Toward a Safer and More Secure Cyberspace (2007)

Chapter: Front Matter

Suggested Citation:"Front Matter." National Research Council and National Academy of Engineering. 2007. Toward a Safer and More Secure Cyberspace. Washington, DC: The National Academies Press. doi: 10.17226/11925.
Toward a Safer and More Secure Cyberspace

Seymour E. Goodman and Herbert S. Lin, Editors

Committee on Improving Cybersecurity Research in the United States

Computer Science and Telecommunications Board

Division on Engineering and Physical Sciences

NATIONAL RESEARCH COUNCIL AND NATIONAL ACADEMY OF ENGINEERING OF THE NATIONAL ACADEMIES

THE NATIONAL ACADEMIES PRESS

Washington, D.C.
www.nap.edu

THE NATIONAL ACADEMIES PRESS

500 Fifth Street, N.W. Washington, DC 20001

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

Support for this project was provided by the Defense Advanced Research Projects Agency (award number N00174-03-C-0074), the National Science Foundation (award number CNS-0221722), the National Institute of Standards and Technology (contract number SB1341-03-C-0028), the Department of Homeland Security through the National Science Foundation (award number CNS-0344585), the National Academy of Engineering, the National Research Council Fund (no award number), and F. Thomas Leighton and Bonnie Berger Leighton. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations, agencies, or individuals that provided support for the project.

Back cover: Summarized in the right-hand column of the chart is the new mind-set advocated in this report as essential to achieving a more generally secure cyberspace.

Library of Congress Cataloging-in-Publication Data

Toward a safer and more secure cyberspace / Committee on Improving Cybersecurity Research in the United States, Computer Science and Telecommunications Board, Division on Engineering and Physical Sciences, National Research Council of the National Academies ; Seymour E. Goodman and Herbert S. Lin, editors.

p. cm.

Includes bibliographical references.

ISBN 978-0-309-10395-4 (pbk.) -- ISBN 978-0-309-66741-8 (pdf) 1. Computer security. 2. Computer networks--Security measures. 3. Cyberterrorism--Prevention. I. Goodman, Seymour E. II. Lin, Herbert. III. National Research Council (U.S.). Committee on Improving Cybersecurity Research in the United States.

QA76.9.A25T695 2007

005.8--dc22

2007037982

This report is available from

Computer Science and Telecommunications Board

National Research Council

500 Fifth Street, N.W.

Washington, DC 20001

Additional copies of this report are available from the

National Academies Press,

500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu.

Copyright 2007 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

THE NATIONAL ACADEMIES

Advisers to the Nation on Science, Engineering, and Medicine


The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.


The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering.


The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.


The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council.


www.national-academies.org

COMMITTEE ON IMPROVING CYBERSECURITY RESEARCH IN THE UNITED STATES

SEYMOUR (Sy) E. GOODMAN, Georgia Institute of Technology, Chair (from August 2006)

JOEL S. BIRNBAUM, Hewlett-Packard Company, Chair (until August 2006)

DAVID AUCSMITH, Microsoft Corporation

STEVEN M. BELLOVIN, Columbia University

ANJAN BOSE, Washington State University

BARBARA FRASER, Cisco Systems, Inc.

JAMES GOSLER, Sandia National Laboratories

WILLIAM GUTTMAN, Carnegie Mellon University

RUBY B. LEE, Princeton University

FERNANDO (FRED) LUIZ, Hewlett-Packard Company (retired)

TERESA F. LUNT, Palo Alto Research Center

PETER G. NEUMANN, SRI International

STEFAN SAVAGE, University of California, San Diego

WILLIAM L. SCHERLIS, Carnegie Mellon University

FRED B. SCHNEIDER, Cornell University

ALFRED Z. SPECTOR, Independent Consultant

JOHN WANKMUELLER, MasterCard International

JAY WARRIOR, Agilent Laboratories

Staff

HERBERT S. LIN, Senior Scientist and Study Director (from September 2005)

CHARLES N. BROWNSTEIN, Study Director (until September 2005)

