Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces real risks that adversaries will exploit vulnerabilities in the nation’s critical information systems, thereby causing considerable suffering and damage.
In this context and in response to a congressional request, the National Research Council (NRC) established the Committee on Improving Cybersecurity Research in the United States. The committee was charged with developing a strategy for cybersecurity research at the start of the 21st century. The basic premise underlying this report is that research can produce a better understanding of why cyberspace is as vulnerable as it is and that such research can lead to new technologies and policies and their effective implementation, making cyberspace safer and more secure. The report also addresses the nature of the cybersecurity threat, explores some of the reasons that previous cybersecurity research efforts and agendas have had less impact on the nation’s cybersecurity posture than desired, and considers the human resource base needed to advance the cybersecurity research agenda.
Society ultimately expects computer systems to be trustworthy—that is, that they do what is required and expected of them despite environmental disruption, human user and operator errors, and attacks by hostile parties, and that they not do other things. Trustworthiness has many dimensions, including correctness, reliability, safety, and survivability, in addition to security. However, the scope of this report, consistent with the committee’s charge, is somewhat narrower: it focuses on security and addresses other trustworthiness issues only to the extent that they relate to security.
WHAT IS AT STAKE
Information technology (IT) is essential to the day-to-day operations of companies, organizations, and government. People’s personal lives also involve computing in areas ranging from communication with family and friends to online banking and other household and financial management activities. Companies large and small are ever more reliant on IT to support diverse business processes, ranging from payroll and accounting, to tracking of inventory, operation of sales, and support for research and development (R&D)—that is, IT systems are increasingly needed for companies to be able to operate at all. Critical national infrastructures—such as those associated with energy, banking and finance, defense, law enforcement, transportation, water systems, and government—and private emergency services also depend on IT-based systems and networks; of course, the telecommunications system itself is a critical infrastructure for the nation.
Such dependence on IT will grow. But in the future, computing and communications technologies will also be embedded in applications in which they are essentially invisible to their users. A future of “pervasive computing” will see IT ubiquitously integrated into everyday objects in order to enhance their usefulness, and these objects will be interconnected in ways that further multiply their usefulness. In addition, a growing focus on innovation in the future will require the automation and integration of various services to provide rapid response tailored to the needs of users across the entire economy.
The ability to fully realize the benefits of IT depends on these systems being secure—and yet nearly all indications of the size of the threat, whether associated with losses or damage, type of attack, or presence of vulnerability, indicate a continuously worsening problem. Moreover, it is almost certainly the case that reports understate the actual scope of the threat, since some successful attacks are not noticed and others noticed but not reported.
The gaps between commercial practice and vulnerabilities in critical infrastructure are still wide. Meanwhile, the ability of individuals, organizations, or even state actors to attack the nation’s institutions, its people’s identities, and their online lives in cyberspace has grown substantially. Industry trends toward commoditization have resulted in clear targets for focused attacks, making coordinated attacks by hundreds of thousands of co-opted cooperating agents practical for the first time in history.
The potential consequences of a lack of security in cyberspace fall into three broad categories. First is the threat of catastrophe—a cyberattack, especially in conjunction with a physical attack, could result in thousands of deaths and many billions of dollars of damage in a very short time. Second is frictional drag on important economic and security-related processes. Today, insecurities in cyberspace systems and networks allow adversaries (in particular, criminals) to extract billions of dollars in fraud and extortion—and force businesses to expend additional resources to defend themselves against these threats. If cyberspace does not become more secure, the citizens, businesses, and governments of tomorrow will continue to face similar pressures, and most likely on a greater scale. Third, concerns about insecurity may inhibit the use of IT in the future and thus lead to a self-denial of the benefits that IT brings, benefits that will be needed for the national competitiveness of the United States as well as for national and homeland security.
THE BROAD RANGE OF CAPABILITIES AND GOALS OF CYBERATTACKERS
A very broad spectrum of actors, ranging from lone hackers to major nation-states, poses security risks to the nation’s IT infrastructure. Organized crime (e.g., drug cartels) and transnational terrorists (and terrorist organizations, perhaps state-sponsored) occupy a region in between these two extremes, but they are more similar to the nation-state than to the lone hacker.
