DOE seeks new approach to cybersecurity
Reactive approaches to information security have not kept pace with the rapidly evolving information technology environment, and a panel of experts examining the state of security at the Energy Department has recommended a fundamentally different approach.
The traditional layered wall-and-moat approach to physical security is not well suited to complex information systems whose development and use are unpredictable, the panel concluded in its report, “A Scientific Research and Development Approach to Cyber Security.”
“Today’s cybersecurity methods, policies and tools have proved to be increasingly inadequate when applied to the exponentially growing scope, scale and complexity of information systems and the Internet,” the report states. For instance, the availability of small, powerful USB drives easily circumvents many security measures. “Innovation is needed in many areas — ranging from better authentication protocols to stronger encryption to better understanding of social and human factors.”
The report recommends a program to apply scientific research to the problem, which could enable security to take a leap ahead of emerging threats and vulnerabilities instead of being condemned to a continual game of catch-up.
“Peer-review processes must be used to identify the best research ideas,” the report states. “Opportunities for dissemination of research results — through workshops, conferences, traditional publications or online journals — will be an important consideration in engaging the open science community. Involvement of postdoctoral researchers and students in this effort will help build the pipeline of trained cyber professionals.”
DOE undertook the study because of its heavy reliance on IT and its mission to protect the nation’s energy systems and nuclear stockpiles.
“Despite ubiquitous dependence on electronic information and on networked computing infrastructure, cybersecurity practice and policy [are] largely heuristic, reactive and increasingly cumbersome, struggling to keep pace with rapidly evolving threats,” the report states. “Advancing beyond this reactive posture will require transformation in information system architecture and new capabilities that do not merely solve today’s security challenges — they must render them obsolete.”
A community of cybersecurity professionals and researchers from DOE laboratories, the private sector, academia and other agencies conducted a series of workshops to assess the state of cybersecurity in general and at DOE specifically. “The conclusion reached is that the department should develop a long-term strategy that applies science and mathematics to develop information system architectures and protective measures that go beyond stopping traditional threats to rendering both traditional and new threats harmless,” the report states.
The department sees itself as uniquely qualified to play a leading role in the cybersecurity research and development area because of its reliance on IT infrastructure for a mission that includes classified and unclassified work and basic scientific research.
The panel identified the following three focus areas for research.
- Mathematics: Predictive Awareness for Secure Systems. The goal is to examine system and network behavior to anticipate failures or attacks, including real-time detection of anomalous activity.
- Information: Self-Protective Data and Software. DOE should create active data systems and protocols to enable self-protective and self-healing system.
- Platforms: Creating Trustworthy Systems from Untrusted Components. DOE should develop techniques for maintaining the integrity and confidentiality of a system comprising components for which there are varying degrees of trust.