Personal privacy and national security in the 21st century both depend on protecting a set of systems that didn’t even exist until late in the 20th — the electronic web of information-sharing known as cyberspace.
Electronic computing and communication pose some of the most complex challenges engineering has ever faced. They range from protecting the confidentiality and integrity of transmitted information and deterring identity theft to preventing the scenario recently dramatized in the Bruce Willis movie "Live Free or Die Hard," in which hackers take down the transportation system, then communications, and finally the power grid.
As that movie depicted, networks of electronic information flow are now embedded in nearly every aspect of modern life. From controlling traffic lights to routing airplanes, computer systems govern virtually every form of transportation. Radio and TV signals, cell phones, and (obviously) e-mail all provide vivid examples of how communication depends on computers — not only in daily life, but also for military, financial, and emergency services. Utility systems providing electricity, gas, and water can be crippled by cyberspace disruptions. Attacks on any of these networks would potentially have disastrous consequences for individuals and for society.
In fact, serious breaches of cybersecurity in financial and military computer systems have already occurred. Identity theft is a burgeoning problem. Viruses and other cyber-attacks plague computers small and large and disrupt commerce and communication on the Internet.
Yet research and development for security systems has not progressed much beyond a strategy akin to plugging the hole in the dike — cobbling together software patches when vulnerabilities are discovered.
Historically, the usual approach to computer protection has been what is called “perimeter defense.” It is implemented by placing routers and “firewalls” at the entry point of a sub-network to block access from outside attackers. Cybersecurity experts know well that the perimeter defense approach doesn’t work. All such defenses can eventually be penetrated or bypassed. And even without such breaches, systems can be compromised, as when flooding Web sites with bogus requests will cause servers to crash in what is referred to as a “denial of service” attack or when bad guys are already inside the perimeter.
The problems are currently more obvious than the potential solutions. It is clear that engineering needs to develop innovations for addressing a long list of cybersecurity priorities. For one, better approaches are needed to authenticate hardware, software, and data in computer systems and to verify user identities. Biometric technologies, such as fingerprint readers, may be one step in that direction.
A critical challenge is engineering more secure software. One way to do this may be through better programming languages that have security protection built into the ways programs are written. And technology is needed that would be able to detect vulnerable features before software is installed, rather then waiting for an attack after it is put into use.
Another challenge is providing better security for data flowing over various routes on the Internet so that the information cannot be diverted, monitored, or altered. Current protocols for directing data traffic on the Internet can be exploited to make messages appear to come from someplace other than their true origin.
All engineering approaches to achieving security must be accompanied by methods of monitoring and quickly detecting any security compromises. And then once problems are detected, technologies for taking countermeasures and for repair and recovery must be in place as well. Part of that process should be new forensics for finding and catching criminals who commit cybercrime or cyberterrorism.
Finally, engineers must recognize that a cybersecurity system’s success depends on understanding the safety of the whole system, not merely protecting its individual parts. Consequently cybercrime and cyberterrorism must be fought on the personal, social, and political fronts as well as the electronic front.
Among other things, that means considering the psychology of computer users — if security systems are burdensome, people may avoid using them, preferring convenience and functionality to security. More research is needed on how people interact with their computers, with the Internet, and with the information culture in general. Cultural and social influences can affect how people use computers and electronic information in ways that increase the risk of cybersecurity breaches.
It would also be helpful to gain a better understanding of the psychology and sociology that leads to deliberate computer crime. Systems must be secure not just against outsiders, but also against insiders who might sabotage a system from within.
Furthermore, laws and regulations concerning cybersecurity need to be evaluated for their influence on how people use or misuse electronic information. And perhaps most important, political forces need to be marshaled to support and fund the many lines of research that will be needed to accomplish the complex task of protecting cyberspace from attack.
Harrison, K. et al., “Security Through Uncertainty,” Network Security (February 2007), pp. 4-7.
Wulf, W.A. and Anita K. Jones, “Cybersecurity,” The Bridge 32 (Spring 2002), pp. 41-45.
President’s Information Technology Advisory Committee, “Cyber Security: A Crisis of Prioritization” (February 2005).
National Research Council, Cybersecurity Today and Tomorrow: Pay Now or Pay Later (Washington, D.C.: National Academies Press, 2002). Available online at http://www.nap.edu/catalog.php?record_id=10274
National Research Council, Toward a Safer and More Secure Cyberspace, eds. Seymour E. Goodman and Herbert S. Lin (Washington, D.C.: National Academies Press, 2007). Available online at http://www.nap.edu/catalog.php?record_id=11925