KRISTEN BATCH, Associate Program Officer

JENNIFER M. BISHOP, Program Associate (until November 2006)

JANICE M. SABUDA, Senior Program Assistant

TED SCHMITT, Consultant

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

JOSEPH F. TRAUB, Columbia University, Chair

ERIC BENHAMOU, Benhamou Global Ventures, LLC

FREDERICK R. CHANG, University of Texas, Austin

WILLIAM DALLY, Stanford University

MARK E. DEAN, IBM Almaden Research Center

DEBORAH ESTRIN, University of California, Los Angeles

JOAN FEIGENBAUM, Yale University

KEVIN KAHN, Intel Corporation

JAMES KAJIYA, Microsoft Corporation

MICHAEL KATZ, University of California, Berkeley

RANDY H. KATZ, University of California, Berkeley

SARA KIESLER, Carnegie Mellon University

TERESA H. MENG, Stanford University

PRABHAKAR RAGHAVAN, Yahoo! Research

FRED B. SCHNEIDER, Cornell University

ALFRED Z. SPECTOR, Independent Consultant

WILLIAM STEAD, Vanderbilt University

ANDREW J. VITERBI, Viterbi Group, LLC

PETER WEINBERGER, Google, Inc.

JEANNETTE M. WING, Carnegie Mellon University

Staff

JON EISENBERG, Director

KRISTEN BATCH, Associate Program Officer

RADHIKA CHARI, Administrative Coordinator

RENEE HAWKINS, Financial Associate

MARGARET MARSH HUYNH, Senior Program Assistant

HERBERT S. LIN, Senior Scientist

LYNETTE I. MILLETT, Senior Program Officer

DAVID PADGHAM, Associate Program Officer

JANICE M. SABUDA, Senior Program Assistant

TED SCHMITT, Consultant

BRANDYE WILLIAMS, Program Assistant

JOAN D. WINSTON, Program Officer

For more information on CSTB, see its Web site at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.

Preface

In the past several years, cybersecurity has been transformed from a concern chiefly of computer scientists and information system managers to an issue of pressing national importance. The nation’s critical infrastructure, such as the electric power grid, air traffic control system, financial system, and communication networks, depends extensively on information technology (IT) for its operation. Concerns about the vulnerability of this infrastructure have heightened in the security-conscious environment after the September 11, 2001, attacks. National policy makers have become increasingly concerned that adversaries backed by substantial resources will attempt to exploit the cyber-vulnerabilities in the critical infrastructure, thereby inflicting substantial harm on the nation.

Today, there is an inadequate understanding of what makes IT systems vulnerable to attack, how best to reduce these vulnerabilities, and how to transfer cybersecurity knowledge to actual practice. For these reasons, and in response to both legislative and executive branch interest, the National Research Council (NRC) established the Committee on Improving Cybersecurity Research in the United States (see Appendix A for biographies of the committee members). The committee was charged with developing a strategy for cybersecurity research in the 21st century. To develop this strategy, the committee built on a number of previous NRC reports in this area, notably, Computers at Risk (1991), Trust in Cyberspace (1998), and Information Technology for Counterterrorism (2003).1 Although these reports were issued some years ago, the committee found that they contained valuable points of departure for the present effort. In addition, the committee undertook a set of hearings and briefings that provided information about present-day concerns and responses to those concerns. The report of the President’s Information Technology Advisory Committee on cybersecurity—Cyber Security: A Crisis of Prioritization—which lays out a research agenda and makes recommendations on how to implement it, provided a useful point of departure as well.2

1. National Research Council, 1991, Computers at Risk, National Academy Press, Washington, D.C.; National Research Council, 1998, Trust in Cyberspace, National Academy Press, Washington, D.C.; National Research Council, 2003, Information Technology for Counterterrorism: Immediate Actions and Future Possibilities, The National Academies Press, Washington, D.C.

