Appendix B
Cybersecurity Reports and Policy: The Recent Past

B.1
INTRODUCTION

Since September 11, 2001, many cybersecurity activities have been undertaken by the federal government,1 the research community, and private industry. This appendix reviews these activities, providing a snapshot of the efforts undertaken to address cybersecurity concerns over the past several years. Specifically, federal cybersecurity policy activity since 2001 is reviewed. A number of federal government reports that detail cybersecurity risks and challenges that need to be overcome are summarized. Also summarized are best practices and procedures, as well as options for making progress, as identified in these reports. Efforts for improving public-private collaboration and coordination are identified. Reports aimed at elaborating the necessary elements of a research agenda are also reviewed. The final section reviews the current federal research and development (R&D) landscape and describes the particular focus and the types of support being provided at various federal agencies with cybersecurity responsibilities.

Several general impressions about the state of cybersecurity and some common themes about the type of actions required to improve it can be drawn from the various activities summarized here. First, there are

1

The Congressional Research Service issued the report Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives on April 16, 2004; the report outlines the major roles and responsibilities assigned various federal agencies in the area of computer security. See http://www.fas.org/irp/crs/RL32357.pdf.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 264
Toward a Safer and More Secure Cyberspace Appendix B Cybersecurity Reports and Policy: The Recent Past B.1 INTRODUCTION Since September 11, 2001, many cybersecurity activities have been undertaken by the federal government,1 the research community, and private industry. This appendix reviews these activities, providing a snapshot of the efforts undertaken to address cybersecurity concerns over the past several years. Specifically, federal cybersecurity policy activity since 2001 is reviewed. A number of federal government reports that detail cybersecurity risks and challenges that need to be overcome are summarized. Also summarized are best practices and procedures, as well as options for making progress, as identified in these reports. Efforts for improving public-private collaboration and coordination are identified. Reports aimed at elaborating the necessary elements of a research agenda are also reviewed. The final section reviews the current federal research and development (R&D) landscape and describes the particular focus and the types of support being provided at various federal agencies with cybersecurity responsibilities. Several general impressions about the state of cybersecurity and some common themes about the type of actions required to improve it can be drawn from the various activities summarized here. First, there are 1 The Congressional Research Service issued the report Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives on April 16, 2004; the report outlines the major roles and responsibilities assigned various federal agencies in the area of computer security. See http://www.fas.org/irp/crs/RL32357.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace no “silver bullets” for fixing cybersecurity. The threats are evolving and will continue to grow, meaning that gaining ground against these threats requires an ongoing, society-wide, concerted and focused effort. A culture of security must pervade the entire life cycle of information technology (IT) system operations, from initial architecture, to design, development, testing, deployment, maintenance, and use. A number of focus areas are particularly important to achieving such a culture: collaboration among researchers; coordination and information sharing among the public and private sectors; the creation of a sufficiently large and capable core of research specialists to advance the state of the art; the broad-based education of developers, administrators, and users that will make security-conscious practices become second nature just as optimizing for performance or functionality is; making it easy and intuitive for users to “do the right thing”; the employment of business drivers and policy mechanisms to facilitate security technology transfer and the diffusion of R&D into commercial products and services; the promotion of risk-based decision making (and metrics to support this effort). Second, several areas for research focus (or areas to support such research), consistent with those identified in this report, are identified across nearly all of the activities summarized in this appendix. These areas are authentication, identity management, secure software engineering, modeling and testbeds, usability, privacy, and benchmarking and best practices. Understanding the intersection between critical infrastructure systems and the IT systems increasingly used to control them is another common theme for research needs. Finally, taken together, the activities reviewed give an overall sense that—unless we as a society make cybersecurity a priority—IT systems are likely to become overwhelmed by cyberthreats of all kinds and eventually to be limited in their ability to transform societal systems productively. This future is avoidable, but avoiding it requires the effective coordination and collaboration of private and public sectors; continuous, comprehensive, and coordinated research; and appropriate policies to promote security and to deter attackers. Given the global nature of cyberthreats, it also requires effective international cooperation. This survey does not focus on activity under way that aims to further international cooperation. However, considerable efforts are under way at the regional intergovernmental and international governmental levels.2 2 See, for example, Delphine Nain, Neal Donaghy, and Seymour Goodman, “The International Landscape of Cyber Security,” Chapter 9 in Detmar W. Straub, Seymour Goodman, and Richard Baskerville (eds.), Information Security: Policies, Processes, and Practices, M.E. Sharpe, New York, forthcoming 2008.

