Toward a Safer and More Secure Cyberspace

Seymour E. Goodman and Herbert S. Lin, Editors

Committee on Improving Cybersecurity Research in the United States

Computer Science and Telecommunications Board

Division on Engineering and Physical Sciences

NATIONAL RESEARCH COUNCIL AND NATIONAL ACADEMY OF ENGINEERING OF THE NATIONAL ACADEMIES

THE NATIONAL ACADEMIES PRESS

Washington, D.C.
www.nap.edu



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




THE NATIONAL ACADEMIES PRESS
500 Fifth Street, N.W.
Washington, DC 20001

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

Support for this project was provided by the Defense Advanced Research Projects Agency (award number N00174-03-C-0074), the National Science Foundation (award number CNS-0221722), the National Institute of Standards and Technology (contract number SB1341-03-C-0028), the Department of Homeland Security through the National Science Foundation (award number CNS-0344585), the National Academy of Engineering, the National Research Council Fund (no award number), and F. Thomas Leighton and Bonnie Berger Leighton. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations, agencies, or individuals that provided support for the project.

Back cover: Summarized in the right-hand column of the chart is the new mind-set advocated in this report as essential to achieving a more generally secure cyberspace.

Library of Congress Cataloging-in-Publication Data

Toward a safer and more secure cyberspace / Committee on Improving Cybersecurity Research in the United States, Computer Science and Telecommunications Board, Division on Engineering and Physical Sciences, National Research Council of the National Academies ; Seymour E. Goodman and Herbert S. Lin, editors.
p. cm.
Includes bibliographical references.
ISBN 978-0-309-10395-4 (pbk.) -- ISBN 978-0-309-66741-8 (pdf)
1. Computer security. 2. Computer networks--Security measures. 3. Cyberterrorism--Prevention. I. Goodman, Seymour E. II. Lin, Herbert. III. National Research Council (U.S.). Committee on Improving Cybersecurity Research in the United States.
QA76.9.A25T695 2007
005.8--dc22
2007037982

This report is available from Computer Science and Telecommunications Board, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001.

Additional copies of this report are available from the National Academies Press, 500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu.

Copyright 2007 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council.

www.national-academies.org

COMMITTEE ON IMPROVING CYBERSECURITY RESEARCH IN THE UNITED STATES

SEYMOUR (Sy) E. GOODMAN, Georgia Institute of Technology, Chair (from August 2006)
JOEL S. BIRNBAUM, Hewlett-Packard Company, Chair (until August 2006)
DAVID AUCSMITH, Microsoft Corporation
STEVEN M. BELLOVIN, Columbia University
ANJAN BOSE, Washington State University
BARBARA FRASER, Cisco Systems, Inc.
JAMES GOSLER, Sandia National Laboratories
WILLIAM GUTTMAN, Carnegie Mellon University
RUBY B. LEE, Princeton University
FERNANDO (FRED) LUIZ, Hewlett-Packard Company (retired)
TERESA F. LUNT, Palo Alto Research Center
PETER G. NEUMANN, SRI International
STEFAN SAVAGE, University of California, San Diego
WILLIAM L. SCHERLIS, Carnegie Mellon University
FRED B. SCHNEIDER, Cornell University
ALFRED Z. SPECTOR, Independent Consultant
JOHN WANKMUELLER, MasterCard International
JAY WARRIOR, Agilent Laboratories

Staff

HERBERT S. LIN, Senior Scientist and Study Director (from September 2005)
CHARLES N. BROWNSTEIN, Study Director (until September 2005)
KRISTEN BATCH, Associate Program Officer
JENNIFER M. BISHOP, Program Associate (until November 2006)
JANICE M. SABUDA, Senior Program Assistant
TED SCHMITT, Consultant

