Computers at Risk Safe Computing in the Information Age (1991) / Chapter Skim
Currently Skimming:
Why the Security Market Has Not Worked Well
Why the Security Market Has Not Worked Well
Pages 143-178
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 143... ...
Overall, the market for these systems has developed slowly, although the pace is picking up somewhat now. Whereas He market in 1980 was dominated by commercial computer and communications systems with no security features, the market in 1990 includes a significant number of systems that offer discretionary access control and a growing number from both major and niche vendors with both discretionary and mandatory access control, which provides significant protections against breaches of confidentiality.
|
From page 144... ...
. Prominent in the market has been host access control software for IBM mainframes, especially IBM's RACE and Computer Associates' ACF2 and Top Secret.
|
From page 145... ...
Retail distribution itself may constrain the marketing of security products. Vendors of encryption and access control products have indicated that some retailers may avoid offering security products because "the issue of security dampens enthusiasm," while some of these relatively small vendors avoid re
|
From page 146... ...
A SOFT MARKET: CONCERNS OF VENDORS Vendors argue that a lack of broad-based consumer understanding of security risks and safeguard options results in relatively low levels of demand for computer and communications security. For example, one survey of network users found that only 17 percent of Fortune 1000 sites and 10 percent of other sites used network security systems (Network World, 1990~.
|
From page 147... ...
For example, one customer told a sales representative that he did not need the capabilities required by the Orange Book and then proceeded to list, in his own words, requirements for mandatory access control and complete auditing safeguards, which are covered extensively in the Orange Book. Overall, vendors maintained that the Orange Book has had limited appeal outside the government contracting market, in part because it is associated with the military and in part because it adds yet more jargon to an already technically complex subject.
|
From page 148... ...
. The Secure Server, as it is called, was designed and developed to meet B1-level requirements for mandatory access control as defined in the Orange Book.
|
From page 149... ...
This directive is widely believed to have stimulated the production of C2-level systems. However, its impact in the future is in question, given the divergence in programs for protecting classified and sensitive but unclassified information that has been reinforced by the Computer Security Act of 1987 and the revision of National Security Decision Directive 145 (see Chapter 7~.
|
From page 150... ...
None of the DOD RFPs specified encryption requirements; three civil agency RFPs required Data Encryption Standard (DES) encryption, and one required NSA-approved encryption technology Access control features were required by 13 RFPs.
|
From page 151... ...
In the security field specifically, projects such as Multics and ADEPT 50 (which provided strong access control mechanisms) , LOCK (hardware-based integrity and assurance)
|
From page 152... ...
also have security considerations that could provide useful testbeds for innovative approaches or demonstrations of known technology. Export Controls as a Market Inhibitor Vendors maintain that controls on exports inhibit the development of improved commercial computer and communications security products.
|
From page 153... ...
makes reconsideration of export controls on trusted systems especially timely. Balancing the possible temporary military benefit against the longrun interests of both national security applications and commercial viability, tlie committee concludes that Orange Book ratings, per se, do not signify military-critical technology, even at the B3 and A1 levels.
|
From page 154... ...
Export Control of Cryptographic Systems and Components Historically, because of the importance of encryption to intelligence operations and the importance of secrecy to maintaining the effectiveness of a given encryption scheme, cryptographic algorithms and their implementations could not be exported at all, even to other countries that participate in the Coordinating Committee on Multilateral Export Controls (CoCom)
|
From page 155... ...
Similarly, the RSA public-key algorithm (see "Selected Topics in Computer Security Technology," Appendix B) is well known and is, in fact, not patented outside the United States because the basic principles were first published in an academic journal (Rivest et al., 1978~.
|
From page 156... ...
. Export Control of Trusted Systems Trusted systems that have been evaluated at the Orange Book's levels B3 and above are subject to a case-by-case review, whether or not Hey incorporate cryptography or other technologies deemed militarycritical.8 That is, the government must approve the export of a given system to a given customer for a given application if it is, or could be, rated as B3 or above; products with lower ratings are not regarded
|
From page 157... ...
The Commercial Imperative Because of the national security interests that dominate the ITAR, the current export control regime for high-level trusted systems and for most encryption products does not contain mechanisms for addressing vendor concerns about competitiveness. By contrast, commercial competitiveness concerns affect both the evolution of the Control List (CL)
|
From page 158... ...
under a Commerce Department license with no delay or advance processing would become subject to the full State Department munitions licensing process. No vendor will consider subjecting a mainstream commercial product to such restrictions.~° The push by industry for expanded export flexibility for securityrated systems and low-grade encryption units highlights the tension between government encouragement of the supply of computer security technology, notably through the Orange Book evaluation of commercial products, and potential government restriction of the market for security products through export controls.
|
From page 159... ...
The bread-and-butter work of the corporate computer security investigator is mostly devoted to worrying about such incidents as the following: 1. Two members of management extract valuable proprietary data from a company's computer and attempt to sell the data to a competitor;
|
From page 160... ...
