The state of the science of information security is astonishingly rich with solutions and tools to incrementally and selectively solve the hard problems. In contrast, the state of the actual application of science, and the general knowledge and understanding of the existing science, is lamentably poor. Still we face a dramatically growing dependence on information technology, e.g., the Internet, that attracts a steadily emerging threat of well- planned, coordinated hostile attacks. A series of hard- won scientific advances gives us the ability to field systems having verifiable protection, and an understanding of how to powerfully leverage verifiable protection to meet pressing system security needs. Yet, we as a community lack the discipline, tenacity and will to do the hard work to effectively deploy such systems. Instead, we pursue pseudoscience and flying pigs. In summary, the state of the science in computer and network security is strong, but it suffers unconscionable neglect.
Keywords: Information Security, Computer Security, Network Security, Security Evaluation, Trusted Computing Base, Security Kernel, Reference Monitor, Security Model, Verifiable Protection, Common Criteria
Dr. Roger R. Schell is President of Aesec, a new company focused on appliances built on hardened platforms for secure, reliable e-business on the Internet. For several years he managed the successful development and delivery of security for several Novell releases of network software products including an integral PKI, an international crypto API, and an authentication service with exposed SSL capability. Dr. Schell was co-founder and Vice President for Engineering of Gemini Computers, Inc., where he directed development of Gemini's highly secure (Class A1) network processor commercial product. He was also the founding Deputy Director of the DoD (now National) Computer Security Center. Previously he was an Associate Professor of Computer Science at the Naval Postgraduate School.
Dr. Schell received a Ph.D. in Computer Science from the MIT, an M.S.E.E. from Washington State, and a B.S.E.E. from Montana State. He originated several key modern security design and evaluation techniques and holds patents in cryptography and authentication. He is widely regarded as the "father" of the Trusted Computer System Evaluation Criteria (the "Orange Book"). The NIST and NSA have recognized Dr. Schell with the National Computer System Security Award, the nation's highest honor in the information security field.