Computers at Risk: Safe Computing in the Information Age (1991)
National Research Council, National Academy Press, Washington, D.C.
The System Security Study Committee was charged with developing a national research, engineering, and policy agenda to help the United States achieve a more trustworthy computing technology base by the end of the century. In order to advance an end-to-end systems approach, the committee also brought together two groups that had not interacted much before: communications security (COMSEC) and computer security (COMPUSEC).
The committee delivered a total of six recommendations: (1) promulgate comprehensive generally accepted system security principles, (2) take specific short-term actions that build on readily available capabilities, (3) gather information and provide education, (4) clarify export control criteria and set up a forum for arbitration, (5) fund and pursue needed research, and (6) establish an information security foundation. Under the fifth recommendation, the committee highlighted a security research agenda that would include research regarding the following: (1) security modularity, (2) security policy models, (3) cost/benefit models for security, (4) new security mechanisms, (5) increasing effectiveness of assurance techniques, and (6) alternative representations and presentations. This list was not meant to be complete, but illustrated the importance and scope of a possible research agenda moving forward.
The committee highlighted that progress was needed on many fronts, including management, deployment, research, legal enforcement, and institutional support, and that the reliability of computers and communications would be essential to the United States taking advantage of the Information Age.
Trust in Cyberspace (1999)
National Research Council, National Academy Press, Washington, D.C.
The Committee on Information Systems Trustworthiness was convened to assess the nature of information systems trustworthiness and prospects for technology that will increase trustworthiness. Part of its task statement was to “propose a research agenda that identifies ideas for relevant long-term research and the promotion of fundamental or revolutionary (as opposed to incremental) advances to foster increased trustworthiness of networked information systems.”
The central recommendations it made concerned the agenda for research. These recommendations included the following: (1) research to identify and understand networked information systems vulnerabilities, (2) research in avoiding design and implementation errors, (3) new approaches to computer and communication security, and (4) research in building trustworthy systems from untrustworthy components. These recommendations were aimed at federal funders of relevant researchers, such as the Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA), while also highlighting that policy makers should take interest in the research agenda as they formulate legislation. The committee believed that increased funding was warranted for both DARPA and the NSA for information security research and networked information systems trustworthiness research in general.
In addition to the central recommendations relating to the research agenda, the committee highlighted a number of findings and recommendations related to security and trustworthiness (Box C.1).
A Research Agenda for Networked Systems of Embedded Computers (2001)
National Research Council, The National Academies Press, Washington, D.C.
The Committee on Networked Systems of Embedded Computers was convened to conduct a study of networked systems of embedded computers (EmNets), examine the kinds of systems that might be developed and deployed in the future, and identify areas in need of greater investigation. The overall objective was to develop a research agenda that could guide federal programs related to computing research and inform the research communities (in industry, universities, and government) about the challenging needs of the emerging research area. The committee found eight key areas in which concerted research efforts were needed: predictability and manageability; adaptive self-configuration; monitoring and system health; computational models; network geometry; interoperability; the integration of technical, social, ethical, and public policy issues; and enabling technologies.
For embedded computers, the committee noted that the users of networked systems were going to demand reliability, safety, security, privacy, and ease of use—all of which were bundled together in the term “trustworthiness.” Given the amount of information that can be gathered by these systems, the committee highlighted that there needed to be ways that information could be verified to ensure that it was not compromised, misused, or accessed by an outsider. The committee noted that security in the context of embedded networks needs to assume that an adversary will actively try to abuse, break, or steal from the system. It also highlighted that security analysis in embedded systems would be difficult because embedded networks expand the number of possible points of failure, tampering, or attack, and homogeneous embedded networks would need different security than heterogeneous embedded networks. For example, traditional network security techniques will suffice along with policy and protection methods in homogeneous embedded networks, but heterogeneous embedded networks will rely more heavily on trust management and security policies/methods at individual nodes and applications. Creating boundaries for these systems would be a problem, given their size and span as noted earlier, in addition to potential vulnerabilities that could be found in remote updates or mobile code. These boundaries would also protect these systems from denial-of-service attacks that may pose challenges to high-integrity networks, such as those found in the military.
