Cyber Security Research and Development Agenda
Full Title of Reference
Cyber Security Research and Development Agenda
Institute for Information Infrastructure Protection, Cyber Security Research and Development Agenda (2003). Web
- Resource by Type: Independent Reports
- Issues: Attribution; Metrics; Risk Management and Investment
- Approaches: Regulation/Liability
The Institute for Information Infrastructure Protection (I3P) is a consortium of twenty three academic and not-for-profit research organizations focused on cyber security and information infrastructure protection research and development (R&D). Its mission is to help protect the information infrastructure of the United States by developing a comprehensive, prioritized R&D Agenda for cyber security and promoting collaboration and information sharing among academia, industry, and government.
The information infrastructure consists of technologies and capabilities for gathering, handling, and sharing information that are accessible to, or commonly depended upon by, multiple organizations, whether within a single enterprise, a critical infrastructure sector such as banking and finance, the U.S. Government, the nation as a whole, or transnationally. The Internet is perhaps the most obvious element of the information infrastructure; other easily recognized components include such widely used products as desktop operating systems and routers, the devices that handle message transfers between computers. The development of this infrastructure over the past two decades has been swift and has permanently changed the way the nation conducts business, operates its governmental structures and armed forces, keeps its people healthy and safe, and spends its leisure time
This document constitutes the initial Cyber Security R&D Agenda. This initial Agenda identifies R&D topics of significant value to the security of the information infrastructure that are either not funded or under-funded by the collection of private sector and government-sponsored research activities in the United States. The Agenda is based on information gathered and analyzed during the 2002 calendar year and reflects the input of experts in industry, government, and academia. The Agenda, together with that supporting information, is intended to aid researchers in identifying problems and R&D program managers in defining program directions.
Areas in which new or additional research is needed include:
Enterprise Security Management
Each piece of the information infrastructure may be owned by individuals or enterprises, but we are all interconnected. Therefore, the enterprise security management (ESM) challenge is to integrate diverse security mechanisms into a coherent capability for managing access to and use of enterprise resources, monitoring behavior on enterprise systems, and detecting and responding to suspicious or unacceptable behavior. While the marketplace offers product suites under the rubric of ESM, the problem area is broader than the fragmented capabilities provided by existing products. Research needs remain in the areas of enterprise policy definition and management, definition and maintenance of a targeted risk posture, and definition of, and protection at, security boundaries. IT based collaboration with partner organizations, and increased services to home users make these boundaries more complex and extend the definition of “insiders.” Further research is needed to address the insider threat.
Trust Among Distributed Autonomous Parties
In cyberspace, entities -- individuals, organizations, software, and devices -- need to establish relationships dynamically and without recourse to a central authority or previously determined trusted third party. Existing research, particularly in terms of the techniques entities use to establish trust in the security of other entities, is expected to address many of the needs articulated by enterprise users. However, solutions are needed that address the autonomy, scale, complexity, and dynamism of critical infrastructures. Research needs exist for trust models for autonomous entities that are geographically or organizationally distributed, definition and management of dynamic security relationships in peer-to-peer settings, techniques for developing trust relationships between systems and enduser devices such as cell phones or laptops, and approaches to establish trust in data.
Discovery and Analysis of Security Properties and Vulnerabilities
The information infrastructure has a large number and variety of components, in different forms: hardware, firmware, software, communications media, storage media, and information. Frequently, the properties of these components are poorly understood, due to undocumented functionality, flaws in their design or implementation, or unanticipated uses. Products and systems commonly include vulnerabilities and inadequately understood security properties. Moreover, the security properties of a system or subsystem cannot be derived or deduced from those of its components, and emergent properties of large-scale systems are difficult to describe, much less predict. Considerable effort has been applied to the problem of ensuring the presence of desired security properties and preventing (or determining the presence of) vulnerabilities. The need is acute for ways to determine, throughout a product or system’s life cycle (development, integration, update and maintenance, decommissioning, or replacement of components), whether exploitable defects have been introduced or unanticipated security properties have emerged or escalated. Research is needed into techniques, embodied in tools to ensure their utility, to analyze code, devices, and systems in dynamic and large-scale environments.
