Asleep At The Switch

I was recently on a consulting job where the company I was working for was providing my services to their client who needed an analysis of its information protection status. The single most critical flaw detected in the analysis was that the entire assets of the client could be electronically transferred to any desired recipient anywhere in the world. This could be done by thousands of different employees and it could happen accidentally or intentionally by simply telling the computer to make the transfer. If this was done, there would be no warning, no approval required, the incident would not be detected until checks started to bounce, and it could easily be made to appear that an innocent employee had made the transfer. When my report placed fixing this problem at the top of the list of issues to be addressed, the company I was working for decided to remove it because they thought the client wouldn't want to hear it. This is depressingly common in the information protection industry.

With this example in mind, asleep at the switch seems like an understatement. It's more like making sure that the switch doesn't work just in case someone is actually awake and might try to use it.

When I tell this sort of story to executives I know, they usually question my statements. The dialog might go something like this:


This may seem like it's a once in a lifetime situation, but in the information protection business, it is a daily occurrence. You may ask, How can this be?. The answer is not so simple. In order to screw things up this badly, it takes a major lapse by a lot of people over a long period of time. And that's just what happened.

From the start, information protection has been bungled, and there's plenty of blame to go around. The military, intelligence, legislative, executive, legal, law enforcement, university, industrial, business, computer, and standards communities have all failed us. It's a rare circumstance when this many people screw up this badly. To understand what happened, the history of information protection has to be examined.

A History of Secrecy

Information protection started as a field about four thousand years ago, when the Egyptians started using special hieroglyphics in the tombs of their pharaohs. [Kahn] Over the next 3,950 years, most of the technical developments were in the area of cryptography, and almost all of the results were directed toward keeping information secret. The other developments were almost all related to personnel restrictions and physical security, and involved background checks, various wall and moat technologies, the design of safes and lock boxes, and other similar things. Accounting seems to be the rare exception where integrity was a vital and well-developed component of technology.

Up until the end of the nineteenth century, the dominant form of communication was via courier. There was no electronic data processing and the times involved in long distance communication were substantial. The dominant information protection technologies were designed to keep written information from being attained or understood by outsiders.

A Short History of Cryptography

Cryptography is the study of secret writing or, in other words, of transforming information into a form that obscures its meaning. In cases where release of information could cause harm, cryptography was a dominant technology for a long time.

It is noteworthy that of all the cryptosystems developed in the last 4,000 years, only two systems in widespread use remain hard enough to break to be of real value.

One of them, the perfect cipher, takes too much space for most practical uses. The other, the RSA public key cryptosystem, is too slow for most practical uses. Both of them were developed in the last 50 years.

It was only after Shannon's information theory was published in 1948 [Shannon48] that reliable communications became systematically attainable in noisy environments. It was that breakthrough that led to the creation of coding theory, which in turn provided designers with the first systematic integrity and availability in communications systems.

A classification scheme for ciphers was given in 1978 by Gary Knight [Knight] in the first of a series of articles which posed ciphers to the reader. After a given period of time, Knight demonstrated reader solutions along with explanations of how they solved the ciphers. Versions of the solutions attained by the author were also given along with many mathematical techniques for ``attacking the unknown cipher''. In my mind, the most interesting thing about this series of articles was the way in which virtually every cryptosystem invented before the 1940s was systematically overcome by applying Shannon's information theory of secrecy systems, first published in 1949. [Shannon49] All of the systems had been broken piecemeal before that time, but for the first time, cryptanalysts had a general way to attack all imperfect cryptosystems.

Computer Security Kicks In

The first computer systems were just coming into being in the 1940s and they were first applied to two military applications. One application was to break cryptographic codes used by the Axis in World War II, and the other was to compute firing tables for long-range artillery, also in World War II. [Kahn] These systems were physically secured in secret facilities with guards and locked doors.

After the war, computers were applied to many other problems, but security remained essentially physical in nature until timesharing came into being in the late 1950s and early 1960s. In a timesharing system, two or more people can use the same system at the same time by literally sharing its time. With timesharing, it became necessary to separate the memory used by the users sharing the system in order to keep them from accidentally overwriting each others' programs and data. The scheme eventually settled on, and widely used even today, was to assign users unique identifying numbers and to associate storage with those numbers. You may not see those numbers being assigned and associated as a user of a system, but the underlying mechanism is still there.

Over time, there were developments such as the introduction of passwords used to keep users from accidentally using the wrong user number, and access controls to prevent users from accidentally destroying data associated with other users. As more users began to use computers for a wider range of applications, some of those people became concerned about privacy issues (such as access to payroll data), the assignment of priorities to tasks (so that time-critical functions could be done before less vital functions), and other issues related to the scarcity of the computing resource. The scarcity resulted in hoarding, which resulted in people getting mad at each other, and in some cases, even attempts to violate the system security measures so as to get more of the limited resource. As the attackers got better, the defenders worked harder, and the battle raged.

It was only in the middle of the 1970s that people began to really model computer security in a meaningful way and use mathematics to try to systematize the field. In 1973, Lampson discovered a confinement problem with all computer systems that share information [Lampson]. This demonstrated fundamental difficulties in confining information. Bell and LaPadula published a paper that modeled computer security after military secrecy methods [Bell], and secure operating systems were under widespread development following this model. Over the next several years, Biba published an integrity model for computing that was widely ignored when it came to implementation, [Biba] Harrison et. al. published the first mathematical treatment of the overall protection problem and introduced the subject/object model of computer security that prevails today, Denning published an alternative lattice model of protection, [Denning] and many authors reported on computer security developments. [Popek] [Gold] [McCauley]

By the early 1980s, summary papers [Linde] and books [Denning82] brought the picture into clear view. The basic picture was that secrets could be kept by limiting the flow of information to go only from untrusted users to trusted users. It was at that time widely believed that the computer security problem had been nearly solved, and that in very short order, the military model of security which was based on secrecy would prove ideal for all applications. But then ...

