Improving Cybersecurity Research in the United States
Toward a Safer and More Secure Cyberspace examines the vulnerabilities of the Internet and offers a strategy for future research aimed at countering cyber attacks. The report also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated.
The nation's critical infrastructure, such as the electric power grid, air traffic control system, financial system, and communication networks, depends upon networked information systems (NISs) for its operation. However, these NISs presently possess vulnerabilities that can be exploited by terrorists and malicious hackers, because there is an inadequate understanding of what makes them vulnerable to attack, how best to reduce these vulnerabilities, and how to transfer cybersecurity knowledge into actual practice. In short, it appears that our nation's dependence on NISs has grown faster than our ability to address their vulnerabilities.
At congressional hearings (e.g., House Science Committee) and other convenings of academic, industry and government representatives between 2001 and 2002, participants argued that new research funds, and possibly a new way of thinking about cybersecurity, are necessary to meet the urgent need to secure computer networks supporting the nation's critical infrastructure. In response, the U.S. Congress passed the Cyber Security Research and Development Act (PL 107-305, enacted November 27, 2002) which authorized this study to provide advice regarding the appropriate locus for federal cybersecurity research.
This project will involve a survey of the research effort in cybersecurity and trustworthiness to assess the current mix of topics, level of effort, division of labor, sources of funding, and quality; describe those research areas that merit federal funding, considering short-, medium-, and long-term emphases; and recommend the necessary level of federal funding for cybersecurity research. The study will address research topics traditionally associated with cybersecurity, as well as those related to improving the trustworthiness of networked information systems, with a focus on achieving fundamental strength rather than pursuing reactive approaches. This project will also seek to identify and explore models and technologies that are not traditionally associated with cybersecurity or computer system trustworthiness but that, nevertheless, may generate ideas leading to revolutionary, not incremental, advances in cybersecurity research. Structural alternatives for the oversight and allocation of funding (how best to allocate existing funds and how best to program new funds that may be made available) will be considered, and the project committee will provide corresponding recommendations.
The expertise required for this project includes the various specialties within computer security and other aspects of trustworthiness, computer networks, systems architecture, complex systems (both in the computer science context and in other domains, such as those based in the biological sciences), software engineering, process control systems (e.g., SCADA), human-computer interaction, organization theory and public administration, and information technology research and development programs (both operational and grant-making programs) in the federal government, academia, and industry. People experienced with federally funded programs will be involved, as well as people with experience in industrial research. Membership on the committee will be balanced between those with well-established expertise in areas traditionally associated with cybersecurity and those with expertise in other areas that may infuse creative and innovative ideas into how cybersecurity is conceived and researched in the future. The committee will solicit input from the broad research community, possibly through a workshop, to discuss creative and innovative approaches to cybersecurity.
The committee's report will be made publicly available in both a regular book length and a shorter version, both in print and on the World Wide Web. Briefings will be made to government leaders and members of the information technology research communities, as well as to members of interested industry and application domain groups.
Seymour (Sy) E. Goodman, Chair
Professor of International Affairs and Computing
Sam Nunn School of International Affairs
College of Computing
Georgia Institute of Technology
Fred B. Schneider, CSTB Liaison
Professor, Department of Computer Science
Director, Information Assurance Institute
Security Architect and Chief Technology Officer
Microsoft Corporation, Security Business Unit
Steven M. Bellovin
Professor, Computer Science Department
Joel S. Birnbaum
Dean, College of Engineering and Architecture
Distinguished Professor of Electric Power Engineering
Washington State University
Senior Consulting Engineer
Cisco Systems, Inc.
Fellow for Information Operations Studies
Sandia National Laboratories
Distinguished Service Professor of Economics and Technology
H. John Heinz III School of Public Policy and Management
Carnegie Mellon University
Herbert S. Lin, Study Director and Senior Scientist
Ted Schmitt, Consultant
Janice Sabuda, Senior Program Assistant
National Institute of Standards and Technology (NIST)
Defense Advanced Research Projects Agency (DARPA)
National Science Foundation
National Academy of Engineering
Ruby B. Lee
Forrest G. Harrick Professor of Engineering
Professor of Electrical Engineering
Fernando (Fred) Luiz
Division General Manager (retired)
Teresa F. Lunt
Principal Scientist and Area Manager, Security Group
Area Manager, Theory Group
Peter G. Neumann
Assistant Professor of Computer Science and Engineering
University of California, San Diego
William L. Scherlis
Professor of Computer Science
Carnegie Mellon University
Alfred Z. Spector
Vice President for Electronic Security and Technology
Director of Distributed Systems Research