no “silver bullets” for fixing cybersecurity. The threats are evolving and will continue to grow, meaning that gaining ground against these threats requires an ongoing, society-wide, concerted and focused effort. A culture of security must pervade the entire life cycle of information technology (IT) system operations, from initial architecture to design, development, testing, deployment, maintenance, and use. A number of focus areas are particularly important to achieving such a culture: collaboration among researchers; coordination and information sharing among the public and private sectors; the creation of a sufficiently large and capable core of research specialists to advance the state of the art; the broad-based education of developers, administrators, and users that will make security-conscious practices second nature, just as optimizing for performance or functionality is; making it easy and intuitive for users to “do the right thing”; the employment of business drivers and policy mechanisms to facilitate security technology transfer and the diffusion of R&D into commercial products and services; and the promotion of risk-based decision making (and metrics to support this effort).
Second, several areas for research focus (or areas to support such research), consistent with those identified in this report, recur across nearly all of the activities summarized in this appendix. These areas are authentication, identity management, secure software engineering, modeling and testbeds, usability, privacy, and benchmarking and best practices. Understanding the intersection between critical infrastructure systems and the IT systems increasingly used to control them is another common theme for research needs.
Finally, taken together, the activities reviewed give an overall sense that—unless we as a society make cybersecurity a priority—IT systems are likely to become overwhelmed by cyberthreats of all kinds and eventually to be limited in their ability to transform societal systems productively. This future is avoidable, but avoiding it requires the effective coordination and collaboration of private and public sectors; continuous, comprehensive, and coordinated research; and appropriate policies to promote security and to deter attackers. Given the global nature of cyberthreats, it also requires effective international cooperation. This survey does not focus on activity under way that aims to further international cooperation. However, considerable efforts are under way at the regional intergovernmental and international governmental levels.2