Part II
An Illustrative Research Agenda
Part II presents one illustrative research agenda that might be constructed to further the goals described in Part I. The first four categories of the agenda (Chapters 4 through 7) constitute what might be regarded as primary areas of programmatic focus. The fifth category (Chapter 8) is a broad, crosscutting category that draws on parts of the first four categories but focuses on bringing them together in the context of specific cybersecurity problems. The sixth category (Chapter 9) contains what might be regarded as speculative ideas that are worth some effort to investigate. Table II.1 maps the topics described in this research agenda to the provisions of the Cybersecurity Bill of Rights described in Chapter 3.
The areas of programmatic focus were selected on the basis of their high importance. (Here, “importance” is characterized by the enormous benefits that would flow from progress in those domains.) Fruitful results in these areas would significantly increase the security of the technology base on which information technology (IT) applications are built and increase the likelihood of incorporating those results into these applications. Such incorporation, on a large scale, would in turn significantly improve the nation’s cybersecurity posture.
At the same time, the research described within each area of programmatic focus is fairly broad. This breadth is based on the committee’s belief that excessive priority setting in the cybersecurity research field runs significant risks of leaving the nation unprepared for a rapidly changing cybersecurity environment. The committee cautions policy makers strongly against neglecting potentially important topics in their quest to prioritize research. Moreover, because there will always be incentives and opportunities to attack IT-based systems in the future, it would be a profound mistake to believe that the committee’s specific research agenda—or any other one that any other group might create—can “solve the problem” of cybersecurity once and for all. The committee emphasizes that the specific topics covered in Part II constitute representative examples of possible research within the four areas of programmatic focus and not specific priorities within those areas.
TABLE II.1 Mapping Research Topics to the 10 Provisions of the Committee’s Cybersecurity Bill of Rights
| Research Topics^a | I Availability | II Recovery | III Control | IV Confidentiality |
| --- | --- | --- | --- | --- |
| Category 1—Blocking and Limiting the Impact of Compromise | | | | |
| 4.1-Secure design, development, and testing | X | X | X | X |
| 4.2-Graceful degradation and recovery | X | X | X | |
| 4.3-Software and systems assurance | X | | X | X |
| Category 2—Enabling Accountability | | | | |
| 5.1-Attribution | | | | X |
| 5.2-Misuse and anomaly detection systems | X | X | | |
| 5.3-Digital rights management | | | | X |
| Category 3—Promoting Deployment | | | | |
| 6.1-Usable security | | | | X |
| 6.2-Exploitation of previous work | X | X | X | X |
| 6.3-Cybersecurity metrics | | | X | |
| 6.4-The economics of cybersecurity | X | X | X | X |
| 6.5-Security policies | X | | X | X |
| Category 4—Deterring Would-Be Attackers and Penalizing Attackers | | | | |
| 7.1-Legal issues related to cybersecurity | X | X | X | X |
| 7.2-Honeypots | | | X | |
| 7.3-Forensics | | | X | |
| Category 5—Illustrative Crosscutting Problem-Focused Research Areas | | | | |
| 8.1-Security for legacy systems | X | X | X | X |
| 8.2-The role of secrecy in cyberdefense | X | X | X | X |
| 8.3-Insider threats | | | X | |
| 8.4-Security in nontraditional computing environments and in the context of use | X | X | X | X |
| 8.5-Secure network architectures | X | | X | X |
| 8.6-Attack characterization | X | | X | |
| 8.7-Coping with denial-of-service attacks | X | X | | |
| 8.8-Dealing with spam | | | X | |
| Category 6—Speculative Research | | | | |
| 9.1-A cyberattack research activity | X | X | X | X |
| 9.2-Biological approaches to security | X | X | X | X |
| 9.3-Using attack techniques for defensive purposes | X | X | X | X |
| 9.4-Cyber-retaliation | X | X | X | X |
NOTE: Some imprecision in this mapping is freely acknowledged, in the sense that a number of the specific mappings mentioned are the result of judgment calls that might be different if a different set of individuals were to make those judgments. As presented in Chapter 3 of this report, the 10 provisions of the Cybersecurity Bill of Rights are as follows:
I. Availability of system and network resources to legitimate users.
II. Easy and convenient recovery from successful attacks.
III. Control over and knowledge of one’s own computing environment.
IV. Confidentiality of stored information and information exchange.
V. Authentication and provenance.
VI. The technological capability to exercise fine-grained control over the flow of information in and through systems.
| V Authentication | VI Flow Control | VII Application | VIII Access | IX Awareness | X Justice |
X |
X |
X |
X |
X |
|
X |
X |
X |
X |
X |
|
X |
|
X |
|
|
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
|
|
|
X |
|
X |
X |
|
|
X |
X |
|
|
|
|
X |
X |
|
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
|
X |
X |
X |
X |
X |
|
X |
X |
X |
X |
X |
X |
VII. Security in using computing directly or indirectly in important applications, including financial, health care, and electoral transactions, and real-time remote control of devices that interact with physical processes.
VIII. The ability to access any source of information (e.g., e-mail, Web page, file) safely.
IX. Awareness of what security is actually being delivered by a system or component.
X. Justice for security problems caused by another party.
^a The numbering of each research topic corresponds with the numbering of the section on that topic in Chapter 4 through Chapter 9.