Thoughts on New Cyber Security Report
Today I skimmed the latest report from the President's Information Technology Advisory Committee (PITAC) titled Cyber Security: A Crisis of Prioritization (.pdf). This Government Computer News story summarizes the report's findings. Briefly, they are that the nation's critical infrastructures remain vulnerable to attack, and that federal security research and development funding is misallocated. PITAC estimates "there are fewer than 250 active cyber security or cyber assurance specialists, many of whom lack either formal training or extensive professional experience in the field." I agree with this claim; it is very difficult to find anyone with deep and broad security degrees and experience whom I would trust to teach future practitioners.
I was pleased to see the report list the following as some of its ten research priorities, as they are near to my own interests:
- Monitoring and Detection. Regardless of progress made in the preceding research areas, unanticipated events will still occur. When they do, tools to monitor and understand what is happening are needed to enable the proper deployment of appropriate defensive measures. The ability of current tools that monitor irregular network activity to rapidly identify the underlying cause is primitive. The current advantage that adversaries enjoy will increase as they become more knowledgeable and as the Internet becomes larger and more complex. Research subtopics include:
-- Dynamic protection that can react when attacks are detected, possibly by increasing monitoring activities
-- Global scale monitoring and intrusion detection
-- Monitoring of systems to ensure that they meet declared security policies
-- Better tools based on improved models that characterize "normal" behavior
-- Real-time data collection, storage, mining, and analysis during a crisis
-- Usable presentation interfaces that allow operators to better understand incidents in progress
- Cyber Forensics: Catching Criminals and Deterring Criminal Activities. The rapid arrest and conviction of criminals is a primary goal of law enforcement and also serves as a deterrent. When potential criminals believe there is a strong chance that they will be caught and convicted, they are more reluctant to commit crimes. Current capabilities to investigate cyber crime, identify perpetrators, gather and present evidence, and convict criminals are woefully inadequate. Compounding the problem, we do not really know how to deter cyber crime. Very few of the thousands of cyber criminals active today are being caught. There is a pressing need to develop new tools and techniques to investigate cyber crimes and prosecute criminals. Robust cyber forensic methods are also needed that will prove capable of withstanding the burden of proof in court, whether employed to prosecute criminals or exonerate the innocent. Research subtopics include:
-- Identifying the origin of cyber attacks, including traceback of network traffic
-- Identifying attackers based on their behavior
-- Collecting evidence in uncooperative network environments
-- Tracing stolen information used in the growing traffic in fraud, identity theft, and intellectual property theft, including tools and protocols for recovering trace evidence from volatile and incompletely-erased computing media, disks, cell phones, PDAs, and embedded systems
-- Tools and protocols to search massive data stores for specific information and indicators, possibly while the data stores are in use
-- Fundamental research to develop forensic-friendly system architectures that are more amenable to investigation when incidents occur
I intend to keep my eyes open for institutions looking for researchers to pursue these areas.