The President has made it clear that cybersecurity is one of the most important challenges we face as a Nation. Advances in cybersecurity science and engineering are urgently needed to preserve the Internet’s social and economic benefits.
As part of the President’s Cybersecurity National Action Plan (CNAP), the Administration also released the 2016 Federal Cybersecurity Research and Development Strategic Plan, which was coordinated by the National Science and Technology Council. This is the most comprehensive federal cybersecurity research and development (R&D) plan to date, and it updates 2011’s Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program.
With the goal of making cyberspace inherently more secure, the plan challenges the cybersecurity R&D community to provide methods and tools for deterring, protecting, detecting, and adapting to malicious cyber activities. The plan defines near-, mid-, and long-term goals to guide and evaluate progress.
The plan’s goal for the near term is to achieve science and technology (S&T) advances that counter adversaries’ asymmetrical advantages with effective and efficient risk management. To do this, organizations need to better understand the range of vulnerabilities and threats they face in cyberspace, and to practice evidence-based risk management, which is the process of identifying, assessing, and responding to risk, including the development of effective and measurable controls. To make the best choices, organizations need reliable data on the efficacy of security controls and their operational impact in realistic environments, reflecting the behavior of users, defenders, and adversaries. Understanding which measures will be effective against malicious cyber activities will lower cybersecurity risks.
The plan’s goal for the mid-term is to reverse adversaries’ asymmetrical advantages by developing sustainably secure systems and operations. To make malicious cyber activities more difficult, organizations must reduce the rewards of such activities by improving the efficacy and efficiency of their defenses by several orders of magnitude without placing undue burden on users.
Software defects, which are currently common, also give rise to many vulnerabilities. Science and technology advances are needed for the design and implementation of software, firmware, and hardware that are highly resistant to malicious cyber activities. And because system breaches are often due to innocent actions by well-intentioned users, we also need to develop effective, measurable technical and non-technical security controls that consider human behavior and economic incentives in cyberspace.
The plan’s long-term goal is to achieve S&T advances that deter malicious cyber activities, by increasing adversaries’ costs and risks, while also lowering their gains. Measuring the effort required and the likely results for malicious activities is critical to understanding how to effectively deter such activities. This requires new forensic capacities that reliably identify the perpetrator quickly enough to take action, without compromising free speech, or anonymity for those who are doing nothing wrong. If the likelihood of their discovery is increased and it becomes clear they will suffer negative consequences, many potential actors would forgo malicious activities.
As we accelerate the important work of making computing and the Internet inherently more secure through implementation of the plan, it will be critical to re-examine, refine, and extend the plan over time. Today, the President also established the Commission on Enhancing National Cybersecurity to provide recommendations on actions that can be taken over the next decade to strengthen cybersecurity, including further investments in research and development initiatives. While their work is just beginning, the Federal Cybersecurity Research and Development Strategic Plan will provide the Commission a valuable reference point as they consider the challenges and opportunities in cybersecurity R&D.
Whether in government, academia, or the private sector, organizations that sponsor research, perform research, or advise on such investments have an opportunity to contribute. Let’s work together to make cyberspace more secure.
Greg Shannon is the Assistant Director for Cybersecurity Strategy in the White House Office of Science and Technology Policy.
Tim Polk is the Assistant Director for Cybersecurity in the White House Office of Science and Technology Policy.