Secure System and Network Response and Recovery
The proliferation of numbers and types of computing devices has resulted in the increasing size and complexity of the information infrastructure. Response to and recovery from attacks against such multifaceted systems are hindered by this inherent complexity. As a result, response across a set of organizations is often uneven and difficult to coordinate, and reconstitution to a secure state can be difficult. The potential for survivability from attacks and in making intrusion detection systems more proactive has driven research into secure response and recovery. Current research, however, does not adequately address the issues of scale, coordination across different administrative and policy domains, or coordination across the highly diverse systems that are the hallmarks of information infrastructure protection. Research needs remain in the areas of prediction or pre-incident detection, as well as recovery and reconstitution for systems of systems.
Traceback, Identification, and Forensics
During and after an attack, responding organizations must have prompt and reliable information to determine and implement an appropriate response. Current capabilities are oriented toward enabling the enterprise to detect and respond internally to suspected attacks. Research is needed into capabilities that enable responders to trace back, or identify the source location of the attack; to identify the individual, group, or organization originating the attack; and to determine the actual nature of the attack. Companion research is needed to address the legal and policy implications of such capabilities.
Wireless technologies are increasingly crucial to enterprise systems and across critical infrastructure sectors. Wireless networks include not only wireless telecommunications per se, but an increasingly diverse set of end devices, such as sensors, process controllers, and information appliances for home and business users; in some cases, end devices may also provide wireless telecommunications services. In principle, many of the security concerns for wireless networks mirror those for the wired world; in practice, solutions developed for wired networks may not be viable in wireless environments. Private sector concern, and thus investment, focuses on proprietary or enterprise solutions. Research is needed to make security a fundamental component of wireless networks, develop the basic science of wireless security, develop security solutions that can be integrated into the wireless device itself, investigate the security implications of existing wireless protocols, integrate security mechanisms across all protocol layers, and integrate wireless security into larger systems and networks. In particular, research is needed into security situation awareness techniques for wireless networks and strategies to address distributed denial-of-service attacks.
Metrics and Models
Individuals, organizations, and critical infrastructure sectors bear the risks of relying on the information infrastructure. For organizations to manage cyber security risks—to accept a given level of risk, transfer or externalize risk, or apply resources to decrease the level of risk to an appropriate balance—decision makers need a clear and defensible basis for making investment decisions that can be related to organizational missions and strategies. That basis should be founded on rigorous and generally accepted models and metrics for cyber security. Research is needed to provide a foundation of data about the current investment and risk levels. Research is also needed to define metrics that express the costs, benefits, and impacts of security controls from multiple perspectives -- economic, organizational, technical, and risk -- so that the dynamics at work in making security decisions can be better understood. Finally, research is needed into techniques for modeling the security-related behavior of the information infrastructure and predicting consequences of risk management choices.
Law, Policy, and Economic Issues
Decisions that affect the security posture of the information infrastructure are made in a poorly understood context of economic factors, laws, regulations, and government policy. Research is needed to determine the actual magnitude of the cyber security problem and enable a better understanding of the relationships between the forces that shape information infrastructure protection (i.e., research into the structure of the market, and to determine how changes in laws, policy, and economic conditions, as well as technology, affect one another). For any emerging technology, companion research is needed into the legal, policy, and economic implications as well as the cyber security implications of the technology and its possible uses. Research is needed to describe the structure and dynamics of the cyber security marketplace, as well as the impacts of various interventions—changes in enterprise purchasing patterns, cyber security laws, regulations, government acquisition practices, policies, auditing practices, insurance and other factors—on cyber security in general, and on the development, deployment, and use of cyber security technology in particular. Research is also needed into the implications of implementing alternative strategies for allocating responsibility for security in cyberspace, and into tradeoffs among stakeholder concerns. In particular, there is a need for research into the role of standards and best practices in improving the security posture of the information infrastructure, the policy and legal considerations associated with collecting and retaining data about the information infrastructure and its uses, and the implications of potential changes to laws or policies that would be intended to enable direct responses to attacks.
Additional Notes and Highlights
Expertise Required: Technology - Low/None