OCR for page 264
Toward a Safer and More Secure Cyberspace B.2 CYBERSECURITY POLICY ACTIVITY SINCE 2001 The U.S. Congress passed the Cybersecurity Research and Development Act3 in November 2002. Section 2(2) of the act noted the ubiquitous and pervasive nature of information and communications technology, stating that revolutionary advancements in computing and communications technology have interconnected critical infrastructures “in a vast, interdependent physical and electronic network.” Section 2(2) pointed to the increased societal dependence on that infrastructure, stating that “exponential increases in interconnectivity have facilitated enhanced communications, economic growth, and the delivery of services critical to the public welfare, but have also increased the consequences of temporary or prolonged failure.” Section 2(4) found that that computer security technology and systems implementation lack the following: Sufficient long-term research funding; Adequate coordination across federal and state government agencies and among government, academia, and industry; and Sufficient numbers of outstanding researchers in the field. The Cybersecurity Research and Development Act of 2002 called for significantly increasing federal investment in computer and network security research and development to improve vulnerability assessment and technological and systems solutions, to expand and improve the pool of information security professionals, and to improve information sharing and collaboration among industry, government, and academic research projects. The National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) are called on to create programs necessary to address these issues. The act authorized appropriations for both agencies to support the specified programs, though appropriations were never made to match authorized levels. The Bush administration noted its support for the legislation as it was developed,4 and issued The National Strategy to Secure Cyberspace5 in February 2003. The report noted that securing cyberspace is a difficult strategic challenge and emphasized the need for a coordinated and focused effort, taking in federal, state, and local governments, the private sector, and individual Americans. It calls on the newly formed Department of 3 Cybersecurity Research and Development Act of 2002, P.L. No. 107-305. 4 Office of Management and Budget, H.R. 3394—Cyber Security Research and Development Act, February 5, 2002; available at http://www.whitehouse.gov/omb/legislative/ap/107-2/ HR3394-r.html. 5 The White House, The National Strategy to Secure Cyberspace, February 2003; available at http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace Homeland Security (DHS) to take the leadership role and become the federal Center of Excellence in addressing the five priorities it identified for cyberspace security: a national response system, a threat and vulnerability reduction program, awareness and training programs, the securing of government-administered systems, and international cooperation. Research and development for cybersecurity are not heavily emphasized in the report, and the roles of NSF and NIST are not mentioned. The Federal Information Security Management Act of 2002 (FISMA) established a “comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.”6 NIST was designated as the agency responsible for setting guidelines and procedures to be met by all federal agencies with regard to securing their information systems. The National Infrastructure Advisory Council (NIAC) was created by executive order in October 2001 to make recommendations to the president regarding the security of cyber and information systems of the U.S. national security and economic critical infrastructures. NIAC became part of DHS in February 2003 under Executive Order 13286.7 The council is chartered to examine ways that partnerships between the public and private sectors can be enhanced to improve cybersecurity.8 Members of NIAC represent major sectors of the economy—banking and finance, transportation, energy, information technology, and manufacturing. The council also includes representatives from academia, state and local governments, and law enforcement. It is intended that NIAC work closely with the president’s National Security and Telecommunications Advisory Committee (NSTAC). Homeland Security Presidential Directive 7 (HSPD-7): “Critical Infrastructure Identification, Prioritization, and Protection,” issued in December 2003, aims to establish “a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attack.”9 The directive makes DHS responsible for coordinating overall efforts aimed at enhancing and protecting critical infrastructure, including cyber infrastructure. As part of that responsibility, DHS is required to create a National Plan for 6 Federal Information Security Management Act of 2002, Sec. 301 of the E-Government Act of 2002, P.L. No. 107-347. 7 See http://www.fas.org/irp/offdocs/eo/eo-13286.htm. 8 U.S. Department of Homeland Security (DHS), Charter of the National Infrastructure Advisory Council, July 1, 2005; available at http://www.dhs.gov/interweb/assetlibrary/NIAC_Charter.pdf. 9 Homeland Security Presidential Directive 7 (HSPD-7), “Critical Infrastructure Identification, Prioritization, and Protection”; available at http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html.

