Geartest.com: Could you tell us about your current work?

Spafford: For the last nine to 10 years I've been working almost exclusively in the area of information security systems and technologies, and integration of that with research in areas related to computing that have an impact on security and reliability of computing systems.

Geartest.com: What do you see as the major challenge in information security today?

Spafford: If it had to be a single challenge, from a societal point of view, it would be getting the everyday user who knows very little about how computers work and what security means -- and what the risks are -- to embrace and use good technology and techniques to protect their systems.

A lot of the attacks that we're seeing now are coming from systems that have been subverted, sometimes by automated agents -- worms, break-in toolkits, massive denial of service tools -- that are taking over home computers [and] small business computers, and are using those as platforms to launch attacks. That's a big threat because those systems are not run by people who really understand anything at all about security, and the systems are also built and sold by companies that haven't found a reason to include better security in their products. So we have to find some way to get all of these people using these systems to effectively use some technologies to protect their systems and to want to embrace it, even if it costs a little bit more.

I would say that's the most encompassing problem.

"Security doesn't work as an add-on"

Geartest.com: What kind of advanced systems that individuals can use are you talking about? Are there any out there right now?

Spafford: Well, the closest that we have to that [is] some of the antivirus tools, some of the personal firewall kits and application of security patches or applying individual security scanners to know that the patches need to be put in place. But most of those really require deeper understanding of what's going on with the system than your average user has the capability to apply. So, we aren't really there yet.

If you think about the typical home system, it's probably a 3/4 of a gigahertz processor, a lot of RAM and disk [space], it's got a network connection, [it] may be connected to an always-on [Internet] connection through a DSL or cable-modem, [it has a] big, general purpose operating system with lots of utilities, a full protocol stack for the network, a debugger, a compiler [and] all of these other kinds of things. And yet, the person at home is using it for potentially three applications: a Web browser, e-mail and a game. That's it.

So we have a big mismatch between the needs and the understanding and the capabilities and what's actually there. We need to understand better how, perhaps, to shape the systems to meet the [user's] needs, and that could also help [improve security]. So instead of layering something on a system, actually replacing it with a better match [is a solution].

Security doesn't work as an add-on. It really needs to be built-in from the beginning.

"To realize the promise of digital government or of e-commerce, we're going to have to have some stronger authentication mechanisms"

Geartest.com: What kind of changes could be made from the infrastructure side to bring about the kind of security that you're talking about?

Spafford: Paradoxically, the network provides us with a great medium for many things, many of which are in conflict with each other. So in one sense, it gives us the ability to have some truly anonymous participation in things. Whether they're marketplaces or bulletin boards and chatrooms, expression for political speech, [or] all kinds of things that can be done anonymously.

But anonymity also can be a shield for people who are doing things that are wrong and [that] we want to stop, whether those things are breaking into systems, e-commerce systems, money laundering, slander, libel -- those kinds of issues. What we need to do is to think about for the network infrastructure: can all this be accommodated in a single network or are we better off in trying to develop some different networks that have different rules of operation, [and] that are regulated differently? That's one of the things that we're going to have to look at.

To realize the promise, for instance, of digital government or of e-commerce, we're going to have to have some stronger authentication mechanisms. We're going to have to be able to deal, for instance, with denial of service [attacks] and, perhaps, technologies that won't allow packets to traverse a corporate firewall or even traverse the network unless they're cryptographically signed, might be one approach.

I can't say for certain what is going to be the best combination of things but we need to start looking in that direction. We continue to have this very strong philosophical extremes where one group is going, "We must have anonymity, it has to be allowed for political speech and for personal privacy," and others [are] saying, "No, we have to have strict accountability to be able to enforce the laws and otherwise." They're both right!

