The Nature of the Problem

Computer T he rash of viruses, intrusions, and other attacks on computer systems during the past two years has focused considerable attention on network security in the US. At the same time, experts say the US is not spending enough on networksecurity research and universities are not producing enough graduates with advanced degrees in the field to conduct the necessary future research. This situation troubles many security experts, who note that much of the US’s national infrastructure—affecting government agencies, corporations, utilities, transportation operations, the armed forces, and so on—runs on potentially vulnerable computer networks. “We are so dependent on the cyberinfrastructure now,” said William A. Wulf, University of Virginia professor and National Academy of Engineering (NAE) president. “We can’t do financial transactions without it. Even the larger infrastructure—the power grid, gas pipelines—depends on [it].” A lack of adequate research eventually could cause the US to face an “electronic Pearl Harbor,” in which a cyberattack cripples or damages the network running an important publicinfrastructure element and harms many people, said Terry Benzel, vice president of advanced security research at Network Associates. Also, poor security could let hackers obtain Internet users’ Social Security and credit card numbers and otherwise compromise their privacy. This lack of security could promote identity theft, fraud, and other crimes, noted Daniel A. Reed, director of the National Center for Supercomputing Applications at the University of Illinois at UrbanaChampaign, and director of the National Computational Science Alliance. According to Timothy J. Shimeall, a senior member of the technical staff with the Software Engineering Institute’s (SEI’s) Networked Systems Survivability Program, security has become a growing concern now partly because the number of cyberattacks has increased dramatically in recent years, as Figure 1 shows. “And the vulnerabilities being described are not trivial,” he noted. Network threats are increasing in complexity, as demonstrated by the destructive distributed denial-of-service (DDoS) attacks on major Web sites in 2000 and dangerous worms such as last year’s CodeRed. Malicious-code authors work with an open source model in which they freely share successive code improvements, thereby making their attacks increasingly sophisticated. Computer-security issues were the subject of a recent hearing by the US House of Representatives’ Science Committee in which panelists said the federal government must provide more funding and support to address the problem.