Cybersecurity Today and Tomorrow

Download Cybersecurity Today and Tomorrow

Post on 18-Dec-2016




0 download

Embed Size (px)


  • Computer Science and Telecommunications Board

    Division on Engineering and Physical Sciences

    National Research Council



    CybersecurityTODAY andTOMORROW

  • NATIONAL ACADEMY PRESS 2101 Constitution Avenue, N.W. Washington, D.C. 20418

    NOTICE: The projects that are the basis of this synthesis report were approved bythe Governing Board of the National Research Council, whose members are drawnfrom the councils of the National Academy of Sciences, the National Academy ofEngineering, and the Institute of Medicine. The members of the committees re-sponsible for the final reports of these projects and of the board that produced thissynthesis were chosen for their special competences and with regard for appropri-ate balance.

    Core support for the Computer Science and Telecommunications Board(CSTB) is provided by its public and private sponsors, which include federalagencies (the Air Force Office of Scientific Research, Defense Advanced ResearchProjects Agency, Department of Energy, National Aeronautics and Space Admin-istration, National Institute of Standards and Technology, National Library ofMedicine, National Science Foundation, and the Office of Naval Research); theVadasz Family Foundation; and an evolving mix of charitable corporate and indi-vidual contributions. Sponsors enable but do not influence CSTBs work. Anyopinions, findings, conclusions, or recommendations expressed in this publica-tion are those of the authors and do not necessarily reflect the views of the organi-zations or agencies that provide support for CSTB.

    International Standard Book Number 0-309-08312-5

    Additional copies of this report are available from the Computer Science andTelecommunications Board, National Research Council, 2101 Constitution Av-enue, N.W., Washington, DC 20418. Call 202-334-2605 or e-mail the CSTB This report is also available online at .

    Copyright 2002 by the National Academy of Sciences. All rights reserved.

    Printed in the United States of America

    Suggested citation: Computer Science and Telecommunications Board, Cyber-security Today and Tomorrow: Pay Now or Pay Later, National Academy Press, Wash-ington, D.C., 2002.

    The National Academies intend for this document to be disseminated as far andas widely as possible, and you are encouraged to do so. To obtain permission toreproduce, reprint, or disseminate this document or portions of it (and it is theintent of the National Academies to grant such permission for noncommercialpurposes routinely and promptly), please apply in writing to Dick Morris, Per-missions Manager, National Academy Press, by e-mail ( or fax(202-334-2793), or phone 202-334-3335 for further information.

  • The National Academy of Sciences is a private, nonprofit, self-perpetuating soci-ety of distinguished scholars engaged in scientific and engineering research, dedi-cated to the furtherance of science and technology and to their use for the generalwelfare. Upon the authority of the charter granted to it by the Congress in 1863,the Academy has a mandate that requires it to advise the federal government onscientific and technical matters. Dr. Bruce M. Alberts is president of the NationalAcademy of Sciences.

    The National Academy of Engineering was established in 1964, under the charterof the National Academy of Sciences, as a parallel organization of outstandingengineers. It is autonomous in its administration and in the selection of its mem-bers, sharing with the National Academy of Sciences the responsibility for advis-ing the federal government. The National Academy of Engineering also sponsorsengineering programs aimed at meeting national needs, encourages educationand research, and recognizes the superior achievements of engineers. Dr. Wm. A.Wulf is president of the National Academy of Engineering.

    The Institute of Medicine was established in 1970 by the National Academy ofSciences to secure the services of eminent members of appropriate professions inthe examination of policy matters pertaining to the health of the public. TheInstitute acts under the responsibility given to the National Academy of Sciencesby its congressional charter to be an adviser to the federal government and, uponits own initiative, to identify issues of medical care, research, and education.Dr. Kenneth I. Shine is president of the Institute of Medicine.

    The National Research Council was organized by the National Academy of Sci-ences in 1916 to associate the broad community of science and technology withthe Academys purposes of furthering knowledge and advising the federal gov-ernment. Functioning in accordance with general policies determined by the Acad-emy, the Council has become the principal operating agency of both the NationalAcademy of Sciences and the National Academy of Engineering in providingservices to the government, the public, and the scientific and engineering commu-nities. The Council is administered jointly by both Academies and the Institute ofMedicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chairman and vicechairman, respectively, of the National Research Council.

