The Obama Administration is encouraging the IT research and development community to take a hard look at how to improve cybersecurity at all levels.
“We want the R&D community to deliver technology that makes security less onerous, more effective, with fewer ways to break in, [so that] adversaries have to use more resources,” said Greg Shannon, Assistant Director for Cybersecurity Strategy in the White House Office of Science & Technology Policy, at MeriTalk’s Cybersecurity Brainstorm.
Shannon said the President’s federal strategic plan for cybersecurity R&D, released in February, was intended not only as a way to challenge the R&D community to address specific security needs, but also to let the government know what the community needs to help meet those needs. Just four days after issuing the strategic plan, the Administration followed up with a Cybersecurity National Action Plan (CNAP), which, among other things, created the nonpartisan Commission on Enhancing National Cybersecurity.
Congress wanted some goals set for this cybersecurity R&D effort, Shannon said.
“Between the appointment of the first federal CISO, the NIST cyber framework for effective and efficient risk management, there’s a real momentum in addressing the cyber threats that face our government, businesses, and citizens,” said Mav Turner, Senior Director, Product Strategy at SolarWinds. “By prioritizing the implementation of sustainably secure systems development and operations, agency cyber officials have more time to plan for long-term goals of defense and deterrence.”
“Today smart people, anywhere, they can look at code … and figure out how to penetrate the system,” Shannon said. But the Defense Advanced Research Projects Agency’s Cyber Grand Challenge this past August shows where network defense is heading.
“The future is where machines will be making decisions on how to break into a system [and] how much effort it is for an adversary to break in,” he said. “You have to look at the whole ecosystem – networks, data, people, how they use the system, the use of social media to influence the ecosystem. It’s not just about malware.”
Shannon offered five recommendations for R&D in the cybersecurity arena:
- Prioritize basic and long-term research
- Broaden public-private participation in R&D
- Accelerate evidence-validated R&D transition
- Expand the diversity of research expertise
- Expand diversity in the workforce