Communications - June 2009

ACM
Journal on
Computing and
Cultural
Heritage

��

JOCCH publishes papers of significant and lasting value in all areas relating to the use of ICT in support of Cultural Heritage, seeking to combine the best of computing science with real attention to any aspect of the cultural heritage sector.

��

www.acm.org/jocch
www.acm.org/subscribe

way as to reduce the risk of compromise to an acceptable level; if the attack can be made to cost far more than the perceived gain resulting from its success, then that is usually sufficient.

By asking the wrong questions— such as how to patch or modify existing items rather than ask what is appropriate to build or acquire—we end up with systems that cannot be adequately protected against the threats they face. Few current systems are designed according to known security practices,^cnor are they operated within an appropriate policy regime. Without understanding the risks involved, management seeks to “add on” security technology to the current infrastructure, which may add new vulnerabilities.

The costs of replacing existing systems with different ones requiring new training seems so daunting that it is seldom considered, even by organizations that face prospects of catastrophic loss. There is so much legacy code that developers and customers alike believe they cannot afford to move to something else. Thus, the market tends toward “add on” solutions and patches rather than fundamental reengineering. Significant research funding is applied to tinkering with current platforms rather than addressing the more fundamental issues. Instead of asking “How do we design and build systems that are secure in a given threat environment?” and “What tools and programming constructs should we be using to produce systems that do not exhibit easily exploited flaws?” we, as a community, continue to ask the wrong questions.

Note that I am not arguing against standards, per se. Standards are important for interoperability and innovation. However, standards are best applied at the interfaces so as to allow innovation and good engineering practice to take place inside. I am also not overlooking the potential expense. Creating new systems, training developers, and developing new code bases might be costly, but

c There are many fine works on security engineering, including Ross Anderson’s opus of that title. If we return to the fundamentals, tried-and-true design principles were articulated by Jerome H. Saltzer and Michael D. Schroeder in “The Protection of Information in Computer Systems,” republished in Communications of the ACM 17, 7 (July 1974) but few systems are designed using these principles.

only initially—given current losses and trends, this approach would eventually reduce costs in many environments.

Robert H. (Bob) Courtney Jr., one of the first computer security professionals and an early recipient of the NIST/ NCSC National Computer Systems Security Award articulated three “laws” for those who seek to build secure, operational computational artifacts:^d

• Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment.

• Never spend more mitigating a risk than tolerating what it will cost you.

• There are management solutions to technical problems but no technical solutions to management problems.

Although not everyone will agree with these three laws, they provide a good starting point for thinking about the practice of information security. The questions we should be asking are not about how to secure system “XYZ,” but whether “XYZ” is appropriate for use in the environment at hand. Can it be configured and protected against the expected threats to a level that matches our risk tolerance? What policies and procedures need to be put in place to augment the technology? What is the true value of what we are protecting? Do we even know what we are protecting?^e

As researchers and practitioners, we need to stop looking for solutions where the light is good and people seem to be gathered. Consider a quote I have been using recently: “ Insanity is doing the same thing over and over again while expecting different results.”^f Asking the wrong questions repeatedly is not only hindering us from making real progress but may even be considered insane.

So, what questions are you trying to answer?

d My thanks to William Hugh Murray for his restatement of Courtney’s Laws.

e Many firms do not understand the value of what they are protecting or where it is located; see http://snipurl.com/sec-econ.

f This quote is widely attributed to Albert Einstein and to John Dryden. I have been unable to find a definitive source for it, however.

Eugene H. Spafford ( spaf@cerias.purdue.edu) is a professor of computer science and the executive director of the center for education and research in information assurance and security (cerias) at Purdue university.