Home   President's NSTAC    R & D Exchange 2003   Break Out Session

Research and Development (R&D) Exchange Workshop
March 13 - March 14, 2003
Atlanta, Georgia

Break Out Session

Chart - Papers - Briefings

You will need Adobe Acrobat Reader to view .pdf files.

Breakout Chart

Breakout Papers

Human Factors Break Out Session

The efficacy of any technology is directly dependent upon the ability of humans to configure, implement, and manage it as it was designed. Several factors—user awareness, policy and procedures, legal issues, and business pressures—all shape how trust is instilled in systems. Poor user awareness or inadequate policies, for example, can manifest two problems. First, users unfamiliar with key technologies designed to engineer trust into networked information systems can inadvertently expose those systems to risk through poor configuration, implementation, or management. Second, insiders remain a vexing problem in terms of building trustworthy systems. Without strong protections (such as background checks, strong access controls), insiders may be able to exploit what might be technically considered a “trustworthy system.” To better instill trust in NS/EP telecommunications systems, the group will discuss the following questions:

• What is the current state of affairs with regarding R&D of human factors affected trusted systems? What technologies - or other research avenues - offer the most promise?
  
  • What technologies support a “secure by default” installation, that does not require users to “lock down” the technology via extensive, confusing configuration choices?
  • What technologies support creation of “security templates” so that organizations can make organization-specific security configuration choices, and then provide the templates to users?
  • What technologies prevent malicious trusted insiders from installing and running unauthorized software? (cryptographically authenticating software integrity before execution would reduce such risks)
    
• What technology areas offer the most potential to improve the human element of trustworthiness? Which area(s) warrant the most attention?
• What impediments might inhibit further R&D in the area of human factors (e.g., legal, policy, sociological, business considerations)?
• Based on the breakout session discussions, what input would you provide to the White House’s Office of Science and Technology Policy in its preparation of the President’s research agenda and budget requests? What are the underlying policy issues that should be studied by the President’s NSTAC or other body?
• What would be your 3-4 key points related to developing an “Agenda for Action: Trusted NS/EP Telecommunications” on the issues related to human factors?

Integration Break Out Session

Research and development of “trusted computing” places an understandable emphasis on improved design and implementation. A key question is how can trust be effectively managed and integrated as technology continues to evolve at a rapid pace; vendors produce new, proprietary solutions; network providers deploy those solutions; and users employ a host of new applications never accounted for in the original design of some operating platforms. Given the complexity and continuous evolution of computer networks (and the physical locations that house them and humans that operate them), “trust” is a moving target. Developing new integration tools and techniques—large-scale testbeds to test trustworthiness before deployment; modeling/simulation techniques to continuously assess the “weak links in the chain;” and common test and evaluation criteria—are essential to promoting trusted systems. To better instill trust in NS/EP telecommunications systems, the group will discuss the following questions:

• What is the current state of affairs with respect to integration of tools/techniques (e.g., testbeds, pilots, and prototype applications) in the R&D process? What other mechanisms offer the most promise of promoting integration?
• What technology approaches offer the most potential to improve the ability to accelerate integration of advanced technologies into a trusted system? Which area(s) warrant the most attention?
• What impediments might inhibit further R&D integration (e.g., funding; legal and policy issues; cultural issues between industry, government, and academia)?
• Based on the session discussions, what input would you provide to the White House’s Office of Science and Technology Policy in its preparation of the President’s research agenda and budget requests? What are the underlying policy issues that should be studied by the President’s NSTAC or other body?
• What would be your 3-4 key points related to developing an “Agenda for Action: Trusted NS/EP Telecommunications” on the issues related to integration?
  

Physical Break Out Session

As the September 11 attacks clearly illustrated, trusted systems may also be compromised via damage to and/or infiltration of the physical locality in which the system is housed. Damage to the facility itself may be caused by a variety of environmental and human-based factors (e.g., hurricanes, earthquakes, unintentional cable cuts, malicious terrorist attacks) and has the potential to destroy or severely disable trusted systems. In addition, vulnerabilities in site protection (e.g., lack of security guards, internal personnel access controls) leave trusted systems susceptible to tampering both from external and internal threats. To better instill trust in NS/EP telecommunications systems, the group will discuss the following questions:

• What is the current state of affairs regarding R&D related to physical security? What technologies - or other research avenues - offer the most promise (e.g., biometrics, token-based tools)?
• What technology areas offer the most potential to improve the physical security of trusted systems? Which area(s) warrant the most attention?
• What impediments might inhibit further R&D in the area of physical security (economic, political, social)?
• Based on the breakout session discussions, what input would you provide to the White House’s Office of Science and Technology Policy in its preparation of the President’s research agenda and budget requests? What are the underlying policy issues that should be studied by the President’s NSTAC or other body?
• What would be your 3-4 key points related to developing an “Agenda for Action: Trusted NS/EP Telecommunications” on physical security issues?
  

