In this paper we motivate which research topics should be further investigated and survey some of the recent research results that have a potential impact on survivable computation.

AREAS THAT NEED FURTHER RESEARCH

Impact of computers

• those organizations for which a serious attack would have an immediately visible impact.
• non-manufacturing areas of the economy.
• address current applications of computers.

• address attacks which impact only becomes visible after several weeks, or even months, and which long term effect may be worse than the scenarios identified in the report,
• address how emerging and new applications will make us even more dependable on computers.

The unibomber case has demonstrated that the modern terrorist may be well educated. This implies that one should not exclude sophisticated attacks. An attack that does not destroy capabilities, but reduces their efficiency or the efficiency of the tools and products they produce, may take a time too long to be detected in time for a recovery.

One should also be aware that the World Wide Web is comparable to the library of Alexandria by relying on single volumes not being backed up at physically separated locations. Already today, specs (specifications of hardware and software) are mainly, or only, available in digital format (e.g., from the World Wide Web). A major natural disaster may not only destroy the critical infrastructure, but may as well destroy the help and repair manuals!

A detailed study using scientific methods to identify the current and future dependencies of our society on computers is therefore primordial (further details on this viewpoint are available from the author).

Reducing the dependency on digital computers and making them less general

A potential solution to this problem is to design algorithms and software in such a way that a human can verify the computation without the need of any digital computer whatsoever. Although this research is in its infancy, the trend is an interesting development.

The concept of general purpose computers seemed very useful. However it seems inherently a bad idea from a security viewpoint. A major problem is that insecure software is very easy to install. Methods based on cryptography have been developed to make installation of non-authorized software very hard, turning a computer in a dedicated machine. Integrating different dedicated computers into one machine may reduce the general purpose aspect of the computer, but could significantly reduce the security headache. (For more details see http://www.cs.uwm.edu/~desmedt/reducing-dependency.html#reducing .)

Non-technical aspects of a solution

Software developers should be forced to take responsibility for faults in their software. Current products are sold with strong disclaimers, which would be unacceptable in the medical world, the aviation industry, etc. However, the idea of only relying on making the software industry responsible will fail. Indeed the start up money needed to set up a video game company is rather small. However, the damage of a security flaw in their software can run in the multi-million dollars.

In several industries engineers need to pass a state exam. However, programmers do not have to pass such tests. People without proper training are making programs that may have an impact on several thousands of people. For example, the demand for programmers is so large, that industry is hiring programmers who failed their basic computer science courses. Since computers play such a significant role in our society, states should extend their licensing regulations to guarantee proper training.

The FDA prevents untested medicine to find its way to a pharmacy. This also implies that medicine that could benefit patients is significantly delayed. The FAA plays such a role in the aviation industry. Medicine not properly evaluated and lax criteria in the aviation industry could have serious consequences on our society. It is clear that a properly planned attack on computers may have a similar impact on our society. A regulatory body for bringing software (and hardware) on the market would be viewed by many users as clearly undesirable. However, why do such bodies exits in other critical areas of our society, but not in the computer industry?

When operating a complex vehicle people need a license. The most known example is a driver's license. It should be noted that the license to drive a car is different from the license to drive a truck. We analyze the benefits of introducing such licenses to the computer world.

We propose that when buying hardware/software for personal use, one automatically receives a state license for using it. The license indicates for what type of applications it can and cannot be used. The hardware used in critical applications and the software run on such computers should satisfy more stringent criteria than when used for personal reasons. As in the case of the FDA, such a licensing policy may imply a delay of several years before such products can be used. Computers have such a large impact on the survivability of our society that such a delay is easy justifiable in the case of critical applications. Moreover, there are several examples that question the benefits of new software, which further warrant the delay. Those running, managing and buying hardware/software to be used in more critical applications need to take an appropriate test before receiving their license. Installing software licensed for personal use only on a machine licensed for critical applications, should be outlawed.

Finally, monopolies in the computer industry are a serious security threat since they do not only form a single-point-of-failure, but facilitate the design of attacks.

Protecting against computer viruses

Target oriented computer viruses in the hands of a professional hacker are a major threat. How to protect against them is a major challenge.

New software releases: a blessing or a doom

More and more it is shown that this philosophy is flawed. The massive number of new releases imply that many users cannot keep up with installing new releases. This implies an incompatibility which may make distributed computers unstable.

New releases make the software environment by default unstable. There are basically two approaches to this problem:

Backward compatibility

is a well known approach. However, it often fails for different reasons. One of the problems is that the usefulness of an old release decreases extremely quickly. For example, while new browsers can display old html documents, old browsers, that are one year outdated are completely unable to read more modern html pages. A good design would have allowed the display of parts of the document that have not exploited the new features.

Automatic installation of new software

automatically updates your software without any user interaction. Such a solution clearly would address the mentioned instability problem. While this seems extremely user friendly, the security issues of such an approach need to be studied very carefully to prevent a hacker of installing a Trojan Horse. Moreover, in many critical applications new releases can be worse than old ones. The new releases have usually other and often more bugs than the old ones.

BRIEF SURVEY OF SOME NEW RESEARCH RESULTS

Byzantine faults all over again

In the standard approach every node knows the network. However, in many networks the nodes do not know the network. Indeed, some networks are dynamic. New nodes are added and some go down, changing the network. Also, some nodes may only know their neighbors.

New models for survivable computation

A model that takes this multiple input aspect into account has been worked out. While the problem of reliable communication in the single type of input case is straightforward, the problem in the case of multiple inputs turns out to be NP-complete. For many more results on this topic consult: http://www.cs.uwm.edu/~desmedt/survivability.html