OCR for page 264
Toward a Safer and More Secure Cyberspace Critical Infrastructure Protection. The department is directed to work with the Office of Science and Technology Policy (OSTP) to coordinate interagency R&D for enhancing critical infrastructure. DHS is also required to develop an annual R&D development plan jointly with OSTP. DHS issued the National Infrastructure Protection Plan (NIPP) in June 2006, as required by HSPD-7; the plan provides “an integrated, comprehensive approach to addressing physical, cyber, and human threats and vulnerabilities to address the full range of risks to the Nation.”10 The NIPP provides the framework and sets the direction for implementing this protecting of critical infrastructure. The plan is meant to provide a roadmap for identifying assets, assessing vulnerabilities, prioritizing assets, and implementing protection measures in each infrastructure sector. The NIPP delineates roles and responsibilities among all stakeholders. It is part of DHS’s effort to take a leadership role and act as the federal Center of Excellence concerning infrastructure protection. In addition, each sector has developed a Critical Information/Key Resources Sector Specific Plan (SSP). The SSPs were published in May 2007. DHS is the lead agency for the development of the IT and Communications SSPs, and there is a cyber component to each of the remaining 15 SSPs. The National Plan for Research and Development in Support of Critical Infrastructure Protection,11 issued jointly by DHS and OSTP in April 2005, specifically addresses R&D not covered in the February 2005 interim NIPP. It is required to be updated annually, as specified in HSPD-7. The plan notes, in this initial version, a focus on (1) creating a baseline, including the identification of existing major R&D efforts within federal agencies, and (2) highlighting long-term goals of federal R&D for critical infrastructure. It identifies nine themes that encompass both cyber and physical concerns: detection and sensor systems; protection and prevention; entry and access portals; insider threats; analysis and decision-support systems; response, recovery, and reconstitution; new and emerging threats and vulnerabilities; advanced infrastructure architectures and systems design; and human and social issues. The plan provides examples of federal agency efforts already under way or that are part of near-term planning for each of the nine themes. Priority focus areas for each theme are also specified. Three long-term strategic goals are identified: 10 See http://www.deq.state.mi.us/documents/deq-wb-wws-interim-nipp.pdf. 11 Department of Homeland Security and Office of Science and Technology Policy, “The National Plan for Research and Development in Support of Critical Infrastructure Protection,” 2005; available at http://www.dhs.gov/interweb/assetlibrary/ST_2004_NCIP_RD_PlanFINALApr05.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace A national common operating picture for critical infrastructure, A next-generation computing and communications network with security “designed-in” and inherent in all elements rather than added after the fact, and Resilient, self-diagnosing, and self-healing physical and cyber infrastructure systems. The plan states that future versions will “more strongly integrate both technical and budgetary aspects of R&D efforts” and provide all stakeholders with information about progress toward solutions, alignment of efforts to meet evolving threats, and discovery of needs and vulnerability gaps. The Energy Policy Act of 200512 addresses the need for cybersecurity standards to protect the energy infrastructure. It includes a requirement that the Federal Energy Regulatory Commission (FERC) establish an Electric Reliability Organization (ERO) to establish and enforce reliability standards for the reliable operation of existing bulk-power system facilities, where “reliable operation” is understood to mean prevention of instability, uncontrolled separation, or cascading failures of bulk-power systems as a result of a sudden disturbance, including a cybersecurity incident. The North American Electric Reliability Corporation (NERC)—a voluntary industry group composed of electrical utilities—which sought the provisions specified in the act, was certified by the FERC as the ERO on July 20, 2006.13 B.3 IDENTIFYING EXPOSURES, BEST PRACTICES, AND PROCEDURES A number of recent reports have addressed continuing cybersecurity exposures of critical infrastructures. Collectively, they identify the nature of the exposures as well as a number of challenges that must be overcome to address them. Several of the reports make recommendations regarding best practices and procedures necessary to reduce the risks from cyberattacks. More generally, they recommend that available cybersecurity technology be more systematically adopted throughout existing critical infrastructure systems. 12 The Energy Policy Act of 2005, P.L. No. 109-058; Sec. 1211, “Electric Reliability Standards,” contains the passages relevant to cybersecurity. 13 Federal Energy Regulatory Commission, “Order Certifying North American Electric Reliability Corporation as the Electric Reliability Organization and Ordering Compliance Filing,” July 20, 2006; available at ftp://www.nerc.com/pub/sys/all_updl/docs/ferc/20060720_ERO_certification.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace In March 2004 the U.S. General Accounting Office (GAO) issued Critical Infrastructure Protection: Challenges and Efforts to Secure Control System.14 GAO undertook the study resulting in the report at the request of the House Committee on Government Reform and its Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The committee and subcommittee had asked GAO to report on potential cyber vulnerabilities, focusing on significant cybersecurity risks associated with control systems, potential and reported cyberattacks against these systems, key challenges to securing control systems, and efforts to strengthen the cybersecurity of control systems. The GAO report found that several factors have contributed to the escalation of the risks of cyberattacks against control systems, including the adoption of standardized technologies with known vulnerabilities, the connectivity of control systems with other networks, insecure remote connections, and the widespread availability of technical information about control systems. It also found that securing control systems poses significant challenges. These include “the limitations of current security technologies in securing control systems, the perception that securing control systems may not be economically justifiable and conflicting priorities within organizations regarding the security of control systems.” The GAO report identifies the need for greater collaboration and coordination among government agencies and with the private sector. It recommends that DHS implement the responsibilities outlined in the National Strategy to Secure Cyberspace, specifically calling on DHS to “develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security, including an approach for coordinating the various ongoing efforts to secure control systems.”15 In April 2004 NIAC issued the report Best Practices for Government to Enhance the Security of National Critical Infrastructures.16 The report notes how much convergence there is between physical and information infrastructures and indicates the need to view security as including both physical and cyber issues. The NIAC report concludes that, while market forces are the most powerful drivers of change, government intervention can be appropriate and beneficial in certain areas. It focuses on four infrastructure sectors and finds that a deep understanding of sector dynamics is critical for effective government intervention. 14 See http://www.gao.gov/new.items/d04354.pdf. 15 See http://www.gao.gov/new.items/d04354.pdf. 16 See http://www.dhs.gov/interweb/assetlibrary/NIAC_BestPracticesSecurityInfrastructures_0404.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace Also in April 2004, the U.S.-Canada Power System Outage Task Force issued its Final Report on the August 14, 2003 Blackout in the U.S. and Canada.17 The report found that, while the blackout was not caused by a cyberattack, the potential opportunity exists for cyber compromise of the Energy Management System (EMS) and supporting information technology infrastructure. It also noted that a failure in a software program not linked to malicious activity may have significantly contributed to the power outage. In all, the task force report made 15 recommendations related to the cybersecurity aspects of protecting the EMS. It called for the following: Cybersecurity management standards and procedures, Planned and documented corporate-level security governance and strategies, Implementation of detection controls, Improvement of diagnostic and forensic capabilities, Scheduled risk and vulnerability assessments, A central point for sharing security information, The establishment of clear authority to influence corporate decision making, and Procedures to prevent or mitigate inappropriate disclosure of information. In May 2004, the GAO issued its second study, Technology Assessment: Cybersecurity for Critical Infrastructure Protection, in which it found that available cybersecurity technologies were not being deployed to their full extent, while continued R&D was needed for additional technology. The report identified three broad categories of actions that the federal government can undertake to increase the use of cybersecurity technologies:18 Help critical infrastructures determine their cybersecurity needs, such as developing a national critical infrastructure protection (CIP) plan, assisting with risk assessments, and enhancing cybersecurity awareness; Take actions to protect its own systems, which could lead others to emulate it or could lead to the development and availability of more cybersecurity technology products; and Undertake long-term activities to increase the quality and availability of cybersecurity technologies in the marketplace. 17 Available at https://reports.energy.gov/BlackoutFinal-Web.pdf; see Chapter 9 beginning at p. 131 for a discussion of the cybersecurity aspects of the blackout. 18 See http://www.gao.gov/new.items/d04321.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace The May 2004 GAO report found a number of cybersecurity research areas in need of continuing attention, including the composition of secure systems, the security of network-embedded systems, security metrics, the socioeconomic impact of security, vulnerability identification and analysis, and wireless security. It also notes that federal cybersecurity research programs are already beginning to address these research areas. In January 2005 NIST issued a detailed report entitled Security Considerations for Voice over IP Systems: Recommendations of the National Institute of Standards and Technology19 that made nine recommendations for providing secure Voice-over-Internet Protocol (VOIP) services, noting that VOIP introduces potential new cybersecurity risks. The recommendations include the development of appropriate network architecture and the importance of physical controls in preventing unauthorized access to information. A report from the Environmental Protection Agency’s (EPA’s) Office of the Inspector General—EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Supervisory Control and Data Acquisition (SCADA) Vulnerabilities—issued January 2005, identified several reasons why vulnerabilities have not been addressed:20 Current technological limitations may impede implementing security measures. Companies may not be able to afford or justify the required investment. Utilities may not be able to conduct background checks on existing employees. Officials may not permit SCADA penetration testing. Technical engineers may have difficulty communicating security needs to management. This report from EPA’s Office of the Inspector General recommended that the EPA notify DHS and Congress of problems for which it found no apparent solutions. The Congressional Research Service (CRS) report Creating a National Framework for Cybersecurity: An Analysis of Issues and Options, issued in February 2005, states that “despite increasing attention from federal and state governments and international organizations, the defense against attacks on these systems has appeared to be generally fragmented and varying widely in effectiveness. Concerns have grown that what is needed is a national cybersecurity framework—a coordinated, coherent set of 19 See http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf. 20 See http://www.epa.gov/oig/reports/2005/20050106-2005-P-00002.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace public- and private-sector efforts required to ensure an acceptable level of cybersecurity for the nation.”21 The CRS report identifies various approaches taken, all of which are recommended by one or more of the reports described in this section. These include adopting standards and certification, promulgating best practices and guidelines, using benchmarks and checklists, using auditing, improving training and education, building security into enterprise architecture, using risk management, and employing metrics. It notes that “none of them are likely to be widely adopted in the absence of sufficient economic incentives for cybersecurity.” The CRS report also notes concerns about the effectiveness of market forces to provide adequate cybersecurity and the narrow scope of the policy activity in contrast with the apparent need for broad policy actions as called for in the 2003 National Strategy to Secure Cyberspace and similar documents. It also identifies the response to the year-2000 computer problem and federal safety and environmental regulations as models for possible federal action to promote cybersecurity, and further notes that the federal government might do the following: Encourage the widespread adoption of cybersecurity standards and best practices, Leverage the procurement power of the federal government, Make the reporting of incidents mandatory, Use product liability actions to promote attention to cybersecurity, Facilitate the development of cybersecurity insurance, and Strengthen federal cybersecurity programs in DHS and elsewhere. Released in May 2005, the GAO report Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities notes that DHS has become the focal point for critical infrastructure protection. The report identifies 13 responsibilities that DHS has regarding cybersecurity. It states that “while DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cybersecurity-related responsibilities that we [GAO] identified in federal law and policy, and it has much work ahead in order to be able to fully address them.” It states that the Interim National Infrastructure Protection Plan is one of several efforts that DHS has undertaken to address its responsibilities for cybersecurity, but notes that DHS has not undertaken a number of critical activities. It cites several organizational barriers and underlying challenges that DHS will need to overcome to assume the key role envi- 21 See http://www.law.umaryland.edu/marshall/crsreports/crsdocuments/RL3277702222005.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace sioned for it in strengthening the cybersecurity of critical infrastructures and serving as the strong cybersecurity focal point envisioned in federal law and policy.22 In September 2006, the GAO report Coordination of Federal Cyber Security Research and Development sought to identify the federal entities involved in cybersecurity R&D; actions taken to improve oversight and coordination of federal cybersecurity R&D, including the development of a federal research agenda; and methods used for technology transfer at agencies with significant activities in this area.23 The September 2006 GAO report reviews policy actions over the past few years, describes the nature of cybersecurity research support by the various federal agencies, and presents a description of the organization of federal cybersecurity R&D oversight and coordination. It notes several important steps taken by federal agencies to improve the oversight and coordination of federal cybersecurity R&D, including the following: chartering an interagency working group to focus on this type of research, publishing a federal plan for cybersecurity and information assurance research that is to provide baseline information and a framework for planning and conducting this research, separating the reporting of budget information for cybersecurity research from other types of research, and maintaining government-wide repositories of information on R&D projects. One shortcoming specifically identified in this 2006 GAO report regarding coordination is the continuing lack of an R&D roadmap called for in the National Strategy to Secure Cyberspace. (A call for input as a first step to creating such a roadmap was made in April 2006 by the Interagency Working Group on Cyber Security and Information Assurance. See Section B.5, Notable Recent Efforts at Identifying a Research Agenda, below, for a description of this activity.) Overall, the 2006 GAO report found that while progress is being made, key elements of the federal research agenda called for in the National Strategy to Secure Cyberspace have yet to be developed. To strengthen federal cybersecurity R&D programs, the 2006 GAO report recommends that the Office of Science and Technology Policy establish firm timelines for the completion of the federal cybersecurity R&D agenda—including near-term, mid-term, and long-term research—with the following elements: timelines and milestones for conducting R&D activities; goals and measures for evaluating R&D activities; assignment of responsibility for implementation, including the accomplishment of the focus areas and suggested research priorities; and the alignment of 22 See GAO-05-434; available at http://www.gao.gov/new.items/d05434.pdf. 23 See GAO-06-811; available at http://www.gao.gov/new.items/d06811.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace early warning system to detect epidemics …, to develop forensics capabilities …, and to develop techniques and devices that can suppress outbreaks before they reach pandemic proportions.”75 The Center for Correct, Usable, Reliable, Auditable and Transparent Elections will “investigate software architectures, tamper-resistant hardware, cryptographic protocols and verification systems as applied to electronic voting systems.”76 Trustworthy Cyber Infrastructure for the Power Grid will “create technologies that will convey critical information to grid operators despite cyber attacks and accidental failures. The solutions created are expected to be adaptable for use in other critical infrastructure systems.” Both DOE and DHS will collaborate to fund and manage this center.77 A major cybersecurity research project funded outside the auspices of the NSF Cyber Trust program is the Team for Research in Ubiquitous Secure Technology (TRUST).78 TRUST seeks to address a parallel and accelerating trend of the past decade—the integration of computing and communications across critical infrastructures in areas such as finance, energy distribution, telecommunications, and transportation. The center is an NSF Science and Technology Center, chartered to investigate key issues of computer trustworthiness in an era of increasing attacks at all levels on computer systems and information-based technologies. As noted on its Web site, TRUST is “devoted to the development of a new science and technology that will radically transform the ability of organizations (software vendors, operators, local and federal agencies) to design, build, and operate trustworthy information systems for our critical infrastructure.” The project takes a highly cross-disciplinary approach, including researchers in relevant areas of computer security, systems modeling and analysis, software technology, economics, and social sciences. Education and technology transfer are also important components. TRUST also receives funding from the Air Force Office of Scientific Research. B.6.4.2 Defense Advanced Research Projects Agency In line with its agency mission, the Defense Advanced Research Projects Agency’s research focus has been on military applications of infor- 75 NSF Press Release 04-124, September 21, 2004. 76 NSF Press Release 05-141, August 15, 2005, “NSF Awards $36 Million Toward Securing Cyberspace”; available at http://www.nsf.gov/news/news_summ.jsp?cntn_id=104352. 77 NSF Press Release 05-141, August 15, 2005. 78 Detailed information about the project is available at the TRUST project Web site at http://www.truststc.org/overview.htm.

