StudyDaddy Information Systems Final #2

Final #2

FeBrUAry 2010 | vOl. 53 | nO. 2 | communicA tions of the A cm 29 V viewpoints oFFiciaL WhitE hoUSE Photo by La WrENcE JackSoN Communications’ Inside Risks col- umns over the past two decades have frequently been concerned with trust- worthiness of computer-communica- tion systems and the applications built upon them. This column considers what is needed to attain new progress toward avoiding the risks that have prevailed in the past as a U.S. national cybersecu- rity R&D agenda is being developed. Al- though the author writes from the per - spective of someone deeply involved in research and development of trustwor- thy systems in the U.S. Department of Homeland Security, what is described here is applicable much more univer - sally. The risks of not doing what is de- scribed here are very significant .

—Peter G. Neumann C YBErSp ACE IS THE complex, dynamic, globally intercon- nected digital and infor- mation infrastructure that underpins every facet of so- ciety and provides critical support for our personal communication, econo- my, civil infrastructure, public safety, and national security. Just as our de- pendence on cyberspace is deep, so too must be our trust in cyberspace, and we must provide technical and policy solutions that enable four critical aspects of trustworthy cyber- space: security, reliability, privacy, and usability. The U.S. and the world at large are currently at a significant decision point. We must continue to defend our existing systems and networks. At the same time, we must attempt to be ahead of our adversaries, and ensure future generations of technology will position us to better protect critical infrastructures and respond to at- tacks from adversaries. Government- funded research and development must play an increasing role toward achieving this goal of national and economic security. Background On January 8, 2008, National Security Presidential Directive 54/Homeland Se- curity Presidential Directive 23 formal- ized the Comprehensive National Cyber- security Initiative (CNCI) and a series of continuous efforts designed to establish a frontline defense (reducing current vulnerabilities and preventing intru- sions), which will protect against the full spectrum of threats by using intel- ligence and strengthening supply chain security, and shaping the future environ- ment by enhancing our research, devel- Inside risks The need for a national Cybersecurity research and Development Agenda Government-funded initiatives, in cooperation with private-sector partne\ rs in key technology areas, are fundamental to cybersecurity technical transformation.

DOI:10.1145/1646353.1646365 Douglas Maughan President Barack obama greets White house cyber security chief howard A. schmidt, who was appointed in December 2009. ARt in DeVeL oPment 30 communicAtions of the A cm | FeBrUAry 2010 | vOl. 53 | nO. 2 viewpoints opment, and education, as well as invest - ing in “leap-ahead” technologies. No single federal agency “owns” the issue of cybersecurity. In fact, the federal government does not uniquely own cybersecurity. It is a national and global challenge with far-reaching consequences that requires a coopera- tive, comprehensive effort across the public and private sectors. However, as it has done historically, the U.S. gov- ernment R&D community, working in close cooperation with private-sector partners in key technology areas, can jump-start the necessary fundamental technical transformation.

Partnerships The federal government must reener- gize two key partnerships to success- fully secure the future cyberspace: the partnership with the educational sys- tem and the partnership with the private sector. The Taulbee Survey 2 has shown that our current educational system is not producing the cyberspace workers of the future and the current public- private partnerships are inadequate for taking R&D results and deploying them across the global infrastructure .

Education. A serious, long-term problem with ramifications for na- tional security and economic growth is looming: there are not enough U.S. cit- izens with computer science (CS) and science, technology, engineering, and mathematics (STEM) degrees being produced. The decline in CS enroll- ments and degrees is most acute. The decline in undergraduate CS degrees portends the decline in master’s and doctoral degrees as well. Enrollments in major university CS departments have fallen sharply in the last few years, while the demand for computer scien- tists and software engineers is high and growing. The Taulbee Survey 2 confirmed that CS (including comput- er engineering) enrollments are down 50% from only five years ago, a pre- cipitous drop by any measure. Since CS degrees are a subset of the overall requirement for STEM degrees and show the most significant downturn, CS degree production can be consid- ered a bellwether to the overall condi- tion and trend of STEM education. The problems with other STEM degrees are equally disconcerting and require im- mediate and effective action. At the same time, STEM jobs are growing, and CS jobs are growing faster than the national average. At a time when the U.S. experiences cyberattacks daily and as global com- petition continues to increase, the U.S.

