Toward a Safer and More Secure Cyberspace: Difference between revisions

From Cybersecurity Wiki

Revision as of 15:25, 9 July 2010

Full Title of Reference

Toward a Safer and More Secure Cyberspace

Full Citation

Nat'l Research Council, Toward a Safer and More Secure Cyberspace (2007). Web

BibTeX

Categorization

Overview: Independent Reports

Key Words

Botnet, DDoS Attack, Research & Development, SCADA Systems, Software Vulnerability, Worm

Synopsis

This report was prepared by the Committee on Improving Cybersecurity Research, established by the National Research Council of the National Academies in response to a congressional request and with the financial support of NSF, DARPA, NIST, DHS, the National Academy of Engineering, and F. Thomas and Bonnie Berger Leighton. The basic premise underlying the committee’s task is that research can produce a better understanding of why cyberspace is as vulnerable as it is and that it can lead to new technologies and policies and their effective implementation to make things better.

Purpose

Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces the real risk that adversaries will exploit vulnerabilities in the nation's critical information systems, thereby causing considerable suffering and damage. Online e-commerce business, government agency files, and identity records are all potential security targets. "Toward a Safer and More Secure Cyberspace" examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks. It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda. The target audience of this work is Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.

A Cyberspace Bill of Rights

The committee addressed the question: What would a safer and more secure cyberspace look like? In response, the committee has formulated a Cyberspace Bill of Rights (CBoR). It consists of 10 basic provisions that the committee believes users should have as reasonable expectations for their online safety and security. The CBoR articulated in this report is distinctly user-centric, enabling individuals to draw for themselves the contrast between that vision and their own personal cyberspace experiences.

The first three provisions relate to properties of holistic systems, including availability, recoverability, and control of systems:

  • I. Availability of system and network resources to legitimate users.
    Users of information technology systems (from individuals to groups to society, and including programs and applications) should be able to use the computational resources to which they are entitled and systems that depend on those resources. Attacks intended to deny, seriously degrade, or reduce the timeliness of information technology-based services should not succeed.
  • II. Easy and convenient recovery from successful attacks.
    Because cybersecurity measures will sometimes fail, recovery from a security compromise will be necessary from time to time. When necessary, such recovery should be easy and convenient for individual users, systems administrators, and other operators. Recovery is also an essential element of survivability and fault tolerance. Recovery should be construed broadly to include issues related to long-term availability in the face of “bit rot” and incompatible upgrades.
  • III. Control over and knowledge of one’s own computing environment.

The next three provisions relate to the traditional security properties of confidentiality, authentication (and its extension, provenance), and authorization:

  • IV. Confidentiality of stored information and information exchange.
  • V. Authentication and provenance.
  • VI. The technological capability to exercise fine-grained control over the flow of information in and through

The next three provisions relate to crosscutting properties of systems:

  • VII. Security in using computing directly or indirectly in important applications, including financial, health care, and electoral transactions and real-time remote control of devices that interact with physical processes.
  • VIII. The ability to access any source of information (e.g., e-mail, Web page, file) safely.
  • IX. Awareness of what security is actually being delivered by a system or component.

The last provision relates to justice:

  • X. Justice for security problems caused by another party.

Roadblocks to Providing a CBoR

However, providing these "rights" to users will be difficult. Even assuming that everything known about cybersecurity technologies and practices today was immediately put into practice, the resulting cybersecurity posture — though it would be stronger and more resilient than it is now — would still be inadequate against today’s threat, let alone tomorrow’s. Research is needed both to develop new knowledge and to make such knowledge more usable and transferable to the field. Furthermore, cybersecurity will be a continuing issue: threats evolve (both on their own and as defenses against them are discovered), and new vulnerabilities often emerge as innovation changes underlying system architectures, implementation, or basic assumptions.

Proposed Research Agenda

The recommended research agenda to make progress toward the vision embedded in the Cybersecurity Bill of Rights has six broad areas of focus:

  1. Blocking and limiting the impact of compromise. This category includes secure information systems and networks that resist technical compromise; convenient and ubiquitous encryption that can prevent unauthorized parties from obtaining sensitive or confidential data; containment, backup, mitigation, and recovery; and system lockdowns under attack. One illustrative example of research in this category is secure design, development, and testing. Research is needed that will facilitate the design of systems that are “secure by design.” Research is also needed for security evaluation, for good implementation practices and tools that reduce the likelihood of program flaws (bugs) and make it easier for developers to implement secure systems, and for improved testing and evaluation for functionality that has not been included in the specification of a system’s requirements and that may result in security vulnerabilities.

