Interesting People mailing list archives

How Much Why Would a Wye Woods Y if a Wye Woods Would Why Woulds [ I will be


From: David Farber <farber () central cis upenn edu>
Date: Mon, 26 Sep 1994 12:08:50 -0400

From: "Peter G. Neumann" <neumann () CSL SRI COM>


[Partially UnLaTeXiZeD version, for net scanning.]


Problems in Networked Communications: Accountability and Liability
Peter G. Neumann
Principal Scientist, Computer Science Laboratory
SRI International EL-243, Menlo Park, California 94025-3493
Telephone 415-859-2375, FAX 1-415-859-2844, Internet neumann () csl sri com
\copyright Peter G. Neumann, 1994


Invitational Workshop on Legal, Ethical, and Technological
Aspects of Computer and Network Use and Abuse


AAAS-ABA National Conference of Lawyers and Scientists
Aspen Institute's Wye Woods Center, Queenstown MD
October 7-9, 1994


Abstract.  Computer-communication systems are increasingly experiencing
misuse, both accidental and intentional.  Detecting, preventing, and
monitoring misuse are fundamental to the future of these systems.  This
brief position paper considers the technological underpinnings relating to
personal identity, user authentication and authorization, usage
accountability, and various consequent privacy and liability implications.


Identity, Authentication, and Authorization.  Ideally, a computer system
should be able to determine uniquely who is doing what to whom, when, and
where.  That is, the system should be able to determine on whose behalf it
is operating, and what resources are being affected.  A fundamental problem
involves identifying each individual user or computer agent, with a
sufficiently high degree of assurance.  Without that knowledge, the
security and integrity of systems and their data are often inherently
incomplete and provide little help in ascertaining the extent of damage
subsequent to a system being compromised.  Unfortunately, the most popular
operating systems are seriously flawed and their techniques for user
authentication are fraught with danger.  Passwords are generally a very
weak means of user authentication, while smart-cards and cryptographically
based tokens offer some hope for improvement in the future.  (In certain
cases, operating systems have vulnerabilities that can actually permit
system access without requiring users to be authenticated.)


Accountability, Monitoring, and Misuse Detection.  Ideally, a system should
be able to monitor its activities so that flagrant misuses can be detected
in real time and suitable action taken --- such as identifying, locating,
and apprehending the culprit~\cite{Lunt93CS}.  Even if real-time analysis
is not possible, enough audit-trail information should be maintained to
later enable the identification of the individuals in question.  Of course,
masqueraders complicate the problem, which is another reason why
authentication of users and systems is essential.


Privacy and Other Social Implications.  Privacy is almost never a
black-and-white issue; there are usually many shades of gray.  However,
computer security that enhances authentication and accountability also has
a down side from the viewpoint of maintaining privacy.  Monitoring may be
invasive; even the threat of monitoring may be psychologically
debilitating.  (For example, see~\cite{DenningSocial87}.)


Liability Implications.  Ideally, programs and services should be easily
accessible and any required usage fees should be collected automatically,
assuming adequate authentication of identities.  In practice, it is often
easy for a misuser to freeload or to masquerade as someone else.  The
notion of free software is very appealing (I live by it with Emacs and
\LaTeX), but in a completely open environment it also entails a risk of
surreptitious Trojan horses or unsupported ripoffs.  There are also serious
questions of responsibility and liability in cases of life-critical systems
failing, irrespective of legal disclaimers.


Conclusions.  Worldwide access is now possible via the Internet, dial-up
telephone lines, cable hookups, and other related computer-communication
technologies.  Many of the host systems participating in such
interconnectivity are deficient with respect to user accountability, and
often cannot detect unsavory activity until long after it has occurred ---
if at all.


The bottom line for computer security is that we will be increasingly
hindered in our ability to take advantage of the new technologies unless
there is adequate accountability for our actions.  This will certainly be a
problem in the emerging worldwide information infrastructure.  The
technology is progressing rapidly.  However, there are social implications
either way.  Stringent authentication and accountability may greatly
restrict our privacy.  On the other hand, the lack of stringent
authentication and accountability may greatly reduce the integrity of our
computer systems; it may also reduce the consistency and correctness of the
systems on which our lives depend, and may be accompanied by increased
fraud and other forms of misuse.  Thus, there is a very delicate balance
between security and privacy rights, as illustrated by the current
controversy surrounding U.S. cryptographic policy and the Clipper
Chip~\cite{Landau94x}.  See~\cite{NeumannRisksBook} for some of the risks
involved, and see my earlier position paper~\cite{NeumannAAAS93} for
additional background.


\begin{thebibliography}{1}


\bibitem{DenningSocial87}
D.E. Denning, P.G. Neumann, and D.B. Parker.
Social aspects of computer security.
  Proceedings of the 10th National Computer Security
  Conference, September 1987.


\bibitem{Landau94x}
S. Landau, S. Kent, C. Brooks, S. Charney, D. Denning, W. Diffie, A. Lauck,
  D. Miller, P. Neumann, and D. Sobel.
Codes, keys, and conflicts: Issues in U.S. crypto policy.
Technical report, ACM, June 1994.
A summary of this report by the same authors is available as ``Crypto
  Policy Perspectives'' in the Communications of the ACM, 37, 8, 115-121,
  August 1994.


\bibitem{Lunt93CS}
T.F. Lunt.
A survey of intrusion detection techniques.
Computers and Security, 12(4):405--418, 1993.


\bibitem{NeumannAAAS93}
P.G. Neumann.
Limitations of computer-communication technology.
In Proceedings of an Invitational Conference on Legal, Ethical,
  and Technological Aspects of Computer and Network Use and Abuse. AAAS,
  December 1993.


\bibitem{NeumannRisksBook}
P.G. Neumann.
Computer-Related Risks.
ACM Press, New York, and Addison-Wesley, Reading, Massachusetts, 1994.


\end{thebibliography}