Ignorance Is Not Bliss

Late in 1984, two very important things happened to the field of information protection. One was the first published results on computer viruses, [Cohen84] and the other was the official introduction of the Trusted System Evaluation Criteria. [Klein]

With the introduction of the issue of computer viruses in 1984, it was clearly and definitively demonstrated, both by theory and by experiment on existing military and commercial computer security systems, that the model of security based on secrecy had a fatal flaw.

In essence, the vast majority of the work done over the past ten years in computer security had been demonstrated to be a house of cards that could be blown over by a programmer with nominal experience and only a few hours of effort.

No amount of adjustment of the computer security controls of the day could in any way reduce the impact of this result and there was no doubt about what it meant.

The computer security field had paid full attention to the issue of secrecy for almost ten years, and yet had completely ignored the issue of integrity. The result was seemingly devastating. All of the systems developed over years of painstaking effort could be overcome with almost no effort. Even worse, there was a federal criteria for computer security that had been developed over a number of years that was literally on the verge of being accepted as the official government and de facto global computer security standard, and there was nothing in that standard that could be used to help protect against computer viruses in the least. There were even systems waiting for the standard to be accepted so they could be certified for government use. There was a whole industry on the brink of starting a new era, and it turned out that they had missed a fatal flaw.

There was quite a stir and more than a few voices were raised, but in the end, momentum won out. The federal standard was accepted, the systems awaiting certification were certified, and the computer security world began a period of almost ten years of officially authorized insanity.

Insane: not mentally sound

It seemed hard for me to believe at the time, but the momentum explanation makes sense of it. There was simply too much money and personal pride at stake for the government to change its direction, even though the direction was clearly flawed in the deepest way. But in information protection, ignorance is not bliss, it's suicide.

The Birth of the Personal Computer As if it weren't bad enough to have the military-industrial complex leading us down the primrose path, this was the dawning of the age of the personal computer, and it must have been a cloudy day, because the infant personal computing industry apparently couldn't see the forest for the trees.

The Multi-State Computer I have already explained that since the beginning of timesharing in the late 1950s, computer designers knew how to provide limited protection in computers. What I haven't mentioned is the technical innovation that made this possible. This innovation was the multi-state computer. Now the technical people among you will probably get confused or upset by my terminology, but let me clarify before you call me names. All modern digital computers involve finite state automata wherein the machine uses its current mental state and current inputs to generate outputs and a next state. With such a machine and enough memory capacity, you can perform any computation that can ever be performed. [Turing] But this is not the innovation I am talking about. The multi-state computer was an innovation that provided two or more master states for a computer; one that is used by the operating system and one that is used by user programs.

In the operating system state, the computer allows physical input and output to take place so that the disk can be read or written, any of the video displays can be changed, any keyboard can be read, and all of memory is accessible.

In the user state, no physical input or output is allowed, only a limited part of the memory is accessible, and if any attempt to use an unauthorized capability is attempted, the state is changed to the operating system state, and the operating system program is run.

In this way, a user program can try to write to the disk, the operating system will intercept the attempt and act according to its programming. The operating system can be programmed to provide all sorts of services, such as making a physical disk appear as if it were a file system, providing separation of user files and memory space from each other, and supporting other information protection features.

A two-state computer can implement any protection scheme that any multi-state computer can implement, but with a one-state computer it is impossible to practically provide fully effective protection. For this reason, starting in the early 1960s, all widely used general-purpose computers were designed with multi-state capabilities. The one major exception was the microprocessor integrated circuit technology, which was primarily used to perform real-time control tasks. An example of a microprocessor application at that time was to control the video display terminals used to talk to timesharing computers. There was no reason for a real-time controller to have protection capabilities and, because it took space on the integrated circuit and the technology at that time wasn't advanced enough to put these features on the same integrated circuit as the rest of the computer, the multi-state machine was not implemented in those controllers.

The microprocessors at the heart of these control applications were very small and inexpensive. They could be placed on a single integrated circuit, and the control system manufacturers had made some standard control system printed circuit boards that exploited this technology by adding memory, input, and output to make control system design simpler and cheaper. When the fledgling personal computer industry grew up, there was little money to invest, and the companies had to go with the cheapest technology around. The result was a set of computer kits that allowed people to build a small computer from parts and implement programs by entering octal (i.e., base 8) or hex (i.e., base 16) codes of instructions into a set of switches. As these systems advanced, the microprocessors remained at their heart.

The One-State Computer Wins

The personal computer industry was miniscule compared to the large computer companies like IBM. For a while, IBM outwardly ignored PCs, but in time, the computer giant decided that if there was going to be a personal computing industry, IBM was going to be part of it. So they set off to enter the business quickly by having an internal contest. The contest was basically that the first group to come up with a working personal computer would have their product turned into the IBM product. The winner was an existing control system modified to meet the minimum requirements. The processor was an 8080 made by Intel, and IBM was in the market. [Levy]

At that time, the microprocessor was inexpensive, the design was workable from off-the-shelf components, and the project could be completed quickly. The relatively low cost in conjunction with the availability of a few tools and the CP-M operating system made the product a winner. To place protection into this architecture would have taken time and money, and nobody knew what would happen with computers over the next 20 years.

But the best intentions don't necessarily lead to the best long-term results. As it was said at that time (mostly by the well dressed IBM representatives), ``Nobody ever got fired for buying IBM'', and indeed, customers bought IBM personal computers by the millions. The operating system became DOS, the 8086 was the microprocessor, and all was well with the world, except for one thing:

When they created the PC, they forgot about protection.

I don't mean to slight Apple Computer in this discussion, and I will give them a dishonorable mention along the way. Apple chose the 6502 microprocessor as the basis for its early computer system designs, and as it moved to the 68000 and on up, Apple also ignored protection. As the only substantial competition for personal computer operating environments, they could have made protection into a market issue, but they did not. Instead, and perhaps rightly so from a business point of view, they emphasized ease of use and user interface as the differentiating factors for their products.

A Generation of PC Programmers

An entire generation of programmers was brought up on the PC and the Apple personal computer line. The result was devastating to much of the knowledge base gained from the first 20 years of widespread computing. Almost everything learned about timesharing, efficient allocation of resources, information protection, and other related fields was lost to the PC generation. Indeed, PCs have dominated the computing field now for more than half of its lifetime. Most 35-year-old programmers have never programmed anything else, and half the population of the world is under 35 years old. Most universities teach personal computers as the dominant technology, and if you look at the curriculum, you will find that information protection is not included.

