Operators Wanted
Status:, Extract from a lecture at Norwich University, Vermont,
Master of Science in Information Assurance, Spring, 2003
Journalists love to get experts to predict the future. Over the years I have learned, rather sadly, that grim predictions are the best bet for a security expert, at least in terms of coming true. Nobody wants to be the expert who said, in any given year, including 2003, that the virus threat will soon diminish. So, over the last ten years, I have tended to stick with a tired but trusted line: “It is probably going to get worse before it gets better.” I think I said that about boot sector viruses in 1992, about macro viruses in 1995, Java exploits in 1996, spam in 2002, and so on.
Consequently, when Dr. Peter Tippett agreed to write the final chapter of The Computer Security Handbook, 4th Edition, the primary text book for this degree program, he had my sympathies. (That is the same NCSA that became ICSA then TruSecure, then merged with Betrusted to become Cybertrust which is now Verizon Business--so for a short period of time in the mid-nineties, Dr. Tippett was technically my boss.)
I had faced a similar challenge in 1996, when I came to write the final chapter of the NCSA Guide to PC & LAN Security. So it is somewhat fitting that I now draw attention to one of Dr. Tippett’s earlier ideas, an idea with which I took issue in the final chapter of my book. In 1996, Dr. Tippett was already looking forward to the day when computer security would be taken care of by persons/agents other than the owners/operators of the computers. This approach has a lot of merit and we have seen a big surge in recent years in both “managed security” and “self-healing systems.”
However, one of the most important lessons I have learned about developing information security products and solutions is that timing is everything. I wrote my original security book in the late eighties. At that time it seemed to me that diskless workstations were, from a security and system management perspective, a great idea. The book came out in 1992, by which time the product that I had highlighted as an example of a diskless workstation had disappeared. Then, about the same time that the 1996 edition of the book was coming together, Oracle’s CEO, Larry Ellison, announced the thin client network station. How could I go wrong? Surely the security advantages of the thin client would gain traction. Perhaps, but I was not going to bet on it.
Aware that it could take a while before the advantages of remotely managed, easy-to-use, appliance-style workstations would become apparent to IT managers, I decided to take issue with Dr. Tippett’s 1996 assertion that users should not have to worry about security. Frankly, I was concerned that too many computer users, and owners, were abdicating responsibility, rather like people who drive vehicles without ever checking the tread on the tires.
I was, and still am, keen to get across the notion that a computer user is a computer operator, and things would have gone better if ‘user’ had never replaced ‘operator.’ The term ‘user’ was coined for users of dumb terminals, as opposed to the people who operated the computers that fed the data to the terminals.
If the hundreds of millions of people who today “operate” powerful and autonomous computer systems were actually using terminals then we’d all be a lot safer. But the fact is we have hyper-threaded, multi-gigahertz computer systems selling for less than $500. These are fully-fledged computers, providing input, output, storage, and processing. Packed with hundreds of megabytes of RAM and hundreds of gigabytes of storage, many of these systems are also network nodes, sitting on megabit-per-second connections to a global network. And they are operated by Junior, who, at 11 years of age, probably lacks a fully developed sense of personal responsibility. This is a lot like letting teenagers drive without lessons or a permit.
Operators are to computers as drivers are to cars. Users are to computers as passengers are to cars. But the automotive analogies don’t end there. I’m not sure how far back your memory of cars goes, but back in the fifties, when my father went to work in the mornings, the probability that the car would start was a lot lower than it is when I head out of the door today. This does not just reflect the fact that I grew up in England. My wife tells me that her father, just like mine, would take the family car to the garage to be serviced before any long trip. Recently, I watched my daughter get in her car and head off on a 2,000 mile round trip without even thinking of lifting the hood. My point here is that over the last half century cars have steadily moved closer to a reality that was talked about as long ago as the fifties, a car so ‘maintenance-free’ that it frees the driver of any mechanical responsibilities.
Sadly, the maintenance-free, care-free computer has not yet arrived. Furthermore, even though cars today have warning indicators to tell us when a bulb is burned out, or a tire is low, it is still the responsibility of the driver not to drive unless all bulbs are working and all tires are properly inflated. What is more, you need a license to drive a car. Operating a vehicle on the public highway is not a right but a privilege. Why should operating a computer on the public network be different. Why not a license to drive a computer?
In the world of information systems we have not yet reached the point when we can relieve the individual of the responsibility of proactively protecting systems from abuse. While conceding to Dr. Tippett that managed security is a worthy goal, I did, and still, assert that we are not there yet. Indeed, I am prepared to predict that computers will never reach the point where they can be used safely without operator training.
The future of information assurance rests with people and products. I’ve talked about products elsewhere, but what about the people? Like many of my colleagues I believe that the human race needs a massive dose of computer ethics training. We need to start the computer ethics education early and repeat often. And we must continually endeavor to counter the still too common misconception that system abuse is cool.
Sadly, corporate America today makes ethics education difficult to discuss without risking a chorus of derisive laughter. The moral example set by money-hungry, fraudulent C-level executives is appalling. I’m not just talking about theft and slimy accounting, but the moral tone. When a company is convicted, under the laws of the land in which it is incorporated, of being a monopoly, it is unseemly to find it arguing overseas, several years later, that it is not (yes, that is a reference to Microsoft). The rampant absence of shame and contrition in the corporate world, where people like the CEO of Enron try to dodge the buck rather than take the bullet, makes the task of
teaching Junior to respect the intellectual property and cyber-space of others that much more challenging...
... The term 'computer user' harks back to the days of dumb terminals, simple input/output devices with no storage or processing power, a relatively harmless element of a complete computer system. A person who controls a complete computer system, one with input/output/storage/processing, is an operator, not a user, whether that computer is a PC or Mac in a living room or college dorm, or a fire control system, e-commerce web site, or ban
In short, I believe that on the Internet highway there are users and there are operators. Operators Wanted
Stephen Cobb