THE REPORT IN BRIEF
Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces real risks that adversaries will exploit vulnerabilities in the nation’s critical information systems. The basic premise underlying this report is that research can produce a better understanding of why cyberspace is as vulnerable as it is, and that such research can lead to new technologies and policies and their effective implementation to make cyberspace safer and more secure.
Cybersecurity is not a topic new to the national agenda. But previous efforts to examine cybersecurity have addressed the subject from the standpoint of dealing with specific threats (e.g., terrorism), missions (e.g., critical infrastructure protection), government agencies (e.g., how they might better protect themselves), or specific sectors (e.g., banking and finance). This report focuses on the value of addressing cybersecurity from the perspective of protecting all legitimate users of cyberspace, including individual citizens, small commercial establishments, and government agencies, all of which are exposed to harassment and injury every time they log on to the Internet or use some other commercial network. The Committee on Improving Cybersecurity Research in the United States believes that a more generally secure cyberspace will go a long way toward protecting critical infrastructure and national security.
The committee’s vision for a safer and more secure cyberspace is reflected in a “Cybersecurity Bill of Rights” (CBoR), consisting of 10 basic provisions that users should have as reasonable expectations for their safety and security in cyberspace. The CBoR articulated in this report is user-centric, enabling individuals to draw for themselves the contrast between the vision contained in the CBoR and their own personal cyberspace experiences. Unfortunately, the state of cyberspace today is such that it is much easier to state these provisions than it is to achieve them. No simple research project, no silver bullet, no specific critical cybersecurity research topic will lead to the widespread reality of any of these provisions. Indeed, even achieving something that sounds as simple as eliminating spam will require a complex, crosscutting technical and nontechnical research and development (R&D) agenda.
The committee’s proposal for action focuses attention on a number of research areas identified as important in earlier reports (Appendix B, Section B.5). It also focuses on understanding why important and helpful cybersecurity innovations developed in the past have not been more widely deployed in today’s information technology (IT) products and services, thus bringing the very real challenges of incentives, usability, and embedding advances in cybersecurity squarely into the research domain.
The committee’s action agenda for policy makers has five elements. The first is to create a sense of urgency about the cybersecurity problem, because the cybersecurity policy failure is not so much one of awareness as of action. The second, commensurate with a rapidly growing cybersecurity threat, is to support a broad, robust, and sustained research agenda at levels that ensure that a large fraction of good ideas for cybersecurity research can be explored. The third is to establish a mechanism for continuing follow-up on a research agenda that will provide a coordinated picture of the government’s cybersecurity research activities across the entire federal government, including both classified and unclassified research. The fourth is to support research infrastructure, recognizing that such infrastructure is a critical enabler for moving research results into actual IT products and services. The fifth is to sustain and grow the human resource base, which will be a critical element in ensuring a robust research agenda in the future.
BACKGROUND OF THE STUDY
Policy makers, and to a lesser extent the public, have given attention to cybersecurity issues for some time now, but cybersecurity problems have continued to fester. For example, in 1997, the President’s Commission on Critical Infrastructure Protection noted the importance of cybersecurity for the systems that operate the nation’s critical infrastructure, such as the electric power grid and the air traffic control system, as well as the communications and processing backbones that are increasingly essential to the operation of the entire economy, including distribution, finance, and manufacturing. In the wake of the attacks of September 11, 2001, there is a rising concern that adversaries, backed by substantial resources, will attempt to exploit the vulnerabilities in the information systems of the nation, both private and public.
It is a long way from knowing that there are vulnerabilities to fixing them. First and foremost, the will to fix them must be present, a will that, in the committee’s judgment, has all too often been absent. Presuming that will, more and better application of existing knowledge and of existing cybersecurity technologies and practices to information system vulnerabilities would help to mitigate many of them. In some cases, such application is straightforward. In other cases, the understanding of the vulnerabilities or of how to deal with them is incomplete or inadequate. And in still other cases, as with cybersecurity in the power grid and in health care, the specific application context frames how existing knowledge can be helpful, even when that knowledge is very relevant.
Against this backdrop, the National Research Council established the Committee on Improving Cybersecurity Research in the United States, charged with developing a coherent strategy for cybersecurity research at the start of the 21st century. The committee’s strategy is laid out in this report. To frame this strategy in an appropriate context, this report also considers the nature of the cybersecurity threat, reasons why previous cybersecurity research efforts and agendas have had less impact than hoped for on the nation’s cybersecurity posture, and the human resource base needed to advance the cybersecurity research agenda.
To put this report into context, it is helpful to consider the findings and conclusions from a number of other reports and activities on cybersecurity from the past several years. Described in greater detail in Appendix B, these reports and activities have made a number of points that will be reprised in this report. The following are key conclusions that can be drawn from past studies.
First, there are no silver bullets for “fixing” cybersecurity. The threats are evolving and will continue to grow, meaning that gaining ground requires a broad and ongoing society-wide effort that focuses on cybersecurity vulnerabilities. A culture of security must pervade the entire life cycle of IT systems operations, from initial architecture, to design, development, testing, deployment, maintenance, and use. A number of focus areas are particularly important to achieving such a culture: collaboration among researchers; effective coordination and information sharing between the public and private sectors; the creation of a sufficient core of research specialists necessary to advance the state of the art; the broad-based education of developers, administrators, and users, making security-conscious practices second nature just as optimizing for performance or functionality is; making it easy and intuitive for users to “do the right thing”; the employment of business drivers and policy mechanisms to facilitate security technology transfer and the diffusion of R&D into commercial products and services; and the promotion of risk-based decision making (and metrics to support this effort).
Second, the earlier reports have identified as meriting research investment a number of important areas that are consistent with those identified in this report, including authentication, identity management, secure software engineering, modeling and testbeds, usability, privacy, and benchmarking and best practices. Understanding the intersection between critical infrastructure systems and the IT systems increasingly used to control them is another common theme for research needs.
Third, taken together, the activities reviewed give an overall sense that, unless we as a society make cybersecurity a priority, IT systems are likely to become overwhelmed by cyberthreats of all kinds and eventually to be limited in their ability to serve society. This future is avoidable, but precluding it requires the effective coordination and collaboration of the private and public sectors; continuous, comprehensive, and coordinated research; and appropriate policies to promote security and deter attackers.