Early personal computers had a big problem. The problem was communication, which they largely lacked. The modem was used for communicating to mainframes, terminal emulators allowed them to be used as terminals for mainframe computers, and the floppy disks were very useful for physically handing data from one person to another, but there was no really effective way to get personal computers to communicate until the local area network (LAN) came into widespread use. With the advent of the LAN, the protection problem reared its ugly head again.

With standalone PCs, protection is essentially a physical issue, just as it was in the early days of computing. If someone can gain physical access to the computer, they are in control. If they cannot, they have no way to access information. But in the LAN environment, like in timesharing environments, access to any entry point may provide access to everything. The LAN environment essentially extends the computer to a larger physical domain.

The larger the organization, the greater the need for widespread communication in order to attain the leverage of information technology, and so LANs were soon extended to the wide area network (WAN) technology already used by timesharing systems. Today, it is not unusual for a PC to be connected to millions of computers via the Internet. [NSF]

But the PC generation didn't know how to design and implement protection, and the lessons of the first 20 years of computing were widely ignored. Even as the computing power increased in the early 1990s and the 80386 processor made the two-state machine available to the personal computer operating system designers, the designers simply didn't know what to do with the new capability. OS/2 and Windows came into popularity, but neither had any substantial protection capability because the PC generation hasn't been taught the lessons of the past. Even the file servers of the PC generation were not designed with good protection, and the result is a wide open, globally accessible environment.

Today, protection is essentially non-existent in more than 90 percent of the world's computers.

A Suppressed Technology

But dropping all of the blame on market forces and a lack of vision only begins to address the underlying causes of today's problems. For, at the same time as these events were occurring, there was a systematic movement by the Government to suppress the information protection technology base of the United States.

Cryptography Leashed

The dilemma of cryptography has haunted governments throughout history. The people in governments want their cryptography to be very strong in order to keep their secrets secret, but they also want everyone else's cryptography to be very weak so they can read everyone else's secrets.

Nowhere was this made more clear than in World War II, where the Unites States and United Kingdom were successfully reading secret transmissions of Germany and Japan, and the Allied transmissions were not being read effectively by Germany or Japan. [Kahn] The cryptographic advantage literally made the difference in the Battle of Britain, the Battle of Midway, and in many other decisive occasions. It also played a major supporting role in Patton's victories over the Africa Corps, the war in Europe, and throughout the South Pacific.

One of the results of the success of cryptography in World War II was that it came to be viewed as such a vital national military asset, that open research was suppressed. For example, cryptography is the only large class of information technology that is banned from export. Cryptographic results, as nuclear weapons results, are considered classified as soon as they are created. Research grant applications submitted to the National Science Foundation (NSF) in the areas of cryptography and computer security are required to be sent to the National Security Agency (NSA) for review and, to date, the NSA has not rated any proposal high enough to get funding from the NSF.

When the RSA public key cryptosystem now used in so many commercial applications [Rivest] was first published, there was an attempt by the U.S. government to suppress its widespread release. It ended up in Federal court, where the NSA refused to show any evidence, but told the judge that it would be against the national interest to allow the already published information to be further published. The court ruled against the NSA.

During the explosion of information technology, the government was trying rather hard to control the research in information protection by restricting research funding, bringing researchers who published results to court, and trying to discredit researchers. The problem with this strategy was that as our individual, corporate, and national dependency on information technology increased dramatically, our knowledge base in protecting that technology was suppressed. It's like suppressing the immune system of a person with a deadly disease. The person will eventually die.

But even with the national government's efforts to suppress the widespread development of information protection technology at the height of the Cold War, some of its most precious secrets were being leaked to its worst enemies. As research was being suppressed at a national level, government employees were leaking information in exchange for cash, sex, and other reasons. The Falcon and The Snowman case [Lindsey], the Ames case, [Anonymous] and the Walker family case [McGrath] are three widely published examples. So our enemies were learning the secrets of our protection, while our own people were being kept in the dark.

Law Enforcement Is Clueless

Recently, law enforcement has started to take computer crime seriously, but until the early 1990s, they were literally clueless. When Cliff Stoll called the FBI [Stoll91] to report the attack on his computer, the FBI asked how much was stolen. Cliff answered, ``seventy five cents'' ($0.75). The FBI ignored all of the information about national laboratories being broken into via computer and concentrated on the known loss which was too small to be bothered with.

``But the times they are a-changin'.'' The recent introduction of federal laws and an increased awareness by the FBI and other police organizations of the import of computers in crime has led to a lot more attention to this issue of late. Unfortunately, law enforcement personnel are not even close to expert in this field today, and by the time they are called, if they are called, it is rarely possible to catch an attacker.

Attacks Covered Up

You have no idea of how often computers are attacked.

You are probably unaware that late in 1993, successful attacks were underway against large numbers of U.S. DoD computers throughout the world. In fact, even the DoD wasn't aware of this until early 1994.

Until you read this book, you were probably unaware that more than 100,000 computer system passwords had been gathered in recent attacks on the Internet and that those attacks are still underway at this time. If you are unaware of attacks against hundreds of thousands of computers at one time where those attacks are announced in the media, you are almost certainly unaware of the many more attacks that happen every day and are covered up.

An example of a coverup from my personal experience might be helpful in understanding the issue. I was asked in to do some consulting for a large company I have worked with before and was given no particular details ahead of time. This may seem unusual, but in the information protection business, it's fairly common for people under attack to give no unnecessary details over the telephone. In this particular meeting I went to, I was told that about $100 million had been stolen and that nobody had been told about it because the company was afraid their customers would lose confidence. By the time they called me, it was apparently too late to recover the money because the incident had happened more than six months earlier. I was later told that the theft was eventually written off as a one-time loss due to restructuring (or some such thing) and the stockholders were never told the truth.

