Federal Plan for Cyber Security and Information Assurance Research and Development: Difference between revisions
| (15 intermediate revisions by 2 users not shown) | |||
| Line 4: | Line 4: | ||
==Full Citation== | ==Full Citation== | ||
Nat'l Sci. and Tech. Council, ''Federal Plan for Cyber Security and Information Assurance Research and Development'' (2006) | Nat'l Sci. and Tech. Council, ''Federal Plan for Cyber Security and Information Assurance Research and Development'' (2006). Online Paper. [http://www.cyber.st.dhs.gov/docs/Federal%20R&D%20Plan%202006.pdf ''Web''] | ||
[http://www.nitrd.gov/pubs/csia/csia_federal_plan.pdf ''AltWeb''] | |||
[http://cyber.law.harvard.edu/cybersecurity/Special:Bibliography?f=wikibiblio.bib&title=Special:Bibliography&view=detailed&action=&keyword=NSTC:2006 ''BibTeX''] | [http://cyber.law.harvard.edu/cybersecurity/Special:Bibliography?f=wikibiblio.bib&title=Special:Bibliography&view=detailed&action=&keyword=NSTC:2006 ''BibTeX''] | ||
| Line 11: | Line 12: | ||
==Categorization== | ==Categorization== | ||
* Resource by Type: [[US Government Reports and Documents]] | * Resource by Type: [[US Government Reports and Documents]] | ||
* Issues: [[Attribution]]; [[Metrics]]; [[Public-Private Cooperation]] | |||
* Approaches: [[Technology]] | |||
==Key Words== | ==Key Words== | ||
[[Keyword_Index_and_Glossary_of_Core_Ideas#Research_&_Development | Research & Development]] | [[Keyword_Index_and_Glossary_of_Core_Ideas#Computer_Network_Attack | Computer Network Attack]], | ||
[[Keyword_Index_and_Glossary_of_Core_Ideas#Hacker | Hacker]], | |||
[[Keyword_Index_and_Glossary_of_Core_Ideas#Information_Asymmetries | Information Asymmetries]], | |||
[[Keyword_Index_and_Glossary_of_Core_Ideas#Malware | Malware]], | |||
[[Keyword_Index_and_Glossary_of_Core_Ideas#Organized_Crime | Organized Crime]], | |||
[[Keyword_Index_and_Glossary_of_Core_Ideas#Red Team| Red Team]], | |||
[[Keyword_Index_and_Glossary_of_Core_Ideas#Research_&_Development | Research & Development]], | |||
[[Keyword_Index_and_Glossary_of_Core_Ideas#SCADA_Systems | SCADA Systems]], | |||
==Synopsis== | ==Synopsis== | ||
Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces the real risk that adversaries will exploit vulnerabilities in the nation's critical information systems, thereby causing considerable suffering and damage. Online e-commerce business, government agency files, and identity records are all potential security targets."Toward a Safer and More Secure Cyberspace" examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks. It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda. This book will be an invaluable resource for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety. | Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces the real risk that adversaries will exploit vulnerabilities in the nation's critical information systems, thereby causing considerable suffering and damage. Online e-commerce business, government agency files, and identity records are all potential security targets. "Toward a Safer and More Secure Cyberspace" examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks. It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda. This book will be an invaluable resource for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety. | ||
'''Executive Summary''' | |||
The IT infrastructure supports critical U.S. | |||
infrastructures such as power grids, emergency | |||
communications systems, financial systems, and airtraffic- | |||
control networks. While the vast majority of | |||
these critical infrastructures (including their IT | |||
components) are owned and operated by the | |||
private sector, ensuring their operational stability | |||
and security is vital to U.S. national, homeland, | |||
and economic security interests. | |||
Cyber threats are asymmetric, surreptitious, and | |||
constantly evolving – a single individual or a small | |||
group anywhere in the world can inexpensively and | |||
secretly attempt to penetrate systems containing | |||
vital information or mount damaging attacks on | |||
critical infrastructures. Attack tools and resources | |||
are readily available on the Internet and new | |||
vulnerabilities are continually discovered and | |||
exploited. Moreover, the pervasive interconnectivity | |||
of the IT infrastructure makes cyber attack an | |||
increasingly attractive prospect for adversaries that | |||
include terrorists as well as malicious hackers and | |||
criminals. | |||
===Strategic Federal R&D Objectives=== | |||
The following strategic Federal objectives for | |||
cyber security and information assurance R&D are | |||
derived from a review of current legislative and | |||
regulatory policy requirements, analyses of cyber | |||
security threats and infrastructure vulnerabilities, | |||
