<p>A Roadmap for Cybersecurity Research </p><p>November 2009 </p><p><strong>Contents </strong></p><p>Executive Summary................................................................................................................................................iii Introduction..............................................................................................................................................................v Acknowledgements.................................................................................................................................................ix Current Hard Problems in INFOSEC Research <br>1. Scalable Trustworthy Systems ...................................................................................................................1 2. Enterprise-Level Metrics (ELMs)&nbsp;..........................................................................................................13 3. System Evaluation Life Cycle...................................................................................................................22 4. Combatting Insider Threats ....................................................................................................................29 5. Combatting Malware and Botnets ..........................................................................................................38 6. Global-Scale Identity Management ........................................................................................................50 7. Survivability of Time-Critical Systems ..................................................................................................57 8. Situational Understanding and Attack Attribution ..............................................................................65 9. Provenance .................................................................................................................................................76 10. Privacy-Aware Security&nbsp;..........................................................................................................................83 11. Usable Security ........................................................................................................................................90 <br>Appendices Appendix A. Interdependencies among Topics ..............................................................................................A1 Appendix B. Technology Transfer&nbsp;....................................................................................................................B1 Appendix C. List of Participants in the Roadmap Development .................................................................C1 <a href="#0_0">Appendix </a><a href="#0_0">D</a><a href="#0_0">. </a><a href="#0_0">A</a><a href="#0_0">cronyms ...................................................................................................................................... D1 </a></p><p><strong>i</strong></p><p><strong>Executive Summary </strong></p><p><strong>Executive Summary </strong></p><p>e United States is at a significant decision point. We must continue to defend our </p><p>current systems and networks and at the same time attempt to “get out in front” of our adversaries and ensure that future generations of technology will position us to </p><p>better protect our critical infrastructures and respond to attacks from our adversaries. </p><p>e term “system” is used broadly to encompass systems of systems and networks. </p><p>is cybersecurity research roadmap is an attempt to begin to define a national R&amp;D </p><p>agenda that is required to enable us to get ahead of our adversaries and produce the technologies that will protect our information systems and networks into the future. e research, development, test, evaluation, and other life cycle consider- </p><p>ations required are far reaching—from technologies that secure individuals and </p><p>their information to technologies that will ensure that our critical infrastructures are much more resilient. e R&amp;D investments recommended in this roadmap must tackle the vulnerabilities of today and envision those of the future. </p><p>e intent of this document is to provide detailed research and development </p><p>agendas for the future relating to 11 hard problem areas in cybersecurity, for use by agencies of the U.S. Government and other potential R&amp;D funding sources. e 11 hard problems are: </p><p>1. Scalable&nbsp;trustworthy systems (including system architectures and requisite development methodology) <br>2. Enterprise-level&nbsp;metrics (including measures of overall system trustworthiness) 3. System&nbsp;evaluation life cycle (including approaches for sufficient assurance) 4. Combatting&nbsp;insider threats 