Now I must say that there probably are not very many cases of $100 million losses due to computer fraud per year. For example, the FBI claims to know of only two such cases still unsolved from 1989. [Cox] But, of course, the example I just described was not reported to the FBI, so these numbers are at least a little bit low. How low are they?

It is impossible to tell you how low the official figures on losses due to computer crime are. One reason is that there is no uniform way to evaluate such losses. For example, the Internet Virus in 1988 resulted in estimated losses ranging from a few million dollars to tens of millions of dollars, but in court, the official losses in the criminal charges were placed at or about $50,000. This difference is in part because the legal requirements for the crime Morris (the admitted and convicted perpetrator) was charged with were only $5,000 in damage, so it was unnecessary to try to elevate the figures above that. But the real value of a loss of this sort should include lost time for all of the users, damage to the reputation of the affected companies, the cost of replacing lost or corrupted data, incidental damages created by the downtime, and a whole host of other factors. [ISSA]

Another factor is that only a portion of actual computer crimes are ever detected and, of those, only a portion are ever reported. I obviously don't know what portion of the crimes are detected, since I would have to detect all the undetected crimes in order to know that, but you may legitimately ask how I know that all of the crimes are not detected. It is not because I am a criminal who hasn't been caught. I have three types of evidence that convince me that this is the case.

I have spoken to a number of computer criminals that have never been caught.
I have performed tests to demonstrate weaknesses that show that certain types of crimes are undetectable in certain environments.
When computer criminals are caught, they sometimes admit to crimes that were not detected.

Even when computer crimes are detected, they are not always reported. For example, in one recent study I did for a large company, about 20 incidents were detected by employees over the last year, but only two of those were reported to the police. One reason the police were not called was that the employees detecting the incidents had no official mandate or mechanism for reporting incidents to management. Top-level decision makers never had the choice of reporting or not. The executives only found out about the incidents in the course of the study.

Another reason many incidents are not reported is because they involve information that the company does not want released. In papers published by American Telephone and Telegraph (AT&T) [Cheswick] [Bellovin] and Digital Equipment Corporation (DEC), [Ranum] computer crimes are described and their frequency is given, but if these published papers are accurate, few, if any, of these incidents were reported to the police. For some reason, these criminal acts were eventually disclosed to the public, but they were apparently never reported to the police.

Perhaps the best way to measure actual incidents is to look at how many attacks have been detected in your organization and how many of those have been reported to the police. Assume that everyone else acts about the same way, and you should have an idea of the level of crime today.

The Universities Fail Us

While you would expect universities to be in the forefront of information technology, they certainly are lagging in information protection, at least in the United States. The story here begins with the late 1970s. At that point, there was a growing interest in information protection in the university community as reflected by the increased number of journal articles from universities at about that time. [Cohen-Wiley] But three things happened to prevent the further growth. One part of the problem was the suppression by the government of sponsored research into information protection described earlier. Another part has to do with the general lack of funding for university research in the 1980s. The third part has to do with inbreeding.

The general lack of research funding started in about 1980 when Ronald Reagan became President of the United States. In his first year in office, the budget for unclassified research and development went from 4 percent of the federal budget to under 2 percent. The effect was devastating to the universities because they had depended on the government for research funding to such a large extent that many programs were eliminated. Many of those that survived did so by converting to low-cost development programs for local industry. In the following years, most businesses followed the government's lead and reduced research and development spending, and those reductions also affected the universities.

As spending is cut, research programs tend to move from looking far into the future toward solving today's most pressing problems. Thus, research becomes a reactive effort rather than a proactive effort, and advances in fields like information protection tend to fall by the wayside.

The inbreeding problem is caused by the tendency for research in universities to follow the same lines as previous research in those universities. In the 1960s and 1970s, the computer science community was fairly young, and widely associated with the hippies of that era. The whole idea of secrecy was in violent opposition to the goals of open research, and the computer science community was one small and happy family. The result was that a large portion of the best known researchers in the field and most of their students took a perspective of ignoring information protection except in a few areas where it made computing easier. They didn't teach their students about protection, the subject was poorly covered in even the best of textbooks, and the curriculum lacked in this area to the point where the average graduate had only about 15 minutes of exposure to the field. [Cohen-Wiley] The best of these students commonly became graduate students, and eventually, after being weeded out by professors with little or no interest in information protection, some of them became the new generation of professors. Thus, the inbreeding caused a neglected field to be further neglected until it was almost forgotten.

An Industry of Charlatans

If the universities failed us, it was unintentional, but the computer security industry had a much different agenda. Their goal was to promote ignorance and fear so they could sell more low quality products with lower development cost. If you know this business, you know that there are many legitimate companies that have good products, but there are also a lot of companies that think they are legitimate, but lack in the underlying knowledge needed to qualify them to do good work in this field.

One class of good examples are the products on the market today that provide PC security in the form of a program to associate a password with each file. Now I don't want to make the blanket claim that there is no application in which this technique is workable. But I think I should point out just a few of the problems with this scheme that you should be aware of before you buy.

Effective password protection requires hard-to-guess passwords and a secure channel from the user to the computer. Most of these schemes don't provide adequate protection against easily guessed passwords or provide a secure channel.

The use of multiple passwords leads to forgetfulness, while the repeated use of the same password is a waste of time and effort. If you want one password to protect your files, you should have a different sort of protection scheme.

Implementations tend to be flawed in that they are easily attacked. For example, most such schemes don't prevent widely used commercial utilities such as Norton Utilities from accessing files unhindered.

Forgotten passwords lead to easy breaking schemes or lost files. In the former case, the providers of the protection provide a utility program used to break the scheme or another vendor will provide it for a fee. For example, WordPerfect's encryption was trivially broken by researchers at Queensland University of Technology, and hundreds of people requested copies of the code-breaking program so they could recover files they lost when someone forgot a password. Lost files are often more of a risk than the risk of their contents being released.

Repeated password entry is inconvenient. Most users prefer to enter a password when they begin use and have access to whatever they are authorized to do from that point forward.

Trojan horses easily bypass this protection. For example, it is simple to record keystrokes without the user knowing it by using an inexpensive off-the-shelf product. By recording the passwords as they are entered, access can be gained.

