these APIs is usually incompletely specified (e.g., it may not be documented how the system responds when inputs are provided that are not of the expected variety), the overall relationship between application and operating system cannot be known completely. Much research is needed on the properties, practices, and disciplines to drive this emergence—just as research in the nascent complexity sciences is addressing similar problems of understanding emergence in other problem domains characterized by sensitive dependence on initial conditions.
This does not mean that it is impossible to identify areas of focus, but it does imply that within those areas of focus the nation’s research strategy should seek to develop a broad and diverse technological foundation that would enable more rapid responses to new and currently unforeseen threats as they emerge, as well as yield unanticipated advances.
As for the character of the research needed, both traditional and unorthodox approaches will be necessary. Traditional research is problem-specific, and there are many cybersecurity problems for which good solutions are not known. (A good solution to a cybersecurity problem is one that is effective, is robust against a variety of attack types, is inexpensive and easy to deploy, is easy to use, and does not significantly reduce or cripple other functionality in the system of which it is made a part.) Research is and will be needed to address these problems.
But problem-by-problem solutions, or even problem-class by problem-class solutions, are highly unlikely to be sufficient to close the gap by themselves. Unorthodox, clean-slate approaches will also be needed to deal with what might be called a structural problem in cybersecurity research now, and these approaches will entail the development of new ideas and new points of view that revisit the basic foundations and implicit assumptions of security research.
Addressing both of these reasons for the lack of security in cyberspace is important, but it is the second—closing the knowledge gap—that is the primary goal of cybersecurity research and the primary focus of this report.
This section describes a set of interrelated principles that the committee believes should shape the research agenda. Some are principles intended to drive specific components of the research agenda, while others are intended to change the mind-set with which the agenda is carried out. Individually, none of these principles is new, but in toto they represent the committee’s best understanding of what should constitute a sound philosophical foundation for cybersecurity research.