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

JOSEPH F. TRAUB, Columbia University, Chair
ERIC BENHAMOU, Benhamou Global Ventures, LLC
FREDERICK R. CHANG, University of Texas, Austin
WILLIAM DALLY, Stanford University
MARK E. DEAN, IBM Almaden Research Center
DEBORAH ESTRIN, University of California, Los Angeles
JOAN FEIGENBAUM, Yale University
KEVIN KAHN, Intel Corporation
JAMES KAJIYA, Microsoft Corporation
MICHAEL KATZ, University of California, Berkeley
RANDY H. KATZ, University of California, Berkeley
SARA KIESLER, Carnegie Mellon University
TERESA H. MENG, Stanford University
PRABHAKAR RAGHAVAN, Yahoo! Research
FRED B. SCHNEIDER, Cornell University
ALFRED Z. SPECTOR, Independent Consultant
WILLIAM STEAD, Vanderbilt University
ANDREW J. VITERBI, Viterbi Group, LLC
PETER WEINBERGER, Google, Inc.
JEANNETTE M. WING, Carnegie Mellon University

Staff

JON EISENBERG, Director
KRISTEN BATCH, Associate Program Officer
RADHIKA CHARI, Administrative Coordinator
RENEE HAWKINS, Financial Associate
MARGARET MARSH HUYNH, Senior Program Assistant
HERBERT S. LIN, Senior Scientist
LYNETTE I. MILLETT, Senior Program Officer
DAVID PADGHAM, Associate Program Officer
JANICE M. SABUDA, Senior Program Assistant
TED SCHMITT, Consultant
BRANDYE WILLIAMS, Program Assistant
JOAN D. WINSTON, Program Officer

For more information on CSTB, see its Web site at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.


Preface

In the past several years, cybersecurity has been transformed from a concern chiefly of computer scientists and information system managers to an issue of pressing national importance. The nation’s critical infrastructure, such as the electric power grid, air traffic control system, financial system, and communication networks, depends extensively on information technology (IT) for its operation. Concerns about the vulnerability of this infrastructure have heightened in the security-conscious environment after the September 11, 2001, attacks. National policy makers have become increasingly concerned that adversaries backed by substantial resources will attempt to exploit the cyber-vulnerabilities in the critical infrastructure, thereby inflicting substantial harm on the nation.

Today, there is an inadequate understanding of what makes IT systems vulnerable to attack, how best to reduce these vulnerabilities, and how to transfer cybersecurity knowledge to actual practice. For these reasons, and in response to both legislative and executive branch interest, the National Research Council (NRC) established the Committee on Improving Cybersecurity Research in the United States (see Appendix A for biographies of the committee members). The committee was charged with developing a strategy for cybersecurity research in the 21st century.

To develop this strategy, the committee built on a number of previous NRC reports in this area, notably, Computers at Risk (1991), Trust in Cyberspace (1998), and Information Technology for Counterterrorism (2003).[1] Although these reports were issued some years ago, the committee found that they contained valuable points of departure for the present effort. In addition, the committee undertook a set of hearings and briefings that provided information about present-day concerns and responses to those concerns. The report of the President’s Information Technology Advisory Committee on cybersecurity—Cyber Security: A Crisis of Prioritization—which lays out a research agenda and makes recommendations on how to implement it, provided a useful point of departure as well.[2]

[1] National Research Council, 1991, Computers at Risk, National Academy Press, Washington, D.C.; National Research Council, 1998, Trust in Cyberspace, National Academy Press, Washington, D.C.; National Research Council, 2003, Information Technology for Counterterrorism: Immediate Actions and Future Possibilities, The National Academies Press, Washington, D.C.

[2] President’s Information Technology Advisory Committee. February 2005. Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Technology Research and Development, Washington, D.C.; available at www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.

Box P.1 contains the full charge to the committee. The committee’s survey of the current cybersecurity research landscape is described in Appendix B. As requested in the charge, Section B.5 contains a survey of the research effort in cybersecurity and trustworthiness to assess the current mix of topics; Sections B.4 and B.6 address level of effort, division of labor, and sources of funding; Section B.3 addresses quality. The issue related to the timescales of cybersecurity research is addressed in Section 10.2.2. Structural dimensions of a program for cybersecurity research are addressed in Section 3.3.