Cyber/Software Break Out Session

The National Research Council’s seminal report, Trust in Cyberspace, framed a set of issues related to trustworthiness. Specifically, the report focused on the correctness, security, reliability, safety, and survivability of the PSN and the Internet; logical elements of computer networks; and systems, devices, and applications employed by end users. To protect against the threat of malicious software and distributed denial of service attacks, an array of technologies have been researched, developed, and fielded—firewalls, intrusion detection systems, virtual private networks, etc. Those technologies, however, are limited by several factors, including the inability to keep pace with attack profiles, interoperability issues between proprietary solutions, and inconsistent patch implementation.

Software plays an integral role in achieving trustworthiness in networked information systems as it is the software that integrates and customizes general-purpose system components to accomplish any given task. Consequently, inadequate software security can have many far-reaching negative consequences that detract from the overall trustworthiness of information systems. Factors related to software that can affect the trustworthiness of systems include, but are not limited to: (1) complex source code that could contain millions of lines of code to be tested and evaluated in short time periods; (2) the connection of legacy systems with more current, diverse systems; (3) the movement toward using commercial off the shelf (COTS) software which in many cases causes developers to become dependent on third party vendors for the design and security of important components; (4) inability to ensure that system administrators are updating system software patches in a timely manner, and (5) other influences, such as standards and/or regulations, that compete with efforts to develop trusted systems. To better instill trust in NS/EP telecommunications systems, the group will discuss the following questions:

• What is the current state of affairs regarding R&D of trustworthiness in cyber systems? What technologies (e.g., firewalls, IDS, etc) offer the most promise? Which cyber technologies are on the cusp of a major breakthrough?
  
  • What technologies are using Digital Signal Processing techniques to evaluate transfer control protocol/Internet protocol (TCP/IP) session control loop behavior in support of intrusion detection?
  • What technologies are using stateful network diverters to redirect intruder packet streams to deception networks?
  • What technologies are using neural networks for two stage intrusion detection? (anomaly detection followed by autonomous classification of anomalous network events)
  • What technologies are analyzing role-based network behavior by means of neural network autonomous classification?
  • What technologies implement a “deny all, except” security model based on cryptographically authenticating software integrity before execution?
  • What technologies offer the promise of cryptographically authenticating software integrity before execution?
  • How can the use of high-level languages reduce software bugs that adversely impact security?
  • How could development of non-executable stacks in commercial operating systems reduce the impact of buffer exploits?
    
• What technology areas offer the most potential to improve the trustworthiness of cyber systems in the future? Which area(s) should receive the most attention?
  
  • What efforts are underway to develop and field secure network protocols? What is NSTAC recommending to the Internet Engineering Task Force working groups regarding near-term implementation of secure network protocols?
    
• What impediments might inhibit further R&D for building trustworthy cyber systems?
  
  • What are the impacts of software patents on the R&D of security technologies?
  • What are the impacts of legacy code in the development of secure software?
  • What are the security risks associated with offshore software development?
  • What are the impacts of software patents on the R&D of security technologies?
    
• Based on the breakout session discussions, what input would you provide to the White House’s Office of Science and Technology Policy in its preparation of the President’s research agenda and budget requests? What are the underlying policy issues that should be studied by the President’s NSTAC or other bodies?
• What would be your 3-4 key points related to developing an “Agenda for Action: Trusted NS/EP Telecommunications” on instilling trustworthiness in cyber systems?

Break Out Session Briefings (all documents are in PDF format)

Human Factor Break Out Session pdf
Integration Break Out Session.pdf
Physical Break Out Session.pdf
Cyber/Software Session 1.pdf
Cyber/Software Session 2.pdf

Privacy Policy