I am starting to feel like the motorist yelling "You're going the wrong way!", and the drivers I'm yelling at are Federal research efforts like the Federal Networking and Information Technology Research and Development (NITRD) Program. This program describes itself thusly:
The NITRD Program is the primary forum by which the US Government coordinates its unclassified networking and information technology (IT) research and development (R&D). Fourteen Federal agencies, including all of the large science and technology agencies, are formal members of the NITRD Program, whose combined 2010 networking and IT R&D budgets totaled more than $4 billion.
This program proposes three Federal Cybersecurity Game-change R&D Themes:
- Tailored Trustworthy Spaces: Tailored Trustworthy Spaces (TTS) provide flexible, adaptive, distributed trust environments that can support functional and policy requirements arising from a wide spectrum of activities in the face of an evolving range of threats. A TTS recognizes the user’s context and evolves as the context evolves. The user chooses to accept the protections and risks of a tailored space, and the attributes of the space must be expressible in an understandable way to support informed choice and must be readily customized, negotiated and adapted.
The scientific challenge of tailored spaces is to provide the separation, isolation, policy articulation, negotiation, and requisite assurances to support specific cyber sub-spaces.
- Moving Target: Research into Moving Target (MT) technologies will enable us to create, analyze, evaluate, and deploy mechanisms and strategies that are diverse and that continually shift and change over time to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency. The characteristics of a MT system are dynamically altered in ways that are manageable by the defender yet make the attack space appear unpredictable to the attacker.
MT strategies aim to substantially increase the cost of attacks by deploying and operating networks and systems in a manner that makes them less deterministic, less homogeneous, and less static.
- Cyber Economic Incentives: Cybersecurity practices lag behind technology. Solutions exist for many of the threats introduced by casual adversaries, but these solutions are not widely used because incentives are not aligned with objectives and resources are not correctly allocated. Secure practices must be incentivized if cybersecurity is to become ubiquitous, and sound economic incentives need to be based on sound metrics, processes that enable assured development, sensible and enforceable notions of liability and mature cost/risk analysis methods.
This is lovely. Great. However, if you're going to spend $4 billion, why not focus on better operations? The problem with this endeavor is that it is driven by researchers. This is my personal opinion, but researchers do not know what is happening inside real enterprises. Like the wrong-way driver in the joke, the researchers reply "How does he know where we're going?" I know where they are going because I see these sorts of R&D efforts, and I don't see them addressing the real problems in the enterprise: detecting and responding to the intrusions that are already happening on systems that are already deployed.
Harlan Carvey always makes this point, and he is right: many enterprises are not conducting counter-intrusion operations at the level required for modern defense. We don't need the output of a research project to become yet another aspect of digital security that is not designed, built, or run properly in the IT environment.