Computer-security experts called on researchers last month to develop long-term cures for security problems instead of just creating “patches” to fix immediate failures.
Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University, told a news conference here that computer scientists should rethink the construction of computer networks so that security is embedded, effective, and easy to use. But smaller, immediate security problems are getting in the way of accomplishing that goal, he said.
“Near-term needs are so pressing that they have soaked up most of the resources and most of the funding and left little for long-term thinking,” Mr. Spafford said. “It’s an ongoing arms race in cyberspace.”
The Computing Research Association and the Association for Computing Machinery organized the news briefing for Mr. Spafford and four other experts to present their conclusions after a four-day conference in Virginia. The briefing also followed a recent announcement by the National Science Foundation that the agency will soon start accepting research proposals for improving computer security under its Cyber Trust program.
Mr. Spafford, who has helped advise the science foundation on computer-security matters, said that some people are choosing not to go online because they are fed up with spam and sick of viruses. With greater network security, he said, people will do more online and better services will become available.
He proposed that researchers should meet four “grand challenges” within 10 years. He identified those challenges as:
- Stopping the spam, viruses, worms, and denial-of-service attacks that cripple computer networks.
- Developing tools to create large-scale networks that are highly trustworthy despite being an attractive target for hackers.
- Creating systems that allow users to be comfortable controlling their own privacy and security.
- Creating risk-management analyses for computer systems that are as reliable as risk-management analyses for financial investments.
Susan Landau, senior staff engineer at Sun Microsystems, had just begun a presentation on building trustworthy computer networks when her computer slide show went on the fritz. “The problem is, we have a large network environment that doesn’t behave,” she said to laughter in the audience. After the problem was fixed, she added, “We really did not try to plan it this way.”
Medical care could improve tremendously if computer networks were dependable and secure enough to put crucial patient information online, Ms. Landau said. But doctors don’t want to rely on computer networks that could jeopardize the accuracy and confidentiality of patient information. “You need trustworthiness in your networks,” she said.
Dan Geer, an independent security consultant, said risk analyses are important because managers have trouble making decisions about network security without considering the costs and benefits. He encouraged researchers to develop ways to measure security risks. Right now, he said, managers might think they’re spending too much on security if no problems occur.
“We have to have a way to measure things,” Mr. Geer said. “We cannot manage if we cannot measure.”
The other two speakers were Annie I. Antón, an associate professor of software engineering at North Carolina State University, and John Richardson, government technical-liaison director at Intel.
Carl E. Landwehr, program director for Cyber Trust at the National Science Foundation, was not at the event but said he hoped it would encourage researchers across the country to come up with proposals for redesigning computer networks and security standards.
“NSF’s special role relative to other research funders, in the government even, is the long-term approach,” Mr. Landwehr said. “NSF tries to energize the research community in some direction, and this is a direction we think we need to go.”
Mr. Spafford said accomplishing the “grand challenges” within 10 years was not just wishful thinking. He used the example of the growth of the telephone industry. Years ago, when relatively few people had telephones, people picked up the receiver and asked the operator to connect them with another party. The operator would manually connect wires to make the call go through.
At the time, observers saw telephone use growing so rapidly that eventually, as Mr. Spafford put it, “everybody would have to be a telephone operator.”
And that has, in fact, come true, he said. Because everyone feels comfortable dialing numbers, there is relatively little need for telephone operators any longer. He hopes the same can happen for computer security.
Congress passed a bill last year to authorize more spending on cybersecurity research. Mr. Spafford said he hoped that more money could be made available to help researchers create secure computer networks. “What progress has been made tends to be very episodic,” he said.
Source: http://chronicle.com, Section: Information Technology, Volume 50, Issue 15, Page A22