14 Final Class

ENPM 808s
Information Systems Survivability:
14. Conclusions

- - - - - - - - - - - - - - - - - - -
Representative Discussion Topics for the Final Class
- - - - - - - - - - - - - - - - - - -
The final class period includes considerable open discussion, providing an overview of the most important issues raised by the course, an assessment of where we need to go from here, and how to get there.

Topics include the roles of formal methods, testing, more on architectural alternatives, what is needed to make open-source robustification realistic, residual risks, lessons learned, and hopes for the future.

[As it turned out, the first third of the last lecture was devoted to a discussion of the new air-traffic control system concept of "free flight", with many of the existing controller functions being relocated into the cockpits. This introduces much more stringent security requirements (including nondenial of service) into the mix, and creates a highly distributed system that is highly relevant for this course.]

Some Discussion Topics
- - - - - - - - - - - - - - - - - - -
In the recent National Information Systems Security Conference in Crystal City, 18 October 1999, I chaired a panel in which Virgil Gligor, George Dinolt, Sami Saydjari, and Brian Snow participated. These are some of the discussion topics that I had suggested we consider relating to the realistic challenges of achieving dependably secure systems and networks. Appropriate perspectives include computer science education, software engineering, criteria, formal methods, multilevel security, government funding, market forces, and the open-source movement. This was not a hodge-podge of unrelated ideas, but rather an attempt to see if we can integrate all of these perspectives into a unified whole that is much greater than the sum of its parts. What lessons must be learned from our past experience, and what must we do differently in the future?
* What should our universities be teaching to increase the understanding of software development and dependably secure systems?

* What about training computer system administrators and system development managers?

* What are realistic expectations of software engineering disciplines in developing secure systems?

* What could the computer industry do differently that would be effective, within their needs for economic competitiveness?

* What R&D directions are not being adequately pursued that might realistically have a constructive effect on commercial systems and on government deployments?

* What can governments do differently that would encourage the availability of systems and networks with greater security?

* Are there relevant lessons that we should learn from the Y2K fiasco?

* What hope do we have for establishing criteria that meaningfully constrain security and that can be extensively fulfilled?

* Can the open-source, free software, and nonproprietary movements lead to systems that are dramatically more robust than commercial systems?

* Could serious liability laws constrain developers and purveyors of systems that engender huge losses or cause critical failures?

* To what extent are our critical national infrastructures affected by a lack of robust systems and networks?

Final Comment
- - - - - - - - - - - - - - - - - - -
FROM arl-one: We have outlined many concepts that are highly relevant to the specification, design, development, and operation of highly survivable systems and networks. The architectural directions pursued here integrate all of those concepts and provide a strong basis for systems that accommodate mobile code, portable user platforms and robust execution platforms, minimal critical dependence on untrustworthy components, and highly reconfigurable and adaptive environments. There is much work yet to be done to demonstrate the applicability of this approach, but we hope that we have broken some new ground.