Two elements in the committee’s statement of task were not fully addressed. First, although Part II provides general guidance regarding appropriate areas of programmatic focus, this report does not provide a detailed explication of research priorities within or among these areas (that is, the research areas meriting federal funding). The reason, explained at greater length in Section 3.4.4, is that in the course of its deliberations, the committee concluded that the nation’s cybersecurity research agenda should be broad and that any attempt to specify research priorities in a top-down manner would be counterproductive. Second, the study’s statement of task calls for it to address appropriate levels of federal funding for cybersecurity research. As discussed in Section 10.2.2, the committee articulates a specific principle for determining the appropriate level of budgets for cybersecurity research: namely, that such budgets should be adequate to ensure that a large fraction of good ideas for cybersecurity research can be explored. It further notes that the threat is likely to grow at a rate faster than the present federal cybersecurity research program will enable us to respond to, and thus that in order to execute fully the broad strategy articulated in this report, a substantial increase in federal budgetary resources devoted to cybersecurity research will be needed.

It is important to delineate the scope of what this report does and to specify what it does not do. The committee recognizes that cybersecurity is only one element of trustworthiness, which can be defined as the property of a system whereby it does what is required and expected of it—despite environmental disruption, human user and operator errors, and attacks by hostile parties—and that it does not do other things. Trustworthiness has many dimensions, including correctness, reliability, safety, and survivability, in addition to security. Nevertheless, the charge of this report is to focus on security, and other issues are addressed only to the extent that they relate to security.

BOX P.1
Statement of Task

This project will involve a survey of the research effort in cybersecurity and trustworthiness to assess the current mix of topics, level of effort, division of labor, sources of funding, and quality; describe those research areas that merit federal funding, considering short-, medium-, and long-term emphases; and recommend the necessary level for federal funding in cybersecurity research. Technologies and approaches conventionally associated with cybersecurity and trustworthiness will be examined to identify those areas most deserving of attention in the future and to understand the research baseline. In addition, this project will also seek to identify and explore models and technologies not traditionally considered to be within cybersecurity and trustworthiness in an effort to generate ideas for revolutionary advances in cybersecurity. Structural alternatives for the oversight and allocation of funding (how to best allocate existing funds and how best to program new funds that may be made available) will be considered and the project committee will provide corresponding recommendations. Finally, the committee will offer some guidance on the shape of grant-making research programs.

Consistent with legislative language, the committee will consider:

- Identification of the topics in cybersecurity research that deserve emphasis for the future. As discussed with congressional staff, this analysis will build on past work within CSTB [Computer Science and Telecommunications Board] and elsewhere, which has identified many important and often enduring topics.
- The distribution of effort among cybersecurity researchers. The emphasis will be on universities, in part to address the link between the conduct of researchers and the education and training of cybersecurity experts, to ensure that there are enough researchers to perform the needed work. Comparisons between academic and industry activities will be made.
- Identification and assessment of the gaps in technical capability for critical infrastructure network security, including security of industrial process controls.
- The distribution, range, and stability of support programs among federal funding organizations.
- Issues regarding research priorities, resource requirements, and options for improving coordination and efficacy in the national pursuit of cybersecurity research. Opportunities for cross-sector (and intra-sector) coordination and collaboration will be considered.

This report is not confined to technical topics alone. A number of policy issues related to cybersecurity are discussed. These policy issues provide an overarching context for understanding why greater use has not been made of cybersecurity research to date. In addition, because the report concludes that cybersecurity research should not be undertaken entirely in a domain-independent manner, the report also discusses briefly a number of problem domains to which cybersecurity research is applicable.

The committee assembled for this project included individuals with expertise in the various specialties within computer security and other aspects of trustworthiness, computer networks, systems architecture, software engineering, process control systems, human-computer interaction, and information technology research and development (R&D) programs in the federal government, academia, and industry. In addition, the committee involved individuals with experience in industrial research.

The committee met first in July 2004 and four times subsequently. It held several plenary sessions to gather input from a broad range of experts in cybersecurity. Particular areas of focus included then-current federal research activity, the state of the art in usable security, and current vendor activity related to advancing the state of cybersecurity. The committee did its work through its own expert deliberations and by soliciting input from key officials at sponsoring agencies, numerous experts at federal agencies, academic researchers, and hardware and software vendors (see Appendix C). Additional input included perspectives from professional conferences, the technical literature, and government reports studied by committee members and staff (see Appendix B).

