SECURE COMMUNICATIONS
TUESDAY, FEBRUARY 11, 1997
U.S. House of Representatives,
Committee on Science,
Subcommittee on Technology,
Washington, DC.
The Committee met at 10 a.m. in room 2318 of the Rayburn House Office Building, Hon. Vernon J. Ehlers presiding.
Mr. EHLERS (presiding). I would like to call this meeting to order.
My name is Vernon Ehlers. I am Vice Chair of the Science Committee. I am sitting in for Congresswoman Morella who chairs the Subcommittee on Technology. She unexpectedly was called to a meeting at the White House, and those type of summons we normally obey. So she will be here as soon as possible and I will be happy to relinquish the chair to her at that time.
However, we did not want to delay the hearing, or the briefing, and therefore I will be chairing this until such time as Congresswoman Morella arrives.
I certainly want to welcome everyone to this briefing. I particularly want to welcome the panel. I thank you very much for your willingness to appear and to testify on the important issue of communications security.
This is a very, very difficult topic. One of the prices we pay for living in a country with the freedoms we have is that we are constantly endangered by people who take advantage of those freedoms to engage in nefarious acts of one sort or another.
Computer hackers of course are the most notorious and the most widely publicized in terms of computer security, but there are many other types of security risks. The espionage that companies may engage in; and of course also the espionage that terrorists or foreign enemies may engage in. These are all a part of it.
In addition, security of telephone lines is a matter of concern and particularly security of cellular transmissions. So there are many areas of life today where individuals are very much worried about their privacy and their security.
Something else that receives virtually no publicity but which is equally important, particularly in the world of commerce and government, is the authenticity of the messages being transmitted. And again that is--although the public has little knowledge of the concern in that area--a major concern.
I believe it is a very important topic that has to be examined. Both the Congress and the public have to be informed about the nature of security risks and some of the problems we have, the issues of privacy that are related to that, and therefore I am very pleased that Congresswoman Morella and Donna Farmer, the aide most responsible for this, I am pleased they have put this forum together. This will provide an opportunity for us to examine these issues in depth.
The format of the briefing will be that each of the panelists will have 10 minutes to present their viewpoint. The intent is not to interrupt with any questions until they have all completed their statements.
If, however, a Member happens to have a burning question and has to leave for another appointment, we might give them a brief opportunity to ask that question, but the intent is to proceed directly through the panel and take all questions afterwards.
I am pleased to welcome Representative Tom Davis from the Virginia area, and also I see Representative Goodlatte arriving who is on the Judiciary Committee but has sponsored a bill on encryption which I am pleased to co-sponsor, and we have worked on that issue together. He also deals with other computer security issues.
The panel before us is a very distinguished panel. I will give brief introductions for all of them at this point and then we will proceed rapidly through their presentations.
First we have Dr. Daniel Geer who has appeared before us once before as a panelist on our November 26th briefing on encryption. He is the Director of Engineering for Open Market, Incorporated, and was in charge of the MIT team that developed Kerberos during Project Athena in the late 1980's. This technology is widely enough adopted to approach a de facto standard for remote authentication in client/server environments.
He will be discussing how computer security relates to electronic commerce and the importance of trust in a digital economy.
Next we will have Mr. Daniel Lynch who founded the Interop Trade Show that yearly teaches over 300,000 computer systems people how to get their computers to talk to each other over the Internet. He also co-founded CyberCash, an early leader in electronic commerce payment, and Pretty Good Privacy--which is one of my favorite titles--the leading supplier of electronic message security.
He will focus on the interoperability and how all of these issues fit together.
Mr. Tsutomu Shimomura is a Senior Fellow at the San Diego Supercomputer Center and, with John Markoff, co-author of TAKEDOWN, a book which chronicles his pursuit of computer criminal Kevin Mitnick--and I am sure most of you have heard about that. The rights to his story have recently been sold to a major motion picture studio--and you have my sincere sympathies for engaging in that activity and getting involved in that world.
[Laughter.]
Mr. EHLERS. Mr. Shimomura is an expert in cellular and wireless security. He will be discussing issues relating to telecom security and its pervasive implications.
Next will be Mr. Geoff Mulligan who is a Senior Staff Engineer in the Security Products Group at SunSoft and is principal architect for Sun's premier firewall product ''Sunscreen'' as well as a founding member of the Internet Commerce Group.
Prior to joining Sun, Mr. Mulligan worked at Digital's Network Systems Laboratory developing the DEC SEAL firewall, developing networking courseware, and researching e-mail issues.
He will be discussing inter- and intra-organizational security and the role of ''containment.''
Next will be Mr. Daniel Farmer who is an independent security consultant and co-author of the well-known SATAN software which aggressively audits the security of network computer systems.
He recently released a survey paper entitled, ''Shall We Dust Moscow?'' which discusses the current state of the Internet security.
He has worked at CERT, which is an acronym for the Computer Emergency Response Team. He has done security consulting and vulnerability assessments, as well as at Sun Microsystems and Silicon Graphics.
He will be discussing the role of security tools and their relation to the larger context of security.
Our final witness will be Dr. Eugene Spafford. Dr. Spafford is an Associate Professor of Computer Sciences at Purdue University. He is the founder and director of the world's largest academic research group dedicated to information security R&D: the COAST Laboratory at Purdue University.
He has been actively involved in computer and network security for 15 years. He is co-author of one of the most widely cited computer security books and a frequent lecturer.
He will be discussing what education can lend to this process.
Before we go to the panel, let me introduce the other Congresspersons who have arrived. I see Congresswoman Lynn Rivers from Ann Arbor, Michigan, the finest State in the Union----
Ms. RIVERS. We could say----
Mr. EHLERS. Yes, right, and one of the finest universities, exceeded only by Berkeley, of course.
[Laughter.]
Mr. EHLERS. And also Congresswoman Eddie Bernice Johnson from Texas. You have, I believe, the Space Center close to your area?
Ms. JOHNSON. It is in Texas.
Mr. EHLERS. Yes, it is in Texas. I know that.
[Laughter.]
Mr. EHLERS. She has also had a keen interest in science and technology issues because of the strength of those issues in Texas.
We welcome you all. We welcome the panel, and we will now proceed with the testimony.
Dr. Geer?
STATEMENT OF DANIEL GEER, Ph.D., DIRECTOR OF ENGINEERING, OPEN MARKET, INC., CAMBRIDGE, MASSACHUSETTS
Mr. GEER. Good morning----
Mr. EHLERS. Could you turn on your microphone, please?
Mr. GEER. Of course.
Mr. EHLERS. Thank you.
Mr. GEER. I want to give a bit of an overview that the other members of the panel will elaborate on. It is relatively simple. In fact, it is intended to be simple. I think if we cannot discuss this in simple terms, we are never going to get anywhere.
The conversion of much of the physical world to an electronic one, whether we are talking about government or business is simply inevitable. I would like to think that was a nondebatable point as we go forward here. It is just simply inevitable. It is already underway. The force of economy makes it so. There is no turning back.
It will proceed in some locations faster than in others, but it is already well underway and it is simply a fact of nature.
It changes everything. Conversion of the physical world to an electronic one changes most everything that we know about, and yet at the same time in some odd sense it changes nothing.
The issues that are important to us in the physical world, whether it is trust or the ability to communicate with a counterparty and know whom you are talking to; the ability to have some recourse if things go awry; the ability to find the resources that you are looking for; all of those sorts of issues which were well familiar to us in the physical world also are issues in the electronic world.
The question at hand is: How do we get from here to there?
There are only three requirements, to my way of thinking, for an electronic world to happen. Two of the three of those are already well understood. It is the third one that is the issue of the panel today.
The first one is: You have to have network connectivity. You have to have the ability to participate in the first place. The wire has to reach where you are. There has been a lot of progress in the last few years on that. The rate of growth of the Internet, which is chronicled in the lay press and the trade press alike, illustrates this point very well. It is almost growing so fast that we do not know how to even hand out the network addresses, how to hand out the identities, how to simply connect enough people up. The amount of fiber being laid and so forth is astonishing.
Yet I think it is fair to say that this is already a solved problem. There is almost no place on the planet--in fact, I would claim there is no place on the planet--where you cannot get reasonable network connectivity already. The price is dropping like a stone, and you can just simply assume that everything will be wired in reasonable order.
There is certainly a role for Congress to play in what the terms of that wiring is, but speaking as a technologist there is no question but what it is going to happen, and it is already well underway. So that is the first requirement for an electronic world.
The second requirement is you have got to have something to sell, or something to say. I think that also is already taking place. It is already inevitable. It is already well underway.
Think back. It is only 4 years ago that the Web came into existence, the WorldWide Web and the Browser market, and think how pervasive it already is.
Or think, in a similar fashion, how long did it take after the invention of the video cassette recorder before the question was not, ''Are there any movies for this?'' but instead that there is a video store for every 10 square miles, or every 10,000 people, whichever is smaller.
It takes no time for there to come something to sell on a new medium. That is also true here. It is easy, in other words, and this is underway.
The third requirement for an electronic world, the conversion of the commerce that we know today to an electronic commerce, is trust or security. The security point of all of this is: If you are going to engage in real transactions for real dollars in real amounts over a wire, how do you know what is going on?
How do you know you are talking to the right person--the authenticity term that the Chairman spoke of earlier?
How do you know that the authorization is actually present to engage in that transaction?
How do you have any accountability when you are done?
How do you avoid having someone later claim the message that appeared to come from them did not, or the credential under which it took place was stolen?
Or in some other way the idea that what is needed for commerce to take place is contract and for what is needed for contract is the ability to have recourse.
The basic message I want to bring you from where I sit today is that the Congress needs to help set the rules of the game so that recourse and liability and other issues of that form are well enough understood that the game can proceed at its own pace.
We have a trusted group of individuals here direct from the front. Everyone sitting on the panel here has in some sense been a participant at the very front of this wave of conversion of the physical world to an electronic world. I think each of them brings something similar and yet something different to this discussion, and I know that you will profit from hearing what they have to say.
The thing that I want to stress to you is that time runs quickly. Where I work we speak of it in terms of ''Web time'' or ''Web years.'' It is sort of like dog years. Time passes at a remarkably fast clip, and if you want to lead as opposed to follow or get out of the way, there is a very limited time to do so.
I know in the commercial world we have discussions along the lines of, ''If we can bring that product out in 6 months we will have a killer; if we bring it out in 9 we might as well not bother.'' Those sorts of discussions dominate the world that I live in, and I think that they illustrate the time scale at which change is going to happen.
If the Congress wishes to set these rules before there is a substantial amount of sunk investment, before there are a lot of prior interests to reflect and to in some way calculate in and to compromise with, there is a very limited amount of time remaining for you to do so.
You are, in effect, I would argue, in competition with other countries, with other entities that make law. In the electronic commerce space there is no ''place'' there. There is no ''location.'' A wire leads off into the Internet. Where is the other end? In some sense it is not only independent of location, it is irrelevant of location, and you are in competition with all other entities that would make laws. And, just as there are Panamanian ships, Swiss bank accounts, and Delaware corporations, there is going to be something similar in the electronic commerce world and the question for you is: Do you want to have the most attractive and the most compelling place for this kind of activity to take place?
My argument with you is: It will take place somewhere; the only question is, where?
So let me say that if you want to set those rules, you have a limited amount of time to do so, just as I on the commerce side, on the product side, have a very limited amount of time to actually make those products.
If you do not do so, if you do not set the rules of the game, if you choose to pass on this one, then the rules of the game will be set by some combination of other governments, trial lawyers, and the insurance industry; because somewhere the rules have to come from; somewhere, the rules have to come from.
I would request that the Congress take action in this regard as opposed to letting it happen in those other ways.
Finally, if you choose to not act, there is also the very tangible risk that the choice you will have made is to export jobs instead of products, because the technology that we are going to speak of here today has no way to sequester it in one locale. It travels. Everything we know is known anywhere else.
It is no longer possible to sequester an idea. It is no longer possible to ban a book. It is no longer possible to think of the Internet as anything else than Radio Free Europe on steroids. I invite you to listen to the rest of the panel here as they describe their viewpoints on this fact.
Thank you.
[The prepared statement of Mr. Geer follows:]
TESTIMONY OF DANIEL E. GEER, JR., SC.D.
U.S. HOUSE OF REPRESENTATIVES
COMMITTEE ON SCIENCE
SUBCOMMITTEE ON TECHNOLOGY
WASHINGTON, DC
11 FEBRUARY 1997
Thanks to the subcommittee on Technology for the invitation to be here today and thank you all for choosing to spend your time with us. Every member of this panel is a trusted subject matter expert of considerable standing. Our worlds and yours do not ordinarily cross, but they should. They will have to. What is happening in the electronic world is, to quote The Economist, more defining than the telephone and but one notch short of the printing press. Without rancor or hyperbole, there is really very little time remaining for Congress to itself choose whether to lead, follow or get out of the way. Where it is crucial that government lead is in setting the rules of the game.
We hope to educate you today, but we know that in your line of work there is no time to study subjects not germane to this term's legislative agenda; we panelists, therefore, have the burden of proof to say something relevant. I am reminded of what I know as the four verities of government:
Most exciting ideas are not important,
Most important ideas are not exciting,
Not every problem has a good solution, and
Every solution has side effects.
The trade press gets it wrong when it tries to talk about security as just a question of picking the right vendor. The lay press gets it wrong when it talks about exciting personalities and not about important ideas. Those of you in this room today have an inkling that something is up or you would not be here. Congratulations; you're right.
In one way or another, I have tried to make and sell computer security products for over a decade. Until the last year, I found that I could only sell to two kinds of organizations: Those that had already been hurt and those that had to answer to some higher authority and soon. Almost without exception, until 1996 no one talked about security in other than defensive terms. 1996 was the last year for that kind of thinking.
The wholesale conversion of the commercial world into an electronic market is upon us. If I'm wrong by a year or two, that is all that I'm wrong about. Since the start of 1996, my phone rings incessantly with both public and private organizations wanting to know how to be part of this electronic revolution without embarrassing themselves. There are only three requirements for an electronic business, or an electronic government for that matter.
Requirement number one is network access; that's easy--it's universally available and the price is dropping fast; half the users on the Internet have been there less than a year and there is nowhere on this planet where an electronic business cannot be located, technically speaking.
Requirement number two is something to sell; that's easy, too--how long did it take the VCR to go from ''Are there any movies for this thing?'' to one video store for every 10 square miles? The market for ideas has never been greater and as governments everywhere will learn, with the Internet out there, it is no longer possible to ban a book or even an idea. The Internet is Radio Free Europe on steroids.
Requirement number three is some way to have trust in the transactions--that is, per se, why we're here today. Security technology is the single essential enabling technology other than the network itself. Those who get it right and agree on how to do trust management will dominate the next century.
I am here to convince you that security technology and security issues are worth the investment of your time and your brain cells. I want you to become educated consumers of security claims. In one of the Sherlock Holmes stories, Holmes, holding a scalpel in his hand, says ''Watson, isn't it interesting how the instruments of healing are so indistinguishable from those of crime?'' Security technology is like that precisely; there is a very subtle difference between the good and the evil here and there are already frank charlatans and charismatic quacks aplenty.
Let me assume for a moment that you of the Congress want the electronic markets to be as much dominated by enterprises within your sphere of control as the physical markets of today are, i.e., that you want the United States to continue to enjoy its economic position in a world of free trade and location-does-not-matter. Let me also assume that you are fond of entrepreneurial efforts as a way of taking advantage of change. Here is what you must do.
You must not hinder the use of security technology. This means you must explicitly forbid domestic use controls on cryptographic technology. If you do not do this, you will have chosen to export jobs rather than products.
You must make enough rules that there can be recourse when electronic commerce goes awry. Today, the rules of liability for purely electronic businesses are without case law precedent or agreed-upon governance. If you do not do this, the insurance industry will do it for you and, again, you will export jobs rather than products.
That is only two things and they are simple things. Do not let anyone make it more complex or argue that we need to go slow or that we first have to let foreign governments or domestic law enforcement catch up. By the time that happens, you will definitely be somewhere between ''follow'' and ''get out of the way.'' I, we, beg you to invest some study time on this and talk to people like us. No leading company in electronic commerce is more than three years old; the companies you see every day are likely to be as in the dark as government is. The smarts are out there and, if you act informedly now, you can do the right thing before the calculus of sunk investment and private interest dominate the conversation.
Thank you.
Mr. EHLERS. Thank you very much for your testimony.
Dr. Lynch?
STATEMENT OF MR. DANIEL LYNCH, CHAIRMAN, CYBERCASH, REDWOOD CITY, CALIFORNIA
Mr. LYNCH. Where are we today?
Well, right now the Internet business in the United States is about a $30 billion a year business. That is, the manufacturers and service providers in this country for 1996 did about $30 billion in business.
Well I remember back in 1973 when I got into this game at Stanford Research Institute it was a $4 million business all supported by DARPA, the research of the ARPANET. What was going on then was, I was working in California. I had friends in London and Boston and in Salt Lake and in Linshopeng, Norway, and we were all programmers working on this ARPANET that became the Internet and helping each other solve problems, programming problems, and it was fun, and it was work, and we trusted each other. We helped each other. We were a community of people, and we learned to trust each other even though we had never seen each other, most of us.
Then it grew, and it grew, and it grew, as they say. Now what is the Internet?
It is this giant communications system for communities of interest to share. It is no longer just a dozen programmers who can figure out how to trust each other because they kind of know that if you are not speaking the language I am speaking, I know you are an imposter, and now we have this problem of trusting people at a distance.
The physical boundaries, as Dr. Geer said, the physical boundaries are kind of meaningless. It does not mean that you do not live in the place and obey those rules of that society that you are in, but the society that is being built worldwide on the Internet is confusing for those of us who are out there now because you say, I do not want to break a law that I am unaware of; so we have this space frontier in some sense, or space-less frontier, and the only way we have to figure out who each other are is through this nasty word called ''cryptology,'' or ''secret writing,'' as we all know it to be from long ago.
There have been many technologies developed in the last 20 years and techniques developed so that I can prove who I am. I can be sure I am talking to you. I can be sure that what I sent you, you can't forge or alter and pass on to someone else as if it were my, you know, kind of speaking or writing. And all of these techniques and technologies rely on some mathematics that, oh, by the way, is just math, folks.
The Israelis know it. The Russians know it. The Chinese know it. The Mexicans know it. Everybody knows it. And if we think we can keep it in a container somewhere, that is pretty fallacious thinking.
This Internet system is an open system. It thrives on kind of like a biological environment, it thrives on other people adding their value, adding their ideas, adding their hopes, and seeing if it takes, seeing if other people like it. It is a world global village.
Marshall McLuhan died before this thing came into being, but he predicted it, and it is definitely in place. The part that has been in place, interestingly enough, for quite a long time, is the business-to-business electronic commerce world. That is, businesses sending each other information, and bills, and making payments through the banking system, and all of that has been done for the last, oh, 10 or 15 years by businesses using dedicated links to each other, and building up--remember the old story about the telephone operators? You know, the streets of Boston and New York were going to be black with wires, and they would have to have one wire between every two speakers, and all that jazz?
Well, the Internet came along and basically made it so you do not have to have point-to-point wires between everybody. You can share the wires. That drives the cost down, makes the skies prettier, and oh, by the way, makes it so other people can see what you are doing.
Now sometimes you do not care about that, but sometimes you do. What we want to make sure of is that when you do care what other people are seeing what you are doing, that you can make it so they cannot see what you are doing.
That is in the business-to-business world.
What has happened now with the Internet is that the, I call them ''normals,'' regular human beings are on the Internet now, tens of millions of them. It is not just us couple hundred thousand programmers anymore.
They also have these cheap computers now. Anyone can get a computer for, you know, a thousand bucks to two thousand bucks, and they are beginning to do electronic commerce, and buying, and things like that on the Internet, and they are a little nervous.
I mean, one of my companies, we are sitting there waiting for them to come. It's a ''Field of Dreams.'' We've built a whole technology but it is not strong enough, cryptographically, to assuage everyone's fears that it is safe to use because it is invisible. It is hard to see.
So these old laws, which were military laws to protect us against ''the bad guys'' figuring out what was going on with our communications technology, are no longer relevant, I believe; we need to relax those rules.
Here is the debacle I do not want to see:
This Internet stuff was created in the United States and it has grown, as I said, to about a $30 billion a year business at about a 100 percent growth rate that just keeps doubling beautifully for quite a while and has been doubling ever since I started my InterOp Trade Show back in 1986; it is doubling every year; and it will eventually end, we all know that, but it still has a long run.
We built all this technology, and the public liked it and they bought it and no one told them they had to, and now we have--and there was this other technology called OSI, Open Systems, which was mainly European and Asian controlled, and it lost the battle in the marketplace.
I do not want to see us give over to the other countries our well-earned lead in building all this technology because of some rules that we impose on ourselves and then we just lose this marvelous lead.
Thank you.
[The prepared statement of Mr. Lynch follows:]
CYBERSPACE IS OUR NEW HOME
FEBRUARY 11, 1997
DAN LYNCH, CHAIRMAN, CYBERCASH, INC.
Cyberspace is about a new space, a new home, that our children will inhabit much more easily than we can imagine. Here is a short story about what could happen in that space.
Allen owns a small company that designs computer printed circuit boards. His four-engineer design group is located 10 miles outside of Boulder Creek in the mountains near Santa Cruz, California. This morning he checked his Internet mail and found a message from Irene, a design engineering manager at a large computer company in San Jose, California. She asked him to look at a sensitive Request for Quotation (RFQ) she had just posted. The RFQ was open only to three firms, and the message was encrypted in such a way that only those three firms could read it.
After analyzing the RFQ, Allen again used the Internet. He checked the current prices for the integrated circuits (ICs) he would need to build Irene's board. He examined several online catalogs for IC manufacturers, and he made rough estimates of the cost of materials. There was one thing left to deal with: a design issue he didn't quite understand.
Allen queried several engineers at Irene's company, as well as an engineer in Amsterdam he had met at Comdex. The Amsterdam engineer referred him to an article in a back issue of an electronics association journal, which Allen promptly downloaded from the journal's Internet forum.
After lunch, Allen prepared his quotation and sent it to Irene, encrypted. Not only was the bid secret, it was a legally binding offer. Allen mused about how his access to the Internet enabled his company to get jobs that used to go to the big boys on the other side of the hill. Allen's quotations are extremely accurate; he can always look up the most up-to-date prices and inventories in the online catalogs. His designers are very efficient, because they have access to the latest applications and utilities from colleagues all over the world. And Allen's company cash flow is improved because he sends his invoices and remittances over the Internet.
Irene, at the other end of the electronics food chain, remarks about how using the Internet has helped her company's profitability. The publications group cuts the printing costs by putting its data sheets, catalogs, and data books online. Her engineering group takes advantage of the special strengths of different board designers, no matter their location: The other two firms bidding on this RFQ were in Oregon and Taiwan.
The bottom line: For Allen and Irene, the Internet is secure and easy to use. It provides access to services and information around the globe. It is a commercial tool, as fundamental as a spreadsheet or a telephone, that they both use to stay competitive.
That is the end of the short story. What can go wrong to prevent that scenario from playing out in the next generation? Modern day ''Luddites'' are trying to stop the underlying encryption technology from being used to make electronic communications secure. They correctly point out that this technology helps criminals as well as nice people. Well, so do knives and automobiles, but we have not outlawed their use. Why should we outlaw the use of strong encryption? Furthermore it is pure folly to think it can effectively be done. Let me explain why.
A fundamental reality about encryption is that it cannot be stopped by technical means. Why not? Cryptographic material can be disguised within other material. For instance, it's not possible to tell whether you're looking at an encrypted message when it's hidden in a picture. To explain: Suppose you have a digitized picture of the Mona Lisa, in full 24-bit color. If you utilize the low-order bit to contain your encrypted message, the picture still looks like the picture. Why? That low-order bit is meaningless noise at the visual level. Furthermore, if the cost of transmission is low enough, it's worthwhile to transmit such pictures. And without the key, it's impossible to unlock the noise. (Is it or isn't it a secret message? Only the keyholder knows for sure.) This ability to hide information within another message is referred to as ''creating a subliminal channel.'' Subliminal channels, for better or worse, can provide some basic freedoms.
Do we want our citizens to resort to such subterfuges or do we want to simply recognize their right to converse digitally with whomever they wish with as much privacy as they wish in their new home?
Mr. EHLERS. Thank you, very much. We appreciate those comments.
We have been graced by the presence of a few additional Congresspersons. First, Congresswoman Zoe Lofgren from Silicon Valley, who has a keen personal interest; and Congressman Lampson. Welcome.
We will next go to Mr. Shimomura.
STATEMENT OF MR. TSUTOMU SHIMOMURA, SENIOR FELLOW, SAN DIEGO SUPERCOMPUTER CENTER, LA JOLLA, CALIFORNIA
Mr. SHIMOMURA. Yes. Hello.
I want to talk a little bit about how the world is changing in terms of communications. It used to be that when we engaged in commerce and when we talked to each other, we talked to each other face-to-face.
We would meet in person and we knew each other. We knew each other by face, by what we do, and by mannerisms. Then we engaged in commerce for a while in non-face-to-face ways, where you send in a mail order, or where you send letters to communicate, or by telephone. Even though for a long time it was face-to-face, we have learned to adapt to these technologies, such as the mail, where you can send someone a letter and you have some notion of how private it is or how not private it is; or you can call someone and you can recognize their voice and can tell something about who you are talking to, hopefully. But we are becoming increasingly dependent on these non-face-to-face technologies like the telephone and like the Internet.
In a lot of ways we tend to misuse them. We have had a long time to become comfortable with mail. When we get a bill in the mail we will be suspicious--if we do not recognize who sent it, we will be a little bit suspicious and we will tend not to pay it immediately.
But often with computers, when we get a message we do not know whether to trust it or not, or how trustful it should be. There is a part of us that says, oh, we should trust this because it came from the computer.
There are a lot of mechanisms that are insecure but we try to use them as if they were secure because we want them to be secure. We want to be able to use them. We have to. As commerce moves on-line, as our lives have moved on-line, we cannot not use these things without being really handicapped.
So we have infrastructure. We have communications' infrastructure and other things which are not really trustable and not really secure but we use them as though they were.
In the real world, there are many things that are not secure but we get used to it as well. We come to understand those risks. But in the on-line world we often do not understand those risks and so we misuse these technologies.
There are a lot of risks. I was involved in the pursuit and capture of a fellow by the name of Kevin Mitnik, a computer criminal who has been on--I guess he has been in and out of prison and jail for 15 years. It is interesting.
I guess Dan Lynch here was the first guy to catch him and cause him to be prosecuted. I guess I am the most recent thus far. I hope I am the last, but I don't know. But there are many risks here.
I have a computer here which has transcripts on it from a computer cracker. We do not know who it was, but it was someone who broke into a machine at Los Alamos National Laboratory just about a year ago. It was February 10th last year.
Could I have the lights, please?
[A computer demonstration is presented.]
Mr. SHIMOMURA. The other set of lights also, please.
We have tools that will let us capture intruder sessions. This is an unknown intruder who broke into a machine at Los Alamos National Laboratory and they used it as a base of operations to break into what he thought was my computer at the San Diego Supercomputer Center funded, incidentally, by you guys.
It turns out that this machine is actually----
Mr. EHLERS. I have to correct that. It is funded by the American people.
[Laughter.]
Mr. SHIMOMURA. Indeed.
In any case, this is a machine that we put up as bait so that we can see people attacking and watch them, and study them. It is like putting test subjects in a cage.
We have tools that let us watch exactly what the guy was seeing on his screen as he was breaking in, or as he was doing whatever.
Here there is a session--this is a fellow who is trying to type up a message to mail out to the world to try to prove that he has broken into my computer. This guy does not know how to type, yet he has broken into a machine at Los Alamos.
In particular, he has not figured out the difference between the ''delete'' key and the ''backspace'' key on the keyboard. So every time he makes a mistake, he has to retype the entire line.
[Laughter.]
Mr. SHIMOMURA. ''The Mitnik Liberation Front,'' oops, try again.
[Laughter.]
Mr. SHIMOMURA. And this goes on, and this goes on.
So we have people like this. I think these are the people who vandalize World Wide Web sites such as the Justice Department has had, the Air Force, the CIA, and this is what we see these days.
These guys are not the problem. These guys are juveniles. But they get into the infrastructure right now because we don't have secure communications, and it is weak enough to let these guys come and go as they will.
In this case, what we believe happened was: Since passwords are used to access these machines, you log in by using a user password, it is possible by intercepting--by monitoring the network and by intercepting communications, to acquire passwords, and we believe that is what happened in this case.
So the password of a legitimate user was monitored and then abused in this case. If we had strong cryptographic tools, this would be a little more difficult.
Something else that has been in the news recently is the issue of cellular privacy. We use cellular phones because they are a great convenience. We treat them as though they were secure, many times.
The current analog systems have no provisions for security. Even the digital systems often are operating with security disabled.
Mr. Chairman, we have a device that I guess is in front of you--or that is at the other end; okay--a device which I guess is being passed down, which is a Palmtop Personal Computer, just like a PC, and a regular cellular phone, unmodified, and a cable to connect the two.
There is software which can be readily obtained running on the machine which lets you intercept cellular calls. In this case, all it is doing right now is monitoring the control channels, one of the control channels that is used by one of the local cells so that you can watch to see who is setting up calls.
So you get the phone number of every cellphone that is used in this area. Right now it is just displaying that, but someone could easily modify the software, or enable features in the software that would let you pick up any of those calls and actually monitor it with the audio, or search for other calls. There is no protection against this right now.
Right now you have people perhaps with scanners who sit there all day and record conversations, or attempt to record conversations. This can be fully automated. If someone is serious about trying to get information about industrial espionage, about trying to do harm, the technology is there.
There have been various attempts to try to restrict the availability of receivers such as this, but the cost of equipment to intercept a cellular call will probably never be any greater than the cost of a telephone.
This can be had for somewhere between 1 cent and $100, I guess, these days. That is because, again, there are technologies in cryptology that can be used to make these systems much more secure, but we do not have them deployed.
Consider the real problem when there is actually a profit motive. Consider situations with things like the direct-to-home broadcast stuff where you can save, or appear to save significant money by defrauding the satellite companies and whatnot.
Consider how much work people have put into defrauding these and making money off those. Consider that as we move commerce on-line and there is actual profit to be had by subverting these networks, how many more people are going to have incentive to actually subvert our communications for profit?
It is just like the real world. There is really no difference in the on-line world and the real world. We have criminals in the real world and we will have them in the on-line world.
We have had a long time to learn to deal with criminals in the real world, and we are just learning how to deal with them in the on-line world.
The thing is, in the real world we have a notion of risk. When we lock a door, we have a good, intuitive feel of how secure that is. When we put something in our desks, we know how secure that is, and we use these appropriately. We know how strong the screen door latch is.
The problem is that in the on-line world right now it is hard for us to know in many cases just how trustworthy something is. Partly this is because we do not know how to build systems that are both usable, that do what we expect, and provide us security. So we tend to misuse these, as I mentioned.
I think we need a lot of research into how to build secure systems--not just secure systems, but secure systems that are usable, that are usable for the kinds of things we need to do for commerce, for private communication, for business.
There are many impediments; this is not just technology. We have problems with, for example, as both Dan and Dan here have mentioned, the tools in cryptology, the technologies of cryptology that can be used to make these things much more secure. Unfortunately, they are very difficult to deploy right now due to, in some cases, government controls having to do with the inability to export products.
It is a world market, and it is not economical for a company to develop products that are usable only in one country. So we need to address those issues unless we wish to lose our lead, as Mr. Geer has said. And we need to learn how to build secure systems. Research I think is critical at this point.
Thank you, very much.
Mr. EHLERS. Thank you, very much. We appreciate your testimony. Could we have the lights up again, and the room lights, as well? We would appreciate that.
Thank you, very much.
I notice the room is very, very crowded. If some of those standing near the doorways would like to sit in the desks in the front row, that is permissible, just so that you can be comfortable and we can be accommodating. So feel free to move forward. It is perhaps one of your few times to pretend that you have a position of supposed power.
[Laughter.]
Mr. DAVIS. And they will find out how little it is.
Mr. EHLERS. Yes, as Congressman Davis says, you will find out how little power you actually do have.
[Laughter.]
Mr. EHLERS. Our next witness is Mr. Geoff Mulligan. You may proceed.
STATEMENT OF MR. GEOFF MULLIGAN, SENIOR STAFF ENGINEER, SECURITY PRODUCTS GROUP, SUNSOFT, COLORADO SPRINGS, COLORADO
Mr. MULLIGAN. Thank you, very much.
For the past 17 years as I have helped to build the Internet, I have noticed that one of the fundamental conflicts that we have is that we have built the Internet to share data and it conflicts with the idea of security of trying to limit the sharing of data.
We tend to trade off one for the other.
As the Internet has grown, we have noticed basically three types of attacks. Tsutomu has mentioned one: interception; intercepting your cellular conversation. People do this to try to gain your passwords, to get your credit card information or other private information about your conversations about what you are doing today.
The other is an intrusion. It is the type of attack where they actually break into your system to change or to steal other information from your systems or your network. And the last is a denial of service attack, where they are not actually trying to steal any information, but instead they are trying to keep you from your information, which can be just as devastating.
Can you imagine what would happen if I were able to block all communications with the Federal Reserve for a period of 15 minutes during some change in monetary events? I could conceivably, during that time while the communications are down, take advantage of that.
The United States infrastructure, technology infrastructure, is very susceptible to denial of service attacks, taking out power grids, taking down telecommunications and the like.
We do have the start of solutions. It starts with a well-defined security policy: what it is that you do and do not want to allow in and out of your network, in and out of your systems.
We have tools like Network Containment, or Perimeter Defense. It is much like the guard or receptionist that companies put at their front door to control people coming in and out, but you allow free access once someone is past the receptionist, and they can move around from office to office and allow that free flow of information.
But we guard the perimeter of the network, or our buildings. Today the best known technology of perimeter defense is known as ''firewalls.''
One thing that is interesting to note, and I believe is of major concern, is that the most popular firewall today is built by a foreign corporation, not a U.S. corporation, and it is being used today to guard our banking industry, our government, and our national defense.
This is a true major concern, I believe, for the security and the sanctity of the United States' technology infrastructure.
But firewalls are not perfect, just as you may try to check credentials when somebody comes into the building and yet you are not sure about what happens when they are inside your building. We need protection in depth.
One of the ways to do that is through application containment, colloquially known as ''the sandbox.'' It gives you the control, or it gives you the ability to control what each program does, what each specific application does.
It can stop viruses from infecting your system, and it can keep it from doing some other nefarious things. We recently found out that a technology that is being deployed throughout the United States and through the Internet called ''ActiveX'' has the ability to modify files on your system such that your financial program can automatically do fund transfers without your knowledge.
So you fire up your thing to check your account balance, and it just happens to transfer $5,000 or whatever you have from one account to someone else's account unbeknownst to you and uncontrolled by you.
We need to develop. We need research and time spent on researching things like application containment, network containment so that we can better build these tools and the United States can move again into the front of this development.
In the United States we are readily accepting new technologies without really understanding the security implications or doing any education as far as the security relationship of those new technologies.
Tsutomu has talked about and discussed cellular phones, but if you want to plug one of the largest possible security leaks in your office, reach into your pocket and pull out something like this pager [indicating] and look at it. When you realize that when someone sends you a page, if you are on a nationwide paging service, that page is being received in every city, every major city in the United States, and, along with that, understand that for less than $50 I can build a connector to this to monitor and read every single one of those pages, you realize what a potential security risk there is involved here.
Not only that, for slightly more than $50 I can build a connector to this to now start sending pages to you, looking as though they came from anybody else. Consider the risk, or the havoc I could wreak on the Nation should I decide to do this and to start sending out pages nationwide saying that the stock market suddenly is off 140 points.
As everybody goes to run and sell their stock, or to do whatever they would normally do if the market was down, I could cause considerable economic impact to the United States.
Yet, we have no constraints, and we have no thought behind accepting technology like pagers and cellular phones. We certainly use them to do our job, but we need to have more research. We need to have education, and we need to have funding put into advancing the security aspects of this.
The technology is there. We can start to build it. But we also need the ability from Congress to implement and deploy that in an unconstrained manner.
Thank you, very much.
[The prepared statement of Mr. Mulligan follows:]
SECURITY THROUGH CONTAINMENT
A WHITE PAPER
BY GEOFF MULLIGAN
SUN NETWORK SECURITY PRODUCTS GROUP
About the Author
Geoff Mulligan is a Senior Staff Engineer in the Security Products Group at SunSoft. He works on emerging network technologies and network/system security products such as telecommuting tools, firewalls and encryption. He was the principal architect for Sun's premier firewall product--SunScreen--and a founding member of the Internet Commerce Group. Prior to joining Sun, Geoff worked at Digital's Network Systems Laboratory developing the DEC SEAL firewall, developing networking courseware and researching e-mail issues. Before working at Digital, he spent 11 years in the Air Force working at the Pentagon on computer and network security, building local and wide area networks and teaching computer science at the Air Force Academy. Geoff received his M.S. in 1988 from the University of Denver and B.S. in 1979 from the United States Air Force Academy.
SECURITY THROUGH CONTAINMENT
1.1 Introduction
Is Network Security an oxymoron? Networks are designed and built to facilitate the sharing and distribution of data and information, while the goal of security is to limit and control the distribution of information. Ideally, networks are built to increase the ease of use while security reduces this convenience--passwords are difficult to remember, and certain systems are not allowed to exchange information. We end up trading some ease of use for the sake of added security and we give up some security to increase the sharing of data and information. One method for providing both connectivity and security is through the use of containment.
1.2 What is Containment?
Containment is a methodology whereby access to information, files, systems or networks is controlled via access points. Much as a bank vault has only a single well-controlled entry and exit with various security procedures and protections, the security container also has controlled entries and exits known as connectivity points, though when using security containment, there may be more than a single connectivity point. Each of these may handle a specific type of service, such as electronic mail or file transfers. They may also control connections to other systems or networks, such as from the internal network to the global Internet or from an application to the files on the local system. The container has well defined security policies that it enforces and has security protection mechanisms to guard against attack.
1.2.1 Security Policies
Without well defined security policies, even the best container will leak like a sieve. These policies outline the procedures used to pass or move information into and out of the container. Examples of some connectivity security policies might be:
No users or systems outside the company will have access to the financial network.
Employees can only have access to the Internet during work hours.
No files downloaded from the Internet are to be run on corporate systems.
Any attempts to access the executive network will be logged.
Alerts will be generated whenever sensitive files are being accessed.
Once the policies have been defined they are implemented and enforced using security containment.
1.2.2 Taxonomy of Security Attacks
There are three main groups of security attacks: intrusion, information interception, and denial of service.
1.2.2.1 Intrusion
Intrusion is when unauthorized persons gain access to internal networks, systems or files. They may only be able to read the data or they may gain complete access to read and modify the information. In the second case their entry may go undetected if they can modify security log files to hide the intrusion. They may also be able to cause actions to be taken by the user without his knowledge, such as initiating funds transfers or equipment purchases by modifying the appropriate files. Intrusions are usually accomplished by guessing or cracking passwords, using IP spoofing, or exploiting operating system bugs.
1.2.2.2 Information Interception
Information interception doesn't require the intruder to actually penetrate the internal networks or systems, but instead merely eavesdrop on data being passed into and out of the systems. He may capture electronic mail messages, conversations, paging messages or even the key strokes while you type. Interception is most commonly used to collect credit card or other sensitive information such as passwords. Using a simple packet sniffer, the intruder watches each packet looking for usernames and passwords and stores them for later use. They then use this information to gain access to internal systems in an intrusion attack.
1.2.2.3 Denial of Service
The final type of attack is the denial of service attack. While the attacker cannot read the data or listen to the conversation, they can keep you from doing it. Jamming, as used by the military, is a denial of service attack and when properly initiated can be devastating to the target group. Overloading a system with invalid requests so that valid users are not able to access the system or causing the system or network to crash are both examples of denial of service attacks. It may not be necessary to access its systems to hurt a company. Interfering or jamming the phone lines of a bank causing financial transactions to be delayed or lost can result in irreparable financial damage.
There are tools and mechanisms that can be used to defuse most of these attacks, though the most difficult to defend against is the denial of service attack. The attacker can remain focused on the single point of failure or weakest link in the connection and either crash it or overload it. Quite often these attacks are used against the security system to try to circumvent the procedures or to stop all connectivity.
1.3 Network/Connectivity Containment
One level of security containment is at the network or connectivity layer of the system. In the United States, we control our security with guards and border patrols while allowing unrestricted movement between the states. Companies control the access to their buildings with receptionists or guards stationed at the entrances and again allow free access to the offices within the building. Using network containment we put our ''guards'' and ''patrols'' at the edge of our network, where it connects to the global Internet, phone system, or customers. In fact, wherever there is a connection to a network or system that is not controlled under the same security policy, a ''fence'' should be installed. This type of security containment is called perimeter defense.
The benefits derived from a perimeter defense are ease of use and ease of implementation. Putting the controls at the edge or perimeter of the network allows a free flow of information within the network. This has been termed the ''Cadbury Egg'' security model, where there is a hard shell with a soft middle. Should an attacker break through the hard shell, they have unrestrained access to all the systems within the interior. It is, therefore, necessary to ensure that the perimeter is well maintained and guarded.
The other benefit of perimeter defense is ease of implementation. Quite often there are legacy systems that cannot be secured, such as MS-DOS and Windows systems. These machines, if connected to a network, can be quite easily compromised. In addition, it may be impossible due to the sheer number of machines and networks to completely protect each and every system. In these cases a connectivity container provides the best mechanism to defend against attacks.
1.3.1 Firewalls/Proxies
The current and most popular implementation of connectivity containers is the Firewall. These systems reside between your internal network and the external Internet. They check each and every piece of information (packet) that attempts to pass through the Firewall, but do not interfere with data passing inside the network, much like a receptionist only checks visitors coming in or leaving.
Firewalls are very effective at protecting and limiting the flow of information into and out of the network. They work well at stopping or blocking various types of intrusion attacks, such as IP spoofing, password guessing/cracking and other operating system service level attacks or operating system security deficiencies. In addition, they can provide some measure of protection against denial of service attacks, but the Firewalls themselves may be vulnerable to these same attacks, and shutting down the information flow through the Firewall can be equally destructive.
Firewalls cannot protect against ''inside jobs.'' If the attacker gains access to the inside or ''soft middle'' of the network, the firewall provides very little protection. It may be able to track and log the attackers' activities which can be used in the future to learn what was done and how to better protect the network.
Firewalls also cannot protect against content level attacks. This means that they cannot completely filter or control what is being carried via electronic mail messages or inside downloaded programs. There are some tools that can provide the most rudimentary filtering to try to catch viruses, worms and e-mail bombs, but it is impossible to completely protect against these attacks with just a connectivity container. This is best accomplished with the use of the software/application container discussed later.
1.3.2 Encryption and Authentication
By combining encryption and authentication technologies with connectivity containment (Firewalls), it is possible to eliminate information interception. The eavesdropper will only see the encrypted data and therefore cannot capture usernames and passwords, thereby also preventing that type of intrusion attack.
It is also possible to stop password eavesdropping by using authentication via digital tokens or one-time passwords. This method uses a challenge/response scenario, where the user is asked to prove who they are by answering with a ''secret'' that only they know. This is usually done by sending the user some data and asking them to encrypt or ''sign'' it using their digital signature. The strongest level of protection is created by encrypting all data sent from the user's system and decrypting it at the destination. This is known as ''end-to-end'' encryption and makes it virtually impossible to intercept the data at any place between the two systems.
Encryption also protects the user from an intruder making changes to information being sent. For example, if the user is sending payment information to a mail order house, an intruder could modify the data to transfer the funds to their account rather than the account originally specified. Carried out on a large scale, it would be possible to divert huge sums to the attacker's account.
1.3.3 Virtual Private/Secure Networks
Many companies are now implementing telecommuting and are becoming geographically dispersed. In order to have secure communications, these companies currently must use costly leased-lines. Firewalls facilitate the creation of Virtual Private Networks (VPN) and combining these with encryption will create Virtual Secure Networks (VSN). This technology allows users who are at different locations to communicate as though they are directly connected to each other while using the much less expensive public Internet to carry the data. Encryption is required so that attackers cannot intercept and/or change the data and the users' communications are still afforded the same level of security as with leased lines.
1.4 Software/Application Containment
Software or Application containment is similar to connectivity containment except that the perimeter surrounds only the single program or application rather than an entire network or system. This container is colloquially called the sandbox. The program is allowed to do whatever it wants within the sandbox, but in order for it to access or use anything outside the sandbox, the ''parent'' must be asked. Access is only granted if the request follows and meets the security policies. In this case, a security policy might be ''programs loaded over the Internet are not allowed to read or write to local files or systems, but a program loaded from the local disk drive can access files on that disk.'' Any attempt to violate the security policies causes an alert to be signaled and applications determined to be inappropriate may be shut down.
The sandbox approach can provide security against content level attacks. Should a virus try to infect a system, alerts would be generated when the virus attempts to modify operating system files and the virus' attempted infection would be blocked.
1.4.1 Component
Components are re-usable software modules and systems that can range from an on-screen button to a complete application, such as a word processor. Each component is a software module that includes a specific programming interface and program logic that defines how that module will process data and user events sent to it. The key technologies that components provide are re-use and dynamic interconnection. These two technologies allow programmers to build very large and complex systems by combining simpler, already developed and well tested modules. A programmer building a banking application can use a pre-written, tested and validated balance sheet module, rather than having to write a new program which very likely could contain bugs. This can save significant development, testing and maintenance time and dollars.
1.4.2 The ''Sandbox''
The sandbox, just like the Firewall, implements a predefined security policy. This security policy, if well designed, will allow for the safe execution of downloaded programs and modules and will not compromise the security of the company. For example, some standard security policies might be:
Only programs or modules loaded from the local system can read or write to files on the local system.
No modules can write or change any operating system files.
Execution of modules that do not bear the digital signature of the user's company will be disallowed.
Communication with any systems other than where this module was retrieved is prohibited.
The program is free to do whatever it needs to do with the data provided in the module and is only constrained when it tries to access data, systems or networks that are outside the security perimeter.
1.4.3 Digital Signatures
Digital signatures allow a receiver of a message to verify who sent the original message with non-repudiation, meaning that the sender cannot deny sending the message and that the message was received unchanged. Digital signatures use the properties of complex mathematical functions combining exponentiation and factoring very large numbers to create two ''keys.'' The public key is available to everyone, while the private key is kept strictly to the user. When the user signs a message, program or module, he uses his private key. Anyone receiving that module can verify where it originated and that it wasn't changed before receipt.
By combining digital signatures with application containment it becomes possible to finely control the execution of programs and modules. Based upon the digital signature carried by the module the user can either allow or disallow the execution of that code. Only programs written by authors or companies that are trusted by the user will be loaded, thereby stopping viruses and intruders.
1.5 Conclusions
Deployment of security through containment, Firewalls and ''the sandbox,'' and encryption can greatly improve the usability and functionality of current and future systems. By installing Firewalls with encryption and authentication most methods of attack can be eliminated and communications can be protected from eavesdropping. In addition, protection can be afforded to those systems that are inherently insecure, such as MS-DOS and Windows. The use of application containment, as in Sun Microsystems' JAVA security model, enables the sharing of pre-written applications without the security issues of rogue programs stealing corporate secrets or requesting funds transfers without the user's knowledge.
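The following is an added worked example, not part of Mr. Mulligan's statement and not Sun's Java implementation. It shows in runnable form how the two ideas in sections 1.4.2 and 1.4.3 combine: a module carries a signature from its publisher; the loader admits it only if the signature verifies under a public key the user already trusts (policy 3 above); and once admitted, the module's file and network access is decided by the four sandbox policies listed above. The signature scheme is textbook RSA over a SHA-256 digest with two small, constructed primes so that it runs in plain Python; a real deployment uses a vetted library and 2048-bit or larger keys. The Sandbox class, the publisher name ''Acme'' and the module URLs are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# ---- Toy RSA signatures (assumption: tiny constructed primes; demo only, not for real use) ----
def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)). p and q are primes; real keys use 2048-bit+ moduli."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent = modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def _digest(data, n):
    # Hash the module bytes, then reduce below the modulus so the toy key can sign it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data, n), d, n)          # only the private-key holder can do this

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)   # anyone with the public key can check

# ---- Module descriptor and a loader that enforces the four listed sandbox policies ----
@dataclass(frozen=True)
class Module:
    origin: str        # URL the module was retrieved from
    code: bytes        # the module itself
    signer: str        # publisher the module claims to come from
    signature: int     # publisher's signature over `code`

class Sandbox:
    """Hypothetical loader: digital signature gates admission, origin gates resource access."""
    OS_PREFIXES = ("/etc/", "/usr/", "/boot/", "C:\\Windows\\")

    def __init__(self, trusted_publishers):
        self.trusted = dict(trusted_publishers)   # publisher name -> public key

    def admit(self, module):
        """Policy 3: run only code signed by a publisher the user trusts."""
        key = self.trusted.get(module.signer)
        if key is None:
            return False, "unknown publisher"
        if not verify(key, module.code, module.signature):
            return False, "bad signature"        # tampered in transit, or forged
        return True, "admitted"

    @staticmethod
    def is_local(module):
        return urlparse(module.origin).scheme == "file"

    def may_read_file(self, module, path):
        return self.is_local(module)              # policy 1: local modules only

    def may_write_file(self, module, path):
        if any(path.startswith(p) for p in self.OS_PREFIXES):
            return False                          # policy 2: never OS files, for anyone
        return self.is_local(module)              # policy 1

    def may_connect(self, module, host):
        return host == urlparse(module.origin).hostname   # policy 4: origin host only

def demo():
    """Walk through the banking example from section 1.4.1 with a remote balance module."""
    pub, priv = make_keypair(104729, 1299709)   # constructed: the 10,000th and 100,000th primes
    sandbox = Sandbox({"Acme": pub})
    code = b"def balance_sheet(ledger): return sum(ledger)"
    good = Module("http://updates.acme.example/balance.mod", code, "Acme", sign(priv, code))
    tampered = Module(good.origin, code + b"; send_funds('attacker')", "Acme", good.signature)
    stranger = Module("http://evil.example/balance.mod", code, "Nobody", 1)
    local = Module("file:///home/alice/tools/report.mod", code, "Acme", sign(priv, code))
    return {
        "good": sandbox.admit(good),
        "tampered": sandbox.admit(tampered),
        "stranger": sandbox.admit(stranger),
        "good_net_origin": sandbox.may_connect(good, "updates.acme.example"),
        "good_net_other": sandbox.may_connect(good, "bank.example"),
        "good_write_home": sandbox.may_write_file(good, "/home/alice/out.txt"),
        "local_write_home": sandbox.may_write_file(local, "/home/alice/out.txt"),
        "local_write_os": sandbox.may_write_file(local, "/etc/passwd"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Note that the signature check and the containment check are independent: a correctly signed module from a trusted publisher is still confined to its origin host and, if downloaded, still cannot touch local files. Signing establishes who published the code; the sandbox limits what even trusted code may do.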
Mr. EHLERS. Thank you. We appreciate your comments.
This is getting downright depressing, you know?
[Laughter.]
Mr. MULLIGAN. We do not mean to be depressing, but----
Mr. EHLERS. Yes; right. Thank you.
Well, next we turn to Mr. Farmer. I do have to say as an individual who is obviously follicly challenged----
[Laughter.]
Mr. EHLERS. I do have a bit of envy of you, Mr. Farmer. You may proceed.
STATEMENT OF MR. DANIEL FARMER, INDEPENDENT SECURITY CONSULTANT, BERKELEY, CALIFORNIA
Mr. FARMER. Thank you.
I am afraid I do not have a lot of good news to say in my 10 minutes, as well, just to forewarn you.
Briefly, I am going to talk about security programs and sort of the state of the Net, as I see it.
Security programs are nothing more than other programs you might encounter such as LOTUS 1-2-3, EXCEL, NOTES, whatever. They are just programs written to do things.
Typically they fall into one of two categories: offensive and defensive programs. Now unfortunately for perhaps the good people, the people in the white hats, the defensive programs have been far outstripped by the offensive programs. It is much easier to build a gun than it is to build a wall that is going to stop this kind of weapon.
The offensive tools generally do very simple things. They can either, as Geoff commented, disable a machine by a denial of service attack or some other form of attack. They allow you to spy on people, capture transmissions, or they essentially allow you to take control of the machine, whether it is individual files, or the actual hardware itself.
Programs can do anything to a computer. Anything that can be done by a human being typing on a computer can be done by a program that takes over the computer. I just want to emphasize that in 1988, probably one of the most influential and famous security programs ever was released, the Internet Morris Worm written by Robert T. Morris.
What it did was, at the time when the Internet was at about 50,000 systems, break into about 10 percent of the systems, about 5,000 systems, and it was just as if someone was individually typing in and attacking all of these systems by hand. But the age of automation makes this considerably more easy and very much more effective.
Almost 10 years later now, this last December, I decided to take a look at the network today and to examine whether we have gone any further.
The Internet is pretty ubiquitous. Almost everyone is on it, including the Congress, the Senate, and the White House. What is the difference, if any, between the physical and the virtual realms? Is there any difference in terms of security?
I examined banks, government systems, newspapers, other very highly visible, highly laden with information content and sometimes financial content systems, and found that just using the most simple tests, not even trying to break in at all, I can easily compromise about 2/3 of the systems. I am talking about things like the White House Web Site and so forth. These are not Joe's Garage's Web Site. And I estimate that if further tests were done, you could probably break into about 3/4 of the systems.
So I estimate on the Internet today you have about a 75 percent vulnerability rate on all systems out there. For instance with the government, we had the CIA and the DOJ recently broken into, their Web Sites, and there should be no excuse for this.
If the CIA cannot protect its own resources, how can you expect a business to do this with orders of magnitude less resources and such.
When I was doing the survey, I discovered that there was a problem with the White House security on their Web Site. I sent mail to the system manager and I never got a response. I explained that I was a security researcher; I had found a significant problem. They never responded to me.
If this was a physical problem, if I had talked to the Secret Service about something that was a physical issue with the White House security, they would have met immediately with me, or perhaps taken me away with the men in black suits.
The important thing is there is a big disparity of how we view physical and how we view virtual security. We think of them as kind of being the same as a consumer, but when you actually get down to the actual physical operations and running these things, they are treated very differently.
Now there are banks, and Internet commerce is being done, $30 billion, was it? You would think that with this amount of money at stake they would know what is going on. Again, I run into the same sorts of issues. We are talking about real dollars that are at stake here.
Newspapers: There is an old ''Bloom County'' strip where Oliver, the little hacker boy, goes into The New York Times, breaks in, and changes a Reagan quote to say ''Women Are America's Little Dumplings'' or something, and it was a joke, at the time, but you can do this now. You can break into The New York Times. You can go into Reuters. You can go into the wire services and make headlines.
And it is not just papers. We are talking about actual physical press. In addition, we are getting more and more of our information from the electronic sources that are easily mutable.
I was talking to CNN a few weeks ago and they said they were about 6 seconds from airing that George Bush died in Japan because of the food poisoning incident.
What would be the impact if the President dies on the news, or even that something like there is an early freeze in the Florida orange groves? How is this going to affect prices of such things? And who is going to check on these things? And how are we going to tell what is actually going to happen with our electronic information, and how can we validate and verify this kind of thing?
In the military--I was once a Marine----
[Laughter.]
Mr. FARMER. With hair significantly closer to the ears than it is now----
[Laughter.]
Mr. FARMER. And I know how they use computers. They put all their stuff on-line on their computers, and then a gunner or staff sergeant will sit on the computer and they will dial up the Internet, or they will dial up the local BBS, without any knowledge of how the information is stored on the computer and how it might get out.
I was at the Watergate last night, the Watergate Hotel, and it struck me that perhaps what needs to happen now is that a Senator or a Congressperson, perhaps the President, will get their information taken from the computer and somehow it will be used by someone else, or be publicized in a very public thing--maybe an Electronicgate, or an E-Gate of some sort in the future; that maybe--it seems that we only react to disasters.
There is lots of stuff on all of our computers. Most people certainly in businesses, and most people in government, use computers now for sending campaign funds. We heard about the White House has this huge Rolodex of campaign funds.
What if somebody went in and modified, or was able to publish this kind of thing? This is really serious stuff we are talking about here.
When I go to people, I say, well, I work in computers. Their first response is: Oh, I know nothing about computers. My daughter or my son is the real whiz. There is a real resistance to even listening to anything about computers.
We are trained such that somehow computers are difficult, or somehow they are beyond our comprehension and so we will just ignore them and hope they will either go away or we will die before they get too important.
[Laughter.]
Mr. FARMER. So where are we now? The Internet now is--I was talking to someone at AT&T and their internal network now is larger than the Internet was when the Internet Worm hit. We are talking about orders of magnitude in size difference.
If someone took the existing Worm code that was used then, put in new tests and all this kind of stuff, it would not take much work. We could probably get about a 5 percent saturation hit rate on that. That means like something on the order of a million computers compromised in a couple of hours. That is a lot of machines. A lot of those machines are machines that you people are depending on every day for your kind of transactions.
Just in closing, I would hope that the government does not try to throw billions and billions of dollars into some black hole into buying the latest and greatest hardware or software. That is not the answer. These problems are not technical problems. These are real social problems we are facing here.
It is not hard to defend the system. It is not hard to protect the system. It takes a lot of resources and it takes a lot of education, and I hope that any efforts on your part will fund these.
Thank you.
Mr. EHLERS. Thank you very much. I will use my prerogative as Chair to just make a few comments at this point, because I will have to leave shortly.
I certainly appreciate the comments you have made. I think one that you made, Mr. Farmer, that others have alluded to is the difficulty of the public in understanding this.
I think it is simply because it is the difference between a Watergate where you spot masking tape over the lock on a door and that is a very physical event and everyone can identify with that.
My experience as a scientist in dealing with the public over the years is that anything that is abstract that is nonphysical, so to speak, is simply not of interest or not of concern. I have battled that for years in trying to deal with the energy resources of this country.
In fact, I have written an article called, ''I Wish Energy Were Purple,'' simply on the basis that if people could see energy and be aware of the loss of energy in today's world, they would take action. But it is something that is intangible. To a physicist, it is real; but to the average person, energy is intangible and it is not something to worry about.
I think that is true also of the Internet. The messages--the public would be amazed to realize that when they are talking on the phone their little message packet is going all over the country, that their message is being split up and going 27 different ways from their telephone to the receiving telephone. There is no conception of what is actually going on in today's telephone and Internet systems.
I frankly do not have much hope of educating the public. I think the key is to make certain that everyone realizes the insecurity of the system and the necessity for laws that govern the security and that punish those who violate the security.
I believe the policymakers here are capable of understanding that and will take action as some of us have tried to do already.
Having said my piece, I will--first of all, I notice that Congresswoman Morella has arrived and I will be happy to turn the chair over to her, since this is her hearing. I will first introduce Dr. Spafford and ask that you proceed with your testimony.
Thank you very much.
STATEMENT OF EUGENE SPAFFORD, Ph.D., ASSOCIATE PROFESSOR OF COMPUTER SCIENCES, PURDUE UNIVERSITY, WEST LAFAYETTE, INDIANA
Mr. SPAFFORD. As an academic I have been conditioned so that to give presentations I either have to have some chalk in my hand or be at an overhead projector. So with your indulgence, I will move over to there. If I could have the lights brought down, as well.
[Vu-graphs are shown.]
Mr. SPAFFORD. Problems with technology. That was a hardware problem, yes.
[Laughter.]
Mr. SPAFFORD. We have 10 minutes to try to summarize concerns covering hundreds of items, perhaps thousands of important items. The issues of security and communication and computing are difficult to package nicely and describe because there are so many different aspects.
So what I have tried to do is find a way to illustrate what I think is the current state of security, and then to try to present to you one of the causes of this picture.
So I looked about and I found an illustration that shows some very careful thought given to what the current state of security is in our national infrastructure.
This was a cartoon that was drawn by John Klossner and published in Federal Computer Week last year. I think it adequately captures exactly the state of things. We have put in a great deal of time, effort, and technology in building up our national infrastructure, and of course security is the gentleman down here behind the box [indicating].
Simply to get across that this is not quite as depressing as you might think: Let me note that the saucepan that he is wearing as a helmet was built to milspec standards and cost $89,000----
[Laughter.]
Mr. SPAFFORD. And the fly swatter he is using is export controlled as a ''critical weapons' technology.''
[Laughter.]
Mr. SPAFFORD. Let's try to look at the big picture of where we are. I have gone back 17 years as a starting point to 1980.
At that point, 17 years--which is generally considered to be 1/2 of a generation, or perhaps a third of one's productive career. The ARPANET was the biggest network going in many respects and it had fewer than 200 hosts on it. There was no Internet. There was no WorldWide Web.
Work stations had not yet been marketed. The PC industry was in its infancy. This was prior to even the introduction of the IBM PC.
Bill Gates was known to only a few people.
As an environment, this showed great promise. The government helped fund this development. The infrastructure was in place. The technology was cutting edge. It had an incredible lead. There were some attempts at networking going on in other places in the world, but the ARPANET soon grew to take over.
Where are we now? We have tens of millions of people around the world and millions of systems connected. Over 120 countries (at least) with direct connections, including connections on all seven continents.
I have regular conversations with sites in Antarctica. (So all seven continents.) And, in fact, the ALVIN-2 submersible that is operated out of Woods Hole: they have an Internet connection, and when they are on long dives some of the people there cruise the Web and participate in mailing lists. The Internet really is ubiquitous.
We are even talking about Internet appliances, very low-cost items that we can hook up to our cable systems at home, or to the network so that everybody will have access. In truth, that is coming very quickly with population with access to the Network doubling approximately every 8 to 12 months. Doubling! That is an incredible rate of growth.
Unfortunately, with this we have a steady background of vandalism, fraud, various anarchy types of behavior. Law enforcement has not been able to keep up. The laws have not kept up. The technology is not there. Law enforcement personnel do not have the training or tools.
Users cannot protect themselves because the technology is not available to them. Most of them, if they had the technology, they do not have the training. And if they had the training, they have not had the education to even recognize what the threats are.
The result is that we have incredible losses. Some of the material that has been prepared for you in the background statements and other materials indicate losses in some cases ranging into the millions of dollars per incident in computer crime and fraud already, not to mention down time and other kinds of concerns. National security interests are also involved here, and those are impossible really to put a price on.
One of the big problems from my point of view is that our research and education infrastructure has not kept up with the pace of technology. We have not done a good job in designing for tomorrow.
The students we are educating today at our universities and colleges around the country are going to be designing what we are going to be seeing over the next 15 to 20 years. Our educational programs and our research programs in academia are where these products are coming from, and we are not training the students who are developing those products and who go out in the industry to produce them commercially to consider issues of security, of privacy, of reliability.
Those are secondary issues. The primary motivating factors are:
Can we make it work?
Can we make it work cheaply?
Can we make it work even more cheaply?
Can we sell it to people and have them buy it despite the bugs being present and taking our explanation of it'll be fixed in the next release?
That is the level of education; that is the level of marketing.
We need to do better than that, or else what we are going to have in our environment over the next few decades is going to be a breeding ground for a major disaster.
Now there is some good news. I think after all you have heard a little bit of good news is warranted. We do have at least four places where there is cutting edge, state-of-the-art research being done, and where education is really important in computer security.
There are more than this, but these four centers represent the best in some senses, because these four centers have collected at least three faculty members each, a body of students, research funding from the outside, they have recognition as centers within their universities, and recognition from their peers on the outside.
I am not going to go through each one. Ours is one of these. We have been successful in attracting students from all over the world. We have been successful in attracting research funding from companies and from government, and sort of the good news is that the COAST group is probably the largest such academic center in the world.
The bad news is: We aren't very big. We do not really have much in the way of resources--and I will say more about that on this next transparency. Here is the bad news:
For those four centers--places where there is state-of-the-art, integrated education and research in computing security--if we look nationally over the last 5 years we have graduated about 5,500 Ph.D.s in computer sciences and engineering total. Of those, only 16 have received their degrees in computer security from these four centers: 16 new Ph.D.s in the last 5 years to help with cutting edge research in computer security.
Only 8 of those people were U.S. nationals. And of those 16, only 3 went into academic careers to help teach more people about computer security. I hope you can understand this is not good.
Those same centers have produced only 50 Masters students in the last 5 years, and only 50 percent of those were U.S. nationals.
Now I am not pointing that out to say that this is a bad thing. I think it is wonderful that we are attracting high-quality, very dedicated students from around the world. Many of them stay and add to our industrial base; they add to our population; and they certainly add to our tax rolls when they go into high-technology jobs.
At the same time, we are educating people who are going back to their countries and competing with us and we are not educating enough of our own citizens on how to deal with computer security.
In the history of those four centers there are only three companies that have provided multi-year ongoing support for research in computer security. So an argument that has been made is: If there was a need, then the commercial sector would be providing for it. Unfortunately that has not been the case. I am pleased to say that Sun Microsystems, employer of Geoff Mulligan, is one of those three companies.
In the history of these centers also we have only had three government agencies that have provided nonsolicitation support; that is, who have provided any kind of infrastructure support that was not the result of a broad agency widespread solicitation where we had to compete for the funds for specific research projects.
There has been no effective government underlying infrastructure funding for these centers. They can make a bigger difference if they had more resources. Unfortunately, most of them are in a very fragile state right now whereby the departure of one senior faculty member at any one of those centers would basically cause its dissolution. The prospects, in some senses, are bleak from the academic standpoint because outside opportunities lure away our students and our faculty.
Graduates at every level, undergraduate, Masters, Ph.D., from my center, are receiving offers from industry ranging from $10,000 to $25,000 more than the other average graduates out of our program. We have a very good program, and our students are much in demand. The security students are in greater demand.
Recruiters are seeking those students prior to their graduation and luring some of them away before they even finish their degrees. I am typical of many of the academic faculty working in computer security in that I get unsolicited offers that are absolutely astonishing in what they are offering to lure us away from academia.
Unless one is really dedicated or has other reasons why one would be staying in that environment, it is easy to leave and further reduce our capabilities in education.
Advancement and recognition has been a problem in applied computer security. It has been difficult to evaluate someone's work because of the lack of support from the outside.
Our peers have judged it to be not an important area and therefore do not take seriously many of the people who work in practical computing security. Because if there is no recognition from outside, then why should it be recognized inside the profession?
The resources are often limited and unsustainable because we do not have long-term infrastructure funding. Faculty--and I can speak from my own experience here--sometimes have to spend up to 50 percent of our time on clerical work, on simple maintenance and trying to find replacements for software and hardware.
Instead of me spending time doing research and educating my students, I am filling out paperwork and installing software because I cannot get funding for personnel to help with that.
The sense of reward is not encouraged within academia, for all of these reasons and more, some of which are listed in the statement I submitted to the record, and the national focus and attention for research so far has been on spot problems.
There are big initiatives that have been generated for high-performance computing, the NII, information warfare, and large amounts of money for specific project areas and spot projects but they don't cover the broad picture.
So we have seen a lot of funding that has gone into ideas for electronic commerce, universal access, information warfare, but we have not really gotten to the point of trying to look at the overall picture of what is required to lay down a future to research future issues in education and security.
Well, I would like to close with some specific recommendations for things you might consider, and that others might consider to help redress some of this problem.
First of all, I think it would be worthwhile to set up some program that would fund fellowships for students to go into computing security and communications security so that we can build up more training in this area, so that we can get more people involved in faculty positions, more people with appropriate training in the industry.
Second is: Provide some form of fellowship or grants specifically to those individuals who might go into faculty positions, to encourage them to do so, to give them a sense of reward, and to make it clear to our academic colleagues that the application of computer security is a worthwhile area and is taken seriously, and therefore provide an environment that is conducive to them to want to stay there.
Third, provide some form of long-term infrastructure funding for the existing centers. They are a critical national resource and they are in a fragile state. Unless something is provided to allow them to continue and to grow, to develop educational outreach, to build a stable set of resources, we may lose them.
Fourth, we need to involve industry more in security education and application. The fact that only three major commercial firms have provided any consistent funding in this area (at least for our centers--I am not going to claim that is true nationwide) is really distressing. We need to develop long-term collaborative partnerships there.
Fifth, we need to encourage more development of educational outreach because, although some of our students of today are going to be designing the systems of tomorrow, the people who are out there right now in industry are also going to be designing those systems and we need to re-educate them because the field is moving so quickly.
And sixth, we need to encourage collaborative relationships across all of these--industry, education, and government--if we are going to make this work.
A hearing such as this is a wonderful start, and I thank you for the opportunity to speak to you.
[The prepared statement and attachment of Mr. Spafford follow:]
ONE VIEW OF A CRITICAL NATIONAL NEED: SUPPORT FOR INFORMATION SECURITY EDUCATION AND RESEARCH
EUGENE H. SPAFFORD
DIRECTOR, COAST PROJECT AND LABORATORY
PURDUE UNIVERSITY
W. LAFAYETTE, IN 47907-1398
Abstract
We are facing a national crisis in the near term that threatens our national security, our individual safety, and our economic dominance. The rapid growth of information technology is a driving factor in this threat: we are relying on new and often fragile technology in critical applications. Furthermore, those applications present attractive targets to criminals, vandals, and foreign adversaries.
Our students and soon-to-be students will be designing our information technologies of the future. We are endangering them and ourselves because the majority of them will receive no training in information security. This is largely because of a severe shortage of resources for computer security education and research. Current programs in place in industry and government do not address these needs, and some may actually serve to increase the problem.
This paper serves to introduce the crisis in providing good computer security education. It presents some of the history and context of this problem. It then provides some suggestions for near-term actions that should help to ensure a safer future for us all.
Introduction
It is clear that computer security is an area of increasing, major concern and that all of society is facing an increasing number of severe challenges related to security. Incidents related to disclosure of information, wide-scale computer breakins, and the exponential growth in the number of computer viruses being written and discovered all indicate an increasing threat to effective use of computing resources.(see footnote 1) There have already been many documented cases of economic espionage, vandalism, theft, and other major economic crimes, some of which involve losses in the tens of millions of dollars per incident.[Pow96]
Many computer crimes go undetected. Others go unreported because the victims fear that any publicity about their losses (and by implication, their vulnerabilities) will result in a loss of confidence in their businesses. Additionally, there has been a huge number of cases involving smaller losses, most of which may not have been reported to the authorities for a simple reason: nearly everyone is aware that law enforcement is hopelessly undertrained, underequipped, and understaffed to cope with even a minute fraction of the current flood of computer crime--and this imbalance is steadily improving for the vandals and crooks.
The threats from violations of computer security are numerous and diverse. They include loss from fraud and theft, economic and international espionage, sabotage, terroristic activities, computer viruses, vandalism, and support of other forms of crime. Furthermore, not all of the criminal activities are directed at government, commerce and other organizations: violations of personal privacy, harassment, ''stalking,'' libel, and other activities threaten individuals as well.
A few years ago, the report Computers at Risk[SSSC91], forcefully outlined several critical security problems facing computer users. Few of the recommendations in that study were addressed, and the problems have become even more pressing in the intervening years. Our increasing reliance on computers for critical applications poses increasing temptation for unauthorized criminal and terroristic activity. Our increased connectivity provided by new network technologies simply amplifies the existing threats that we do not yet completely understand. For example, sixteen years ago, the experimental IP protocol suite was introduced as the number of ARPANET hosts exceeded 210; today, we have a worldwide network of several million machines using the same protocol.
The increasingly widespread use of computer technologies involving distributed databases and parallel and distributed processing adds new variables that have not, as yet, been adequately examined. Initiatives that link together computing systems from around the world and that provide access to more users will only add to the potential for security problems. In his State of the Union Address in January 1997, President Clinton voiced a goal of connecting every school and library into the Internet. Are we prepared for the problems that may arise in addition to the perceived benefits of having such widespread access available by the general public?
As was noted in an Office of Technology Assessment report[OTA94, Forward]:
Information networks are changing the way we do business, educate our children, deliver government services, and dispense health care. Information technologies are intruding in our lives in both positive and negative ways . . . . As businesses and governments become more dependent on networked computer information, the more vulnerable we are to having private and confidential information fall into the hands of the unintended or unauthorized person . . . [Safeguards are required] Otherwise, concerns for the security and privacy of networked information may limit the usefulness and acceptance of the global information infrastructure.
The problems are especially pressing in the arena of national defense. Consider this statement in Duane Andrews' cover letter in the Defense Science Board's November 1996 task force report on Information Warfare--Defense[Boa96]:
We conclude that there is a need for extraordinary action to deal with the present and emerging challenges of defending against possible information warfare attacks on facilities, information, information systems, and networks of the United States which would seriously affect the ability of the Department of Defense to carry out its assigned missions and functions. We have observed an increasing dependency on the Defense Information Infrastructure and increased doctrinal assumptions regarding the continued availability of that infrastructure. This dependency and these assumptions are ingredients in a recipe for a national security disaster.
It is interesting to note that this conclusion is independent of whether or not there is concern for protection against directed ''information warfare.'' Widespread criminal enterprises, selected actions by anarchists, or random acts of vandalism can also have ruinous effects on our safety as a nation. Furthermore, as more and more commercial entities move to ''internet commerce,'' the potential for serious disruption of our national economy also looms large.
Consider: in 1980, there were under 200 hosts on the ARPANET.[Sal95] A few countries were beginning to experiment with national networks. The first commercial workstations were not yet on the market, and the PC industry was in its infancy. The first, primitive Usenet newsgroups were flowing among a few dozen machines using 30 cps(see footnote 2) modem technology. And the World-Wide Web was pure science fiction and a dozen years away.
Now, a mere 17 years later--one-half of a human generation or one-fifth of human lifetime--we have a global network that reaches to over 120 countries on all seven continents. We have tens of millions of people using the Internet daily. Governments are using the Internet to run their daily affairs. Commercial overload of service providers makes front-page news in all the major newspapers. Late night comics and editorial cartoons commonly refer to the WWW and network address. The President's State of the Union address is broadcast live around the world over the Internet. Some people estimate that billions of dollars are already invested and changing hands in commerce facilitated through on-line communications.
Where will we be in another 17 years? Although it is difficult for any of us to even imagine the changes in store, there is at least one clear aspect of that future: it will be designed tomorrow, in large part, by today's students. Some of them will enter the workforce and design the technology that will change our lives. Others will initiate the changes with their research projects soon to be underway. And still others will be wrought by those who are soon to be seeking re-education in high-tech fields so as to be productive employees of the 21st century.
Academic Security Education in the U.S.
This incredible pace of technology is changing our world so rapidly, there is clearly little chance to roll back the clock and reimplement decisions that may have negative security implications. To ensure safe computing, the security (and other desirable properties) must be designed in from the start. To do that, we need to be sure all of our students understand the many concerns of security, privacy, integrity, and reliability.
Unfortunately, this has not happened in recent years. For instance, consider the production of the software on which we currently depend. Commercial software vendors are still writing and releasing software needing patches for ''bugs'' that were well-known as security problems over 20 years ago!(see footnote 3) Even when highly-publicized problems occur, such as the buffer overflow problem exploited by the 1989 Morris ''Internet Worm'' [Spa89a, Spa89b], or the year 2000 date problem, those same software faults continue to be incorporated into existing operating systems.
Systems continue to be built using techniques known to be unsafe. Why aren't these problems avoided? Why is it that our students do not learn better security techniques? It is almost certainly because so few of them have access to appropriate education in such topics.
Information security/computer and network security, as an area of specialization, is difficult to accurately define. Even professionals working in this area have difficulty agreeing on an exact definition that appropriately encompasses the field. Part of the reason that security is difficult to describe is because it draws heavily upon so many areas of computing. In at least one sense, it seems closely related to software engineering--computer security is devoted to ensuring that software and hardware meet their specifications and requirements when used in a potentially hostile environment. Computer security thus includes issues in computer system specification, verification, testing, validation, safety, and reliability. However, security encompasses much more than these issues, including topics in (at the least) operating systems design, architectural design, information security, risk analysis and prediction, database organization, encryption and coding, formal models of computation, fault tolerance, network and protocol design, supportive interface design, government regulation and policy, managerial decisions, security awareness, and education.
The difficulty in defining computer security is also reflected in the scattered and underdeveloped educational and research programs in the area. Many other fields of computing research have well-defined bodies of educational literature, major research centers funded by government and industry, and a substantial student interest. Meanwhile, the field of computer security has been represented in academic life in the past dozen years by short chapters in textbooks on operating systems, data communications, and databases, and by a few individuals working in isolation in academia. The field currently has only a few widely-circulated archival journals in computer security topics: e.g., Computers & Security, Cryptologia, and the Journal of Computer Security. And the public perception of computer security is shaped(see footnote 4) by sensationalism such as computer virus scares, stories of 14-year old children breaking into sensitive military systems, and movies such as ''The Net'' and ''Hackers.''
Few universities or colleges offer in-depth education in computer security. As of mid-1996, there were only three declared, dedicated computer security research centers in degree-granting departments at universities in the United States (these are discussed in the next section); in November of 1996, a fourth center came into public existence. When computer security courses are taught, relatively few textbooks on computer security are in use, and several of the most commonly used ones are principally devoted to cryptography (e.g., [Den83]).
Research in academia is being done by a limited number of faculty at scattered locations working with a few students. What research is being done, in academia or commercially, has traditionally been oriented towards limited military requirements because until recently that is where the major demand has been (and where the funding has been available). The recent trend has been somewhat more open, but is still focused on a few narrow areas involving cryptographic support for electronic commerce and network firewalls. Although these technologies are significant, they are not addressing more important security needs. By way of illustration, I have been using the following analogy in my lectures and seminars on this topic over the past few years:
Focusing our research on cryptographic protocols for secure electronic commerce is akin to investing all our money to build heavily armored cars. However, those armored cars will spend their lifetimes transferring checks written in crayon by people on park benches to merchants doing business in cardboard boxes under highway overpasses. Meanwhile, there are no traffic regulations, anyone on a skateboard can change the traffic lights with a screwdriver, and there are no police.
This lack of visibility, training, and coordinated research efforts has led to a significant shortage of practitioners trained in practical computing security, and to a critical shortage of academic faculty prepared to offer advanced instruction in this area. This contributes to a lack of consideration of security issues when new computer systems are being designed, thus placing those new systems at risk. As technology propels us into a future where global networks of communicating, multi-vendor computer systems are commonplace, the lack of universally-accepted social norms and laws will lead to difficulties that only well-designed computer security tools and techniques may prevent. To design those tools and train that workforce, we need an experienced, well-educated core of faculty.(see footnote 5)
Education and research in computer security-related issues have usually been conducted under a number of different rubrics reflecting its cross-disciplinary nature. Work in areas such as computer architecture, operating systems, data communications, database systems, and software engineering has addressed questions of computer security. Despite advances in all these areas, most direct security-related research in the last few decades has been largely directed towards only a few selected topics. For instance, most of the systems-oriented research done to date has been in support of formal trust models for multi-level secure machines employed in military settings, including compartmented-mode workstations. The results of this research are usually of little use in ''real-world'' computing environments. This is because the traditional focus of such research has primarily been on issues of confidentiality [Nat85, Nat88] (keeping information secret), rather than on related issues such as availability and integrity.(see footnote 6) Thus, there has been little support for research in the area of designing security tools and techniques for everyday use on commercial and educational computing platforms. Furthermore, as more computer users seek to use COTS (commercial, off-the-shelf) components, we will need better protection methods built in to these common systems.
In particular, considerable research in computer security methods and protocols over the last few decades has largely been focused on theoretical models of secure systems, multi-level systems, covert channels, statistical intrusion detection systems, and communications security issues (e.g., cryptography). Insufficient research has been focused on the development of tools for improving general security, policy formation, audit techniques, availability models, network security, computer forensics, countering malicious software (e.g., computer viruses and worms), policy formation, and integrity methods. In fact, research in many of these necessary areas has been discouraged by the military for fear that people might collaterally discover ways of penetrating government systems. Another reason work in these areas has been limited may be because such efforts require an interdisciplinary approach and few researchers and research groups have both the breadth and depth of expertise necessary to conduct such investigation. To conduct good research in this area with application potential requires a broad base of resources and focus.
Education and research tend to track sources of demand. Thus, over the past few decades, research funding was made available by the military to researchers to conduct research issues related to military concerns. This tended to direct narrowly the research done in computing security. Journals and conferences came into being to provide outlets for this research, thus leading to a climate that did not readily accommodate research in other areas. The demand for students also shaped this picture, as the majority of job offers for graduates in security would come from either the government itself, from military contractors, or from vendors supplying the military. The overall demand for such graduates was not large. The Internet ''explosion'' has taken many in the community by surprise, to put it mildly.
One result is that education in computer and network security in the U.S. is currently provided in a narrow, haphazard and inconsistent fashion. Some standard undergraduate and graduate texts in major course areas (e.g., operating systems) may have a brief chapter on security. These chapters often contain vague information about general security properties that are not particularly helpful in actual use. The instructors have not had direct experience or education in security, so they are unable to augment the material in the texts in any meaningful ways. The result, in the usual case, is that the material is presented in a cursory and compressed manner. As the material is in a separate chapter rather than integrated into the rest of the text, students are further given the implicit impression that security is unimportant, lacking in detail, and a separable concern.
Luckily, this is not true at every college and university. There are a number of faculty with some deeper background and concern with security. These faculty members do attempt to present information security concepts at greater depth in their courses. Even so, few students are given the opportunity to concentrate in security as a specialty, or to see how it cuts across several areas of study. There are only a few score faculty at institutions in the U.S. who conduct some research or specialized education in computer or network security. There are fewer still who have any front-line security response experience.(see footnote 7)
At the high-end of this specialization, there are four recognized academic centers in areas related to computer and network security in the U.S. Each of the four has several senior faculty whose research specialization is in one or more fields of information security. Each of the four centers has outside funding, recognition by its home university as a center of education and research, and recognition in the community. These four centers are (in order of their founding):
The Center for Secure Information Systems at George Mason University. This center has several faculty involved in research and education, with a primary emphasis on issues of information system security, database system security, and authentication methodologies.(see footnote 8)
The Computer Security Lab at the University of California, Davis. This group includes seven faculty and four post-doc staff, with a primary emphasis on verification methodologies, and security for large-scale systems and networks.
The COAST Laboratory at Purdue University. This group consists of almost a dozen faculty (half with current funding for research projects), and several staff. The COAST group has a primary emphasis on issues of host security, intrusion and misuse detection, computer forensics, and audit technologies.(see footnote 9) With over 35 students involved in research projects, this is the largest and most widely known of the four centers.
The Center for Cryptography, Computer, and Network Security at the University of Wisconsin, Milwaukee. This center was formally announced in November of 1996, although the (three) faculty members involved have been working in security for several years. The primary focus of this group is on application and extension of cryptography and cryptographic methods.
As a set, these represent the most advanced groups involved in both security research and education in the U.S. today. One of the labs (COAST) is widely believed to be the largest such academic lab in the world; it is also located at the highest-ranked department of the four, according to statistics published by the National Research Council.(see footnote 10)
Consider the following information about these four centers combined:
Over the last five years, approximately 5500 PhDs in Computer Sciences and Engineering were awarded by universities in the U.S. and Canada.(see footnote 11) Only 16 of those (average of three per year) were awarded for security-related research at these major centers.
Only eight of those 16 graduates were U.S. nationals.(see footnote 12)
Only three of the 16 went into academic careers.
The average production of Ph.D.-level students from these combined centers may rise to as many as five per year over the next three years; however, the ratios of citizens and of graduates entering academia are expected to remain constant.
The four centers combined produced fewer than 50 students with research-oriented Masters degree training over the last five years. Only 50% of those students were U.S. nationals. There is no significant increase in M.S. production beyond this level expected over the next few years.
In the history of all these centers, only three commercial sponsors have provided funding for research and education in security over a majority of the years the centers have been in existence.
In the history of all these centers, only three government agencies have provided multi-year support of any kind other than through competitive research bidding (e.g., DARPA BAA or NSF program solicitations).(see footnote 13) This is not because of any lack of quality or need at these centers, but rather because there is no Federal program in place that would provide such funding, even when despera