Slashdot Mirror


"Grand Challenges" in Cyber Security Risks

The Computing Research Association recently invited 50 of the top scientists, educators, business people, and futurists in cyber security to an executive retreat in Virginia and locked them away for three days until they identified a set of "Grand Challenges" in information security research -- ideas that should "shape the research agenda in the field over the next few decades." The conference participants identified four: eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years; develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets; develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade; and give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future. They haven't written the final report yet (due in early 2004), but they've already told Congress about it. Sounds like they've got a lot of work to do.

12 comments

  1. business people??? by Anonymous Coward · · Score: 0

    .... i guess that means the world is now safe!!! i guess i can safely boot up that old win95 machine now!!

  2. Hogwash! by damu · · Score: 0, Troll

    The whole point of the future is that it is unknown; this is just wishful thinking, nothing else. This is like saying we would like to eliminate AIDS and world hunger, increase the life expectancy to 200 years, and populate Uranus, and we want this done in 10 years. The whole point of technology is that it is new, unknown, and quickly changing. What these guys should have concentrated on is things that can be solved now or in the very near future, something that is more feasible and where the variables are more controlled.

    Just a rant!

    --
    Useless sig.
    1. Re:Hogwash! by Anonymous Coward · · Score: 0

      That's idiotic. Someone needs to be focused on the long-term. There's already too much emphasis on short-term, incremental fixes to the current f'd up systems. Let's start looking beyond existing models.

    2. Re:Hogwash! by Uma+Thurman · · Score: 1, Flamebait

      "I believe that this nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the Earth. Ah, fuck it. How about we just increase profits by 3% next quarter?"
      -- Pres. Kennedy, May 25, 1961

      --
      This is America, damnit. Speak Spanish!
    3. Re:Hogwash! by maximilln · · Score: 1

      The moderators have got to be on crack. To rate the original post as "Troll" is to deny reality.

      Security for computers is like security in society: the more money you spend on it from a centralized level the worse it gets. The only way to really increase security is for each individual to work on it, individually. At the end of the day if someone really really wants to break into your house it doesn't matter how many locks, entry systems, or guard dogs you have.

      Advocating a consortium of experts to make recommendations on security is similar to asking a group of politicians to make recommendations on improving society. They'll come up with some grand recommendations but we, the people, aren't going to see any benefit from it. If anything it will make life more cumbersome and less fulfilling. Most of us should be familiar with the cumbersome secure computing (formerly Palladium) initiative that the industry is embarking on.

      --
      +++ATHZ 99:5:80
  3. Privacy by mopslik · · Score: 1

    ...privacy they can control for the dynamic, pervasive computing environments of the future.

    I'd like to see how this jibes with the slowly-growing move toward "trusted computing". The dynamic, pervasive computing environments of the future may be designed to give the illusion of privacy, while silently reporting back to $CORPORATION. "Control" might be little more than a toggle switch which disables the "now transmitting data" message box.

  4. The grandest security challenge of all... by S.+Baldrick · · Score: 1

    ...is how to keep 50 top experts locked up in an executive retreat for three days.

  5. ..viruses, worms, email spam.. by jdoe407 · · Score: 1

    The conference participants identified four: eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years

    Well, in 10 years I'm quite positive that there will be many different and more creative ways of performing attacks; we just have to wait for the newer generations to get out of elementary school.

  6. Mobile phones...? by Fulkkari · · Score: 2, Insightful

    I hope they didn't exclude mobile phones from their final report. While most mobile phones still are plain old phones, there still is a great potential for insecurity among these "new generation" phones. As covered on Slashdot last week, it would be smart to understand the problems with integrating the phones into the Internet. I'm pretty sure that developers at Nokia haven't yet seen the really big problems, and that's good - in a way.

    How do you patch your mobile phone if someone finds a security bug in it anyway?

    --
    I demand the Cone of Silence!
  7. Mixed Bag by Anonymous Coward · · Score: 0

    eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years

    Simple: eliminate the monoculture. If there were 10 or 12 competing operating systems in wide use, this would not be a problem. (OK, maybe, since you'd see something like Java or .NET being used as middleware to make software applications work on more than one problem, the issue would simply move down the food chain a little.)

    Develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets

    Isn't that Meditech's job (and other vendors in that field)?

    Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade

    Different kind of risks, totally different kinds of risks.

    Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.

    Well, isn't THAT wishful thinking!

    1. Re: Mixed Bag by Adumbratus · · Score: 1

      I think you're being a little over-critical. I suspect the main thrust of that meeting (potential jokes aside) was less about specific policies, goals, tools, etc... and more towards the development of ISO-like standards and the like, so as to be able to judge and/or compare various solutions to these problems.

      Concerning the virii section: I don't think that one can simply "remove the monoculture". Any seriously popular program could be considered one. Didn't Quake have a few problems? Would it be that difficult to write a Quake-specific virii? What about the UT engine? Any holes in that? How many games use that anyways? My point is that simply blaming the monoculture is a cop-out.

      As for those medical program vendors, having a set of standards to hold those companies to might actually be useful, if only from a comparison standpoint and the ability to ask the salesdroid "Is it compliant? No? Why not?"

      For the drive to raise the level of IS risk analysis to finan. risk analysis, yes, they're different risks. I think the point is that they believe the current level available of IS RA is less than the current capabilities of Fin. RA, and they wish to move research in a direction to reduce that apparent gap. If there is such a gap, is there anything bad in moving to reduce that difference?

      As for the section on giving users easy-to-understand security controls and a privacy "primer", personally I think it's a laudable goal that's worth some looking into. It used to be that half of a given presentation I would do in this area was explaining background issues and risks. "Easy-to-understand" would involve some seriously good training fundamentals, and frankly, anything to raise the base level of consciousness. IMO, perhaps a little knowledge is dangerous, but it makes explaining stuff a lot easier.

  8. E - voting by StrawberryFrog · · Score: 1

    How about getting private, secure, verifiable electronic voting right? Or, if it can't be done without a paper trail, showing the limitations of electronic methods.

    Or is this too easy for people who genuinely want to do it?

    --
    My Karma: ran over your Dogma
    StrawberryFrog