The Select Security Study Committee formed by the National Research Council has assembled an impressive body of material on computer security. The crux of the volume’s contents is its set of six recommendations for “increasing the levels of security in new and existing computer and communications systems.” The recommendations are
Promulgate comprehensive Generally Accepted System Security Principles (GSSPs).
Take specific short-term actions that build on readily available capabilities.
Gather information and provide education.
Clarify export control criteria and set up a forum for arbitration.
Fund and pursue needed research.
Establish an information security foundation.
While the justification for the recommendations fills the body of the text, the best evidence for every recommendation but the last is that considerable work related to each one is already under way. That work, and the fact that much of it has already been assigned to the National Institute of Standards and Technology and the National Security Agency, despite the shortcomings the authors mention, argues against the last recommendation. Those who read the report should bear in mind that the authors do not distinguish between the vulnerabilities found in two very different environments. The first is the academic environment, wherein systems are designed to promote the free exchange of information among benign and cooperative people who build on one another’s work. International conglomerations of interconnected networks now dominate this environment. The “highly publicized abuses of computer systems” characterized in the literature as “the Internet worm” and “the wily hacker,” as well as more recent incidents involving arguably uncooperative or malicious perpetrators in Australia and the Netherlands, all involved unauthorized acts that affected such networks. Most of what the authors say about all but the fourth of their recommendations is specific to such unauthorized acts and to the systems that predominate in such networks. The material supports those recommendations in the context of this environment.
The authors, however, indiscriminately include references to incidents that have occurred in a second environment, the commercial one. There, systems are designed to process valuable data securely. In this context, the authors seem to argue against many details of their own recommendations when they cite “misusing authority” as the predominant type of attack “in a sampling of a collection of over 3,000 cases of computer system abuse” (p. 61). The authors note that “the bread-and-butter work of the corporate security investigator is mostly devoted to worrying about incidents…in none of [which] did any single computer action of the perpetrator, as a computer action, extend beyond the person’s legitimate authority to access, modify, transmit, and print data” (pp.159–160). This implicit acknowledgment that systems in the commercial environment may provide adequate protection against unauthorized acts seems inconsistent with the title of the volume’s sixth chapter, “Why the Security Market Has Not Worked Well.”
Notwithstanding questions about the novelty and value of the report’s recommendations and the discrimination the authors exercise in marshaling evidence for them, the report is an excellent piece of work and well worth the time of readers with an academic interest in its subject. Its analysis of computer security issues may lead to debatable conclusions, but its collection and organization of data are uniquely valuable. Ample references permit the reader to track down more detail on any point of interest. Those who wish to begin study of the subject can hardly find a better place to start. On the other hand, readers well-versed in the area may find little new information of substance.
