“we should be able to do a much better job at modeling Internet attacks”

March 25th, 2008 by kc

one of my favorite program managers is posed the following question by senior management at his defense-related funding agency: “we should be able to do a much better job modeling internet attacks. what research can we fund that would enable us to do a better job at modeling internet attacks?”

because i happened to be reading a recent paper by Aaron Burstein of UC Berkeley, “Toward a Culture of Cybersecurity Research”, i was familiar with this quote:

(5) Accordingly, Federal investment in computer and network security research and development must be significantly increased to –

  (A) improve vulnerability assessment and technological and systems solutions;
  (B) expand and improve the pool of information security professionals, including researchers, in the United States workforce; and
  (C) better coordinate information sharing and collaboration among industry, government, and academic research projects.


which almost hits on the two biggest problems with cybersecurity research today: the research community is not allowed to study the network, and they are not allowed to study the software that runs on the majority of the components (hosts and routers) on the network. networks are generally not allowed to share data with each other; these are all considered proprietary systems on which independent research (by those who do not work for the corporation) is illegal.

it would be nice to be able to turn the cybersecurity research agenda into a technology agenda so we can throw technology R&D money at the problem. so i am sympathetic to the question: “what R&D can we fund?”

but ten years of little measurable progress in this area has made it clear that to the extent that we can fund technology to help, it will be technology that improves our ability to do (A), (B), and (C) above. to do “(A) vulnerability assessment”, we need to analyze the software running on the systems that compose the network: that’s a problem with software ownership, i.e., current law (copyright, trade secrets, EULAs). to do “(C) coordinated information sharing”, we need it to be legal as well as incentive-compatible for networked organizations to share data with each other. that’s also a policy rather than technology problem. “(B) expand the security and research workforce” is more obviously a policy problem, but spending tax dollars to incent scholarship will be wasted if the funded researchers are not able to study the real system.

the government can certainly fund technical activities to facilitate useful data sharing: technology needed to collect, analyze, catalog, and correlate datasets to delineate baseline from anomalous internet traffic and routing patterns; tools that empower users to measure their own networks and automatically contribute data to aggregated, anonymized repositories with legal protection; reputation management systems to support scalable information sharing across vast administrative boundaries. but these are all going to be impotent weapons against the growing illicit activity on the network if we don’t give ourselves the advantage the criminal actors have had from the beginning: data sharing (in their case, also selling to each other). so there is reason to believe that we are learning more slowly than they are.


One Response to ““we should be able to do a much better job at modeling Internet attacks””

  1. sandrar Says:

    Hi! I was surfing and found your blog post… nice! I love your blog. 🙂 Cheers! Sandra. R.