    National Academy of SciencesNational Academy of EngineeringInstitute of MedicineNational Research Council

  • iv


    DAVID D. CLARK, Massachusetts Institute of Technology, ChairDAVID BORTH, Motorola LabsJAMES CHIDDIX, AOL Time WarnerJOHN M. CIOFFI, Stanford UniversityELAINE COHEN, University of UtahW. BRUCE CROFT, University of Massachusetts at AmherstTHOMAS E. DARCIE, AT&T Labs ResearchJOSEPH FARRELL, University of California at BerkeleyJEFFREY M. JAFFE, Bell Laboratories, Lucent TechnologiesANNA KARLIN, University of WashingtonBUTLER W. LAMPSON, Microsoft CorporationEDWARD D. LAZOWSKA, University of WashingtonDAVID LIDDLE, U.S. Venture PartnersTOM M. MITCHELL, Carnegie Mellon UniversityDONALD NORMAN, Nielsen Norman GroupDAVID A. PATTERSON, University of California at BerkeleyHENRY (HANK) PERRITT, Chicago-Kent College of LawBURTON SMITH, Cray Inc.TERRY SMITH, University of California at Santa BarbaraLEE SPROULL, New York UniversityJEANNETTE M. WING, Carnegie Mellon University

    MARJORY S. BLUMENTHAL, DirectorHERBERT S. LIN, Senior ScientistALAN S. INOUYE, Senior Program OfficerJON EISENBERG, Senior Program OfficerLYNETTE I. MILLETT, Program OfficerCYNTHIA PATTERSON, Program OfficerSTEVEN WOO, Program OfficerDAVID PADGHAM, Research AssociateJANET BRISCOE, Administrative OfficerMARGARET HUYNH, Senior Project AssistantDAVID DRAKE, Senior Project AssistantJANICE SABUDA, Senior Project AssistantJENNIFER BISHOP, Senior Project AssistantBRANDYE WILLIAMS, Staff Assistant

    NOTE: For more information on CSTB, see its Web site at , orwrite to CSTB, National Research Council, 2101 Constitution Avenue, N.W., Washington,DC 20418, call at (202) 334-2605, or e-mail the CSTB at

  • v


    Starting with the publication of the report Computers at Risk: Safe Com-puting in the Information Age in 1991 (National Academy Press, Washing-ton, D.C.), the Computer Science and Telecommunications Board (CSTB)has examined the issue of computer and communications security a num-ber of times, from a number of perspectives. While there has beenprogress in security, it is a sad commentary on the state of the world thatwhat CSTB wrote more than 10 years ago is still timely and relevant. Forthose who work in computer security, there is a deep frustration thatresearch and recommendations do not seem to translate easily into de-ployment and utilization.

    The events of September 11, 2001, suggestindeed demandthat wetake a renewed look at the security and robustness of our nations infra-structure. Now, if ever, we see the importance of having critical systemsresistant to attack and serviceable in times of crisis. From our telephonesystem to air traffic control to the Internet, we will be greatly harmed ifthese systems fail us just when we need them most.

    The vulnerabilities are not new, only freshly brought into focus. Andthe approaches that will mitigate these threats are not unknown, onlyunderutilized. So CSTB has taken the approach of drawing on its pastwork to point out that much of what we need to do is available to us now,if only we choose to act.

    The staff of the CSTB have assembled this report from the broad baseof its existing reports. Herb Lin deserves special thanks for the effortnecessary to produce this report quickly.

    David D. Clark, ChairComputer Science andTelecommunications Board

  • vii

    Acknowledgment of Reviewers

    This report was reviewed in draft form by individuals chosen fortheir diverse perspectives and technical expertise, in accordance with pro-cedures approved by the National Research Councils (NRCs) ReportReview Committee. The purpose of this independent review is to pro-vide candid and critical comments that will assist the institution in mak-ing the published report as sound as possible and to ensure that the reportmeets institutional standards for objectivity, evidence, and responsive-ness to the study charge. The review comments and draft manuscriptremain confidential to protect the integrity of the deliberative process.We wish to thank the following individuals for their participation in thereview of this report:

    Steven Bellovin, AT&T Labs Research,Thomas Berson, Anagram Laboratories,John Davis, Mitretek Systems Inc.,Carl Landwehr, National Science Foundation,Fred Schneider, Cornell University, andWillis Ware, RAND Corporation.

    Although the reviewers listed above have provided many construc-tive comments and suggestions, they were not asked to endorse the con-clusions or recommendations, nor did they see the final draft of the reportbefore