Box P.1 contains the full charge to the committee. The committee’s survey of the current cybersecurity research landscape is described in Appendix B. As requested in the charge, Section B.5 contains a survey of the research effort in cybersecurity and trustworthiness to assess the current mix of topics; Sections B.4 and B.6 address level of effort, division of labor, and sources of funding; Section B.3 addresses quality. The issue related to the timescales of cybersecurity research is addressed in Section 10.2.2. Structural dimensions of a program for cybersecurity research are addressed in Section 3.3.

Two elements in the committee’s statement of task were not fully addressed. First, although Part II provides general guidance regarding appropriate areas of programmatic focus, this report does not provide a detailed explication of research priorities within or among these areas (that is, the research areas meriting federal funding). The reason, explained at greater length in Section 3.4.4, is that in the course of its deliberations, the committee concluded that the nation’s cybersecurity research agenda should be broad and that any attempt to specify research priorities in a top-down manner would be counterproductive. Second, the study’s statement of task calls for it to address appropriate levels of federal funding for cybersecurity research. As discussed in Section 10.2.2, the committee articulates a specific principle for determining the appropriate level of budgets for cybersecurity research: namely, that such budgets should be adequate to ensure that a large fraction of good ideas for cybersecurity research can be explored. It further notes that the threat is likely to grow at a rate faster than the present federal cybersecurity research program will enable us to respond to, and thus that in order to execute fully the broad strategy articulated in this report, a substantial increase in federal budgetary resources devoted to cybersecurity research will be needed.

It is important to delineate the scope of what this report does and to specify what it does not do. The committee recognizes that cybersecurity is only one element of trustworthiness, which can be defined as the property of a system whereby it does what is required and expected of it—despite environmental disruption, human user and operator errors, and attacks by hostile parties—and that it does not do other things. Trustworthiness has many dimensions, including correctness, reliability, safety, and survivability, in addition to security. Nevertheless, the charge of this report is to focus on security, and other issues are addressed only to the extent that they relate to security.

2. President’s Information Technology Advisory Committee. February 2005. Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Technology Research and Development, Washington, D.C.; available at www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.

BOX P.1

Statement of Task

This project will involve a survey of the research effort in cybersecurity and trustworthiness to assess the current mix of topics, level of effort, division of labor, sources of funding, and quality; describe those research areas that merit federal funding, considering short-, medium-, and long-term emphases; and recommend the necessary level for federal funding in cybersecurity research. Technologies and approaches conventionally associated with cybersecurity and trustworthiness will be examined to identify those areas most deserving of attention in the future and to understand the research baseline. In addition, this project will also seek to identify and explore models and technologies not traditionally considered to be within cybersecurity and trustworthiness in an effort to generate ideas for revolutionary advances in cybersecurity. Structural alternatives for the oversight and allocation of funding (how to best allocate existing funds and how best to program new funds that may be made available) will be considered and the project committee will provide corresponding recommendations. Finally, the committee will offer some guidance on the shape of grant-making research programs.

Consistent with legislative language, the committee will consider:

  1. Identification of the topics in cybersecurity research that deserve emphasis for the future. As discussed with congressional staff, this analysis will build on past work within CSTB [Computer Science and Telecommunications Board] and elsewhere, which has identified many important and often enduring topics.

  2. The distribution of effort among cybersecurity researchers. The emphasis will be on universities, in part to address the link between the conduct of researchers and the education and training of cybersecurity experts, to ensure that there are enough researchers to perform the needed work. Comparisons between academic and industry activities will be made.

  3. Identification and assessment of the gaps in technical capability for critical infrastructure network security, including security of industrial process controls.

  4. The distribution, range, and stability of support programs among federal funding organizations.

  5. Issues regarding research priorities, resource requirements, and options for improving coordination and efficacy in the national pursuit of cybersecurity research. Opportunities for cross-sector (and intra-sector) coordination and collaboration will be considered.

This report is not confined to technical topics alone. A number of policy issues related to cybersecurity are discussed. These policy issues provide an overarching context for understanding why greater use has not been made of cybersecurity research to date. In addition, because the report concludes that cybersecurity research should not be undertaken entirely in a domain-independent manner, the report also discusses briefly a number of problem domains to which cybersecurity research is applicable.