In many of these schemes, booting the computer from a floppy disk allows protection to be ignored.

This scheme ignores human factors, integrity requirements, availability requirements, and the history of protection.

Most importantly, this scheme is, at best, only a small part of an overall protection effort. It has to fit into the rest of the protection effort in order to be effective. Most products don't fit well into an overall protection scheme unless they are made to operate in that scheme. That means that regardless of how low the purchase price of this scheme may be, it is likely to cost a lot more to use than it's worth.

By far, the vast majority of the current protection products have similar problems. They are, at best, quick fixes to one problem applied to a different problem without ample consideration of the real issues.

One of the prepublication readers of this book commented that ignorance is not malice and neither is doing something cheaply for a profit motive. I must strongly disagree. When a company presents itself or its products as anything other than what they are, this is intentional and therefore malicious. I would not find fault if companies like this presented a product as a cheap and only mildly secure solution to a common problem, but when a company presents itself as expert in the field of information protection and it is not, this is no different than a group of medical technicians presenting themselves as doctors.

Information Assurance Ignored

One of the major side effects of widespread leakage has been an undue concentration of the information protection field on the issue of keeping secrets from being leaked. Of that effort, the vast majority of the work assumes a model based on military classification methods in use since before electronic information technology existed. The net effect is a set of protection technologies that are almost entirely aimed at addressing only one of the three areas of protection of vital concern today, and the least important one at that.

Information Assurance is Vital

Information assurance is assuring the availability and integrity of information over the entire range of potential disruptions from accidental to malicious. This is the most vital issue in information protection today and is widely misunderstood and ignored, especially by the people who practice computer security. [DISAdoc]

The information assurance problem seems to stem from a desire for efficiency that overrides all other considerations. Many people have heard the term optimal used to describe the most efficient method for doing a particular thing, and there seems to be an almost religious vigor for pursuing optimal solutions. What a lot of people miss is that the term optimal only has meaning in a context. That context inherently limits the scope of what optimality implies.

The most common context for seeking optimality in information technology today is minimizing computer time or minimizing computer storage space. But minimum time leaves no slack room to check the propriety of results, and minimum space leaves no spares to be used in case of failure. The combination leaves no redundancy that can be used to assure integrity or availability, and the result is that any fault, no matter how minor, delivers a wrong result, delivers a result to the wrong place, or delivers it at the wrong time.

A good example of efficiency replacing effectiveness is in the way compilers are commonly used. When programs are written and tested, programmers commonly use debugging options and bounds checking on arrays. The debugging option allows program elements to be traced as the program is executed so that the programmer can find errors and determine their origin. Bounds checking on arrays performs tests every time memory is accessed to make certain that only the proper portion of memory is being used. If the program is perfect, debugging and bounds checking perform no useful function, but programs of substantial size are almost never perfect, even after substantial testing. The problem comes when the program is ready to be delivered to the customer. In order to make the program as small and fast as possible, software manufacturers commonly turn off debugging and bounds checking, recompile the programs, and ship them out. But this means that errors not detected during testing may go unnoticed during operation. Users may simply get wrong results, and since there is no error detection in place, they may never know about the errors or be able to trace them back to the computer program.

The cost and efficiency advantages brought about by implementing the NII will increase the nation's dependency on it. If elements of the NII are not available, information is inaccurate, or the NII does not properly provide required functional or information transfer capabilities, time will be lost and overall effectiveness will be diminished. It is precisely the standards designers use to make technology efficient that make it easy to attack. \cite[pp316-320]{Creveld}

Secrecy Standards DO NOT Address Information Assurance

It is critical in understanding the information assurance challenge to understand the difference between information assurance issues which relate to all information and information systems, and secrecy issues which relate to confidential data. Confidential data is almost always controlled based on its content, and is controlled because knowledge of it might be useful in ways that could adversely affect the owner's interests or actions, because release could be a violation of laws, or because release could result in the assumption of financial risk. Information assurance requirements apply to all information, and are based on use rather than content.

Existing policies and standards that guide protection of data sensitivity are not adequate for addressing information assurance. [Clark] [DISAdoc] The strongest evidence is that no computer security system designed to protect sensitive data from release is effective against malicious computer viruses. The reason is that malicious viruses corrupt information and sometimes deny services, while secrecy systems protect against information leakage, and not corruption or denial of services.

Fault-Tolerant Computing Standards DO NOT Address Information Assurance

It would be natural to assume that information assurance is already provided by existing fault-tolerant computing standards and practices such as protection against random noise, [BOC] [NCSD3-8] lightning, [MIL-HDBK-419] RF noise, [RS-252-A] loss of packets, [ISO8208] and other transient factors that cause disruptions in information systems. Unfortunately, intentional attackers are not accurately modeled by the statistical models of faults used to develop existing reliability standards.

Let's look at what a typical text says on the subject: ``The noise analysis of communications systems is customarily based on an idealized form of noise called `white noise', the power spectral density of which is independent of the operating frequency. The adjective `white' is used in the sense that white light contains equal amounts of all frequencies within the visible band of electromagnetic radiation. \dots'' [Haykin] The reason cited for the random noise models is the ease of analysis, [Minoli] but ease and adequacy of analysis are not always compatible.

One of the most common techniques for detecting corruption in memory and transmission is the use of a `parity' bit associated with each byte. The parity bit is set to 1 or 0 to make the total number of `1's even or odd, depending on whether the even or odd parity convention is being used. This technique detects all single bit errors, which is quite effective against particular sorts of random noise that cause transient faults. It is not effective against an intentional attacker who can change sets of bits collectively while maintaining parity, thus corrupting the information and avoiding detection.

On disk storage, in LAN packets, and in some satellite transmission, cyclical redundancy check (CRC) codes are used to detect classes of faults that result in errors to linear sequences of bits of, at most, some predefined length. [ISO8208] Again, these codes are ineffective against an intentional attacker, because it is easy to determine the constant coefficients of the coding equations by watching packets, and from this it is easy to forge packets at will undetected. [Cohen-Wiley]

``Most communication channels incorporate some facilities designed to ensure availability, but most do so only under the assumptions of benign error, not in the context of malicious attack.'' \cite[note 6, p. 160]{NRC}

Perfect Systems Are Infeasible

The field of high assurance computing addresses information systems for the most critical applications (e.g., life support systems, flight controls, nuclear warhead detonation). Unfortunately, building perfect systems is far too costly and resource-intensive for the wide variety of systems and networks found in the NII, and only adequately addresses certain types of very well-defined control applications.

