Fed plan for cybersecurity R&D released
- By Patience Wait
- Jun 02, 2006
The government has outlined its first steps for coordinating and expanding federal research and development efforts aimed at improving cybersecurity.
The new Federal Plan for Cyber Security and Information Assurance Research and Development
, issued in April and now available online, lays the groundwork for developing an R&D agenda that will help address critical gaps in current technologies and capabilities.
The authors identify several technology trends that 'make it likely that the security issues of the IT infrastructure will only intensify over the next decade.' Among these trends:
- The increasing complexity of IT systems and networks;
- The evolution of the telecommunications infrastructure, as telephone systems and IT networks converge into a more unified architecture;
- The increased use of wireless technology, which increases vulnerability to attack;
- The increasing interconnectivity and accessibility of computer systems critical to the U.S. economy, including supply chain management systems, financial-sector networks, and distributed control systems for factories and utilities; and
- The increasingly global nature of the IT supply chain, which will increase the risk of subversion by foreign and domestic adversaries.
The plan was prepared by the Interagency Working Group on Cyber Security and Information Assurance, under the auspices of the National Science and Technology Council. The document does not address budget requirements or policy issues, but it makes ten broad recommendations:
- Target federal R&D investments to strategic cybersecurity and IA needs, to focus on strategic and longer-term requirements that complement projects being carried out in the private sector.
- R&D efforts should focus on countering high-impact threats and investigating innovating approaches to increasing the overall security and information assurance of IT systems.
- Make cybersecurity and IA research and development both an individual agency and an interagency budget priority, including guidance as they address mission-related R&D requirements.
- Support sustained interagency coordination and collaboration on R&D in this area.
- Build in security from the beginning, by supporting fundamental R&D into inherently more secure next-generation technologies that will replace today's insecure, patchwork infrastructure.
- Assess the security implications of emerging technologies, such as optical computing, quantum computing, and pervasively embedded computing.
- Use the plan's technical priorities and investment analyses to work with the private sector to develop a road map of cybersecurity and IA R&D priorities, emphasizing coordinated agency activities that address technical and investment gaps.
- Develop and apply new methods and technologies for measuring IT component, network and system security.
- Implement more effective coordination with the private sector, including improving communication and coordination with operators of both federal and private-sector critical infrastructures with shared interests.
- Foster a broad partnership among government, the IT industry, researchers and private-sector users, including international partners, to develop, test and deploy a more secure next-generation Internet.
The risks associated with current and anticipated vulnerabilities of, threats to, and attacks against the IT infrastructure provide the rationale for this report. Fast-shifting trends in both technologies and threats make it likely that the security issues of the IT infrastructure will only intensify over the next decade. Key areas for concern include:
- The increasing complexity of IT systems and networks, which will present mounting security challenges for both the developers and consumers
- The evolving nature of the telecommunications infrastructure, as the traditional phone system and IT networks converge into a more unified architecture
- The expanding wireless connectivity to individual computers and networks, which increases their exposure to attack. In hybrid or all-wireless network environments, the traditional defensive approach of "securing the perimeter" is not effective because it is increasingly difficult to determine the physical and logical boundaries of networks.
- The increasing interconnectivity and accessibility of (and consequently, risk to) computer-based systems that are critical to the U.S. economy, including supply chain management systems, financial sector networks, and distributed control systems for factories and utilities
- The breadth and increasingly global nature of the IT supply chain, which will increase opportunities for subversion by adversaries.