In Depth

The Future of Computer Security

A look at the Grand Challenges ahead for computer security

By Simson Garfinkel

February 01, 2004 (CSO) — Forty-two years ago, John F. Kennedy's commitment to landing a man on the moon and returning him safely to the Earth was the epitome of a "Grand Challenge"—the attempt to tackle a problem in science or engineering that is easy to describe but monumentally difficult to solve. More recently, the field of supercomputing has used the Grand Challenge concept as a tool for guiding research and funding priorities for such activities as modeling the global climate or accurately predicting weather many days in advance.

The notion of a Grand Challenge had left some, including me, wondering if computer security has an appropriate equivalent.

Well, it does. In November, I had the honor of being included among 50 of the leading computer security researchers in the world in doing just that: helping to pinpoint the "Grand Research Challenges" we are facing today in information security and assurance. Conference organizers from the Computing Research Association (CRA) and the Association for Computing Machinery solicited short essays from around the world, then invited the authors of the 50 most promising proposals to a four-day intensive workshop aimed at finding the commonalities in those proposals and articulating them.

After days of round-the-clock meetings and late-night wordsmithing, this predictably cantankerous crowd managed to come up with four challenges deemed worthy of "sustained commitments." We identified the hard problems that we don't know how to solve today but that might be solvable within a decade (assuming enough research dollars are spent). Perhaps most important, they are problems that need to be solved if we want to continue to enjoy the fruits of the computer revolution.

First on the list of Grand Challenges is the elimination of "epidemic-style attacks" within 10 years. Certainly it would be nice to return to an Internet that is largely free of viruses, worms and spam. But it is interesting to note that the conference attendees don't think the solution to viruses and worms is for people to install antivirus software and keep their systems up-to-date, two of the primary solutions recommended last year by the National Strategy to Secure Cyberspace. Instead, we agreed that what's needed is a fundamentally new approach to solving the problem, perhaps by moving more of the responsibility to Internet service providers.

Large-Scale Systems

The second Grand Challenge: Develop tools and principles for creating large-scale systems for applications that are really important, so important, in fact, that today these systems are largely still on paper (or at least on standalone computers not connected to the Internet). Two examples from the CRA workshop are medical records systems and electronic voting. In the case of medical records, we agreed that doctors and patients should be able to benefit from Internet technology without having patient records routinely stolen by Russians and ransomed back to the hospital administration (right?). And voting systems present all of the same security challenges with the added twist of auditing. We asked ourselves, How do you build a system that ensures the privacy of the ballot box while still preventing somebody from electronically stealing an election?
