National Cyber Leap Year Summit 2009, Co-Chairs' Report

From Cybersecurity Wiki
Jump to navigation Jump to search

Full Title of Reference

National Cyber Leap Year Summit 2009, Co-Chairs' Report

Full Citation

Networking and Information Technology Research and Development, National Cyber Leap Year Summit 2009: Co-Chairs' Report (2009). Web



Key Words


The Nation’s economic progress and social well-being now depend as heavily on cyberspace assets as on interest rates, roads, and power plants, yet our digital infrastructure and its foundations are still far from providing the guarantees that can justify our reliance on them. The inadequacy of today’s cyberspace mechanisms to support the core values underpinning our way of life has become a national problem. To respond to the President’s call to secure our nation’s cyber infrastructure, the White House Office of Science and Technology Policy (OSTP) and the agencies of the Federal Networking and Information Technology Research and Development (NITRD) Program have developed the Leap-Ahead Initiative. NITRD agencies include AHRQ, DARPA, DOE, EPA, NARA, NASA, NIH, NIST, NOAA, NSA, NSF, OSD, and the DOD research labs.) As part of this initiative, the Government in October 2008 launched a National Cyber Leap Year to address the vulnerabilities of the digital infrastructure. That effort has proceeded on the premise that, while some progress on cybersecurity will be made by finding better solutions for today’s problems, some of those problems may prove to be too difficult. The Leap Year has pursued a complementary approach: a search for ways to avoid having to solve the intractable problems. We call this approach changing the game, as in “if you are playing a game you cannot win, change the game!” During the Leap Year, via a Request for Information (RFI) process coordinated by the NITRD Program, the technical community had an opportunity to submit ideas for changing the cyber game, for example, by:

  • Morphing the board: changing the defensive terrain (permanently or adaptively) to make it harder for the attacker to maneuver and achieve his goals, or
  • Changing the rules: laying the foundation for cyber civilization by changing norms to favor our society’s values, or
  • Raising the stakes: making the game less advantageous to the attacker by raising risk, lowering value, etc.

The 238 RFI responses that were submitted were synthesized by the NITRD Senior Steering Group for Cybersecurity R&D and five new games were identified. These new games have been chosen both because the change shifts our focus to new problems, and because there appear to be technologies and/or business cases on the horizon that would promote a change:

Basing trust decisions on verified assertions (Digital Provenance)

Attacks only work once if at all (Moving-target Defense)

Knowing when we have been had (Hardware-enabled Trust)

Hardware can be the final sanctuary and foundation of trust in the computing environment, based on the technologies that can be developed in the area of hardware-enabled trust and security. With cyber threats steadily increasing in sophistication, hardware can provide a game-changing foundation upon which to build tomorrow’s cyber infrastructure. But today’s hardware still provides limited support for security and capabilities that do exist are often not fully utilized by software. The hardware of the future also must exhibit greater resilience to function effectively under attack.

Within ten years, based on game-changing research:

  • We will build a computer that will not execute malware, just as the human body can harbor certain viruses without ill-effect.
  • We will build hardware that is itself more trustworthy.
  • We will be able to determine, by technical means, whether to trust a device, a software package or a network based on dynamically acquired trust information rooted in hardware and user-defined security policies.
  • We will build a computer that functions even under attack, through built-in resiliency that guarantees critical services in the face of compromise.

Move from forensics to real-time diagnosis (Nature-inspired Cyber Health)

Crime does not pay (Cyber Economics)

The economics of cybersecurity reflects the recognition that information security problems are, fundamentally, issues of misaligned incentives and misallocated resources - and therefore economic problems that require economic, more than merely technical, game changing solutions. Accordingly, the Cyber-Economics group at the 2009 National Cyber Leap Year Summit identified four economic strategies through which research and policy efforts may spur game changes in cybersecurity:

  • MITIGATING INCOMPLETE INFORMATION: Mitigate incomplete and asymmetric information barriers that hamper efficient security decision-making at the individual and organizational levels.
  • INCENTIVES AND LIABILITIES: Leverage incentives and impose or redistribute liabilities to promote secure behavior and decision making among stakeholders.
  • REDUCING ATTACKERS’ PROFITABILITY: Promote legal, technical, and social changes that reduce attackers’ revenues or increase their costs, thus lowering the overall profitability (and attractiveness) of cybercrime.
  • MARKET ENFORCEABILITY: Ensure that proposed changes are enforceable with market mechanisms.

Additional Notes and Highlights

Expertise Required: None