GT Research News

2005 Research News
2004 Research News
2003 Research News
Research Horizons magazine

Information Technology
Management & Policy

- Economic Development News
- GTRI Annual
- Georgia Tech News
& Information
- Research News
& Publications


Research Horizons Magazine
March 24, 2004

Under Attack: Information Security Battle will Require Computer Users to Make Tough Choices

Whenever a new virus begins flooding the world's computer networks, individual users rush to download the latest anti-virus updates while network administrators hastily apply the latest patches to vulnerable equipment - then work overtime to repair the inevitable damage and limit the financial costs.

There must be a better way.

Researchers at the Georgia Institute of Technology say solving the world's growing information security problems will demand tough choices involving tradeoffs in cost, convenience and computing performance.

The world's information security problems can be solved, GTISC Director Ralph Merkle predicts, because these issues have been resolved in special applications, such as aircraft navigation and national defense.
Georgia Tech Photo: Gary Meek

For instance, computer users will have to put a priority on security and be prepared to pay for it. They may have to retain well-tested software rather than install the newest version rushed to market. And they'll have to bear the costs of rebuilding worldwide networks on secure foundations.

"Computers are being used more extensively, more widely and in more critical applications. They are a part of our lives today. They will be even more a part of our lives in the future," says Ralph Merkle, director of the Georgia Tech Information Security Center (GTISC). "And for the past couple of decades we have put up with buggy code, unreliable computers, insecure computers, and computers that are vulnerable to viruses, worms, spam and other problems. All of this has to change. We need to have reliable computers, systems and networks that we can trust."

From individual users to network administrators to senior government and industry officials, interest in information security is capturing people's attention. GTISC researchers and others are now hopeful that consumer demand will boost efforts to solve myriad issues in the field.

"Information security is not just a technological problem," says Professor of Computing Mustaque Ahamad, the GTISC co-director of technology. "There's a lot more to it. It's a complex problem, and its solutions will require new technology, policy, awareness and education. We're looking at the whole problem."

Though the task is daunting, the world's information security problems can be solved, Merkle confidently predicts. Because these issues have been resolved in special applications, such as aircraft navigation and national defense, researchers know it can be done for computer systems everywhere. Merkle concedes, however, that producing such secure software will be costly in dollars, time and, perhaps, convenience, as well.

Costs in dollars and time will mount as programmers rewrite a lot of computer code, as researchers build new systems with security as a basic component, and then as individuals and organizations have to update or replace insecure systems, Merkle explains.

Air traffic controllers in the Carrier Air Traffic Control Center on board the USS Enterprise assist in guiding strike aircraft into and out of Iraq in December 1998 as part of Operation Desert Fox. Information security has long been a high priority in air traffic control and defense applications.
U.S. Navy Photo: Petty Officer 2nd Class Michael W. Pendergrass

"It will take fundamental changes in how we deal with computer software development, which will require fundamental changes in our use of secure systems," Merkle says. "We will have to rethink a lot of the basic approaches that have been used."

Computer users may also have to trade some convenience for security.

"The ideal information security system is transparent to the user, but that's extremely difficult to design," says Georgia Tech Research Institute (GTRI) researcher Jim Cannady, the GTISC co-director of applied research. "Users don't like having to keep up with things like 'smart cards' (used by the U.S. Department of Defense and other organizations for electronic identification). It's better to make a system as secure as possible before you turn it on."

While GTISC and other researchers address the complexity of this design challenge, beleaguered computer users are beginning to favor security and reliability over features and pricing, Merkle says.

"In general, commercially available products face very real marketing and pricing pressures that force companies to write code that is not always perfectly secure," Merkle says. "Customers have voted in favor of this because if you write code with lots of features and it's done quickly, they will buy it even though it's hard to make it reliable. Now the message is changing. Customers would rather have computers that work reliably, and companies are taking that message to heart."

This marketplace change in the understanding of what information security really means may go a long way toward solving the crisis, Cannady says.

"What is the true cost of information security?" he asks. "We may have to sacrifice flexibility, speed and performance to make systems more secure. When people go to Best Buy and want security more than they want a large monitor, things may change."

A crew member on an Endeavor mission makes adjustments to the Hubble Space Telescope. The Hubble operates on a 486 processor, which has been thoroughly tested, meets the objective and is reliable, notes GTRI researcher Jim Cannady..
Photo Courtesy of NASA

Another solution may lie in users' willingness to forsake the latest software updates and computer platforms for those that are tested and proven reliable, Cannady adds.

"In the 1980s, NASA wrote the software for the space shuttle, tested it and made it the best they could," he explains. "They continued to fix the bugs in the same software on the same computing platforms. The Hubble space telescope, for example, first ran on a 386 processor, and now it operates on a 486. It doesn't have to have the latest Pentium processor. It works. It's been tested so many times. It meets the objective, and it's very reliable and secure. If every year, you upgrade to the next operating system, there will be new problems and vulnerabilities.

"So we must come to a general consensus that information security is important and recognize the costs, or keep the same software and computers that have all the bugs worked out," Cannady summarizes.

As the marketplace debate continues on the tradeoffs between retrofitting old, insecure computer systems versus efforts to design new systems with security built in from the ground up, there will be incremental increases in information security, Merkle predicts.

Some of those incremental increases will result from startup companies' information security products, such as those for spam e-mail management. Others will stem from research at GTISC and elsewhere, Merkle adds.

As they move toward solutions, GTISC researchers are considering how new information security systems would be deployed. Commercially available security solutions must offer good quality and be economical and easy to use, Merkle notes. Policy issues must also be addressed as new threats and technologies emerge.

Merkle believes GTISC researchers will make significant contributions to solving the range of information security problems because of their level of expertise and the cross-disciplinary approach they are taking. But the pressure is on these researchers and others to deliver solutions.

"We have to make the transition from a world where most computers cannot be trusted with high confidence to a world where we can trust them," Merkle says. "This transition is happening now in large measure because people are finding it very expensive as a society to have unreliable computer systems. We're discovering by experience - the most expensive, but perhaps the most effective teacher - that insecure computers cost time, money and, in some cases, lives."

Georgia Institute of Technology
177 North Avenue NW
Atlanta, Georgia 30332 USA


TECHNICAL CONTACT: Ralph Merkle (404-385-4272); E-mail: (

WRITER: Jane Sanders