James Jay Horning
Network Associates Laboratories
3965 Freedom Circle
Santa Clara, CA 95054
jim_horning@nai.com
(408) 346-3589

Potential Grand Research Challenge 1: Establish an Actuarial Basis for Information System Risk Management

The challenge is to make it feasible for operators and users of information systems to assess the likelihood and likely magnitude of damages (including consequential damages) caused by breaches of security, integrity, availability, and confidentiality; to give them tools to make reasoned decisions about whether to insure against these perils; and to provide a basis for companies to set prices for such insurance rationally. The focus is on quantifying and managing insecurity of various kinds, rather than questing for absolute security.

A key issue is defining perils so that each is understood in the same way by all parties, including the courts. It must be clear what losses are and are not covered and how their cost is to be measured. Any particular warranty or policy may include limits and deductibles. Defining the perils does not seem to be the hardest issue, but users must be educated about their risks.

A second key issue is estimating the likelihood of defined perils. Traditional statistical techniques are probably inadequate, since the occurrence of a peril frequently involves an intelligent opponent exploiting a vulnerability. Intelligent adversaries don't make risk management impossible, but they make it more like game theory than like statistics: the attacker chooses where to strike based on the expected payoff, so historical frequencies are a poor guide to future losses. Theft insurance, bonding of employees against embezzlement, and credit card fraud risk management provide more useful analogies than fire and automobile insurance do.

A third key issue is developing methodologies for system design and implementation that enable assessment of their vulnerabilities in advance.

A key non-technical issue is establishing infrastructure.
Something analogous to Underwriters Laboratories is needed to establish standards for information assurance and to test for compliance. Because attacks against discovered vulnerabilities tend to cluster (a newly published vulnerability in widely deployed software hits many insured parties at once, so their losses are correlated rather than independent), re-insurance companies will need to develop policies that spread the risk widely enough. Probably the hardest non-technical issue is persuading vendors to accept liability.

Vulnerabilities in the information systems underpinning our critical infrastructures put us all at risk. Society must ensure that this risk is managed appropriately, giving system purveyors a strong self-interest in becoming part of the solution rather than remaining major contributors to the problem. Shifting the costs of insecurity from users to purveyors, and pricing expected losses up front, should help. Users too often fail to consider IS/IA risks when they decide to acquire or deploy information systems.

===========

Potential Grand Research Challenge 2: Develop a Transparent, Trustworthy, and Practical System for Online Voting

Recently there have been several proposals for online voting via the Internet, and even a few trials in real elections. There has also been some fascinating research on cryptographic protocols to address problems of online voting schemes, such as authentication, anonymity, and public scrutiny. But we are a long way from any online voting system as good as traditional paper secret ballots. The challenge here is to develop a complete, practical, and deployable system.

Even the trustworthiness of direct recording electronic (DRE) voting machines is uncertain. Many DRE problems could be reduced by linking them to voter-verifiable (paper) audit trails, which would enable manual recounts when needed. The problems with trustworthy Internet voting are more numerous and more difficult. A solution must provide adequate answers to all of the following questions:

- Authentication: How will the system determine that ballots are cast by authorized voters (once each), and by no others?
- Usability: How will the system make casting an online ballot as understandable as casting a paper ballot, and limit the chance of user errors? Present Internet interfaces are complex, error-prone, and confusing.
- Equal access: How will the system avoid discriminating against voters with less access to, or less experience with, the Internet?
- Secrecy: How will the secrecy of the vote be preserved, both at the time and place where it is cast (e.g., no one looking over the voter's shoulder or otherwise observing the voting), and through all subsequent stages?
- Voter verifiability: How will voters confirm that their votes are counted as they intended?
- Non-salability: How will voter verification be made unusable as proof of how a particular vote was cast (as might otherwise be done by putting distinguishing marks on a paper ballot)? In the cryptographic literature this property is called receipt-freeness, and it is in direct tension with voter verifiability: anything that convinces the voter that the vote was counted as cast must not also convince a vote buyer or coercer.
- Transparency: How will the process be made open enough and simple enough that partisan observers, the press, and the general public can observe all stages of its operation, challenge any irregularities, and have confidence in the validity of the result?
- Validation: How will it be shown beyond dispute that all the software and systems involved in casting, recording, counting, and preserving votes do what is intended and claimed? How will they be protected against tampering?
- Recountability: If the results of the election are in question for any reason, how will a definitive recount be performed?
- Practicality: How will the system be made easy enough to deploy, and inexpensive enough to acquire and operate, to compete with other voting systems?

It is not enough to solve these problems separately; they interact. An acceptable online voting system must solve them together. Its development would involve years of research in technical areas ranging from human-computer interaction to cryptography, as well as dealing with social, educational, legal, and political issues.
It would surely have valuable spin-offs to many other areas that require high-security or high-assurance systems. (Perhaps it could be called an "IS-complete" challenge.) Publicly declaring this to be a grand research challenge could both stimulate research and help restrain the technical pollyannaism of those who blithely assume that "the Internet" or "the Web" is the answer to all problems.

========

Bio: Jim Horning is Chief Scientist of Network Associates Laboratories, the technology research division of Network Associates, Inc., a leading computer and network security company. He started programming in 1959. His career has included research in programming languages and compilers, programming methodology, software development tools, operating systems, dependable computing, formal methods, and digital rights management, performed at the University of Toronto, Xerox PARC, DEC/SRC, and InterTrust STAR Lab.