8 Information Technology

Information technology (IT) sector vulnerability is defined by the U.S. Congress as “the vulnerability of any computing system, software program, or critical infrastructure, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety.”1 For our purposes, cybersecurity is the study and practice of securing assets in cyberspace—the world of computers and computer networks. Cybersecurity is more than defending against viruses and worms, as described in the previous chapter. It encompasses information assurance in enterprise computing.

This chapter surveys the policies and technologies of securing information and the IT systems that process information—the IT sector. The phrases cybersecurity and IT sector security will be used interchangeably. The essence of IT security centers on the notion of trusted computing—a trusted computing base (TCB) containing hardware and software, plus trusted paths (TP) between and among various computing bases. In layman's terms, this means encapsulating hardware, software, and data in a protected zone and protecting communication transactions between and among users.

The rules of trusted computing have been known for many ...

Get Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation, 2nd Edition now with the O’Reilly learning platform.