High-end attackers are qualitatively different from others by virtue of their greater resources—money, talent, time, organizational support and commitment, and goals. These adversaries can thus target vulnerabilities at any point in the IT supply chain from hardware fabrication to end uses. Furthermore, they are usually highly capable of exploiting human or organizational weaknesses over extended periods of time. The bottom line is that the threat is growing in sophistication as well as in magnitude, and against the high-end attacker, many current best practices and security technologies amount to little more than speed bumps—thus requiring additional fundamental research and new approaches, such as a greater emphasis on mitigation and recovery.
THE CYBERSECURITY BILL OF RIGHTS
The committee believes that individual users, organizations, and society at large are entitled to use and rely on information technologies whose functionality does not diminish even when they are under attack. This vision for a safe and secure cyberspace can be expressed as the committee’s Cybersecurity Bill of Rights (CBoR).
Following is a list of the 10 provisions in this CBoR. Explanations and additional discussion of each provision are presented in the main body of the report.
The first three provisions relate to properties of holistic systems, including availability, recoverability, and control of systems:
Availability of system and network resources to legitimate users.
Easy and convenient recovery from successful attacks.
Control over and knowledge of one’s own computing environment.
The next three provisions relate to the traditional security properties of confidentiality, authentication (and its extension, provenance), and authorization:
Confidentiality of stored information and information exchange.
Authentication and provenance.
The technological capability to exercise fine-grained control over the flow of information in and through systems.
The next three provisions relate to crosscutting properties of systems:
Security in using computing directly or indirectly in important applications, including financial, health care, and electoral transactions and real-time remote control of devices that interact with physical processes.
The ability to access any source of information (e.g., e-mail, Web page, file) safely.
Awareness of what security is actually being delivered by a system or component.
The last provision relates to justice:
Justice for security problems caused by another party.
How are the goals of the CBoR to be achieved? As the discussion in the remainder of this report indicates, a different way of thinking about cybersecurity will be necessary regarding the ways in which secure systems are designed, developed, procured, operated, and used. In the long run, this different way of thinking will entail new directions in education, training, development practice, operational practice, oversight, liability laws, government regulation, and so on.
REALIZING THE VISION
Compared with what exists today, this vision of a secure cyberspace is compelling. However, for two distinct but related reasons, the nation is a long way from meeting this goal. The first reason is that much about cybersecurity technologies and practices is known but not put into practice. Even the deployment of cybersecurity measures that are quite unsophisticated can make a difference against casual attackers. Thus, the cybersecurity posture of the nation could be strengthened substantially if individuals and organizations collectively adopted current best practices and existing security technologies that are known to improve cybersecurity.
The second reason is that, even assuming that everything known today was immediately put into practice, the resulting cybersecurity posture—though it would be stronger and more resilient than it is now—would still be inadequate against today’s threat, let alone tomorrow’s. Closing this gap—a gap of knowledge—will require both traditional and unorthodox approaches to research.
Traditional research is problem-specific, and there are many cybersecurity problems for which good solutions are not known. (A good solution to a cybersecurity problem is one that is effective, is robust against a variety of attack types, is inexpensive and easy to deploy, is easy to use, and does not significantly reduce or cripple other functionality in the system of which it is made a part.) Research will be needed to address these problems.
But problem-by-problem solutions, or even problem-class by problem-class solutions, are highly unlikely to be sufficient to close the gap by themselves. Unorthodox, clean-slate approaches will also be needed to deal with what might be called a structural problem in cybersecurity research now, and these approaches will entail the development of new ideas and new points of view that revisit the basic foundations and implicit assumptions of security research.
Addressing both of these reasons for the lack of security in cyberspace is important, but it is the second goal—closing the knowledge gap—that is the primary goal of cybersecurity research and the primary focus of this report.
Research is needed both to develop new knowledge and to make such knowledge more usable and transferable to the field. Furthermore, cybersecurity will be a continuing issue: threats evolve (both on their own and as defenses against them are discovered), and new vulnerabilities often emerge as innovation changes underlying system architectures, implementation, or basic assumptions. And, because there are growing incentives to compromise the security of deployed IT systems, research will always be needed. Personal gain, organized crime, terrorism, and national interests are superseding (and, in the eyes of many, have superseded) personal fame and curiosity as incentives.