5. Combatting&nbsp;malware and botnets 6. Global-scale&nbsp;identity management 7. Survivability&nbsp;of time-critical systems 8. Situational&nbsp;understanding and attack attribution 9. Provenance&nbsp;(relating to information, systems, and hardware) 10.Privacy-aware security 11.Usable security </p><p>For each of these hard problems, the roadmap identifies critical needs, gaps in </p><p>research, and research agenda appropriate for near, medium, and long term </p><p>attention. DHS S&amp;T assembled a large team of subject matter experts who provided input into the development of this research roadmap. e content was developed over the course of 15 months that included three regional multi-day workshops, two </p><p>virtual workshops for each topic, and numerous editing activities by the participants. </p><p><strong>iii </strong></p><p><strong>Introduction </strong></p><p><strong>Introduction </strong></p><p>Information technology has become pervasive in every way—from our phones and </p><p>other small devices to our enterprise networks to the infrastructure that runs our </p><p>economy. Improvements to the security of this information technology are essential </p><p>for our future. As the critical infrastructures of the United States have become more </p><p>and more dependent on public and private networks, the potential for widespread </p><p>national impact resulting from disruption or failure of these networks has also </p><p>increased. Securing the nation’s critical infrastructures requires protecting not only their physical systems but, just as important, the cyber portions of the systems on which they rely. e most significant cyber threats to the nation are fundamentally different from those posed by the “script kiddies” or virus writers who traditionally have plagued users of the Internet. Today, the Internet has a significant role </p><p>in enabling the communications, monitoring, operations, and business systems </p><p>underlying many of the nation’s critical infrastructures. Cyberattacks are increas- </p><p>ing in frequency and impact. Adversaries seeking to disrupt the nation’s critical </p><p>infrastructures are driven by different motives and view cyberspace as a possible means to have much greater impact, such as causing harm to people or widespread </p><p>economic damage. Although to date no cyberattack has had a significant impact on </p><p>our nation’s critical infrastructures, previous attacks have demonstrated that exten- </p><p>sive vulnerabilities exist in information systems and networks, with the potential for </p><p>serious damage. e effects of a successful attack might include serious economic consequences through impacts on major economic and industrial sectors, threats to infrastructure elements such as electric power, and disruptions that impede the response and communication capabilities of first responders in crisis situations. </p><p>e United States is at a significant decision point. We must continue to defend our </p><p>current systems and networks and at the same time attempt to “get out in front” of our adversaries and ensure that future generations of technology will position </p><p>us to better protect our critical infrastructures and respond to attacks from our </p><p>adversaries. It is the opinion of those involved in creating this research roadmap that </p><p>government-funded research and development (R&amp;D) must play an increasing role </p><p>to enable us to accomplish this goal of national and economic security. e research </p><p>topics in this roadmap, however, are relevant not only to the federal government but also to the private sector and others who are interested in securing the future. </p><p>is cybersecurity research roadmap is an attempt to begin to define a national R&amp;D </p><p>agenda that is required to enable us to get ahead of our adversaries and produce the technologies that will protect our information systems and networks into the future. e research, development, test, evaluation, and other life cycle consider- </p><p>ations required are far reaching—from technologies that secure individuals and </p><p>their information to technologies that will ensure that our critical infrastructures are much more resilient. ese investments must tackle the vulnerabilities of today and envision those of the future. </p><p><strong>“e time is now near at hand...” — George Washington, July 2, 1776 </strong></p><p><strong>v</strong></p><p>Historical background </p><p>research programs. e original list has&nbsp;mixes of legacy systems), and the presproven useful in guiding INFOSEC&nbsp;ence of significant, asymmetric threats. </p><p>e INFOSEC Research Council (IRC)&nbsp;research, and policy makers and planners </p><p>is an informal organization of govern-&nbsp;may find the document useful in evalu-&nbsp;e area of cybersecurity and the associ- </p><p>ment program managers who sponsor&nbsp;ating the contributions of ongoing and&nbsp;ated research and development activities </p><p>information security research within the&nbsp;proposed INFOSEC research programs.