A Roadmap for Cybersecurity Research

Full Title of Reference

A Roadmap for Cybersecurity Research

Full Citation

Department of Homeland Security, A Roadmap for Cybersecurity Research (2009). Web

BibTeX

Categorization

• Overview: Government Reports and Documents

• Threats and Actors: Private Critical Infrastructure; Public Critical Infrastructure; States; Terrorists

• Issues: Attribution; Metrics; Privacy; Public-Private Cooperation

• Approaches: Government Organizations

Key Words

Botnet, Civilian Participation, Computer Network Attack, COTS Software, Cyber Crime, Cyber Security as a Public Good, Cyber Terrorism, Department of Homeland Security, Honeypot, Interdependencies, Malware, National Security, Outreach and Collaboration, Privacy Law

Synopsis

This cybersecurity research roadmap is an attempt to begin to define a national R&D agenda that is required to enable us to get ahead of our adversaries and produce the technologies that will protect our information systems and networks into the future. The research, development, test, evaluation, and other life cycle considerations required are far reaching—from technologies that secure individuals and their information to technologies that will ensure that our critical infrastructures are much more resilient. The R&D investments recommended in this roadmap must tackle the vulnerabilities of today and envision those of the future.

The intent of this document is to provide detailed research and development agendas for the future relating to 11 hard problem areas in cybersecurity, for use by agencies of the U.S. Government and other potential R&D funding sources. The 11 hard problems are:

1. Scalable trustworthy systems (including system architectures and requisite development methodology)

Growing interconnectedness among existing systems results, in effect, in new composite systems at increasingly large scales. Existing hardware, operating system, networking, and application architectures do not adequately account for combined requirements for security, performance, and usability—confounding attempts to build trustworthy systems on them. As a result, today the security of a system of systems may be drastically less than that of most of its components.

The primary focus of this topic area is scalability that preserves and enhances trustworthiness in real systems. The perceived order of importance for research and development in this topic area is as follows: (1) trustworthiness, (2) composability, and (3) scalability. Thus, the challenge addressed here is threefold: (a) to provide a sound basis for composability that can scale to the development of large and complex trustworthy systems; (b) to stimulate the development of the components, analysis tools, and testbeds required for that effort; and (c) to ensure that trustworthiness evaluations themselves can be composed.

This topic area interacts strongly with enterprise-level metrics (Section 2) and evaluation methodology (Section 3) to provide assurance of trustworthiness.

2. Enterprise-level metrics (ELMs)

Defining effective metrics for information security (and for trustworthiness more generally) has proven very difficult, even though there is general agreement that such metrics could allow measurement of progress in security measures and at least rough comparisons between systems for security. Metrics underlie and quantify progress in all other roadmap topic areas. We cannot manage what we cannot measure, as the saying goes. However, general community agreement on meaningful metrics has been hard to achieve, partly because of the rapid evolution of information technology (IT), as well as the shifting locus of adversarial action.

Lack of effective ELMs leaves one in the dark about cyberthreats in general. With respect to enterprises as a whole, cybersecurity has been without meaningful measurements and metrics throughout the history of information technology. (Some success has been achieved with specific attributes at the component level.) This lack seriously impedes the ability to make enterprise-wide informed decisions of how to effectively avoid or control innumerable known and unknown threats and risks at every stage of development and operation.

3. System evaluation life cycle (including approaches for sufficient assurance)

4. Combatting insider threats

5. Combatting malware and botnets

6. Global-scale identity management

7. Survivability of time-critical systems

8. Situational understanding and attack attribution

9. Provenance (relating to information, systems, and hardware)

10. Privacy-aware security

11. Usable security

For each of these hard problems, the roadmap identifies critical needs, gaps in research, and research agenda appropriate for near, medium, and long term attention.

Additional Notes and Highlights

Expertise Required: Technology - Low