• DocumentCode
    2177615
  • Title
    Thou Shalt Not Trust non-Trustworthy Systems
  • Author
    Veríssimo, Paulo Esteves
  • Author_Institution
    Univ. of Lisboa, Faculty of Sciences - Portugal
  • fYear
    2006
  • fDate
    04-07 July 2006
  • Abstract
    Computer systems and ICT at large (information and communication technologies) are on the verge of a strange era: on the one hand, every day we require more from applications as seen by users (response, determinism, robustness, security); on the other hand, improvements in infrastructure technology go hand in hand with asymmetry and instability (access networks, mobility, de-regulation, and so forth). This evolution of distributed computing and applications has put new challenges on models, architectures and systems. In essence, we should look for paradigms that help us reconcile uncertainty with predictability. Grand challenges require drastic changes, and they are happening: in the hybrid, dynamic and decentralised way we are starting to look at system design, once quite homogeneous, static and centralised, and in the cross-fertilising way we now look at previously disjoint scientific fields. Two issues are central to the modern design of dependable and secure dynamic distributed systems: the confluence between classical dependability and security, met essentially but not only by the concept of common 'accidental fault and malicious intrusion tolerance', and the necessary but often forgotten link between trust (dependence or belief on some system's properties) and trustworthiness (the merit of that system to be trusted, the degree to which it meets those properties, or its dependability). The uncertainty described above, together with the vast amount of exposure to wrong-doing endured by current systems, forms an explosive combination. In order to handle it and obtain assurance of the correct operation of systems, no effort is too much. The tolerance perspective on security, currently termed intrusion tolerance, sheds new light on a road darkened by the growing difficulty of preventing every intrusion in large, complex and uncertain installations.
    The combination of fault and intrusion tolerance closes the final gap, by allowing the design of systems that become simultaneously secure and dependable through the same class of mechanisms. This is not enough, though: we need system design principles that ensure a global and accurate view of the relation between trust and trustworthiness. This goes well beyond technological factors: if an ICT-based society is not able to provide trustable services, that is, services that are trusted because they justifiably rely on trustworthy components and infrastructure, then such services, which will nevertheless be deployed due to market pressure, will be perceived with suspicion by users; will be managed by a restricted group of "experts", increasing info-exclusion; and may very well be mismanaged, yielding cyber-crime, e-fraud, cyber-terrorism and sabotage.
  • Keywords
    Application software; Communication system security; Communications technology; Computer networks; Computer security; Distributed computing; Information security; Peer to peer computing; Robustness; Uncertainty;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Distributed Computing Systems Workshops, 2006. ICDCS Workshops 2006. 26th IEEE International Conference on
  • ISSN
    1545-0678
  • Print_ISBN
    0-7695-2541-5
  • Type
    conf
  • DOI
    10.1109/ICDCSW.2006.108
  • Filename
    1648888