Spafford On Infrastructure Risks

nealmcb writes "In a major report from the AAAS, Eugene Spafford, director of CERIAS, summarizes the many risks to our information infrastructure (viruses, bugs, single points of failure, etc.), their causes (explosive growth, primacy of time-to-market over quality, lack of support for basic information security research, etc.), and the negative effects of the DMCA, CBDTPA, and other corporate maneuvers."

Well written, but I have some quibbles

[Beryllium+Sphere(tm)]

One problem is not so much lack of basic research as it is lack of a "literature" to search. It's routine for someone to present some time-consuming research at a security conference only to have the Q&A consist of "did you know that's been done already?"

Also, we don't know how much research is being done behind closed doors. The NSA has a lot of bright people and is big enough to do basic research *if* they choose. Their mission does include infrastructure protection.

Spafford's comments about the pressure of time to market were on target. Bruce Schneier spoke at Microsoft once. An employee asked him what MS could do to make secure products. Schneier's response was, simply, that Microsoft shouldn't -- that security is expensive, slows development, and won't result in more sales. That last may have changed by now.

For perspective, some of the government's cyberwarfare investigators have said that any hostile power's virus attack would get lost in the noise of daily blue screens, system "upgrades" and random viruses. On the offensive side, they recommend that if you want to stop a computer from working you should use an OS-independent attack from an F-18. Such an attack can't be fixed by downloading a patch.