Further, most people have difficulty relating to the intricacies of malicious computer actions. Yet it is understood that installing computer security safeguards has negative aspects such as added cost, diminished performance (e.g., slower response times)
|
From page 161... ...
. In the public's eye, computer crimes are perpetrated by overzealous whiz-kids or spies, not disgruntled employees or professional criminals; prosecutors also complain that the media portray perpetrators as smarter than investigators and prosecutors (comments of federal prosecutor William Cook at the 1989 National Computer Security Conference.
|
From page 162... ...
95-215) and a variety of accounting principles and standards have encouraged stronger management controls in general (and, in some instances, stronger information security in particular (Snyders, 1983~.
|
From page 163... ...
What is known about security breaches is largely anecdotal, as many security events happen off the record; one source of such information within the computer science and engineering community is the electronic forum or digest known as RISKS. Estimates of aggregate losses vary widely, ranging from millions to billions of dollars, and estimates cited frequently in news reports are challenged by prosecutors (comments of federal prosecutor William Cook at the 1989 National Computer Security Conference)
|
From page 164... ...
Just as depersonalized "renewed" cities of high-rises and doormen sacrifice the safely provided by observant neighbors in earlier, apparently chaotic, gossip-ridden, ethnic neighborhoods (Jacobs, 1972) , so a system that relies on carefully administered access controls and firewalls sacrifices the social pressure and community alertness that prevented severe malfeasance in older nonsecure systems.
|
From page 165... ...
This is one of the criticisms directed against export controls. However, regulation can also open up markets, when market forces do not produce socially desirable outcomes, by requiring all manufacturers to provide capabilities that would otherwise be too risky for individual vendors to introduce.
|
From page 166... ...
. The widespread havoc that various computer viruses have wreaked amply demonstrates the damage that can occur when a weak spot in a single type of system is exploited.
|
From page 167... ...
Thus standardized ratings have been used in other settings.24 Product Liability as a Market Influence In addition to being directly regulated, the quality of software and systems and, in particular, their security and safety aspects, may be regulated implicitly if courts find vendors legally liable for safety- or security-relevant flaws. Those flaws could be a result of negligence or of misrepresentation; the law involved might involve contracts, torts, or consumer protection (e.g., warranties)
|
From page 168... ...
The UCC is a uniform law, drafted by the National Conference of Commissioners on Uniform State Laws and adopted as law by 49 states, that governs commercial transactions, including the sale of goods. While there is no law requiring express warranties in software licenses, the UCC addresses what constitutes an express warranty where provided, how it is to be enforced, and how to disclaim implied warranties.27 The acquisition of a good by license is a "transaction" in goods and is generally covered by Article 2 of the UCC, although some provisions of the code refer specifically to "sale" and may not be applicable to licensed goods.
|
From page 169... ...
This provision is already seen as motivating greater wire transfer network security among banks (Datapro Research, l989b)
|
From page 170... ...
More trustworthy software may, like safer and cleaner automobiles, carry a higher product price tag and may also suffer from a perception of reduced performance. In the absence of general consumer demand for more trustworthy software, should manufacturers of offthe-shelf software be subjected to governmental action?
|
From page 171... ...
The superior knowledge and skill of the software vendor itself should impose a duty of care on that vendor toward the unskilled licensee, who in purchasing the product must rely on the vendor's representations, skill, and knowledge.30 At the same time, any imposition of liability on the vendor must imply a concomitant imposition of responsibility on the user to make a reasonable effort to learn how to use the software properly. Perhaps the most compelling argument against increasing product liability for software and systems vendors is the potential for adverse impacts on the dynamic software industry, where products come quickly to the market and advances are continually made both of which are major consumer benefits.
|
From page 172... ...
The British move to require greater testing of safety-relevant software illustrates that these concerns are not just local, but are in fact relevant to a worldwide marketplace. The resulting increased use of verification techniques would not only improve Me level of software trustworthiness in the most general sense, but would also necessarily improve the level of trust in the specific information security context.
|
From page 173... ...
It should be noted that even the tightest export controls do not totally block access to protected technology. Four organizations have been the principal influences on the export control policy and process of the United States, namely the Coordinating Committee for Multilateral Export Control (CoCom)
|
From page 174... ...
Commerce maintains the Control List (CL) , which has classified elements, and the Commodity Control List (CCL)
|
From page 175... ...
to the automated clearinghouses, for which there was legislative impetus behind the establishment and use of insurance coverage. This governmental urging of provisions for insurance against computer system risks was initially resisted by the insurance industry, which claimed not to understand the risks.
|
From page 176... ...
. This bulletin addresses the security planning process required by the Computer Security Act of 1987 (P.L.
|
From page 177... ...
15. "Insurance as a Market Lever" and Chapter Appendix 6.2 draw on discussions with insurance industry representatives, including carrier and agent personnel.
|
From page 178... ...
32. Ike Foreign Corrupt Practices Act is one step toward linking accounting and information security practices; it requires accounting and over management controls that security experts interpret as including computer security controls (Snyders, 1983)
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.