particularly important if and when departments are contracting. In such times, it is difficult to obtain slots for any subspecialty, and especially so if—as is the case with the cybersecurity specialization—there is not a critical mass of those faculty members already in the department. Thus, targeted funding to support the cybersecurity specialization would be particularly important if the number of such faculty is to grow.
Support for infrastructure is also needed for cybersecurity education. Developing cybersecurity expertise requires hands-on experience with security products, so that their capabilities and limitations can be understood and intuitions developed for when they are or are not helpful. Such infrastructure is often neglected in funding programs, and those that do exist are limited in time, amounts, and schools.
The primary purpose of this report is to formulate a cybersecurity research agenda. But the scope and the nature of this agenda are inextricably intertwined with the character of the threat to cyberspace. Accordingly, this report argues that the threat to cybersecurity is real, significant, and growing rapidly. But because the combination of adversary threats and technical or procedural vulnerabilities of the future is impossible to predict in anything but the most general terms, a broad cybersecurity research agenda (Section 3.4.4, Principle 4: Respect the need for breadth in the research agenda.) is necessary to develop new knowledge that can be used to strengthen defenses against the cyberattacks of tomorrow. Furthermore, the research agenda must examine both technical and nontechnical issues. There is of course a central role to be played by technologists—but they must work hand in hand with organizational specialists, psychologists, anthropologists, sociologists, manufacturing specialists, and many others if the desired outcome—systems that are more secure in the real world—is to be achieved.
In Section 10.2, the committee identified five action items for the nation’s policy makers: creating a sense of urgency about the cybersecurity problem commensurate with the risks, supporting a robust and sustained research agenda at levels which ensure that a large fraction of good ideas for cybersecurity research can be explored, establishing a mechanism for continuing follow-up on a research agenda, supporting the infrastructure needed for cybersecurity research, and sustaining and growing the human resource base. If these items are successfully addressed, real progress can be made toward realizing a more secure cyberspace and toward making the Cybersecurity Bill of Rights more a reality than a vision.