Substantial work is oriented toward designing a perfect system wherein all inputs, states, outputs, and state transitions are specified in full detail and mathematical proofs are provided to show that the design is properly implemented. [Gove] [Lubbes] Although this type of solution may be applicable to certain limited control problems in embedded systems, these sorts of solutions are computationally infeasible for any large system, cover only sufficiency and not necessity [Cohen86], only cover limited function systems against disruption, [Cohen-Wiley] and are beyond current and anticipated capabilities over the next 20 years for the sorts of systems desired in the NII.

An alternative path to a similar solution is the use of programs to generate programs. In this technology, a small number of programs are designed to automatically write the rest of the programs. Designers spend a great deal of time and effort in perfecting the design automation system which, in turn, designs other systems. [DPS] This technology is far from perfected, and even if it were perfected, it leaves the problem of writing perfect specifications, which is at least as hard as writing perfect programs.

In the hardware realm, design automation has been highly successful, but this does not imply that it will be as successful in the software realm. There are substantial differences between hardware and software. For example, the complexity of current software is many orders of magnitude higher than the most complex designs now done by automated systems, the physical properties of hardware are abstracted out of most software design, and software is designed based on a finite but unbounded, randomly accessible space, while hardware is designed based on a relatively small, finite, and bounded space with only local access as provided by explicitly created wires. Furthermore, hardware design automation takes substantial amounts of computer time, still leaves design flaws such as data dependencies that have resulted in disruption, and is based on specifications that are susceptible to errors.

Another alternative is the use of extremely intensive testing to detect the presence of errors and correct them. The problem with this approach is that testing for 100 percent coverage is as complex as perfect design. Imperfect testing leaves systems that fail when rare events occur. The problem with the recent Intel Pentium microprocessor is a good example of how testing fails.

In one study, the combination of two events characterized as low probability caused 50 percent of systematically designed, well-tested, small control programs to fail. [Hecht] If this is the current state of the art for low probability events in small programs, extremes in testing are not likely to be successful against intentional attacks on large, globally networked infrastructures.

For the sorts of general-purpose systems in the NII, there are classes of attacks that cannot be perfectly defended against. Two well known examples are computer viruses [Cohen86] and exploitation of covert channels. [Lampson] If people spend their resources trying to implement perfect solutions to these problems, they will surely fail and go bankrupt in the process. But as individuals and as a nation, we cannot simply ignore these and other similar problems, because they present a real and identifiable threat to our economic and national security and directly affect all aspects of our society.

Feasible solutions will not be perfect. Rather, they should responsibly trade cost with protection.

Poor Assumptions Lead To Disruptions

Well-trained intentional attackers understand the common assumptions made by designers of information and secrecy systems, and explicitly design attacks to exploit the weaknesses resulting from these assumptions. Protective techniques that work against statistically characterized events are rarely effective against directed attack, and techniques designed to provide secrecy are rarely effective against disruption. One relatively limited study of the impact of malicious node destruction using a structure that works very well against random destruction found that preventing intentional attacks with standard fault-tolerant computing techniques may require an order of magnitude increase in costs. [Minoli] Studies and demonstrations of computer viruses in secrecy systems approved for government use have demonstrated that these systems are ineffective against disruption. [Cohen-Wiley]

Current system reliability estimates do not account for deliberate software corruption. \cite[p 55]{NRC} Telecommunication networks can fail from software malfunction, failures can propagate in operations or control systems, \cite[p32]{Falconer} and system availability estimates seem to overlook this cascading effect. One company advertises that if 800 service fails, restoration is guaranteed in under one hour, and telephone networks are supposedly designed for something like five minutes of downtime per year. [Gray] Yet in a single incident in 1990, the American Telephone and Telegraph (AT&T) 800 network was unavailable for more than four hours, [Falconer] which seems to imply that this failure covers expected outages over the next 48 years! (5 minutes per year = 4 hours per 48 years)

Considering that a similar failure brought down telephones in several major cities for several days in 1991, [FCC] there appears to have been a flaw in this availability analysis.

Gateways, terminal servers, and routers are commonly used to control traffic in networked environments, and they are quite effective against random or accidental misrouting of information, but in a hostile environment, they commonly fall prey to disruptive attacks. General-purpose computers used as gateways are easily overwhelmed and corrupted. Terminal servers are commonly accessible by users logged into any computer in the network and can be altered to remove usage restrictions, connect users to wrong systems, or even lock out legitimate terminal server administrators. [Cohen93] Routers designed to control network traffic and prevent overloading in large networks are also easily bypassed by using the administrative mechanisms which permit remote control of the router or forgery of machine identities with authorized access. [Cohen-QUT]

The public telecommunications networks are a critical part of the NII, but they lack the information assurance features required for critical operations. Service assurance features are designed into these systems at every level, [Falconer] and yet they still fail to meet even the challenge of accidental errors and omissions. As an example, in 1991 there was a major failure in telephone switches in several large U.S. cities that lasted for several days, and was finally traced to a 3-bit error (a `D' instead of a `6') in one byte of a software upgrade. [FCC] This is the simple sort of mistake that even minimal software change control detects. The change was apparently never tested at all, was put into widespread use, and caused widespread disruption.

In many cases, telecommunications disruption must be resolved in very short time frames. For example, some telephone switching systems must be repaired within 1.5 seconds or the circuit failure errors passing through the network will cause a propagating positive feedback which may deadlock more of the network, [Pekarske] eventually cascading into a major problem. An attacker only needs to disrupt two sites for 1.5 seconds to cause such a cascading effect.

