Toward a Safer and More Secure Cyberspace
Full Title of Reference
Toward a Safer and More Secure Cyberspace
Full Citation
Nat'l Research Council, Toward a Safer and More Secure Cyberspace (2007). Web
Categorization
Overview: Independent Reports
Key Words
Synopsis
This report was prepared by the Committee on Improving Cybersecurity Research, established by the National Research Council of the National Academies in response to a congressional request and with the financial support of NSF, DARPA, NIST, DHS, the National Academy of Engineering, and F. Thomas and Bonnie Berger Leighton. The basic premise underlying the committee’s task is that research can produce a better understanding of why cyberspace is as vulnerable as it is and that it can lead to new technologies and policies and their effective implementation to make things better.
Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces the real risk that adversaries will exploit vulnerabilities in the nation's critical information systems, thereby causing considerable suffering and damage. Online e-commerce business, government agency files, and identity records are all potential security targets. "Toward a Safer and More Secure Cyberspace" examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks. It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda. The target audience of this work is Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.
The committee addressed the question: What would a safer and more secure cyberspace look like? In response, the committee has formulated a Cyberspace Bill of Rights (CBoR). It consists of 10 basic provisions that the committee believes users should have as reasonable expectations for their online safety and security. The CBoR articulated in this report is distinctly user-centric, enabling individuals to draw for themselves the contrast between that vision and their own personal cyberspace experiences.
The first three provisions relate to properties of holistic systems, including availability, recoverability, and control of systems:
- I. Availability of system and network resources to legitimate users.
- II. Easy and convenient recovery from successful attacks.
- III. Control over and knowledge of one’s own computing environment.
The next three provisions relate to the traditional security properties of confidentiality, authentication (and its extension, provenance), and authorization:
- IV. Confidentiality of stored information and information exchange.
- V. Authentication and provenance.
- VI. The technological capability to exercise fine-grained control over the flow of information in and through
The next three provisions relate to crosscutting properties of systems:
- VII. Security in using computing directly or indirectly in important applications, including financial, health care, and electoral transactions and real-time remote control of devices that interact with physical processes.
- VIII. The ability to access any source of information (e.g., e-mail, Web page, file) safely.
- IX. Awareness of what security is actually being delivered by a system or component.
The last provision relates to justice:
- X. Justice for security problems caused by another party.
However, providing these "rights" to users will be difficult. Even assuming that everything known about cybersecurity technologies and practices today was immediately put into practice, the resulting cybersecurity posture — though it would be stronger and more resilient than it is now — would still be inadequate against today’s threat, let alone tomorrow’s. Research is needed both to develop new knowledge and to make such knowledge more usable and transferable to the field. Furthermore, cybersecurity will be a continuing issue: threats evolve (both on their own and as defenses against them are discovered), and new vulnerabilities often emerge as innovation changes underlying system architectures, implementation, or basic assumptions.
Additional Notes and Highlights
Expertise Required: None