In order to address some of the security issues noted above, the committee highlighted a few research topics that it believed could use more attention to improve the overall trustworthiness of a system, including the following:
- Fault models and recovery techniques for embedded networks that take into account their scale, long life, open architecture, distributed control aspects, and the replaceability of their components (Reliability)
- Embedded network monitoring and performance-checking facilities (Reliability)
- Verification of embedded networks’ correctness and reliability (Reliability)
- Designing embedded networks with safety incorporated into the design, including the human–computer interface and interaction (Safety)
- Hazard analysis for embedded networks (Safety)
- Validating requirements (Safety)
- Verifying safety (Safety)
- Ensuring safety in upgraded software (Safety)
- Network access control (Security)
- Enforcement of security policies (Security)
- Critical infrastructure self-defense (Security)
- Preventing denial-of-service attacks (Security)
- Energy scarcity (which can significantly challenge security) (Security)
- Flexible policy management (Privacy)
- Informed consent (Privacy)
- Accountability research (Privacy)
- Anonymity-preserving systems (Privacy)
- Design for users and interaction (Usability)
- Appropriate conceptual models (Usability)
Toward a Safer and More Secure Cyberspace (2007)
National Research Council, The National Academies Press, Washington, D.C.
The Committee on Improving Cybersecurity Research in the United States was charged with developing a strategy for cybersecurity research in the 21st century. The committee built upon a number of previous Computer Science and Telecommunications Board reports. The committee’s action agenda for policy makers had five elements. The first was to create a sense of urgency about the cybersecurity problem, as the cybersecurity policy failure is not so much one of awareness as of action. The second, commensurate with a rapidly growing cybersecurity threat, was to support a broad, robust, and sustained research agenda at levels which ensure that a large fraction of good ideas for cybersecurity research could be explored. The third was to establish a mechanism for continuing follow-up on a research agenda that would provide a coordinated picture of the government’s cybersecurity research activities across the entire federal government, including both classified and unclassified research. The fourth was to support research infrastructure, recognizing that such infrastructure is a critical enabler for allowing research results to be implemented in actual information technology products and services. The fifth was to sustain and grow the human resource base, which will be a critical element in ensuring a robust research agenda in the future.
With regard to the necessities in research, the committee identified five principles that should shape the research agenda: (1) conduct cybersecurity research as though its application will be important, (2) hedge against uncertainty in the nature of the future threat, (3) ensure programmatic continuity in the research agenda, (4) respect the need for breadth in the research agenda, and (5) disseminate new knowledge and artifacts.
The committee highlighted that there is no silver bullet for “fixing” cybersecurity, as cybersecurity will continue to grow and evolve. This means that gaining ground will require broad and ongoing society-wide efforts that focus on cybersecurity vulnerability. It also noted that earlier reports had identified research investments in a number of important areas consistent with the recommendations reiterated in its report. It clearly stated that cybersecurity needs to be made a priority by society so that research could be moved forward.
Science of Cyber-Security (2010)
JSR-10-102, JASON, The MITRE Corporation, McLean, Virginia
JASON was tasked by the Department of Defense (DoD) to perform a study on the interplay of science with cybersecurity. As a part of the study, DoD posed a number of questions to be answered by JASON, including the following:
- What elements of scientific theory, experimentation, and/or practice should the cyber security research community adopt to make significant progress in the field? How will this benefit the community? Are there philosophical underpinnings of science that the cybersecurity research community should adopt?
- Are there “laws of nature” in cyberspace that can form the basis of scientific inquiry in the field of cyber security? Are there mathematical abstractions or theoretical constructs that should be considered?
- Are there metrics that can be used to measure with repeatable results the cyber security status of a system, of a network, of a mission? Can measurement theory or practice be expanded to improve our ability to quantify cyber security?
- How should a scientific basis for cyber security research be organized? Are the traditional domains of experimental and theoretical inquiry valid in cyber security? Are there analytic and methodological approaches that can help? What are they?
- Are there traditional scientific domains and methods such as complexity theory, physics, theory of dynamical systems, network topology, formal methods, mathematics, social sciences, etc., that can contribute to a science of cyber security?
- How can modeling and simulation methods contribute to a science of cyber security?
- Repeatable cyber experiments are possible in small closed and controlled conditions, but can they be scaled up to produce repeatable results on the entire Internet? To the subset of the Internet that supports DoD and the Intelligence Community?
- What steps are recommended to develop and nurture scientific inquiry into forming a science of cyber security field? What is needed to establish the cyber security science community?
- Is there reason to believe the above goals are, in principle, not achievable, and if so, why not?
