1 Cybersecurity Challenges and Security Science
Pages 10-20



From page 10...
... Systems of all kinds are becoming larger and more interconnected. Other changes in recent years include the character of the threat, its sophistication, goals and targets; increasingly sophisticated supply chains for software-reliant systems that themselves include components from diverse sources; and wide deployment of Internet of Things (IoT)
From page 11...
... This report is aimed primarily at the cybersecurity research community, but it takes a broad view that efforts to improve foundational science in cybersecurity will need to be inclusive of many disciplinary perspectives and ensure that these disciplines work together to achieve common goals.3

CHALLENGES TO ACHIEVING CYBERSECURITY

Cyberspace is notoriously vulnerable to varied and changing attacks by hackers, criminals, terrorists, and state actors. The nation's critical infrastructure, including the electric power grid, air traffic control system, financial system, and communication networks, depends on information technology for its operation and thus is susceptible to cyberattack.
From page 12...
... At a societal level, cybersecurity affects and is affected by the sometimes conflicting equities of national security, democratic values, and economic prosperity,5 which widens the aperture for the research enterprise considerably. Responding to these dynamic challenges requires sustained support for research that can address challenges of today and those still on the horizon.
From page 13...
... Another example involves the common attack mode of "phishing," which is not against a technical system per se but against an individual, where an adversary tries to deceive someone into actions that allow attackers into their system. A model that does not include people invoking malicious software would be

6 Recent years have seen increased discussion of what a scientific basis for cybersecurity might entail, and efforts are under way within the cybersecurity research community to develop a security science.
From page 14...
... EXAMPLE EFFORTS

Examples of research areas in which this sort of scientific approach has been taken include cryptography, programming languages, and security modeling. The cryptography community (which comes from a mathematics tradition)
From page 15...
... The result is that reference monitors can enforce only what are known as safety properties, which require that something bad will never happen.12 This result both demonstrates the robustness of the scientific approach and offers a practical insight to those implementing security technologies -- to wit: understand whether the policy to be enforced is a safety property, and recognize that, if it is not, any security approach that depends on a reference monitor will not be able to enforce it. For instance, firewalls cannot address sophisticated phishing attacks.13 Developing scientific laws and models related to composability would help explore and explain how combinations of mechanisms and approaches interact.14 It could be a key contribution, especially if exploring compos

10 D.E.
From page 16...
... Human factors researchers have developed signal detection theory15 to determine when performance errors reflect the inability to detect problems and misaligned incentives for responding to them (undue or insufficient caution)
From page 17...
... has funded several lablets (groups of researchers tasked with contributing to the development of a systemic body of knowledge)18 and created an annual "Best Scientific Cybersecurity Paper" competition.19 As an adjunct to these lablets and related efforts, the NSA has also established a science of security virtual organization20 to help researchers stay abreast of current news and activities in the field.
From page 18...
... A password policy for mobile phones illustrates how difficult it is to get to the right security policy. Password policies usually come with a trusted third party to help recover from losing access (by forgetting a password or having one expire)
From page 19...
... e The Federal Trade Commission has also issued guidance regarding mandatory password changes (L. Cranor, "Time to rethink mandatory password changes," Federal Trade Commission, March 2, 2016, https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes.)
From page 20...
... Chapter 5 offers insights on the organization and leadership of the research community and describes opportunities to improve research practice and approach, concluding with a discussion of how the research community could reconfigure its efforts to more inclusively address cybersecurity challenges.