The committee assembled for this project included individuals with expertise in the various specialties within computer security and other aspects of trustworthiness, computer networks, systems architecture, software engineering, process control systems, human-computer interaction, and information technology research and development (R&D) programs in the federal government, academia, and industry. In addition, the committee involved individuals with experience in industrial research.

The committee met first in July 2004 and four times subsequently. It held several plenary sessions to gather input from a broad range of experts in cybersecurity. Particular areas of focus included then-current federal research activity, the state of the art in usable security, and current vendor activity related to advancing the state of cybersecurity. The committee did its work through its own expert deliberations and by soliciting input from key officials at sponsoring agencies, numerous experts at federal agencies, academic researchers, and hardware and software vendors (see Appendix C). Additional input included perspectives from professional conferences, the technical literature, and government reports studied by committee members and staff (see Appendix B).

The committee appreciates the support of its sponsoring agencies and especially the numerous inputs and responses to requests for information provided by Jaynarayan Lala and Lee Badger at the Defense Advanced Research Projects Agency (DARPA), Carl Landwehr and Karl Levitt at the National Science Foundation (NSF), Edward Roback at the National Institute of Standards and Technology (NIST), Douglas Maughan at the Department of Homeland Security (DHS), and Robert Herklotz at the Air Force Office of Scientific Research (AFOSR).

PERSONAL NOTE FROM THE CHAIR

A large fraction of the American population now spends a great deal of time in cyberspace. We work and shop there. We are educated and entertained there. We socialize with family, friends, and strangers in cyberspace. We are paid and we pay others through this medium. Millions of commercial enterprises and local, state, and federal government agencies do their business there. It has become a critical infrastructure in its own right, and it is embedded in almost all other critical infrastructures. We rely on cyberspace to help keep electricity flowing, public transportation running, and many other basic services working at levels that we have come to regard as essential elements of our society. These functions, expectations, and resulting dependencies are with us now, have been growing rapidly, and are expected to continue to grow well into the future.

The people, businesses, and governments of the rest of the world are following suit. On a per capita basis, some are even more committed to this infrastructure than the United States is. The Internet alone is now used by about a billion people and comes to ground in about 200 countries. And they are all connected to us and to one another.

It is thus very much in the public interest to have a safe and secure cyberspace. Yet cyberspace in general, and the Internet in particular, are notoriously vulnerable to a frightening and expanding range of accidents and attacks by a spectrum of hackers, criminals, terrorists, and state actors who have been empowered by unprecedented access to more people and organizations than has ever been the case with any infrastructure in history. Most of the people and organizations that increasingly depend on cyberspace are unaware of how vulnerable and defenseless they are, and all too many users and operators are poorly trained and equipped. Many learn only after suffering attacks. These people, and the nation as a whole, are paying enormous costs for relying on such an insecure infrastructure.

The Committee on Improving Cybersecurity Research in the United States was established by the National Research Council of the National Academies with the financial support of NSF, DARPA, NIST, DHS, the National Academy of Engineering, and F. Thomas and Bonnie Berger Leighton. The basic premise underlying the committee’s task is that research can produce a better understanding of why cyberspace is as vulnerable as it is and that it can lead to new technologies and policies and their effective implementation to make things better.

Cybersecurity is not a topic that is new to the national agenda. Indeed, a number of earlier reports have addressed this subject from different perspectives. Many of these reports have been concerned with specific threats (e.g., terrorism), missions (e.g., critical infrastructure protection), government agencies (e.g., how they might better protect themselves), or specific sectors (e.g., banking and finance). This study tackles the problem from the perspective of protecting all legitimate users of cyberspace, including the individual citizens, small commercial concerns, and government agencies that are particularly vulnerable to harassment and injury every time they use the Internet or connect to other networks. The committee strongly believes that a more generally secure cyberspace would go a long way toward protecting critical infrastructure and national security.