PRINCIPLES TO DRIVE THE ONGOING RESEARCH AGENDA
The committee identified several principles that should shape the cybersecurity research agenda:
Conduct cybersecurity research as though its application will be important. The scope of cybersecurity research must extend to understanding how cybersecurity technologies and practice can be applied in real-life contexts. Consequently, fundamental research in cybersecurity will embrace organizational, sociological, economic, legal, and psychological factors as well as technological ones.
Hedge against uncertainty in the nature and severity of the future cybersecurity threat. It seems prudent to take a balanced approach that hedges against the eventuality that a high-end cybersecurity threat emerges and becomes manifestly obvious to all. That hedge is an R&D agenda in cybersecurity that is both broader and deeper than might be required if only low-end threats were at issue. (Because of the long lead time for large-scale deployments of any measure, part of the research agenda must include research directed at reducing those long lead times.)
Ensure programmatic continuity. A sound research program should also support a substantial effort in research areas with a long time horizon for payoff. This is not to say that long-term research cannot have intermediate milestones, although such milestones should be treated as midcourse corrections rather than “go/no-go” decisions that demoralize and make researchers overly conservative. Long-term research should engage both academic and industrial actors, and it can involve collaboration early and often with technology-transition stakeholders, even in the basic science stages.
Respect the need for breadth in the research agenda. Cybersecurity risks will be on the rise for the foreseeable future, but few specifics about those risks can be known with high confidence. Thus, it is not realistic to imagine that one or even a few promising approaches will prevent or even substantially mitigate cybersecurity risks in the future, and cybersecurity research must be conducted across a broad front. In addition, because qualitatively new attacks can appear with little warning, a broad research agenda is likely to decrease significantly the time needed to develop countermeasures against these new attacks when they appear. Priorities are still important, but they should be determined by those in a position to respond most quickly to the changing environment—namely, the research constituencies that provide peer review and the program managers of the various research-supporting agencies. Notions of breadth and diversity in the cybersecurity research agenda should themselves be interpreted broadly as well, and might well be integrated into other research programs such as software and systems engineering, operating systems, programming languages, networks, Web applications, and so on.
Disseminate new knowledge and artifacts (e.g., software and hardware prototypes) to the research community. Dissemination of research results beyond one’s own laboratory is necessary if those results are to have a wide impact—a point that argues for cybersecurity research to be conducted on an unclassified basis as much as possible. Other information to be shared as widely as possible includes threat and incident information that can help guide future research.
IMPORTANT CATEGORIES OF RESEARCH FOCUS
A research agenda can be laid out to make progress toward the vision embedded in the Cybersecurity Bill of Rights. This agenda has six primary areas of focus. Although these categories identify important areas of focus, they are broad in scope. This breadth reflects a recognition of the holistic nature of cybersecurity—attackers will attack at any technological or procedural weak point, so no single or even small number of silver bullets can “solve the cybersecurity problem.” A good cybersecurity research portfolio recognizes the importance of diversity in an uncertain threat environment, which is true even if several areas of focus warrant emphasis.
Category 1—Blocking and limiting the impact of compromise. This category includes secure information systems and networks that resist technical compromise; convenient and ubiquitous encryption that can prevent unauthorized parties from obtaining sensitive or confidential data; containment, backup, mitigation, and recovery; and system lockdowns under attack.
One illustrative example of research in this category is secure design, development, and testing. Research is needed that will facilitate the design of systems that are “secure by design.” Research is also needed for security evaluation, for good implementation practices and tools that reduce the likelihood of program flaws (bugs) and make it easier for developers to implement secure systems, and for improved testing and evaluation for functionality that has not been included in the specification of a system’s requirements and that may result in security vulnerabilities.
Category 2—Enabling accountability. This category includes matters such as remote authentication, access control and policy management, auditing and traceability, maintenance of provenance, secure associations between system components, intrusion detection, and so on. In general, the objective is to hold anyone or anything that has access to a system component—a computing device, a sensor, an actuator, a network—accountable for the results of such access.
