The pervasive existence of the three gaps noted above suggests
that efforts are needed to narrow each of the gaps. Some needs for the
future include the following.
- Better systems, providing more comprehensive security with greater assurance
– systems that are easier to use and to administer, easier to understand
with respect to what is actually happening, more repre-sentative of the security
policy that is really desired, etc. [Gap 1]
- Professional standards. Existing professional associations have established
ethical codes. But are they adequate? or adequately invoked? [Gap 2]
- Better education relating to ethics and values, in the context of
the technology, particularly in relation to computer and communication
systems, and also relating to the risks of computerization (cf. Neumann
[91a]). [Gap 2]
- Better understanding of the responsibilities and rights of system administrators,
users, misusers, and penetrators. [Gaps 2 and 3]
- A population that is more intelligent and more responsible, including designers,
programmers, operations personnel, users, and lay people who are in many ways
forced to be dependent on computerization, whether they like it or not. Holistically,
we need a kinder and gentler society, but realistically that is too utopian.
[Gap 3]
- In the absence of a utopian world, it seems necessary that we must
strive to improve our computer systems and communications, our standards,
our expectations of education, and our world as a whole, all at the
same time, although the needs of our society will tend to dictate certain
priorities among those contributing directions. Unfortunately, commercial
expedience often dictates that emphasis be placed on seemingly easy
and palliative solutions that in the long run are inadequate. [Gaps
1, 2, 3, addressed together from an overall perspective.]
In this article, we have considered security somewhat broadly,
encompassing not only protection against penetrations and internal misuse, but
also protection against other types of undesirable system and user behavior.
This perspective is important, because attempts to address a narrower set of
problems are generally shortsighted.
Overall, awareness of computer system vulnerabilities and
security countermeasures is greater than it was a few years ago. In retrospect,
computer security has been getting steadily better, but so have the crackers
and stealthy misusers of authority. Further, the potential opportunities
and gains from insider misuse seem to be increasing. However, our society
does not seem to be getting significantly more moral on the whole, despite
some determined efforts on the part of a few individuals and groups. Gap
1 has actually been closing a little; Gap 2 needs still more work; Gap
3 remains a potentially serious problem.
At a conference in 1969 I heard “2001”author Arthur
Clarke talk about how it was getting harder and harder to write good science
fiction; he lamented that “The future isn’t what it used to be.”
Yogi Berra might have remarked that Clarke’s observation was “deja
vu all over again.” By transitive closure, I think it is appropriate to
combine those two aphorisms. Deja vu isn’t what it used to be all over
again – it seems to be getting worse. And there seem to be enough people
around who subscribe to Tom Lehrer’s title for a song he never wrote (because
it would have been an anticlimax): “If I had it to do all over again, I’d
do it all over you.” In the absence of better computer and communication
systems, better system operations, better laws, better educational programs,
better ethical practices, and better people, we are all likely to have it done
to us, over and over again.
One of the purposes of this article is to stimulate further
discussion of the vital issues relating to values in the use of computers.
Following are a few topics of potential interest. All of these have implications
relevant to the Security Track, but many of them also have implications
in other tracks as well. They are stated here because of the pervasive
nature of the problems, and the dangers of attempting to compartmentalize
the relations between causes and effects.
- Can the three gaps discussed in Section 2 (technical, sociotechnical,
and social, respectively) ever be closed in any realistic sense, in
the face of the behaviors of Section 8? Are we converging or diverging,
or both? Remember, there is no perfect
security.
- Are the existing laws an adequate representation of the need to close
Gaps 2 and 3? What are the appropriate roles of ‘intent’,
‘exceeding authority’, and ‘misusing authority’,
particularly in situations in which no authorization is required, and
what are the implications on attempts to close Gap 1?
- What are the intrinsic limitations of technological security measures
by themselves, administrative and operational security measures by themselves,
and all of these together? See Section 6.
- What are the essential limitations of trying to maintain privacy,
particularly in light of the demands for compromising it? The implications
of emergency overrides and other exceptional mechanisms (cf. SB 266)
provide conflicting needs. (This is of interest also to the Privacy
Track.)
