Looking for some old stuff, I ran across a 2-page position paper (and slides) I wrote for an EU-US Cyber Trust Summit in 2006. The gist of the paper is summed up by this question:
If the Saltzer and Schroeder principles have been known for over three decades, and if operating systems and network infrastructure have supported mechanisms to enforce much of Saltzer and Schroeder throughout the network, why aren’t we taking advantage of them to build more resistant and robust networks?
Part of my recommendation:
Instrument all control surfaces to collect appropriate audit information so that each observable activity (e.g., packet observed on a wire or a write to a file) can be mapped to (1) the user that instigated the activity, (2) the person(s) who installed the relevant software, and (3) the person(s) who wrote the relevant software.
I've still been working on (1) and (2) since then. I guess I believed in my position.