OCR for page 264
Toward a Safer and More Secure Cyberspace mation security. DARPA began an Information Security research program in 1994.79 The Information Survivability program, was the initial program, followed by the Information Assurance program. These programs focused on a number of security aspects, including retrofitting security and survivability technology for legacy systems, intrusion detection and response, survivability in the face of attack, high-assurance operating system construction, the composing of trustworthy systems from less trustworthy components, and secure collaboration allowing data sharing and communication over a network. DARPA expanded its information security investment in 1999. From 1999 to 2003, six programs were funded, covering a range of information security areas and extending research in areas covered by the earlier programs: Composable High Assurance Trusted Systems—High-assurance operating systems composed out of interoperable subsystems, to provide the required trustworthiness. Cyber Panel—Monitoring for attacks and allowing operators to manage system security and survivability. Dynamic Coalitions—Secure communication and data sharing across a network. Fault Tolerant Networks—Continued network operation in the presence of successful attacks; that is, intrusion tolerance at the network layer and below. Organically Assured and Survivable Information Systems—Sustained operation of mission-critical functions in the face of known and future cyberattacks; that is, intrusion tolerance at the host and system level. Operational Partners in Experimentation—Accelerated transition to deployment. DARPA sponsored three conferences between 2000 and 2003 called “DARPA Information Survivability Conference and Expositions” (DISCEX I, DISCEX II, DISCEX III) to present the findings of the research programs. These programs began winding down in 2003 and had ended by early 2005. Much of the staff focused on information assurance and security left DARPA as these programs wound down and have not been replaced. The institutional knowledge has largely left or become classified. 79 Much of the discussion concerning past support for cybersecurity at DARPA is drawn from the Information Survivability Conference and Exposition III, Washington, D.C., April 2003; available at http://csdl.computer.org/comp/proceedings/discex/2003/1897/00/1897xi.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace One unclassified program, Self-Regenerative Systems (SRS), focused on information security; it began in 2004 and was scheduled to run for 18 months. This program supports 11 research projects. The funding rate for SRS was approximately 12 percent. Funding projects were about evenly split between universities and the private sector, with four projects being performed jointly by universities and corporations. The overarching theme of the SRS program is on survivability, resilience, and adaptation in the face of attack, with four specific focus areas: code diversity to reduce the impact of exploiting a single flaw across systems; attack masking and recovery; scalable redundancy to achieve survivability and resilience; and detection, prevention, and mitigation from insider threats. Measurable goals have been set for projects, reflecting their applied nature. At least two classified programs are also under way, with largely short-term research and deployment goals. DARPA is also co-funding two projects with NSF. In recent years, concerns have been expressed about a shift toward classified, shorter-term, and military-mission-focused research in DARPA’s cybersecurity portfolio. For example, in 2005, the PITAC report commented as follows:80 DARPA historically used a large portion of its budget to fund unclassified long-term fundamental research—in general, activities with a time horizon that exceeds five years. This provided DARPA with access to talented researchers in the Nation’s finest research institutions and helped cultivate a community of scholars and professionals who developed the field. By FY 2004, however, very little, if any, of DARPA’s substantial cyber security R&D investment was directed towards fundamental research. Instead, DARPA now depends on NSF-supported researchers for the fundamental advances needed to develop new cyber security technologies to benefit the military. Additionally, the emergence of cyber warfare as a tool of the warfighter has led DARPA to classify more of its programs. The combined result is an overall shift in DARPA’s portfolio towards classified and short-term research and development and away from its traditional support of unclassified longer-term R&D. In the 2 years since the PITAC report was issued, the committee has seen no evidence to suggest a significant change in DARPA’s approach to cybersecurity research. The extent to which DARPA emphasizes classified and short-term 80 President’s Information Technology Advisory Committee, Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Technology Research and Development, Washington D.C., February 2005, p. 19; available at www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.