&nbsp;have been written about frequently over </p><p>U.S. Government. Many organizations&nbsp;However, the significant evolution of&nbsp;the past decade. In addition to both </p><p>have representatives as regular members&nbsp;technology and threats between 1999&nbsp;the original IRC HPL in 1999 and the </p><p>of the IRC: Central Intelligence Agency,&nbsp;and 2005 required an update to the list.&nbsp;revision in 2005, the following reports Department of Defense (including the&nbsp;erefore, an updated version of the&nbsp;have discussed the need for investment </p><p>Air Force, Army, Defense Advanced&nbsp;HPL was published in November 2005.&nbsp;in this critical area: </p><p>Research Projects Agency, National&nbsp;is updated document included the </p><p>ƒ Toward a Safer and More Secure <br>Cyberspace <br>Reconnaissance Office, National Secu-&nbsp;following technical hard problems from </p><p>rity Agency, Navy, and Office of the&nbsp;the information security perspective: </p><p>ƒ Federal Plan for Cyber Security and Information Assurance Research and Development </p><p>Secretary of Defense), Department </p><p>of Energy, Department of Homeland </p><p>Security, Federal Aviation Administra- </p><p>tion, Intelligence Advanced Research </p><p>Projects Activity, National Aeronautics </p><p>1. Global-Scale&nbsp;Identity Management 2. Insider&nbsp;reat 3. Availability&nbsp;of Time-Critical <br>Systems </p><p>ƒ Cyber Security: A Crisis of <br>Prioritization </p><p>and Space Administration, National&nbsp;4. Building&nbsp;Scalable Secure Systems </p><p>ƒ Hardening the Internet <br>Institutes of Health, National Institute </p><p>of Standards and Technology, National Science Foundation, and the Technical </p><p>Support Working Group. In addition, </p><p>the IRC is regularly attended by partner </p><p>organizations from Canada and the </p><p>United Kingdom. </p><p>5. Situational&nbsp;Understanding and <br>Attack Attribution </p><p>6. Information&nbsp;Provenance 7. Security&nbsp;with Privacy </p><p>ƒ Information Security <br>Governance: A Call to Action </p><p>ƒ The National Strategy to Secure <br>Cyberspace </p><p>8. Enterprise-Level&nbsp;Security Metrics </p><p>ƒ Cyber Security Research and <br>Development Agenda </p><p>ese eight problems were selected </p><p>e IRC developed the original Hard&nbsp;as the hardest and most critical chal- </p><p>Problem List (HPL), which was com-&nbsp;lenges that must be addressed by the&nbsp;ese reports can be found at <a href="/goto?url=http://www.cyber.st.dhs.gov/documents.html" target="_blank">http:// </a></p><p>posed in 1997 and published in draft&nbsp;INFOSEC research community if trust-&nbsp;<a href="/goto?url=http://www.cyber.st.dhs.gov/documents.html" target="_blank">www.cyber.st.dhs.gov/documents.html </a></p><p>form in 1999. e HPL defines desir-&nbsp;worthy systems envisioned by the U.S. able research topics by identifying a set&nbsp;Government are to be built. INFOSEC of key problems from the U.S. Govern-&nbsp;problems may be characterized as “hard” </p><p>Current context </p><p>ment perspective and in the context of&nbsp;for several reasons. Some problems are&nbsp;On January 8, 2008, the President </p><p>IRC member missions. Solutions to&nbsp;hard because of the fundamental techni-&nbsp;issued National Security Presiden- </p><p>these problems would remove major&nbsp;cal challenges of building secure systems,&nbsp;tial Directive 54/Homeland Security </p><p>barriers to effective information secu-&nbsp;others because of the complexity of&nbsp;Presidential Directive 23, which for- </p><p>rity (INFOSEC). e Hard Problem&nbsp;information technology (IT) system&nbsp;malized the Comprehensive National </p><p>List was intended to help guide the&nbsp;applications. Contributing to these&nbsp;Cybersecurity Initiative (CNCI) and a </p><p>research program planning of the IRC&nbsp;problems are conflicting regulatory and&nbsp;series of continuous efforts designed to </p><p>member organizations. It was also hoped&nbsp;policy goals, poor understanding of&nbsp;establish a frontline defense (reducing </p><p>that nonmember organizations and&nbsp;operational needs and user interfaces,&nbsp;current vulnerabilities and preventing </p><p>industrial partners would consider these&nbsp;rapid changes in technology, large het-&nbsp;intrusions), defending against the full </p><p>problems in the development of their&nbsp;erogeneous environments (including&nbsp;spectrum of threats by using intelligence </p><p><strong>vi </strong></p><p>and strengthening supply chain security,&nbsp;influence in networking and IT systems,&nbsp;interagency coordination to ensure cov- </p><p>and shaping the future environment by&nbsp;components, and standards among U.S.