The committee appreciates the support of its sponsoring agencies and especially the numerous inputs and responses to requests for information provided by Jaynarayan Lala and Lee Badger at the Defense Advanced Research Projects Agency (DARPA), Carl Landwehr and Karl Levitt at the National Science Foundation (NSF), Edward Roback at the National Institute of Standards and Technology (NIST), Douglas Maughan at the Department of Homeland Security (DHS), and Robert Herklotz at the Air Force Office of Scientific Research (AFOSR).

PERSONAL NOTE FROM THE CHAIR

A large fraction of the American population now spends a great deal of time in cyberspace. We work and shop there. We are educated and entertained there. We socialize with family, friends, and strangers in cyberspace. We are paid and we pay others through this medium. Millions of commercial enterprises and local, state, and federal government agencies do their business there. It has become a critical infrastructure in its own right, and it is embedded in almost all other critical infrastructures. We rely on cyberspace to help keep electricity flowing, public transportation running, and many other basic services working at levels that we have come to regard as essential elements of our society. These functions, expectations, and resulting dependencies are with us now, have been growing rapidly, and are expected to continue to grow well into the future.

The people, businesses, and governments of the rest of the world are following suit. On a per capita basis, some are even more committed to this infrastructure than the United States is. The Internet alone is now used by about a billion people and comes to ground in about 200 countries. And they are all connected to us and to one another.

It is thus very much in the public interest to have a safe and secure cyberspace. Yet cyberspace in general, and the Internet in particular, are notoriously vulnerable to a frightening and expanding range of accidents and attacks by a spectrum of hackers, criminals, terrorists, and state actors who have been empowered by unprecedented access to more people and organizations than has ever been the case with any infrastructure in history. Most of the people and organizations that increasingly depend on cyberspace are unaware of how vulnerable and defenseless they are, and all too many users and operators are poorly trained and equipped. Many learn only after suffering attacks. These people, and the nation as a whole, are paying enormous costs for relying on such an insecure infrastructure.

The Committee on Improving Cybersecurity Research in the United States was established by the National Research Council of the National Academies with the financial support of NSF, DARPA, NIST, DHS, the National Academy of Engineering, and F. Thomas and Bonnie Berger Leighton. The basic premise underlying the committee’s task is that research can produce a better understanding of why cyberspace is as vulnerable as it is and that it can lead to new technologies and policies and their effective implementation to make things better.

Cybersecurity is not a topic that is new to the national agenda. Indeed, a number of earlier reports have addressed this subject from different perspectives. Many of these reports have been concerned with specific threats (e.g., terrorism), missions (e.g., critical infrastructure protection), government agencies (e.g., how they might better protect themselves), or specific sectors (e.g., banking and finance). This study tackles the problem from the perspective of protecting all legitimate users of cyberspace, including the individual citizens, small commercial concerns, and government agencies that are particularly vulnerable to harassment and injury every time they use the Internet or connect to other networks. The committee strongly believes that a more generally secure cyberspace would go a long way toward protecting critical infrastructure and national security.

What would a safer and more secure cyberspace look like? To address this question, the committee has formulated a Cyberspace Bill of Rights (CBoR). It consists of 10 basic provisions that the committee believes users should have as reasonable expectations for their online safety and security. The CBoR articulated in this report is distinctly user-centric, enabling individuals to draw for themselves the contrast between that vision and their own personal cyberspace experiences.

Unfortunately, the state of cyberspace today is such that it is much easier to state these provisions than it is to achieve them. No simple research project will lead to the widespread reality of any of these provisions. Indeed, even achieving something that sounds as simple as eliminating spam will require a complex, crosscutting technical and nontechnical R&D agenda. Accordingly, this report goes on to propose a comprehensive R&D agenda and to show how that agenda would help realize the provisions of the CBoR. The report also warns that there will be no shortcuts and that realizing the CBoR vision will take a long, sustained, and determined effort. There is much to accomplish.

Many of this report’s technical R&D recommendations build on and support those of earlier reports. However, they give particular emphasis to problems that have handicapped the more extensive practice of cybersecurity in the past. Thus, the report focuses substantial attention on the very real challenges of incentives, usability, and embedding advances in cybersecurity into real-world products, practices, and services.

