We Are at [Cyber] War
We face threats that are rapidly increasing in scope and sophistication. As was made painfully clear by the revelations of military incursions (by the “Shanghai Group” or “Comment Crew”) into U.S. systems, we now face state-sponsored cyber sleuthing and cyber terrorism. This unstable environment includes targeted attacks by ad hoc organizations and global cyber-crime syndicates that are escalating their operations against systems that are critical to our national safety and security.
Cybersecurity is a constant, serious and accelerating challenge in every facet of American society. We have become completely dependent on cyber capabilities and, as a result, highly vulnerable to wide-ranging threats. Where these once were largely annoying hacker probes and network intrusions, we now face organized crime and state-sponsored cyber terrorism. Despite many years of research, we are still on the losing side of an asymmetric battle. These dynamics must be changed to protect U.S. government information, corporate trade secrets, and public health and safety, among other vital concerns. New approaches to research and development must be energized, and new findings must be based in hard experimental science to support crucial cybersecurity discovery, validation and ongoing analysis. We must carry out a coordinated program across multiple sectors of our society to change our posture.
1. Increase the breadth and scope of cybersecurity R&D, and create opportunities for multidisciplinary research.
Too often, cybersecurity research is narrowly focused on a few specific areas of investigation. For example, our community includes scientists conducting very good research on distributed denial-of-service threats, Internet worms, botnets and Internet routing attacks. Researchers typically specialize in just one of these well-known areas, where innovative countermeasures, protection and hardening are extremely valuable. Unfortunately, our adversaries also are doing R&D and are planning their attack scenarios without any of the same constraints. They are looking across multiple threat vectors for system vulnerabilities, within and across different technologies, and picking targets for their strategic value, not simply because they are easy marks. Thus, our adversaries are constructing attacks that combine multiple areas into even more potent, multifaceted weapons.
Studying broadly within our own disciplines is not enough. Cybersecurity is no longer solely an engineering issue. It requires deep involvement from economists, sociologists, anthropologists and others to create the holistic research agendas that can anticipate and guide effective cyber-defense strategies.
2. Formulate a research strategy/agenda to develop open, broad, multi-organizational cybersecurity experimentation and testing capabilities.
Looking forward, it is clear that cybersecurity R&D must be grounded in the same systematic approach to discovery and validation that is routine in other scientific and technological disciplines. To approach these challenging research problems, we must create a paradigm shift in experimental cybersecurity. Only by enabling demonstrable, repeatable experimental results can we provide a sound basis for researchers to leverage prior work and create new capabilities not yet imaginable. Tomorrow’s researchers must be able to stand on the shoulders of today’s researchers, not be consigned to treading the same ground.
3. Develop new models of technology transfer operation, funding, partnership and cultural change within organizations.
Technology transfer is particularly difficult in the constantly shifting world of cybersecurity. At each stage—from initial research idea, to advanced prototype, to early-stage product to widespread adoption—the process can break due to internal factors or sudden shifts in attack methodologies, tools and strategies. The net effect is that many potentially valuable security technologies never see the light of day. Commercializing security technologies in some cases has been largely a matter of chance.
4. Increase educational programs in cybersecurity research and development, with an emphasis on doctoral degrees.
The U.S. needs deep intellectual resources to fundamentally change the cyber-threat dynamic. In addition to creating, cataloging and monitoring training programs, we need to be prepared to make significant investments in higher education. I applaud the efforts of the National Science Foundation and other federal research agencies to create and fund cybersecurity research and education grants. These fundamental research endeavors are the essential catalyst for research breakthroughs. Only by educating the next generation of researchers and educators today can we build the intellectual resources vital to solving tomorrow’s problems.
Taken together, these four recommendations form the basis for a multipronged, sustainable national program to address cyber R&D challenges, and to pursue the most promising approaches to a new order for research, development and innovation partnerships.
Terry Benzel is deputy director for the Computer Networks Division at USC’s Information Sciences Institute (ISI)). She is also the technical project lead for the Cyber Defense Technology Experimental Research (DETER) testbed projects funded by DHS, NSF and DARPA.