Sunday, 04/23/2006 4:33:09 PM

April 2006: The Federal Plan for Cyber-Security

(Every once in a while, I stumble upon something that has LOTS of implications. For all the times that we've been frustrated by finding articles and white papers that DO NOT mention trusted computing, this one is a strong counter-weight. I've read a LOT of security documents over the years... and in terms of breadth... this one takes the cake. And, yes, trusted computing references are all over it... as are references to authentication, the urgent need to protect our banking and financial cyber-structure... etc. Wow.)

http://www.nitrd.gov/pubs/csia/FederalPlan_CSIA_RnD.pdf

NATIONAL SCIENCE AND TECHNOLOGY COUNCIL
FEDERAL PLAN FOR CYBER SECURITY AND INFORMATION ASSURANCE
RESEARCH AND DEVELOPMENT

A Report by the
Interagency Working Group on Cyber Security and Information Assurance Subcommittee on Infrastructure
and
Subcommittee on Networking and Information Technology Research and Development
April 2006


The Nation's information technology (IT) infrastructure - the seamless fabric of interconnected computing and storage systems, mobile devices, software, wired and wireless networks, and related technologies - has become indispensable to public- and private-sector activities throughout our society and around the globe. Pervasive, cost-effective communication enables a vast, constant flow of information that has transformed work environments and processes in government, business and industry, and advanced research, health care, and many other fields.

This IT infrastructure also supports other critical U.S. infrastructures, such as those that supply our food, water, energy, financial transactions, and transportation, as well as public health, emergency response, and other vital services. The interconnectivity that makes seamless delivery of essential information and services possible, however, also exposes many previously isolated critical infrastructures to the risk of cyber attacks mounted through the IT infrastructure by hostile adversaries.

The exposure of critical infrastructure to cyber-based attacks is expected to increase, as convergence of network and device technologies accelerates, and as systems increasingly connect to the Internet to provide added functionality or greater efficiency.

Safeguarding the Nation's IT infrastructure and critical infrastructure sectors for the future is a matter of national and homeland security. Developed by the Cyber Security and Information Assurance Interagency Working Group under the auspices of the National Science and Technology Council, this Federal Plan for Cyber Security and Information Assurance Research and Development presents a coordinated interagency framework for addressing critical gaps in current cyber security and information assurance capabilities and technologies.

The Plan focuses on interagency research and development (R&D) priorities and is intended to complement agency-specific prioritization and R&D planning efforts in cyber security and information assurance. The Plan also describes the key Federal role in supporting R&D to strengthen the overall security of the IT infrastructure through development of fundamentally more secure next-generation technologies.



(One excerpt of many which are highly relevant):

Trusted computing platforms, and the corresponding
OS modifications to leverage them fully, have the
potential to improve some key areas of information
security, especially the level of trust in platform
hardware. Research is needed to understand
weaknesses and covert channels open to hardware and
firmware attacks. New approaches and rigorous
methods for certifying hardware and firmware are
particularly needed for an environment in which the
IT infrastructure’s hardware and firmware are
increasingly developed and manufactured offshore.

Areas in which R&D advances are needed include:

Hardware support for security: Efforts are underway
to protect hardware and firmware and enable secure,
trusted computing platforms. Cryptographic
accelerators speed the processing of cryptographic
algorithms. Smart cards can be used to protect
authentication keys and for multifactor
authentication. Although work is ongoing, more
R&D is needed on integrating more secure
components into a trusted computing platform.

Authentication-based firmware security: The
authentication-based approach (sometimes referred to
as “secure bootstrap”) seeks to ensure firmware
integrity by using digital signatures to authenticate
the origin of the device, its transmitted data, chain of
custody, and physical protection. This approach
ensures that the firmware has not been changed since
it was approved. It is a means for preserving an
existing relationship of trust but cannot establish
trust. Authentication alone cannot ensure that
untrusted code is safe to run. The authentication-based
approach is currently the preferred strategy
because the technology is better developed and its
implementation is more straightforward than
language-based approaches. Increased emphasis on
development and deployment is needed.
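
The authentication-based ("secure bootstrap") check described in the excerpt above, as an added example that is not part of the original post or the federal report. It uses a Lamport one-time hash-based signature as a stand-in for whatever signature scheme a real platform would use, so that it runs with the Python standard library alone; the function names, the boot policy and the firmware bytes are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(image: bytes):
    d = H(image)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, image: bytes):
    # Reveal one secret per digest bit. A Lamport key must sign only ONE image.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(image))]

def verify(pk, image: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(image)):
        ok &= secrets.compare_digest(H(sig[i]), pk[i][bit])
    return ok

def secure_boot(pk, image: bytes, sig) -> str:
    # Hypothetical boot policy: run only firmware whose signature verifies
    # against the public key provisioned on the device.
    return "boot" if verify(pk, image, sig) else "halt"

def demo():
    sk, pk = keygen()  # sk stays with the approver, pk goes into the device
    # Constructed image. It carries a latent defect on purpose: the signature
    # proves it is unchanged since approval, not that it is safe to run.
    approved = b"FWv1: constructed image with an unnoticed parser bug"
    sig = sign(sk, approved)
    tampered = approved + b"\x90"  # any change after approval
    return {
        "approved": secure_boot(pk, approved, sig),
        "tampered": secure_boot(pk, tampered, sig),
        "truncated_sig": secure_boot(pk, approved, sig[:10]),
    }

if __name__ == "__main__":
    print(demo())
```

The approved image boots even though it was approved with a defect, which is the excerpt's point that authentication preserves an existing trust relationship but cannot establish one.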
