through a process that required only a few members to support them and should not be taken as ideas that the committee as a whole thinks are worth significant effort or emphasis.

9.1 A CYBERATTACK RESEARCH ACTIVITY

In many domains of security studies, theories of defense and theories of attack are inextricably interwoven. That is, insights on how best to defend are grounded in knowledge of how attacks might unfold, and a deep knowledge of attack methodologies should not be limited to potential attackers. For example, arson investigators know very well how to set fires, and agents from the Bureau of Alcohol, Tobacco, Firearms and Explosives know a great deal about how to make bombs. Similarly, a body of cyberattack knowledge that is independent of criminal intent may be very useful to cybersecurity researchers. Although many attacks in today’s cybersecurity environment are simple indeed, such a body of cyberattack knowledge would logically go far beyond the commonplace attacks of today to include at least some of the more sophisticated techniques that high-end attackers might use.

The utility of this approach is suggested by the use of red teams to test operational defenses. Red team testing is an effort undertaken by an organization to test its security posture using teams that simulate what a determined attacker might do. The red team develops expertise relevant to its intended target, conducts reconnaissance to search for security weaknesses, and then launches attacks that exploit those weaknesses. Because red teams have deep knowledge of attack, and in particular know how to look at a system from the outside and how to cross interfaces (such as hardware/software) that may effectively limit the view of insiders, it is possible that greater interaction between red team experts and cybersecurity researchers would prove fruitful.

Many important issues attend the establishment of a research activity intended to develop deep knowledge of cyberattack. For example:

  • How should deep knowledge of cyberattack be acquired? Cybercriminals and other adversaries develop knowledge by attacking real systems; sometimes their efforts cause real disruptions and loss. It is inconceivable that as a matter of national policy the U.S. government would endorse or support any effort that would result in such harm, and there might well be significant liability issues associated with the conduct of such an activity. The availability of large-scale testbeds for the research community might have some potential for mitigating this particular problem. Moreover, once a plausible attack hypothesis has been developed, it might often be



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.