What would a safer and more secure cyberspace look like? To address this question, the committee has formulated a Cyberspace Bill of Rights (CBoR). It consists of 10 basic provisions that the committee believes users should have as reasonable expectations for their online safety and security. The CBoR articulated in this report is distinctly user-centric, enabling individuals to draw for themselves the contrast between that vision and their own personal cyberspace experiences.

Unfortunately, the state of cyberspace today is such that it is much easier to state these provisions than it is to achieve them. No simple research project will lead to the widespread reality of any of these provisions. Indeed, even achieving something that sounds as simple as eliminating spam will require a complex, crosscutting technical and nontechnical R&D agenda. Accordingly, this report goes on to propose a comprehensive R&D agenda and to show how that agenda would help realize the provisions of the CBoR. The report also warns that there will be no shortcuts and that realizing the CBoR vision will take a long, sustained, and determined effort. There is much to accomplish.

Many of this report’s technical R&D recommendations build on and support those of earlier reports. However, they give particular emphasis to problems that have handicapped the more extensive practice of cybersecurity in the past. Thus, the report focuses substantial attention on the very real challenges of incentives, usability, and embedding advances in cybersecurity into real-world products, practices, and services.

On behalf of the committee, I would like to thank those who took the time and trouble to contribute to our deliberations by briefing the committee. This group of individuals is listed in Appendix C. In addition, those who reviewed this report in draft form played a critical and indispensable role in helping to improve the report (see “Acknowledgment of Reviewers” on page xiii). On the Computer Science and Telecommunications Board (CSTB), Ted Schmitt’s work as program officer on his first NRC project was exemplary, and Janice Sabuda provided administrative and logistical support beyond compare. Special recognition is due to Herbert S. Lin, who became the CSTB study director about halfway through the committee’s lifetime, and who worked so hard to pull this report together. His tenacity, determination, and expertise were indispensable.


Seymour E. Goodman, Chair

Committee on Improving Cybersecurity Research in the United States

Acknowledgment of Reviewers

This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:

Eric Benhamou, Benhamou Global Ventures, LLC,

Earl Boebert, Sandia National Laboratories (retired),

William R. Cheswick, AT&T Research,

David D. Clark, Massachusetts Institute of Technology,

Richard A. DeMillo, Georgia Institute of Technology,

Samuel H. Fuller, Analog Devices, Inc.,

Paul A. Karger, IBM Thomas J. Watson Research Center,

Pradeep Khosla, Carnegie Mellon University,

Butler Lampson, Microsoft Corporation,

Brian Lopez, Lawrence Livermore National Laboratory,

William Lucyshyn, University of Maryland,

Clifford Neuman, University of Southern California,

Eugene Spafford, Purdue University,

Philip Venables, Goldman Sachs,

Jesse Walker, Intel Corporation, and

Jeannette M. Wing, Carnegie Mellon University.

Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Lewis Branscomb and Brian Snow. Appointed by the National Research Council, they were responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.

3

 

IMPROVING THE NATION’S CYBERSECURITY POSTURE

 

51

   

 3.1  The Cybersecurity Bill of Rights,

 

51

   

 3.1.1  Introduction to the Cybersecurity Bill of Rights,

 

52

   

 3.1.2  The Provisions of the Cybersecurity Bill of Rights,

 

53

   

 3.1.3  Concluding Comments,

 

57

   

 3.2  Realizing the Vision,

 

58

   

 3.3  The Necessity of Research,

 

58

   

 3.4  Principles to Shape the Research Agenda,

 

61

   

 3.4.1  Principle 1: Conduct cybersecurity research as though its application will be important,

 

62

   

 3.4.2  Principle 2: Hedge against uncertainty in the nature of the future threat,

 

69

   

 3.4.3  Principle 3: Ensure programmatic continuity in the research agendam,

 

70

   

 3.4.4  Principle 4: Respect the need for breadth in the research agenda,

 

72

   

 3.4.5  Principle 5: Disseminate new knowledge and artifacts,

 

