The growth of myriad cyber-threats continues to accelerate, yet the stream of new and effective cyber-defense technologies has grown much more slowly. The gap between threat and defense has widened, as our adversaries deploy increasingly sophisticated attack technology and engage in cyber-crime with unprecedented power, resources, and global reach. We are in an escalating asymmetric cyber environment that calls for immediate action. The extension of cyber-attacks into the socio-techno realm and the use of cyber as an information influence and disinformation vector will continue to undermine our confidence in systems. The unknown is a growing threat in our cyber information systems.
Nonetheless, while the dark side is daunting, emerging research, development, and education across interdisciplinary topics addressing cybersecurity and privacy are yielding promising results. The shift from R&D on siloed add-on security to new fundamental research that is interdisciplinary and positions privacy, security, and trustworthiness as principal defining objectives offers opportunities to achieve a shift in the asymmetric playing field.
Here, I will discuss three key considerations for cybersecurity research and development: interdisciplinary research themes, the role of experimentation in R&D, and education. Each of these will be the subject of future columns as we focus on opportunities for dramatically different security and privacy in our daily lives.
The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive cybersecurity research. This movement away from boundary protection and after-attack analysis to proactive autonomic systems has opened the door to new investigations and opportunities that are vital to future R&D. The shift in understanding attacks and vulnerabilities, through research based on increased understanding of threat techniques and increasingly sophisticated attack modes such as advanced persistent threats, ransomware, and embedded system attacks, provides the basis for next-generation research using AI and machine learning techniques.
The application of AI simultaneously creates new vectors for attacks and malfeasance while giving researchers new tools. New understanding of and research into detecting, blocking, and managing misinformation/disinformation, and into detecting deepfakes and the associated automatically generated images/video/content/dialogue, will have far-reaching impacts. A better marriage between natural language understanding, human behavior, and network signals backed by AI will enhance information systems. At the same time, systems must be designed with an understanding of the threat space of adversarial attacks on machine learning models that will underlie so many mission-critical systems. Some of these research advances and techniques to manage trade-offs can be seen in a number of DARPA-funded research programs, such as the Active Social Engineering Defense (ASED) program, which is developing approaches to automatically identify, disrupt, and investigate spear-phishing and social engineering attacks, and the Cyber Hunting at Scale (CHASE) program, which is developing data-driven cyber-hunting tools for real-time cyber threat detection, characterization, and protection within DoD networks.
Studying broadly within our own disciplines is not enough. Cybersecurity is no longer solely an engineering discipline. It requires deep involvement from economists, sociologists, anthropologists, and other scientists to create the holistic research agendas that can anticipate and guide effective cyber-defense strategies.
Finally, we need innovations in data and information sharing between and across academia, government, and industry. One of the key impediments to research is the lack of real, validated data. There is an imbalance between the massive data collected and used by the Big Four (Apple, Facebook, Amazon, Google), industrial contractors and operational components, and that available to academic researchers. This is an issue that touches deeply on issues of privacy, security, and ethics, yet most of the needed advances in research increasingly rely on access to data of this type and scale to train and validate emerging AI and reasoning research.
A Science of Experimentation
Historically, cybersecurity R&D has struggled to prove its value in the commercial marketplace. The scientific basis for assessing the relative strength of theoretical and technological cybersecurity solutions often has been uncertain. This uncertainty has hampered technology transition and widespread cybersecurity adoption.
My research interests over the past two decades are in the science of cybersecurity experimentation and next-generation distributed experimentation methodologies. In my position as Director of the Networking and Cybersecurity Research Division at the Information Sciences Institute of the University of Southern California, I lead teams developing leading-edge cybersecurity research infrastructure for creating, testing, and evaluating the next generation of R&D. Our test-bed technology provides infrastructure, methodologies, and tools for cybersecurity experimentation. Our cybersecurity experimentation strategy is driven by the following key principles:
- Support experimentation and testing of hypotheses;
- Enable creation of repeatable, science-based experiments that can be validated by others;
- Generate research results that can be leveraged into broad, multi-component solutions in which components demonstrably support one another, making the whole greater than the sum of its parts;
- Foster methodologies and tools to help guide experimenters toward this new, scientific cybersecurity experimentation discipline; and
- Provide an open environment for researchers in industry, government, and academia to build on one another's achievements.
