those two components, regardless of the side of the interface on which each resides. To the extent that the CBoR can be relied on to set security expectations for components developed by different parties, the result will be a more orderly world that supports composability of the building blocks in the IT infrastructure. The CBoR would also require end users to be sufficiently knowledgeable to ascertain whether and to what extent the information technology that they use in fact delivers on the CBoR’s security obligations.
How should the goals of the CBoR be achieved? As the discussion in the remainder of this report indicates, a new way of thinking about security—a drastic cultural shift—will be necessary regarding the ways in which secure systems are designed, developed, procured, operated, and used. In the long run, such a shift will entail new directions in education, training, development practice, operational practice, oversight, liability laws, and government regulation.
Compared to what is available today, the foregoing vision of a secure cyberspace is quite compelling. However, for two distinct though related reasons, we are a long way away from meeting this goal. The first reason is that there is much about cybersecurity technologies and practices that is known but not put into practice. As an example, according to the senior information security officer at a major financial institution, the codification and dissemination of best practices in cybersecurity policy at the level of the chief executive officer or the chief information officer have been particularly challenging, because incentives and rewards for adopting best practices are few. Box 3.1 indicates the limited scope of threats against which certain common commercial products defend.
The second reason is that even assuming that everything known today was immediately put into practice, the resulting cybersecurity posture—though it would be stronger and more resilient than it is today—would still be inadequate against today’s threats, let alone tomorrow’s. Closing this gap—a gap of knowledge—will require research, as discussed below.
Framing the issue of necessary research requires understanding the larger context of which such research is a part. Today, the vast majority of actual cybersecurity efforts is devoted to a reactive catch-up game that fixes problems as they are discovered (either in anticipation of attack as