10 Looking to the Future
Pages 223-248

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 223...
... 10 Looking to the Future 10.1 WHY HAS LITTLE ACTION OCCURRED? The Committee on Improving Cybersecurity Research in the United States believes that the cybersecurity threat is real, imminent, and growing in severity.
From page 224...
... They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records.
From page 225...
... Two years later, the National Research Council released another report, Trust in Cyberspace,5 which argued that it was necessary to move the focus of the [cybersecurity] discussion forward from matters of policy and procedure and from vulnerabilities and their consequences toward questions about the richer set of options that only new science and technology can provide.
From page 226...
... TOWARD A SAFER AND MORE SECURE CYBERSPACE The Nation's information technology (IT) infrastructure, still evolving from U.S.
From page 227...
... Bazerman and Watkins described a predictable surprise as an event that takes an individual or a group by surprise, despite prior awareness of all of the information necessary to anticipate the events and their consequences.8 In particular, they identify several characteristics of predictable surprises:
• Leaders know that a problem exists and that the problem will not solve itself.
• The problem worsens over time.
From page 228...
... Making parties liable for not securing their facilities against being illicitly used as part of a DDOS attack (today there is zero liability) would change the incentives for making such investments.
From page 229...
... As for the impact of research on the nation's cybersecurity posture, it is not reasonable to expect that research alone will make any substantial difference. Indeed, there is a very large gap between a successful "in principle" result or demonstration and its widespread deployment and use.
From page 230...
... port a robust and sustained research agenda at levels which ensure that a large fraction of good ideas for cybersecurity research can be explored.
• Establish a mechanism for continuing follow-up on a research agenda.
From page 231...
... emergency. However, in one very fundamental aspect, the Y2K problem and today's cybersecurity problem are different.
From page 232...
... A first step toward an authoritative threat assessment could have been the National Computer Security Survey sponsored by the Bureau of Justice Statistics at the Department of Justice (DOJ) and the National Cyber Security Division (NCSD)
From page 233...
... account the cybersecurity postures of their customers when providing audits or setting insurance rates. The committee recognizes that policy actions are, almost by definition, less compelling for focusing attention and stimulating action than are deadlines imposed by nature.
From page 234...
... combined with a cognizance of the threat environment and advances in technology, that should determine funding allocations. With this model, the scale of the necessary funding is set by the amounts needed to sustain this community at appropriate levels and to ensure that a large fraction of good ideas for cybersecurity research can be explored.
From page 235...
... As for the magnitude of the budget needed to sustain the committee's principle, the committee notes that for the foreseeable future the cybersecurity threat will only grow. First, the threat is likely to grow at a rate faster than the present federal cybersecurity research program will enable us to respond, and the consequences of failing to provide an adequate response could be quite damaging to the nation.
From page 236...
... But the overall expense is large. Another point of comparison is the 2005 FBI Computer Crime Survey, which estimated the cost of "computer security incidents" in the 12-month period from mid-2004 to mid-2005 at $67.2 billion to U.S.
From page 237...
... theoretical computer science underpins much encryption research, both in identifying weaknesses and in advancing the state of the art. Algorithms research helps ensure that protocols designed for security can be efficiently implemented.
From page 238...
... a reasonably fine-grained understanding of the scope and nature of that portfolio. However, to the committee's knowledge, a picture that is both adequately detailed and sufficiently comprehensive does not exist today.
From page 239...
... classified auspices does not mean that such efforts produce no knowledge of value outside the military, diplomatic, and intelligence communities. It may mean, for example, that researchers and developers may have been asked to conduct their work in the context of specific problems whose details are classified.
From page 240...
... BOX 10.1 A Model Categorization for Understanding Budgets The National Science Foundation (NSF) overview of the fiscal year 2004 awards for the Cyber Trust program and related awards included several substantive categorizations for the same awards, including the following:
• Topic (security of next-generation operating systems and networking; forensic and law enforcement foundations; human-computer interface for security functions; cross-disciplinary approaches; theoretical foundations and mechanisms for privacy, security, trust; composable systems and policies; presenting security concepts to the average user; improved ability to certify system security properties; improved ability to analyze security designs and to build systems correctly; more effective system monitoring, anomaly detection, attack recognition and defense; and integrating hardware and software for security)
From page 241...
... . An infrastructure for cybersecurity research provides invaluable assistance in new ideas at a reasonable scale, in the wild, with real users; insight into appropriate paths to the "tipping point" (the point of acceptance of an innovation after which the entire community feels that it no longer makes sense to refuse to accept it)
From page 242...
... worms to be tested under relatively controlled conditions. Propagation speed, destructiveness, and virulence of an attack can be evaluated in a safe environment (i.e., without consequences for the larger Internet)
From page 243...
... civilian cyber security fundamental research community by the end of the decade. In particular, the Federal government should increase and stabilize the funding for fundamental research in civilian cyber security, and should support programs that enable researchers to move into cyber security research from other fields.
From page 244...
... the importance of research support for the field that is both adequate and stable. Regarding adequacy -- increasing the number of researchers in a field necessarily entails increased support for that field, and no amount of prioritization within a fixed budget will result in significant growth in that number.
From page 245...
... services. Such efforts are useful, but they do not speak to development of a cadre of computer scientists and engineers and IT leaders that will focus on how to make the next generation of products and services more secure.
From page 246...
... . For example, current software engineering education does not emphasize that inputs to a program affecting program flow must always be checked for validity before it is passed to the program, even when data are made available at internal interfaces to program components.
From page 247...
... • Whereas in the old mind-set, a system is considered secure until demonstrated otherwise by a practical attack, the new mind-set suggests that a system should be regarded as insecure until there is evidence that suggests its resistance to attack.
These comments are not intended to suggest that every designer and developer of IT products, services, and applications must become a security specialist as well.
From page 248...
... particularly important if and when departments are contracting. In such times, it is difficult to obtain slots for any subspecialty, and especially so if -- as is the case with the cybersecurity specialization -- there is not a critical mass of those faculty members already in the department.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.