Printer friendly version

Security key to future of computing, cybersecurity expert says

Engineers designing the computer systems of the future must find radical solutions to today's mounting security risks, a leader in cybersecurity said this week at a Director's Colloquium in the Physics Building Auditorium at Technical Area 3.

"You don't cross a canyon with small steps; you take a running leap," said Purdue University computer sciences professor Eugene Spafford. "If a solution is possible, it will change the way we look at the field."

Computing is central to the Laboratory and every other institution, from cafeteria menu-planning, to tracking badge information to the most complex collaborative research, Spafford said, adding, "Computing is at the heart of what science is today."

Yet the threats to the computing enterprise loom larger every day:

• 4,000 major security flaws were reported in 2003, and more than 4,000 were reported in the first six months of 2004.
• The number of large-scale network attacks doubles each year, and many more aren't reported.
• More than 100,000 viruses and worms have infected the Internet, with about 200 new ones unleashed every week.
• Spam now constitutes 60-80 percent of all electronic mail, demanding significant additional capacity and services than users actually require.

"We're spending all our time and energy on patching rather than innovating," Spafford said, arguing that software designers and network builders should focus instead on designing new, secure architectures and devising long-term security policies.

A year ago, the Computing Research Association identified four "grand challenges" that could lead to long-term information infrastructure improvements:

• "Eliminate epidemic-style attacks (viruses, worms, e-mail spam) within 10 years;
• "Develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets;
• "Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade; and
• "Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future."

These grand challenges are based on where computing is headed, Spafford said: smaller, cheaper embedded systems; pervasive, mobile networks; global, multicultural users; new, high-demand services in such areas as entertainment, telemedicine and electronic government; and rapidly expanding amounts of data. (The amount of storage available on the Internet doubles every 16 months.)

Spafford advocated for intuitive, reliable, predictable and adaptable systems that support personal privacy. In fact, he said, security must be intrinsic to the computer systems of the future, not an after-thought.

"Technology can easily outrun comprehensibility," Spafford said, and joked, "We're geeks building systems for geeks. We've disenfranchised the average user."

A successful system would be one in which users felt in total control and trusted the system to protect their personal information, Spafford argued. Information security shouldn't stop users from doing something; rather, good security should allow more people to do more things with greater confidence.

Organized crime is moving into the cyberworld in a big way, with identity-theft schemes and even protection rackets in which cybermafias extort money from businesses by threatening them with denial-of-service attacks, Spafford said.

The value of cyber targets is growing, as is the ease with which they can be exploited. Anyone with a quarter can walk into a cyber-café in a Third-World country, download and assemble an attack program, launch it and take down part of the infrastructure of a global power or major corporation by using the network's inherent connectivity and massive parallelism against itself, Spafford said.

Although the cost of cyber attacks now exceeds $100 billion a year and continues to grow, computer scientists really don't have any idea of the actual costs in loss of productivity, expensive defensive systems, redundant infrastructure and diminished confidence in key systems. Spafford said only when investments in cybersecurity are appropriate to the levels of risk will progress begin.

He gave several examples of global innovations that would save billions of dollars and improve humanity's lot, but can't get off the ground because of the lack of trustworthy networks, including electronic medical records, electronic voting and integrated law enforcement systems.

"Balancing privacy with security is very difficult," he said.

Spafford said he hoped his talk and a focus on the grand challenges would provide direction and inspiration to computer scientists and security professionals at Los Alamos.

He urged his audience to investigate the grand challenges and some of the work he and his colleagues are doing at the Center for Education and Research in Information Assurance and Security, a multi-disciplinary center that explores information resource protection. More information is available at http://www.cerias.purdue.edu/ online.

Spafford is a professor of computer sciences at Purdue, with courtesy appointments in the Philosophy, Communication and Electrical and Computer Engineering departments. Spafford is a Fellow of the Association for Computing Machinery, the American Academy for the Advancement of Science and the Institute of Electrical and Electronics Engineers. He co-chairs ACM's U.S. Public Policy Committee and is a member of the Board of Directors of the Computing Research Association, and is a member of the President's Information Technology Advisory Council.

His awards and honors include the following: the Computer Society's Golden Core award; selection as a Certified Information Systems Security Professional, honoris causa; the William Hugh Murray medal of the National Colloquium for Information Systems Security Education for contributions to research and education in information security; election to the Information Systems Security Association Hall of Fame; and the National Computer Systems Security Award from the National Institute of Standards and Technology's National Computer Security Conference, generally regarded as the field's most significant honor in information security research. He is a 2003 recipient of the Air Force medal for Meritorious Civilian Service.

--Jim Danneskiold

Other Headlines