The Changes That Could Be Coming to Federal Cybersecurity R&D

Officials from the Department of Homeland Security (DHS) have defended the government’s Einstein cybersecurity system as well as the Obama administration’s request for $19 billion in cybersecurity funding for fiscal 2017, a 35 percent increase from last fiscal year’s $14 billion. But as cybersecurity research and development (R&D) for federal agencies is being plotted into the next decade, current and former government officials argue that the administration needs to rethink those R&D efforts.

Speaking last month at the Department of Homeland Security’s Cybersecurity R&D Showcase, Chris Inglis, former deputy director of the National Security Agency, and Gregory Shannon, assistant director for cybersecurity strategy at the White House’s Office of Science and Technology Policy, touched on how the administration should confront the future of cybersecurity R&D.

Balancing Security and Convenience

As FedScoop reported, the White House updated the Federal Cybersecurity Research and Development Strategic Plan in February, setting out cybersecurity R&D priorities for the coming decade. The report calls on agencies to, within the next one to three years, achieve the science and technology advances needed to "counter adversaries’ asymmetrical advantages with effective and efficient risk management," meaning the ability to identify, assess and respond to cybersecurity risks.

Over the next three to seven years, cybersecurity R&D should “reverse adversaries’ asymmetrical advantages, through sustainably secure systems development and operation.”

Over the next seven to 15 years, the report says, the federal government needs to develop better capabilities to deter malicious cyberthreats and create more precise ways of identifying attackers so that the consequences of an attack are higher for adversaries.

At the DHS event, Shannon argued that the plan needs to help the government resolve or move beyond the divide of opposing intentions that hamper cybersecurity today: enhance security of IT systems or make them easy to use.

“The fundamental challenge is this duality, this tension between how you make things secure and how you make them less onerous for users,” Shannon said, according to FedScoop. “How do we develop systems that are sustainably secure? There’s the notion of secure by design, but you have to implement it, you have to operate it and you have to upgrade it.”

Inglis agreed with that general concept and said that IT systems need to be both secure and useful, FedScoop notes. “If you thought the opposite of security is insecurity, then as a technologist or a system designer, you’d be scratching your head about why individuals who use those systems are everyday pursuing insecurity,” he said. “That’s not what they are pursuing. They are pursuing convenience.”

Additionally, Inglis argued that the government should shift away from cybersecurity systems that react to threats based on the type or signature of attacks to systems that anticipate malicious actions. “Signature-based security solves 80 percent of the problem, but we should be studying and understanding the remaining 20 percent of anomalies before they become an issue,” he said.  

A New Set of Cybersecurity Priorities

The White House report notes that while near-term cybersecurity R&D goals are focused on refining existing science, the goals for the medium term and long term “require both refinement and improvement of existing science, and fundamental research, which has the potential for identifying transformative new approaches to solve problems beyond the current research areas.”

To achieve that, the plan calls for the development of science and technology to deter malicious activities by increasing costs to adversaries, diminishing what they can get from an attack and “increasing risks and uncertainty for potential adversaries.” The federal government also needs to protect its IT systems, users and critical infrastructure by resisting attacks.

In addition, the report says R&D efforts should enhance the government’s “ability to efficiently detect, and even anticipate, adversary decisions and activities, given that perfect security is not possible and systems should be assumed to be vulnerable to malicious cyber activities.”

Finally, the report suggests that the government develop the “ability of defenders, defenses, and infrastructure to dynamically adapt to malicious cyber activities, by efficiently reacting to disruption, recovering from damage, maintaining operations while completing restoration, and adjusting to thwart similar future activity.”