바이오인

 

June 10, 2009
Good morning Mr. Chairman and members of the Committee. I appreciate this opportunity to comment on cyber-security research and education. I am Fred B.Schneider, a Computer Science professor at Cornell University and Chief Scientist of the NSF-funded TRUST1 Science and Technology Center, a collaboration involving researchers at U.C. Berkeley, Carnegie-Mellon University, Cornell University, Stanford University, and Vanderbilt University.

I have been a Computer Science faculty member since 1978, actively involved in research, education, and in various advisory capacities for both the private and public sectors. Besides teaching and doing research at Cornell, I today serve as member of the Dept. of Commerce Information Security and Privacy Advisory Board (ISPAB), as a member of the Computing Research Association’s board of directors, and as a council member of the Computing Community Consortium. I also co-chair Microsoft’s TCAAB external advisory board on trustworthy computing.

Our nation’s increasing dependence on computing systems that are not trustworthy puts
individuals, commercial enterprises, the public sector, and our military at risk. If anything, this dependence will accelerate with new initiatives such as the “smart grid” and electronic healthcare records. Increased data, increased networking, and increased processing all mean increased exposure. These systems need to work as we expect-to operate despite failures and despite attacks. They need to be trustworthy.

The growth in attacks we are seeing today should not be surprising. The more we depend on a system, the more attractive a target it becomes to somebody intent on causing disruption; and the more value that is controlled by a system, the more attractive a target it becomes to somebody seeking illicit gain. But more disturbing than the growth in attacks is that our defenses can’t keep up. The core of this problem is the asymmetric nature of cyber-security:

Defenders are reactive; attackers are proactive. Defenders must defend all places at all times, against all possible attacks (including those not known about by the defender); attackers need only find one vulnerability, and they have the luxury of inventing and testing new attacks in private as well as selecting the place and time
of attack at their convenience.