One illustrative example of research in this category is attribution. Anonymous attackers cannot be held responsible for their actions and do not suffer any consequences for the harmful actions that they may initiate. But many computer operations are inherently anonymous, which means that associating actors with actions must be done explicitly. Attribution technology enables such associations to be easily ascertained, captured, and preserved. At the same time, attribution mechanisms do not solve the important problem of the unwittingly compromised or duped user, although these mechanisms may be necessary in conducting forensic investigations that lead to such a user.
Category 3—Promoting deployment. This category is focused on ensuring that the technologies and procedures in Categories 1 and 2 are actually used to promote and enhance security. Category 3 includes technologies that facilitate ease of use by both end users and system implementers, incentives that promote the use of security technologies in the relevant contexts, and the removal of barriers that impede the use of security technologies.
One illustrative example of research in this category is usable security. Security functionality is often turned off, disabled, bypassed, and not deployed because it is too complex for individuals and enterprise organizations to manage effectively or to use conveniently. Thus, an effort to develop more usable security mechanisms and approaches would have substantial payoff. Usable security has social and organizational dimensions as well as technological and psychological ones. Other illustrations are provided in the main text of this report.
Category 4—Deterring would-be attackers and penalizing attackers. This category includes legal and policy measures that could be employed to penalize or impose consequences on cyberattackers, and technologies that support such measures. In principle, this category could also include technical measures to retaliate against a cyberattacker.
One illustrative example of research in this category would facilitate the prosecution of cybercriminals across international borders. Many cybercrime perpetrators are outside of U.S. jurisdiction, and the applicable laws may not criminalize the particulars of the crime perpetrated. Even if they do, logistical difficulties in identifying a perpetrator across national boundaries may render him or her practically immune to prosecution. Research is needed to further harmonize laws across many national boundaries to enable international prosecutions and to reduce the logistical difficulties involved in such activities. Other illustrations are provided in the main text of the report.
Category 5—Illustrative crosscutting problem-focused research areas. This category focuses elements of research in Categories 1 through 4 onto specific important problems in cybersecurity. These include security for legacy systems, the role of secrecy in cyberdefense, coping with the insider threat, and security for new computing environments and in application domains.
Category 6—Speculative research. This category focuses on admittedly speculative approaches to cybersecurity that are unorthodox, “out-of-the-box,” and also that arguably have some potential for revolutionary and nonincremental gains in cybersecurity. The areas described in this report are merely illustrative of such ideas—of primary importance is the idea that speculative ideas are worth some investment in any broad research portfolio.
WHY HAS CYBERSECURITY ACTION TAKEN TO DATE BEEN INSUFFICIENT?
The committee believes that the cybersecurity threat is ominous. Moreover, as one of the most IT-dependent nations in the world, the United States has much to lose from the materialization of this threat. But this committee is not the first committee—and this report is not the first report—to make this claim. After more than 15 years of reports pointing to an ominous threat, and in fact more than 15 years in which the threat has objectively grown, why is there not a national sense of urgency about cybersecurity? Why has action not been taken to close the gap between the nation’s cybersecurity posture and the cyberthreat?
The notion that no action to promote cybersecurity has been taken in the past 15 years is somewhat unfair. In recent years, most major IT vendors have undertaken significant efforts to improve the security of their products in response to end-user concerns over security, and many of today’s products are by many measures more secure than those that preceded these efforts. In addition, the sentinel events of September 11, 2001, spurred public concerns about security, and some of that concern has spilled over into the cybersecurity domain.
Nevertheless, these changes in the environment, important though they are, do not change the fact that the degree of awareness and action taken in the past 15 years is nowhere near what is necessary to achieve a robust cybersecurity posture.
The committee believes that the lack of adequate action in the cybersecurity space can be largely explained by three factors:
Past reports have not provided the sufficiently compelling information needed to make the case for dramatic and urgent action. If so, perhaps it is possible to paint a sufficiently ominous picture of the threat in terms that would inspire decision makers to take action. Detailed and specific information is usually more convincing than information couched in very general terms, but unfortunately, detailed and specific information in the open literature about the scope and nature of the cyberthreat is lacking. Many corporate victims of cyberattack, for example, are reluctant to identify themselves as being victims for fear of being cast in a bad light relative to their competitors.