&nbsp;erage of all the topics. </p><p>enhancing our research, development,&nbsp;competitors. Federal agencies with </p><p>and education, as well as investing in&nbsp;mission-critical needs for increased&nbsp;Each of the following topic areas is </p><p></p><ul style="display: flex;"><li style="flex:1">“leap-ahead” technologies. </li><li style="flex:1">cybersecurity, which includes informa-&nbsp;treated in detail in a subsequent section </li></ul><p></p><p>tion assurance as well as network and&nbsp;of its own, from Section 1 to Section 11. </p><p>e vision of the CNCI research com-&nbsp;system security, can play a direct role </p><p>munity over the next 10 years is to&nbsp;in determining research priorities and </p><p>“transform the cyber-infrastructure so&nbsp;assessing emerging technology proto- </p><p>that critical national interests are pro-&nbsp;types. Moreover, through technology </p><p>tected from catastrophic damage and&nbsp;transfer efforts, the federal government </p><p>our society can confidently adopt new&nbsp;can encourage rapid adoption of the </p><p>1. Scalable&nbsp;trustworthy systems <br>(including system architectures and requisite development methodology) </p><p>2. Enterprise-level&nbsp;metrics (including measures of overall system trustworthiness) </p><p>3. System&nbsp;evaluation life cycle (including approaches for sufficient assurance) </p><p></p><ul style="display: flex;"><li style="flex:1">technological advances.” </li><li style="flex:1">results of leap-ahead research. Technol- </li></ul><p></p><p>ogy breakthroughs that can curb or </p><p>Two components of the CNCI deal&nbsp;break the resource-draining cycle of </p><p>with cybersecurity research and develop-&nbsp;security patching will have a high likeli- </p><p>ment—one focused on the coordination&nbsp;hood of marketplace implementation. </p><p>of federal R&amp;D and the other on the </p><p>development of leap-ahead technologies.&nbsp;As stated previously, this Cybersecu- </p><p>rity Research Roadmap is an attempt </p><p>4. Combatting&nbsp;insider threats 5. Combatting&nbsp;malware and botnets 6. Global-scale&nbsp;identity management </p><p>No single federal agency “owns” the&nbsp;to begin to address a national R&amp;D </p><p>issue of cybersecurity. In fact, the&nbsp;agenda that is required to enable us to </p><p>federal government does not uniquely&nbsp;get ahead of our adversaries and produce </p><p>own cybersecurity. It is a national and&nbsp;the technologies that will protect our </p><p>global challenge with far-reaching con-&nbsp;information systems and networks into </p><p>sequences that requires a cooperative,&nbsp;the future. e topics contained in this </p><p>comprehensive effort across the public&nbsp;roadmap and the research and developand private sectors. However, as it has&nbsp;ment that would be accomplished if the </p><p>done historically, U.S. Government&nbsp;roadmap were implemented are, in fact, </p><p>R&amp;D in key technologies working in&nbsp;leap-ahead in nature and address many </p><p>7. Survivability&nbsp;of time-critical systems <br>8. Situational&nbsp;understanding and attack attribution <br>9. Provenance&nbsp;(relating to information, systems, and hardware) </p><p>10.Privacy-aware security 11.Usable security </p><p>close cooperation with private-sector&nbsp;of the topics that have been identified&nbsp;Eight of these topics (1, 2, 4, 6, 7, 8, </p><p>partners can jump-start the necessary&nbsp;in the CNCI activities </p><p>fundamental technical transformation. <br>9, 10) are adopted from the November 2005 IRC Hard Problem List [IRC05] </p><p>and are still of vital relevance. e </p><p>other three topics (3, 5, 11) represent </p><p>Document format </p><p>e leap-ahead strategy aligns with the </p><p>consensus of the nation’s networking&nbsp;e intent of this document is to&nbsp;additional areas considered to be of </p><p>and cybersecurity research communi-&nbsp;provide detailed research and develop-&nbsp;particular importance for the future. ties that the only long-term solution to&nbsp;ment agendas for the future relating to </p><p>the vulnerabilities of today’s network-&nbsp;11 hard problem areas in cybersecurity,&nbsp;e order in which the 11 topics are </p><p>ing and information technologies is to&nbsp;for use by agencies of the U.S. Govern-&nbsp;presented reflects some structural simiensure that future generations of these&nbsp;ment and anyone else that is funding&nbsp;larities among subgroups of the topics technologies are designed with secu-&nbsp;or doing R&amp;D. It is expected that each&nbsp;and exhibits clearly some of their major </p><p>rity