According to a National Research Council report: ``As computer systems become more prevalent, sophisticated, embedded in physical processes, and interconnected, society becomes more vulnerable to poor systems design, accidents that disable systems, and attacks on computer systems. Without more responsible design, implementation, testing, and use, system disruptions will increase, with harmful consequences for society. They will also result in lost opportunities from the failure to put computer and communications systems to their best use.'' (The opening paragraph of [NRC])


It is enlightening to examine the current U.S. Government standards base upon which open systems are now being acquired. [OSE] The DoD standards document begins with a list of protection service standards, including some that seem to be information assurance standards needed to fulfill requirements of the NII. Unfortunately, almost none of the list of service standards is currently specified:

 Service Standard  Status
 Authentication  Not Available - In Process
 Access Control  Not Available - In Process
 Non-Repudiation  Not Available - In Process
 Confidentiality  Not Available - In Process
 Integrity  Not Available - In Process
 Auditing  Not Available - In Process
 Key Management  Not Available - In Process

Most of the `Not Available - In Process' items are specified as ``This work is still in the early stages and is not yet of practical use. It should not be referenced in a procurement.'' Further, there is no clear migration path from current designs to designs with these services, so there is no defined way for the designers of the NII to even plan for future assurance. Notice that availability of service is not even on the list of standards to be developed.

By way of reference, the International Standards Organization (ISO) standard upon which this list was based was in approximately the same incomplete state about 10 years ago, when the protection addendum to the ISO standard was newly created. [ISOOSI] To date, no significant progress has been made in these areas and no current open system products provide substantial coverage of these areas.

Risk analysis for many other areas is fundamentally different than the techniques that apply to malicious disruption. Specifically, if an attacker knows how to disrupt a system, success in an attack is virtually certain. The probabilistic approach to analyzing defenses and attacks may not be appropriate for considering human agents with malicious intent. That's why 50 years worth of theoretical downtime can be exhausted in a single incident. [Falconer] Obviously, the standards for risk assessment used to derive infrastructure availability figures are not up to the information assurance task.

Another place where information assurance standards are lacking relates to common mode failures and correlated events. [Neumann] Common mode failures are failures wherein the same mechanism affects several different components. Several major incidents per year involving common mode failure in redundant systems now occur and there seems to be a strong correlation between these events and inadequate standards or capabilities for redundancy. The White Plains telephone cable incident in December of 1986 involved seven redundant circuit connections for the Advanced Research Projects Agency Network (ARPAnet) intended to assure that no single (or multiple up to 6) failure could disable the network connection. Unfortunately, the telephone company ended up routing all seven connections through the same optical fiber and, when that cable was cut, all seven redundant connections were disrupted.

In many cases where redundant input is required, it isn't exploited for error detection and correction, which is the worst of both worlds. An example may help clarify this point. In the United States, postal zip codes directly imply the state. Why then ask for the state? For efficiency reasons, systems should not. On the other hand, by asking for the state and zip code, systems could detect inconsistency and act to correct the error before it creates a larger problem (e.g., sending a paycheck to the wrong place).

In most current systems, we have the worst of both worlds. Systems ask for both zip code and state, but never compare them to find errors. Such systems have both extra data entry and inadequate coverage of errors. [Cohen89]

Current Disruption Defenses Depend on People

Current defenses against disruption depend almost entirely on human prevention, detection, differentiation, warning, response, and recovery. Detection of most disruption attacks comes only when people notice something is going wrong. In many cases, detection never occurs, while in other cases, detection takes several months. Differentiating natural, accidental, mischievous, and malicious disruption is a manual process, and the root cause is often undetermined or misidentified as accidental. Warning has to be properly controlled to prevent false positives and false negatives, and depends on forensic analysis. Response commonly takes from hours to days and is almost entirely manual. Recovery too is almost always a manual process, takes from hours to days, and is often performed improperly.

In many cases, attacks are not detected at all. For example, in more than 100 legitimate computer virus experiments, no user has ever noticed the presence of a computer virus. [Cohen-Wiley]

The vast majority of known information system attacks are first detected by attentive users noticing unusual behavior. This is widely known in the computer security community and is supported by virtually every source that discusses the issue. For example, more than 5,000 computer viruses have been detected in the last three years and almost all of them were detected by users noticing anomalies. The Internet virus of 1988 was detected when users noticed dramatic network slowdowns. [InetWorm] [InetWorm2] Hundreds of other failures in national telecommunications networks and individual systems are first detected by user complaints. [FCC-NRC] [NRC] [NRC-Nets] In major bank frauds involving electronic funds transfers, it is common for the first detection to be at the next bank audit, typically several months later.

Indirection between cause and effect dramatically increases the time required to track an attack to the source. Whereas total denial of services to a system or infrastructure is widely noticed almost immediately, business disruption caused by subtle denial of services or corruptions may be far harder to detect and associate with a cause. For example, suppose a disruption caused orders placed for certain replacement parts to be ignored by the output routines in the order fulfillment subsystem of a supply and logistics system. Orders would be placed and the computer would indicate that the orders had been processed and shipped, but no shipments would arrive. Similarly, disruption in the form of subtle corruption could transform airplane engine part numbers into similar part numbers indicating different components, perhaps toothpicks. The order would be processed, but the resulting shipment would contain the wrong parts. It would probably be blamed on a data entry error, and if it only happened 10 percent of the time, the cause might go unnoticed for a long time, while the efficiency loss could be quite substantial. Another subtle disruption approach is to slowly increase the level of denial of services over time so that the operators become acclimated to the slower and slower pace over a long period.

Differentiating natural disaster from other causes is generally not too difficult because natural disasters are easily detected on a wide scale. Differentiating accident from mischief from malice is yet another problem. The Internet Virus was apparently an accident, and yet clearly many believe it was mischief and a few still believe it was malicious.

Many disruptions are treated as accidental to avoid investigation. Almost no current organization has a way to tell one sort of disruption from another.