OCR for page 264
Toward a Safer and More Secure Cyberspace R&D over unclassified longer-term R&D is dependent on many factors, not the least of which is DARPA’s interpretation of its mission. The tension between these two different foci has been reflected in many ways, not the least of which is the many changes in the very name of the agency since its birth in 1958.81 If DARPA continues to emphasize classified, short-term research, that may well raise concerns among academic researchers about the long-term sustainability and future of working in cybersecurity research. A second possible result of the shift toward short-term, military-mission-focused research is that such a research program may not sufficiently focus on issues relevant to the commercial sector (which develops and operates much of the nation’s critical infrastructure). For example, military and intelligence applications often emphasize confidentiality over integrity and availability, whereas the commercial sector is often as concerned or more concerned about integrity and availability. Also, military and intelligence applications are more likely to emphasize risk avoidance, whereas commercial enterprises are more likely to emphasize risk management. B.6.4.3 Department of Homeland Security The Department of Homeland Security has both an operational function—preparedness and response—and a research function for cybersecurity. The National Strategy to Secure Cyberspace gave DHS the lead role in cybersecurity, calling on it to become the Center of Excellence for response, vulnerability reduction, training and awareness, and securing government cyberspace.82 DHS created the National Cyber Security Division (NCSD) under the department’s National Protection and Programs Directorate in June 2003 in response to the National Strategy requirements.83 NCSD has three operating branches: U.S. Computer Emergency Readiness Team (US-CERT); Strategic Initiatives to advance cybersecurity 81 In 1958, Department of Defense (DOD) Directive 5105.15 established the Advanced Research Projects Agency. In 1972, another DOD directive changed the agency’s name to Defense Advanced Research Projects Agency (DARPA). In 1993, DARPA was redesignated the Advanced Research Projects Agency at the direction of President William J. Clinton. In 1996, the Defense Authorization Act for FY 1996 changed the agency’s name back to Defense Advanced Research Projects Agency (DARPA). See http://www.darpa.mil/body/arpa_darpa.html. 82 Discussion in this section is drawn, in part, from the written statement of Donald (Andy) Purdy, Jr., to the House Subcommittee on Federal Financial Management, Government Information, and International Security, July 19, 2005; available at http://hsgac.senate.gov/_files/PurdyTestimony.pdf. 83 DHS Press Release, June 6, 2003, “Ridge Creates New Division to Combat Cyber Threats”; available at http://www.dhs.gov/dhspublic/display?content=916.