built in from the ground up. e&nbsp;agency will find certain parts of the&nbsp;interdependencies. e order proceeds </p><p>leap-ahead strategy will help extend&nbsp;document resonant with its own needs&nbsp;roughly from overarching system con- </p><p>U.S. leadership at a time of growing&nbsp;and will proceed accordingly with some&nbsp;cepts to more detailed issues—except </p><p><strong>vii </strong></p><p>for the last topic—and has the following&nbsp;<strong>Background </strong></p><p>ƒ What R&amp;D is evolutionary and what is more basic, higher risk, game changing? structure: <br>ƒ What is the problem being </p><p>addressed? a. Topics&nbsp;1–3 frame the overarching </p><p>problems. <br>ƒ Resources <br>ƒ What are the potential threats? <br>ƒ Measures of success <br>ƒ Who are the potential </p><p>beneficiaries? What are their respective needs? b. Topics 4–5 relate to specific major threats and needs. <br>ƒ What needs to be in place for test and evaluation? c. Topics&nbsp;6–10 relate to some of the </p><p>“ilities” and to system concepts required for implementing the previous topics. <br>ƒ To what extent can we test real systems? <br>ƒ What is the current state of the practice? </p><p>ƒ What is the status of current </p><p>Following the 11 sections are three </p><p>appendices: research? </p><p>Topic 11, usable security, is different </p><p>from the others in its cross-cutting&nbsp;<strong>Future Directions </strong></p><p>Appendix A: Interdependencies among Topics </p><p>nature. If taken seriously enough, it </p><p>ƒ On what categories can we </p><p>can influence the success of almost all </p><p>the other topics. However, some sort </p><p>of transcendent usability requirements </p><p>need to be embedded pervasively in all the other topics. subdivide the topics? <br>Appendix B: Technology Transfer </p><p>ƒ What are the major research </p><ul style="display: flex;"><li style="flex:1">gaps? </li><li style="flex:1">Appendix C: List of Participants in the </li></ul><p>Roadmap Development <br>ƒ What are some exemplary </p><p>problems for R&amp;D on this topic? </p><p>Each of the 11 sections follows a </p><p>similar format. To get a full picture of the problem, where we are, and where </p><p>we need to go, we ask the following </p><p>questions: <br>ƒ What are the challenges that must be addressed? </p><p>ƒ What approaches might be desirable? </p><p>References </p><p></p><ul style="display: flex;"><li style="flex:1">[IRC2005] </li><li style="flex:1">INFOSEC Research Council Hard Problem List, November 2005 </li></ul><p></p><p><a href="/goto?url=http://www.cyber.st.dhs.gov/docs/IRC_Hard_Problem_List.pdf" target="_blank">http://ww</a><a href="/goto?url=http://www.cyber.st.dhs.gov/docs/IRC_Hard_Problem_List.pdf" target="_blank">w</a><a href="/goto?url=http://www.cyber.st.dhs.gov/docs/IRC_Hard_Problem_List.pdf" target="_blank">.cyber.st.dhs.gov/docs/IRC_Hard_Problem_List.pdf. </a></p><p>[USAF-SAB07] United States Air Force Scientific Advisory Board, Report on Implications of Cyber Warfare. Volume 1: <br>Executive Summary and Annotated Brief; Volume 2: Final Report, August 2007. For Official Use Only. </p><p>Additional background documents (including the two most recent National Research Council study reports on cybersecurity) </p><p>can be found online. (<a href="/goto?url=http://www.cyber.st.dhs.gov/documents.html" target="_blank">http://www.cyber.st.dhs.gov/documents.html</a>). </p><p><strong>viii </strong></p><p><strong>Acknowledgements </strong></p><p><strong>Acknowledgements </strong></p><p>e content of this research roadmap was developed over the course of 15 months </p><p>that included three workshops, two phone sessions for each topic, and numer- </p><p>ous editing activities by the participants. Appendix C lists all the participants. </p><p>e Cyber Security program of the Department of Homeland Security (DHS) </p><p>Science and Technology (S&amp;T) Directorate would like to express its appre- </p><p>ciation for the considerable amount of time they dedicated to this effort. </p><p>DHS S&amp;T would also like to acknowledge the support provided by the staff of SRI </p><p>International in Menlo Park, CA, and Washington, DC. SRI is under contract with </p><p>DHS S&amp;T to provide technical, management, and subject matter expert support for </p><p>the DHS S&amp;T Cyber Security program. ose involved in this effort include Gary </p><p>Bridges, Steve Dawson, Drew Dean, Jeremy Epstein, Pat Lincoln, Ulf Lindqvist, </p><p>Jenny McNeill, Peter Neumann, Robin Roy, Zach Tudor, and Alfonso Valdes. </p><p>Of particular note is the work of Jenny McNeill and Peter Neumann. Jenny </p><p>has been responsible for the organization of each of the workshops and phone </p><p>sessions and has worked with SRI staff members Klaus Krause, Roxanne Jones, </p>