Currently Skimming:

3 Improving the Nation's Cybersecurity Posture
Pages 51-76

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 51...
... landscape into which cybersecurity research flows. It describes the twin needs for research that would lead to improved deployment of today's cybersecurity technologies and the emergence of new cybersecurity technologies in the future.
From page 52...
... crosscutting properties such as safe access to information, confident invocation of important transactions, including those that will control physical devices, and knowledge of what security will be available; and (4) matters relating to jurisprudence: that is, appropriate justice for victims of cyberattack.
From page 53...
... Availability of system and network resources to legitimate users. Users of information technology systems (from individuals to groups to society, and including programs and applications)
From page 54...
... Just as most people engage in telephone conversations and store paper files with some reasonable assurance that the content will remain private even without their taking explicit action, users should expect electronic systems to communicate and store information in accordance with clear confidentiality policies and with reasonable and comprehensible default behavior. Systems for application in a particular problem domain should be able to support the range of privacy policies relevant to that domain.
From page 55...
... Information sources and events in cyberspace should be construed broadly, so that deliberately hostile or antisocial sources and actions should have provenance as well. Provenance should be reliable and nonrepudiable.
From page 56...
... Security is especially important in certain kinds of transactions, such as those involving financial, medical, or electoral matters. Further, computational devices increasingly control physical processes as well as information processes, and such devices may have the potential to act dangerously in the physical world.
From page 57...
... To a great degree, quantitative risk assessments, rational investment strategies, and cybersecurity insurance all depend on the ability to characterize the security of systems. • The last provision relates to justice: X
From page 58...
... The first reason is that there is much about cybersecurity technologies and practices that is known but not put into practice. As an example, according to the senior information security officer at a major financial institution, the codification and dissemination of best practices in cybersecurity policy at the level of the chief executive officer or the chief information officer have been particularly challenging, because incentives and rewards for adopting best practices are few.
From page 59...
... Moreover, end users often do not avail themselves of known cybersecurity technologies and practices that could significantly improve their individual resistance to cyberattack of various kinds.
From page 60...
... Security add-ons will always be necessary to fix individual security problems as they arise, and R&D is needed to develop improved tools and techniques for dealing with near-term fixes (e.g., configuration management, audit, patch management), but ultimately there is no substitute for system- or network-wide security that is architected from initial design through deployment, easy to use, and minimally intrusive from the user's standpoint.
From page 61...
... Much research is needed on the properties, practices, and disciplines to drive this emergence -- just as research in the nascent complexity sciences is addressing similar problems of understanding emergence in other problem domains characterized by sensitive dependence on initial conditions. This does not mean that it is impossible to identify areas of focus, but it does imply that within those areas of focus the nation's research strategy should seek to develop a broad and diverse technological foundation that would enable more rapid responses to new and currently unforeseen threats as they emerge as well as to yield unanticipated advances.
From page 62...
... First, much of today's cybersecurity research is limited to creating "building blocks" for security that could be incorporated into various applications. Today's dominant perspective is that basic research entails the creation or in-principle demonstration of a new cybersecurity concept or mechanism, and that bringing this concept or mechanism into real-world use is somehow less demanding or intellectually less worthy than the "basic" or "fundamental" research that led to the innovative concept or mechanism.
From page 63...
... Second, the committee believes that a view of cybersecurity research as being devoted only to the creation of building blocks is far too narrow, and is one of the primary reasons that the benefits of past cybersecurity research have not been fully realized. While the creation of new cybersecurity building blocks is an essential and primary component of any research agenda in cybersecurity, the span of cybersecurity research must be broadened in several interrelated dimensions to encompass -- indeed, embrace -- the application of known and future approaches to specific application domains, development of cybersecurity tools for every part of the IT life cycle, and multidisciplinary approaches to cybersecurity problems.
From page 64...
... In addition, because post-catastrophe deployments often change the boundaries of what is politically feasible, research should also consider what sensible things might be done if and when such opportunities arise.
