
Toward a Safer and More Secure Cyberspace (2007)


Suggested Citation: "Appendix B Cybersecurity Reports and Policy: The Recent Past." National Research Council and National Academy of Engineering. 2007. Toward a Safer and More Secure Cyberspace. Washington, DC: The National Academies Press. doi: 10.17226/11925.

Appendix B
Cybersecurity Reports and Policy: The Recent Past

B.1
INTRODUCTION

Since September 11, 2001, many cybersecurity activities have been undertaken by the federal government,1 the research community, and private industry. This appendix reviews these activities, providing a snapshot of the efforts undertaken to address cybersecurity concerns over the past several years. Specifically, federal cybersecurity policy activity since 2001 is reviewed. A number of federal government reports that detail cybersecurity risks and challenges that need to be overcome are summarized. Also summarized are best practices and procedures, as well as options for making progress, as identified in these reports. Efforts for improving public-private collaboration and coordination are identified. Reports aimed at elaborating the necessary elements of a research agenda are also reviewed. The final section reviews the current federal research and development (R&D) landscape and describes the particular focus and the types of support being provided at various federal agencies with cybersecurity responsibilities.

Several general impressions about the state of cybersecurity and some common themes about the type of actions required to improve it can be drawn from the various activities summarized here. First, there are no “silver bullets” for fixing cybersecurity. The threats are evolving and will continue to grow, meaning that gaining ground against these threats requires an ongoing, society-wide, concerted and focused effort. A culture of security must pervade the entire life cycle of information technology (IT) system operations, from initial architecture, to design, development, testing, deployment, maintenance, and use. A number of focus areas are particularly important to achieving such a culture: collaboration among researchers; coordination and information sharing among the public and private sectors; the creation of a sufficiently large and capable core of research specialists to advance the state of the art; the broad-based education of developers, administrators, and users that will make security-conscious practices become second nature just as optimizing for performance or functionality is; making it easy and intuitive for users to “do the right thing”; the employment of business drivers and policy mechanisms to facilitate security technology transfer and the diffusion of R&D into commercial products and services; the promotion of risk-based decision making (and metrics to support this effort).

1 The Congressional Research Service issued the report Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives on April 16, 2004; the report outlines the major roles and responsibilities assigned various federal agencies in the area of computer security. See http://www.fas.org/irp/crs/RL32357.pdf.

Second, several areas for research focus (or areas to support such research), consistent with those identified in this report, are identified across nearly all of the activities summarized in this appendix. These areas are authentication, identity management, secure software engineering, modeling and testbeds, usability, privacy, and benchmarking and best practices. Understanding the intersection between critical infrastructure systems and the IT systems increasingly used to control them is another common theme for research needs.

Finally, taken together, the activities reviewed give an overall sense that—unless we as a society make cybersecurity a priority—IT systems are likely to become overwhelmed by cyberthreats of all kinds and eventually to be limited in their ability to transform societal systems productively. This future is avoidable, but avoiding it requires the effective coordination and collaboration of private and public sectors; continuous, comprehensive, and coordinated research; and appropriate policies to promote security and to deter attackers. Given the global nature of cyberthreats, it also requires effective international cooperation. This survey does not focus on activity under way that aims to further international cooperation. However, considerable efforts are under way at the regional intergovernmental and international governmental levels.2

2 See, for example, Delphine Nain, Neal Donaghy, and Seymour Goodman, “The International Landscape of Cyber Security,” Chapter 9 in Detmar W. Straub, Seymour Goodman, and Richard Baskerville (eds.), Information Security: Policies, Processes, and Practices, M.E. Sharpe, New York, forthcoming 2008.


B.2
CYBERSECURITY POLICY ACTIVITY SINCE 2001

The U.S. Congress passed the Cybersecurity Research and Development Act3 in November 2002. Section 2(2) of the act noted the ubiquitous and pervasive nature of information and communications technology, stating that revolutionary advancements in computing and communications technology have interconnected critical infrastructures “in a vast, interdependent physical and electronic network.” Section 2(2) pointed to the increased societal dependence on that infrastructure, stating that “exponential increases in interconnectivity have facilitated enhanced communications, economic growth, and the delivery of services critical to the public welfare, but have also increased the consequences of temporary or prolonged failure.” Section 2(4) found that computer security technology and systems implementation lack the following:

  • Sufficient long-term research funding;

  • Adequate coordination across federal and state government agencies and among government, academia, and industry; and

  • Sufficient numbers of outstanding researchers in the field.

The Cybersecurity Research and Development Act of 2002 called for significantly increasing federal investment in computer and network security research and development to improve vulnerability assessment and technological and systems solutions, to expand and improve the pool of information security professionals, and to improve information sharing and collaboration among industry, government, and academic research projects. The National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) are called on to create programs necessary to address these issues. The act authorized appropriations for both agencies to support the specified programs, though appropriations were never made to match authorized levels.

The Bush administration noted its support for the legislation as it was developed,4 and issued The National Strategy to Secure Cyberspace5 in February 2003. The report noted that securing cyberspace is a difficult strategic challenge and emphasized the need for a coordinated and focused effort, taking in federal, state, and local governments, the private sector, and individual Americans. It calls on the newly formed Department of Homeland Security (DHS) to take the leadership role and become the federal Center of Excellence in addressing the five priorities it identified for cyberspace security: a national response system, a threat and vulnerability reduction program, awareness and training programs, the securing of government-administered systems, and international cooperation. Research and development for cybersecurity are not heavily emphasized in the report, and the roles of NSF and NIST are not mentioned.

3 Cybersecurity Research and Development Act of 2002, P.L. No. 107-305.

4 Office of Management and Budget, H.R. 3394—Cyber Security Research and Development Act, February 5, 2002; available at http://www.whitehouse.gov/omb/legislative/ap/107-2/HR3394-r.html.

5 The White House, The National Strategy to Secure Cyberspace, February 2003; available at http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf.

The Federal Information Security Management Act of 2002 (FISMA) established a “comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.”6 NIST was designated as the agency responsible for setting guidelines and procedures to be met by all federal agencies with regard to securing their information systems.

The National Infrastructure Advisory Council (NIAC) was created by executive order in October 2001 to make recommendations to the president regarding the security of cyber and information systems of the U.S. national security and economic critical infrastructures. NIAC became part of DHS in February 2003 under Executive Order 13286.7 The council is chartered to examine ways that partnerships between the public and private sectors can be enhanced to improve cybersecurity.8 Members of NIAC represent major sectors of the economy—banking and finance, transportation, energy, information technology, and manufacturing. The council also includes representatives from academia, state and local governments, and law enforcement. It is intended that NIAC work closely with the president’s National Security and Telecommunications Advisory Committee (NSTAC).

Homeland Security Presidential Directive 7 (HSPD-7): “Critical Infrastructure Identification, Prioritization, and Protection,” issued in December 2003, aims to establish “a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attack.”9 The directive makes DHS responsible for coordinating overall efforts aimed at enhancing and protecting critical infrastructure, including cyber infrastructure. As part of that responsibility, DHS is required to create a National Plan for Critical Infrastructure Protection. The department is directed to work with the Office of Science and Technology Policy (OSTP) to coordinate interagency R&D for enhancing critical infrastructure. DHS is also required to develop an annual R&D development plan jointly with OSTP.

6 Federal Information Security Management Act of 2002, Sec. 301 of the E-Government Act of 2002, P.L. No. 107-347.

7 See http://www.fas.org/irp/offdocs/eo/eo-13286.htm.

8 U.S. Department of Homeland Security (DHS), Charter of the National Infrastructure Advisory Council, July 1, 2005; available at http://www.dhs.gov/interweb/assetlibrary/NIAC_Charter.pdf.

9 Homeland Security Presidential Directive 7 (HSPD-7), “Critical Infrastructure Identification, Prioritization, and Protection”; available at http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html.

DHS issued the National Infrastructure Protection Plan (NIPP) in June 2006, as required by HSPD-7; the plan provides “an integrated, comprehensive approach to addressing physical, cyber, and human threats and vulnerabilities to address the full range of risks to the Nation.”10 The NIPP provides the framework and sets the direction for implementing this protection of critical infrastructure. The plan is meant to provide a roadmap for identifying assets, assessing vulnerabilities, prioritizing assets, and implementing protection measures in each infrastructure sector. The NIPP delineates roles and responsibilities among all stakeholders. It is part of DHS’s effort to take a leadership role and act as the federal Center of Excellence concerning infrastructure protection. In addition, each sector has developed a Critical Infrastructure/Key Resources Sector Specific Plan (SSP). The SSPs were published in May 2007. DHS is the lead agency for the development of the IT and Communications SSPs, and there is a cyber component to each of the remaining 15 SSPs.

The National Plan for Research and Development in Support of Critical Infrastructure Protection,11 issued jointly by DHS and OSTP in April 2005, specifically addresses R&D not covered in the February 2005 interim NIPP. It is required to be updated annually, as specified in HSPD-7. The plan notes, in this initial version, a focus on (1) creating a baseline, including the identification of existing major R&D efforts within federal agencies, and (2) highlighting long-term goals of federal R&D for critical infrastructure. It identifies nine themes that encompass both cyber and physical concerns: detection and sensor systems; protection and prevention; entry and access portals; insider threats; analysis and decision-support systems; response, recovery, and reconstitution; new and emerging threats and vulnerabilities; advanced infrastructure architectures and systems design; and human and social issues.

The plan provides examples of federal agency efforts already under way or that are part of near-term planning for each of the nine themes. Priority focus areas for each theme are also specified. Three long-term strategic goals are identified:

  • A national common operating picture for critical infrastructure,

  • A next-generation computing and communications network with security “designed-in” and inherent in all elements rather than added after the fact, and

  • Resilient, self-diagnosing, and self-healing physical and cyber infrastructure systems.

10 See http://www.deq.state.mi.us/documents/deq-wb-wws-interim-nipp.pdf.

11 Department of Homeland Security and Office of Science and Technology Policy, “The National Plan for Research and Development in Support of Critical Infrastructure Protection,” 2005; available at http://www.dhs.gov/interweb/assetlibrary/ST_2004_NCIP_RD_PlanFINALApr05.pdf.

The plan states that future versions will “more strongly integrate both technical and budgetary aspects of R&D efforts” and provide all stakeholders with information about progress toward solutions, alignment of efforts to meet evolving threats, and discovery of needs and vulnerability gaps.