OCR for page 264
Toward a Safer and More Secure Cyberspace training, education, software assurance, exercises, control systems, critical infrastructure protection, and standards and practices; and Outreach and Awareness. In July 2005, newly appointed DHS Secretary Michael Chertoff proposed creating a new position of Assistant Secretary for Cybersecurity—moving the responsibility for cybersecurity up one level in the organizational structure, although the position took more than 14 months to fill.84 Cybersecurity research at DHS is supported through the Science and Technology (S&T) Directorate. The S&T mission includes conducting, stimulating, and enabling research and development. However, the current emphasis is on short- to medium-term needs related to the implementation of the National Strategy to Secure Cyberspace, including testing, evaluation, and timely transition of capabilities with approximately 85 to 90 percent of the S&T budget focused on these areas.85 The remaining 10 to 15 percent of the budget is for the support of long-term, breakthrough research. The mission of the Cyber Security Research Area—one of 15 S&T research portfolios organized into three categories—is to “lead cyber security research, development, testing, and evaluation endeavors to secure the nation’s critical information infrastructure, through coordinated efforts that will improve the security of the existing cyber infrastructure, and provide a foundation for a more secure infrastructure.”86 This broad mission is reflected in the R&D areas that DHS identifies as important to address: secure systems engineering, information assurance benchmarks and metrics, wireless and embedded systems security, critical infrastructure, and cybersecurity education. There is specific focus on technology-transfer issues—moving from research to deployment. Around $300 million has been spent annually on cybersecurity research for the past decade. Yet, the transition path has not existed to produce commercial products from this research. Government funding trends have moved roughly $100 million into classified areas—resulting in even less research available to eventually produce commercial products.87 84 See the organizational charts for 2005, http://www.dhs.gov/interweb/assetlibrary/DHS_Org_Chart_2005.pdf, and the proposed structural adjustments, http://www.dhs.gov/interweb/assetlibrary/DHSOrgChart.htm. The position was filled for the first time in September 2006. 85 Background for the discussion of cybersecurity research missions of the Department of Homeland Security is drawn from presentations given by Douglas Maughan, DHS, to the committee on July 27, 2004, and presentations given at the HSARPA Cyber Security Research and Development Bidder’s Conference held on September 23, 2004, in Arlington, Va. (see http://www.hsarpabaa.com/main/Cyber_Security_Bidders_9-13-2004.pdf). 86 See http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0549.xml. 87 Statement of Douglas Maughan, HSARPA Program Manager, in a briefing to the committee on July 27, 2004.

