5 Rationalizing the Future Research Agenda
As noted in Chapter 3, the committee believes that the IT research areas of highest priority for counterterrorism are in three major areas: information and network security,1 information technologies for emergency response, and technologies for information fusion. Within each of these areas, a reasonably broad agenda is appropriate, as none of them can be characterized by the presence of a single stumbling block or impediment whose removal would allow everything else to fall into place.
Attention to human and organizational issues in a counterterrorism context is also critical. Insight, knowledge, and tools that result from such attention are likely to be much more relevant to systems integration than to technology efforts devoted to proofs-of-principle or other technology development issues. However, that fact does not mean that there is no role for research, especially since system development methodologies that incorporate such tools are scarce or nonexistent. Thus, the engagement of social scientists (e.g., psychologists, anthropologists, sociologists, organizational behavior analysts) will be important in any research program in IT for counterterrorist purposes.
Based on the discussion in Chapter 3, Box 5.1 summarizes some of the topics within these areas that the committee believes would be fruitful to research. Progress in these areas would, in many cases, have commercial applications as well. The fruits of information and network security research would benefit all users of information technology, though their particular relevance to providers of critical infrastructure is obvious. Emergency responders will be the primary beneficiaries of research that focuses on their particular needs. Progress in information fusion has relevance across the spectrum of counterterrorism efforts, from prevention to detection to response, and indeed to information mining for other public and private purposes. (A point of particular interest is the fact that information-fusion efforts for countering bioterrorism have significant applicability to public health, especially with respect to the early identification of “natural” disease outbreaks.) Advances in developing tools to incorporate knowledge about human and organizational factors in systems integration would be relevant to the deployment of most large IT-based systems.
The fact that research in these areas may have commercial relevance raises questions for some about the necessity of government involvement. As noted in Chapter 4, the commercial market has largely failed in promoting information and network security. In other cases, the research program required (e.g., research addressing the needs of emergency responders) is of an applied nature—and focused on counterterror applications. As for information fusion, it is highly likely to have commercial applications once new technologies are developed, but whether those new technologies would develop in the absence of government-supported research and become broadly available is another question entirely.
Most of these technology research areas are not new. Efforts have long been under way in information and network security and information fusion, though additional research is needed because the resulting technologies are not sufficiently robust or effective, they degrade performance or functionality too severely, or they are too hard to use or too expensive to deploy. Moreover, given the failure of the market to adequately address security challenges, adequate government support for R&D in information systems and network security is especially important. Information technologies for emergency response have not received a great deal of attention, though efforts in other contexts (e.g., military operations) are intimately related to progress in this area.2
BOX 5.1 Illustrative Topic Areas for Long-Term Research
- Authentication, Detection, Identification
- Containment
- Recovery
- Cross-cutting Issues in Information and Network Security
- C3I Systems for Emergency Response
- Information Fusion for Counterterrorism
- Privacy and Confidentiality
- Human and Organizational Factors
NOTE: A future CSTB report on cybersecurity research will explicate research areas in greater detail.
As for the funding of the research program described in this report, computer crime losses are estimated at $10 billion per year (and growing).3 Although statistics on the amount lost to cybercrime are of dubious reliability, there is no doubt that aggregate losses are considerable. The committee believes that because this research program has considerable overlap with that needed to fight cybercrime, progress in this research program has the potential to reduce cybercrime as well. Without rigorous argument, the committee believes that the potential reduction in cybercrime would likely offset a considerable portion (if not all) of the research program described in this report (though of course the primary beneficiaries will be society at large rather than any individual company that today may suffer loss). Nevertheless, the committee has not had access to information that would allow it to determine an appropriate level of funding for the research program described in this report.
The time scale on which the fruits of efforts in these research areas will become available ranges from short to long. That is, each of these areas has technologies that can be beneficially deployed on a relatively short time scale (e.g., in a few years). Each area also has other prospects for research and deployment on a much longer time scale (e.g., a decade or more) that will require the development of entirely new technologies and capabilities.
The committee is silent on the specific government agency or agencies that would be best suited to support the program described above,4 though it notes that the recently created Department of Homeland Security may expand the options available for government action. Rather, the more important policy issue is how to organize a federal infrastructure to support this research. In particular, the committee believes that this infrastructure should have the following attributes. It would:
- Engage and support multidisciplinary, problem-oriented research that is useful both to civilian and military users. (Note that this approach contrasts strongly with the disciplinary orientation that characterizes most academic departments and universities.)
- Develop a research program driven by a deep understanding and assessment of IT vulnerabilities. This will likely require access to classified information, even though most of the research should be unclassified.
- Support a substantial effort in research areas with a long time horizon for payoff. Historically, such investigations have been housed most often in academia, which can conduct research with fewer pressures for immediate delivery on a bottom line. (This is not to say that private industry has no role. Indeed, because the involvement of industry is critical for deployment, and is likely to be essential for developing prototypes and mounting field demonstrations, it is highly appropriate to support both academia and industry perhaps even jointly in efforts oriented toward development.)
- Provide support extending for time scales that are long enough to make meaningful progress on hard problems (perhaps 5-year project durations) and in sufficient amounts that reasonably realistic operating environments for the technology could be constructed (perhaps $2 million to $5 million per year per site for system-oriented research programs).