and agency mission requirements: | |||
# Support research, development, testing, and evaluation of cyber security and information assurance technologies aimed at preventing, protecting against, detecting, responding to, and recovering from cyber attacks that may have large scale consequences. | |||
# Address cyber security and information assurance R&D needs that are unique to critical infrastructures. | |||
# Develop and accelerate the deployment of new communication protocols that better assure the security of information transmitted over networks. | |||
# Support the establishment of experimental environments such as testbeds that allow government, academic, and industry researchers to conduct a broad range of cyber security and information assurance development and assessment activities. | |||
# Provide a foundation for the long-term goal of economically informed, risk-based cyber security and information assurance decision making. | |||
# Provide novel and next-generation secure IT concepts and architectures through long-term research. | |||
# Facilitate technology transition and diffusion of Federally funded R&D results into commercial products and services and private-sector use. | |||
===Findings and Recommendations=== | |||
Strategic interagency R&D is needed to | |||
strengthen the cyber security and information | |||
assurance of the Nation’s IT infrastructure. | |||
Planning and conducting such R&D will require | |||
concerted Federal activities on several fronts as well | |||
as collaboration with the private sector. The | |||
specifics of the strategy proposed in this Plan are | |||
articulated in a set of findings and | |||
recommendations. Presented in greater detail in the | |||
report, these findings and recommendations are | |||
summarized as follows: | |||
====Target Federal R&D investments to strategic cyber security and information assurance needs==== | |||
Federal cyber security and information assurance | |||
R&D managers should reassess the Nation’s | |||
strategic and longer-term cyber security and | |||
information assurance needs to ensure that Federal | |||
R&D addresses those needs and complements areas | |||
in which the private sector is productively engaged. | |||
====Focus on threats with the greatest potential impact==== | |||
Federal agencies should focus cyber security and | |||
information assurance R&D investments on high impact | |||
threats as well as on investigation of | |||
innovative approaches to increasing the overall | |||
security and information assurance of IT systems. | |||
====Make cyber security and information assurance R&D both an individual agency and an interagency budget priority==== | |||
Agencies should consider cyber security and | |||
information assurance R&D policy guidance as | |||
they address their mission-related R&D | |||
requirements. To achieve the greatest possible | |||
benefit from investments throughout the Federal | |||
government, cyber security and information | |||
assurance R&D should have high priority for | |||
individual agencies | |||
====Support sustained interagency coordination and collaboration on cyber security and information assurance R&D==== | |||
Sustained coordination and collaboration among | |||
agencies will be required to accomplish the goals | |||
identified in this Plan. Agencies should participate | |||
in interagency R&D coordination and | |||
collaboration on an ongoing basis. | |||
====Build security in from the beginning==== | |||
The Federal cyber security and information | |||
assurance R&D portfolio should support | |||
fundamental R&D exploring inherently more | |||
secure next-generation technologies that will replace | |||
today’s patching of the current insecure | |||
infrastructure. | |||
====Assess security implications of emerging information technologies==== | |||
The Federal government should assess the | |||
security implications and the potential impact of | |||
R&D results in new information technologies as | |||
they emerge in such fields as optical computing, | |||
quantum computing, and pervasively embedded | |||
computing. | |||
====Develop a roadmap for Federal cyber security and information assurance R&D==== | |||
Agencies should use this Plan’s technical | |||
priorities and investment analyses to work with the | |||
private sector to develop a roadmap of cyber | |||
security and information assurance R&D priorities. | |||
This effort should emphasize coordinated agency | |||
activities that address technical and investment gaps | |||
and should accelerate development of strategic | |||
capabilities. | |||
====Develop and apply new metrics to assess cyber security and information assurance==== | |||
As part of roadmapping, Federal agencies should | |||
develop and implement a multi-agency plan to | |||
support the R&D for a new generation of methods | |||
