ACM
Journal on
Computing and
Cultural
Heritage
�����
JOCCH publishes papers of
significant and lasting value in
all areas relating to the use of ICT
in support of Cultural Heritage,
seeking to combine the best of
computing science with real
attention to any aspect of the
cultural heritage sector.
�����
www.acm.org/jocch
www.acm.org/subscribe
way as to reduce the risk of compromise to an acceptable level; if the attack can be made to cost far more than
the perceived gain resulting from its
success, then that is usually sufficient.
By asking the wrong questions—
such as how to patch or modify existing
items rather than ask what is appropriate to build or acquire—we end up with
systems that cannot be adequately protected against the threats they face. Few
current systems are designed according to known security practices,c nor
are they operated within an appropriate
policy regime. Without understanding
the risks involved, management seeks
to “add on” security technology to the
current infrastructure, which may add
new vulnerabilities.
The costs of replacing existing systems with different ones requiring new
training seems so daunting that it is seldom considered, even by organizations
that face prospects of catastrophic loss.
There is so much legacy code that developers and customers alike believe they
cannot afford to move to something
else. Thus, the market tends toward
“add on” solutions and patches rather
than fundamental reengineering. Significant research funding is applied to
tinkering with current platforms rather
than addressing the more fundamental issues. Instead of asking “How do
we design and build systems that are
secure in a given threat environment?”
and “What tools and programming
constructs should we be using to produce systems that do not exhibit easily
exploited flaws?” we, as a community,
continue to ask the wrong questions.
Note that I am not arguing against
standards, per se. Standards are important for interoperability and innovation.
However, standards are best applied at
the interfaces so as to allow innovation
and good engineering practice to take
place inside. I am also not overlooking
the potential expense. Creating new systems, training developers, and developing new code bases might be costly, but
c There are many fine works on security engineering, including Ross Anderson’s opus of
that title. If we return to the fundamentals,
tried-and-true design principles were articulated by Jerome H. Saltzer and Michael D.
Schroeder in “The Protection of Information
in Computer Systems,” republished in
Communications of the ACM 17, 7 (July 1974) but few
systems are designed using these principles.
only initially—given current losses and
trends, this approach would eventually
reduce costs in many environments.
Robert H. (Bob) Courtney Jr., one of
the first computer security professionals and an early recipient of the NIST/
NCSC National Computer Systems Security Award articulated three “laws”
for those who seek to build secure, operational computational artifacts:d
• Nothing useful can be said about
the security of a mechanism except in
the context of a specific application
and environment.
• Never spend more mitigating a risk
than tolerating what it will cost you.
• There are management solutions
to technical problems but no technical
solutions to management problems.
Although not everyone will agree
with these three laws, they provide a
good starting point for thinking about
the practice of information security.
The questions we should be asking are
not about how to secure system “XYZ,”
but whether “XYZ” is appropriate for
use in the environment at hand. Can it
be configured and protected against the
expected threats to a level that matches
our risk tolerance? What policies and
procedures need to be put in place to
augment the technology? What is the
true value of what we are protecting? Do
we even know what we are protecting?e
As researchers and practitioners,
we need to stop looking for solutions
where the light is good and people
seem to be gathered. Consider a quote
I have been using recently: “
Insanity is doing the same thing over and
over again while expecting different
results.”f Asking the wrong questions
repeatedly is not only hindering us
from making real progress but may
even be considered insane.
So, what questions are you trying to
answer?
d My thanks to William Hugh Murray for his restatement of Courtney’s Laws.
e Many firms do not understand the value of
what they are protecting or where it is located;
see http://snipurl.com/sec-econ.
f This quote is widely attributed to Albert Einstein and to John Dryden. I have been unable
to find a definitive source for it, however.
Eugene H. Spafford ( spaf@cerias.purdue.edu) is a
professor of computer science and the executive director
of the center for education and research in information
assurance and security (cerias) at Purdue university.
copyright held by author.