CYBERSECURITY

DOE seeks new approach to cybersecurity

Reactive approaches to information security have not kept pace with the rapidly evolving information technology environment, and a panel of experts examining the state of security at the Energy Department has recommended a fundamentally different approach.

The traditional layered wall-and-moat approach to physical security is not well suited to complex information systems whose development and use are unpredictable, the panel concluded in its report, “A Scientific Research and Development Approach to Cyber Security.”

“Today’s cybersecurity methods, policies and tools have proved to be increasingly inadequate when applied to the exponentially growing scope, scale and complexity of information systems and the Internet,” the report states. For instance, the availability of small, powerful USB drives easily circumvents many security measures. “Innovation is needed in many areas — ranging from better authentication protocols to stronger encryption to better understanding of social and human factors.”

The report recommends a program to apply scientific research to the problem, which could enable security to take a leap ahead of emerging threats and vulnerabilities instead of being condemned to a continual game of catch-up.

“Peer-review processes must be used to identify the best research ideas,” the report states. “Opportunities for dissemination of research results — through workshops, conferences, traditional publications or online journals — will be an important consideration in engaging the open science community. Involvement of postdoctoral researchers and students in this effort will help build the pipeline of trained cyber professionals.”

DOE undertook the study because of its heavy reliance on IT and its mission to protect the nation’s energy systems and nuclear stockpiles.

“Despite ubiquitous dependence on electronic information and on networked computing infrastructure, cybersecurity practice and policy [are] largely heuristic, reactive and increasingly cumbersome, struggling to keep pace with rapidly evolving threats,” the report states. “Advancing beyond this reactive posture will require transformation in information system architecture and new capabilities that do not merely solve today’s security challenges — they must render them obsolete.”

A community of cybersecurity professionals and researchers from DOE laboratories, the private sector, academia and other agencies conducted a series of workshops to assess the state of cybersecurity in general and at DOE specifically. “The conclusion reached is that the department should develop a long-term strategy that applies science and mathematics to develop information system architectures and protective measures that go beyond stopping traditional threats to rendering both traditional and new threats harmless,” the report states.

The department sees itself as uniquely qualified to play a leading role in the cybersecurity research and development area because of its reliance on IT infrastructure for a mission that includes classified and unclassified work and basic scientific research.

The panel identified the following three focus areas for research.

  • Mathematics: Predictive Awareness for Secure Systems. The goal is to examine system and network behavior to anticipate failures or attacks, including real-time detection of anomalous activity.
  • Information: Self-Protective Data and Software. DOE should create active data systems and protocols to enable self-protective and self-healing systems.
  • Platforms: Creating Trustworthy Systems from Untrusted Components. DOE should develop techniques for maintaining the integrity and confidentiality of a system comprising components for which there are varying degrees of trust.


About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Sat, Mar 21, 2009 Michael Tillman

If one were to create a "supercomputer" that would index every spoken word, every movement, every email and phone call (as text, of course) it wouldn't be quite hard to determine who was planning to launch a "cyber attack" and circumvent them prior to launch of said attack. Now, that would cover 25% of the threat. What is left for the other 75%? That is left to be seen but once the framework for the 25% is laid out I'm sure it will answer the question. How many times has your password been reset and you thought nothing of it? SuperComputer would hear you complain to fellow employee and immediately start looking into it. I am sure there will be cases of hackers exploiting systems that aren't updated but that's the problem of the SYSADMIN. So I would think that the rest of it would be left up to Social Engineering and whilst an unsuspecting employee wouldn't be able to tell the difference between social engineering the supercomputer which can parse through the index of every spoken word (and heard) would be able to flag it nearly immediately resulting in a not so friendly phone call to the processor who was about to give away the goodies. Complete security is just that, complete security. Have the credentials of every user indexed and continuously monitored, even down to the phone calls ensuring that the # the call is received from is actually a business partner. And, on top of prevention, swift and severe punishment of those who dare cross the supercomputer. Of course, never tell them how you did it, either. Regards, Michael A. Tillman

Sun, Mar 1, 2009

It is interesting to me that the "solution" is science and mathematics from researchers who are science and mathematics oriented. I agree that additional research is needed, however I wouldn't trust the research to an organization that can't implement the simple security measures.

Fri, Feb 13, 2009 Steven Sprague Mass

DOE needs to build on the back of the efforts by the Trusted Computing Group and the PC manufacturers. 70 - 80% of all DOE PCs have a TPM and this device can be used to provide excellent machine identity. Machine identity will assure that only authorized PCs are on the network. The DOE can and should put the TPM into use today. Industry can help provide the tools but we can't make everyone use them. The TPM can also provide a significant role in machine integrity. This is a more advanced application but much work has been done in this area. DOE should make sure that TPM is part of their NAC architecture. The Trusted Computing Group has also delivered specifications for Full Disk Encryption in hardware on drives. All current DOE purchases should be using FDE drives. This policy should have been set yesterday. The fact that they can't find a bunch of machines continues to prove that they are not taking their role seriously. The cost of adding an FDE drive to a laptop is only a few dollars and every DOE computer should have hardware to protect the data. As the DOE pursues a new architecture for security it needs to leverage the tools that will enable all data to be encrypted, all keys secured by trusted components, all devices authorized, and common industry standard components leveraged. The industry has spent 10's of millions of dollars to deliver the tools to secure the PC. It is time the IT departments of the world wake up and use them. Steven Sprague, CEO, Wave Systems Corp.

Fri, Feb 13, 2009 Rick Morris Annapolis MD

Ongoing Cyber Game Training is extremely important, just as training a soldier to shoot a gun isn't enough, we have to do War Games to prepare the troops. Cyber Security is no different, we should be doing Cyber Training Games to perfect your Cyber protection skills. I represent a company that does such training and it is very interesting. I would love to have a discussion with the proper folks on this matter.