The Energy Policy Act of 200512 addresses the need for cybersecurity standards to protect the energy infrastructure. It includes a requirement that the Federal Energy Regulatory Commission (FERC) establish an Electric Reliability Organization (ERO) to establish and enforce reliability standards for the reliable operation of existing bulk-power system facilities, where “reliable operation” is understood to mean prevention of instability, uncontrolled separation, or cascading failures of bulk-power systems as a result of a sudden disturbance, including a cybersecurity incident. The North American Electric Reliability Corporation (NERC)—a voluntary industry group composed of electrical utilities—which sought the provisions specified in the act, was certified by the FERC as the ERO on July 20, 2006.13

B.3
IDENTIFYING EXPOSURES, BEST PRACTICES, AND PROCEDURES

A number of recent reports have addressed continuing cybersecurity exposures of critical infrastructures. Collectively, they identify the nature of the exposures as well as a number of challenges that must be overcome to address them. Several of the reports make recommendations regarding best practices and procedures necessary to reduce the risks from cyberattacks. More generally, they recommend that available cybersecurity technology be more systematically adopted throughout existing critical infrastructure systems.

12 The Energy Policy Act of 2005, P.L. No. 109-058; Sec. 1211, “Electric Reliability Standards,” contains the passages relevant to cybersecurity.

13 Federal Energy Regulatory Commission, “Order Certifying North American Electric Reliability Corporation as the Electric Reliability Organization and Ordering Compliance Filing,” July 20, 2006; available at ftp://www.nerc.com/pub/sys/all_updl/docs/ferc/20060720_ERO_certification.pdf.


In March 2004 the U.S. General Accounting Office (GAO) issued Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems.14 GAO undertook the study resulting in the report at the request of the House Committee on Government Reform and its Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The committee and subcommittee had asked GAO to report on potential cyber vulnerabilities, focusing on significant cybersecurity risks associated with control systems, potential and reported cyberattacks against these systems, key challenges to securing control systems, and efforts to strengthen the cybersecurity of control systems.

The GAO report found that several factors have contributed to the escalation of the risks of cyberattacks against control systems, including the adoption of standardized technologies with known vulnerabilities, the connectivity of control systems with other networks, insecure remote connections, and the widespread availability of technical information about control systems. It also found that securing control systems poses significant challenges. These include “the limitations of current security technologies in securing control systems, the perception that securing control systems may not be economically justifiable and conflicting priorities within organizations regarding the security of control systems.” The GAO report identifies the need for greater collaboration and coordination among government agencies and with the private sector. It recommends that DHS implement the responsibilities outlined in the National Strategy to Secure Cyberspace, specifically calling on DHS to “develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security, including an approach for coordinating the various ongoing efforts to secure control systems.”15

In April 2004 NIAC issued the report Best Practices for Government to Enhance the Security of National Critical Infrastructures.16 The report notes how much convergence there is between physical and information infrastructures and indicates the need to view security as including both physical and cyber issues. The NIAC report concludes that, while market forces are the most powerful drivers of change, government intervention can be appropriate and beneficial in certain areas. It focuses on four infrastructure sectors and finds that a deep understanding of sector dynamics is critical for effective government intervention.


Also in April 2004, the U.S.-Canada Power System Outage Task Force issued its Final Report on the August 14, 2003 Blackout in the U.S. and Canada.17 The report found that, while the blackout was not caused by a cyberattack, the potential opportunity exists for cyber compromise of the Energy Management System (EMS) and supporting information technology infrastructure. It also noted that a failure in a software program not linked to malicious activity may have significantly contributed to the power outage. In all, the task force report made 15 recommendations related to the cybersecurity aspects of protecting the EMS. It called for the following:

  • Cybersecurity management standards and procedures,

  • Planned and documented corporate-level security governance and strategies,

  • Implementation of detection controls,

  • Improvement of diagnostic and forensic capabilities,

  • Scheduled risk and vulnerability assessments,

  • A central point for sharing security information,

  • The establishment of clear authority to influence corporate decision making, and

  • Procedures to prevent or mitigate inappropriate disclosure of information.

In May 2004, the GAO issued its second study, Technology Assessment: Cybersecurity for Critical Infrastructure Protection, in which it found that available cybersecurity technologies were not being deployed to their full extent, while continued R&D was needed for additional technology. The report identified three broad categories of actions that the federal government can undertake to increase the use of cybersecurity technologies:18

  • Help critical infrastructures determine their cybersecurity needs, such as developing a national critical infrastructure protection (CIP) plan, assisting with risk assessments, and enhancing cybersecurity awareness;

  • Take actions to protect its own systems, which could lead others to emulate it or could lead to the development and availability of more cybersecurity technology products; and

  • Undertake long-term activities to increase the quality and availability of cybersecurity technologies in the marketplace.

17 Available at https://reports.energy.gov/BlackoutFinal-Web.pdf; see Chapter 9 beginning at p. 131 for a discussion of the cybersecurity aspects of the blackout.

18 See http://www.gao.gov/new.items/d04321.pdf.


The May 2004 GAO report found a number of cybersecurity research areas in need of continuing attention, including the composition of secure systems, the security of network-embedded systems, security metrics, the socioeconomic impact of security, vulnerability identification and analysis, and wireless security. It also notes that federal cybersecurity research programs are already beginning to address these research areas.

In January 2005 NIST issued a detailed report entitled Security Considerations for Voice over IP Systems: Recommendations of the National Institute of Standards and Technology19 that made nine recommendations for providing secure Voice-over-Internet Protocol (VOIP) services, noting that VOIP introduces potential new cybersecurity risks. The recommendations include the development of appropriate network architecture and the importance of physical controls in preventing unauthorized access to information.

A report from the Environmental Protection Agency’s (EPA’s) Office of the Inspector General—EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Supervisory Control and Data Acquisition (SCADA) Vulnerabilities—issued January 2005, identified several reasons why vulnerabilities have not been addressed:20

  • Current technological limitations may impede implementing security measures.

  • Companies may not be able to afford or justify the required investment.

  • Utilities may not be able to conduct background checks on existing employees.

  • Officials may not permit SCADA penetration testing.

  • Technical engineers may have difficulty communicating security needs to management.

This report from EPA’s Office of the Inspector General recommended that the EPA notify DHS and Congress of problems for which it found no apparent solutions.

The Congressional Research Service (CRS) report Creating a National Framework for Cybersecurity: An Analysis of Issues and Options, issued in February 2005, states that “despite increasing attention from federal and state governments and international organizations, the defense against attacks on these systems has appeared to be generally fragmented and varying widely in effectiveness. Concerns have grown that what is needed is a national cybersecurity framework—a coordinated, coherent set of public- and private-sector efforts required to ensure an acceptable level of cybersecurity for the nation.”21

The CRS report identifies various approaches taken, all of which are recommended by one or more of the reports described in this section. These include adopting standards and certification, promulgating best practices and guidelines, using benchmarks and checklists, using auditing, improving training and education, building security into enterprise architecture, using risk management, and employing metrics. It notes that “none of them are likely to be widely adopted in the absence of sufficient economic incentives for cybersecurity.” The CRS report also notes concerns about the effectiveness of market forces to provide adequate cybersecurity and the narrow scope of the policy activity in contrast with the apparent need for broad policy actions as called for in the 2003 National Strategy to Secure Cyberspace and similar documents. It also identifies the response to the year-2000 computer problem and federal safety and environmental regulations as models for possible federal action to promote cybersecurity, and further notes that the federal government might do the following:

  • Encourage the widespread adoption of cybersecurity standards and best practices,

  • Leverage the procurement power of the federal government,

  • Make the reporting of incidents mandatory,

  • Use product liability actions to promote attention to cybersecurity,

  • Facilitate the development of cybersecurity insurance, and

  • Strengthen federal cybersecurity programs in DHS and elsewhere.

Released in May 2005, the GAO report Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities notes that DHS has become the focal point for critical infrastructure protection. The report identifies 13 responsibilities that DHS has regarding cybersecurity. It states that “while DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cybersecurity-related responsibilities that we [GAO] identified in federal law and policy, and it has much work ahead in order to be able to fully address them.” It states that the Interim National Infrastructure Protection Plan is one of several efforts that DHS has undertaken to address its responsibilities for cybersecurity, but notes that DHS has not undertaken a number of critical activities. It cites several organizational barriers and underlying challenges that DHS will need to overcome to assume the key role envisioned for it in strengthening the cybersecurity of critical infrastructures and serving as the strong cybersecurity focal point envisioned in federal law and policy.22

In September 2006, the GAO report Coordination of Federal Cyber Security Research and Development sought to identify the federal entities involved in cybersecurity R&D; actions taken to improve oversight and coordination of federal cybersecurity R&D, including the development of a federal research agenda; and methods used for technology transfer at agencies with significant activities in this area.23

The September 2006 GAO report reviews policy actions over the past few years, describes the nature of cybersecurity research support by the various federal agencies, and presents a description of the organization of federal cybersecurity R&D oversight and coordination. It notes several important steps taken by federal agencies to improve the oversight and coordination of federal cybersecurity R&D, including the following: chartering an interagency working group to focus on this type of research, publishing a federal plan for cybersecurity and information assurance research that is to provide baseline information and a framework for planning and conducting this research, separating the reporting of budget information for cybersecurity research from other types of research, and maintaining government-wide repositories of information on R&D projects.

One shortcoming specifically identified in this 2006 GAO report regarding coordination is the continuing lack of an R&D roadmap called for in the National Strategy to Secure Cyberspace. (A call for input as a first step to creating such a roadmap was made in April 2006 by the Interagency Working Group on Cyber Security and Information Assurance. See Section B.5, Notable Recent Efforts at Identifying a Research Agenda, below, for a description of this activity.) Overall, the 2006 GAO report found that while progress is being made, key elements of the federal research agenda called for in the National Strategy to Secure Cyberspace have yet to be developed.

To strengthen federal cybersecurity R&D programs, the 2006 GAO report recommends that the Office of Science and Technology Policy establish firm timelines for the completion of the federal cybersecurity R&D agenda—including near-term, mid-term, and long-term research—with the following elements: timelines and milestones for conducting R&D activities; goals and measures for evaluating R&D activities; assignment of responsibility for implementation, including the accomplishment of the focus areas and suggested research priorities; and the alignment of funding priorities with technical priorities. The report also recommends that the director of the Office of Management and Budget issue guidance to agencies on reporting information about federally funded cybersecurity R&D projects to government-wide repositories.