  2. Enabling accountability. This category includes matters such as remote authentication, access control and policy management, auditing and traceability, maintenance of provenance, secure associations between system components, intrusion detection, and so on. In general, the objective is to hold anyone or anything that has access to a system component—a computing device, a sensor, an actuator, a network—accountable for the results of such access. One illustrative example of research in this category is attribution. Anonymous attackers cannot be held responsible for their actions and do not suffer any consequences for the harmful actions that they may initiate. But many computer operations are inherently anonymous, which means that associating actors with actions must be done explicitly. Attribution technology enables such associations to be easily ascertained, captured, and preserved. At the same time, attribution mechanisms do not solve the important problem of the unwittingly compromised or duped user, although these mechanisms may be necessary in conducting forensic investigations that lead to such a user.

  3. Promoting deployment. This category is focused on ensuring that the technologies and procedures in Categories 1 and 2 are actually used to promote and enhance security. Category 3 includes technologies that facilitate ease of use by both end users and system implementers, incentives that promote the use of security technologies in the relevant contexts, and the removal of barriers that impede the use of security technologies. One illustrative example of research in this category is usable security. Security functionality is often turned off, disabled, bypassed, and not deployed because it is too complex for individuals and enterprise organizations to manage effectively or to use conveniently. Thus, an effort to develop more usable security mechanisms and approaches would have substantial payoff. Usable security has social and organizational dimensions as well as technological and psychological ones.

  4. Deterring would-be attackers and penalizing attackers. This category includes legal and policy measures that could be employed to penalize or impose consequences on cyberattackers, and technologies that support such measures. In principle, this category could also include technical measures to retaliate against a cyberattacker. One illustrative example of research in this category would facilitate the prosecution of cybercriminals across international borders. Many cybercrime perpetrators are outside of U.S. jurisdiction, and the applicable laws may not criminalize the particulars of the crime perpetrated. Even if they do, logistical difficulties in identifying a perpetrator across national boundaries may render him or her practically immune to prosecution. Research is needed to further harmonize laws across many national boundaries to enable international prosecutions and to reduce the logistical difficulties involved in such activities.

  5. Illustrative crosscutting problem-focused research areas. This category focuses elements of research in Categories 1 through 4 onto specific important problems in cybersecurity. These include security for legacy systems, the role of secrecy in cyberdefense, coping with the insider threat, and security for new computing environments and in application domains.

  6. Speculative research. This category focuses on admittedly speculative approaches to cybersecurity that are unorthodox, “out-of-the-box,” and also that arguably have some potential for revolutionary and nonincremental gains in cybersecurity. The areas described in this report are merely illustrative of such ideas—of primary importance is the idea that speculative ideas are worth some investment in any broad research portfolio.

Priorities for Immediate Action

Finally, the report outlines its recommended priorities for immediate action:

  • Create a sense of urgency about the cybersecurity problem. One element will be to provide as much information as possible about the scope and nature of the threat. A second element will be to change the decision-making calculus that excessively focuses vendor and end-user attention on the short-term costs of improving their cybersecurity postures.

  • Commensurate with a rapidly growing cybersecurity threat, support a broad, robust, and sustained research agenda at levels which ensure that a large fraction of good ideas for cybersecurity research can be explored. Discretionary budgets for the foreseeable future will be very tight, but even in such times, program growth is possible if the political will is present to designate these directions as priorities. Both the scope and scale of federally funded cybersecurity research are seriously inadequate. To execute fully the broad strategy articulated in this report, a substantial increase in federal budgetary resources devoted to cybersecurity research will be needed. Nor should cybersecurity research remain in the computer science domain alone, and additional funding might well be used to support the pursuit of cybersecurity considerations in other closely related research endeavors, such as those related to creating high-assurance systems and the engineering of secure systems and software across entire system life cycles.

  • Establish a mechanism for continuing follow-up on a research agenda. Today, the scope and nature of cybersecurity research across the federal government are not well understood, least of all by government decision makers. An important first step would be for the government to build on the efforts of the National Coordination Office for Networking and Information Technology Research and Development to develop a reasonably complete picture of the cybersecurity research efforts that the government supports from year to year. To the best of the committee’s knowledge, no such coordinated picture exists.

  • Support research infrastructure. Making progress on any cybersecurity research agenda requires substantial attention to infrastructural issues. In this context, a cybersecurity research infrastructure refers to the collection of open testbeds, tools, data sets, and other things that enable research to progress and which allow research results to be implemented in actual IT products and services. Without an adequate research infrastructure, there is little hope for realizing the full potential of any research agenda.

  • Sustain and grow the human resource base. When new ideas are needed, human capital is particularly important. For the pool of cybersecurity researchers to expand to a sufficiently large level, would-be researchers must believe that there is a future to working in this field, a point suggesting the importance of adequate and stable research support for the field. Increasing the number of researchers in a field necessarily entails increased support for that field, since no amount of prioritization within a fixed budget will result in significantly more researchers. In addition, potential graduate students see stable or growing levels of funding as a signal about the importance of the field and the potential for professional advancement.

Additional Notes and Highlights

Expertise Required: None