The committee’s vision for a safer and more secure cyberspace is reflected in a “Cybersecurity Bill of Rights” (CBoR), consisting of 10 basic provisions that users should have as reasonable expectations for their safety and security in cyberspace. The CBoR articulated in this report is user-centric, enabling individuals to draw for themselves the contrast between the vision contained in the CBoR and their own personal cyberspace experiences. Unfortunately, the state of cyberspace today is such that it is much easier to state these provisions than it is to achieve them. No simple research project, no silver bullet, no specific critical cybersecurity research topic will lead to the widespread reality of any of these provisions. Indeed, even achieving something that sounds as simple as eliminating spam will require a complex, crosscutting technical and nontechnical research and development (R&D) agenda.
The committee’s proposal for action focuses attention on a number of research areas identified as important in earlier reports (Appendix B, Section B.5). It also focuses on understanding why important and helpful cybersecurity innovations developed in the past have not been more widely deployed in today’s information technology (IT) products and services, thus bringing the very real challenges of incentives, usability, and embedding advances in cybersecurity squarely into the research domain.
The committee’s action agenda for policy makers has five elements. The first is to create a sense of urgency about the cybersecurity problem, as the cybersecurity policy failure is not so much one of awareness as of action. The second, commensurate with a rapidly growing cybersecurity threat, is to support a broad, robust, and sustained research agenda at levels that ensure that a large fraction of good ideas for cybersecurity research can be explored. The third is to establish a mechanism for continuing follow-up on a research agenda that will provide a coordinated picture of the government’s cybersecurity research activities across the entire federal government, including both classified and unclassified research. The fourth is to support research infrastructure, recognizing that such infrastructure is a critical enabler for allowing research results to be implemented in actual IT products and services. The fifth is to sustain and grow the human resource base, which will be a critical element in ensuring a robust research agenda in the future.
Policy makers, and to a lesser extent the public, have given attention to cybersecurity issues for some time now, but cybersecurity problems have continued to fester. For example, in 1997, the President’s Commission on Critical Infrastructure Protection noted the importance of