- Invest some small fraction of its budget on thinking “outside the box” in consideration (and possible creation) of alternative futures (Box 5.2).
- Be more tolerant of research directions that do not appear to promise immediate applicability. Research programs, especially in IT, are often—even generally—more “messy” than research managers would like. The desire to terminate unproductive lines of inquiry is understandable, and sometimes entirely necessary, in a constrained budget environment. On the other hand, it is frequently very hard to distinguish between (A) a line of inquiry that will never be productive and (B) one that may take some time and determined effort to be productive. While an intellectually robust research program must be expected to go down some blind alleys occasionally, the current political environment typically punishes such blind alleys as being of Type A, with little apparent regard for the possibility that they might be Type B.
- Be overseen by a board or other entity with sufficient stature to attract top talent to work in the field, to provide useful feedback, and to be an effective sounding board for that talent.
- Pay attention to the human resources needed to sustain the counterterrorism IT research program. This need is especially apparent in the fields of information and network security and emergency communications. Only a very small fraction of the nation’s graduating doctoral students in IT specialize in either of these fields, only a very few professors conduct research in these areas, only a very few universities support research programs in these fields, and, in the judgment of the committee, only a very small fraction of the universities that do support such programs can be regarded as first-rate universities.
BOX 5.2 Planning for the Future
Planning for the future is a critical dimension of any research agenda, though the resources devoted to it need not be large. System architectures and technologies such as switched optical networks, mobile code, and open-source or multinational code development will have different vulnerabilities from the technologies that characterize most of the existing infrastructure and hence require different defense strategies. Similarly, device types such as digital appliances, wireless headphones, and network-capable cell phones may pose new challenges. Even today, it is hard to interconnect systems with different security models or security semantics; unless this problem is successfully managed, it will become increasingly difficult in the future.
Furthermore, the characteristics of deployed technology that protect the nation against catastrophic IT-only attacks today (e.g., redundancy, system heterogeneity, and a reliance on networks other than the Internet for critical business functions) may not continue to protect it in the future. For example, trends toward deregulation are pushing the nation’s critical infrastructure providers to reduce excess capacity, even though this is what provides much of the redundancy so important to reduced vulnerability. In the limit, the market dominance of a smaller number of products leads to system monocultures that, like their ecological and agricultural counterparts, are highly vulnerable to certain types of attack. For these reasons, researchers and practitioners must be vigilant to changes in network technology, usage and reliance on IT, and decreasing diversity.
In addition, research focused on the future is likely to have a slant that differs from the orientation of the other research efforts described in this chapter. While the latter efforts might be characterized as building on existing bodies of knowledge (and are in that sense incremental), future-oriented research would have a more radical orientation: it would, for example, try to develop alternative paradigms for secure and reliable operation that would not necessarily be straightforward evolutions from the Internet and information technology of today. One such pursuit might be the design of appropriate network infrastructure for deployment in 2020 that would be much more secure than the Internet of today. Another might be an IT infrastructure whose security relied on engineered system diversity—in which deployed systems were sufficiently similar to be interoperable, yet sufficiently diverse to essentially be resistant to large-scale attacks.
which there is a need for a low probability of intercept, these conditions do not obtain for civilian emergency-response communications. Also, military forces often must communicate in territory without a pre-existing friendly infrastructure, while civilian agencies can potentially take advantage of such an infrastructure.
3 “Cyber Crime.” BusinessWeek Online, February 21, 2000. Available online at <http://www.businessweek.com/2000/00_08/b3669001.htm>.
4 See CSTB, NRC, 2002, Cybersecurity Today and Tomorrow, pp. 13-14.
One additional attribute of this R&D infrastructure would be desirable, though the committee has few good ideas on how to achieve it. The success of the nation’s R&D enterprise in IT (as well as in other fields) rests in no small part on the ability of researchers to learn from each other in a relatively free and open intellectual environment. Constraining the openness of that environment (e.g., by requiring that research be classified or by forbidding certain research from being undertaken) would have obvious negative consequences for researchers and the creation of new knowledge. On the other hand, keeping counterterrorist missions in mind, the free and open dissemination of information has potential costs as well, because terrorists may obtain information that they can use against us. Historically, these competing interests have been “balanced”—with more of one in exchange for less of the other. But the committee believes (or at least hopes) that there are other ways of reconciling the undeniable tension, and calls for some thought to be given to a solution to this dilemma that does not demand such a trade-off. If such a solution can be found, it should be a design characteristic of the R&D infrastructure.
A comment on the counterterrorist research program is that successfully addressing the privacy and confidentiality issues that arise in counterterrorism efforts will be critical for the deployment of many information technologies. This area is so important that research in the area itself is necessary and should be a fundamental component of the work in virtually all of the other areas described in this report.
Finally, it is the belief of the committee that an R&D infrastructure with the characteristics presented above has the best chance of delivering successfully on the complex research problems described in this report. The committee is not arguing for unlimited latitude to undertake research that is driven primarily by intellectual curiosity, but rather for a program focused on the specific national needs described in this report that can look beyond immediate deliverables. More detailed research agendas should be forthcoming from the agencies responsible for implementing the broad research program described in this report.