Science, Technology, and Security: Knowledge for the Post-9/11 World
Symposium, October 10-11, 2002
Sponsored by the Center for Science and Technology Policy Research

Information Technology Security Report

Thursday October 10, 2002

Alexander Wolf, Group Leader
William Ayen, Rapporteur

Information Technology and Society

Today's world has changed drastically from that of 50 years ago. Shifts in geopolitical relationships have redefined the concept of nation-state. No longer can the boundaries of nations draw the boundaries of their threats. The advance of the information society, and its deep dependence on information technology, has had a large part to play in this redefinition, inexorably transforming the very nature of personal, community, and national defense.

Societal dependence on computer-based systems is so engrained in the fabric of our lives that we take their very existence for granted. We are generally more concerned about the benefits of expanding information technology services (e.g., on-line banking, integrated travel management, automated water-flow management, or automated load shedding within the national power grid) than about the dangerous implications of making these services so widely accessible. We frequently focus on the technical side of information technology, but seldom consider related issues that have vast societal impact: the need to consider the interplay between information technology and policy development, the digital divide that separates some parts of our society from others, and the risk of compromises to the information technology base. The vulnerability of technology translates into vulnerabilities for all other critical national infrastructures.

Society has embraced advances in information technology without sufficient consideration of potential impact. The pervasive nature of information technology leads to a myopic sense of confidence in our ability to understand and manage its uses, without a plan to counter the negative consequences that might result. The success of information technology is also its curse, since our easy contact with it makes us falsely believe that we are all "experts", that the technology is inherently "good", and that our main concern should be with raw functionality. Contrast this to the field of biology, where public exposure to knowledge is relatively limited (i.e., to scientists), where few people have the opportunity to experience firsthand its technologies (e.g., bio-agents), but where a naïve public can more easily comprehend its threats (e.g., widespread outbreak of disease). It is no wonder that we feel more threatened by bio-terrorism than we do by cyber-terrorism. Yet if a terrorist or criminal were able to disrupt the national power grid by manipulating the automated load shedding capability, would we be in any less danger?

These differences in perceived threat (or lack thereof) extend to the way we conduct research and education. For example, restrictions are beginning to be placed on who may conduct certain kinds of biological research. Such a "closed" approach is currently not found in information technology. Of course, the sword has two edges: When we teach students how to defend against computer-based security threats, we are at the same time teaching them how to become criminals and terrorists. Some argue convincingly that the general spirit of openness associated with information technology research and education is what has led to its unprecedented pace of innovation, and remarkably rapid ascent to prominence in our society. Do we want to threaten such growth through a more closed approach? Can we calculate the social and economic tradeoffs between closed and open approaches to information technology research and education? These questions require careful study and considered attention.

Information technology has advanced over the last five decades from an isolated academic field of study with limited real application to one of the most powerful tools of our society. Yet threats to the information technology base are largely ignored. Issues of privacy, protection of personal and commercial assets, openness of research and of education, and the legal and ethical responsibilities of information technology providers are but a few of the policy questions still unanswered by a largely uninformed and unsuspecting society. We have seen that minuscule outbreaks of treatable diseases can garner the attention of the news media, but when serious security vulnerabilities are discovered in a computer-based system used by literally millions of people every day, they go virtually ignored. Why is this significant? Simply put, it is significant because society's commitment to countering threats of any sort is strongly influenced by the public's perception of the severity of that threat. We need to properly align perception and threat in information technology if we are to have sufficient resources to solve its problems. This begins with research and education, and the science and technology policy issues that surround them.

Opportunities

Underlying the broad issues discussed above is the need to address many information technology security policy questions. The group raised a number of such questions, including the following.

  • Can monitoring of message traffic for security management of the network be done without unduly invading the privacy of an individual or company?
  • In the context of security, are there differences between workplace and home information system use?
  • How can an appropriate level of security be provided without making access control too onerous?
  • To what extent must different information artifacts be protected?
  • How can system designs be developed to provide an appropriate failure response ("failure in context")?
  • Where should control of information system security exist? Should control be top down (i.e., imposed by a government) or bottom up (i.e., left to individuals to define and implement)?
  • What changes in liability, responsibility, and criminal codes are needed given the role of information systems and their vulnerabilities in critical infrastructure?
  • How do we resolve the conflicting issues of global product development, intellectual property, and national security?
  • What role can (should) professional societies take in developing educational programs and standards of conduct?
  • Can security-related measurable standards be developed?
  • What are the economics of providing a secure information technology base? What is the business case and strategy for investing in information technology security?
  • How do we formulate a common understanding of the intellectual challenges of information technology security? How can that understanding be best presented to the public at large, as well as to decision makers?