A central tenet of our research is enabling researchers to live in the future—allowing researchers to experiment with techniques and tools that do not yet exist and operate in environments only beginning to emerge. This allows highly capable, fluid new approaches to take shape. Living in the future also means enabling continuous R&D infrastructure gains. Our highly connected world is growing exponentially in scale and complexity. Critical national assets and the threats to them evolve in tandem as well. While there are now various cybersecurity testbed experimentation facilities around the world, only a few are applicable to a wide range of experimentation, and almost none are openly available. Still, their existence is a valuable step toward research into a cross-disciplinary range of cybersecurity experimentation and testing methods and tools. In the future, we need an expansive ecosystem of experimentation laboratories along with clearinghouses and coordination centers to ensure widespread availability and use.
Looking forward, it is clear cybersecurity R&D must be grounded in the same systematic approach to discovery and validation that is routine in other scientific and technological disciplines. To approach these challenging research problems, we must create a paradigm shift in experimental cybersecurity. Only by enabling demonstrable, repeatable experimental results can we provide a sound basis for researchers to leverage prior work, and to create new capabilities not yet imaginable.
Education for the Future
Changing the asymmetric dynamics of cyberspace requires astute, knowledgeable researchers, educators, operators, users, and citizens. However, we are far from this goal. Rapid growth and spread of information technology, dramatically increased system complexity, and the multi-dimensional interdependence of these systems have left us woefully unprepared on many fronts.
The current dearth of cyber-professionals has sparked significant new federal training and education programs aimed at addressing this need. Among these initiatives are the National Initiative for Cyber Security Education (NICE), the Scholarship for Service program, the National Centers of Academic Excellence in Information Assurance Education, and the Centers of Academic Excellence in Research. While these initiatives are beginning to increase the pipeline of cyber-professionals, their scale, pace, and depth so far are nowhere near sufficient to address the critical needs in the public and private sectors. The challenge now is to help organizations locate and access programs suited for their needs.
While classroom study and early exposure to research provide foundational cybersecurity education, effective training also demands direct, hands-on involvement. Teaching cybersecurity is challenging. How do you demonstrate system weaknesses, inspire students to create constructive new solutions to vulnerabilities, and provide an environment in which they realistically can explore threat scenarios? We believe that undergraduates with direct cybersecurity experience are most likely to be eager to—and capable of—earning master's degrees. Similarly, graduate students who engage in science-based experimental research are most likely to develop the passion to pursue demanding doctoral and post-doctoral studies, and to obtain the academic positions that will enable them to continue developing the next generation of cyber-warriors.
To fundamentally change the cyber-threat dynamic, however, we need deep intellectual resources as well. These are represented by the brightest, best trained, and most curious and ambitious researchers and educators. Accordingly, we must be prepared to make significant investments in higher education. We must focus on educating the next generation of researchers and educators today so that we can build the intellectual resources vital to solving tomorrow's problems. We are at serious risk of diminishing our academic programs due to the number of graduate students and faculty who are lured to industry by astronomical salaries and promises of opportunity. While this trend is advancing commercial offerings, it will have a serious impact on our ability to perform leading-edge research and to educate and mentor the next generation.
However, the future challenges in emerging topics of AI, quantum, and IoT require that cyber education be much more widespread, more sophisticated, and accessible. Furthermore, the events of 2020 make it clear that we must address issues of diversity, equity, and inclusion in all levels of education. Only 20% of awarded U.S. computer science Ph.D.'s are women and only 3% of the awarded Ph.D.'s are people of color (Black, Hispanic, Native American). Computer science is lacking the involvement of 70% of the population, and thus we cannot hope to address the myriad of challenges in cybersecurity with such a lack of diversity.
This is an exciting time to be a researcher in cybersecurity. The challenges facing the community are more complex than ever and changing at a rapid pace. In the face of these conditions, we are, perhaps for the first time, in a position to draw on a wide range of interdisciplinary research themes to tackle these challenges. Artificial intelligence research has advanced in scale and complexity, can take advantage of new computational support, and is now making regular contributions to the field of cybersecurity research. These advances, along with important contributions from economists, sociologists, anthropologists, and other scientists, are creating the holistic research agendas that will result in technology that can anticipate and guide effective cyber-defense strategies. I look forward to creating a forum for the community to explore these exciting developments and to debate the technological and societal trade-offs that will inevitably arise.