cannot afford continued ineffective ed- ucational measures and programs. Re- vitalizing educational systems can take years before results are seen. As part of an overall national cybersecurity R&D agenda, the U.S. must incite an extraor- dinary shift in the number of students in STEM education quickly to avoid a serious shortage of computer scien- tists, engineers, and technologists in the decades to come. Public-Private Partnerships. Infor- mation and communications net- works are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing cybersecurity issues requires public- private partnerships as well as inter- national cooperation. The public and private sector interests are dependent on each other and share a responsibil- ity for ensuring a secure, reliable infra- structure. As the federal government moves forward to enhance its partner- ships with the private sector, research and development must be included in the discussion. More and more private- sector R&D is falling by the wayside and, therefore, it is even more impor- tant that government-funded R&D can make its way to the private sector, given it designs, builds, owns, and operates most of the critical infrastructures.

t echnical Agenda Over the past decade there have been a significant number of R&D agendas published by various academic and in- dustry groups, and government depart- ments and agencies (these documents can be found online at http://www. cyber.

st.dhs.gov/documents.html).

A 2006 federal R&D plan identified at least eight areas of interest with over 50 project topics that were either being funded or should be funded by federal R&D entities. Many of these topic areas have been on the various lists for over a decade. Why? Because the U.S. has un- derinvested in these R&D areas, both within the government and private R&D communities. The Comprehensive National Cy- ber Initiative (CNCI) and the Presi- dent’s Cyberspace Policy Review 3 challenged the federal networks and IT research community to figure out how to “change the game” to address these technical issues. Over the past year, through the National Cyber Leap Year (NCLY) Summit and a wide range of other activities, the U.S. government research community sought to elicit the best ideas from the research and technology community. The vision of the CNCI research community over the next 10 years is to “transform the cyber- infrastructure to be resistant to attack so that critical national interests are protected from catastrophic damage and our society can confidently adopt new technological advances .” The leap-ahead strategy aligns with the consensus of the U.S. networking and cybersecurity research communi- ties: That the only long-term solution to the vulnerabilities of today’s network- ing and information technologies is to ensure that future generations of these technologies are designed with security built in from the ground up. Federal agencies with mission-critical needs for increased cybersecurity, which in- cludes information assurance as well as network and system security, can play a direct role in determining research pri- orities and assessing emerging technol- ogy prototypes. The Department of Homeland Secu- rity Science and Technology Director- ate has published its own roadmap in an effort to provide more R&D direction for the community. The Cybersecurity Research Roadmap 1 addresses a broad R&D agenda that is required to enable production of the technologies that will protect future information systems and the current public- private partnerships are inadequate for taking R&D results and deploying them across the global infrastructure. viewpoints FeBrUAry 2010 | vOl. 53 | nO. 2 | communicA tions of the A cm 31 networks. The document provides de- tailed research and development agen- das relating to 11 hard problem areas in c ybersecurity, for use by agencies of the U.S. government. The research top- ics in this roadmap, however, are rel- evant not just to the governments, but also to the private sector and anyone else funding or performing R&D .

While progress in any of the areas identified in the reports noted previous- ly would be valuable, I believe the “top 10” list consists of the following (with short rationale included): Software Assurance: poorly writ- 1.

ten software is at the root of all of our security problems ; Metrics: we cannot measure our 2.

systems, thus we cannot manage them; Usable Security: information se- 3.

cu rity technologies have not been de- ployed because they are not easily usable; Identity Management: the ability 4.

to know who you are communicating with will help eliminate many of today’s online problems, including attribution; Malware: today’s problems contin- 5.

ue because of a lack of dealing with ma- licious software and its perpetrators; Insider Threat: one of the biggest 6.

threats to all sectors that has not been adequately addressed; Hardware Security: today’s com- 7.

puting systems can be improved with new thinking about the next generation of hardware built from the start with se- curity in mind; Data Provenance: data has the 8.

most value, yet we have no mechanisms to know what has happened to data from its inception; Trustworthy Systems: current sys- 9.

tems are unable to provide assurances of correct operation to include resil- iency; and Cyber Economics: we do not un- 10.

derstand the economics behind cyber- security for either the good guy or the bad guy.

