Cybersecurity R&D agenda unveiled

I3P identifies areas that require significant R&D to help secure the nation's information infrastructure

The 2003 Cyber Security Research and Development Agenda

The Institute for Information Infrastructure Protection (I3P) has unveiled its 2003 Cyber Security Research and Development Agenda, which identifies critical areas that require significant research and development to help secure the nation's information infrastructure.

The agenda, announced Jan. 30, outlines eight crucial R&D gaps that are not being sufficiently addressed by ongoing government, private-sector or academic research.

The I3P, a consortium of 23 leading cybersecurity research institutions from academia, national labs and nonprofit organizations, is funded by the Commerce Department's National Institute of Standards and Technology.

"Our hope is that this agenda will become a useful guide for research communities and research funding managers," said Michael Vatis, chairman of I3P.

The agenda will help the White House's Office of Science and Technology Policy better coordinate R&D efforts across government agencies, said Sharon Hays, deputy associate director for technology at the office.

"We need to improve the ability to secure" the nation's infrastructure, she said. "We need technology to do that." And to implement the right technology, government needs a better understanding of what research is not being done. The agenda helps lay the groundwork to solve that problem, she said.

I3P received input, gathered over nine months in 2002, from more than 900 experts and security professionals from the private sector, academia and government, Vatis said.

Building on work by other private and public organizations focused on cybersecurity, I3P identified the following eight critical R&D areas:

* Enterprise security management: Research on managing enterprisewide policies, defining and maintaining a targeted risk posture, and addressing specific concerns such as the insider threat.

* Trust among distributed autonomous parties: Research on new trust models that involve interactions among organizations, systems, individuals and devices ranging from mobile phones to desktop computers.

* Discovery and analysis of security properties and vulnerabilities: Focuses on tools and techniques required to analyze codes, devices and systems in complex, large-scale environments.

* Secure system and network response and recovery: Focuses on providing holistic approaches to infrastructure recovery and reconstitution such as automated response. Research into prediction and pre-incident detection is also required.

* Traceback, identification and forensics: Research to determine attack sources and methods.

* Wireless security: Research to develop the basic science of wireless security and ensure security is an integral part of wireless networks.

* Metrics and models: Research on tools that express the cost, benefits and impacts of choices across economic, organizational, technical and risk considerations.

* Law, policy and economics: Focuses on developing a sophisticated understanding of the legal, economic, policy and technological forces that shape information infrastructure protection to better understand the potential impacts of policy.
