the work in formal security policy models was carried out, it is not surprising that the emphasis was on models that reflected DOD requirements for confidentiality.
2. The embodiment of the model in the operating system has been deemed essential in order to achieve a high level of assurance and to make available a secure platform on which untrusted (or less trusted) applications could be executed without fear of compromising overall system security. It was recognized early that the development of trusted software, that is, software that is trusted to not violate the security policy imposed on the computer system, is a very difficult and expensive task. This is especially true if a security policy calls for a high level of assurance in a potentially "hostile" environment, for example, execution of software from untrusted sources.
The strategy evolved of developing trusted operating systems that could segregate information and processes (representing users) to allow controlled sharing of computer system resources. If trusted application software were written, it would require a trusted operating system as a platform on top of which it would execute. (If the operating system were not trusted, it, or other untrusted software, could circumvent the trusted operation of the application
<strong>in</strong> question.) Thus development of trusted oper<strong>at</strong><strong>in</strong>g systems is a<br />
n<strong>at</strong>ural precursor to <strong>the</strong> development of trusted applic<strong>at</strong>ions.<br />
At <strong>the</strong> time this str<strong>at</strong>egy was developed, <strong>in</strong> <strong>the</strong> l<strong>at</strong>e 1960s and <strong>in</strong><br />
<strong>the</strong> 1970s, computer systems were almost exclusively time-shared<br />
computers (ma<strong>in</strong>frames or m<strong>in</strong>is), and <strong>the</strong> resources to be shared<br />
(memory, disk storage, and processors) were expensive. With <strong>the</strong><br />
advent of trusted oper<strong>at</strong><strong>in</strong>g systems, <strong>the</strong>se expensive comput<strong>in</strong>g<br />
resources could be shared among users who would develop and<br />
execute applic<strong>at</strong>ions without requir<strong>in</strong>g trust <strong>in</strong> each applic<strong>at</strong>ion to<br />
enforce <strong>the</strong> system security policy. This has become an accepted<br />
model for systems <strong>in</strong> which <strong>the</strong> primary security concern is<br />
disclosure of <strong>in</strong>form<strong>at</strong>ion and <strong>in</strong> which <strong>the</strong> <strong>in</strong>form<strong>at</strong>ion is labeled <strong>in</strong><br />
a fashion th<strong>at</strong> reflects its sensitivity.<br />
3. The granularity at which the security policy is enforced is determined largely by characteristics of typical operating system interfaces and concerns for efficient implementation of the mechanisms that enforce security. Thus, for example, since files and processes are the objects managed by most operating systems, these were the objects protected by the security policy embodied in the operating system. In support of Bell-LaPadula, data sensitivity labels are associated with files, and authorizations for data access are associated with processes operating on behalf of users. The operating system enforces the security policy by controlling access to data based on file labels and process (user) authorizations. This type of security policy implementation is the hallmark of high-assurance systems as defined by the Orange Book.

Concerning integrity in the Orange Book, note that if an integrity policy (like Clark-Wilson) and an integrity mechanism (like type enforcement or rings) are then differentiated, an invariant property of mechanisms is that they enforce a "protected subsystem" kind of property. That is, they undertake to ensure that certain data is touchable only by certain code irrespective of the privileges that code inherits because of the person on whose behalf it is executing. Thus a proper integrity mechanism would ensure that one's personal privilege to update a payroll file could not be used to manipulate payroll data with a text editor, but rather that the privilege could be used only to access payroll data through the payroll subsystem, which presumably performs application-dependent consistency checks on what one does.

While the Orange Book does not explicitly call out a set of integrity-based access rules, it does require that B2-level¹ systems and those above execute out of a protected domain, that is, that the trusted computing base (TCB) itself be a protected subsystem. The mechanism used to do this (e.g., rings) is usually, but not always, exported to applications. Thus an integrity mechanism is generally available as a byproduct of a system operating at the B2 level.

The Orange Book does not mandate mechanisms to support data integrity, but it easily could do so at the B2 level and above, because it mandates that such a mechanism exist to protect the TCB. It is possible to devise mechanisms that protect the TCB but that cannot be made readily available to applications; however, such cases are in the minority and can be considered pathological.
HARDWARE ENFORCEMENT OF SECURITY AND INTEGRITY

The complexity and difficulty of developing secure applications can be reduced by modifying the hardware on which those applications run. Such modifications may add functionality to the operating system or application software, they may guarantee specific behavior that is not normally provided by conventional hardware, or they may enhance the performance of basic security functions, such as encryption. This section describes two projects that serve as worked examples of what can be accomplished when hardware is designed with security and/or integrity in mind, and what is gained or lost through such an approach.

VIPER Microprocessor

The VIPER microprocessor was designed specifically for high-integrity control applications at the Royal Signals and Radar Establishment (RSRE), which is part of the U.K.'s Ministry of Defence (MOD). VIPER attempts to achieve high integrity with a simple architecture and instruction set designed to meet the requirements of formal verification and to provide support for high-integrity software.

VIPER 1 was designed as a primitive building block that could be used to construct complete systems capable of running high-integrity applications. Its most important requirement is the ability to stop immediately if any hardware error is detected, including illegal instruction codes and numeric underflow and overflow. By stopping when an error is detected, VIPER assures that no incorrect external actions are taken following a failure. Such "fail-stop" operation (Schlichting and Schneider, 1983) simplifies the design of higher-level algorithms used to maintain the reliability and integrity of the entire system.

VIPER 1 is a memory-based processor that makes use of a uniform instruction set (i.e., all instructions are the same width). The processor has only three programmable 32-bit registers. The instruction set limits the amount of addressable memory to 1 megaword, with all access on word boundaries. There is no support for interrupts, stack processing, or micro-pipelining.

The VIPER 1 architecture provides only basic program support. In fact, multiplication and division are not supported directly by the hardware. This approach was taken primarily to simplify the design of VIPER, thereby allowing it to be verified. If more programming convenience is desired, it must be handled by a high-level compiler, assuming that the resulting loss in performance is tolerable.

The VIPER 1A processor allows two chips to be used in tandem in an active-monitor relationship. That is, one of the chips can be used to monitor the operation of the other. This is achieved by comparing the memory and input/output (I/O) addresses generated by both chips as they are sent off-chip. If either chip detects a difference in this data, then both chips are stopped. In this model, a set of two chips is used to form a single fail-stop processor making use of a single memory module and an I/O line.

It is generally accepted that VIPER's performance falls short of conventional processors' performance, and always will. Because it is being developed for high-integrity applications, the VIPER processor must always depend on well-established, mature implementation techniques and technologies. Many of the decisions about VIPER's design were made with static analysis in mind. Consequently, the instruction set was kept simple, without interrupt processing, to allow static analysis to be done effectively.
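The fail-stop behaviour and the VIPER 1A active-monitor pairing described above, shown as an added example written for this page. It is a toy interpreter, not RSRE's VIPER design: the six-instruction set, its encoding as (opcode, operand) pairs, the memory layout, the sample programs and the injected fault are all assumptions made for the illustration.

```python
"""Fail-stop execution and lockstep active monitoring in the spirit of
VIPER 1 and VIPER 1A. Added illustration for this page, not RSRE's design;
the instruction set, encoding, memory map and injected fault are assumed."""
from dataclasses import dataclass, field

WORD = 0xFFFFFFFF
MEM_WORDS = 1 << 20            # 1 megaword, word addressed, as in VIPER 1

# Toy fixed-width instruction set: every instruction is one (opcode, operand)
# word. No stack, no interrupts, no multiply or divide.
LDI, LDM, ADD, STM, OUT, HALT = range(6)


class FailStop(Exception):
    """The chip detected an error and stopped itself."""


def signed(w):
    """Interpret a 32-bit word as two's complement."""
    return w - (1 << 32) if w & 0x80000000 else w


@dataclass
class Chip:
    mem: dict                                # address -> data word or instruction
    acc: int = 0                             # accumulator register
    pc: int = 0
    stopped: str = ""                        # "" while running, else the reason
    bus: list = field(default_factory=list)  # (kind, address) sent off-chip

    def stop(self, reason):
        self.stopped = reason
        raise FailStop(reason)

    def load(self, addr):
        """Data read; reading an instruction word as data is an error."""
        self.bus.append(("read", addr))
        w = self.mem.get(addr, 0)
        if not isinstance(w, int):
            self.stop("illegal data access")
        return w

    def step(self):
        """Execute one instruction; a detected error stops the chip before
        any further external action can be taken."""
        if self.stopped:
            raise FailStop(self.stopped)
        if not 0 <= self.pc < MEM_WORDS:
            self.stop("address out of range")
        self.bus.append(("fetch", self.pc))
        insn = self.mem.get(self.pc)
        self.pc += 1
        if not (isinstance(insn, tuple) and len(insn) == 2 and 0 <= insn[0] <= HALT):
            self.stop("illegal instruction")
        op, arg = insn
        if op == LDI:
            self.acc = arg & WORD
        elif op == LDM:
            self.acc = self.load(arg)
        elif op == ADD:
            r = signed(self.acc) + signed(self.load(arg))
            if not -(1 << 31) <= r < (1 << 31):
                self.stop("arithmetic overflow")  # never wrap silently
            self.acc = r & WORD
        elif op == STM:
            self.bus.append(("write", arg))
            self.mem[arg] = self.acc
        elif op == OUT:
            self.bus.append(("io", arg))          # the externally visible action
        else:                                     # HALT: orderly stop
            self.stopped = "halt"


def run(chip, max_steps=1000):
    """Run one chip until it halts or fail-stops; return the reason."""
    try:
        for _ in range(max_steps):
            chip.step()
            if chip.stopped:
                break
    except FailStop:
        pass
    return chip.stopped


def outcome(program):
    """Run a fresh chip; report (stop reason, whether any I/O was emitted, result word)."""
    chip = Chip(dict(program))
    reason = run(chip)
    return reason, any(kind == "io" for kind, _ in chip.bus), chip.mem.get(DATA + 2)


def run_pair(program, fault_step=None, max_steps=1000):
    """VIPER 1A-style active monitoring: two chips run the same program and
    the addresses each sends off-chip are compared after every step; any
    disagreement stops both. fault_step injects an assumed hardware fault
    (a skipped instruction) into the second chip at that step."""
    a, b = Chip(dict(program)), Chip(dict(program))
    for n in range(max_steps):
        for chip in (a, b):
            try:
                if chip is b and n == fault_step:
                    chip.pc += 1
                chip.step()
            except FailStop:
                pass
        if a.bus != b.bus:
            a.stopped = b.stopped = "monitor mismatch"
        if a.stopped or b.stopped:
            break
    return a.stopped, b.stopped


DATA = 0x100
# Constructed sample program: sum two data words, store and output the result.
OK_PROGRAM = {0: (LDM, DATA), 1: (ADD, DATA + 1), 2: (STM, DATA + 2),
              3: (OUT, DATA + 2), 4: (HALT, 0), DATA: 5, DATA + 1: 7}
# Same program, but the sum exceeds the largest positive 32-bit integer.
OVERFLOW_PROGRAM = {**OK_PROGRAM, DATA: 0x7FFFFFFF, DATA + 1: 1}
# Same program with an undefined opcode in place of the ADD.
BAD_OPCODE_PROGRAM = {**OK_PROGRAM, 1: (42, 0)}

if __name__ == "__main__":
    print(outcome(OK_PROGRAM))                  # ('halt', True, 12)
    print(outcome(OVERFLOW_PROGRAM))            # ('arithmetic overflow', False, None)
    print(outcome(BAD_OPCODE_PROGRAM))          # ('illegal instruction', False, None)
    print(run_pair(OK_PROGRAM))                 # ('halt', 'halt')
    print(run_pair(OK_PROGRAM, fault_step=1))   # ('monitor mismatch', 'monitor mismatch')
```

The point of the two failing programs is what does not happen: no ("io", ...) entry reaches the bus after the overflow or the illegal opcode, so no external action follows the fault. In run_pair neither chip needs to know which of the two is wrong; the monitor only needs the two off-chip address streams to disagree, which is also why the comparison must cover the fetch addresses and not just data accesses.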
LOCK Project

The Logical Coprocessing Kernel (LOCK) Project intends to develop a secure microcomputer prototype by 1990 that provides A1-level security for general-purpose processing. The LOCK design makes use of a hardware-based reference monitor, known as SIDEARM, that can be used to build new, secure variants of existing architectures or can be included in the design of new architectures as an option. The goal is to provide the highest level of security as currently defined by National Computer Security Center (NCSC) standards, while providing 80 percent of the performance achievable by an unmodified, insecure computer. SIDEARM is designed to achieve this goal by controlling the memory references made by applications running on the processor to which it is attached. Assuming that SIDEARM is always working properly and has been integrated into the host system in a manner that guarantees its controls cannot be circumvented, it provides high assurance that applications can access data items only in accordance with a well-understood security policy. The LOCK Project centers on guaranteeing that these assumptions are valid.

The SIDEARM module is the basis of the LOCK architecture and is itself an embedded computer system, making use of its own processor, memory, communications, and storage subsystems, including a laser disk for auditing. It is logically placed between the host processor and memory, and integrated into those existing host facilities, such as memory management units, that control access into memory. Since it is a separate hardware component, applications cannot directly modify any of the security information used to control SIDEARM.

Security policy is enforced by assigning security labels to all subjects (i.e., applications or users) and objects (i.e., data files and programs) and making security policy decisions without relying on the host system. The security policy enforced by SIDEARM includes type-enforcement controls, providing configurable, mandatory integrity. That is, "types" can be assigned to data objects and used to restrict access to subjects that are performing functions appropriate to that type. Thus type enforcement can be used, for example, to ensure that a payroll data file is accessed only by payroll programs, or that specific transforms, such as labeling or encryption, are performed on data prior to output. Mandatory access control (MAC), discretionary access control (DAC), and type enforcement are "additive" in that a subject must pass all three criteria before being allowed to access an object.
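An added example, written for this page rather than taken from the LOCK project, that ties together three passages above: the Bell-LaPadula enforcement in point 3 (labels on files, authorizations on processes), the payroll-file integrity rule in the Orange Book discussion (the editor may not touch payroll data, the payroll subsystem may), and the "additive" MAC, DAC and type-enforcement decision made by SIDEARM. The label lattice, the domain/type table and the payroll scenario are assumptions chosen for the illustration, not SIDEARM's policy database.

```python
"""A small reference monitor combining Bell-LaPadula mandatory access
control, discretionary access control and type enforcement. Added
illustration for this page; the lattice, domain/type table and scenario
are assumed, not taken from LOCK/SIDEARM."""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: at least as high a level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Subject:
    user: str          # the person on whose behalf the process runs
    clearance: Label   # authorization attached to the process
    domain: str        # the program being run, used by type enforcement


@dataclass
class Object:
    name: str
    label: Label       # sensitivity label attached to the file
    owner: str
    type_: str         # integrity type, e.g. "payroll_data"
    acl: dict = field(default_factory=dict)   # user -> set of DAC modes


# Assumed domain definition table for type enforcement: which program
# domains may touch which object types. Anything unlisted is denied, no
# matter whose privileges the program inherits.
DDT = {
    ("payroll_app", "payroll_data"): {"read", "write"},
    ("editor", "text"): {"read", "write"},
    ("editor", "payroll_data"): set(),
}


def mac_permits(subj, obj, mode):
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    if mode == "read":
        return subj.clearance.dominates(obj.label)
    if mode == "write":
        return obj.label.dominates(subj.clearance)
    return False


def dac_permits(subj, obj, mode):
    """Discretionary control: the owner, or anyone granted the mode on the ACL."""
    return subj.user == obj.owner or mode in obj.acl.get(subj.user, set())


def te_permits(subj, obj, mode):
    """Type enforcement: the (domain, type) pair must allow the mode."""
    return mode in DDT.get((subj.domain, obj.type_), set())


def access(subj, obj, mode):
    """The three controls are additive: return (granted, names of failed checks)."""
    results = {"MAC": mac_permits(subj, obj, mode),
               "DAC": dac_permits(subj, obj, mode),
               "TE": te_permits(subj, obj, mode)}
    return all(results.values()), [name for name, ok in results.items() if not ok]


# Constructed scenario: alice owns the payroll file and holds a SECRET clearance.
SECRET = Label("SECRET")
payroll = Object("payroll.dat", SECRET, owner="alice", type_="payroll_data",
                 acl={"bob": {"read"}})
memo = Object("memo.txt", Label("CONFIDENTIAL"), owner="alice", type_="text")
alice_editor = Subject("alice", SECRET, "editor")
alice_payroll = Subject("alice", SECRET, "payroll_app")
bob_payroll = Subject("bob", Label("UNCLASSIFIED"), "payroll_app")

if __name__ == "__main__":
    for who, what, mode in [(alice_editor, payroll, "write"),
                            (alice_payroll, payroll, "write"),
                            (bob_payroll, payroll, "read"),
                            (alice_editor, memo, "write"),
                            (alice_editor, memo, "read")]:
        print(who.user, who.domain, mode, what.name, access(who, what, mode))
```

Alice's own privilege over the payroll file is not enough on its own: from the editor the request fails type enforcement even though MAC and DAC both pass, while from the payroll program it succeeds. Bob's ACL entry is likewise useless without the clearance. Two caveats for anyone adapting this: the *-property as written allows writing up (a SECRET process may write into a TOP SECRET file), which many deployed systems tighten to equal labels; and here the decision runs in the same process it constrains, whereas LOCK's point is that the decision is made in hardware the host cannot alter.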
The LOCK Project makes use of multiple TEPACHE-based TYPE-I encryption devices to safeguard SIDEARM media (security databases and audit) and data stored on host system media, and to close covert channels. As such, LOCK combines aspects of both COMSEC (communications security) and COMPUSEC (computer security) in an interdependent manner. The security provided by both approaches is critical to LOCK's proper operation.

The LOCK architecture requires few but complex trusted software components, including a SIDEARM device driver and software that ensures that decisions made by the SIDEARM are enforced by existing host facilities such as a memory management unit. An important class of trusted software comprises "kernel extensions," security-critical software that runs on the host to handle machine-dependent support, such as printer and terminal security labeling, and application-specific security policies, such as that required by a database management system. Kernel extensions are protected and controlled by the reference monitor and provide the flexibility needed to allow the LOCK technology to support a wide range of applications, without becoming too large or becoming architecture-dependent.

One of LOCK's advantages is that a major portion of the operating system, outside of the kernel extensions and the reference monitor, can be considered "hostile." That is, even if the operating system is corrupted, LOCK will not allow an unauthorized application to access data objects. However, parts of the operating system must still be modified or removed to make use of the functionality provided by SIDEARM. The LOCK Project intends to support the UNIX System V interface on the LOCK architecture and to attain certification of the entire system at the A1 level.
CRYPTOGRAPHY

Cryptography is the art of keeping data secret, primarily through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again. Cryptography is probably the most important aspect of communications security and is becoming increasingly important as a basic building block for computer security.

Fundamental Concepts of Encryption

Cryptography and cryptanalysis have existed for at least 2,000 years, perhaps beginning with a substitution algorithm used by Julius Caesar (Tanenbaum, 1981). In his method, every letter in the original message, known now as the plaintext, was replaced by the letter that occurred three places later in the alphabet. That is, A was replaced by D, B was replaced by E, and so on. For example, the plaintext "VENI VIDI VICI" would yield "YHQL YLGL YLFL." The resulting message, now known as the ciphertext, was then couriered to an awaiting centurion, who decrypted it by replacing each letter with the letter that occurred three places "before" it in the alphabet. The encryption and decryption algorithms were essentially controlled by the number three, which thus was the encryption and decryption key. If Caesar suspected that an unauthorized person had discovered how to decrypt the ciphertext, he could simply change the key value to another number and inform the field generals of that new value by using some other method of communication. Although Caesar's cipher is a relatively simple example of cryptography, it clearly depends on a number of essential components: the encryption and decryption algorithms, a key that is known by all authorized parties, and the ability to change the key. Figure B.1 shows the encryption process and how the various components interact.

FIGURE B.1 The encryption process.
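Caesar's cipher as described above, together with the exhaustive search over the 25 possible shifts that breaks it, as an added example written for this page (not code from the book). The small Latin word list used to recognise a correct decryption is a constructed assumption; real cryptanalysis of a substitution cipher would score letter frequencies instead.

```python
"""Caesar's substitution cipher and the exhaustive key search that breaks it.
Added illustration for this page; the Latin word list is constructed."""
import string

ALPHABET = string.ascii_uppercase


def caesar(text, key):
    """Shift each letter `key` places along the alphabet (mod 26);
    characters outside the alphabet pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return caesar(plaintext, key)


def decrypt(ciphertext, key):
    return caesar(ciphertext, -key)       # the inverse shift


# Constructed recogniser: a handful of Latin words is enough to pick the key.
LATIN_WORDS = {"VENI", "VIDI", "VICI", "ET", "SENATUS", "POPULUS", "ROMA",
               "ALEA", "IACTA", "EST"}


def latin_score(text):
    """Fraction of whitespace-separated words found in the word list."""
    words = text.split()
    return sum(w in LATIN_WORDS for w in words) / max(len(words), 1)


def break_caesar(ciphertext):
    """Knowing only that a cyclic shift was used, try every key from 1 to 25
    and return (key, plaintext) for the candidate that looks most like Latin."""
    best_score, best_key = max((latin_score(decrypt(ciphertext, k)), k)
                               for k in range(1, 26))
    return best_key, decrypt(ciphertext, best_key)


if __name__ == "__main__":
    ct = encrypt("VENI VIDI VICI", 3)
    print(ct)                              # YHQL YLGL YLFL
    print(break_caesar(ct))                # (3, 'VENI VIDI VICI')
    # Changing the key does not help once the attacker knows the algorithm.
    print(break_caesar(encrypt("ALEA IACTA EST", 10)))   # (10, 'ALEA IACTA EST')
```

Two things the example makes concrete. First, the attacker never needs the key: with only 25 candidates, knowing the type of algorithm is enough, so changing the key buys Caesar nothing against an opponent who knows the method. Second, the "improper choice of a key value" mentioned next is literal here: a key of 0 or 26 leaves the plaintext unchanged, and a key of 13 makes encryption and decryption the same operation.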
If any of these components is compromised, the security of the information being protected decreases. If a weak encryption algorithm is chosen, an opponent may be able to guess the plaintext once a copy of the ciphertext is obtained. In many cases, the cryptanalyst need only know the type of encryption algorithm being used in order to break it. For example, knowing that Caesar used only a cyclic substitution of the alphabet, one could simply try every key value from 1 to 25, looking for the value that resulted in a message containing Latin words. Similarly, many encryption algorithms that appear to be very complicated are rendered ineffective by an improper choice of a key value. In a more practical sense, if the receiver forgets the key value or uses the wrong one, then the resulting message will probably be unintelligible, requiring additional effort to retransmit the message and/or the key. Finally, it is possible that the enemy will break the code even if the strongest possible combination of algorithms and key values is used. Therefore, keys and possibly even the algorithms need to be changed over a period of time to limit the loss of security when the enemy has broken the current system. The process of changing keys and distributing them to all parties concerned is known as key
management and is <strong>the</strong> most difficult aspect of security management after an<br />
encryption method has been chosen.2<br />
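The Caesar cipher discussion above can be made concrete in a few lines. The Python below is an added example written for this page, not code from the report; the word list standing in for "Latin words" and the message are constructed for the demonstration. It implements the three components the paragraph names (the encryption and decryption algorithms, a key shared by the authorized parties, and the ability to change that key) and then carries out the search the paragraph describes: with only 25 possible keys, knowing that a cyclic substitution was used is enough to recover the plaintext by trying each key and looking for known words.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed word list standing in for "Latin words"; a real search would use
# a dictionary of the language the plaintext is expected to be in.
LATIN_WORDS = {"VENI", "VIDI", "VICI", "ALEA", "IACTA", "EST"}


def caesar_encrypt(plaintext, key):
    """Cyclic substitution: every letter moves `key` places along the alphabet.

    The key is the only thing the two parties must agree on and keep secret;
    changing it is as simple as calling this function with a new value.
    """
    if not 1 <= key <= 25:
        raise ValueError("key must be in 1..25 (0 and 26 leave the text unchanged)")
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def caesar_decrypt(ciphertext, key):
    """Decryption is encryption with the complementary shift."""
    return caesar_encrypt(ciphertext, 26 - key)


def all_candidates(ciphertext):
    """The whole key space: one candidate plaintext per possible key."""
    return [(key, caesar_decrypt(ciphertext, key)) for key in range(1, 26)]


def recover_key(ciphertext, dictionary):
    """The exhaustive search the appendix describes: try every key and keep
    the one whose candidate plaintext contains the most dictionary words.
    Returns (key, plaintext), or (None, "") if no candidate contains a known word."""
    best_hits, best = 0, (None, "")
    for key, candidate in all_candidates(ciphertext):
        hits = sum(1 for word in candidate.split() if word in dictionary)
        if hits > best_hits:
            best_hits, best = hits, (key, candidate)
    return best


if __name__ == "__main__":
    c = caesar_encrypt("VENI VIDI VICI", 3)
    print(c)                             # YHQL YLGL YLFL
    print(caesar_decrypt(c, 3))          # VENI VIDI VICI
    print(recover_key(c, LATIN_WORDS))   # (3, 'VENI VIDI VICI')
```

Because the key space has 25 members, the loop in `recover_key` is the entire security analysis of the system: its confidentiality rests on the opponent not knowing that a cyclic substitution was used, which is precisely the assumption the paragraph says cannot be relied on.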
In theory, any logical function can be used as an encryption algorithm. The function may act on single bits of information, single letters in some alphabet, or single words in some language or groups of words. The Caesar cipher is an example of an encryption algorithm that operates on single letters within a message. Throughout history a number of "codes" have been used in which a two-column list of words is used to define the encryption and decryption algorithms. In this case, plaintext words are located in one of the columns and replaced by the corresponding word from the other column to yield the ciphertext. The reverse process is performed to regenerate the plaintext from the ciphertext. If more than two columns are distributed, a key can be used to designate both the plaintext and ciphertext columns to be used. For example, given 10 columns, the key [3,7] might designate that the third column represents plaintext words and the seventh column represents ciphertext words. Although code books (e.g., multicolumn word lists) are convenient for manual enciphering and deciphering, their very existence can lead to compromise. That is, once a code book falls into enemy hands, ciphertext is relatively simple to decipher. Furthermore, code books are difficult to produce and to distribute, requiring accurate accounts of who has which books and which parties can communicate using those books. Consequently, mechanical and electronic devices have been developed to automate the encryption and decryption process, using primarily mathematical functions on single bits of information or single letters in a given alphabet.
Private vs. Public Crypto-Systems

The security of a given crypto-system depends on the amount of information known by the cryptanalyst about the algorithms and keys in use. In theory, if the encryption algorithm and keys are independent of the decryption algorithm and keys, then full knowledge of the encryption algorithm and key will not help the cryptanalyst break the code. However, in many practical crypto-systems, the same algorithm and key are used for both encryption and decryption. The security of these symmetric cipher systems depends on keeping at least the key secret from others, making such systems private-key cryptosystems. An example of a symmetric, private-key crypto-system is the Data Encryption Standard (DES) (see below, "Data Encryption Standard").
In this case, the encryption and decryption algorithm is widely known and has been widely studied; the privacy of the encryption and decryption key is relied on to ensure security. Other private-key systems have been implemented and deployed by the National Security Agency (NSA) for the protection of classified government information. In contrast to the DES, the encryption and decryption algorithms within those crypto-systems have been kept classified, to the extent that the computer chips on which they are implemented are coated in such a way as to prevent them from being examined.

Users are often intolerant of private encryption and decryption algorithms because they do not know how the algorithms work or if a "trapdoor" exists that would allow the algorithm designer to read the user's secret information. In an attempt to eliminate this lack of trust, a number of crypto-systems have been developed around encryption and decryption algorithms based on fundamentally difficult problems, or one-way functions, that have been studied extensively by the research community. Another approach used in public-key systems, such as that taken by the RSA (see the section below headed "RSA"), is to show that the most obvious way to break the system involves solving a hard problem (although this means that such systems may be broken by simpler means).

For practical reasons, it is desirable to use different encryption and decryption keys in a crypto-system. Such asymmetric systems allow the encryption key to be made available to anyone, while preserving confidence that only people who hold the decryption key can decipher the information. These systems, which depend solely on the privacy of the decryption key, are known as public-key crypto-systems. An example of an asymmetric, public-key cipher is the patented RSA system.
Digital Signatures

Society accepts handwritten signatures as legal proof that a person has agreed to the terms of a contract as stated on a sheet of paper, or that a person has authorized a transfer of funds as indicated on a check. But the use of written signatures involves the physical transmission of a paper document; this is not practical if electronic communication is to become more widely used in business. Rather, a digital signature is needed to allow the recipient of a message or document to irrefutably verify the originator of that message or document.

A written signature can be produced by one person (although forgeries certainly occur), but it can be recognized by many people as belonging
uniquely to its author. To be accepted as a replacement for a written signature, a digital signature, then, would have to be easily authenticated by anyone, but be producible only by its author.

A digital signature system consists of three elements, each carrying out a procedure:

1. The generator, which produces two numbers called the mark (which should be unforgeable) and the secret;
2. The signer, which accepts a secret and an arbitrary sequence of bytes called the input, and produces a number called the signature; and
3. The checker, which accepts a mark, an input, and a signature and says whether or not the signature matches the input for that mark.

The procedures have the following properties:

• If the generator produces a mark and a secret, and the signer produces a signature when given the secret and an input, then the checker will say that the signature matches the input for that mark.
• If one has a mark produced by the generator but does not have the secret, then even with a large number of inputs and matching signatures for that mark, one still cannot produce an additional input and matching signature for that mark. In particular, even if the signature matches one of the inputs, one cannot produce another input that it matches. A digital signature system is useful because if one has a mark produced by the generator, as well as an input and matching signature, then one can be sure that the signature was computed by a system that knew the corresponding secret, because a system that did not know the secret could not have computed the signature.

For instance, one can trust a mark to certify an uninfected program if
• one believes that it came from the generator, and
• one also believes that any system that knows the corresponding secret is one that can be trusted not to sign a program image if it is corrupted.

Known methods for digital signatures are often based on computing a secure checksum (see below) of the input to be signed and then encrypting the checksum with the secret. If the encryption uses public-key encryption, the mark is the public key that matches the secret, and the checker simply decrypts the signature.

For more details, see Chapter 9 in Davies and Price (1984).
Cryptographic Checksums

A cryptographic checksum or one-way hash function accepts any amount of input data (in this case a file containing a program) and computes a small result (typically 8 or 16 bytes) called the checksum. Its important property is that it requires a lot of work to find a different input with the same checksum. Here "a lot of work" means "more computing than an adversary can afford." A cryptographic checksum is useful because it identifies the input: any change to the input, even a very clever one made by a malicious person, is sure to change the checksum. Suppose a trusted person tells another that the program with checksum 7899345668823051 does not have a virus (perhaps he does this by signing the checksum with a digital signature). One who computes the checksum of file WORDPROC.EXE and gets 7899345668823051 should believe that he can run WORDPROC.EXE without worrying about a virus.

For more details, see Davies and Price (1984), Chapter 9.
Public-Key Crypto-systems and Digital Signatures

Public-key crypto-systems offer a means of implementing digital signatures. In a public-key system the sender enciphers a message using the receiver's public key, creating ciphertext1. To sign the message he enciphers ciphertext1 with his private key, creating ciphertext2. Ciphertext2 is then sent to the receiver. The receiver applies the sender's public key to decrypt ciphertext2, yielding ciphertext1. Finally, the receiver applies his private key to convert ciphertext1 to plaintext. The authentication of the sender is evidenced by the fact that the receiver successfully applied the sender's public key and was able to create plaintext. Since encryption and decryption are opposites, using the sender's public key to decipher what was enciphered with the sender's private key proves that only the sender could have sent it.

To resolve disputes concerning the authenticity of a document, the receiver can save the ciphertext, the public key, and the plaintext as proof of the sender's signature. If the sender later denies that the message was sent, the receiver can present the signed message to a court of law where the judge then uses the sender's public key to check that the ciphertext corresponds to a meaningful plaintext message with the sender's name, the proper time sent, and so forth. Only the sender could have generated the message, and therefore the receiver's claim would be upheld in court.
Key Management

In order to use a digital signature to certify a program (or anything else, such as an electronic message), it is necessary to know the mark that should be trusted. Key management is the process of reliably distributing the mark to everyone who needs to know it. When only one mark needs to be trusted, this is quite simple: a trusted person tells another what the mark is. He cannot do this using the computer system, which cannot guarantee that the information actually came from him. Some other communication channel is needed: a face-to-face meeting, a telephone conversation, a letter written on official stationery, or anything else that gives adequate assurance. When several agents are certifying programs, each using its own mark, things are more complex. The solution is for one trusted agent to certify the marks of the other agents, using the same digital signature scheme used to certify anything else. Consultative Committee on International Telephony and Telegraphy (CCITT) standard X.509 describes procedures and data formats for accomplishing this multilevel certification (CCITT, 1989b).
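The generator/signer/checker model of "Digital Signatures", the hash-then-sign construction of "Known methods for digital signatures", the cryptographic checksum, the encrypt-then-sign exchange of "Public-Key Crypto-systems and Digital Signatures", and the certification of one agent's mark by another described just above all fit in one small textbook RSA implementation. The Python below is an added example for this page, not code from the report or from any standard. Its assumptions: three Mersenne primes serve as the RSA factors (real primes, but far too small for any actual use), SHA-256 is the checksum, and the program image and the message "PAY 100" are constructed inputs. The function names follow the appendix: the mark is the RSA public key, the secret is the private key, and the checker recovers the checksum by deciphering the signature with the mark.

```python
import hashlib

# RSA factors for the example: Mersenne primes, real but far too small for
# actual use (a constructed choice for this demonstration).
P_RECEIVER, Q_RECEIVER = 2**31 - 1, 2**61 - 1   # receiver's modulus is about 2**92
P_SENDER, Q_SENDER = 2**61 - 1, 2**89 - 1       # sender's modulus is about 2**150
PUBLIC_EXPONENT = 65537


def generator(p, q, e=PUBLIC_EXPONENT):
    """The appendix's generator: returns (mark, secret), here the RSA public
    key (n, e) and private key (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)


def apply_key(key, x):
    """Enciphering with either half of an RSA pair is the same operation:
    modular exponentiation of a value that fits under the modulus."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("value does not fit under this modulus")
    return pow(x, exponent, n)


def checksum(data, n):
    """Cryptographic checksum of the input (SHA-256 here), reduced so that it
    can be enciphered under modulus n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def signer(secret, data):
    """Signature = checksum of the input, enciphered with the secret."""
    return apply_key(secret, checksum(data, secret[0]))


def checker(mark, data, signature):
    """Decipher the signature with the mark and compare it with a fresh checksum
    of the input; any change to the input changes the checksum and fails here."""
    n = mark[0]
    if not 0 <= signature < n:
        return False
    return apply_key(mark, signature) == checksum(data, n)


# Encrypt-then-sign exchange: ciphertext1 under the receiver's public key,
# ciphertext2 = ciphertext1 under the sender's private key.

def send(sender_secret, receiver_mark, plaintext):
    """Returns ciphertext2. The plaintext must fit under the receiver's modulus,
    and ciphertext1 must fit under the sender's (true here: 2**92 < 2**150)."""
    ciphertext1 = apply_key(receiver_mark, int.from_bytes(plaintext, "big"))
    return apply_key(sender_secret, ciphertext1)


def receive(sender_mark, receiver_secret, ciphertext2):
    """The sender's public key strips the signature layer; the receiver's
    private key then recovers the plaintext."""
    ciphertext1 = apply_key(sender_mark, ciphertext2)
    m = apply_key(receiver_secret, ciphertext1)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Multilevel certification (the X.509 idea in miniature): a trusted agent signs
# another agent's mark with the same signature scheme used for anything else.

def encode_mark(mark):
    return "{}:{}".format(*mark).encode()


def certify(root_secret, agent_mark):
    return signer(root_secret, encode_mark(agent_mark))


def mark_is_certified(root_mark, agent_mark, certificate):
    return checker(root_mark, encode_mark(agent_mark), certificate)


if __name__ == "__main__":
    receiver_mark, receiver_secret = generator(P_RECEIVER, Q_RECEIVER)
    sender_mark, sender_secret = generator(P_SENDER, Q_SENDER)

    program = b"constructed program image"           # stands in for WORDPROC.EXE
    sig = signer(sender_secret, program)
    print(checker(sender_mark, program, sig))         # True
    print(checker(sender_mark, program + b"!", sig))  # False: one byte changed

    c2 = send(sender_secret, receiver_mark, b"PAY 100")
    print(receive(sender_mark, receiver_secret, c2))  # b'PAY 100'

    cert = certify(sender_secret, receiver_mark)      # sender acts as the trusted agent
    print(mark_is_certified(sender_mark, receiver_mark, cert))  # True
```

The textbook form shown here is the one the sections describe; practical systems pad the value being signed or enciphered and use much larger factors, but the trust argument is unchanged: a signature that checks under a mark proves that a system holding the matching secret produced it, and certifying marks with other marks extends that argument down a chain whose root mark must still be distributed over a channel the computer system itself cannot provide.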
One-Time Pads

Algorithms

There is a collection of relatively simple encryption algorithms, known as one-time pad algorithms, whose security is mathematically provable. Such algorithms combine a single plaintext value (e.g., bit, letter, or word) with a random key value to generate a single ciphertext value. The strength of one-time pad algorithms lies in the fact that separate random key values are used for each of the plaintext values being enciphered, and the stream of key values used for one message is never used for another, as the name implies. Assuming there is no relationship between the stream of key values used during the process, the cryptanalyst has to try every possible key value for every ciphertext value, a task that can be made very difficult simply by the use of different representations for the plaintext and key values.

The primary disadvantage of a one-time pad system is that it requires an amount of key information equal to the size of the plaintext being enciphered. Since the key information must be known by both parties and is never reused, the amount of information exchanged between parties is twice that contained in the message itself. Furthermore, the key information must be transmitted using mechanisms different from those for the message, thereby doubling the resources required.
Finally, in practice, it is relatively difficult to generate large streams of "random" values effectively and efficiently. Any nonrandom patterns that appear in the key stream provide the cryptanalyst with valuable information that can be used to break the system.

One-time pads can be implemented efficiently on computers using any of the primitive logical functions supported by the processor. For example, the Exclusive-Or (XOR) operator is a convenient encryption and decryption function. When two bits are combined using the XOR operator, the result is 1 if one and only one of the input bits is 1; otherwise the result is 0, as defined by the table in Figure B.2.

FIGURE B.2 The XOR function.

The XOR function is convenient because it is fast and permits decrypting the encrypted information simply by "XORing" the ciphertext with the same data (key) used to encrypt the plaintext, as shown in Figure B.3.

FIGURE B.3 Encryption and decryption using the XOR function.
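As an added example (written for this page, not taken from the report), here is the XOR one-time pad of Figures B.2 and B.3 in Python, with the two rules the text attaches to it made explicit: the pad is drawn from the operating system's random source and must be exactly as long as the message, and it is used for one message only. The last function shows the cost of breaking that rule, which is why the "one-time" in the name matters: XORing two ciphertexts produced under the same pad cancels the pad and leaves the XOR of the two plaintexts. The messages and the fixed pad used in the demonstration are constructed.

```python
import os


def otp_encrypt(plaintext, key):
    """XOR each plaintext byte with the key byte in the same position.
    The pad must be exactly as long as the message: the "amount of key
    information equal to the size of the plaintext" the text describes."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# Figure B.3: decryption is the same operation, since (p XOR k) XOR k == p.
otp_decrypt = otp_encrypt


def fresh_pad(length):
    """Key material from the operating system's random source, used for one
    message only. A pseudorandom generator seeded from a short value is not a
    one-time pad: its output carries a pattern the cryptanalyst can exploit."""
    return os.urandom(length)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad_reuse_residue(ciphertext1, ciphertext2):
    """If two messages were XORed with the same pad, XORing the ciphertexts
    removes the pad: the result is plaintext1 XOR plaintext2, a value that no
    longer depends on the key at all. This is why a pad is never reused."""
    return xor_bytes(ciphertext1, ciphertext2)


if __name__ == "__main__":
    message = b"ATTACK AT DAWN"                   # constructed sample
    pad = fresh_pad(len(message))
    c = otp_encrypt(message, pad)
    print(otp_decrypt(c, pad) == message)         # True
    second = b"HOLD THE LINES"                    # same length, pad wrongly reused
    residue = pad_reuse_residue(c, otp_encrypt(second, pad))
    print(residue == xor_bytes(message, second))  # True: the pad cancelled out
```

Note that the pad is as long as the message and travels over a separate channel, which is the doubling of exchanged information and resources the previous paragraphs describe; the XOR itself costs one processor operation per byte.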
Data Encryption Standard

In 1972, the National Bureau of Standards (NBS; now the National Institute of Standards and Technology (NIST)) identified a need for a standard crypto-system for unclassified applications and issued a call for proposals. Although it was poorly received at first, IBM proposed, in 1975, a private-key crypto-system that operated on 64-bit blocks of
Copyright © National Academy of Sciences. All rights reserved.
Computers at Risk: Safe Computing in the Information Age
http://www.nap.edu/catalog/1581.html
About this PDF file: This new digital representation of the original work has been recomposed from XML files created from the original paper book, not from the original typesetting files. Page breaks are true to the original; line lengths, word breaks, heading styles, and other typesetting-specific formatting, however, cannot be retained, and some typographic errors may have been accidentally inserted. Please use the print version of this publication as the authoritative version for attribution.
APPENDIX B 260
information and used a single 128-bit key for both encryption and decryption. After accepting the initial proposal, NBS sought both industry and NSA evaluations. Industry evaluation was desired because NBS wanted to provide a secure encryption that industry would want to use, and NSA's advice was requested because of its historically strong background in cryptography and cryptanalysis. NSA responded with a generally favorable evaluation but recommended that some of the fundamental components, known as S-boxes, be redesigned. Based primarily on that recommendation, the Data Encryption Standard (DES; NBS, 1977) became a federal information processing standard in 1977 and an American National Standards Institute (ANSI) standard (number X3.92-1981/R1987) in 1980, using a 56-bit key.

The Data Encryption Standard (DES) represents the first cryptographic algorithm openly developed by the U.S. government. Historically, such algorithms have been developed by the NSA as highly classified projects. However, despite the openness of its design, many researchers believed that NSA's influence on the S-box design and the length of the key introduced a trapdoor that allowed the NSA to read any message encrypted using the DES. In fact, one researcher described the design of a special-purpose parallel processing computer that was capable of breaking a DES system using 56-bit keys and that, according to the researcher, could be built by the NSA using conventional technology. Nonetheless, in over ten years of academic and industrial scrutiny, no flaw in the DES has been made public (although some examples of weak keys have been discovered). Unfortunately, as with all cryptosystems, there is no way of knowing if the NSA or any other organization has succeeded in breaking the DES.

The controversy surrounding the DES was reborn when the NSA announced that it would discontinue the FS-1027 DES device certification program after 1987, although it did recertify the algorithm (until 1993) for use primarily in unclassified government applications and for electronic funds transfer applications, most notably FedWire, which had invested substantially in the use of DES. NSA cited the widespread use of the DES as a disadvantage, stating that if it were used too much it would become the prime target of criminals and foreign adversaries. In its place, NSA has offered a range of private-key algorithms based on classified algorithms that make use of keys generated and managed by NSA.

The Data Encryption Standard (DES) algorithm has four approved modes of operation: the electronic codebook, cipher block chaining, cipher feedback, and output feedback. Each of these modes has certain characteristics that make it more appropriate than the others for
specific purposes. For example, the cipher block chaining and cipher feedback modes are intended for message authentication purposes, while the electronic codebook mode is used primarily for encryption and decryption of bulk data (NBS, 1980b).

RSA

The RSA is a public key crypto-system, invented and patented by Ronald Rivest, Adi Shamir, and Leonard Adleman, that is based on large prime numbers (Rivest et al., 1978). In their method, the decryption key is generated by selecting a pair of prime numbers, P and Q (i.e., numbers divisible only by 1 and themselves), and another number, E, which must pass a special mathematical test based on the values of the pair of primes. The encryption key consists of the product of P and Q, which is called N, and the number E, which can be made publicly available. The decryption key consists of N and another number, called D, which results from a mathematical calculation using E and the prime factors P and Q of N. The decryption key must be kept secret.

A given message is encrypted by converting the text to numbers (using conventional conversion mechanisms) and replacing each number with a number computed using N and E. Specifically, each number is raised to the power E, with the result being divided by N, yielding a quotient, which is discarded, and a remainder. The remainder is used to replace the original number as part of the ciphertext. The decryption process is similar, raising the ciphertext number to the power D (versus E) and dividing it by N, with the remainder representing the desired plaintext number (which is converted back to a letter). RSA's security depends on the fact that, although finding large prime numbers is computationally easy, factoring large integers into their component primes is not, and it is computationally intensive.3 However, in recent years, parallel processing techniques and improvements in factoring algorithms have significantly increased the size of numbers (measured as the number of decimal digits in their representation) that can be factored in a relatively short period of time (i.e., less than 24 hours). Seventy-digit numbers are well within reach of modern computers and processing techniques, with 80-digit numbers on the horizon. Most commercial RSA systems use 512-bit keys (i.e., 154 digits), which should be out of the reach of conventional computers and algorithms for quite some time. However, the best factoring approaches currently use networks of workstations (perhaps several hundred or thousand of them), working part-time for weeks on end (Browne, 1988). This suggests that factoring numbers up to 110 digits is on the horizon.
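The RSA procedure described above, carried through in code as an added example (not from the report or from Rivest, Shamir, and Adleman's own implementation): key generation from two primes, encryption as exponentiation by E modulo N, decryption as exponentiation by D, and a brute-force factoring routine that recovers D from the public key only because the toy primes here are tiny. The primes, exponent and message are constructed, and the conversion from text to numbers is one number per character.

```python
"""Added example (not from the report): textbook RSA on toy-sized primes.

Mirrors the description in the text: public key (N, E) with N = P*Q,
private exponent D derived from E and the primes, encryption raises each
plaintext number to the power E modulo N, decryption raises the ciphertext
to the power D modulo N.  No padding, tiny primes: a model of the
arithmetic only.
"""
from __future__ import annotations

from math import gcd


def make_keys(p: int, q: int, e: int = 65537) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((N, E), (N, D)) for primes p and q.

    The 'special mathematical test' E must pass is gcd(E, (P-1)(Q-1)) == 1;
    D is then the inverse of E modulo (P-1)(Q-1), which is why D cannot be
    computed from N and E alone without knowing the factors of N.
    """
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E must be coprime to (P-1)(Q-1)")
    return (p * q, e), (p * q, pow(e, -1, phi))  # pow(x, -1, m) needs Python 3.8+


def encrypt(numbers: list[int], public_key: tuple[int, int]) -> list[int]:
    """Replace each number m with the remainder of m**E divided by N."""
    n, e = public_key
    if any(not 0 <= m < n for m in numbers):
        raise ValueError("each plaintext number must be smaller than N")
    return [pow(m, e, n) for m in numbers]


def decrypt(numbers: list[int], private_key: tuple[int, int]) -> list[int]:
    """Replace each ciphertext number c with the remainder of c**D divided by N."""
    n, d = private_key
    return [pow(c, d, n) for c in numbers]


def text_to_numbers(text: str) -> list[int]:
    """The 'conventional conversion': one number per character.

    Note that a given letter then always produces the same ciphertext
    number; deployed systems add randomised padding to avoid this.
    """
    return list(text.encode("ascii"))


def numbers_to_text(numbers: list[int]) -> str:
    return bytes(numbers).decode("ascii")


def factor_by_trial_division(n: int) -> tuple[int, int]:
    """Brute-force factoring, feasible only because the toy N is tiny.

    For a real modulus this is the computationally intensive step on
    which, as the text says, RSA's security rests.
    """
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n has no nontrivial factor")


def private_exponent_from_factors(n: int, e: int) -> int:
    """Whoever can factor N can recompute D from the public key alone."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo() -> dict:
    # Constructed toy primes; real keys use primes of hundreds of digits.
    public, private = make_keys(p=61, q=53, e=17)
    cipher = encrypt(text_to_numbers("RSA"), public)
    plain = numbers_to_text(decrypt(cipher, private))
    return {
        "ciphertext": cipher,
        "recovered": plain,
        "d_recovered_by_factoring": private_exponent_from_factors(*public) == private[1],
    }


if __name__ == "__main__":
    print(demo())
```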
PROTECTION OF PROPRIETARY SOFTWARE AND DATABASES

The problem of protecting proprietary software or proprietary databases is an old and difficult one. The blatant copying of a large commercial program, such as a payroll program, and its systematic use within the pirating organization are often detectable and will then lead to legal action. Similar considerations apply to large databases, and for these the pirating organization has the additional difficulty of obtaining the vendor-supplied periodic updates, without which the pirated database will become useless.

The problem of software piracy is further exacerbated in the context of personal computing. Vendors supply programs for word processing, spreadsheets, game-playing programs, compilers, and so on, and these are systematically copied by pirate vendors and by private users. While large-scale pirate vendors may eventually be detected and stopped, there is no hope of preventing, through detection and legal action, the mass of individual users from copying from each other.

Various technical solutions have been proposed for the problem of software piracy in the personal computing world. Some involve a machine-customized layout of the data on a disk. Others involve the use of volatile transcription of certain parts of a program text. Cryptography employing machine- or program-instance customized keys has been suggested, in conjunction with coprocessors that are physically impenetrable so that cryptographic keys and crucial decrypted program text cannot be captured. Some of these approaches, especially those employing special hardware, and hence requiring cooperation between hardware and software manufacturers, have not penetrated the marketplace. The safeguards deployed by software vendors are usually incomplete and after a while succumb to attacks by talented amateur hackers who produce copyable versions of the protected disks. There even exist programs to help a user overcome the protections of many available proprietary programs. (These thieving programs are then presumably themselves copied through use of their own devices!) It should be pointed out that there is even a debate as to whether the prevalent theft of proprietary personal computing software by individuals is sufficiently harmful to warrant the cost of developing and deploying really effective countermeasures (Kent, 1981).

The problem of copying proprietary software and databases, while important, lies outside the purview of system security. Software piracy is an issue between the rightful owner and the thief, and its resolution depends on tools, methods, and goals that are separate from those associated with system security.
There is, however, an important aspect of protection of proprietary software and/or databases that lies directly within the domain of system security as it is commonly understood. It involves the unauthorized use of proprietary software and databases by parties other than the organization licensed to use such software or databases, and in systems other than within the organization's system where the proprietary software is legitimately installed. Consider, for example, a large database with the associated complex-query software that is licensed by a vendor to an organization. This may be done with the contractual obligation that the licensee obtains the database for his own use and not for making query services available to outsiders. Two modes of transgression against the proprietary rights of the vendor are possible. The organization itself may breach its obligation not to provide the query services to others, or some employee who himself may have legitimate access to the database may provide or even sell query services to outsiders. In the latter case the licensee organization may be held responsible, under certain circumstances, for not having properly guarded the proprietary rights of the vendor. Thus there is a security issue associated with the prevention of unauthorized use of proprietary software or databases legitimately installed in a computing system. In the committee's classification of security services, it comes under the heading of resource (usage) control. Namely, the proprietary software is a resource and its owners wish to protect against its unauthorized use (say, for sale of services to outsiders) by a user who is otherwise authorized to access that software.

Resource control as a security service has inspired very few, if any, research and implementation efforts. It poses some difficult technical problems, as well as possible privacy problems. The obvious approach is to audit, on a selective and possibly random basis, access to the proprietary resource in question. Such an audit trail can then be evaluated by human scrutiny, or automatically, for indications of unauthorized use as defined in the present context. It may well be that effective resource control will require recording, at least on a spot-check basis, aspects of the content of a user's interaction with software and/or a database. For obvious reasons, this may provoke resistance.

Another security service that may come into play in this context of resource control is nonrepudiation. The legal aspects of the protection of proprietary rights may require that certain actions taken by a user in connection with the proprietary resource be such that once the actions are recorded, the user is barred from later repudiating his connection to these actions.

It is clear that such measures for resource control, if properly
implemented and installed, will serve to deter the unauthorized use of proprietary resources by individual users. But what about the organization controlling the trusted system in which the proprietary resource is embedded? On the one hand, such an organization may well have the ability to dismantle the very mechanisms designed to control the use of proprietary resources, thereby evading effective scrutiny by the vendor or its representatives. On the other hand, the design and nature of security mechanisms are such that the mechanisms are difficult to change selectively, and especially in a manner ensuring that their subsequent behavior will emulate the untampered-with mode, thus making the change undetectable. Thus the expert effort and people involved in effecting such changes will open the organization to danger of exposure.

There is now no documented major concern about the unauthorized use, in the sense of the present discussion, of proprietary programs or databases. It may well be that in the future, when the sale of proprietary databases assumes economic significance, the possibility of abuse of proprietary rights by licensed organizations and authorized users will be an important issue. At that point an appropriate technology for resource control will be essential.

USE OF PASSWORDS FOR AUTHENTICATION

Passwords have been used throughout military history as a mechanism to distinguish friends from foes. When sentries were posted, they were told the daily password that would be given by any friendly soldier who attempted to enter the camp. Passwords represent a shared secret that allows strangers to recognize each other, and they have a number of advantageous properties. They can be chosen to be easily remembered (e.g., "Betty Boop") without being easily guessed by the enemy (e.g., "Mickey Mouse"). Furthermore, passwords allow any number of people to use the same authentication method, and they can be changed frequently (as opposed to physical keys, which must be duplicated). The extensive use of passwords for user authentication in human-to-human interactions has led to their extensive use in human-to-computer interactions.

According to the NCSC Password Management Guideline, "A password is a character string used to authenticate an identity. Knowledge of the password that is associated with a user ID is considered proof of authorization to use the capabilities associated with that user ID" (U.S. DOD, 1985a).

Passwords can be issued to users automatically by a random generation routine, providing excellent protection against commonly used
passwords. However, if the random password generator is not good, breaking one may be equivalent to breaking all. At one installation, a person reconstructed the entire master list of passwords by guessing the mapping from random numbers to alphabetic passwords and inferring the random number generator (McIlroy, 1989). For that reason, the random generator must base its seed on a varying source, such as the system clock. Often the user will not find a randomly selected password acceptable because it is too difficult to memorize. This can significantly decrease the advantage of random passwords, because the user may write the password down somewhere in an effort to remember it. This may cause infinite exposure of the password, thus thwarting all attempts to maintain security. For this reason it can be helpful to give a user the option to accept or reject a password, or choose one from a list. This may increase the probability that the user will find an acceptable password.

User-defined passwords can be a positive method for assigning passwords if the users are aware of the classic weaknesses. If the password is too short, say, four digits, a potential intruder can exhaust all possible password combinations and gain access quickly. That is why every system must limit the number of tries any user can make toward entering his password successfully. If the user picks very simple passwords, potential intruders can break the system by using a list of common names or a dictionary. A dictionary of 100,000 words has been shown to raise the intruder's chance of success by 50 percent (McIlroy, 1989). Specific guidelines on how to pick passwords are important if users are allowed to pick their own passwords. Voluntary password systems should guide users to never reveal their password to other users and to change their password on a regular basis, a practice that can be enforced by the system. (The NCSC's Password Management Guideline (U.S. DOD, 1985a) represents such a guideline.)

Some form of access control must be provided to prevent unauthorized persons from gaining access to a password list and reading or modifying the list. One way to protect passwords in internal storage is by a one-way hash. The passwords of each user are stored as ciphertext. If the passwords were encrypted, per se, the key would be present and an attacker who gained access to the password file could decrypt them. When a user signs on and enters his password, the password is processed by the algorithm to produce the corresponding ciphertext. The plaintext password is immediately deleted, and the ciphertext version of the password is compared with the one stored in memory. The advantage of this technique is that passwords cannot be stolen from the computer (absent a lucky guess). However, a person obtaining unauthorized access could delete or change the ciphertext
passwords and effectively deny service. The file of encrypted passwords should be protected against unauthorized reading, to further foil attempts to guess passwords.

The longer a password is used, the more opportunities exist for exposing it. The probability of compromise of a password increases during its lifetime. This probability is considered acceptably low for an initial time period; after a longer time period it becomes unacceptably high. There should be a maximum lifetime for all passwords. It is recommended that the maximum lifetime of a password be no greater than one year (U.S. DOD, 1985a).

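Added example, not the report's code, showing the password rules above in one place: a salted one-way hash is all that is stored, a fixed number of failed tries locks the account, short, all-digit and dictionary passwords are rejected, the one-year maximum lifetime is enforced, and generated passwords come from the operating system's entropy source rather than a seedable generator. The Store, Verify, IsWeak and GeneratePassword names are assumptions, and the five-word dictionary is a constructed stand-in.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"math/big"
	"strings"
	"time"
)

const (
	maxTries    = 5                    // failed tries allowed before lockout
	maxLifetime = 365 * 24 * time.Hour // report: no greater than one year
	minLength   = 8
	alphabet    = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
)

// Constructed stand-in for a dictionary of common words and names.
var weakWords = map[string]bool{"password": true, "secret": true, "letmein": true, "qwerty": true}

// GeneratePassword draws every character from the OS entropy source, so there is
// no seed or generator state to infer from one recovered password.
func GeneratePassword(length int) (string, error) {
	var sb strings.Builder
	for i := 0; i < length; i++ {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[n.Int64()])
	}
	return sb.String(), nil
}

// IsWeak applies the classic checks: too short, digits only, or a dictionary word.
func IsWeak(pw string) bool {
	return len(pw) < minLength || strings.Trim(pw, "0123456789") == "" || weakWords[strings.ToLower(pw)]
}

// hashPassword is a salted SHA-256: one-way, so the file holds no key that would
// let a reader recover plaintext. A purpose-built password KDF would be used today.
func hashPassword(pw string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

type record struct {
	salt, digest []byte
	setAt        time.Time
	failures     int
}

// Store keeps only the hashed form; the clock is injected so lifetime is testable.
type Store struct {
	records map[string]*record
	now     func() time.Time
}

func NewStore(now func() time.Time) *Store {
	return &Store{records: map[string]*record{}, now: now}
}

func (s *Store) SetPassword(user, pw string) error {
	if IsWeak(pw) {
		return errors.New("password rejected by guidelines")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.records[user] = &record{salt: salt, digest: hashPassword(pw, salt), setAt: s.now()}
	return nil
}

// Verify returns "ok", "denied", "locked" or "expired". The entered password is
// hashed and compared with the stored hash; plaintext is never kept.
func (s *Store) Verify(user, pw string) string {
	rec, ok := s.records[user]
	if !ok {
		return "denied"
	}
	if rec.failures >= maxTries {
		return "locked"
	}
	if subtle.ConstantTimeCompare(hashPassword(pw, rec.salt), rec.digest) != 1 {
		rec.failures++
		if rec.failures >= maxTries {
			return "locked"
		}
		return "denied"
	}
	rec.failures = 0
	if s.now().Sub(rec.setAt) > maxLifetime {
		return "expired" // correct, but past its maximum lifetime: a change is required
	}
	return "ok"
}
```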
NETWORKS AND DISTRIBUTED SYSTEMS

Security Perimeters

Security is only as strong as its weakest link. The methods described above can in principle provide a very high level of security even in a very large system that is accessible to many malicious principals. But implementing these methods throughout the system is sure to be difficult and time consuming. Ensuring that they are used correctly is likely to be even more difficult. The principle of "divide and conquer" suggests that it may be wiser to divide a large system into smaller parts and to restrict severely the ways in which these parts can interact with each other.

The idea is to establish a security perimeter around part of a system and to disallow fully general communication across the perimeter. Instead, there are gates in the perimeter that are carefully managed and audited and that allow only certain limited kinds of traffic (e.g., electronic mail, but not file transfers or general network "datagrams"). A gate may also restrict the pairs of source and destination systems that can communicate through it.

It is important to understand that a security perimeter is not foolproof. If it passes electronic mail, then users can encode arbitrary programs or data in the mail and get them across the perimeter. But this is less likely to happen by mistake, and it is more difficult to do things inside the perimeter using only electronic mail than to do things using terminal connections or arbitrary network datagrams. Furthermore, if, for example, a mail-only perimeter is an important part of system security, users and managers will come to understand that it is dangerous and harmful to implement automated services that accept electronic mail requests.

As with any security measure, a price is paid in convenience and flexibility for a security perimeter: it is harder to do things across the
perimeter. Users and managers must decide on the proper balance between security and convenience.

Viruses

A computer virus is a program that
• is hidden in another program (called its host) so that it runs whenever the host program runs, and
• can make a copy of itself.

When a virus runs, it can do a great deal of damage. In fact, it can do anything that its host can do: delete files, corrupt data, send a message with a user's secrets to another machine, disrupt the operation of a host, waste machine resources, and so on. There are many places to hide a virus: the operating system, an executable program, a shell command file, or a macro in a spreadsheet or word processing program are only a few of the possibilities. In this respect a virus is just like a Trojan horse. And like a Trojan horse, a virus can attack any kind of computer system, from a personal computer to a mainframe. (Many of the problems and solutions discussed in this section apply equally well in a discussion of Trojan horses.)

A virus can also make a copy of itself, into another program or even another machine that can be reached from the current host over a network, or by the transfer of a floppy disk or other removable medium. Like a living creature, a virus can spread quickly. If it copies itself just once a day, then after a week there will be more than 50 copies (because each copy copies itself), and after a month about a billion. If it reproduces once a minute (still slow for a computer), it takes only half an hour to make a billion copies. Their ability to spread quickly makes viruses especially dangerous.

There are only two reliable methods for keeping a virus from doing harm:
• Make sure that every program is uninfected before it runs.
• Prevent an infected program from doing damage.

Keeping a Virus Out

Since a virus can potentially infect any program, the only sure way to keep it from running on a system is to ensure that every program run comes from a reliable source. In principle this can be done by administrative and physical means, ensuring that every program arrives on a disk in an unbroken wrapper from a trusted supplier. In
practice it is very difficult to enforce such procedures, because they rule out any kind of informal copying of software, including shareware, public domain programs, and spreadsheets written by a colleague. Moreover, there have been numerous instances of virus-infected software arriving on a disk freshly shrink-wrapped from a vendor. For this reason, vendors and at least one trade association (ADAPSO) are exploring ways to prevent contamination at the source. A more practical method uses digital signatures.

Informally, a digital signature system is a procedure that one can run on a computer and that should be believed when it says, "This input data came from this source" (a more precise definition is given below). With a trusted source that is believed when it says that a program image is uninfected, one can make sure that every program is uninfected before it runs by refusing to run it unless
• a certificate says, "The following program is uninfected," followed by the text of the program, and
• the digital signature system says that the certificate came from the trusted source.

Each place where this protection is applied adds to security. To make the protection complete, it should be applied by any agent that can run a program. The program image loader is not the only such agent; others include the shell, a spreadsheet program loading a spreadsheet with macros, or a word processing program loading a macro, since shell scripts, macros, and so on are all programs that can host viruses. Even the program that boots the machine should apply this protection when it loads the operating system. An important issue is distribution of the public key for verifying signatures (see "Digital Signatures," above).

Preventing Damage

Because there are so many kinds of programs, it may be hard to live with the restriction that every program must be certified as uninfected. This means, for example, that a spreadsheet cannot be freely copied into a system if it contains macros. Because it might be infected, an uncertified program that is run must be prevented from doing damage: leaking secrets, changing data, or consuming excessive resources.

Access control can do this if the usual mechanisms are extended to specify programs, or a set of programs, as well as users. For example, the form of an access control rule could be "user A running program B can read" or "set of users C running set of programs D can read and write." Then a set of uninfected programs can be defined, namely
the ones that are certified as uninfected, and the default access control rule can be "user running uninfected" instead of "user running anything." This ensures that by default an uncertified program will not be able to read or write anything. A user can then relax this protection selectively if necessary, to allow the program access to certain files or directories.

Note that strong protection on current personal computers is ultimately impossible, since they lack memory protection and hence cannot ultimately enforce access control. Yet most of the damage from viruses has involved personal computers, and protection has frequently been sought from so-called vaccine programs.

Providing and Using Vaccines

It is well understood how to implement the complete protection against viruses just described, but it requires changes in many places: operating systems, command shells, spreadsheet programs, programmable editors, and any other kinds of programs, as well as procedures for distributing software. These changes ought to be implemented. In the meantime, however, various stopgap measures can help somewhat. Generally known as vaccines, they are widely available for personal computers.

The idea behind a vaccine is to look for traces of viruses in programs, usually by searching the program images for recognizable strings. The strings may be either parts of known viruses that have infected other systems, or sequences of instructions or operating system calls that are considered suspicious. This idea is easy to implement, and it works well against known threats (e.g., specific virus programs), but an attacker can circumvent it with only a little effort. For example, many viruses now produce pseudo-random instances of themselves using encryption. Vaccines can help, but they do not provide any security that can be relied on. They are ultimately out of date as soon as a new virus or a strain of a virus emerges.

Application Gateways

What a Gateway Is

The term "gateway" has been used to describe a wide range of devices in the computer communication environment. Most devices described as gateways can be categorized as one of two major types, although some devices are difficult to characterize in this fashion.
• The term "application gateway" usually refers to devices that convert between different protocol suites, often including application functionality, for example, conversion between DECNET and SNA protocols for file transfer or virtual terminal applications.
• The term "router" is usually applied to devices that relay and route packets between networks, typically operating at layer 2 (LAN bridges) or layer 3 (internetwork gateways). These devices do not convert between protocols at higher layers (e.g., layer 4 and above).

Mail gateways, devices that route and relay electronic mail (a layer-7 application), may fall into either category. If the device converts between two different mail protocols, for example, X.400 and SMTP, then it is an application gateway as described above. In many circumstances an X.400 message transfer agent (MTA) will act strictly as a router, but it may also convert X.400 electronic mail to facsimile and thus operate as an application gateway. The multifaceted nature of some devices illustrates the difficulty of characterizing gateways in simple terms.

Gateways as Access Control Devices

Gateways are often employed to connect a network under the control of one organization (an internal network) to a network controlled by another organization (an external network such as a public network). Thus gateways are natural points at which to enforce access control policies; that is, the gateways provide an obvious security perimeter. The access control policy enforced by a gateway can be used in two basic ways:
1. Traffic from external networks can be controlled to prevent unauthorized access to internal networks or the computer systems attached to them. This means of controlling access by outside users to internal resources can help protect weak internal systems from attack.
2. Traffic from computers on the internal networks can be controlled to prevent unauthorized access to external networks or computer systems. This access control facility can help mitigate Trojan horse concerns by constraining the telecommunication paths by which data can be transmitted outside an organization, as well as supporting concepts such as release authority, that is, a designated individual authorized to communicate on behalf of an organization in an official capacity.

Both application gateways and routers can be used to enforce access control policies at network boundaries, but each has its own advantages and disadvantages, as described below.

Application Gateways as PAC Devices

Because an application gateway performs protocol translation at layer 7, it does not pass through packets at lower protocol layers. Thus, in normal operation, such a device provides a natural barrier to traffic transiting it; that is, the gateway must engage in significant explicit processing in order to convert from one protocol suite to another in the course of data transiting the device. Different applications require different protocol-conversion processing. Hence a gateway of this type can easily permit traffic for some applications to transit the gateway while preventing the transit of other traffic, simply by not providing the software necessary to perform the conversion. Thus, at the coarse granularity of different applications, such gateways can provide protection of the sort described above.

For example, an organization could elect to permit electronic mail (e-mail) to pass bidirectionally by putting in place a mail gateway while preventing interactive log-in sessions and file transfers (by not passing any traffic other than e-mail). This access control policy could also be refined to permit restricted interactive log-in, for example, that initiated by an internal user to access a remote computer system, by installing software to support the translation of the virtual terminal protocol in only one direction (outbound).
An application gateway often provides a natural point at which to require individual user identification and authentication information for finer-granularity access control. This is because many such gateways require human intervention to select services in translating from one protocol suite to another, or because the application being supported intrinsically involves human intervention, for example, virtual terminal or interactive database query. In such circumstances it is straightforward for the gateway to enforce access control on an individual user basis as a byproduct of establishing a "session" between the two protocol suites.
Not all applications lend themselves to such authorization checks, however. For example, a file transfer application may be invoked automatically by a process during off hours, and thus no human user may be present to participate in an authentication exchange. Batch database queries or updates are similarly noninteractive and might be performed when no "users" are present. In such circumstances there is a temptation to employ passwords for user identification and authentication, as though a human being were present during the activity, and the result is that these passwords are stored in files at the initiating computer system, making them vulnerable to disclosure (see "Authentication" in Chapter 3). Thus there are limitations on the use of application gateways for individual access control.
As noted elsewhere in this report, the use of cryptography to protect user data from source to destination (end-to-end encryption) is a powerful tool for providing network security. This form of encryption is typically applied at the top of the network layer (layer 3) or the bottom of the transport layer (layer 4). End-to-end encryption cannot be employed (to maximum effectiveness) if application gateways are used along the path between communicating entities. The reason is that these gateways must, by definition, be able to access protocols at the application layer, above the layer at which the encryption is employed. Hence the user data must be decrypted for processing at the application gateway and then re-encrypted for transmission to the destination (or to another application gateway). In such an event the encryption being performed is not really end-to-end.
If an application-layer gateway is part of the path for (end-to-end) encrypted user traffic, then one will, at a minimum, want the gateway to be trusted (since it will have access to the user data in clear text form). Note, however, that use of a trusted computing base (TCB) for a gateway does not necessarily result in as much security as if (uninterrupted) encryption were in force from source to destination. The physical, procedural, and emanations security of the gateway must also be taken into account, as breaches of any of these security facets could subject a user's data to unauthorized disclosure or modification. Thus it may be especially difficult, if not impossible, to achieve as high a level of security for a user's data if an application gateway is traversed as the level obtainable using end-to-end encryption in the absence of such gateways.
In the context of electronic mail the conflict between end-to-end encryption and application gateways is a bit more complex. The secure messaging facilities defined in X.400 (CCITT, 1989a) allow for encrypted e-mail to transit MTAs without decryption, but only when the MTAs are operating as routers rather than as application gateways, for example, when they are not performing "content conversion" or similar invasive services. The privacy-enhanced mail facilities developed for the TCP/IP Internet (Linn, 1989) incorporate encryption facilities that can transcend e-mail protocols, but only if the recipients are prepared to process the decrypted mail in a fashion that suggests protocol-layering violation. Thus, in the context of e-mail, only those devices that are more akin to routers than to application gateways can be used without degrading the security offered by true end-to-end encryption.
Routers as PAC Devices
Since routers can provide higher performance and greater robustness and are less intrusive than application gateways, access control facilities that can be provided by routers are especially attractive in many circumstances. Also, user data protected by end-to-end encryption technology can pass through routers without having to be decrypted, thus preserving the security imparted by the encryption. Hence there is substantial incentive to explore access-control facilities that can be provided by routers.
One way a router at layer 3 (and to a lesser extent at layer 2) can effect access control is through the use of "packet filtering" mechanisms. A router performs packet filtering by examining protocol control information (PCI) in specified fields in packets at layer 3 (and perhaps at layer 4). The router accepts or rejects (discards) a packet based on the values in the fields as compared to a profile maintained in an access-control database. For example, source and destination computer system addresses are contained in layer-3 PCI, and thus an administrator could authorize or deny the flow of data between a pair of computer systems based on examination of these address fields.
If one "peeks" into layer-4 PCI, an eminently feasible violation of protocol layering for many layer-3 routers, one can effect somewhat finer-grained access control in some protocol suites. For example, in the TCP/IP suite one can distinguish among electronic mail, virtual terminal, and several other types of common applications through examination of certain fields in the TCP header (the source and destination port numbers, which identify the service). However, one cannot ascertain which specific application is being accessed via a virtual terminal connection, and so the granularity of such access control may be more limited than in the context of application gateways. Several vendors of layer-3 routers already provide facilities of this sort for the TCP/IP community, so this is largely an existing access-control technology.
As noted above, there are limitations to the granularity of access control achievable with packet filtering. There is also a concern as to the assurance provided by this mechanism. Packet filtering relies on the accuracy of certain protocol control information in packets. The underlying assumption is that if this header information is incorrect, then packets will probably not be correctly routed or processed, but this assumption may not be valid in all cases. For example, consider an access-control policy that authorizes specified computers on an internal network to communicate with specified computers on an external network. If one computer system on the internal network can masquerade as another authorized internal system (by constructing layer-3 PCI with incorrect network addresses), then this access-control policy could be subverted. Alternatively, if a computer system on an external network generates packets with false addresses, it too can subvert the policy.
Other schemes have been developed to provide more sophisticated access-control facilities with higher assurance, while still retaining most of the advantages of router-enforced access control. For example, the VISA system (Estrin and Tsudik, 1987) requires a computer system to interact with a router as part of an explicit authorization process for sessions across organizational boundaries. This scheme also employs a cryptographic checksum applied to each packet (at layer 3) to enable the router to validate that the packet is authorized to transit the router. Because of performance concerns, it has been suggested that this checksum be computed only over the layer-3 PCI, instead of the whole packet. This would allow information surreptitiously tacked onto an authorized packet PCI to transit the router. Thus even this more sophisticated approach to packet filtering at routers has security shortcomings.
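As an added illustration (not code from the report, and not the VISA implementation), the following Python models the two router mechanisms discussed above: a stateless packet filter that decides on layer-3 addresses and layer-4 port numbers, and a per-packet cryptographic checksum computed over the header only versus over the whole packet. The internal network, ports, rules, key and packets are constructed for the demonstration, and the HMAC used as the checksum is a modern stand-in, not the mechanism in Estrin and Tsudik's paper. The filter also adds one check the report does not describe: rejecting packets that arrive on the external interface yet claim an internal source address, which is the standard defence against the external-spoofing case mentioned above.

```python
# Added example (not from the NRC report or any cited system): a toy
# stateless packet filter reading layer-3/layer-4 PCI, and a header-only
# versus whole-packet transit checksum in the spirit of the VISA shortcut.
# Network, ports, rules, key and packets are constructed for the demo.
import hashlib
import hmac
import ipaddress
import struct

SMTP, TELNET, FTP = 25, 23, 21                    # standard well-known TCP ports
INTERNAL = ipaddress.ip_network("10.1.0.0/16")    # assumed internal network

# Assumed access-control profile: mail in both directions, virtual terminal
# (telnet) outbound only, everything else denied.
# Fields: (direction, source net, destination net, destination port).
RULES = [
    ("in",  "0.0.0.0/0",   "10.1.0.0/16", SMTP),
    ("out", "10.1.0.0/16", "0.0.0.0/0",   SMTP),
    ("out", "10.1.0.0/16", "0.0.0.0/0",   TELNET),
]


def build_packet(src, dst, sport, dport, payload=b""):
    """Constructed sample: 20-byte IPv4 header (no options), 20-byte TCP
    header, then payload. Checksums are left zero, so this is not wire-valid
    traffic; it only carries the PCI fields a filter examines."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_pci(pkt):
    """Extract layer-3 PCI (addresses, protocol) and, by 'peeking' into
    layer 4 as the report describes, the TCP port numbers."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    sport = dport = None
    if proto == 6 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def filter_packet(pkt, arrived_on):
    """Return 'accept' or 'reject'; arrived_on is 'internal' or 'external'."""
    src, dst, proto, sport, dport = parse_pci(pkt)
    # Added anti-spoofing check (not in the report): nothing inside the packet
    # lets the router verify the source address, but the interface it arrived
    # on is trustworthy, so an 'internal' source seen externally is forged.
    if arrived_on == "external" and src in INTERNAL:
        return "reject"
    direction = "out" if arrived_on == "internal" else "in"
    for rdir, rsrc, rdst, rport in RULES:
        if (rdir == direction
                and src in ipaddress.ip_network(rsrc)
                and dst in ipaddress.ip_network(rdst)
                and dport == rport):
            return "accept"
    return "reject"                                # default deny


# Cryptographic transit check (illustrative stand-in, not VISA's construction).
KEY = b"constructed-demo-key"                      # assumed host/router secret


def tag_header_only(pkt):
    """The performance shortcut: checksum over the layer-3 PCI only."""
    ihl = (pkt[0] & 0x0F) * 4
    return hmac.new(KEY, pkt[:ihl], hashlib.sha256).digest()


def tag_whole_packet(pkt):
    """Checksum over the entire packet, header and payload."""
    return hmac.new(KEY, pkt, hashlib.sha256).digest()


def router_accepts(pkt, tag, tagger):
    """Router-side validation of a packet against its transit checksum."""
    return hmac.compare_digest(tagger(pkt), tag)


def checksum_demo():
    """Why a header-only checksum is insufficient: the attacker reuses the
    authorized header and its tag but swaps in a payload of the same length."""
    authorized = build_packet("10.1.2.3", "192.0.2.10", 4000, SMTP,
                              b"MAIL FROM:<a@b>")
    tampered = authorized[:40] + b"EXFIL-SECRETS!!"   # 15 bytes, like the original
    return {
        "header_only_passes_tampered": router_accepts(
            tampered, tag_header_only(authorized), tag_header_only),
        "whole_packet_passes_tampered": router_accepts(
            tampered, tag_whole_packet(authorized), tag_whole_packet),
    }
```

Two limitations of the toy are worth noting because they mirror the report's assurance concern. The filter is stateless, so the replies to an outbound telnet session would be rejected unless a further rule admits inbound packets from port 23, typically by checking the ACK bit, which again trusts a header field the sender controls. And the anti-spoofing check only catches the external forgery case; an internal host impersonating another internal host on the same interface remains invisible to address-based filtering, exactly as the text says.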
Conclusions About Gateways
Both application gateways and routers can be used to enforce access control at the interfaces between networks administered by different organizations. Application gateways, by their nature, tend to exhibit reduced performance and robustness, and are less transparent than routers, but they are essential in the heterogeneous protocol environments in which much of the world operates today. As national and international protocol standards become more widespread, there will be less need for such gateways. Thus, in the long term, it would be disadvantageous to adopt security architectures that require that interorganizational access control (across network boundaries) be enforced through the use of such gateways. The incompatibility between true end-to-end encryption and application gateways further argues against such access-control mechanisms for the long term.
However, in the short term, especially in circumstances where application gateways are required due to the use of incompatible protocols, it is appropriate to exploit the opportunity to implement perimeter access controls in such gateways. Over the long term, more widespread use of trusted computer systems is anticipated, and thus the need for gateway-enforced perimeter access control to protect these computer systems from unauthorized external access will diminish. It is also anticipated that increased use of end-to-end encryption mechanisms and associated access control facilities will provide security for end-user data traffic. Nonetheless, centrally managed access control for interorganizational traffic is a facility that may best be accomplished through the use of gateway-based access control. If further research can provide higher-assurance packet-filtering facilities in routers, the resulting system, in combination with trusted computing systems for end users and end-to-end encryption, would yield significantly improved security capabilities in the long term.
NOTES
1. See TCSEC Section 3.2.3.1.1 (U.S. DOD, 1985d).
2. To appreciate cryptography, note that we do not always understand what "information" is. Information, in the sense of semantic content, is always in the mind of the beholder and is a combination of ordinary symbols (e.g., "East Wind, Rain") or extraordinary ones (e.g., Wehrmacht beer orders) and some richer context. To differentiate, "data" is an encoding, and "information" is the (always to some degree unknowable) meaning that the encoding may or may not convey to a human observer. With regard to automata, "information" refers to data that alters the behavior of the robots.
For example, the string RDAQN QRHIH FECCA DRSWV KIKSS HSPAX CUBS conveys 34 characters of data to everyone who has "read" access to this transaction but conveys a significant amount of information only to those who know the richer context of cryptosystem and key. Readers are invited to determine the key from the substantial hint that the plaintext is THERE ARE MORE THINGS IN HEAVEN AND EARTH; solutions may be verified by transforming RCVQD ALCFV CLLLL DLSCK KRVKT BRVAO AVUA from data to information.
3. The security of RSA is not known to be provably equivalent to the problem of factoring the modulus, although that seems to be the best way to attack it.
Appendix C
Emergency Response Teams
In the aftermath of the Internet worm incident has come a flurry of attempts to anticipate the next occurrences of a virus, propagating Trojan horse, or other widespread attack. As a result, several emergency response teams offering 24-hour service have been established, including the following:
• The Computer Emergency Response Team (CERT): Formed by the Defense Advanced Research Projects Agency and centered at the Software Engineering Institute at Carnegie Mellon University, CERT provides access to technical experts around the country. CERT is intended to provide both incident-prevention and incident-response services. It was an outgrowth of the November 1988 Internet worm incident, which was managed and resolved by an informal network of Internet users and administrators. CERT was established to provide the capability for a more systematic and structured response; in particular, it is intended to facilitate communication during system emergencies. Another role that has evolved is communication with vendors about software weaknesses or vulnerabilities that have emerged through practical experience with attacks on systems. CERT draws on the computer system user and development communities, and it also coordinates with the National Institute of Standards and Technology and the National Security Agency. It sponsors workshops to involve its constituents in defining its role and to share information about perceived problems and issues (Scherlis et al., 1990).
• The Defense Data Network (DDN) Security Coordination Center (SSC): Created by the Defense Communications Agency at SRI International to serve the (unclassified) DDN community as a clearinghouse for host and user security problems and fixes, the SSC expands on the functions provided by SRI through the Network Information Center (NIC) that has served Milnet users but was not set up to address security problems. Interestingly, the SSC was launched after DARPA's CERT in recognition of the fact that there was no central clearinghouse to coordinate and disseminate security-related fixes to Milnet users (DCA, 1989).
• The Computer Incident Advisory Capability (CIAC): This capability was established by Lawrence Livermore National Laboratory to provide CERT-type services for classified and unclassified computing within the Department of Energy (DOE). The scale of DOE computer operations and attendant risks provided a strong motivation for an agency-specific mechanism; the DOE community has over 100,000 computers located at over 70 classified and unclassified sites. Like the Defense Communications Agency, DOE saw that a "central capability for analyzing events, coordinating technical solutions, ensuring that necessary information is conveyed to those who need such information, and training others to deal with computer security incidents is essential." DOE was able to draw on an established research capability in the computer security arena, at Lawrence Livermore National Laboratory (Schultz, 1990).
Because of the rapidity with which computer pest programs can spread both within the United States and worldwide, it is vital that such efforts be well informed, coordinated with one another, and ready to mobilize rapidly in emergencies. Note that none of these systems has yet been tested with a full-scale emergency on the scale of the Internet worm.
Appendix D
Models for GSSP

This section discusses three areas in which technical standards are set by the kind of private sector-public sector interaction that this committee is recommending for Generally Accepted System Security Principles (GSSP): the building codes, the Underwriters Laboratories, Inc., and the Financial Accounting Standards Board. The latter organization is responsible for what have been called Generally Accepted Accounting Principles (GAAP), a set of standards that provides a model for the GSSP proposal.
SETTING STANDARDS—PRECEDENTS

Building Codes

Building codes endeavor to establish standards for safe construction. The field is marked by extreme decentralization, with codes mandated and enforced by local municipalities. The quality of code enforcement depends on the particular code enforcement officials (Falk, 1975). The codes themselves are based on so-called model codes that are produced by a small number of competing organizations. These code-writing organizations are associations of enforcement officers and therefore can be thought of as representing the government sector exclusively. There is, however, significant private sector input into the process from the various materials suppliers and their trade associations.
Building codes contain both performance and specification standards. A pure performance standard would stipulate something like, "Walls of residences must resist the spread of fire to the degree necessary to allow occupants to escape." Such standards, because they are so difficult to evaluate (the only true test of failure would be in an actual fire), are generally recast in a testable form, such as, "Materials used in residence walls must resist an x degree fire for y minutes." Upholding even this standard requires the existence of testing capabilities that may be beyond the resources of an enforcement activity, and so the pressure from the evaluation community is for specification standards, such as, "Residence walls must be covered with a double layer of 3/4-inch sheetrock."
Performance standards are viewed as being fairer and as providing greater room for innovation, but they impose a much greater burden on the evaluators.

Building codes have been widely criticized as inhibiting innovation and raising construction costs by mandating outdated materials and labor practices. In part, this is a natural byproduct of the specification approach, which militates against new technologies that deviate from the required specifications. In some cases the problem reflects local failures to adopt the latest revisions to model codes (Falk, 1975).
Underwriters Laboratories, Inc.

Underwriters Laboratories, Inc. (UL) was established essentially by an entrepreneurial process because insurance companies could not rate the hazards resulting from new technology, in this case, electric lighting. It began as a purely private sector activity and then, because of the quality of its work, became recognized by the government. It operates as both a standard-setting and an evaluation organization, issuing its famous "Seal of Approval" to equipment and components that meet its standards (Underwriters Laboratories, Inc., 1989, 1990b). As described by one journalist,

The UL Mark … means that the equipment has been checked for potential hazards, using objective tests laid out in detailed handbooks called Standards. No federal law mandates such testing. But UL's clients, manufacturers who pay to have their products tortured and then listed by the lab, know that the Mark is an important selling point. (Williams, 1988, p. 79)
Underwriters Laboratories, Inc., has developed a preliminary draft of a software safety standard, scheduled to be completed in 1990 (Underwriters Laboratories, Inc., 1990a). It is forming an Industry Advisory Committee, open to interested parties, to assist it in drafting a formal UL standard. Burglary protection systems, motor control mechanisms (e.g., for temperature, speed), industrial computers (i.e., programmable machines), "smart" appliances, and medical devices have been identified by UL as having software that affects safety and thus should be evaluated. Note, however, that UL is a public safety organization. It does not necessarily deal with certification, verification, and so on, unless a device affects safety.
Financial Accounting Standards Board

The history of the Financial Accounting Standards Board (FASB) dates to the stock market crash of 1929 and the entry of the government into the capital markets through the establishment of the Securities and Exchange Commission (SEC). In the late 1930s, when SEC activism was at a peak, the American Institute of Certified Public Accountants formed a part-time and volunteer Accounting Practices Board to set accounting standards. The clear aim of this activity was to forestall government-mandated standards; this aim persists in FASB's own description of what causes a standard to be promulgated, where potential SEC or congressional action is explicitly mentioned as a criterion in deciding whether a new standard is needed. Overwhelmed by the changes in the financial markets in the 1960s, the Accounting Practices Board instituted a study in the early 1970s that led to the establishment of a full-time independent institute, the Financial Accounting Foundation (FAF), to oversee the FASB and the production of what have been referred to as Generally Accepted Accounting Principles (GAAP) and other standards of financial accounting and reporting for private sector organizations. Similar standards are established by a newer sister unit of the FASB for the public sector, the Government Accounting Standards Board (GASB). According to its own literature,
The mission of the Financial Accounting Standards Board is to establish and improve standards of financial accounting and reporting for the guidance and education of the public, including issuers, auditors, and users of financial information.…

The FASB develops broad accounting concepts as well as standards for financial reporting. It also provides guidance on implementation of standards.… The Board's work on both concepts and standards is based on research conducted by the FASB staff and by others. (FASB, 1990)
The Financial Accounting Foundation, FASB, and GASB serve to maintain the independence of the accounting profession by providing an effective alternative to government regulation. The effectiveness of the alternative rests on the use of standards to maintain what is called the "decision usefulness" of accounting information. In simplified form, accounting information has decision usefulness if the standards under which it was generated permit meaningful comparison of financial data from different companies that are competing for capital (e.g., from potential purchasers of common stock). Accounting standards differ from engineering standards in that they are not subject to verification by experiment (e.g., failure of a beam under loading) and their wording balances the concerns of buyers and sellers in the capital markets.
In order to achieve this balance, the FASB has established an elaborate due process for the establishment of standards. The process appears to work reasonably well; the primary criticisms levied against the FASB are those of "standards overload," in which the establishment of a full-time standards-setting body has had the not surprising outcome that a large number of standards have been established. This prolificness, combined with the large number of practicing accountants, may be one reason why the FAF has earned some $10 million in revenue from sales of publications (FAF, 1990). Also, the FASB and GASB are independent of relevant professional organizations.
At the end of its first decade the FASB received approximately 40 percent of its financial support from the accounting profession and 60 percent from outside sources such as financial institutions and banks. More recently, the FASB has run deficits, in part because it "has always had the delicate problem of having to seek contributions from the very companies it sometimes alienates" (Cowan, 1990). The FAF considers contributions as essential to its viability (FAF, 1990).
The FASB and the GAAP can be viewed as a modified or hybrid form of professional self-regulation, in which a professional community, under constant threat of government intervention, prevents that intervention by satisfactorily handling the various problems itself. The GAAP have force of law in that their use is required for financial reporting by companies that raise capital in the regulated markets. They are recognized as authoritative by the SEC (Sprouse, 1987). The SEC and the General Accounting Office maintain liaison with both the FASB and GASB.
LESSONS RELEVANT TO ESTABLISHING GSSP

Each of the undertakings discussed in this appendix offers lessons that are relevant to the concept of GSSP and the manner in which GSSP may be defined and enforced.
The experience with building codes indicates clearly that having competing standards and decentralized evaluation and enforcement is counterproductive; these factors inhibit technological progress. It is also clear that any set of standards will always have some mix of performance and specification requirements. It appears to be a fundamental principle of standards and evaluation that performance standards permit more rapid evolution than do specification standards, but at the cost of difficulty of evaluation. Note that in both building code and computer security experience, major innovations have taken some ten years to go from concept to general acceptance.
The UL experience shows that an evaluation process can be initiated in the private sector and then accepted by government, and that it is not necessary to begin such an activity with a legal or administrative mandate. The FASB is also an example of a private effort that achieved government recognition.
The FASB's history shows quite clearly that a forcing function is needed both initially and in the long term. In the case of the FASB it is the threat of government regulation of a particular profession. The experience with the FASB, and to a lesser extent the building codes, shows the importance of determining, by consensus, standards that balance the interests of all involved parties, and of setting up those standards according to a due process. The FASB's history also illustrates the importance of institutional independence in balancing pressures and criticisms from interested parties.
Those concerned with setting standards for computer security should nevertheless be cautious in drawing too close an analogy to the FASB. Computer security does not involve an organized, recognized profession whose prerogatives are threatened. Much less money is involved (at least directly), and a clear forcing function, either in the form of an initiating incident or ongoing threat of government action, is not present, although a liability crisis for system vendors, were it to develop, could serve that purpose.
Appendix E
High-grade Threats

It is impossible to build systems that are guaranteed to be invulnerable to a high-grade threat, that is, a dedicated and resourceful adversary capable of and motivated to organize an attack as an industrial rather than an individual or small-group enterprise. Such activities have historically been conducted by the intelligence-gathering activities of governments and have generally posed a threat to the confidentiality of information. The rapidly decreasing cost of computer resources, the rapid spread of computer technology, and the increased value of information-based assets make it likely that high-grade threats will be encountered from other sources and with aims other than traditional espionage. A high-grade threat is distinguished from the common "hacker" or criminal by the following characteristics:
• The threat has extensive resources in money, personnel, and technology. In particular, the threat is able to construct or acquire, by legitimate or clandestine means, a duplicate of the system under attack. The attack team can then conduct extensive analysis and experimentation without the risk that their activities will alert the administrators of the target system. The attacker may also have more powerful computer resources.
• The threat is patient and motivated. The attack resembles an entrepreneurial enterprise in that the equivalent to risk capital is raised in advance and invested in anticipation of a major future reward. The attack is conducted as a full-time, organized effort with a multidisciplinary staff, each of whom is eager to "break" the system.
• The threat is capable of exploiting a successful attack for maximum long-term gain. In particular, the attacking team is able to take extraordinary measures to keep the existence of a successful attack secret from the target.
• The threat is adept in circumventing physical and procedural safeguards and has access to clandestine technology.
• The threat will deliberately seek the most obscure vulnerability hidden in the darkest corner of the system—on the grounds that this is the one that will permit the maximum long-term exploitation.¹
The designers, implementors, and administrators of high-grade countermeasures must begin with the requirement that their system be safe from hacker or criminal attacks and then work to counter the specialized threat of large-scale, long-term, highly covert assaults. Hacker and criminal attacks must be prevented to preclude the high-grade attacker from obtaining "inside information" about the target system from cheap (if short-lived) penetrations and to ensure that the operation of the system is as stable as possible.
The functionality of system elements engineered to high-grade security standards must be even more modest than the functionality that is affordable for elements engineered to withstand hacker and criminal attacks. High-grade countermeasure engineering has traditionally been associated with communications security devices and subsystems; the committee anticipates that it will, in the future, be applied to selected computer security functions such as reference monitors. In particular, this committee does not foresee that it will ever be feasible to apply high-grade countermeasures to a multitude of system elements, since technical advances that benefit the designer of countermeasures often benefit the attacker even more.² This circumstance has important implications for the system-wide trade-offs that have to be made when a high-grade threat is considered.
The inevitability of "tunneling" attacks has to be taken into account and the analysis and control carried down to the lowest possible layer of abstraction. A tunneling attack attempts to exploit a weakness in a system that exists at a level of abstraction lower than that used by the developer to design and/or test the system. For example, an attacker might discover a way to modify the microcode of a processor that is used when encrypting some data, rather than attempting to break the system's encryption scheme. The requirement that tunneling attacks be anticipated can substantially increase the cost of high-grade countermeasures, because it can preclude the use of offshore components (in the case of national security systems) or components made by commercial rivals (in the case of industrial systems).
A higher emphasis on reliability is required, because a high-grade threat must be assumed to have the ability to monitor system behavior and take advantage of component failures. This raises cost and lengthens the schedule in several ways; for example, adding redundancy increases both hardware and software costs.
Finally, the knowledge that a high-grade threat is waiting to attack a system or component leads developers of high-grade countermeasures to surround their system development with the most extreme forms of secrecy, so as to deny the attacker lead time in analyzing the design and developing attacks. Because of the extreme cost, short "security life," and difficult tradeoffs associated with high-grade countermeasures, operations that assess a high-grade threat as possible but not likely should seriously consider strategies that focus on recovery from, rather than prevention of, attack.
NOTES
1. Designers of countermeasures who anticipate hacker or common criminal attacks can ignore large classes of vulnerabilities on the grounds that there are easier ways to attack a system, because the low-grade threat will look for the easiest way in.
2. For example, as high-speed digital encryption system chips become more readily available, they may be used to encrypt specific data channels within a computer system. However, they may also be used by attackers to build special-purpose machines capable of breaking the encryption algorithm itself.
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
Appendix F
Glossary
Access: A subject's right to use an object. Examples include read and write access for data objects, execute access for programs, or create and delete access for directory objects.
Access control: The granting or denying to a subject (principal) of certain permissions to access an object, usually done according to a particular security model.
Access control list: A list of the subjects that are permitted to access an object, and the access rights of each subject.
Access label: See Label.
Access level: A level associated with a subject (e.g., a clearance level) or with an object (e.g., a classification level).
Accountability: The concept that individual subjects can be held responsible for actions that occur within a system.
Accreditation: 1. The administrative act of approving a computer system for use in a particular application. See Certification. 2. The act of approving an organization as, for example, an evaluation facility.
Administratively directed access control (ADAC): Access control in which administrators control who can access which objects. Contrast with user-directed access control (UDAC). See Mandatory access control.
Assurance: Confidence that a system design meets its requirements, or that its implementation meets its specification, or that some specific property is satisfied.
Auditing: The process of making and keeping the records necessary to support accountability. See Audit trail analysis.
Audit trail: The results of monitoring each operation of subjects on objects; for example, an audit trail might be a record of all actions taken on a particularly sensitive file.
Audit trail analysis: Examination of an audit trail, either manually or automatically, possibly in real time (Lunt, 1988).
Authentication: Providing assurance regarding the identity of a subject or object, for example, ensuring that a particular user is who he claims to be.
Authentication sequence: A sequence used to authenticate the identity of a subject or object.
Authorization: Determining whether a subject (a user or system) is trusted to act for a given purpose, for example, allowed to read a particular file.
Availability: The property that a given resource will be usable during a given time period.
Bell and La Padula model: An information-flow security model couched in terms of subjects and objects and based on the concept that information shall not flow to an object of lesser or noncomparable classification (Bell and La Padula, 1976).
Beta testing: Use of a product by selected users before formal release.
Biba model: An integrity model in which no subject may depend on a less trusted object (including another subject) (Biba, 1975).
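The Bell and La Padula and Biba entries above, as an added example that is not part of the report: a small lattice of security levels with compartments (so that two levels can be noncomparable), with read and write checks for the Bell and La Padula flow rule and its Biba integrity counterpart. The level names, compartments and sample requests are constructed for illustration.

```python
# Added example, not code from the report: a security-level lattice and the
# flow rules of the Bell and La Padula and Biba models as the glossary states
# them. Level names, compartments and the sample requests are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed hierarchical orderings; a real system defines its own.
SENSITIVITY: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1,
                               "SECRET": 2, "TOP SECRET": 3}
INTEGRITY: Dict[str, int] = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Level:
    """A security level: a hierarchical rank plus a set of compartments.
    The same shape serves as a clearance level (subject), a classification
    level (object), or an integrity level (Biba)."""
    rank: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # Lattice order: rank at least as high AND every compartment included.
        return self.rank >= other.rank and self.compartments >= other.compartments


def level(scale: Dict[str, int], name: str, *compartments: str) -> Level:
    return Level(scale[name], frozenset(compartments))


def comparable(a: Level, b: Level) -> bool:
    """False when neither level dominates the other ("noncomparable")."""
    return a.dominates(b) or b.dominates(a)


# Bell and La Padula: information shall not flow to an object of lesser or
# noncomparable classification. Reading moves information object -> subject,
# writing moves it subject -> object.
def blp_read(clearance: Level, classification: Level) -> bool:
    """Simple security property, "no read up"."""
    return clearance.dominates(classification)


def blp_write(clearance: Level, classification: Level) -> bool:
    """Star property, "no write down": the object must dominate the subject,
    so a write to a lesser or noncomparable level is refused."""
    return classification.dominates(clearance)


# Biba: no subject may depend on a less trusted object. Reading creates a
# dependence on the object; writing makes the object depend on the subject.
def biba_read(subject_integrity: Level, object_integrity: Level) -> bool:
    """No read down: the object must be at least as trusted as the subject."""
    return object_integrity.dominates(subject_integrity)


def biba_write(subject_integrity: Level, object_integrity: Level) -> bool:
    """No write up: the subject must be at least as trusted as the object."""
    return subject_integrity.dominates(object_integrity)


def evaluate_requests() -> List[Tuple[str, bool]]:
    """Run constructed requests through both models; returns (label, allowed)."""
    analyst = level(SENSITIVITY, "SECRET", "NUC")        # subject clearance
    summary = level(SENSITIVITY, "CONFIDENTIAL")         # object classification
    plans = level(SENSITIVITY, "TOP SECRET", "NUC")
    keys = level(SENSITIVITY, "SECRET", "CRYPTO")        # noncomparable with analyst
    daemon = level(INTEGRITY, "SYSTEM")                  # subject integrity
    upload = level(INTEGRITY, "UNTRUSTED")               # object integrity
    config = level(INTEGRITY, "SYSTEM")
    return [
        ("blp read CONFIDENTIAL summary", blp_read(analyst, summary)),      # allowed
        ("blp read TOP SECRET plans", blp_read(analyst, plans)),            # read up
        ("blp read SECRET/CRYPTO keys", blp_read(analyst, keys)),           # noncomparable
        ("blp write TOP SECRET plans", blp_write(analyst, plans)),          # allowed
        ("blp write CONFIDENTIAL summary", blp_write(analyst, summary)),    # write down
        ("blp write SECRET/CRYPTO keys", blp_write(analyst, keys)),         # noncomparable
        ("biba daemon reads untrusted upload", biba_read(daemon, upload)),  # less trusted
        ("biba daemon writes system config", biba_write(daemon, config)),   # allowed
        ("analyst and keys comparable", comparable(analyst, keys)),         # no
    ]


if __name__ == "__main__":
    for label, allowed in evaluate_requests():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```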
Capability: An authenticating entity acceptable as evidence of the right to perform some operation on some object.
Certification: The administrative act of approving a computer system for use in a particular application. See Accreditation.
CESG: The Communications-Electronics Security Group of the U.K. Government Communications Headquarters (GCHQ).
Challenge-response: An authentication procedure that requires calculating a correct response to an unpredictable challenge.
Checksum: Digits or bits summed according to arbitrary rules and used to verify the integrity of data.
Ciphertext: The result of transforming plaintext with an encryption algorithm. Also known as cryptotext.
Claims language: In the ITSEC, the language that describes the desired security features of a "target of evaluation" (a product or system), and against which the product or system can be evaluated.
Clark-Wilson integrity model: An approach to providing data integrity for common commercial activities, including software engineering concepts of abstract data types, separation of privilege, allocation of least privilege, and nondiscretionary access control (Clark and Wilson, 1987).
Classification level: The security level of an object. See Sensitivity label.
Cleanroom approach: A software development process designed to reduce errors and increase productivity (Poore and Mills, 1989).
Clear text: Unencrypted text. Also known as plaintext. Contrast with ciphertext, cryptotext.
Clearance level: The security level of a subject.
CLEF: In the ITSEC, a Commercial Licensed Evaluation Facility.
CoCom: Coordinating Committee for Multilateral Export Controls, which began operations in 1950 to control export of strategic materials and technology to communist countries; participants include Australia, Belgium, Canada, Denmark, France, Germany, Greece, Italy, Japan, Luxembourg, the Netherlands, Norway, Portugal, Spain, Turkey, the United Kingdom, and the United States.
COMPUSEC: Computer security.
COMSEC: Communications security.
Confidentiality: Ensuring that data is disclosed only to authorized subjects.
Correctness: 1. The property of being consistent with a correctness criterion, such as a program being correct with respect to its system specification, or a specification being consistent with its requirements. 2. In ITSEC, a component of assurance (together with effectiveness).
Countermeasure: A mechanism that reduces the vulnerability of a threat.
Covert channel: A communications channel that allows two cooperating processes to transfer information in a manner that violates a security policy, but without violating the access control.
Criteria: Definitions of properties and constraints to be met by system functionality and assurance. See TCSEC, ITSEC.
Criticality: The condition in which nonsatisfaction of a critical requirement can result in serious consequences, such as damage to national security or loss of life. A system is critical if any of its requirements are critical.
Crypto-key: An input to an encryption device that results in cryptotext.
Cryptotext: See Ciphertext.
Data: A sequence of symbols to which meaning may be assigned. Uninterpreted information. Data can be interpreted as representing numerical bits, literal characters, programs, and so on. (The term is used often throughout this report as a collective, singular noun.) See Information.
Data Encryption Standard (DES): A popular secret-key encryption algorithm originally released in 1977 by the National Bureau of Standards.
Delegate: To authorize one subject to exercise some of the authority of another.
Denial of service: Reducing the availability of an object below the level needed to support critical processing or communication, as can happen, for example, in a system crash.
Dependability: The facet of reliability that relates to the degree of certainty that a system will operate correctly.
Dependence: The existence of a relationship in which the subject may not work properly unless the object (possibly another subject) behaves properly. One system may depend on another system.
Digital signature: Data that can be generated only by an agent that knows some secret, and hence is evidence that such an agent must have generated it.
Discretionary access control (DAC): An access-control mechanism that permits subjects to specify the access controls, subject to constraints such as changes permitted to the owner of an object. (DAC is usually equivalent to IBAC and UDAC, although hybrid DAC policies might be IBAC and ADAC.)
DTI: Department of Trade and Industry, U.K.
Dual-use system: A system with both military and civilian applications.
Effectiveness: 1. The extent to which a system satisfies its criteria. 2. In ITSEC, a component of assurance (together with correctness).
Emanation: A signal emitted by a system that is not explicitly allowed by its specification.
Evaluation: 1. The process of examining a computer product or system with respect to certain criteria. 2. The results of that process.
Feature: 1. An advantage attributed to a system. 2. A euphemism for a fundamental flaw that cannot or will not be fixed.
Firmware: The programmable information used to control the low-level operations of hardware. Firmware is commonly stored in Read-Only Memories (ROMs), which are initially installed in the factory and may be replaced in the field to fix mistakes or to improve system capabilities.
Copyright © N<strong>at</strong>ional Academy of Sciences. All rights reserved.
Formal: Having a rigorous respect for form, that is, a mathematical or logical basis.
FTLS: Formal top-level specification. (See "Security Characteristics" in Chapter 5.)
Functionality: As distinct from assurance, the functional behavior of a system. Functionality requirements include, for example, confidentiality, integrity, availability, authentication, and safety.
Gateway: A system connected to different computer networks that mediates transfer of information between them.
GCHQ: Government Communications Headquarters, U.K.
Group: A set of subjects.
Identity-based access control (IBAC): An access control mechanism based only on the identity of the subject and object. Contrast with rule-based access control. See Discretionary access control.
Implementation: The mechanism that (supposedly) realizes a specified design.
Information: Data to which meaning is assigned, according to context and assumed conventions.
Information-flow control: Access control based on restricting the flow of information into an object. See, for example, Bell and La Padula model.
INFOSEC: Information security. See also COMPUSEC and COMSEC.
Integrity: The property that an object is changed only in a specified and authorized manner. Data integrity, program integrity, system integrity, and network integrity are all relevant to consideration of computer and system security.
Integrity level: A level of trustworthiness associated with a subject or object.
Integrity policy: See Policy.
ITAR: International Traffic in Arms Regulations (Office of the Federal Register, 1990).
ITSEC: The Information Technology Security Evaluation Criteria, the harmonized criteria of France, Germany, the Netherlands, and the United Kingdom (Federal Republic of Germany, 1990).
Kernel: A most trusted portion of a system that enforces a fundamental property, and on which the other portions of the system depend.
Key: An input that controls the transformation of data by an encryption algorithm.
Label: A level associated with a subject or object and defining its clearance or classification, respectively. In TCSEC usage, the security label consists of a hierarchical security level and a nonhierarchical security category. An integrity label may also exist, consisting of a hierarchical integrity level and a nonhierarchical integrity category (Biba, 1975).
Letter bomb: A logic bomb, contained in electronic mail, that is triggered when the mail is read.
Level: 1. The combination of hierarchical and nonhierarchical components (TCSEC usage). See Security level, Integrity level. 2. The hierarchical component of a label, more precisely referred to as "hierarchical level" to avoid confusion. In the absence of nonhierarchical categories, the two definitions are identical.
Logic bomb: A Trojan horse set to trigger upon the occurrence of a particular logical event.
Mandatory access control (MAC): 1. Access controls that cannot be made more permissive by users or information sensitivity represented, for example, by security labels for subjects (general usage, roughly ADAC). 2. Access controls based on clearance and classification (TCSEC usage, roughly RBAC and ADAC). Often based on information flow rules.
Model: An expression of a policy in a form that a system can enforce, or that analysis can use for reasoning about the policy and its enforcement.
Monitoring: Recording of relevant information about each operation by a subject on an object, maintained in an audit trail for subsequent analysis.
Mutual authentication: Providing mutual assurance regarding the identity of subjects and/or objects. For example, a system needs to authenticate a user, and the user needs to authenticate that the system is genuine.
NCSC: The National Computer Security Center, part of the National Security Agency, which is part of the Department of Defense.
Node: A computer system that is connected to a communications network and participates in the routing of messages within that network. Networks are usually described as a collection of nodes that are connected by communications links.
Nondiscretionary: Equivalent to mandatory in TCSEC usage, otherwise equivalent to administratively directed access controls.
Nonrepudiation: An authentication that with high assurance can be asserted to be genuine, and that cannot subsequently be refuted.
Object: Something to which access is controlled. An object may be, for example, a system, subsystem, resource, or another subject.
Operating system: A collection of software programs intended to directly control the hardware of a computer (e.g., input/output requests, resource allocation, data management), and on which all the other programs running on the computer generally depend. UNIX, VAX/VMS, and DOS are all examples of operating systems.
Orange Book: Common name for the Department of Defense document that is the basic definition of the TCSEC, derived from the color of its cover (U.S. DOD, 1985d). The Orange Book provides criteria for the evaluation of different classes of trusted systems and is supplemented by many documents relating to its extension and interpretation. See Red Book, Yellow Book.
OSI: Open Systems Interconnection. A seven-layer networking model.
Outsourcing: The practice of procuring from external sources rather than producing within an organization.
Password: A sequence that a subject presents to a system for purposes of authentication.
Patch: A section of software code that is inserted into a program to correct mistakes or to alter the program.
Perimeter: A boundary within which security controls are applied to protect assets. A security perimeter typically includes a security kernel, some trusted-code facilities, hardware, and possibly some communications channels.
PIN: Personal identification number. Typically used in connection with automated teller machines to authenticate a user.
Plaintext: See Clear text.
Policy: An informal, generally natural-language description of desired system behavior. Policies may be defined for particular requirements, such as security, integrity, and availability.
Principal: A person or system that can be authorized to access objects or can make statements affecting access control decisions. See the equivalent, Subject.
Private key: See Secret key.
Protected subsystem: A program or subsystem that can act as a subject.
Public key: A key that is made available without concern for secrecy. Contrast with private key, secret key.
Public-key encryption: An encryption algorithm that uses a public key to encrypt data and a corresponding secret key to decrypt data.
RAMP: Rating Maintenance Phase. Part of the National Computer Security Center's product evaluation process.
Receivers: Subjects reading from a communication channel.
Red Book: The Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria, or TNI (U.S. DOD, 1987).
Reference monitor: A system component that enforces access controls on an object.
Requirement: A statement of the system behavior needed to enforce a given policy. Requirements are used to derive the technical specification of a system.
Risk: The likelihood that a vulnerability may be exploited, or that a threat may become harmful.
RSA: The Rivest-Shamir-Adleman public key encryption algorithm (Rivest et al., 1978).
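The following Python sketch is an added worked example, not part of the book's glossary, tying together the entries Digital signature, Public key, Public-key encryption and RSA. It generates an RSA key pair from two primes, encrypts with the public key and decrypts with the secret key, and produces a signature that only the holder of the secret key can generate, which is exactly what the Digital signature entry calls "evidence that such an agent must have generated it". The primes p = 61 and q = 53 are constructed toy values, the function names are the author's own, and there is no padding or hashing: this is textbook RSA for illustration only. A real deployment needs large primes, a padding scheme, and a hash of the message rather than the raw message.

```python
from math import gcd
from typing import Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def mod_inverse(a: int, m: int) -> int:
    """Return a^-1 mod m using the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def rsa_keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public_key, secret_key) for primes p and q.

    Toy-sized primes only; real keys use primes of hundreds of digits.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = mod_inverse(e, phi)  # the secret: d * e == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key: Key, m: int) -> int:
    """Anyone holding the public key can encrypt (m must be < n)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message out of range for this modulus")
    return pow(m, e, n)


def decrypt(secret_key: Key, c: int) -> int:
    """Only the holder of d can recover m."""
    n, d = secret_key
    return pow(c, d, n)


def sign(secret_key: Key, m: int) -> int:
    """Signing uses the secret exponent, so only the key holder can produce it."""
    n, d = secret_key
    return pow(m, d, n)


def verify(public_key: Key, m: int, signature: int) -> bool:
    """Anyone can check a signature with the public key alone."""
    n, e = public_key
    return pow(signature, e, n) == m % n


if __name__ == "__main__":
    pub, sec = rsa_keygen(61, 53)          # constructed toy primes
    c = encrypt(pub, 65)
    s = sign(sec, 65)
    print("n, e, d =", pub[0], pub[1], sec[1])
    print("ciphertext", c, "decrypts to", decrypt(sec, c))
    print("signature valid:", verify(pub, 65, s), "on altered message:", verify(pub, 66, s))
```

Note that with unpadded RSA as above, encryption and signing are the same modular exponentiation with the exponents swapped; that symmetry is why a practical scheme never signs or encrypts raw integers, and why the secret exponent d (and the primes) must never leave the signer.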
Rule-based access control (RBAC): Access control based on specific rules relating to the nature of the subject and object, beyond just their identities, such as security labels. Contrast with identity-based access control. See Mandatory access control.
Safety: The property that a system will satisfy certain criteria related to the preservation of personal and collective safety.
Secrecy: See Confidentiality.
Secret: Known at most to an authorized set of subjects. (A real secret is possible only when the size of the set is one or less.)
Secret key: A key that is kept secret. Also known as a private key.
Secret-key encryption: An encryption algorithm that uses only secret keys. Also known as private-key encryption.
Secure channel: An information path in which the set of all possible senders can be known to the receivers, or the set of all possible receivers can be known to the senders, or both.
Security: 1. Freedom from danger; safety. 2. Computer security is protection of data in a system against disclosure, modification, or destruction, and protection of the computer systems themselves. Safeguards can be both technical and administrative. 3. The property that a particular security policy is enforced, with some degree of assurance. 4. Often used in a restricted sense to signify confidentiality, particularly in the case of multilevel security.
Security level: A clearance level associated with a subject, or a classification level (or sensitivity label) associated with an object.
Security policy: See Policy.
Sender: A subject writing to a channel.
Sensitivity label: A security level (i.e., a classification level) associated with an object.
Separation of duty: A principle of design that separates functions with differing requirements for security or integrity into separate protection domains. Separation of duty is sometimes implemented as an authorization rule specifying that two or more subjects are required to authorize an operation.
Shareware: Software offered publicly and shared rather than sold.
Signature: See Digital signature.
Simple security property: An information-flow rule stating that a subject at a given security level can read only from an object with a security label that is the same or lower (Bell and La Padula, 1976).
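As an added example (not from the book), the Python below puts the entries Label, Level, Security level, Reference monitor, Monitoring and Simple security property together in working code. A label is a hierarchical level plus a set of nonhierarchical categories, as the Label entry describes for TCSEC usage; one label dominates another when its level is at least as high and its category set is a superset. The reference monitor mediates every read request with the simple security property (read only from an object whose label is the same or lower, i.e. whose label the subject's clearance dominates) and records each decision in an audit trail. Only reads are mediated because only the simple security property is defined on this page. The level names, subjects, objects and categories are constructed sample data and the class and function names are the author's own.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Hierarchical security levels, lowest to highest (constructed sample ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus nonhierarchical categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as high as other in level AND holds
        every category other holds.  Categories are a lattice, not a ladder:
        SECRET/{NUCLEAR} does not dominate SECRET/{CRYPTO}."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


AuditRecord = Tuple[str, str, str, str]  # (subject, operation, object, decision)


@dataclass
class ReferenceMonitor:
    """Mediates every read request and keeps an audit trail of each decision."""
    clearances: Dict[str, Label]       # subject -> clearance label
    classifications: Dict[str, Label]  # object  -> classification (sensitivity) label
    audit_trail: List[AuditRecord] = field(default_factory=list)

    def read(self, subject: str, obj: str) -> bool:
        clearance = self.clearances[subject]
        classification = self.classifications[obj]
        # Simple security property: a subject may read an object only if the
        # object's label is the same as or lower than the subject's clearance.
        allowed = clearance.dominates(classification)
        self.audit_trail.append((subject, "read", obj, "GRANT" if allowed else "DENY"))
        return allowed


def make_demo_monitor() -> ReferenceMonitor:
    """Constructed sample subjects and objects (not taken from the book)."""
    nuclear = frozenset({"NUCLEAR"})
    crypto = frozenset({"CRYPTO"})
    return ReferenceMonitor(
        clearances={
            "alice": Label("SECRET", nuclear),
            "bob": Label("CONFIDENTIAL"),
        },
        classifications={
            "memo": Label("CONFIDENTIAL"),
            "report": Label("SECRET", nuclear),
            "plan": Label("SECRET", crypto),
        },
    )


if __name__ == "__main__":
    rm = make_demo_monitor()
    for subject, obj in [("alice", "memo"), ("alice", "report"),
                         ("alice", "plan"), ("bob", "report")]:
        rm.read(subject, obj)
    for record in rm.audit_trail:
        print(record)
```

The case to notice is "alice" reading "plan": both labels are SECRET, yet the read is denied because her clearance lacks the CRYPTO category. That is the difference between the two senses of the Level entry above; comparing hierarchical levels alone would wrongly grant the access.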
Smart card: A small computer in the shape of a credit card. Typically used to identify and authenticate its bearer, although it may have other computational functions.
Source code: The textual form in which a program is entered into a computer (e.g., FORTRAN).
Specification: A technical description of the desired behavior of a system, as derived from its requirements. A specification is used to develop and test an implementation of a system.
Spoofing: Assuming the characteristics of another computer system or user, for purposes of deception.
State: An abstraction of the total history of a system, usually in terms of state variables. The representation can be explicit or implicit.
State machine: In the classical model of a state machine, the outputs and the next state of the machine are functionally dependent on the inputs and the present state. This model is the basis for all computer systems.
STU-III: A secure telephone system using end-to-end private-key encryption.
Stub: An artifact, usually software, that can be used to simulate the behavior of parts of a system. It is usually used in testing software that relies on those parts of the system simulated by the stub. Stubs make it possible to test a system before all parts of it have been completed.
Subject: An active entity (e.g., a process or device acting on behalf of a user, or in some cases the actual user) that can make a request to perform an operation on an object. See the equivalent, Principal.
System
1. A state machine, that is, a device that, given the current state and inputs, yields a set of outputs and a new state (see State machine). 2. An interdependent collection of components that can be considered as a unified whole, for example, a networked collection of computer systems, a distributed system, a compiler or editor, a memory unit, and so on.
TCB
See Trusted computing base.
TCSEC
The Department of Defense Trusted Computer System Evaluation Criteria (U.S. DOD, 1985d). See Orange Book.
Tempest
U.S. government rules for limiting compromising signals (emanations) from electrical equipment.
Threat
The potential for exploitation of a vulnerability.
Time bomb
A Trojan horse set to trigger at a particular time.
Token
When used in the context of authentication, a physical device necessary for user identification.
Token authenticator
A pocket-sized computer that can participate in a challenge-response authentication scheme. The authentication sequences are called tokens.
Trapdoor
A hidden flaw in a system mechanism that can be triggered to circumvent the system's security.
Trojan horse
A computer program whose execution would result in undesired side effects, generally unanticipated by the user. A Trojan horse program may otherwise give the appearance of providing normal functionality.
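The challenge-response exchange that the Token authenticator entry refers to, shown as an added example that is not part of the book: the verifying system issues a fresh random challenge, the pocket device computes a response over it with a key shared at enrollment, and the system checks that response once. The book names no particular algorithm; HMAC-SHA256 is assumed here. The class and function names (TokenAuthenticator, Verifier, compute_response, run_demo), the demo key and the 8-hex-digit response length are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared between the token and the verifying system.
# In a real deployment it is provisioned at enrollment and never leaves the device.
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

RESPONSE_DIGITS = 8  # demo choice: short enough to read off a pocket device


def compute_response(key: bytes, challenge: bytes) -> str:
    """Response = HMAC-SHA256(key, challenge), truncated to a short code.

    Truncation shortens what the user must type, but also what an attacker
    must guess, so a real verifier rate-limits failed attempts.
    """
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()[:RESPONSE_DIGITS]


class TokenAuthenticator:
    """The pocket-sized device: holds the key and answers challenges."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> str:
        return compute_response(self._key, challenge)


class Verifier:
    """The system side: issues one-time challenges and checks the responses."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}      # user -> key provisioned at enrollment
        self._pending: dict[str, bytes] = {}   # user -> outstanding challenge

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        # A fresh random challenge per attempt is what defeats replay: a captured
        # response is worthless because the verifier never repeats a challenge.
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)  # consumed whether or not it matches
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = compute_response(key, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_demo() -> dict[str, bool]:
    """Exercises a good login, a replayed response, and a token holding the wrong key."""
    verifier = Verifier()
    verifier.enroll("alice", DEMO_KEY)
    alice_token = TokenAuthenticator(DEMO_KEY)
    wrong_token = TokenAuthenticator(bytes(16))  # constructed: a key never enrolled

    results: dict[str, bool] = {}
    c1 = verifier.challenge("alice")
    r1 = alice_token.respond(c1)
    results["correct_token_accepted"] = verifier.verify("alice", r1)

    # Replaying the same response after its challenge was consumed must fail.
    results["replay_rejected"] = not verifier.verify("alice", r1)

    # A fresh challenge answered with the wrong key must fail.
    c2 = verifier.challenge("alice")
    results["wrong_key_rejected"] = not verifier.verify("alice", wrong_token.respond(c2))

    # Each response is bound to its own challenge, so responses to different challenges differ.
    c3 = verifier.challenge("alice")
    results["response_bound_to_challenge"] = alice_token.respond(c3) != alice_token.respond(c2)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The detail a practitioner should take from this is that the verifier discards each challenge after one use, so an eavesdropper who records a valid "token" (the book's term for the authentication sequence) gains nothing, and that the shared key itself is never transmitted.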
Trust
Belief that a system meets its specifications.
Trusted computing base (TCB)
A portion of a system that enforces a particular policy. The TCB must be resistant to tampering and circumvention. Under the TCSEC, it must also be small enough to be analyzed systematically. A TCB for security is part of the security perimeter.
Trusted system
A system believed to enforce a given set of attributes to a stated degree of assurance (confidence).
Trustworthiness
Assurance that a system deserves to be trusted.
Tunneling attack
An attack that attempts to exploit a weakness in a system at a low level of abstraction.
User authentication
Assuring the identity of a user. See Authorization.
User-directed access control (UDAC)
Access control in which users (or subjects generally) may alter the access rights. Such alterations may, for example, be restricted to certain individuals by the access controls, for example, limited to the owner of an object. Contrast with administratively directed access control. See Discretionary access control.
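The contrast the UDAC entry draws, as an added example in Python that is not part of the book: one policy in which the owner of an object may alter its access rights, beside one in which only designated administrators may. The class and function names (Resource, UserDirectedAccessControl, AdministrativelyDirectedAccessControl, has_right, run_demo), the users alice, bob, carol and root, and the file names are constructed for the illustration; the rights model (per-object lists of subject to rights, owner seeded with read and write) is an assumption, not something the book specifies.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a subject tries to change rights it is not allowed to change."""


@dataclass
class Resource:
    """An object with an access control list: subject -> set of rights."""
    name: str
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Constructed model: the owner starts with full rights on its own object.
        self.acl.setdefault(self.owner, {"read", "write"})


def has_right(res: Resource, subject: str, right: str) -> bool:
    """Reference-monitor check: every access is decided by the ACL alone."""
    return right in res.acl.get(subject, set())


class UserDirectedAccessControl:
    """UDAC: the owner of an object may alter its access rights (discretionary)."""

    def grant(self, actor: str, res: Resource, subject: str, right: str) -> None:
        if actor != res.owner:
            raise AccessDenied(f"{actor} is not the owner of {res.name}")
        res.acl.setdefault(subject, set()).add(right)

    def revoke(self, actor: str, res: Resource, subject: str, right: str) -> None:
        if actor != res.owner:
            raise AccessDenied(f"{actor} is not the owner of {res.name}")
        res.acl.get(subject, set()).discard(right)


class AdministrativelyDirectedAccessControl:
    """Contrast: only designated administrators may alter rights; ownership confers no such power."""

    def __init__(self, admins: set[str]) -> None:
        self._admins = set(admins)

    def grant(self, actor: str, res: Resource, subject: str, right: str) -> None:
        if actor not in self._admins:
            raise AccessDenied(f"{actor} is not an administrator")
        res.acl.setdefault(subject, set()).add(right)

    def revoke(self, actor: str, res: Resource, subject: str, right: str) -> None:
        if actor not in self._admins:
            raise AccessDenied(f"{actor} is not an administrator")
        res.acl.get(subject, set()).discard(right)


def run_demo() -> dict[str, bool]:
    """Constructed scenario: alice owns the objects; bob and carol are other users; root administers."""
    results: dict[str, bool] = {}

    # User-directed: the owner decides who else may read.
    udac = UserDirectedAccessControl()
    payroll = Resource(name="payroll.txt", owner="alice")
    udac.grant("alice", payroll, "bob", "read")
    results["udac_owner_grant_works"] = has_right(payroll, "bob", "read")
    results["udac_no_right_unless_granted"] = not has_right(payroll, "bob", "write")
    try:
        udac.grant("bob", payroll, "carol", "read")  # bob is not the owner
        results["udac_nonowner_grant_denied"] = False
    except AccessDenied:
        results["udac_nonowner_grant_denied"] = True
    udac.revoke("alice", payroll, "bob", "read")
    results["udac_owner_revoke_works"] = not has_right(payroll, "bob", "read")

    # Administratively directed: even the owner cannot change rights.
    adac = AdministrativelyDirectedAccessControl(admins={"root"})
    ledger = Resource(name="ledger.db", owner="alice")
    try:
        adac.grant("alice", ledger, "bob", "read")  # owner, but not an administrator
        results["adac_owner_grant_denied"] = False
    except AccessDenied:
        results["adac_owner_grant_denied"] = True
    adac.grant("root", ledger, "bob", "read")
    results["adac_admin_grant_works"] = has_right(ledger, "bob", "read")
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The caveat worth keeping in mind: under the user-directed policy the grant is authorized by the identity of the acting subject, so any program executing on the owner's behalf can make the same change. That is the reason the glossary sets UDAC against administratively directed control, where the decision is taken out of ordinary users' hands.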
Vaccine
A program that attempts to detect and disable viruses.
Virus
A program, typically hidden, that attaches itself to other programs and has the ability to replicate. In personal computers, "viruses" are generally Trojan horse programs that are replicated by inadvertent human action. In general computer usage, viruses are more likely to be self-replicating Trojan horses.
Vulnerability
A weakness in a system that can be exploited to violate the system's intended behavior. There may be security, integrity, availability, and other vulnerabilities. The act of exploiting a vulnerability represents a threat, which has an associated risk of being exploited.
Worm attack
A worm is a program that distributes itself in multiple copies within a system or across a distributed system. A worm attack is a worm that may act beyond normally permitted behavior, perhaps exploiting security vulnerabilities or causing denial of service.
Yellow Book
The Department of Defense Technical Rationale Behind CSC-STD-003-85 (U.S. DOD, 1985b). Guidance for applying the TCSEC to specific environments.
ZSI
Zentralstelle für Sicherheit in der Informationstechnik. The German Information Security Agency (GISA).
Appendix G
List of Members of the Former Commission on Physical Sciences, Mathematics, and Resources
NORMAN HACKERMAN, Robert A. Welch Foundation, Chairman
ROBERT C. BEARDSLEY, Woods Hole Oceanographic Institution
B. CLARK BURCHFIEL, Massachusetts Institute of Technology
GEORGE F. CARRIER, Harvard University
RALPH J. CICERONE, National Center for Atmospheric Research
HERBERT D. DOAN, The Dow Chemical Company (retired)
PETER S. EAGLESON, Massachusetts Institute of Technology
DEAN E. EASTMAN, IBM T.J. Watson Research Center
MARYE ANNE FOX, University of Texas
GERHART FRIEDLANDER, Brookhaven National Laboratory
LAWRENCE W. FUNKHOUSER, Chevron Corporation (retired)
PHILLIP A. GRIFFITHS, Duke University
NEAL F. LANE, Rice University
CHRISTOPHER F. McKEE, University of California at Berkeley
RICHARD S. NICHOLSON, American Association for the Advancement of Science
JACK E. OLIVER, Cornell University
JEREMIAH P. OSTRIKER, Princeton University Observatory
PHILIP A. PALMER, E.I. du Pont de Nemours & Company
FRANK L. PARKER, Vanderbilt University
DENIS J. PRAGER, MacArthur Foundation
DAVID M. RAUP, University of Colorado
ROY F. SCHWITTERS, Superconducting Super Collider Laboratory
LARRY L. SMARR, University of Illinois at Urbana-Champaign
KARL K. TUREKIAN, Yale University