and technologies for cost-effectively measuring IT | |||
component, network, and system security. These | |||
methods should evolve with time. | |||
====Institute more effective coordination with the private sector==== | |||
The Federal government should review privatesector | |||
cyber security and information assurance | |||
practices and countermeasures to help identify | |||
capability gaps in existing technologies, and should | |||
engage the private sector in efforts to better | |||
understand each other’s views on cyber security and | |||
information assurance R&D needs, priorities, and | |||
investments. Federal agencies supporting cyber | |||
security and information assurance R&D should | |||
improve communication and coordination with | |||
operators of both Federal and private-sector critical | |||
infrastructures with shared interests. Information | |||
exchange and outreach activities that accelerate | |||
technology transition should be integral parts of | |||
Federal cyber security and information assurance | |||
R&D activities. | |||
====Strengthen R&D partnerships, including those with international partners==== | |||
The Federal government should foster a broad | |||
partnership of government, the IT industry, | |||
researchers, and private-sector users to develop, test, | |||
and deploy a more secure next-generation Internet. | |||
The Federal government should initiate this | |||
partnership by holding a national workshop to | |||
solicit views and guidance on cyber security and | |||
information assurance R&D needs from | |||
stakeholders outside of the Federal research | |||
community. In addition, impediments to | |||
collaborative international R&D should be | |||
identified and addressed in order to facilitate joint | |||
activities that support the common interests of the | |||
United States and international partners. | |||
==Additional Notes and Highlights== | ==Additional Notes and Highlights== | ||
Expertise Required: Technology - Low | |||
Latest revision as of 11:29, 9 September 2010
Full Title of Reference
Federal Plan for Cyber Security and Information Assurance Research and Development
Full Citation
Nat'l Sci. and Tech. Council, Federal Plan for Cyber Security and Information Assurance Research and Development (2006). Online Paper. Web AltWeb
Categorization
- Resource by Type: US Government Reports and Documents
- Issues: Attribution; Metrics; Public-Private Cooperation
- Approaches: Technology
Key Words
Computer Network Attack, Hacker, Information Asymmetries, Malware, Organized Crime, Red Team, Research & Development, SCADA Systems,
Synopsis
Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces the real risk that adversaries will exploit vulnerabilities in the nation's critical information systems, thereby causing considerable suffering and damage. Online e-commerce business, government agency files, and identity records are all potential security targets. "Toward a Safer and More Secure Cyberspace" examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks. It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda. This book will be an invaluable resource for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.
Executive Summary
The IT infrastructure supports critical U.S. infrastructures such as power grids, emergency communications systems, financial systems, and airtraffic- control networks. While the vast majority of these critical infrastructures (including their IT components) are owned and operated by the private sector, ensuring their operational stability and security is vital to U.S. national, homeland, and economic security interests.
Cyber threats are asymmetric, surreptitious, and constantly evolving – a single individual or a small group anywhere in the world can inexpensively and secretly attempt to penetrate systems containing vital information or mount damaging attacks on critical infrastructures. Attack tools and resources are readily available on the Internet and new vulnerabilities are continually discovered and exploited. Moreover, the pervasive interconnectivity of the IT infrastructure makes cyber attack an increasingly attractive prospect for adversaries that include terrorists as well as malicious hackers and criminals.
Strategic Federal R&D Objectives
The following strategic Federal objectives for cyber security and information assurance R&D are derived from a review of current legislative and regulatory policy requirements, analyses of cyber security threats and infrastructure vulnerabilities, and agency mission requirements:
- Support research, development, testing, and evaluation of cyber security and information assurance technologies aimed at preventing, protecting against, detecting, responding to, and recovering from cyber attacks that may have large scale consequences.