22 See GAO-05-434; available at http://www.gao.gov/new.items/d05434.pdf.

23 See GAO-06-811; available at http://www.gao.gov/new.items/d06811.pdf.

In the 2006 report from the Association for Computing Machinery (ACM) entitled Globalization and Offshoring of Software, Chapter 6 focuses on cybersecurity risks and exposures presented as a result of the offshoring of software development. The chapter argues that “offshoring exacerbates existing risk and introduces new types of risk by opening more opportunities for incursion, accident, or exposure; and it may greatly complicate jurisdictional issues.” This chapter raises a number of issues that it argues must be dealt with to address these risks and exposures. It concludes that the concerns raised need “not lead to a wholesale condemnation and rejection of offshoring but rather to the recognition of the inadequate attention so far paid to these risks” and the need for “prudently cautious, thoughtful, and effective practices in preventing and dealing with these risks.”24

B.4
PUBLIC-PRIVATE COLLABORATION, COORDINATION, AND COOPERATION

Federal and state governments have taken steps to secure information systems that they manage. FISMA is an example of policy aimed at securing information infrastructure managed by the public sector. Yet, DHS estimates that 85 percent of all critical infrastructures are operated by the private sector.25 The National Strategy to Secure Cyberspace identifies public-private partnership as the cornerstone of securing cyberspace. This emphasis echoes and reinforces that placed on private-sector involvement in Presidential Decision Directive (PDD) 63, the Clinton administration’s policy on “Critical Infrastructure Protection,” issued in May 1998.26 This section identifies steps taken by government and the private sector to actively engage private-sector participation, collaboration, and partnership with the public sector.

24

Association of Computing Machinery, Job Migration Task Force, Globalization and Offshoring of Software, 2006, especially pp. 6-1 through 6-32; available at http://www.acm.org/globalizationreport.

25

Department of Homeland Security, Press Release, “DHS Launches Protected Critical Infrastructure Information Program to Enhance Homeland Security, Facilitate Information Sharing,” Washington, D.C., February 18, 2004; available at http://www.dhs.gov/xnews/releases/press_release_0350.shtm.

26

Presidential Decision Directive (PDD) 63, “Critical Infrastructure Protection,” May 22, 1998; available at http://www.fas.org/irp/offdocs/pdd/pdd-63.htm.

B.4.1
Information Sharing and Analysis Centers

Presidential Decision Directive 63 created the National Infrastructure Protection Center (NIPC). The NIPC was intended to serve as a national focal point for gathering information on threats to the infrastructures. PDD 63 further recommended the creation of Information Sharing and Analysis Centers (ISACs), meant to “serve as the mechanism for gathering, analyzing, appropriately sanitizing and disseminating private sector information” to both industry and appropriate government agencies.27 PDD 63 recommended that an ISAC be created for each major infrastructure in the United States. The owners and operators of the infrastructure would determine the design and functions of the center for their sector in consultation with the federal government. The function of the NIPC was integrated into the National Protection and Programs Directorate of DHS as a result of the directives of HSPD-7. Several sector-specific ISACs for the chemical industry, electric power, emergency management and response, financial services, food and agriculture, real estate, state government, surface transportation, telecommunications, and water have been established to allow critical private sectors and infrastructure owners to share information and work with DHS to improve protection of the infrastructure and to coordinate response to threats.

The ISAC Council was created in 2003 “to advance the physical and cyber security of the critical infrastructures of North America by establishing and maintaining a framework for valuable interaction between and among the ISACs and with government.”28 A 2004 white paper from the ISAC Council sought to describe the degree of penetration that each ISAC has had into the infrastructure of the United States.29 The white paper noted that penetration varied widely from sector to sector, with overall participation at approximately 65 percent of the U.S. private infrastructure. It also noted the importance of government funding support to assist ISACs in reaching numerous small but critical infrastructure owners who are unable to afford ISAC membership and the dedication of resources necessary to participate.30

27

PDD 63, “Annex A. Structure and Organization.”

28

Information Sharing and Analysis Centers (ISAC) Council Web site, http://www.isaccouncil.org/about/index.php.

29

ISAC Council, “Reach of the Major ISACs,” White Paper, January 31, 2004; available at http://www.isaccouncil.org/about/index.php.

30

ISAC Council, “Reach of the Major ISACs,” p. 8.

B.4.2
Alliances and Partnerships

In September 2002 the workshop called Accelerating Trustworthy Internetworking (ATI) was held to initiate discussion on how to encourage collaborative activities across academia, industry, and government in the emerging interdisciplinary trustworthy internetworking area. ATI participants included government agencies, private industry, universities, and nonprofit organizations. The goal was to accelerate progress toward high-grade commercial security for Internetworking applications.31 A second ATI workshop held in January 2004 continued the work of the initial workshop and resulted in the 2004 Accelerating Trustworthy Internetworking Workshop Report.32 The report notes a number of trends emerging since the 2002 workshop. For example:

  • The critical role of IT in infrastructure protection has become clearer and has led to an interest in applications drivers that focus on both critical and pervasive scenarios;

  • The key role of the private sector—and the importance of relationships among government, universities, industry, and other sectors—in addressing this challenge has been made more clear;

  • The need for fundamental (not incremental) cybersecurity improvement goals has been recognized, as has the need for a pervasive trustworthy Internetworking environment to support critical applications;

  • There is a growing realization that achieving a trustworthy Internet for these applications may well require a new paradigm, or architecture; hence the reference to trustworthy Internetworking;

  • The recently formed Department of Homeland Security has taken responsibility for cybersecurity, and Congress has become increasingly interested in this area; and

  • The National Science Foundation and DHS are focusing research resources on cybersecurity.

The ATI Workshop Report states that the “full sustainable potential for scalable and pervasive information technologies cannot be achieved until the architectural framework broadly adopted in pervasive market driven applications, also functions as the underlying framework for critical applications driven by needs of national and domestic security.”33 It recommended the development of a collaborative research organization based at a consortium of universities to serve as a “safe place where competing companies can meet with university researchers and set commonalities” and provide a focal point for government involvement. Further objectives included building community-shared “road maps” to encourage support for research collaboration, pilot projects, testbeds, and test-case sharing.

31

Accelerating Trustworthy Internetworking (ATI) Workshop Report, September 3-5, 2002; available at http://www.ati2002.org/.

32

Accelerating Trustworthy Internetworking (ATI) Workshop Report, April 2004; available at http://www.gtisc.gatech.edu/2004site/ati2004/ATI_Report_FINAL_4-25-04.pdf.

33

ATI Workshop Report, April 2004, p. 1. Italics in the original.

Three major industry alliance groups have formed since the release of the 2003 National Strategy to Secure Cyberspace, which emphasized the importance of private-sector participation in improving cybersecurity through the adoption and diffusion of cybersecurity technology. The three groups are the National Cyber Security Partnership (NCSP),34 the Trusted Computing Group (TCG),35 and the Cyber Security Industry Alliance (CSIA).36

The NCSP, led by the Business Software Alliance, the Information Technology Association of America, TechNet, and the U.S. Chamber of Commerce, was established in 2003 as a public-private partnership to develop shared strategies and programs to better secure and enhance America’s critical information infrastructure. NCSP created the following five task forces composed of cybersecurity experts from industry, academia and government: awareness for home users and small businesses, cybersecurity early warning, corporate governance, security across the software development life cycle, and technical standards and common criteria. Each task force produced a report with recommendations for action, published between March and April 2004.37

NCSP notes that “like most risks in life, cyber security risks can be mitigated, but not completely eliminated. The nature of the threat is constantly evolving. Not all companies and institutions will share the same level of commitment to protecting their cyber-dependent resources from attack.”38 It advocates increased spending by government agencies to put in place the appropriate people, processes, and technologies in order to demonstrate leadership in cybersecurity. It says that “attempts by government to legislate or regulate cybersecurity would be counterproductive, creating a least common denominator for cyber security practitioners and doing little to stop those intent on wrongfully hacking into systems”; it further notes that industry failure to take proactive steps to demonstrate its commitment to and to make substantial improvements in cybersecurity will open the door for greater government involvement. While NCSP states its intent to continue activities for the foreseeable future, no new activity has occurred since the release of the task force reports in 2004.

34

Information available at http://www.cyberpartnership.org/init-governance.html.

35

Information available at https://www.trustedcomputinggroup.org/home.

36

Information available at https://www.csialliance.org/home. Note that this organization is distinct from the Interagency Working Group on Cyber Security and Information Assurance, which goes by the same acronym.

37

See http://www.cyberpartnership.org/init.html.

38

See http://www.cyberpartnership.org/about-faq.html.


Also formed in 2003, the Trusted Computing Group is a “not-for-profit organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices.”39 TCG has more than 135 members, including component vendors, software developers, systems vendors, and network and infrastructure companies. It has issued standards for the Trusted Platform Module (TPM) used in personal computers (PCs) and other systems and a software interface specification to enable application development for systems using the TPM. It has also issued a trusted server specification and trusted network connect specification to enable network protection. TCG continues to be active and is developing specifications for storage, peripherals, and mobile devices.

The Cyber Security Industry Alliance, formed in 2004, is a public policy and advocacy group exclusively focused on cybersecurity policy issues. Its membership consists primarily of private-sector information security firms. Its mission is to enhance cybersecurity through public policy initiatives, public-sector partnerships, corporate outreach, academic programs, alignment behind emerging industry technology standards, and public education. Perhaps its most visible effort has been its regular consumer survey to determine the “digital confidence index,” which is meant to measure public attitudes regarding the security of information systems. Among other things, the Alliance tracks proposed legislation related to cybersecurity issues—for example, spyware, phishing, identity theft, and privacy.

B.4.3
Private-Sector Support for Cybersecurity Research in Academia

A number of private-sector companies have supported cybersecurity academic research. For instance, Microsoft has funded research in universities on trustworthiness through a request for proposals process for the past few years.40 Some companies have placed provisions on the results of such research, limiting availability to the sponsoring company for some period of time prior to their being generally available to the wider community or restricting publication of detailed excerpts of the data. Detailed or comprehensive figures about funding levels or the conditions placed on such funding are not publicly available.

39

See https://www.trustedcomputinggroup.org/about/.

40

Microsoft and the External Research and Programs group announced the recipients of two Request for Proposal Programs, Trustworthy Computing and Virtual Earth Digital Photography. See http://www.microsoft.com/presspass/features/2006/feb06/02-21Research.mspx.


B.5
NOTABLE RECENT EFFORTS AT IDENTIFYING A RESEARCH AGENDA

The academic and policy communities concerned with cybersecurity have held numerous conferences and issued a number of reports aimed at identifying critical elements for a research and development agenda based on the current state of cybersecurity in existing information systems infrastructure.