74

PART II
AN ILLUSTRATIVE RESEARCH AGENDA

4 CATEGORY 1—BLOCKING AND LIMITING THE IMPACT OF COMPROMISE, 83
  4.1 Secure Design, Development, and Testing, 83
    4.1.1 Research to Support Design, 84
    4.1.2 Research to Support Development, 91
    4.1.3 Research to Support Testing and Evaluation, 103
  4.2 Graceful Degradation and Recovery, 107
    4.2.1 Containment, 107
    4.2.2 Recovery, 109
  4.3 Software and Systems Assurance, 110

5 CATEGORY 2—ENABLING ACCOUNTABILITY, 113
  5.1 Attribution, 113
  5.2 Misuse and Anomaly Detection Systems, 118
  5.3 Digital Rights Management, 121

6 CATEGORY 3—PROMOTING DEPLOYMENT, 124
  6.1 Usable Security, 124
  6.2 Exploitation of Previous Work, 131
  6.3 Cybersecurity Metrics, 133

  6.4 The Economics of Cybersecurity, 142
    6.4.1 Conflicting Interests and Incentives Among the Actors in Cybersecurity, 144
    6.4.2 Risk Assessment in Cybersecurity, 147
    6.4.3 The Nature and Extent of Market Failure (If Any) in Cybersecurity, 152
    6.4.4 Changing Business Cases and Altering the Market Calculus, 153
  6.5 Security Policies, 166

7 CATEGORY 4—DETERRING WOULD-BE ATTACKERS AND PENALIZING ATTACKERS, 169
  7.1 Legal Issues Related to Cybersecurity, 170
  7.2 Honeypots, 171
  7.3 Forensics, 173

8 CATEGORY 5—ILLUSTRATIVE CROSSCUTTING PROBLEM-FOCUSED RESEARCH AREAS, 181
  8.1 Security for Legacy Systems, 181
  8.2 The Role of Secrecy in Cyberdefense, 184
  8.3 Insider Threats, 185
  8.4 Security in Nontraditional Computing Environments and in the Context of Use, 191
    8.4.1 Health Information Technology, 191
    8.4.2 The Electric Power Grid, 193
    8.4.3 Web Services, 196
    8.4.4 Pervasive and Embedded Systems, 197
  8.5 Secure Network Architectures, 199
  8.6 Attack Characterization, 200
  8.7 Coping with Denial-of-Service Attacks, 201
    8.7.1 The Nature of Denial-of-Service Attacks, 201
    8.7.2 Responding to Distributed Denial-of-Service Attacks, 202
    8.7.3 Research Challenges, 205
  8.8 Dealing with Spam, 208

9 CATEGORY 6—SPECULATIVE RESEARCH, 214
  9.1 A Cyberattack Research Activity, 215
  9.2 Biological Approaches to Security, 216
  9.3 Using Attack Techniques for Defensive Purposes, 218
  9.4 Cyber-Retaliation, 219

Boxes

P.1 Statement of Task, ix
2.1 Lack of Exploitation Does Not Indicate Nonvulnerability, 30
2.2 Major Sources of Data Characterizing the Cyberthreat, 36
2.3 On Botnets, 40
2.4 Possible Points of Vulnerability in Information Technology Systems and Networks, 44
2.5 Foreign Sourcing of Information Technology Used in the United States, 47
2.6 The Silence of a Successful Cyberattack, 48
3.1 What Firewalls and Antivirus Products Protect Against, 59
3.2 Lessons Learned from the Technology-Transfer Effort Associated with Microsoft’s Static Driver Verifier, 64
4.1 The Saltzer-Schroeder Principles of Secure System Design and Development, 86
6.1 Fluency with Information Technology (and Cybersecurity), 126
6.2 Bug Bounties and Whistle-Blowers, 156
8.1 Issues in System Migration, 183
8.2 Secrecy of Design, 186
8.3 Attack Diffusion, 204
10.1 A Model Categorization for Understanding Budgets, 240


Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces the real risk that adversaries will exploit vulnerabilities in the nation’s critical information systems, thereby causing considerable suffering and damage. Online e-commerce business, government agency files, and identity records are all potential security targets.

Toward a Safer and More Secure Cyberspace examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks. It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda. This book will be an invaluable resource for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.
