The most well thought out research agenda for cyber security I have seen to date

• TTA 01 – Software Assurance
• TTA 02 – Enterprise-Level Security Metrics
• TTA 03 – Usable Security
• TTA 04 – Insider Threat
• TTA 05 – Secure, Resilient Systems and Networks
• TTA 06 – Modeling of Internet Attacks
• TTA 07 – Network Mapping and Measurement
• TTA 08 – Incident Response Communities
• TTA 09 – Cyber Economics
• TTA 10 – Digital Provenance
• TTA 11 – Hardware-Enabled Trust
• TTA 12 – Moving-Target Defense
• TTA 13 – Nature-Inspired Cyber Health
• TTA 14 – Software Assurance MarketPlace (SWAMP)

DESCRIPTION:

The nation’s critical infrastructure (energy, transportation, telecommunications, banking and finance, and others), businesses, and services are extensively and increasingly controlled and enabled by software. Vulnerabilities in that software put those resources at risk. The risk is compounded by software size and complexity, the ways in which software is developed and maintained, the use of software produced by unvetted suppliers, and the interdependence of software systems. Software quality addresses the presence of internal flaws and vulnerabilities in software threatening its correct or predictable operation and use. Software assurance deals with the root of the problem by improving software security.

DESCRIPTION:

Defining effective information security metrics has proven difficult, even though there is general agreement that such metrics could allow measurement of progress in security measures and, at a minimum, rough comparisons of security between systems. Metrics underlie and quantify progress in many other system security areas. “You cannot manage what you cannot measure,” as the saying goes; the lack of sound and practical security metrics is severely hampering progress both in research and engineering of secure systems. However, general community agreement on meaningful metrics has been hard to achieve. This is due in part to the rapid evolution of IT, as well as the shifting locus of adversarial action.

DESCRIPTION:

Although the problem of achieving usable security is universal – it affects everyone, and everyone stands to benefit enormously if usability is successfully addressed as a core aspect of security – it affects different users in different ways, depending on applications, settings, policies, and user roles. The guiding principles may indeed be universal, but there is certainly no general one-size-fits-all solution.

DESCRIPTION:

Cybersecurity measures are often focused on threats from outside an organization, rather than threats posed by untrustworthy individuals inside an organization. However, insider threats are the source of many losses in many critical infrastructure industries. In addition, well-publicized intelligence community moles such as Aldrich Ames have caused enormous and irreparable harm to national interests. This TTA focuses on insider threats to our cyber systems, and presents a high-impact research program that could aggressively curtail some aspects of this problem. At a high level, opportunities exist to mitigate insider threats through aggressive profiling and monitoring of users of critical systems, “fishbowling” suspects, “chaffing” data and services by users who are not entitled to access, and finally “quarantining” confirmed malevolent actors to contain damage and leaks while collecting actionable counter-intelligence and legally acceptable evidence.

DESCRIPTION:

Survivability is the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. Part of the survivability attribute of systems and networks includes being secure and resilient to attack. This is meaningful, in practice, only with respect to well-defined mission requirements against which the survivability can be evaluated and measured.

DESCRIPTION:

This TTA researches, develops and applies modeling and analysis capabilities to predict the effects of cyber attacks on Federal Government and other critical infrastructures. Two main areas are identified: malware and botnets; and situational understanding and attack attribution.

DESCRIPTION:

The protection of cyber infrastructure depends on the ability to identify critical Internet resources, incorporating an understanding of geographic and topological mapping of Internet hosts and routers. A better understanding of connectivity richness among ISPs will help to identify critical infrastructure. Associated data analysis will allow better understanding of peering relationships, and will help identify infrastructure components in greatest need of protection. Improved router level maps (both logical and physical) will enhance Internet monitoring and modeling capabilities to identify threats and predict the cascading impacts of various damage scenarios.

DESCRIPTION:

Cyber security incident response (CSIR) teams, individuals, and communities have historically consisted of people and organizations that have been “in the right place at the right time.” Only recently has the community begun to specify the skills, abilities, structures, and support to create an effective and sustained incident response capability. While there is a good understanding of the technologies involved in CSIRTs, the operational community has not adequately studied the characteristics of individuals, teams, and communities that distinguish the great CSIR responders from the average technology contributor. In other areas where individual contributions are essential to success, e.g., first responders, commercial pilots, and military personnel, there have studies of the individual and group characteristics essential to success. To optimize the selection, training, and organization of CSIR personnel to support the essential cyber missions of DHS, a much greater understanding and appreciation of these characteristics must be achieved.

DESCRIPTION:

Today cyber crime pays. So does cyber-espionage. The state of cyber security today is, and in the future will be, significantly affected by economic conditions and factors. Cyber crime and espionage are making their own economic markets today, having gone well beyond the “script kiddie” and “hacker” personas to mature into big business on a global level. Gaining an understanding of the incentive structure is key to getting stakeholders to behave in a way that will improve overall security. Current cyber-related illegal activities are economically attractive for several reasons.

DESCRIPTION:

Individuals and organizations routinely work with, and make decisions based on, data that may have originated from many different sources and also may have been processed, transformed, interpreted, and aggregated by numerous entities between the original sources and the consumers. Without good knowledge about the sources and intermediate processors of the data, it can be difficult to assess the data’s trustworthiness and reliability, and hence its real value to the decision-making processes in which it is used.

DESCRIPTION:

Hardware can be the final sanctuary and foundation of trust in the computing environment, based on the technologies that can be developed in the area of hardware-enabled trust and security. With cyber threats steadily increasing in sophistication, hardware can provide a game-changing foundation upon which to build tomorrow’s cyber infrastructure. But today’s hardware still provides limited support for security and capabilities that do exist are often not fully utilized by software. The hardware of the future also must exhibit greater resilience to function effectively under attack.

DESCRIPTION:

In the current environment, our systems are built to operate in a relatively static configuration. For example, addresses, names, software stacks, networks, and various configuration parameters remain relatively static over relatively long periods of time. This static approach is a legacy of information technology system design for simplicity in a time when malicious exploitation of system vulnerabilities was not a concern.

DESCRIPTION:

Today, weeks and months may elapse before successful network penetrations are detected through laborious forensic analysis. Despite their potential to function with intelligence, today’s typical network components have very limited understanding of what passes through them, coupled with a correspondingly short memory. In the future, network components must have heightened ability to observe and record what is happening to and around them. With this new awareness of the system health and safety, these “self-aware systems” enjoy a range of options: these system may take preventative measures, rejecting requests which do not fit the profile of what is good, a priori, for the network; these systems can build immunological responses to the malicious agents which they sense in real time; these systems may refine the evidence they capture for the pathologist, as a diagnosis of last resort, or to support the development of new prevention methods. In the future, system owners should be able to monitor and control such dynamic cyber environments.

DESCRIPTION:

Technical Topic Area #1 on Software Assurance describes the need to address threats throughout the software development process and called for new methods, services, and capabilities in build, test, and analysis phases in order to improve the quality and reliability of software used in the nation’s critical infrastructures. Specifically, TTA#1 solicits ideas for research and development of new tools and methods for software analysis, and for applying new and existing capabilities in test and evaluation activities. This TTA (#14) focuses on the research infrastructure necessary to enable these software quality assurance and related activities.