OCR for page 264
Toward a Safer and More Secure Cyberspace The Homeland Security Advanced Research Projects Agency (HSARPA) under S&T created the Cyber Security R&D Center in 2004. HSARPA initiated the Cyber Security Research and Development (CSRD) program in 2004.88 Program funding supported approximately half of the proposals deemed worthy of pursuing. There was concerted effort to reach out to the private sector for proposals, but few private-sector submissions were received.89 The DHS S&T cybersecurity agenda includes several other activities in addition to the Broad Agency Announcement for CSRD. The Cyber Defense Technology Experimental Research project—funded and run jointly with NSF—provides an experimental testbed to facilitate national-scale cybersecurity experimentation. The Protected Repository for Defense of Infrastructure against Cyber Threats is aimed at providing cybersecurity researchers with sufficient access to data necessary to test their research prototypes. Significant steps are being taken to protect the data against privacy concerns and to protect the data providers from abuse. A joint government-industry steering committee has been formed to address issues related to Domain Name Service Security (DNSSEC). Two workshops were held in 2004. NIST provided additional funding for this activity. The Secure Protocols for Routing Infrastructure activity is similar to the DNSSEC activity, with a government-industry steering committee and workshops. Cyber economic assessment studies are being undertaken—in keeping with the focus on technology transfer—to examine cost-evaluation methods for cybersecurity events and to enhance understanding of business cases and investment strategies that promote cybersecurity and risk prioritization. Two Small Business Innovation Research grants were awarded in 2004 addressing intrusion detection and identification of malicious code. B.6.4.4 National Institute of Standards and Technology The Cybersecurity Research and Development Act specifies the role of the National Institute of Standards and Technology in cybersecurity research.90 The Computer Security Division—one of eight divisions in the Information Technology Laboratory—is the focal point at NIST for 88 Homeland Security Advanced Research Projects Agency (HSARPA) Broad Agency Announcement (BAA) 04-17; available at http://www.hsarpabaa.com/. 89 Discussion of committee members with Douglas Maughan, HSARPA Program Manager, on May 25, 2005. 90 See Secs. 8-11 of the Cybersecurity Research and Development Act of 2002 (P.L. No. 107-305).

OCR for page 264
Toward a Safer and More Secure Cyberspace cybersecurity. CSD describes its mission as improving information security in four ways:91 Raising awareness of IT risks, vulnerabilities, and protection, particularly in new and emerging technologies; Researching, studying, and advising agencies of IT vulnerabilities, and devising techniques for the cost-effective security and privacy of sensitive federal systems; Developing standards, metrics, tests, and validation programs to promote, measure, and validate security in systems and services; to educate consumers; and to establish minimum security requirements for federal systems; and Developing guidance to increase secure IT planning, implementation, management, and operation. Four focus areas reflect this mission: Cryptographic Standards and Applications; Security Testing; Security Research/Emerging Technologies; and Security Management and Guidance.92 CSD performs in-house research and provides services to DHS, NSA, and other agencies to support their cybersecurity missions. CSD’s Computer Security Resource Center (CSRC)93 acts as a focal point for raising awareness about cybersecurity. CSD issues reports, such as Security Considerations for Voice Over IP Systems, to raise awareness of IT risks in emerging technologies. NIST runs the National Vulnerability Database (NVD) with funding from DHS’s National Cyber Security Division. NVD is “a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources.”94 The bulk of NIST’s efforts (~$15 million) are focused on setting guidelines, evaluation tools, and standards for non-national security computers, and providing assistance to improve partnering of industry and academia. For instance, NIST provides coordination and guidance for how federal agencies implement and meet Federal Information Security Management Act requirements. It provides security self-assessment tools, organizes workshops, and gives training sessions and awareness meet- 91 Statement of Edward Roback, National Institute of Standards and Technology, in a briefing to the committee, July 27, 2004. See also http://csrc.nist.gov/mission.html. The statement “Cybersecurity Research and Development” by Arden Bement, Jr., NIST Technology Administration, before the U.S. House Committee on Science, May 14, 2003, provides additional background information for this section. 92 See http://csrc.nist.gov/focus_areas.html#sret. 93 See http://csrc.nist.gov/index.html. 94 See http://nvd.nist.gov.

OCR for page 264
Toward a Safer and More Secure Cyberspace ings. It develops encryption standards and cryptography toolkits. The Common Criteria process,95 run by NSA under the National Information Assurance Partnership,96 provides a means for the evaluation of information technology products for conformance to the International Common Criteria for Information Technology Security Evaluation. NIST performs intramural cybersecurity R&D focused on Internet Protocol Security (IPSec), mobile networks and devices, access control and authentication mechanisms, and improved automation testing. It also provides funding—jointly with DHS—for I3P97 run by Dartmouth College’s Institute for Security and Technology Studies. In 2001 NIST provided nine research grants under its Critical Infrastructure Protection Grants Program. Funding for this program was not reauthorized, although the Cybersecurity Research and Development Act calls for the establishment and support of research fellowships. NIST also supports cyber forensics and law enforcement. It maintains the National Software Reference Library, sets standards for forensic tools and methods, and does some testing of tools and devices for forensic analysis. The Intelligent Systems Division of the Manufacturing Engineering Laboratory at NIST formed the Process Control Security Requirements Forum in 2001 to address cybersecurity issues related to SCADA systems. In October 2004, the Forum—composed of vendors, system integrators, end users of industrial control systems, and NIST staffers—issued the first draft of the System Protection Profile for Industrial Control Systems, which is “designed to present a cohesive, cross-industry, baseline set of security requirements for new industrial control systems.”98 B.6.4.5 Department of Energy The Office of Science (SC) at the U.S. Department of Energy supports cybersecurity R&D focused on “providing a trustworthy environment for access to distributed resources and for supporting collaborations.”99 Research projects are conducted at universities as well as at the Lawrence Berkeley National Laboratory. Cybersecurity research is tightly coupled with science applications that are the primary mission at DOE. In particular, much of the focus of cybersecurity research is on distributed 95 See http://csrc.nist.gov/cc/. 96 See http://niap.nist.gov/. 97 See http://www.thei3p.org/. 98 See http://www.isd.mel.nist.gov/projects/processcontrol/. 99 Written comments provided by Daniel Hitchcock, Department of Energy, to the committee at a meeting on July 27, 2004.