The 2002 report of the National Research Council (NRC) entitled Making the Nation Safer: The Role of Science and Technology in Countering Terrorism dedicated a chapter to cybersecurity.41 The report outlined a broad IT research agenda for improving cybersecurity and counterterrorism efforts, including information and network security, emergency response, and information fusion. It emphasized that none of these areas “can be characterized by the presence of a single impediment whose removal would allow everything else to fall into place.” The report stressed that none of these areas is new, but called for additional research because the existing technologies are not sufficiently robust or effective, they degrade performance or functionality too severely, or they are too hard to use or too expensive to deploy. Finally, the report noted that the research and development agenda is one of the means of leverage that is readily available (beyond constructive engagement with the private sector) to the federal government for influencing progress toward better cybersecurity.

The Institute for Information Infrastructure Protection (I3P), a consortium of academic research centers, government laboratories, and not-for-profit research organizations, was founded in September 2001. I3P identifies as its primary role the coordinating of a national cybersecurity R&D program; helping to build bridges between academia, industry, and government; and reaching out to government and industry so as to foster collaboration and information sharing and to overcome historical, legal, and cultural problems that have prevented some research organizations from working together. I3P issued its Cyber Security Research and Development Agenda in January 2003, stating that it sought to “help meet a well-documented need for improved research and development to protect the Nation’s information infrastructure against catastrophic failures.” This report, which defines an R&D agenda for cybersecurity and says that the agenda will continue to evolve as required, identifies eight areas as underserved and ripe for new or additional R&D:42

41

National Research Council, Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, The National Academies Press, Washington, D.C., 2002.

42

Institute for Information Infrastructure Protection (I3P). The 2003 Cyber Security Research and Development Agenda is available at http://www.thei3p.org/about/2003_Cyber_Security_RD_Agenda.pdf.

  • Enterprise Security Management

  • Trust Among Distributed Autonomous Parties

  • Discovery and Analysis of Security Properties and Vulnerabilities

  • Secure System and Network Response and Recovery

  • Traceback, Identification, and Forensics

  • Wireless Security

  • Metrics and Models

  • Law, Policy, and Economic Issues

A brief problem description, existing research and capabilities, and potential research areas are identified for each general area. In addition, I3P maintains a directory of organizations that work in the area of cybersecurity.

The President’s National Security Telecommunications Advisory Committee (NSTAC)43 held a series of Research and Development Exchange Workshops in 2003,44 2004,45 and 2006.46 The R&D Exchange Workshops are part of what NSTAC sees as its evolving mission, to offer advice to the government on how to protect the information infrastructure from threats and vulnerabilities that might ultimately jeopardize the country’s national and economic security.47 NSTAC is part of the National Communication System (NCS), which became part of DHS. Its work plan includes initiatives that intersect with various programs set forth in the 2000 National Plan for Information Systems Protection,48 “i.e., information sharing, the security and reliability of converged networks, and research and development issues related to converged networks.”

The 2004 Research and Development Exchange Workshop Proceedings identifies five findings regarding the trustworthiness of telecommunications and information systems:

43

The President’s National Security Telecommunications Advisory Committee is composed of up to 30 industry chief executives representing the major communications and network service providers and information technology, finance, and aerospace companies. NSTAC was created by executive order to provide industry-based advice and expertise to the president on issues and problems related to implementing national security and emergency preparedness communications policy.

44

National Security Telecommunications Advisory Committee, 2003 Research and Development Exchange Proceedings: Research and Development Issues to Ensure Trustworthiness in Telecommunications and Information Systems that Directly or Indirectly Impact National Security and Emergency Preparedness, May 2003; available at http://www.ncs.gov/nstac/reports/2003/2003%20RDX%20Proceedings.pdf.

45

The 2004 Research and Development Exchange Workshop Proceedings are available at http://www.ncs.gov/nstac/reports/2005/2004%20RDX%20Workshop%20Proceedings.pdf.

46

See a summary of the conference objectives and briefing slides, available at http://www.ncs.gov/nstac/rd/nstac_rdexchange_ont.html.

47

See “How the NSTAC Is Tackling Today’s Issues,” available at http://www.ncs.gov/nstac/nstac.html.

48

See http://www.fas.org/irp/offdocs/pdd/CIP-plan.pdf.

  • Collaboration is essential for successful R&D initiatives….

  • Ubiquitous, interoperable identity management and authentication systems must be embedded into future networks….

  • A need to examine interdependencies between critical infrastructures, especially the implications of the intersection between telecommunications and electric power….

  • A need to influence business drivers and policy levers and provide other incentives to promote a culture of security….

  • Agreement on a common agenda is critical to achieve progress in trustworthiness R&D.

The National Science Foundation sponsored the workshop “Security at Line Speed” in November 2003. The goal of the workshop was to “disseminate information on problems, discuss potential solutions and identify areas requiring additional research” related to coupling the performance requirements of advanced applications with the necessities of prudent network security.49 The workshop consensus was as follows:

  • Solutions exist, but they are not easy…. There are network architectures and technologies that are useful…. There are steps that the research community can take to adapt their protocols and approaches to better fit the realities of the current level of security threats. The use of layered authentication and authorization services offer new opportunities for security. The traditional benefits of education and awareness, mixed with appropriate policies, remain….

  • But they may not be sufficient. Applied security research, well anchored in the realities of performance issues and network constraints, could significantly advance the future options available…. The investment in research and deployment may need to be considerable.

  • The future open networks will require new research…. The state of networking is at a crossroads. If no action is taken, we will continue to see attacks, experience pain and create barriers that will eventually hinder the ability for the network to support the original goal of the Internet….50

The NSF workshop report notes the need for new research alternatives requiring basic research to begin to address the need for improvements in network performance and security brought about by the changing reality of how networks are used. It calls for user-level tools that simplify the process of protecting hosts and user education to increase understanding of the importance of security. It notes the need for the research and creation of tools to assist administrators. Finally, it notes the need for a set of applications communications standards that are coordinated and managed by an objective organization that can support competing efforts.

49

Security at Line Speed Workshop: Workshop Findings and Report, available at http://apps.internet2.edu/sals/files/20031108-wr-sals-v1.1.pdf.

50

Security at Line Speed Workshop: Workshop Findings and Report, available at http://apps.internet2.edu/sals/files/20031108-wr-sals-v1.1.pdf.

Also in November 2003, the Computing Research Association (CRA) held the conference “Grand Research Challenges in Information Security and Assurance.”51 Grand Research Challenges seek to inspire creative thinking and vision. As specific examples, CRA cites future research that might emerge from factors such as pervasive networking and mobility; increasing volumes of data; smaller, cheaper embedded computing; and a growing population of user-centric services. The identification of the following four Grand Challenges resulted from the CRA conference:52

  • The elimination of epidemic-style attacks (viruses, worms, e-mail spam) within 10 years;

  • The development of tools and principles that allow large-scale systems to be constructed for important societal applications—such as medical-records systems—that are highly trustworthy despite being attractive targets;

  • The development of quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade; and

  • The provision of end-users with security controls that they can understand and privacy that they can control for the dynamic, pervasive computing environments of the future.

The basis of the Grand Challenges requires the sharing of information on computer security risks—a tactic that the community has been reluctant to adopt, unlike the telecommunications industry, which shares information on outages.53 The CRA conference presented two alternative futures, depending on whether or not the Grand Challenges can be met. One future envisioned overwhelming unsolicited junk, rampant identity theft, frequent network outages, frequent manual intervention, and largely unchecked abuses of laws and rights. The alternative future envisioned a world with no spam or viruses, uninterrupted communications, user-controlled privacy, and balanced regulation and law enforcement. The CRA conference argued that meeting the challenges (which go beyond those of national defense) requires a focus on long-term research (because the immediacy of the threat concentrates too much attention on near-term needs) and an enlarged talent pool.

51

See http://www.cra.org/Activities/grand.challenges/security/home.html.

52

See http://www.cra.org/Activities/grand.challenges/security/grayslides.pdf.

53

Summary of remarks by Richard DeMillo, Georgia Institute of Technology, in a presentation to the NRC committee, Washington, D.C., July 27, 2004.

The Institute for Security Technologies Studies (ISTS) issued Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Research and Development Agenda in June 2004; the report addresses the highest-priority technological impediments that face law enforcement when it is investigating and responding to cyberattacks and for which research and development might provide solutions. It documents the “continuing, critical, unmet needs of the law enforcement community for solutions to assist in the investigation and prosecution of cyber attacks,” and it prioritizes the needs of the cyberattack investigative community that can form the basis for targeted research and development. The ISTS report identifies a number of themes:54

  • The need to automate tasks in the investigative process,

  • Tools that produce evidence-quality data,

  • Reducing the cost of available tools,

  • Reducing the reliance on insiders or individuals who may be suspects in cyberattacks, and

  • The need for continued and expanded public-private partnership, collaboration, and information sharing.

54

See http://www.ists.dartmouth.edu/TAG/randd.htm.

55

See http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.

56

See the President’s Information Technology Advisory Committee Web site at http://www.nitrd.gov/pitac/.

In February 2005 the President’s Information Technology Advisory Committee (PITAC) issued a report to the president entitled Cyber Security: A Crisis of Prioritization (hereafter, “the PITAC report”).55 The committee was established to provide “the President, Congress, and the Federal agencies involved in Networking and Information Technology Research and Development (NITRD) with expert, independent advice on maintaining America’s preeminence in advanced information technologies, including such critical elements of the national infrastructure as high performance computing, large-scale networking, and high assurance software and systems design.”56 The PITAC report stresses how vital the information technology infrastructure has now become for communication, commerce, and control of physical infrastructure. It also stresses that the IT infrastructure is highly vulnerable to terrorist and criminal attacks and that the vulnerabilities are growing rapidly. It cites broad consensus among computer scientists that endless patching is not a solution and that the long-term answer requires fundamentally new security models and methods. The report identifies four key issues, all related to cybersecurity research. Specifically, it found the following:

  • Inadequate funding—Federal R&D funding for fundamental research in civilian cybersecurity is inadequate. Increased funding is needed for NSF to support such research.

  • Lack of researchers and education—The research community is too small to support the necessary research and education. Increased and stable funding is needed to promote recruitment and retention of researchers and students.

  • Ineffective technology transfer—Current technology transfer efforts are inadequate to successfully transfer federal research investments into civilian-sector best practices and products. The development of metrics, models, data sets, and testbeds is needed so that new products and best practices can be evaluated. Partnerships with the private sector need strengthening.

  • Lack of coordination and oversight—Current federal R&D effort is unfocused and inefficient. A focal point for coordinating cybersecurity R&D efforts is needed: specifically, the Interagency Working Group on Critical Information Infrastructure Protection (CIIP).