The promise of information technology is staggering in its scope. Since it is ubiquitous and global reaching, people touch it, and are touched by it, every day. Its functionality is easily extended, even by inexperienced users, and the barrier to entry is extremely low. Information technology is still a relatively young and evolving field. Thus, the decisions we take now can have broad impact on the future uses of information technology. This is not to say that information technology is by any means "simple". In fact, we are only now beginning to appreciate as a field the deep intellectual challenge that it embodies. Unlike physical systems, such as power, water, and agriculture, there are no laws that define information technology's boundaries. The only boundary that it faces is the imagination of its creators and users, which makes the development of sound policy all that much more difficult.

The opportunities derive largely from the fact that information technology is an enabler. It underlies support for the operation of such critical infrastructure as communications, banking, finance, power utilities, water utilities, health care, transportation, emergency response, and national defense. We can leverage this role as enabler in a remarkable way: to implement policy and to deliver training in that policy. For example, one can imagine establishing regulations (similar to civil building codes) demanding that policies about the privacy of personal financial information be properly implemented within the information technology systems that support the financial industry. These systems could be subjected to inspection, and the vendors of those systems held accountable for compliance.

Obstacles

Information technology is a ubiquitous service that in many ways is not unlike electric or gas services. Everyone is happy when it is available (and unhappy when it is not), and everyone wants it to be faster, cheaper, and more reliable. However, the general population knows little about how it functions, including basic operating principles, vulnerabilities, and impacts of disruptions in services. Worse, the same characterization can be made of the government agencies responsible (or soon to be responsible) for establishing policies, procedures, and regulations related to the use of information technology or systems based on information technology. Decision making at this point is often driven by the market place, not by what is best from a societal, or even a systems point of view.

Information technology has rapidly evolved over the past few decades without establishing a base of standard knowledge. The information technology community is not represented by an organization with a strong voice, as are the more established technology communities. The depth of information technology is typically hidden under deceptively simple user interfaces or altogether rendered invisible beneath the broader infrastructure services (e.g., banking and power) it is supporting. These and other factors have left information security investment woefully undervalued.

The challenge for policy makers is to bring information technology security to the foreground of public debate. Many options exist, including regulatory, market-driven, education, research, and resource approaches.

One approach would be to mandate security features for information technology systems. This approach has already been taken in selected application areas such as military, medical (HIPAA), and financial systems. Experience in these specific application areas has shown that success is possible, but the cost is high, both from financial and interoperability standpoints. Extending the concept to general information technology systems will have similar, even if not as dramatic, effects.

The market approach must overcome the "service" view of information technology. One option is to sell security as a feature that enhances the quality and reliability of the product. Since the loss of availability and the dangers of confidentiality or integrity violations are reduced, the cost benefit could be evaluated. This approach would also help to enhance the management and maintainability of computer-based systems.

Educational programs can address a broad range of security issues, including privacy, threats/vulnerabilities, social behavior, dependencies, and ethics. They can target a wide range of the population, from policy decision makers to systems engineers to end users. Education can be provided in many ways. For example, targeted tutorials can be developed and delivered to key groups of individuals such as K-12 educators and policy makers of all levels. Modules can be included in university-level courses, both technical and non-technical. Knowledgeable neighbors and citizens can find ways to talk to other community members in terms they can understand.

Academia, industry, and government can engage in research that will have long-term impact on the problem. Supported by grants and sponsored research programs, a large research capability can be focused on this problem. Although results will not be immediately available, the knowledge and understanding gained can have a positive long-term effect. Research must be broad based and include social implications as well as the more normal technology focus.

The need for resources lies at the foundation of all of these initiatives. Without resources the effort will continue to be piecemeal and focused on tactical, not strategic, issues. Of course, while the possibilities are infinite, the resources are finite and have many demands on them that are currently judged as having higher priority than information technology security. Nevertheless, we must realize that information technology now ties all parts of the critical infrastructure together, and that proper information technology policy must be developed so that it can reflect the policy constraints for each component of the critical infrastructure individually and all of them together cooperatively.

Sponsors: University of Colorado at Boulder; University of Colorado at Denver; University of Colorado at Colorado Springs; University of Colorado Health Sciences Center; Sloan Foundation; University of Denver Graduate School of International Studies; Colorado State University Rocky Mountain Institute for Biosecurity Research