NSTC Releases Cyber Security R&D Report

The National Science and Technology Council, the cabinet-level council that coordinates S&T policies across the Federal Government, released (pdf) its plan for federal investment in cyber security research and development today. The 121-page report (pdf), called Federal Plan for Cyber Security and Information Assurance Research and Development, “sets out a framework for multi-agency coordination of Federal R&D investments in technologies that can better secure the interconnected computing systems, networks, and information that together make up the U.S. information technology (IT) infrastructure.” Here’s more from their release (pdf):

“This country’s IT infrastructure — which includes not only the public Internet but also the networking and IT systems that control critical infrastructures ranging from power grids to emergency communications systems — is vital not only to our national and homeland security but to our economic security,” said John H. Marburger III, Science Adviser to the President and Director of the Office of Science and Technology Policy. “This report provides a blueprint for coordination of Federal R&D across agencies that will maximize the impact of investments in this key area of the national interest.”
The Federal Plan for Cyber Security and Information Assurance outlines strategic objectives for coordinated Federal R&D in cyber security and information assurance (CSIA). The Plan presents a broad range of CSIA R&D technical topics and identifies those topics that are multi-agency technical and funding priorities. The Plan’s findings and recommendations address R&D priority-setting, coordination, fundamental R&D, emerging technologies, roadmapping, and metrics. Together with commentaries about the CSIA R&D technical topics that describe their significance, the current state of the art, and gaps in current capabilities, these elements provide a baseline for implementing the Plan’s recommendations.

The plan builds in part on the work of the now-extinct President’s Information Technology Advisory Committee, which produced a similar report on the issue — Cyber Security: A Crisis of Prioritization (pdf) — last year that we liked very much.
I’ve only just seen the report, so I can’t give any detailed analysis, but here are the report’s ten findings and recommendations from the executive summary:

Findings and Recommendations

Strategic interagency R&D is needed to strengthen the cyber security and information assurance of the Nation’s IT infrastructure. Planning and conducting such R&D will require concerted Federal activities on several fronts as well as collaboration with the private sector. The specifics of the strategy proposed in this Plan are articulated in a set of findings and recommendations. Presented in greater detail in the report, these findings and recommendations are summarized as follows:
1. Target Federal R&D investments to strategic cyber security and information assurance needs — Federal cyber security and information assurance R&D managers should reassess the Nation’s strategic and longer-term cyber security and information assurance needs to ensure that Federal R&D addresses those needs and avoids areas in which the private sector is productively engaged.
2. Focus on threats with the greatest potential impact — Federal agencies should focus cyber security and information assurance R&D investments on high-impact threats as well as on investigation of innovative approaches to increasing the overall security and information assurance of IT systems.
3. Make cyber security and information assurance R&D both an individual agency and an interagency budget priority — Agencies should consider cyber security and information assurance R&D policy guidance as they address their mission-related R&D requirements. To achieve the greatest possible benefit from investments throughout the Federal government, cyber security and information assurance R&D should have high priority for individual agencies as well as for coordinated interagency efforts.
4. Support sustained interagency coordination and collaboration on cyber security and information assurance R&D — Sustained coordination and collaboration among agencies will be required to accomplish the goals identified in this Plan. The CSIA IWG should continue to be the primary vehicle for this R&D coordination and collaboration.
5. Build security in from the beginning — The Federal cyber security and information assurance R&D portfolio should support fundamental R&D exploring inherently more secure next-generation technologies that will replace today’s patching of the current insecure infrastructure.
6. Assess security implications of emerging information technologies — The Federal government should assess the security implications and the potential impact of R&D results in new information technologies as they emerge in such fields as optical computing, quantum computing, and pervasively embedded computing.
7. Develop a roadmap for Federal cyber security and information assurance R&D — Agencies should use this Plan’s technical priorities and investment analyses to work with the private sector to develop a roadmap of cyber security and information assurance R&D priorities. This effort should emphasize coordinated agency activities that address technical and investment gaps and should accelerate development of strategic capabilities.
8. Develop and apply new metrics to assess cyber security and information assurance — As part of roadmapping, Federal agencies should develop and implement a multiagency plan to support the R&D for a new generation of methods and technologies for cost-effectively measuring IT component, network, and system security.
9. Institute more effective coordination with the private sector — The Federal government should review private-sector cyber security and information assurance practices and countermeasures to help identify capability gaps in existing technologies, and should engage the private sector in efforts to better understand private-sector views on cyber security and information assurance R&D priorities. Federal agencies supporting cyber security and information assurance R&D should improve communication and coordination with operators of both Federal and private-sector critical infrastructures with shared interests. Information exchange and outreach activities that accelerate technology transition should be integral parts of Federal cyber security and information assurance R&D activities.
10. Strengthen R&D partnerships, including those with international partners — The Federal government should foster a broad partnership of government, the IT industry, researchers, and private-sector users to develop, test, and deploy a more secure next-generation Internet. The Federal government should initiate this partnership by holding a national workshop to solicit views and guidance on cyber security and information assurance R&D needs from stakeholders outside of the Federal research community. In addition, impediments to collaborative international R&D should be identified and addressed in order to facilitate joint activities that support the common interests of the United States and international partners.

Seems hard to quibble with much of that. As the NCO press release indicates, they’re accepting comments on the report to aid in the “planning of next steps.” Those comments are due by April 28th, so get cracking.
We’ll have more as CRA prepares its comments on the plan (we’ve had strong opinions on the issue in the past).
