Readers of this column are familiar with descriptions of cybersecurity threats and potentially dire consequences, particularly as more critical activities become dependent on cyberspace. They also recognize the high ongoing burden of living with and defending against cyberattacks. At the same time, many policymakers (including those with responsibility for security) have a wide range of views about the severity of the threats. The resulting lack of urgency has impeded progress toward a more secure cyberspace.
A recent National Research Council report (Toward a Safer and More Secure Cyberspace, National Academies Press, Washington, D.C., 2007; www.nap.edu) analyzes aspects of the current cybersecurity dilemma and articulates five key points regarding cybersecurity. First, the report argues that we should focus more attention on cybersecurity for both public safety and economic reasons. Increasing dependence on information technology (IT) steadily increases the risks that cyberattacks could impact the safe and orderly operation of systems across the board, including for critical infrastructures. From an economic perspective, the costs and risks related to computer security are high and could begin to outweigh the benefits of the increasing use of IT. This in turn could cause us to reject key opportunities to apply IT more widely.
Second, particularly in huge, open, networked systems, the quest for cybersecurity must be seen as an ongoing, multifaceted battle that will never end. New threats will emerge for many reasons—for example, as responses to new defenses. New vulnerabilities will emerge as innovation adds applications and changes underlying systems. Our increasing dependency on IT amplifies the incentives to compromise it. In important ways, the problems of cybersecurity are similar to security problems arising in other domains. Cybersecurity is a problem here to stay.
Third, there are important implications for the appropriate cybersecurity research agenda. Because of the breadth of the problem, there are no silver bullets that will allow government policymakers, corporate decision makers, or individual users to take cybersecurity problems off the radar screen, and so it is futile to seek narrowly focused research agendas that will decisively "solve the problem." Consequently, the research agenda must be both broad and interdisciplinary, drawing not only on computer science and software engineering but also on expertise in human factors, law, economics, political science, and psychology.
The report divides the research agenda into six categories. Research is needed on blocking and limiting the impact of compromise; enabling users to hold anyone or anything with access to a system component (computing device, sensor, actuator, network, and so on) accountable for the results of such access; promoting deployment of good cybersecurity technologies and practices; and deterring would-be attackers. A fifth category is aimed at cross-cutting problem-focused research addressing applications as well as systems. A sixth category focuses on unorthodox "out-of-the-box" research that may offer potentially greater gains. As just two examples, the report proposes research on how to motivate creation of more robust software, and the maintenance of information provenance from information creation to modification. The report contains approximately 150 pages of details on cybersecurity research opportunities.
Fourth, recognizing that cybersecurity will improve only if many agree on its objectives and increase their focus, the NRC study proposed a Cybersecurity Bill of Rights (CBoR) that is a statement of security goals or expectations, depending on whether the reader views himself as an IT creator or user. It illustrates what society could reasonably expect in the way of security in its IT. Because most of today’s IT is not designed or implemented with the goals of the CBoR in mind, it also vividly illustrates the enormous gap between what IT should do and what it presently does.
The 10 provisions of the CBoR are in four categories: holistic system properties related to availability, recoverability, and control of systems; traditional security properties related to confidentiality, authentication, provenance, and authorization; cross-cutting properties such as safe access to information, confident invocation of important transactions, particularly including those that control physical devices, and knowledge of what security exists in a system; and appropriate justice related to cybersecurity.
Finally, the report argues that current cybersecurity research funding is insufficiently directed to meeting the objectives defined by the CBoR. The report recommends that policymakers establish budgets to support a significant fraction of the good ideas proposed for long-term cybersecurity research.