Communications of the ACM

• An attacker’s priority target is the
cybersecurity system { 19. 17}.

Description. Closely following from the primacy-of-integrity principle {03.06} is the criticality of the cybersecurity subsystem. To attack the mission, it is necessary first to disable any security controls that effectively defend against the adversary’s attack path—including the security controls that defend the security subsystem itself. Great care must be taken to protect and monitor the cybersecurity subsystem carefully { 23. 12}.

Rationale. The security subsystem protects the mission system. Therefore, attempted attacks on the cybersecurity subsystem are harbingers of attacks on the mission system itself { 22.08}. The cybersecurity system is therefore a prime target of the adversary because it is the key to attacking the mission system. Protection of the cybersecurity system is thus paramount { 21.03}. For example, the cybersecurity audit log integrity is important because attackers attempt to alter the log to hide evidence of their cyberattack activities.

Implications. The cybersecurity system must be carefully designed to itself be secure. The cybersecurity of the cybersecurity system cannot depend on any other less secure systems. Doing so creates an indirect avenue for attack. For example, if the identity and authentication process for access maintenance ports for updating the cybersecurity system use simple passwords over remotely accessible network ports, that becomes the weakest link of the entire system. In addition,

cybersecurity engineers cannot simply
use the cybersecurity mechanism that
the cybersecurity system provides to
protect the mission systems. In other
words, the cybersecurity system cannot
use itself to protect itself; that creates
a circular dependency that will almost
certainly create an exploitable flaw an
attacker can use. Lastly, the cyberse-
curity mechanisms are usually hosted
on operating systems and underlying
hardware, which become the under-
belly of the cybersecurity system. That
underbelly must be secured using dif-
ferent cybersecurity mechanisms, and
it is best if those mechanisms can be as
simple as possible. Complexity is the
to create virtual bulkheads in the sys-
tem and to detect and thwart attacks
propagating from one part of the sys-
tem (where the attacker may have a
toehold) to the next. This is a wise ap-
proach because many sophisticated at-
tacks, such as worms, often propagate
within the system once they find their
way in (for example, through a phish-
ing attack on an unsuspecting user
who clicked on an attacker’s malicious
link in an email message).

• Without integrity, no other cyber-
security properties matter {03.06}.

Description. Cybersecurity is sometimes characterized as having three pillars, using the mnemonic C-I-A: preserving confidentiality of data, ensuring the integrity of both the data and the system, and ensuring the availability of the system to provide the services for which it was designed. Sometimes, cybersecurity engineers become hyperfo-cused on one pillar to the exclusion of adequate attention to the others. This is particularly true of cybersecurity engineers who have their roots in U.S. Department of Defense (DoD) cybersecurity because confidentiality of classified data is a high-priority concern in the DoD. The reality is that all other system properties depend on system integrity, which therefore has primacy.

Rationale. System integrity is the single most important property because, without it, no other system properties are possible. No matter what properties a system may possess when deployed, they can be immediately subverted by the attacker altering the system to undo those properties and replace them with properties desirable to the attacker. This gives rise to the fundamental concept of the reference monitor { 20.02}, which requires the security-critical subsystem be correct (perform the required security functions), non-bypassable (so that the attacker cannot circumvent the correct controls to access protected resources), and tamperproof (so the system cannot be altered without authorization).

Implications. This primacy-of-integrity principle means that cybersecurity engineers must focus attention on access control to the system as a first priority, including heavy monitoring of the system for any unauthorized changes. This priority extends to the earlier stages of system life cycle such as up-