- Address cyber security and information assurance R&D needs that are unique to critical infrastructures.
- Develop and accelerate the deployment of new communication protocols that better assure the security of information transmitted over networks.
- Support the establishment of experimental environments such as testbeds that allow government, academic, and industry researchers to conduct a broad range of cyber security and information assurance development and assessment activities.
- Provide a foundation for the long-term goal of economically informed, risk-based cyber security and information assurance decision making.
- Provide novel and next-generation secure IT concepts and architectures through long-term research.
- Facilitate technology transition and diffusion of Federally funded R&D results into commercial products and services and private-sector use.
Findings and Recommendations
Strategic interagency R&D is needed to strengthen the cyber security and information assurance of the Nation’s IT infrastructure. Planning and conducting such R&D will require concerted Federal activities on several fronts as well as collaboration with the private sector. The specifics of the strategy proposed in this Plan are articulated in a set of findings and recommendations. Presented in greater detail in the report, these findings and recommendations are summarized as follows:
Target Federal R&D investments to strategic cyber security and information assurance needs
Federal cyber security and information assurance R&D managers should reassess the Nation’s strategic and longer-term cyber security and information assurance needs to ensure that Federal R&D addresses those needs and complements areas in which the private sector is productively engaged.
Focus on threats with the greatest potential impact
Federal agencies should focus cyber security and information assurance R&D investments on high impact threats as well as on investigation of innovative approaches to increasing the overall security and information assurance of IT systems.
Make cyber security and information assurance R&D both an individual agency and an interagency budget priority
Agencies should consider cyber security and information assurance R&D policy guidance as they address their mission-related R&D requirements. To achieve the greatest possible benefit from investments throughout the Federal government, cyber security and information assurance R&D should have high priority for individual agencies
Support sustained interagency coordination and collaboration on cyber security and information assurance R&D
Sustained coordination and collaboration among agencies will be required to accomplish the goals identified in this Plan. Agencies should participate in interagency R&D coordination and collaboration on an ongoing basis.
Build security in from the beginning
The Federal cyber security and information assurance R&D portfolio should support fundamental R&D exploring inherently more secure next-generation technologies that will replace today’s patching of the current insecure infrastructure.
Assess security implications of emerging information technologies
The Federal government should assess the security implications and the potential impact of R&D results in new information technologies as they emerge in such fields as optical computing, quantum computing, and pervasively embedded computing.
Develop a roadmap for Federal cyber security and information assurance R&D
Agencies should use this Plan’s technical priorities and investment analyses to work with the private sector to develop a roadmap of cyber security and information assurance R&D priorities. This effort should emphasize coordinated agency activities that address technical and investment gaps and should accelerate development of strategic capabilities.
Develop and apply new metrics to assess cyber security and information assurance
As part of roadmapping, Federal agencies should develop and implement a multi-agency plan to support the R&D for a new generation of methods and technologies for cost-effectively measuring IT component, network, and system security. These methods should evolve with time.
Institute more effective coordination with the private sector
The Federal government should review privatesector cyber security and information assurance practices and countermeasures to help identify capability gaps in existing technologies, and should engage the private sector in efforts to better understand each other’s views on cyber security and information assurance R&D needs, priorities, and investments. Federal agencies supporting cyber security and information assurance R&D should improve communication and coordination with operators of both Federal and private-sector critical infrastructures with shared interests. Information exchange and outreach activities that accelerate technology transition should be integral parts of Federal cyber security and information assurance R&D activities.
Strengthen R&D partnerships, including those with international partners
The Federal government should foster a broad partnership of government, the IT industry, researchers, and private-sector users to develop, test, and deploy a more secure next-generation Internet. The Federal government should initiate this partnership by holding a national workshop to solicit views and guidance on cyber security and information assurance R&D needs from stakeholders outside of the Federal research community. In addition, impediments to collaborative international R&D should be identified and addressed in order to facilitate joint activities that support the common interests of the United States and international partners.
Additional Notes and Highlights
Expertise Required: Technology - Low