Life cycle of innovation R&D programs, including cybersecu- rity R&D, consistently have difficulty in taking the research through a path of development, testing, evaluation, and transition into operational envi- ronments. Past experience shows that transition plans developed and applied early in the life cycle of the research program, with probable transition paths for the research product, are ef- fective in achieving successful transfer from research to application and use.

It is equally important, however, to ac- knowledge that these plans are subject to change and must be reviewed often.

It is also important to note that differ- ent technologies are better suited for different technology transition paths and in some instances the choice of the transition path will mean success or failure for the ultimate product. There are guiding principles for transitioning research products. These principles in- volve lessons learned about the effects of time/schedule, budgets, customer or end-user participation, demonstra- tions, testing and evaluation, product partnerships, and other factors.

A July 2007 U.S. Department of De- fense Report to Congress on Technol- ogy Transition noted there is evidence that a chasm exists between the DoD S&T communities and acquisition of a system prototype demonstration in an operational environment. DOD is not the only government agency that struggles with technology transition.

That chasm, commonly referred to as the “valley of death,” can be bridged only through cooperative efforts and investments by both research and ac- quisition communities. There are at least five canonical tran- sition paths for research funded by the federal government. These transition paths are affected by the nature of the technology, the intended end user, par- ticipants in the research program, and other external circumstances. Success in research product transition is often accomplished by the dedication of the program manager through opportu- nistic channels of demonstration, part- nering, and sometimes good fortune. However, no single approach is more effective than a proactive technology champion who is allowed the freedom to seek potential utilization of the re- search product. The five canonical tran- sition paths are: Department/Agency direct to ˲ Acquisition Department/Agency to ˲ Government Lab Department/Agency to Industry ˲ Department/Agency to ˲ Academia to Industry Department/ ˲ Agency to Open Source Community In order to achieve the full results of R&D, technology transfer needs to be a key consideration for all R&D invest- ments. This requires the federal gov- ernment to move past working models where most R&D programs support only limited operational evaluations and ex- periments. In these old working mod- els, most R&D program managers con- sider their job done with final reports, and most research performers consider their job done with publications. In or- der to move forward, government-fund- ed R&D activities must focus on the real goal: technology transfer, which follows transition. Current R&D principal inves- tigators (PIs) and program managers (PMs) aren’t rewarded for technology transfer. Academic PIs are rewarded for publications, not technology transfer.

The government R&D community must reward government program managers and PIs for transition progress.

conclusion As noted in the White House Cyber- space Policy Review, 3 an updated na- tional strategy for securing cyberspace is needed. Research and development must be a full partner in that discus- sion. It is only through innovation cre- ation that the U.S. can regain its posi- tion as a leader in cyberspace. References 1. a roadmap for cybersecurity research, Department of homeland Security Science and t echnology Directorate, November 2009; http://www.cyber.st.dhs.

gov/documents.html 2. t aulbee Survey 2006–2007, computing research News 20, 3. Computer Research Association, May 2008.

3. White house cyberspace Policy review; http://www.

whitehouse.gov/assets/documents/cyberspace_ Policy_review_final.pdf Douglas Maughan ([email protected]) is a program manager for cybersecurity r&D at the U.S.

Department of homeland Security in Washington, D.c.

copyright held by author. in order to achieve the full results of R&D, technology transfer needs to be a key consideration for all R&D investments.

Have a similar question?

Continue to edit or attach image(s).

  • Fast and convenient

    Fast and convenient

    Simply post your question and get it answered by professional tutor within 30 minutes. It's as simple as that!

  • Any topic, any difficulty

    Any topic, any difficulty

    We've got thousands of tutors in different areas of study who are willing to help you with any kind of academic assignment, be it a math homework or an article.

  • 100% Satisfied Students

    100% Satisfied Students

    Join 3,4 million+ members who are already getting homework help from StudyDaddy!