On behalf of the committee, I would like to thank those who took the time and trouble to contribute to our deliberations by briefing the committee. This group of individuals is listed in Appendix C. In addition, those who reviewed this report in draft form played a critical and indispensable role in helping to improve the report (see “Acknowledgment of Reviewers” on page xiii). On the Computer Science and Telecommunications Board (CSTB), Ted Schmitt’s work as program officer on his first NRC project was exemplary, and Janice Sabuda provided administrative and logistical support beyond compare. Special recognition is due to Herbert S. Lin, who became the CSTB study director about halfway through the committee’s lifetime, and who worked so hard to pull this report together. His tenacity, determination, and expertise were indispensable.

Seymour E. Goodman, Chair
Committee on Improving Cybersecurity Research in the United States

Acknowledgment of Reviewers

This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:

Eric Benhamou, Benhamou Global Ventures, LLC
Earl Boebert, Sandia National Laboratories (retired)
William R. Cheswick, AT&T Research
David D. Clark, Massachusetts Institute of Technology
Richard A. DeMillo, Georgia Institute of Technology
Samuel H. Fuller, Analog Devices, Inc.
Paul A. Karger, IBM Thomas J. Watson Research Center
Pradeep Khosla, Carnegie Mellon University
Butler Lampson, Microsoft Corporation
Brian Lopez, Lawrence Livermore National Laboratory
William Lucyshyn, University of Maryland
Clifford Neuman, University of Southern California
Eugene Spafford, Purdue University
Philip Venables, Goldman Sachs
Jesse Walker, Intel Corporation
Jeannette M. Wing, Carnegie Mellon University

Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Lewis Branscomb and Brian Snow. Appointed by the National Research Council, they were responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.

Contents

EXECUTIVE SUMMARY

PART I SETTING THE STAGE

1 INTRODUCTION
   1.1 The Report in Brief
   1.2 Background of the Study
2 WHAT IS AT STAKE?
   2.1 Interconnected Information Technology Everywhere, All the Time
   2.2 The Nature of Cybersecurity Vulnerabilities
   2.3 Systems and Networks at Risk
      2.3.1 Attacks on the Internet
      2.3.2 Attacks on Embedded/Real-Time Computing and Control Systems
      2.3.3 Attacks on Dedicated Computing Facilities
   2.4 Potential Consequences of Exploits
   2.5 The Magnitude of the Threat Against Today’s Technologies
   2.6 An Ominous Future
      2.6.1 The Evolution of the Threat
      2.6.2 The Broad Range of Capabilities and Goals of Cyberattackers
3 IMPROVING THE NATION’S CYBERSECURITY POSTURE
   3.1 The Cybersecurity Bill of Rights
      3.1.1 Introduction to the Cybersecurity Bill of Rights
      3.1.2 The Provisions of the Cybersecurity Bill of Rights
      3.1.3 Concluding Comments
   3.2 Realizing the Vision
   3.3 The Necessity of Research
   3.4 Principles to Shape the Research Agenda
      3.4.1 Principle 1: Conduct cybersecurity research as though its application will be important
      3.4.2 Principle 2: Hedge against uncertainty in the nature of the future threat
      3.4.3 Principle 3: Ensure programmatic continuity in the research agenda
      3.4.4 Principle 4: Respect the need for breadth in the research agenda
      3.4.5 Principle 5: Disseminate new knowledge and artifacts

