6 Findings and Conclusion
Pages 116-126

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 116...
... As information technology becomes more ubiquitously integrated into society, the incentives to compromise the security of deployed IT systems grow. As innovation produces new information technology applications, new venues for criminals, terrorists, and other hostile parties also emerge, along with new vulnerabilities that malevolent actors can exploit.
From page 117...
... If an adversary has the resources to increase the sophistication of its attack and the motivation to keep trying even after many initial attempts fail, it is natural for users to wonder whether it makes sense to bother to improve security at all. Yet, doing nothing until perfect security can be deployed is surely a recipe for inaction that leaves one vulnerable to many lower-level threats.
From page 118...
... • Other defensive measures may enable the victim to know of the adversary's presence and activities, even if the victim is not entirely successful in thwarting the adversary's efforts. For all of these reasons, efforts to improve cybersecurity postures have significant value.
From page 119...
... Attending to Part 2 of the cybersecurity gap calls for research that targets specific identifiable cybersecurity problems and that also builds a base of technical expertise that increases the ability to respond quickly in the future when threats unknown today emerge. Note that the Part 1 gap is primarily nontechnical in nature (requiring, e.g., research relating to economic or psychological factors regarding the use of known practices and techniques, enhanced educational efforts to promote security-responsible user behavior, and incentives to build organizational cultures with higher degrees of security awareness)
From page 120...
... Such a culture would entail, among other things, collaboration among researchers; effective coordination and information sharing between the public and the private sector; the creation of a sufficient core of research specialists necessary to advance the state of the art; the broad-based education of developers, administrators, and users that would make security-conscious practices second nature, just as optimizing for performance or functionality is now, and that would make it easy and intuitive for developers and users to "do the right thing"; the employment of business drivers and policy mechanisms to facilitate security technology transfer and diffusion of R&D into commercial products and services; and the promotion of risk-based decision making (and metrics to support this effort)
From page 121...
... Senior policy makers have many issues on their agenda, and only five issues can be in the top five issues of concern. Even within the national security context, for example, is it more important to attend to nuclear proliferation and terrorism or to rebalancing U.S.
From page 122...
... For example, the United States has publicly held China and Russia responsible for industrial cyber exploitation on a very large scale. But China is also the largest single holder of U.S.
From page 123...
... Nonetheless, irreconcilable tensions will sometimes be encountered. At that point, policy makers will have to confront rather than sidestep those tensions, and honest acknowledgment and discussion of the tradeoffs (e.g., a better cybersecurity posture may reduce the nation's innovative capability, may increase the inconvenience of using information technology, may reduce the ability to collect intelligence)
From page 124...
... government thinking on these issues highly opaque. Such opacity has many undesirable consequences, but one of the most important consequences is that the role offensive capabilities could play in defending important information technology assets of the United States cannot be discussed fully.
From page 125...
... economics, organizational behavior, political science, engineering, sociology, decision sciences, international relations, and law. In practice, although technical measures are an important element, cybersecurity is not primarily a technical matter, although it is easy for policy analysts and others to get lost in the technical details.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.