The problem is that they both want to impose those rules on the same arena, and that isn't really what we're going to be able to build for the future. There's enough fiber going in, there [are] enough communication channels that there's no reason that we can't run multiple channels, multiple virtual networks. That's one approach. But the problems are not so much technological as they are political and economic and philosophical. Those are, really, the big challenges -- to get people to agree on things and to be able to afford them, especially as we're going to a global network.

Geartest.com: How much of the security issues are ethical issues and how do ethics play in this whole environment?

Spafford: They certainly play a role. And in part -- from the standpoint of looking at ethics -- it's within a social context. The things that govern our behavior are partly driven by ethics, partly by etiquette, partly by tradition and -- certainly -- partly by law, because the computing technology is relatively new. The PC just celebrated its 20th anniversary. The network has only been used for commercial purposes for about seven years. That's an incredibly new arena.

The numbers that I've seen indicate that the population online has been doubling about every nine to 11 months for years. This is a trend that has been going on for a long time. You can trace out those figures. Which means right now, at any point -- whenever "now" is -- the majority of users have been online less than a year. So where do they learn proper behavior? Not simply etiquette, or not simply ethics but etiquette and building a sense of community, knowing what's right and wrong in that regard we haven't built that up. We don't have the standard techniques to teach that.

And it's not something we can just spring on adults. We have to start at an early age and build it in as part of the whole thought process of understanding "What is property?" That's going to be a big issue. What is someone's personal space online? What's appropriate to do when you find an open door, for instance. We do that in the physical world. We have not done a very good job of that in the electronic world.

"Security is an absolute that we can never achieve "

Geartest.com: So how would security come into play here?

Spafford: Well, a lot of people in the field have been talking about assurance because security really is a property that's an absolute that we can never quite achieve. A system is secure or it's not. What we're trying to do is we're trying to find ways of increasing your trust in those systems to give you a greater assurance that they'll operate in the way that they are supposed to, and if we think of that in the broadest context, it's not simply technology. It is also affecting how people interact and how they view the systems, affecting what laws govern it, affecting when it can be accessed, where it can be accessed, how it works in a global arena.

[There are] a lot of challenges ahead for us! Sometime in the next five years, the majority of users on the Net will have Chinese as their primary language. How's that going to affect what we're doing now with the network -- that big change? We're already seeing that now. A lot of people [are] getting massive amounts of spam in character sets and languages that [they] have no idea what it is. It's going to get worse. And we're dealing with ethics, religion, laws, [and] customs in over 200 countries around the world. Whose are the right ones to impose on a global arena? We've got a long way to go before we know the answer to that.

"Security is almost non-existent in the wireless realm "

Geartest.com: How do you see security in wireless applications, in the wireless world? What kind of security do you envision being implemented on mobile handsets? Will it be PKI or something else?

Spafford: Right now security is almost non-existent in the wireless realm. And depending on how you define the elements of security, encryption only solves some of them.

Confidentiality? Yes, we can encrypt links. That works. And we can do that with negotiated keystreams, for instance. It can be used with dynamic keystreams. [It] could be done public/private keying -- that's also possible. You could also build in symmetric keys on a one-time basis or on a recharge basis where you bring the phone in and it's reprogrammed. That solves problems.

Integrity of communications? Again, if you encrypt it with the right kind of feedback chaining then you can detect any alterations.

Availability is a problem. Encryption doesn't do anything to help us with availability. Availability to the end system. Because you jam the signals or you create interference and there you go.

It's also the case that you, as a consumer, are not going to want to enter a long keystream into the unit every time you use it. And even if it's on a smart card, you're going to insert the card and leave it. So now we have to worry about theft and loss.

From the standpoint of someone else now impersonating you and using those services -- particularly if all your keys are on one card -- that gets particularly messy. Or from the standpoint of "You've lost your card! There go all your keys!" now we have to introduce a whole new either key recovery system or escrow system, which bothers a lot of people because of the potential privacy and impersonation problems.

So again, we're back to the point where encryption is a technology that offers solutions but key management and everything that surrounds it becomes a huge headache.