- How can we best balance personal rights with needs for monitoring? For example,
consider the FBI monitoring on-line newsgroups, and corporations monitoring
inbound and outbound e-mail and general system usage. (See Section 9.4.)
- Consider the Free Software Foundation philosophy of open access and
free distribution, and its implications. Note that security has many
more purposes than just providing confidentiality. For example, preventing
Trojan horses and other types of sabotage is clearly an important goal.
(This is of interest also to the Equity Track and the Ownership Track.)
(Added note: Ironically, just before NCCV, abuse of the FSF computers
became rampant, including using the open accounts to trash the FSF software
and to gain free access to other Internet systems. Richard Stallman
of the FSF reluctantly admitted that they had had to institute passwords.
See the Boston Globe, 6 August 1991, front page article.)
- Can we realistically “place the blame” for undesired system and
human behavior, with respect to crackers, malfeasors, designers, programmers,
system administrators, marketers, corporate interests, U.S. and other governments,
etc., across the broad spectrum of security-related problems? Attempts to
place blame are often misguided, and tend to lose sight of the underlying
problems. Furthermore, blame can usually be widely distributed. There is also
the danger of shooting the messenger. (Contrast this distributed notion of
blame with the I Ching concept of “no
blame”!) See also the following track contribution from Dorothy Denning
(Denning [91]).
- How can the needs of encryption for privacy, integrity, and other purposes
noted in Section 9.3 be balanced with needs for “national security”
and other governmental constraints? Consider the social implications of private-key
versus public-key encryption, export controls, corporate and national interests,
international cooperation, etc.
- How does security aid or interfere with other social issues? Might it seriously
impede access by handicapped and disadvantaged people? Or if it does not,
would it present intrinsic vulnerabilities that could be exploited by others?
There are challenges both ways. For example, physically disabled or otherwise
handicapped individuals might be able to vote from their homes, via telephone
or computer hook-up. Such systems might also encourage fraudulent voting.
If serious security measures were invoked, the benefits might be lost.
- Are we creating a bipolar society of computer-literate insiders and
everyone else? Or a multipolar society of various distinct categories?
Are we disenfranchising any sectors of society, such as ordinary mortals
and people in the humanities who do not have computer resources? Might
increased computer security tend to further such an alienation? Are
people in the creative arts becoming sterilized if they do move toward
computerization? Are there relevant implications of computer security
on such individuals?
- What are the implications of computer security on scholarly research?
Unnecessary secrecy is clearly one concern. So is inadequate privacy.
Loss of integrity is another concern, with the possibility of having
experimental data and research results altered or forged. Authenticity
(the ability to provide assurance that something is genuine) and subsequent
non-repudiatability (the ability to provide some assurance that something
attributed to an individual really was correctly attributed) are illustrative
technical issues that relate to this question.
- Do existing transnational data exchange regulations present serious obstacles
to international cooperation, including dissemination of knowledge, programs
and other on-line information? If those regulations were relaxed, would there
be serious consequences, e.g., with respect to social, economic, political
issues, and national integrity? Could computer security help to provide controls
that would permit national boundaries to be safely transcended? Or must it
be an impediment? Or are both of these alternatives actually true at the same
time?
The above itemization is by no means complete. It merely
suggests a few of the thornier topics that might be of interest for further
discussion.
Further background on computer security is found in Clark
et al. [90], while recent examples of system misuse are analyzed in Denning
[90] and Hoffman [90]. Examples of accidental and intentional events that
have resulted in serious computer-related problems are summarized in Neumann
[91a], an updated copy of which is appended.
SRI International
Back to the top
Go to: 14. References
Home > Research
Resources > Computer Security
> Computer Security and Human Values
Back
to the Main Site
HOME | IN
THE NEWS | RESEARCH
RESOURCES
TEACHING RESOURCES | STUDENT
RESOURCES | LINKS
The Research Center on Computing & Society
at Southern Connecticut State University
501 Crescent Street | New Haven, CT 06515
Director: (203) 392-6790 | e-mail: webmaster@computerethics.org
© 2000 – 2007 – Research Center on Computing & Society