The PITAC report offers 10 priority areas for increased research focus: authentication technologies; secure fundamental protocols; secure software engineering and software assurance; holistic system security; monitoring and detection; mitigation and recovery methodologies; cyber forensics; modeling and testbeds; metrics, benchmarks, and best practices; and nontechnology issues (psychological, societal, institutional, legal, and economic) that can affect cybersecurity. NSF was singled out by the report for increased funding—a total of $90 million annually—to support fundamental research in civilian cybersecurity.

PITAC was disbanded in June 2005 by the Bush administration. An executive order designated the President’s Council of Advisors on Science and Technology (PCAST) to serve in the role of PITAC.57

In July 2005 the “OSTP/OMB Memorandum on Administration, FY 2007 R&D Budget Priorities” called for placing high priority on R&D investments in cyber infrastructure protection as well as high-end computing.58 It specifically called for agencies to work through the National Science and Technology Council (NSTC) to generate a detailed gap analysis of R&D funding reflecting the importance of cybersecurity and the need to ensure that areas in need of research be covered in the federal R&D program.

57

Executive Order 13385, “Continuance of Certain Federal Advisory Committees and Amendments to and Revocation of Other Executive Orders,” September 30, 2005, available at http://edocket.access.gpo.gov/2005/pdf/05-19993.pdf.

58

Joint Memorandum of the Office of Management and Budget and the Office of Science and Technology Policy, “OSTP/OMB Memorandum on Administration, FY 2007 R&D Budget Priorities,” Washington, D.C., July 8, 2005.

The INFOSEC Research Council (IRC)59 issued its Hard Problem List 2005 in November 2005.60 As the report notes, the hard problems on this list were chosen because they represent fundamental technical challenges that arise in building and operating trustworthy systems, because they are inherently complex, and because of their importance to government missions. They do not (as the report also states) by any means represent the only challenges to the field of IT security. The eight topic areas identified as most relevant over the next 5 to 10 years are as follows:

  • Global-scale identity management: Global-scale identification, authentication, access control, authorization, and management of identities and identity-related information;

  • Insider threat: Mitigation of insider threats in cyberspace to an extent comparable to that of mitigation of comparable threats in physical space;

  • Availability of time-critical systems: Guaranteed availability of information services, even in resource-limited, geospatially distributed, on-demand ad hoc environments;

  • Building scalable secure systems: Design, construction, verification, and validation of system components and systems ranging from crucial embedded devices to systems composing millions of lines of code;

  • Situational understanding and attack attribution: Reliable understanding of the status of information systems, including information concerning possible attacks, who or what is responsible for the attack, the extent of the attack, and recommended response;

  • Information provenance: The ability to track the pedigree of information in very large systems with petabytes of information;

  • Security with privacy: Technical means for improving information security without sacrificing privacy; and

  • Enterprise-level security metrics: The ability to effectively measure the security of large systems with hundreds to millions of users.

59

The INFOSEC Research Council consists of U.S. government sponsors of information security research from the Department of Defense, the intelligence community, and federal civil agencies. The IRC provides its membership with a community-wide forum for discussing critical information security issues, conveying the research needs of their respective communities, and describing current research initiatives and proposed courses of action for future research investments. Further information on the IRC is available at http://www.infosec-research.org.

60

INFOSEC Research Council (IRC), “Hard Problem List 2005,” available at http://www.infosec-research.org/docs_public/20051130-IRC-HPL-FINAL.pdf.

In April 2006 the Interagency Working Group on Cyber Security and Information Assurance (CSIA), under the auspices of the NSTC, issued the Federal Plan for Cyber Security and Information Assurance Research and Development.61 CSIA reports jointly to the NSTC subcommittee on Infrastructure and the NSTC subcommittee on NITRD. The plan is intended to provide “baseline information and a technical framework for coordinating multi-agency R&D in cyber security and information assurance.”62 The scope of the plan is limited specifically to federal R&D objectives. Within this scope the plan is comprehensive in laying out the breadth of technical perspectives on cybersecurity R&D. It also provides an overview of the threats, threat agents, asymmetric advantages of those agents, vulnerability trends, and infrastructure sectors of particular immediate concern—that is, industrial process control systems and the banking and finance sector.

This Federal Plan also aims to respond to recent calls for improving the overall federal cybersecurity R&D program. Specifically, it responds to the following reports and policy actions already discussed: the “OSTP/OMB Memorandum on Administration, FY 2007 R&D Budget Priorities”; Cyber Security: A Crisis of Prioritization, the 2005 PITAC report; the 2003 National Strategy to Secure Cyberspace; and the Cyber Security Research and Development Act of 2002 (P.L. No. 107-305). Seven broad objectives are identified by the plan as being strategic to federal R&D efforts:63

  1. Support research, development, testing, and evaluation of cyber security and information assurance technologies aimed at preventing, protecting against, detecting, responding to, and recovering from cyber attacks that may have large-scale consequences.

  2. Address cyber security and information assurance R&D needs that are unique to critical infrastructures.

  3. Develop and accelerate the deployment of new communication protocols that better assure the security of information transmitted over networks.

  4. Support the establishment of experimental environments such as testbeds that allow government, academic, and industry researchers to conduct a broad range of cyber security and information assurance development and assessment activities.

  5. Provide a foundation for the long-term goal of economically informed, risk-based cyber security and information assurance decision making.

  6. Provide novel and next-generation secure IT concepts and architectures through long-term research.

  7. Facilitate technology transition and diffusion of federally funded R&D results into commercial products and services and private-sector use.

61

National Science and Technology Council, Federal Plan for Cyber Security and Information Assurance Research and Development, National Coordinating Office for Networking and Information Technology Research and Development, April 2006; available at http://www.nitrd.gov/pubs/csia/csia_federal_plan.pdf.

62

National Science and Technology Council, Federal Plan for Cyber Security, 2006, p. ix.

63

National Science and Technology Council, Federal Plan for Cyber Security, 2006, p. x.

These objectives were drawn from a review of legislative and regulatory policy requirements, analyses of cybersecurity threats and infrastructure vulnerabilities, and agency mission requirements. The Federal Plan makes a detailed analysis of federal cybersecurity R&D technical and funding priorities for areas broken into eight categories, each with several subcategories. For each subcategory, a definition of the area, its importance, the current state of the art, and the existing capability gap are provided. The eight categories and their subcategories are as follows:64

  1. Fundamental Cyber Security and Information Assurance, including authentication, authorization, and trust management; access control and privilege management; attack protection, prevention, and preemption; large-scale cyber situational awareness; automated attack detection, warning, and response; insider threat detection and mitigation; detection of hidden information and covert information flows; recovery and reconstitution; and forensics, traceback, and attribution.

  2. Securing the Infrastructure, including secure domain name system; secure routing protocols; IPV6, IPSec, and other Internet protocols; and secure process control systems.

  3. Domain-Specific Security, including wireless security; secure radio frequency identification; security of converged networks and heterogeneous traffic; and next-generation priority services.

  4. Cyber Security and Information Assurance Characterization and Assessment, including software quality assessment and fault characterization; detection of vulnerabilities and malicious code; standards; metrics; software testing and assessment tools; risk-based decision making; and critical infrastructure dependencies and interdependencies.

  5. Foundations for Cyber Security and Information Assurance, including hardware and firmware security; secure operating systems; security-centric programming languages; security technology and policy management methods and policy specification languages; information provenance; information integrity; cryptography; multi-level security; secure software engineering; fault-tolerant and resilient systems; integrated, enterprise-wide security monitoring and management; and analytical techniques for security across the IT systems engineering life cycle.

  6. Enabling Technologies for Cyber Security and Information Assurance R&D, including cyber security and information assurance R&D testbeds; IT system modeling, simulation, and visualization; Internet modeling, simulation, and visualization; network mapping; and red teaming.

  7. Advanced and Next-Generation Systems and Architectures, including trusted computing base architectures; inherently secure, high-assurance, and provably secure systems and architectures; composable and scalable secure systems; autonomic systems; architectures for next-generation Internet infrastructure; and quantum cryptography.

  8. Social Dimensions of Cyber Security and Information Assurance, including trust in the Internet; and privacy.

64

National Science and Technology Council, Federal Plan for Cyber Security, 2006, Part II.

The R&D priorities identified in the Federal Plan are compared with both the IRC and PITAC reports. The generally close alignment between the three reports is called “particularly noteworthy.”65 Authentication, secure software engineering, security throughout the system life cycle, monitoring and detection, modeling and testbeds, metrics, benchmarking and best practices, and privacy are all identified as top R&D priorities in various ways across all three reports.

The Federal Plan makes 10 recommendations for federal strategic interagency R&D to strengthen cybersecurity and information assurance in IT infrastructure, noting the need to collaborate and coordinate with the private sector:66

  1. Target Federal R&D investments to strategic cyber security and information assurance needs….

  2. Focus on threats with the greatest potential impact….

  3. Make cyber security and information assurance R&D both an individual agency and an interagency budget priority….

  4. Support sustained interagency coordination and collaboration on cyber security and information assurance R&D….

  5. Build security in from the beginning….

  6. Assess security implications of emerging information technologies….

  7. Develop a roadmap for Federal cyber security and information assurance R&D….

  8. Develop and apply new metrics to assess cyber security and information assurance….

  9. Institute more effective coordination with the private sector….

  10. Strengthen R&D partnerships, including those with the international partners….

65

National Science and Technology Council, Federal Plan for Cyber Security, 2006, p. 21.

66

National Science and Technology Council, Federal Plan for Cyber Security, 2006, pp. 23-26.

The Federal Plan stresses the need for interagency coordination to be strengthened within the context of the continuing mission-specific focus of the various agencies cooperating through NITRD.

In October 2006, CSIA requested input from the computing community on the roadmap for cybersecurity R&D called for in the recommendations (item 7 above).67 It specifically sought input in four broad topics: R&D strategic issues, R&D technical topics and priorities (as listed in the request), R&D roadmap, and R&D recommendations in the Federal Plan. The GAO had noted in a September 2006 report the lack of steps taken to date toward creating such a roadmap.

B.6
THE CURRENT FEDERAL RESEARCH AND DEVELOPMENT LANDSCAPE

This section characterizes the current research activity in cybersecurity being supported by various federal agencies in line with their respective mission focuses. The nature of supported activity in cybersecurity is outlined for each agency. Research focus areas are identified, and a summary of the activities—based on focus area—is provided for each agency supporting or undertaking R&D research.

B.6.1
The Nature of Supported Activity in Cybersecurity

The nature of the activity supported by federal agencies varies depending on the mission of the agency. The following summarizes the primary goals of the support that each agency provides for cybersecurity:

  • National Science Foundation (NSF)—Basic research, building research capacity.

