Friday, June 29, 2007

Report: Safer and more secure cyberspace.

Thanks to the CRA blog for a pointer to a newly-available report from the National Research Council's (NRC) Computer Science and Telecommunications Board (CSTB) and Division on Engineering and Physical Sciences (DEPS), entitled Toward a Safer and More Secure Cyberspace. (Draft form free for online viewing, but you'll have to pay for a hardcopy.)

Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation but cyberspace is far from secure today...

Society ultimately expects computer systems to be trustworthy—that is, that they do what is required and expected of them despite environmental disruption, human user and operator errors, and attacks by hostile parties, and that they not do other things... This report ... focuses on security and addresses other trustworthiness issues only to the extent that they relate to security...

The potential consequences of a lack of security in cyberspace fall into three broad categories. First is the threat of catastrophe—a cyber attack, especially in conjunction with a physical attack, could result in thousands of deaths and many billions of dollars of damage in a very short time. Second is frictional drag on important economic and security-related processes... Third, concerns about insecurity may inhibit the use of IT in the future and thus lead to a self-denial of the benefits that IT brings...

THE CYBERSECURITY BILL OF RIGHTS

I. Availability of system and network resources to legitimate users.
II. Easy and convenient recovery from successful attacks.
III. Control over and knowledge of one's own computing environment.
IV. Confidentiality of stored information and information exchange.
V. Authentication and provenance.
VI. The technological capability to exercise fine-grained control over the flow of information in and through systems.
VII. Security in using computing directly or indirectly in important applications, including financial, health care, and electoral transactions and real-time remote control of devices that interact with physical processes.
VIII. The ability to access any source of information (e.g., e-mail, Web page, file) safely.
IX. Awareness of what security is actually being delivered by a system or component.
X. Justice for security problems caused by another party...

A different way of thinking about cybersecurity will be necessary regarding the ways in which secure systems are designed, developed, procured, operated, and used. In the long run, this different way of thinking will entail new directions in education, training, development practice, operational practice, oversight, liability laws, government regulation, and so on...

The nation is a long way from meeting this goal. The first reason is that much about cybersecurity technologies is known but not put into practice...

The second reason is that even assuming that all that is known today were to be immediately put into practice, the resulting cybersecurity posture ... would still be inadequate against today's threat, let alone tomorrow's. Closing this gap—a gap of knowledge—will require both traditional and unorthodox approaches to research...

Cybersecurity will be a continuing issue: threats evolve (both on their own and as defenses against them are discovered), and new vulnerabilities often emerge as innovation changes underlying system architectures, implementation, or basic assumptions...

IMPORTANT CATEGORIES OF RESEARCH FOCUS

1. Blocking and limiting the impact of compromise...
2. Enabling accountability...
3. Promoting deployment...
4. Deterring would-be attackers...
5. Crosscutting problem-focused research...
6. Speculative research...

WHY HAS CYBERSECURITY ACTION TAKEN TO DATE BEEN INSUFFICIENT?

The cybersecurity threat is ominous. Moreover, as one of the most IT-dependent nations in the world, the United States has much to lose from the materialization of this threat. But this committee is not the first committee—and this report is not the first report—to make this claim. After more than 15 years of reports pointing to an ominous threat, and in fact 15+ years in which the threat has objectively grown, why is there not a national sense of urgency about cybersecurity? Why has action not been taken to close the gap between the nation's cybersecurity posture and the cyberthreat?

The lack of adequate action in the cybersecurity space can be largely explained by three factors:
  • Past reports have not provided the sufficiently compelling information needed to make the case for dramatic and urgent action...
  • Even with the relevant information in hand, decision makers discount future possibilities so much that they do not see the need for present-day action. That being the case, nothing short of a highly visible and perhaps ongoing cyber-disaster will motivate actions...
  • The costs of inaction are not borne by the relevant decision makers...

These factors suggest the need for putting into place mechanisms that change the calculus used to make decisions about cybersecurity...

PRIORITIES FOR ACTION TODAY

  • Create a sense of urgency about the cybersecurity problem...
  • Support a robust and sustained research agenda at levels which ensure that a large fraction of good ideas for cybersecurity research can be explored...
  • Establish mechanisms for continuing follow-up on a research agenda...
  • Support research infrastructure...
  • Sustain and grow the human resource base...

Most of these points will strike security researchers as self-evident. But they are apparently not evident to the nation's decision makers. Hopefully, this well-written high-profile report by a distinguished committee (Sy Goodman, Joel Birnbaum, David Aucsmith, Steve Bellovin, Anjan Bose, Barbara Fraser, James Gosler, William Guttman, Ruby Lee, Fred Luiz, Teresa Lunt, Peter Neumann, Stefan Savage, Bill Scherlis, Fred Schneider, Alfred Spector, John Wankmueller, and Jay Warrior) will have some success in getting these messages to those outside the security community.