3.4.1.2 New Computing Paradigms and Applications Domains
Cybersecurity problems in an environment of large-scale distributed computing, embedded computing, batch processing and mainframe com
From page 65...
... Moreover, these collaborations must be undertaken as enterprises among co-equals -- and in particular the computer scientist as cybersecurity researcher cannot view the problem domain as "merely" the applications domain, must refrain from jumping to conclusions about the problem domain, must be willing to learn the facts and contemplate realities and paradigms in the problem domain seriously, and must not work solely on the refined abstract problem that characterizes much of computer science research. Similarly, applications experts cannot view security as a mere annoyance to be brushed aside as quickly as possible, must refrain from jumping to conclusions about cybersecurity, must be willing to learn the facts and contemplate realities
From page 66...
... Whether different foci of research are needed to address security issues in each of these phases is an open question, but it is clear that the needs for security are not identical in each phase -- and so researchers and funders should be open to the idea of phase-specific cybersecurity research. As an example of thinking implied by this principle, consider a search for alternatives to the notion of perimeter defense, which has been a common approach to security for many years.
From page 67...
... 3.4.1.4 Engaging a Multidisciplinary Approach to Cybersecurity
Any meaningful cybersecurity research program should be understood as a highly multidisciplinary enterprise for two related reasons. First, adversaries can focus their efforts on any weak point in a system, whether that weak point is technological, organizational, sociological, or psychological.
From page 68...
... Also in scope are software engineering techniques, architecture, and network configuration through awareness, codification of those practices, and education programs. • Developing the value proposition and business case for the deployment of security, which includes economic models and measurement techniques to facilitate models for estimating costs and benefits, testbeds, field trials, and case studies to demonstrate and assess value when in situ.
From page 69...
... Problem-oriented research, on the other hand, will require close collaboration among cybersecurity researchers and experts from other disciplines, and as suggested in Section 3.4.1.2, collaborations with application domain experts as well. Because of the stovepiped nature of many academic disciplines, including computer science, special efforts will be needed to nurture problem interdisciplinary efforts that will encourage and incentivize the interaction of academic cybersecurity researchers with researchers with other specialties, both in university departments and nonacademic research institutes.
From page 70...
... TOWARD A SAFER AND MORE SECURE CYBERSPACE
... only low-end threats were at issue. The development of stronger technological foundations for computer and network security is, of course, highly relevant to threats across the entire spectrum, but because a high-end threat may well be capable of undertaking more sophisticated or more subtle technical attacks, the technological research agenda must be correspondingly deeper.
From page 71...
... Private industry has important roles to play as well. Today, industrial research and development in cybersecurity is a significant component of the nation's cybersecurity R&D efforts, and meaningful cybersecurity results emerge from this effort.
From page 72...
... But such continuity is particularly relevant to cybersecurity. As noted in Section 2.6, cybersecurity problems will endure as long as bad guys have incentives to compromise the security of IT-based systems and networks, and thus cybersecurity research will always be needed to deal with some new and unanticipated exploit.
From page 73...
... Rather, a good cybersecurity research agenda is more like a good strategy for investing in the stock market, both of which are driven by a multitude of unpredictable factors. Although there are basic principles
From page 74...
... Cybersecurity is relevant to research, education, and practice for every component of the IT system's development life cycle, and research focused on these components should itself embrace a cybersecurity aspect to such work. By tacitly accepting the current practice of fencing off "cybersecurity research" into separate programs, research programs have a tendency to focus primarily on those areas that are more "purely cybersecurity" such as crypto protocols and other aspects of cybersecurity that are easily separable from basic system design and implementation and to neglect those areas where integration is a principal concern, principally the engineering of software and cyber-physical systems.
From page 75...
... Furthermore, a significant expansion in the number of cybersecurity researchers with security clearances does not seem feasible in the present political environment. Thus, the committee believes that as a general rule, the nation would be better served by the latter course.
From page 76...
... 1994. Academic Careers for Experimental Computer Scientists and Engineers.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.