  • Defense Advanced Research Projects Agency (DARPA)—Mission-oriented with the objective of rapid technology transfer for military operational use.

  • Department of Homeland Security (DHS)—Development and near-term deployment of useful cybersecurity technologies.

  • National Institute of Standards and Technology (NIST)—Standards, guidelines, and certification.

  • Department of Energy (DOE)—Provision of a trustworthy environment for access to distributed resources and for supporting collaborative management of those resources.

  • National Security Agency (NSA) and intelligence agencies—The unclassified and defensive portion of these agencies’ mission is applied research aimed at growing the capabilities necessary to protect national information infrastructure, including support for education aimed at building the necessary domestic cadre of cybersecurity researchers and developers.

  • Other agencies (e.g., Federal Aviation Administration [FAA], Department of Justice [DOJ], Department of Defense [DOD])—Mission-specific objectives relating to protecting information systems and infrastructure.

67

Subcommittee on Networking and Information Technology Research and Development, “Invitation to Submit White Papers on Developing a Roadmap for Cybersecurity and Information Assurance Research and Development,” October 31, 2006; available at http://www.nitrd.gov/subcommittee/csia/CSIA_White_Papers_Final_103106.pdf.

The agencies use a variety of approaches to support research to address their primary goals. Some agencies do all of their research in government laboratories, while others fund a mixture of university or private-industry research. NSF, DARPA, and DHS made recent solicitations directed at supporting cybersecurity research.

NSF supports a broad range of basic research in several areas of cybersecurity research. NSF’s Cyber Trust program is dedicated to supporting basic cybersecurity research. It has funded a number of center-scale research efforts of limited scope and duration to provide support for specific focus areas. NSF also supports cybersecurity research through various other programs. DARPA supported one unclassified program directed at cybersecurity in 2004. All research projects in this program focus on one aspect of cybersecurity research. This is consistent with recent DARPA programs addressing cybersecurity. DHS—in keeping with the cybersecurity mission specified for it in the National Strategy to Secure Cyberspace—focused on operational aspects of cybersecurity through its National Cybersecurity Division (NCS), although (as noted in the PITAC report) less than 1 percent of its R&D budget is spent on cybersecurity research.

The Homeland Security Advanced Research Projects Agency (HSARPA) solicited proposals for cybersecurity research and development from the academic and private sectors. The focus of this solicitation was on the improvement of existing technologies, the development of new technologies, and technology transfer. DOE cybersecurity research is closely coupled with the science applications that it is focused on supporting—primarily, secure collaborative management of infrastructure resources. The primary focus of NIST’s Computer Security Division is cybersecurity tools, standards, best practices, and guidelines. It performs in-house research on cybersecurity in support of this focus.

B.6.2
Interagency Cooperation and Coordination

Several coordinating bodies within the federal government address various aspects of cybersecurity R&D. Two of these, NITRD and CIIP, are under the NSTC. Furthermore, NITRD’s Interagency Working Group (IWG) on Cyber Security and Information Assurance was responsible for the creation of the 2006 Federal Plan for Cyber Security and Information Assurance Research and Development. As noted previously, this plan was intended to address concerns about the need for more comprehensive coordination of the federal cybersecurity R&D agenda, expressed in the PITAC report and other reports and policy instruments. Several agencies participated in the CSIA IWG: NIST, DOD, DHS, the Department of State, FAA, the Department of the Treasury, the intelligence community, NASA, the National Institutes of Health (NIH), and NSF.

The role of the NITRD program is to provide an interagency coordination function that ensures that unclassified strategic federal IT R&D objectives are covered by the various mission agencies and to provide a mechanism for identifying and addressing gaps in IT R&D. All agencies active in cybersecurity research are included in NITRD. The CSIA Federal Plan is meant to provide a framework for coordinating interagency R&D in the context of the NITRD structure.

B.6.3
Research Focus Areas

Creating trustworthy information infrastructure requires addressing many problems. Cybersecurity can be compromised by a weakness in any aspect of a system or network. Thus, cybersecurity research must encompass a broad range of IT disciplines—hardware, networking, and so on. A trustworthy system should aim to be secure by design, but it should also be able to detect, prevent, and survive attacks. The security life cycle begins with architecture and ends with the ability to identify attackers after the fact. The CSIA Federal Plan previously summarized provides a sense of the breadth of issues that must be considered in order to comprehensively address cybersecurity.

Current research can be classified in a number of ways—for example, using the categories and subcategories used in the Federal Plan. NSF used security discipline and life-cycle classifications for categorizing projects for its 2004 core cybersecurity awards.68 Categorization is helpful for identifying those areas receiving considerable focus and those that are currently receiving limited funding support, although no conclusions can be drawn directly from relative funding in these various areas about the need for funding in a particular focus area—an area may have been well researched in the past, or may be perceived to hold less promise. The following subsections provide specifics about the nature of cybersecurity R&D at each of the agencies that supported or conducted such research.

B.6.4
Agency Specifics
B.6.4.1
National Science Foundation

The National Science Foundation is the leading agency supporting nondefense basic research in cybersecurity. The Cybersecurity Research and Development Act of 2002 includes specific language regarding NSF’s lead role in cybersecurity research and development. It also authorizes appropriations for research.69 The Cyber Trust program is the centerpiece of NSF’s support for cybersecurity research, although the program has not been funded to the fully authorized level.70 The Cyber Trust program was established in response to the Cybersecurity Act to provide a focal point for cybersecurity activity at NSF.

Since 2004, the Cyber Trust program has awarded more than 100 research grants, including the funding of several center-scale cybersecurity research efforts. Other NSF programs—Information Technology Research, Embedded Hybrid Systems, Small Grants for Exploratory Research, Network Research Testbeds, and Experimental Infrastructure Network—supported awards for cybersecurity research. These programs supported more than 100 additional cybersecurity projects. Projects vary in length from 1 to 5 years, with annual awards ranging from $150,000 to $1.5 million for the center-scale projects. Nearly all the awards include some support for graduate and postdoctoral students. According to Karl Levitt, program manager for the Cyber Trust program, the success rate in 2006 for the Cyber Trust program was about 12 percent—and was accomplished by eliminating for that year the funding for center-level grants and by significantly reducing the funding awarded compared with that requested. The ratio of total amounts awarded to total amounts requested was less than 8 percent, a figure comparable to that of fiscal year (FY) 2004. In 2007, the success rate was increased to 20 percent, mostly because the Cyber Trust budget was increased to $34 million, the level it was in 2004-2006, but also because of not making center-level awards.71

68

See http://www.nsf.gov/cise/funding/cyber_awards.jsp.

69

P.L. No. 107-305, Secs. 4-7.

70

See the Cyber Trust program home page at http://www.nsf.gov/funding/pgm_summ.jsp?pims_id=13451&org=CISE.

The type of research being performed covers a broad range of the categories listed in the Federal Plan, although some areas receive significant focus and others relatively little.72 The Cybersecurity Research and Development Act explicitly identifies a number of areas to receive attention. Each of the areas specified was the focus of at least some projects awarded funding. The act authorized funding of $40 million for FY 2004 and $46 million for FY 2005, excluding center funding, for which separate authorizations were specified. Funding for cybersecurity R&D supported by NSF has grown over the past several years, starting at approximately $30 million in FY 2004; it has not risen to the level recommended by the PITAC report, however.

In addition to awards to eligible individuals, the Cybersecurity Research and Development Act calls for NSF to establish computer and network security research centers to “generate innovative approaches to computer and network security by conducting cutting-edge, multidisciplinary research.” The act authorizes center-scale appropriations for FY 2003 through FY 2007, although center-scale awards were eliminated in the FY 2006 solicitation.73 Center-scale awards are typically 5-year grants, with annual funding ranging from $1.5 million to $4 million. Each center-scale project involves researchers from multiple universities addressing multidisciplinary aspects of each project. Several center-scale projects have been established thus far through the Cyber Trust program, including the following:

  • Security Through Interaction Modeling will “explore ways to create more effective and usable defenses by modeling these networks of interactions and making the models an integral part of the defenses.”74

  • The Center for Internet Epidemiology and Defenses will work “to understand how the Internet’s open communications and software vulnerabilities permit worms to propagate, to devise a global-scale early warning system to detect epidemics …, to develop forensics capabilities …, and to develop techniques and devices that can suppress outbreaks before they reach pandemic proportions.”75

  • The Center for Correct, Usable, Reliable, Auditable and Transparent Elections will “investigate software architectures, tamper-resistant hardware, cryptographic protocols and verification systems as applied to electronic voting systems.”76

  • Trustworthy Cyber Infrastructure for the Power Grid will “create technologies that will convey critical information to grid operators despite cyber attacks and accidental failures. The solutions created are expected to be adaptable for use in other critical infrastructure systems.” Both DOE and DHS will collaborate to fund and manage this center.77

71

Karl Levitt, NSF, personal communications to the committee, November 27, 2006, and June 21, 2007.

72

The National Science Foundation did a breakdown of some of the FY 2004 cybersecurity funding. The summary of this breakdown is available at the Cyber Trust Program Web page, http://www.nsf.gov/funding/pgm_summ.jsp?pims_id=13451&org=CISE.

73

National Science Foundation, Cyber Trust Program Solicitation, NSF 06-517, Washington, D.C., 2006.

74

NSF Press Release 04-124, September 21, 2004, “NSF Announces Two Cybersecurity Centers to Study Internet Epidemiology and Ecology”; available at http://www.nsf.gov/news/news_summ.jsp?cntn_id=100434.

A major cybersecurity research project funded outside the auspices of the NSF Cyber Trust program is the Team for Research in Ubiquitous Secure Technology (TRUST).78 TRUST seeks to address a parallel and accelerating trend of the past decade—the integration of computing and communications across critical infrastructures in areas such as finance, energy distribution, telecommunications, and transportation. The center is an NSF Science and Technology Center, chartered to investigate key issues of computer trustworthiness in an era of increasing attacks at all levels on computer systems and information-based technologies. As noted on its Web site, TRUST is “devoted to the development of a new science and technology that will radically transform the ability of organizations (software vendors, operators, local and federal agencies) to design, build, and operate trustworthy information systems for our critical infrastructure.” The project takes a highly cross-disciplinary approach, including researchers in relevant areas of computer security, systems modeling and analysis, software technology, economics, and social sciences. Education and technology transfer are also important components. TRUST also receives funding from the Air Force Office of Scientific Research.

