Representatives of the National Science Foundation, the Department of Homeland Security, and the Office of the Director of National Intelligence came yesterday to the IEEE Symposium on Security and Privacy in Oakland, CA, to describe the federal government’s current wish list for cybersecurity research. The representatives described three main ways that the federal government is interested in spending its money on academic work.
First, they asked for “moving target” technologies. The idea here is that current systems favor attackers–the defender’s system remains the same and the attacker is able to hammer away at it until exploits are found. With moving targets, federal government agencies hope to shift this scenario to make it harder and more expensive for attackers to penetrate systems. The idea is that systems that are complex and easily changed by defenders make an attacker’s job more difficult. This runs against traditional security wisdom, which is that adding complexity opens up more room for vulnerabilities.
Second, the federal agencies asked for work on “tailored trustworthy spaces.” Here, they hope researchers can create islands within systems that meet particular security requirements and that are easy to put up and take down. The hope is that it would be possible to have a verifiably secure work environment that was fine-tuned to match the task the user is carrying out.
Finally, the representatives outlined the need for a better understanding of the economics of security. Currently, security is often an afterthought for software developers. When companies do invest in security, the results can be haphazard, scattershot, and hard to measure. The federal agencies are hoping to get a clearer picture of what types of investments would help defenders, and they are asking for solutions that might again shift the advantage away from attackers. Right now, it doesn’t cost an attacker much to go after a system, and cyber crime promises high rewards. The agencies hope to find ways to encourage improvements to overall security, and to discourage attackers.
Jeannette Wing, assistant director of the computer and information science and engineering directorate of the National Science Foundation, stressed that with all three of these agendas, the federal government is hoping to break away from the current security arms race and find new directions. Since the federal representatives spoke in front of some of the world’s top security researchers, it should be interesting to see how the concepts are received.