Even with the relevant information in hand, decision makers discount future possibilities so much that they do not see the need for present-day action. That being the case, nothing short of a highly visible and perhaps ongoing cyber-disaster will motivate actions. Decision makers weigh the immediate costs of putting into place adequate cybersecurity measures, both technical and procedural, against the potential future benefits (actually, avoided costs) of preventing cyber-disaster in the future—and systematically discount the latter as uncertain and vague.
The costs of inaction are not borne by the relevant decision makers. The bulk of the nation’s critical infrastructure is owned and operated by private-sector companies. To the extent that these companies respond to security issues, they generally do so as one of the risks of doing business. But they do much less to respond to low-probability, high-impact (i.e., catastrophic) threats, although all of society at large has a large stake in their actions.
The first factor above suggests the necessity of undertaking a truly authoritative assessment of the cybersecurity threat that draws on the best industry and intelligence data available and that is made public for all to see. The second and third factors suggest that the cybersecurity problem results not from a failure to recognize the threat but from a failure to respond sufficiently to it. (In other words, awareness is not enough—there are potential solutions that have not been deployed widely and many problems for which practical solutions are not known today.) These factors suggest the need for putting into place mechanisms that change the calculus used to make decisions about cybersecurity.
As for the impact of research on the nation’s cybersecurity posture, it is not reasonable to expect that research alone will make any substantial difference at all. Indeed, there is a very large gap between a successful “in principle” result or demonstration and its widespread deployment and use; closing this gap is the focus of research in Category 3—Promoting deployment, above. But many other factors must also be aligned if research is to have a significant impact. Specifically, IT vendors must be willing to regard security as a product attribute that is coequal with performance and cost; IT researchers must be willing to value cybersecurity research as much as they value research into high-performance or cost-effective computing; and IT purchasers must be willing to incur present-day costs in order to obtain future benefits.
PRIORITIES FOR ACTION TODAY
The committee has identified the following five action items for policy makers as warranting the highest priority:
Create a sense of urgency about the cybersecurity problem. One element will be to provide as much information as possible about the scope and nature of the threat. A second element will be to change the decision-making calculus that excessively focuses vendor and end-user attention on short-term costs of improving their cybersecurity postures.
Commensurate with a rapidly growing cybersecurity threat, support a broad, robust, and sustained research agenda at levels which ensure that a large fraction of good ideas for cybersecurity research can be explored. Discretionary budgets for the foreseeable future will be very tight, but even in such times, program growth is possible if the political will is present to designate these directions as priorities. Both the scope and scale of federally funded cybersecurity research are seriously inadequate. To execute fully the broad strategy articulated in this report, a substantial increase in federal budgetary resources devoted to cybersecurity research will be needed. Nor should cybersecurity research remain in the computer science domain alone, and additional funding might well be used to support the pursuit of cybersecurity considerations in other closely related research endeavors, such as those related to creating high-assurance systems and the engineering of secure systems and software across entire system life cycles.
Establish a mechanism for continuing follow-up on a research agenda. Today, the scope and nature of cybersecurity research across the federal government are not well understood, least of all by government decision makers. An important first step would be for the government to build on the efforts of the National Coordination Office for Networking and Information Technology Research and Development to develop a reasonably complete picture of the cybersecurity research efforts that the government supports from year to year. To the best of the committee’s knowledge, no such coordinated picture exists.
Support research infrastructure. Making progress on any cybersecurity research agenda requires substantial attention to infrastructural issues. In this context, a cybersecurity research infrastructure refers to the collection of open testbeds, tools, data sets, and other things that enable research to progress and which allow research results to be implemented in actual IT products and services. Without an adequate research infrastructure, there is little hope for realizing the full potential of any research agenda.
Sustain and grow the human resource base. When new ideas are needed, human capital is particularly important. For the pool of cybersecurity researchers to expand to a sufficiently large level, would-be researchers must believe that there is a future to working in this field, a point suggesting the importance of adequate and stable research support for the field. Increasing the number of researchers in a field necessarily entails increased support for that field, since no amount of prioritization within a fixed budget will result in significantly more researchers. In addition, potential graduate students see stable or growing levels of funding as a signal about the importance of the field and the potential for professional advancement.