Peter G. Neumann <Neumann@CSL.sri.com>
Principal Scientist, Computer Science Lab
SRI International, Menlo Park CA 94025-3493
Phone 1-650-859-2375, Fax 1-650-859-2844
Information Survivability Workshop 1998
"Protecting Critical Infrastructures and Critical Applications"
Wyndham Safari Resort Orlando, Florida, 28-30 October 1998
Following is the current draft executive summary of the first year's final report, which will be available at about the time of the workshop:
Systems and networks with critical survivability requirements are extremely difficult to specify, develop, procure, operate, and maintain. They tend to be subject to many threats, laden with risks, and difficult to use wisely. We begin with several observations.
- The U.S. Government, the defense establishment, and the nation are becoming increasingly dependent on commercially available systems, with all their warts and blemishes as well as their more fundamental shortcomings. Unfortunately, there is no longer any viable alternative for obtaining most of the hardware and software, except for a few specialized components that cannot be obtained as off-the-shelf products.
- Commercially available systems are very poor with respect to security and reliability. They are even worse with respect to overall system and network survivability. Software components are often incompatible with one another, even from the same developer. Interoperability and reusability are much less than what should reasonably be expected. Compatibility with legacy systems is driving many systems into their lowest common denominators. Long-term compatible evolvability is a serious problem.
- Although there are significant research and prototype-development efforts that could help minimize many of the existing problems, that R&D is exceedingly slow in finding its way into practice.
- System development practice is in general abysmal. (Recent examples of total fiascos in the development of U.S. Government systems include the cancellations of the FAA Air Route Traffic Control System development, the IRS Tax Systems Modernization effort, and the FBI NCIC-2000 fingerprint system development, representing the waste of billions of dollars.) A representative example of the very bad state of practice and the great difficulties inherent in trying to advance the state of commercial systems is given by the mere existence and pervasiveness of the Year-2000 problem, with the resulting enormous costs to attempt to fix millions of lines of code and the lingering doubts as to whether those attempts will be successful. The Y2K problem is just one more example of short-sighted system development practice, rather than a unique problem unto itself.
- The recent report of the President's Commission on Critical Infrastructure Protection (PCCIP) touches on the tip of an enormous iceberg. It observes that the survivability and integrity of all of the critical national infrastructures (telecommunications, power, energy, etc.) are very much at risk, and that all of these national infrastructures are interdependent. Whereas the report recognized that all of the critical national infrastructures depend critically on computers and communications, its recommendations touch only lightly on what might be done to strengthen the underlying computer-communication infrastructures. Nevertheless, the PCCIP recommendations are important and must be considered very carefully.
To surmount these realities, we seek to (1) make the requirements for survivability and its necessary subtended properties such as security and reliability explicit; (2) identify functionality whose absence currently prevents adequate satisfaction of those requirements; (3) explore techniques for designing and developing highly survivable systems and networks despite the presence of untrustworthy subsystems; and (4) recommend specific architectural structures and structural architectures that can lead to survivable systems and networks.
It is absolutely essential to realize that there are no easy answers to achieving survivable systems and networks. This report does not pretend to be a cookbook. Cookbook approaches are doomed to fail, because of the intrinsic multidimensionality of the problem, the inadequacies of the existing infrastructures, the fact that all of the underpinnings are continually in flux, and the fact that no one solution or small set of solutions fits all applications. For these reasons, we emphasize the need for depth of understanding of the basic issues, the recognition of and pervasive adherence to sensible principles, the fundamental importance of insights gleaned from past experience, and the urgency of pursuing significant R&D approaches and incorporating them into practical systems. Thus, we include many references to primary literature sources, with the hope that diligent readers will pursue them. The successful integration of all of these concepts is absolutely fundamental to the development, procurement, and use of highly survivable systems and networks.
Survivability of systems and networks is not an intrinsic low-level property of subsystems in the small. Instead, it is an emergent property of entire enterprises in the large. Simply composing a system or network out of its components provides no certainty whatever that the resulting whole will work as desired, even if the components themselves seem to behave properly. One of the most important challenges confronting us is to be able to derive the resulting properties of a system in the large from the properties of its components and from the manner in which they are integrated.
To satisfy the goals stated above, we are taking a strongly system-oriented approach. This approach
- Examines the survivability requirements and their interdependence with one another.
- Recommends the development of specific infrastructural components that are currently missing or not commercially available.
- Explores operational principles that can enhance survivability.
- Characterizes architectures that can achieve critical survivability requirements.
* This position statement is based on work funded by the U.S. Army Research Laboratory under Contract DAKF11-97-C-0020, coordinated by LTC Paul Walczak (pwalczak@arl.army.mil), 1-301-394-3862, and Anthony Barnes (TBarnes@ARL.army.mil), 1-732-427-5099, both of ARL.