B.6.4.2
Defense Advanced Research Projects Agency

In line with its agency mission, the Defense Advanced Research Projects Agency’s research focus has been on military applications of information security. DARPA began an Information Security research program in 1994.79 The Information Survivability program was the initial program, followed by the Information Assurance program. These programs focused on a number of security aspects, including retrofitting security and survivability technology for legacy systems, intrusion detection and response, survivability in the face of attack, high-assurance operating system construction, the composing of trustworthy systems from less trustworthy components, and secure collaboration allowing data sharing and communication over a network.

75

NSF Press Release 04-124, September 21, 2004.

76

NSF Press Release 05-141, August 15, 2005, “NSF Awards $36 Million Toward Securing Cyberspace”; available at http://www.nsf.gov/news/news_summ.jsp?cntn_id=104352.

77

NSF Press Release 05-141, August 15, 2005.

78

Detailed information about the project is available at the TRUST project Web site at http://www.truststc.org/overview.htm.

DARPA expanded its information security investment in 1999. From 1999 to 2003, six programs were funded, covering a range of information security areas and extending research in areas covered by the earlier programs:

  • Composable High Assurance Trusted Systems—High-assurance operating systems composed out of interoperable subsystems, to provide the required trustworthiness.

  • Cyber Panel—Monitoring for attacks and allowing operators to manage system security and survivability.

  • Dynamic Coalitions—Secure communication and data sharing across a network.

  • Fault Tolerant Networks—Continued network operation in the presence of successful attacks; that is, intrusion tolerance at the network layer and below.

  • Organically Assured and Survivable Information Systems—Sustained operation of mission-critical functions in the face of known and future cyberattacks; that is, intrusion tolerance at the host and system level.

  • Operational Partners in Experimentation—Accelerated transition to deployment.

DARPA sponsored three conferences between 2000 and 2003 called “DARPA Information Survivability Conference and Expositions” (DISCEX I, DISCEX II, DISCEX III) to present the findings of the research programs. These programs began winding down in 2003 and had ended by early 2005. Much of the staff focused on information assurance and security left DARPA as these programs wound down and has not been replaced. The institutional knowledge has largely left or become classified.

79

Much of the discussion concerning past support for cybersecurity at DARPA is drawn from the Information Survivability Conference and Exposition III, Washington, D.C., April 2003; available at http://csdl.computer.org/comp/proceedings/discex/2003/1897/00/1897xi.pdf.


One unclassified program, Self-Regenerative Systems (SRS), focused on information security; it began in 2004 and was scheduled to run for 18 months. This program supports 11 research projects. The funding rate for SRS was approximately 12 percent. Funded projects were about evenly split between universities and the private sector, with four projects being performed jointly by universities and corporations. The overarching theme of the SRS program is survivability, resilience, and adaptation in the face of attack, with four specific focus areas: code diversity to reduce the impact of exploiting a single flaw across systems; attack masking and recovery; scalable redundancy to achieve survivability and resilience; and detection, prevention, and mitigation of insider threats. Measurable goals have been set for projects, reflecting their applied nature. At least two classified programs are also under way, with largely short-term research and deployment goals. DARPA is also co-funding two projects with NSF.

In recent years, concerns have been expressed about a shift toward classified, shorter-term, and military-mission-focused research in DARPA’s cybersecurity portfolio. For example, in 2005, the PITAC report commented as follows:80

DARPA historically used a large portion of its budget to fund unclassified long-term fundamental research—in general, activities with a time horizon that exceeds five years. This provided DARPA with access to talented researchers in the Nation’s finest research institutions and helped cultivate a community of scholars and professionals who developed the field. By FY 2004, however, very little, if any, of DARPA’s substantial cyber security R&D investment was directed towards fundamental research. Instead, DARPA now depends on NSF-supported researchers for the fundamental advances needed to develop new cyber security technologies to benefit the military. Additionally, the emergence of cyber warfare as a tool of the warfighter has led DARPA to classify more of its programs. The combined result is an overall shift in DARPA’s portfolio towards classified and short-term research and development and away from its traditional support of unclassified longer-term R&D.

In the 2 years since the PITAC report was issued, the committee has seen no evidence to suggest a significant change in DARPA’s approach to cybersecurity research.

The extent to which DARPA emphasizes classified and short-term R&D over unclassified longer-term R&D depends on many factors, not least DARPA’s interpretation of its mission. The tension between these two foci has been reflected in many ways, including the several changes in the agency’s very name since its birth in 1958.81 If DARPA continues to emphasize classified, short-term research, that may well raise concerns among academic researchers about the long-term sustainability and future of working in cybersecurity research.

80. President’s Information Technology Advisory Committee, Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Technology Research and Development, Washington, D.C., February 2005, p. 19; available at www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.

A second possible result of the shift toward short-term, military-mission-focused research is that such a research program may not sufficiently focus on issues relevant to the commercial sector (which develops and operates much of the nation’s critical infrastructure). For example, military and intelligence applications often emphasize confidentiality over integrity and availability, whereas the commercial sector is often as concerned or more concerned about integrity and availability. Also, military and intelligence applications are more likely to emphasize risk avoidance, whereas commercial enterprises are more likely to emphasize risk management.

B.6.4.3
Department of Homeland Security

The Department of Homeland Security has both an operational function (preparedness and response) and a research function for cybersecurity. The National Strategy to Secure Cyberspace gave DHS the lead role in cybersecurity, calling on it to become the center of excellence for response, vulnerability reduction, training and awareness, and securing government cyberspace.82 DHS created the National Cyber Security Division (NCSD) in June 2003 in response to the National Strategy requirements;83 NCSD now sits under the department’s National Protection and Programs Directorate. NCSD has three operating branches: the U.S. Computer Emergency Readiness Team (US-CERT); Strategic Initiatives, to advance cybersecurity training, education, software assurance, exercises, control systems, critical infrastructure protection, and standards and practices; and Outreach and Awareness.

81. In 1958, Department of Defense (DOD) Directive 5105.15 established the Advanced Research Projects Agency (ARPA). In 1972, another DOD directive changed the agency’s name to Defense Advanced Research Projects Agency (DARPA). In 1993, DARPA was redesignated the Advanced Research Projects Agency at the direction of President William J. Clinton. In 1996, the Defense Authorization Act for FY 1996 changed the agency’s name back to Defense Advanced Research Projects Agency (DARPA). See http://www.darpa.mil/body/arpa_darpa.html.

82. Discussion in this section is drawn, in part, from the written statement of Donald (Andy) Purdy, Jr., to the House Subcommittee on Federal Financial Management, Government Information, and International Security, July 19, 2005; available at http://hsgac.senate.gov/_files/PurdyTestimony.pdf.

83. DHS Press Release, June 6, 2003, “Ridge Creates New Division to Combat Cyber Threats”; available at http://www.dhs.gov/dhspublic/display?content=916.

In July 2005, newly appointed DHS Secretary Michael Chertoff proposed creating a new position of Assistant Secretary for Cybersecurity—moving the responsibility for cybersecurity up one level in the organizational structure, although the position took more than 14 months to fill.84 Cybersecurity research at DHS is supported through the Science and Technology (S&T) Directorate. The S&T mission includes conducting, stimulating, and enabling research and development. However, the current emphasis is on short- to medium-term needs related to the implementation of the National Strategy to Secure Cyberspace, including testing, evaluation, and timely transition of capabilities with approximately 85 to 90 percent of the S&T budget focused on these areas.85 The remaining 10 to 15 percent of the budget is for the support of long-term, breakthrough research.

The mission of the Cyber Security Research Area, one of 15 S&T research portfolios organized into three categories, is to “lead cyber security research, development, testing, and evaluation endeavors to secure the nation’s critical information infrastructure, through coordinated efforts that will improve the security of the existing cyber infrastructure, and provide a foundation for a more secure infrastructure.”86 This broad mission is reflected in the R&D areas that DHS identifies as important to address: secure systems engineering, information assurance benchmarks and metrics, wireless and embedded systems security, critical infrastructure, and cybersecurity education. There is a specific focus on technology-transfer issues, that is, moving from research to deployment. Around $300 million has been spent annually on cybersecurity research for the past decade, yet no transition path has existed to turn that research into commercial products. Government funding trends have moved roughly $100 million of it into classified areas, leaving even less research available to eventually produce commercial products.87

84. See the organizational charts for 2005, http://www.dhs.gov/interweb/assetlibrary/DHS_Org_Chart_2005.pdf, and the proposed structural adjustments, http://www.dhs.gov/interweb/assetlibrary/DHSOrgChart.htm. The position was filled for the first time in September 2006.

85. Background for the discussion of cybersecurity research missions of the Department of Homeland Security is drawn from presentations given by Douglas Maughan, DHS, to the committee on July 27, 2004, and presentations given at the HSARPA Cyber Security Research and Development Bidder’s Conference held on September 23, 2004, in Arlington, Va. (see http://www.hsarpabaa.com/main/Cyber_Security_Bidders_9-13-2004.pdf).

86. See http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0549.xml.

87. Statement of Douglas Maughan, HSARPA Program Manager, in a briefing to the committee on July 27, 2004.

The Homeland Security Advanced Research Projects Agency (HSARPA) under S&T created the Cyber Security R&D Center in 2004. HSARPA initiated the Cyber Security Research and Development (CSRD) program in 2004.88 Program funding supported approximately half of the proposals deemed worthy of pursuing. There was concerted effort to reach out to the private sector for proposals, but few private-sector submissions were received.89

The DHS S&T cybersecurity agenda includes several other activities in addition to the Broad Agency Announcement for CSRD. The Cyber Defense Technology Experimental Research (DETER) project, funded and run jointly with NSF, provides an experimental testbed to facilitate national-scale cybersecurity experimentation. The Protected Repository for Defense of Infrastructure against Cyber Threats (PREDICT) is aimed at giving cybersecurity researchers sufficient access to the data needed to test their research prototypes; significant steps are being taken to address privacy concerns about the data and to protect the data providers from abuse. A joint government-industry steering committee has been formed to address issues related to the Domain Name System Security Extensions (DNSSEC); two workshops were held in 2004, and NIST provided additional funding for this activity. The Secure Protocols for Routing Infrastructure activity is similar to the DNSSEC activity, with a government-industry steering committee and workshops. Cyber economic assessment studies are being undertaken, in keeping with the focus on technology transfer, to examine cost-evaluation methods for cybersecurity events and to enhance understanding of business cases and investment strategies that promote cybersecurity and risk prioritization. Two Small Business Innovation Research grants were awarded in 2004, addressing intrusion detection and identification of malicious code.

88. Homeland Security Advanced Research Projects Agency (HSARPA) Broad Agency Announcement (BAA) 04-17; available at http://www.hsarpabaa.com/.

