Research Horizons Magazine
For instance, computer users will have to put a priority on security
and be prepared to pay for it. They may have to retain well-tested software
rather than install the newest version rushed to market. And they'll have
to bear the costs of rebuilding worldwide networks on secure foundations.
"Computers are being used more extensively, more widely and in more
critical applications. They are a part of our lives today. They will be
even more a part of our lives in the future," says Ralph
Merkle, director of the Georgia
Tech Information Security Center (GTISC). "And for the past couple
of decades we have put up with buggy code, unreliable computers, insecure
computers, and computers that are vulnerable to viruses, worms, spam and
other problems. All of this has to change. We need to have reliable computers,
systems and networks that we can trust."
From individual users to network administrators to senior government
and industry officials, interest in information security is capturing
people's attention. GTISC researchers and others are now hopeful that
consumer demand will boost efforts to solve myriad issues in the field.
"Information security is not just a technological problem,"
says Professor of Computing Mustaque
Ahamad, the GTISC co-director of technology. "There's a lot more
to it. It's a complex problem, and its solutions will require new technology,
policy, awareness and education. We're looking at the whole problem."
Though the task is daunting, the world's information security problems
can be solved, Merkle confidently predicts. Because these issues have
been resolved in special applications, such as aircraft navigation and
national defense, researchers know it can be done for computer systems
everywhere. Merkle concedes, however, that producing such secure software
will be costly in dollars, time and, perhaps, convenience, as well.
Costs in dollars and time will mount as programmers rewrite a lot of
computer code, as researchers build new systems with security as a basic
component, and then as individuals and organizations have to update or
replace insecure systems, Merkle explains.
"It will take fundamental changes in how we deal with computer software
development, which will require fundamental changes in our use of secure
systems," Merkle says. "We will have to rethink a lot of the
basic approaches that have been used."
Computer users may also have to trade some convenience for security.
"The ideal information security system is transparent to the user,
but that's extremely difficult to design," says Georgia
Tech Research Institute (GTRI) researcher Jim Cannady, the GTISC co-director
of applied research. "Users don't like having to keep up with things
like 'smart cards' (used by the U.S. Department of Defense and other organizations
for electronic identification). It's better to make a system as secure
as possible before you turn it on."
While GTISC and other researchers address the complexity of this design
challenge, beleaguered computer users are beginning to favor security
and reliability over features and pricing, Merkle says.
"In general, commercially available products face very real marketing
and pricing pressures that force companies to write code that is not always
perfectly secure," Merkle says. "Customers have voted in favor
of this because if you write code with lots of features and it's done
quickly, they will buy it even though it's hard to make it reliable. Now
the message is changing. Customers would rather have computers that work
reliably, and companies are taking that message to heart."
This marketplace change in the understanding of what information security
really means may go a long way toward solving the crisis, Cannady says.
"What is the true cost of information security?" he asks. "We
may have to sacrifice flexibility, speed and performance to make systems
more secure. When people go to Best Buy and want security more than they
want a large monitor, things may change."
Another solution may lie in users' willingness to forsake the latest
software updates and computer platforms for those that are tested and
proven reliable, Cannady adds.
"In the 1980s, NASA wrote the software for the space shuttle, tested
it and made it the best they could," he explains. "They continued
to fix the bugs in the same software on the same computing platforms.
The Hubble space telescope, for example, first ran on a 386 processor,
and now it operates on a 486. It doesn't have to have the latest Pentium
processor. It works. It's been tested so many times. It meets the objective,
and it's very reliable and secure. If every year, you upgrade to the next
operating system, there will be new problems and vulnerabilities.
"So we must come to a general consensus that information security
is important and recognize the costs, or keep the same software and computers
that have all the bugs worked out," Cannady summarizes.
As the marketplace debate continues over the tradeoffs between retrofitting
old, insecure computer systems and designing new systems with
security built in from the ground up, there will be incremental increases
in information security, Merkle predicts.
Some of those incremental increases will result from startup companies'
information security products, such as those for spam e-mail management.
Others will stem from research at GTISC and elsewhere, Merkle adds.
As they move toward solutions, GTISC researchers are considering how
new information security systems would be deployed. Commercially available
security solutions must offer good quality and be economical and easy
to use, Merkle notes. Policy issues must also be addressed as new threats
and technologies emerge.
Merkle believes GTISC researchers will make significant contributions
to solving the range of information security problems because of their
level of expertise and the cross-disciplinary approach they are taking.
But the pressure is on these researchers and others to deliver solutions.
"We have to make the transition from a world where most computers cannot be trusted with high confidence to a world where we can trust them," Merkle says. "This transition is happening now in large measure because people are finding it very expensive as a society to have unreliable computer systems. We're discovering by experience - the most expensive, but perhaps the most effective teacher - that insecure computers cost time, money and, in some cases, lives."
RESEARCH NEWS & PUBLICATIONS OFFICE
Georgia Institute of Technology
75 Fifth Street, N.W., Suite 100
Atlanta, Georgia 30308 USA
TECHNICAL CONTACT: Ralph Merkle (404-385-4272).
WRITER: Jane Sanders