Limiting damage often takes too long to be effective. In the case of the IBM Christmas Card Virus of 1987, several days after the attack was launched, it was widely noticed, and over the next several days, IBM staff members tried unsuccessfully to disconnect their internal networks from the global networks. [IBMconv] [Cohen-Wiley] A defense against the Internet Virus was only devised after more than a full day of effort by people nationwide, and implementation of the workaround took several days. [InetWorm] [InetWorm2]

Recovery is sometimes impossible, while in other cases it takes from days to weeks. For example, a company in Germany was the subject of extortion from a hacker (1988-89), who showed them a few lines of program code which would have caused the gradual corruption of all inventory records. They did not find the altered code for several weeks. [Ginn] The Chicago telephone center fire in 1989 took months to recover from, and tens of thousands of customers were without service for extended periods. [NRC]

If the recovery process is improperly performed, many other problems can result. Audit trails may be lost, thus preventing accurate determination of cause. The recovered system may be more vulnerable to disruption than the original. The recovery process may itself cause disruptions.

Human attack detection has several problems in addition to the limited response time and large numbers of false negatives. Perhaps the most important problem is the expectation of breakage and the inability to differentiate properly between breakage and malicious attack. Another problem is the tendency to detect fewer faults over time in an environment where faults are commonplace. [Molloy] This can be exploited by the attack wherein the number of disruptions are slowly increased, while the human operator becomes increasingly insensitive to them. Enhanced training improves performance, but humans are clearly still limited, particularly when it comes to detecting subtle attacks characterized by the coordination of numerous seemingly different and dispersed events and attacks designed to exploit the reflexive control aspects of human behavior. [Giessler]

Automated tools for detecting misuse in computer systems and local area networks are currently emerging and this technology is rapidly approaching commercial viability. [Denning86] The most advanced misuse detection systems include localized responses to statistical anomalies and rule-based response to known attack patterns. [Proctor] [Proctor2] [Lunt88-2] [Lunt88] [Lunt] [Snapp]

Based on observations made during one recent study, [DISAdoc] some authors believed that response to attacks is characterized by thresholds of detection and response capacity. By lowering thresholds of detection, the defender is likely to detect more attacks, but the number and likelihood of false positives will also increase, and so will the cost of responding to the relatively minor incidents. By increasing the threshold of detection, response resources may be concentrated on the most important incidents, but a small incident with widespread impact may not be noticed until the damage becomes severe.

This leads to the issue of attack and defense. Given the option of a directed attack against a specific target or a more general attack which increases the overall noise level, the threshold scheme employed for defense has a substantial effect on the optimal attack decision. It is always possible for an attacker to remain below the threshold of detection for any imperfect detection system, so a fixed threshold system leaves the defender open to noise-based attack. Similarly, a substantial directed attack will sound off any capable detection system and generate a response, but it may also be possible to create the appearance of substantial attack in order to force the defender to respond more strongly than necessary, thus creating an environment where the defender constantly cries wolf. In either situation, a fixed response level is easily exploited, so a flexible and adaptive response is necessary in order to be effective.

In addition to detection thresholds, there is a response capacity inherently limited by the available response resources. In a human-based response system such as the one currently in place in the NII, response time lags further and further behind as the number of incidents increase, eventually leading to a situation where important attacks are not noticed for a substantial amount of time. Increasing human resources is quite expensive and is only effective when the level of attack warrants the number of respondents. It takes a long time to train experts in this field, and there are relatively few experts available and woefully few places where new experts can be trained.

An attacker can alternatively create and not create attacks so as to force a defender to waste resources with an overblown defensive capability or an attacker can use attacks to determine response characteristics and work out ways to overwhelm the defense. This area is particularly amenable to analysis based on reflexive control. To form a strong defense, the flexibility must be designed so as to prevent this sort of analysis. [Giessler]

Clearance processes do not detect people who change sides after they are cleared, people who have breakdowns, and people subjected to extortion. Many sources claim that the majority of computer crimes come as a result of an authorized person using that authority inappropriately. Although sufficient evidence is not available to support this contention, there is clearly a potential for soft-kill harm from an insider that is greater than from an outsider, because the insider has fewer barriers to bypass in order to succeed.

The current NII design assumes that insiders act properly to a large extent. A proper infrastructure design should not make such an assumption or depend on it for meeting design criteria.

The Rest of the World Responds

There are a small number of research groups around the world that have been working on the information assurance problem for a number of years. Known foreign research locations include The People's Republic of China, Russia, Germany, Israel, Australia, Denmark, England, and Japan.

The People's Republic of China has a group headed by Yue-Jiang Huang that has produced both internal and international hardware enhancements to personal computers for protecting against many forms of disruption. This group is also doing substantial work in the use of nonlinear feedback shift registers for both secrecy and integrity applications.

In Russia, there is at least one group working on disruption prevention, detection, and response systems. This Moscow-based group at the Central Research Institute Center in Moscow is working on new hardware architectures that provide enhanced integrity protection and limited availability against general classes of malicious threats. They seem to have an emphasis on computer viruses, but far more general application can be made of their architecture. [Titov]

Research groups in Israel regularly publish results on their research in international journals and several groups have started work on protection of information systems against general classes of malicious corruption. [Goldreich] [Shamir] [Radai]

An Australian research group directed by Bill Caelli and centered at Queensland University of Technology is concentrating a substantial amount of effort in the design of high integrity networks capable of withstanding malicious disruption. They also have people working on cryptographic integrity techniques and key management systems with revocation for use in systems similar to the NII.

At least one Canadian author has published work on limits of testing and coding spaces against malicious disruption attacks. [Khasnabish]

A German research team at the University of Hamburg has gone a step further than most groups in this area by forming a database of parts of computer viruses. They essentially break the thousands of known viruses into component parts (i.e., self-encryption, find file, hide in memory, attach to victim, etc.) and store the partial programs in a database. Many known viruses have common components, but there are on the order of several hundred of each different component part. This gives them both the capability to detect and automatically analyze many viruses in very short time frames, and the capability to generate on the order of 10^20 different viruses automatically by mixing techniques together. [Fischer]

Several other countries have started to publish papers in the information assurance areas and, although there is no apparent evidence of massive efforts, it seems that the international interest in this field has increased substantially since the Gulf War.

Yet, with all of this international attention to this problem, the United States doesn't even support adequate response to widely publicized ongoing attacks throughout the DoD.

fred at