89. Discussion of committee members with Douglas Maughan, HSARPA Program Manager, on May 25, 2005.

90. See Secs. 8-11 of the Cybersecurity Research and Development Act of 2002 (P.L. No. 107-305).

B.6.4.4
National Institute of Standards and Technology

The Cybersecurity Research and Development Act specifies the role of the National Institute of Standards and Technology in cybersecurity research.90 The Computer Security Division (CSD), one of eight divisions in the Information Technology Laboratory, is the focal point at NIST for cybersecurity. CSD describes its mission as improving information security in four ways:91

  • Raising awareness of IT risks, vulnerabilities, and protection, particularly in new and emerging technologies;

  • Researching, studying, and advising agencies of IT vulnerabilities, and devising techniques for the cost-effective security and privacy of sensitive federal systems;

  • Developing standards, metrics, tests, and validation programs to promote, measure, and validate security in systems and services; to educate consumers; and to establish minimum security requirements for federal systems; and

  • Developing guidance to increase secure IT planning, implementation, management, and operation.

Four focus areas reflect this mission: Cryptographic Standards and Applications; Security Testing; Security Research/Emerging Technologies; and Security Management and Guidance.92 CSD performs in-house research and provides services to DHS, NSA, and other agencies to support their cybersecurity missions.

CSD’s Computer Security Resource Center (CSRC)93 acts as a focal point for raising awareness about cybersecurity. CSD issues reports, such as Security Considerations for Voice Over IP Systems, to raise awareness of IT risks in emerging technologies. NIST runs the National Vulnerability Database (NVD) with funding from DHS’s National Cyber Security Division. NVD is “a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources.”94

The bulk of NIST’s efforts (~$15 million) is focused on setting guidelines, evaluation tools, and standards for non-national-security computers, and on helping industry and academia partner more effectively. For instance, NIST provides coordination and guidance on how federal agencies implement and meet Federal Information Security Management Act (FISMA) requirements. It provides security self-assessment tools, organizes workshops, and gives training sessions and awareness meetings. It develops encryption standards and cryptography toolkits. The Common Criteria process,95 run by NSA in partnership with NIST under the National Information Assurance Partnership (NIAP),96 provides a means of evaluating information technology products for conformance to the international Common Criteria for Information Technology Security Evaluation.

91. Statement of Edward Roback, National Institute of Standards and Technology, in a briefing to the committee, July 27, 2004. See also http://csrc.nist.gov/mission.html. The statement “Cybersecurity Research and Development” by Arden Bement, Jr., NIST Technology Administration, before the U.S. House Committee on Science, May 14, 2003, provides additional background information for this section.

92. See http://csrc.nist.gov/focus_areas.html#sret.

93. See http://csrc.nist.gov/index.html.

94. See http://nvd.nist.gov.

NIST performs intramural cybersecurity R&D focused on Internet Protocol Security (IPsec), mobile networks and devices, access control and authentication mechanisms, and improved test automation. It also provides funding, jointly with DHS, for the I3P,97 run by Dartmouth College’s Institute for Security and Technology Studies. In 2001 NIST provided nine research grants under its Critical Infrastructure Protection Grants Program. Funding for this program was not reauthorized, although the Cybersecurity Research and Development Act calls for the establishment and support of research fellowships.

NIST also supports cyber forensics and law enforcement. It maintains the National Software Reference Library, sets standards for forensic tools and methods, and does some testing of tools and devices for forensic analysis.

The Intelligent Systems Division of the Manufacturing Engineering Laboratory at NIST formed the Process Control Security Requirements Forum in 2001 to address cybersecurity issues related to SCADA systems. In October 2004, the Forum—composed of vendors, system integrators, end users of industrial control systems, and NIST staffers—issued the first draft of the System Protection Profile for Industrial Control Systems, which is “designed to present a cohesive, cross-industry, baseline set of security requirements for new industrial control systems.”98

B.6.4.5
Department of Energy

The Office of Science (SC) at the U.S. Department of Energy supports cybersecurity R&D focused on “providing a trustworthy environment for access to distributed resources and for supporting collaborations.”99 Research projects are conducted at universities as well as at the Lawrence Berkeley National Laboratory. Cybersecurity research is tightly coupled with the science applications that are the primary mission at DOE. In particular, much of the focus of cybersecurity research is on distributed authorization and secure collaboration using shared resources. From the perspective of the security life cycle, DOE efforts emphasize attack prevention and intrusion detection.

95. See http://csrc.nist.gov/cc/.

96. See http://niap.nist.gov/.

97. See http://www.thei3p.org/.

98. See http://www.isd.mel.nist.gov/projects/processcontrol/.

99. Written comments provided by Daniel Hitchcock, Department of Energy, to the committee at a meeting on July 27, 2004.

In FY 2005 DOE provided support, along with DHS, for an NSF-funded center-scale project, the Center for Trustworthy Cyber Infrastructure for the Power Grid, which will support 19 researchers across three universities in creating secure network protocols that enable efficient sharing of supply and demand information.

B.6.4.6
National Security Agency

The National Security Agency focuses largely on applied research to meet the needs of DOD and the intelligence community. Approximately 120 internal researchers work on cybersecurity. About 50 percent of the NSA budget for cybersecurity goes to nonacademic organizations doing classified research; 10 to 15 percent of the budget supports academic organizations. In his statement before the House Select Committee on Homeland Security Subcommittee on Cybersecurity, Science and Research and Development, then-NSA Director of Information Assurance Daniel G. Wolf noted that the agency now spends the bulk of its time and resources “engaged in research, development and deployment of a full spectrum of Information Assurance technologies for systems processing all types of information.”100 He identified a number of priority areas for research, including assured software design tools and development techniques, automated patch management, resilient systems, attack identification, and attribution. He expressed concerns about foreign hardware and software being used in critical systems and noted NSA’s work on a Trusted Microelectronic Capability.

NSA provides support for civilian cybersecurity research in various ways, including funding and technical advice to NSF, DARPA, NIST, and DHS.101 NSA sponsors the Information Assurance Technical Framework Forum (IATFF) to foster dialogue between U.S. government agencies, industry, and academia. The IATFF document provides guidance for protecting information and systems. NSA supports several other outreach programs for system security assessment, security design and evaluation, and security professional certification. NSA developed Security Enhanced Linux (SELinux) as an enhancement to the Linux kernel that implements mandatory access control and role-based access control. SELinux was released to the Linux community for enhancement and extension.102

100. Statement by Daniel G. Wolf, Director of Information Assurance, National Security Agency, before the House Select Committee on Homeland Security, Subcommittee on Cybersecurity, Science and Research and Development, hearing titled “Cybersecurity—Getting It Right,” July 22, 2003; available at http://www.globalsecurity.org/security/library/congress/2003_h/030722-wolf.doc.

101. The discussion of National Security Agency support for cybersecurity research is drawn from the presentation to the committee by Grant Wagner, NSA Information Assurance Research Group, on July 27, 2004.

One of the major priorities for NSA is the growth of a vibrant civil service cybersecurity research community. To that end, NSA is a supporter of education and capacity building in cybersecurity. The NSA, jointly with DHS, sponsors 75 designated centers as part of its Centers for Academic Excellence in Information Assurance Education (CAE/IAE) Program. This program is part of the broader National Information Assurance Education and Training Program, which also supports the national Colloquium for Information Systems Security Education and the National Information Assurance Training and Education Center.103 No independent assessment of the CAE program has been conducted to determine if the requirements are appropriate, applied appropriately, or whether the program is actually helping to achieve its stated goals. Some individuals associated with schools in the program have questioned the lack of clear delineation between programs that conduct research and graduate education and those that are primarily vocational in nature. Nonetheless, the program has succeeded in bringing attention to educational efforts as little else has done.

B.6.4.7
Disruptive Technology Office, Office of Naval Research, and Air Force Research Laboratory

The Disruptive Technology Office,104 Office of Naval Research (ONR), and Air Force Research Laboratory through its Air Force Office of Scientific Research (AFOSR) all support cybersecurity research related to their intelligence and military missions. These agencies have been a source of funding continuity, supporting significant unclassified education and research in cybersecurity, as well as funding classified research. AFOSR, for instance, supports the Information Assurance Institute at Cornell University. It also supports, with NSF, the TRUST Center (described above). ONR manages a major Multidisciplinary University Research Initiative program (funded from the Office of the Secretary of Defense) on “secure mobile code.”

102. See the NSA SELinux Web page at http://www.nsa.gov/selinux/.

103. See http://www.nsa.gov/ia/academia/cisse.cfm and http://niatec.info/.

104. Formerly known as the Advanced Research and Development Activity (ARDA).

B.6.4.8
Federal Aviation Administration

The Federal Aviation Administration’s cybersecurity efforts are focused on its mission of providing for the safety and security of the FAA infrastructure. Its cybersecurity research activities “leverage developments by other agencies.”105

B.6.4.9
National Aeronautics and Space Administration

NASA has no current or planned project directly related to cybersecurity. It does support research, such as the High Dependability Computing Project, that addresses another aspect of trustworthy computing, namely system reliability. The project Web site notes that “dependability is a major challenge for all complex software-based systems. Aspects of dependability include safety critical reliability, software safety, high security, high integrity, and continuous operation.”106

105. National Science and Technology Council, Federal Plan for Cyber Security and Information Assurance Research and Development, April 2006, p. 113.

106. High Dependability Computing Project (HDCP); see http://hdcp.org.
×
Page 302
Suggested Citation:"Appendix B Cybersecurity Reports and Policy: The Recent Past." National Research Council and National Academy of Engineering. 2007. Toward a Safer and More Secure Cyberspace. Washington, DC: The National Academies Press. doi: 10.17226/11925.
×
Page 303
Suggested Citation:"Appendix B Cybersecurity Reports and Policy: The Recent Past." National Research Council and National Academy of Engineering. 2007. Toward a Safer and More Secure Cyberspace. Washington, DC: The National Academies Press. doi: 10.17226/11925.
×
Page 304
Suggested Citation:"Appendix B Cybersecurity Reports and Policy: The Recent Past." National Research Council and National Academy of Engineering. 2007. Toward a Safer and More Secure Cyberspace. Washington, DC: The National Academies Press. doi: 10.17226/11925.
×
Page 305
Next: Appendix C Contributors to the Study »
Toward a Safer and More Secure Cyberspace Get This Book
×
Buy Paperback | $67.00 Buy Ebook | $54.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces the real risk that adversaries will exploit vulnerabilities in the nation’s critical information systems, thereby causing considerable suffering and damage. Online e-commerce business, government agency files, and identity records are all potential security targets.

Toward a Safer and More Secure Cyberspace examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks. It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda. This book will be an invaluable resource for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.