OCR for page 264
Toward a Safer and More Secure Cyberspace authorization and secure collaboration using shared resources. From the perspective of the security life cycle, DOE efforts emphasize attack prevention and intrusion detection. In FY 2005 DOE provided support, along with DHS, for an NSF-funded center-scale project—the Center for Trustworthy Cyber Infrastructure for the Power Grid—which will support 19 researchers across three universities with creating secure network protocols that enable efficient sharing of supply and demand information. B.6.4.6 National Security Agency The National Security Agency focuses largely on applied research to meet the needs of DOD and the intelligence community. Approximately 120 internal researchers work on cybersecurity. About 50 percent of the NSA budget for cybersecurity goes to nonacademic organizations doing classified research; 10 to 15 percent of the budget supports academic organizations. In his statement before the House Select Committee on Homeland Security Subcommittee on Cybersecurity, Science and Research and Development, then-NSA Director of Information Assurance Daniel G. Wolf noted that the agency now spends the bulk of its time and resources “engaged in research, development and deployment of a full spectrum of Information Assurance technologies for systems processing all types of information.”100 He identified a number of priority areas for research, including assured software design tools and development techniques, automated patch management, resilient systems, attack identification, and attribution. He expressed concerns about foreign hardware and software being used in critical systems and noted NSA’s work on a Trusted Microelectronic Capability. NSA provides support for civilian cybersecurity research in various ways, including funding and technical advice to NSF, DARPA, NIST, and DHS.101 NSA sponsors the Information Assurance Technical Framework Forum (IATFF) to foster dialogue between U.S. government agencies, industry, and academia. The IATFF document provides guidance for protecting information and systems. NSA supports several other outreach programs for system security assessment, security design and evaluation, 100 Statement by Daniel G. Wolf, Director of Information Assurance, National Security Agency, before the House Select Committee on Homeland Security, Subcommittee on Cybersecurity, Science and Research and Development, hearing titled “Cybersecurity—Getting It Right,” July 22, 2003; available at http://www.globalsecurity.org/security/library/congress/2003_h/030722-wolf.doc. 101 The discussion of National Security Agency support for cybersecurity research is drawn from the presentation to the committee by Grant Wagner, NSA Information Assurance Research Group, on July 27, 2004.

OCR for page 264
Toward a Safer and More Secure Cyberspace and security professional certification. NSA developed Security Enhanced Linux (SELinux) as an enhancement to the Linux kernel that implements mandatory access control and role-based access control. SELinux was released to the Linux community for enhancement and extension.102 One of the major priorities for NSA is the growth of a vibrant civil service cybersecurity research community. To that end, NSA is a supporter of education and capacity building in cybersecurity. The NSA, jointly with DHS, sponsors 75 designated centers as part of its Centers for Academic Excellence in Information Assurance Education (CAE/IAE) Program. This program is part of the broader National Information Assurance Education and Training Program, which also supports the national Colloquium for Information Systems Security Education and the National Information Assurance Training and Education Center.103 No independent assessment of the CAE program has been conducted to determine if the requirements are appropriate, applied appropriately, or whether the program is actually helping to achieve its stated goals. Some individuals associated with schools in the program have questioned the lack of clear delineation between programs that conduct research and graduate education and those that are primarily vocational in nature. Nonetheless, the program has succeeded in bringing attention to educational efforts as little else has done. B.6.4.7 Disruptive Technology Office, Office of Naval Research, and Air Force Research Laboratory The Disruptive Technology Office,104 Office of Naval Research (ONR), and Air Force Research Laboratory through its Air Force Office of Scientific Research (AFOSR) all support cybersecurity research related to their intelligence and military missions. These agencies have been a source of funding continuity, supporting significant unclassified education and research in cybersecurity, as well as funding classified research. AFOSR, for instance, supports the Information Assurance Institute at Cornell University. It also supports, with NSF, the TRUST Center (described above). ONR manages a major Multidisciplinary University Research Initiative program (funded from the Office of the Secretary of Defense) on “secure mobile code.” 102 See the NSA SELinux Web page at http://www.nsa.gov/selinux/. 103 See http://www.nsa.gov/ia/academia/cisse.cfm and http://niatec.info/. 104 Formerly known as the Advanced Research and Development Activity (ARDA).

OCR for page 264
Toward a Safer and More Secure Cyberspace B.6.4.8 Federal Aviation Administration The Federal Aviation Administration’s cybersecurity efforts are focused on its mission of providing for the safety and security of the FAA infrastructure. Its cybersecurity research activities “leverage developments by other agencies.”105 B.6.4.9 National Aeronautics and Space Administration NASA has no project current or planned directly related to cybersecurity. It does support research, such as the High Dependability Computing Project, which addresses another aspect of trustworthy computing—system reliability. The project Web site notes that “dependability is a major challenge for all complex software-based systems. Aspects of dependability include safety critical reliability, software safety, high security, high integrity, and continuous operation.”106 105 National Science and Technology Council, Federal Plan for Cyber Security, 2006, p. 113. 106 High Dependability Computing Project (HDCP); see http://hdcp.org.