JASON acknowledged that the challenge in defining a science of cybersecurity is that cyberspace is an “artificially constructed environment” that does not have strong ties to the physical realm, and that the challenges created by this environment are dynamic in nature. They highlighted that there is not one area of science that covers all the issues related to cybersecurity; however, they found other fields that they believed were analogous to cybersecurity, such as epidemiology, economics, and clinical medicine. They noted that there were specific subfields in computer science that were especially relevant to examine as well, including model checking, cryptography, randomization, type theory, and game theory. They stated that model checking could provide frameworks for examining security issues; cryptography could provide useful lessons relating to communication in the presence of an adversary and the capabilities adversaries are assumed to have; randomization or use of obfuscation could help to construct defenses; and game theory could help to prioritize cyber defense activities. In addition, they noted that machine learning and event processing would be subfields of importance when trying to correlate anomalies in systems to actual attacks.
JASON reported that although there had been many reports on the need for cybersecurity R&D, there was universal agreement that more work was needed but no agreement that it was being managed well. To move forward, one key observation by JASON was the need to accelerate the process of turning research results into tools that can be used by developers. To make significant progress in the field of cybersecurity, JASON highlighted that the most important first steps should be the creation of a common language and basic concepts that the cybersecurity community can use as a foundation, while also understanding that adversaries, threats, and practices will change over time, since there are no intrinsic “laws of nature” for cybersecurity as there are in other scientific fields.
In addition to contributing their own conclusions and recommendations, JASON endorsed the IDA report Cyber-Security Technology Initiatives, which had recommended the establishment of cybersecurity science-based centers and projects within universities and other centers. JASON highlighted the following advantages of having DoD sponsor those programs:
- The DoD would have access to the best ideas and people.
- The DoD would be able to “bias the work towards their versions of common problems.”
- Universities and other research centers would be able to leverage resources internal to the DoD (including internal networks).
They also highlighted that universities and centers would be able to bridge the gap between the DoD and the software industry in order to accelerate the transition of new ideas into useful tools for developers.
Federal Cybersecurity Research and Development Strategic Plan (2016)
Executive Office of the President, Washington, D.C.
The Federal Cybersecurity Research and Development Strategic Plan released in February 2016 expands on the strategic plan Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program released in December 2011. The strategic plan is built upon four assumptions related to adversaries, defenders, users, and technology (Box C.2) and expands on the priorities set in 2011. The strategic plan also introduces a heavy focus on research and development not discussed in the 2011 strategic plan.
The strategic plan uses the four fundamental assumptions to outline near-term, mid-term, and long-term goals that together will provide the tools needed to improve cybersecurity. These goals include the following:
- Near-term goal (1-3 years): Achieve S&T advances to counter adversaries’ asymmetrical advantages with effective and efficient risk management.
- Mid-term goal (3-7 years): Achieve S&T advances to reverse adversaries’ asymmetrical advantages through sustainably secure systems development and operation.
- Long-term goal (7-15 years): Achieve S&T advances for effective and efficient deterrence of malicious cyber activities via denial of results and likely attribution.
In order to achieve these goals, the plan focuses on developing science and technology to support what the report identifies as four defensive elements: deter, protect, detect, and adapt. The plan wants to deter malicious attacks by measuring and increasing the costs to adversaries carrying out such activities, diminishing the spoils, and increasing risks and uncertainty for potential adversaries. The plan wants components, systems, users, and critical infrastructure to have the ability to efficiently resist malicious cyber activities while also ensuring confidentiality, integrity, availability, and accountability. The plan wants the ability to efficiently detect, or even anticipate, adversary decisions, on the assumption that systems are vulnerable since perfect security is not possible. The plan wants defenders, defenses, and infrastructure to dynamically adapt to malicious cyber activities by efficiently reacting to disruption, recovering from damage, maintaining operations while completing restoration, and adjusting to thwart similar future activity.
The four defensive elements, which ultimately support the overall plan, are dependent on six areas deemed critical to a successful cybersecurity R&D effort: (1) scientific foundations, (2) enhancements in risk management, (3) human aspects, (4) transitioning successful research into pervasive use, (5) workforce development, and (6) enhancing the infrastructure for research.
The plan highlighted five recommendations for the federal government that would help support and achieve the plan in its entirety:
- Recommendation 1. Prioritize basic and long-term research in federal cybersecurity R&D.
- Recommendation 2. Lower barriers and strengthen incentives for public and private organizations that would broaden participation in cybersecurity R&D.
- Recommendation 3. Assess barriers and identify incentives that could accelerate the transition of evidence-validated effective and efficient cybersecurity research results into adopted technologies, especially for emerging technologies and threats.
- Recommendation 4. Expand the diversity of expertise in the cybersecurity research community.
- Recommendation 5. Expand diversity in the cybersecurity workplace.