PART II AN ILLUSTRATIVE RESEARCH AGENDA

4 CATEGORY 1—BLOCKING AND LIMITING THE IMPACT OF COMPROMISE
   4.1 Secure Design, Development, and Testing
      4.1.1 Research to Support Design
      4.1.2 Research to Support Development
      4.1.3 Research to Support Testing and Evaluation
   4.2 Graceful Degradation and Recovery
      4.2.1 Containment
      4.2.2 Recovery
   4.3 Software and Systems Assurance
5 CATEGORY 2—ENABLING ACCOUNTABILITY
   5.1 Attribution
   5.2 Misuse and Anomaly Detection Systems
   5.3 Digital Rights Management
6 CATEGORY 3—PROMOTING DEPLOYMENT
   6.1 Usable Security
   6.2 Exploitation of Previous Work
   6.3 Cybersecurity Metrics
   6.4 The Economics of Cybersecurity
      6.4.1 Conflicting Interests and Incentives Among the Actors in Cybersecurity
      6.4.2 Risk Assessment in Cybersecurity
      6.4.3 The Nature and Extent of Market Failure (If Any) in Cybersecurity
      6.4.4 Changing Business Cases and Altering the Market Calculus
   6.5 Security Policies
7 CATEGORY 4—DETERRING WOULD-BE ATTACKERS AND PENALIZING ATTACKERS
   7.1 Legal Issues Related to Cybersecurity
   7.2 Honeypots
   7.3 Forensics
8 CATEGORY 5—ILLUSTRATIVE CROSSCUTTING PROBLEM-FOCUSED RESEARCH AREAS
   8.1 Security for Legacy Systems
   8.2 The Role of Secrecy in Cyberdefense
   8.3 Insider Threats
   8.4 Security in Nontraditional Computing Environments and in the Context of Use
      8.4.1 Health Information Technology
      8.4.2 The Electric Power Grid
      8.4.3 Web Services
      8.4.4 Pervasive and Embedded Systems
   8.5 Secure Network Architectures
   8.6 Attack Characterization
   8.7 Coping with Denial-of-Service Attacks
      8.7.1 The Nature of Denial-of-Service Attacks
      8.7.2 Responding to Distributed Denial-of-Service Attacks
      8.7.3 Research Challenges
   8.8 Dealing with Spam
9 CATEGORY 6—SPECULATIVE RESEARCH
   9.1 A Cyberattack Research Activity
   9.2 Biological Approaches to Security
   9.3 Using Attack Techniques for Defensive Purposes
   9.4 Cyber-Retaliation

PART III CONCLUSION

10 LOOKING TO THE FUTURE
   10.1 Why Has Little Action Occurred?
   10.2 Priorities for Action
      10.2.1 Item 1: Create a sense of urgency about the cybersecurity problem commensurate with the risks
      10.2.2 Item 2: Commensurate with a rapidly growing cybersecurity threat, support a robust and sustained research agenda at levels which ensure that a large fraction of good ideas for cybersecurity research can be explored
      10.2.3 Item 3: Establish a mechanism for continuing follow-up on a research agenda
      10.2.4 Item 4: Support infrastructure for cybersecurity research
      10.2.5 Item 5: Sustain and grow the human resource base
   10.3 Concluding Comments

APPENDIXES

A COMMITTEE AND STAFF BIOGRAPHIES
B CYBERSECURITY REPORTS AND POLICY: THE RECENT PAST
   B.1 Introduction
   B.2 Cybersecurity Policy Activity Since 2001
   B.3 Identifying Exposures, Best Practices, and Procedures
   B.4 Public-Private Collaboration, Coordination, and Cooperation
      B.4.1 Information Sharing and Analysis Centers
      B.4.2 Alliances and Partnerships
      B.4.3 Private-Sector Support for Cybersecurity Research in Academia
   B.5 Notable Recent Efforts at Identifying a Research Agenda
   B.6 The Current Federal Research and Development Landscape
      B.6.1 The Nature of Supported Activity in Cybersecurity
      B.6.2 Interagency Cooperation and Coordination
      B.6.3 Research Focus Areas
      B.6.4 Agency Specifics
C CONTRIBUTORS TO THE STUDY

Boxes

P.1 Statement of Task
2.1 Lack of Exploitation Does Not Indicate Nonvulnerability
2.2 Major Sources of Data Characterizing the Cyberthreat
2.3 On Botnets
2.4 Possible Points of Vulnerability in Information Technology Systems and Networks
2.5 Foreign Sourcing of Information Technology Used in the United States
2.6 The Silence of a Successful Cyberattack
3.1 What Firewalls and Antivirus Products Protect Against
3.2 Lessons Learned from the Technology-Transfer Effort Associated with Microsoft’s Static Driver Verifier
4.1 The Saltzer-Schroeder Principles of Secure System Design and Development
6.1 Fluency with Information Technology (and Cybersecurity)
6.2 Bug Bounties and Whistle-Blowers
8.1 Issues in System Migration
8.2 Secrecy of Design
8.3 Attack Diffusion
10.1 A Model Categorization for Understanding Budgets