Research Paper Undergraduate 2,942 words Human Written

Looking at the Federal Plan for Cyber Security and Information Assurance Research and Development


Federal Plans, NICE, Plan Development and Research, Challenge, Future Plan

This paper discusses what is referred to as the Federal Plan for Cyber Security and Information Assurance Research and Development (CSIA R&D). Details of the federal government's plan will be discussed, as well as what is expected and what can be done about cyber security in the long term.

In this federal plan, the terms 'information assurance' and 'cyber security' refer to measures put in place to protect computer information, systems and networks from unauthorized access, disruption, modification, use or destruction. The purpose of information assurance and cyber security is to ensure integrity, that is, protection against unauthorized destruction or modification of information, networks and systems (Community List. Federal Plan for Cyber Security and Information Assurance Research and Development, 2006), and confidentiality, that is, protection against illegal access to networks and disclosure of the information held therein.

Information assurance is likewise concerned with guaranteeing reliable and timely access to networks, systems and/or information.

The federal plan is made up of several sections including: Strategic Federal objectives; Analysis of the latest calls for Federal R & D; Types of threats, vulnerabilities, and risks; Technical issues in information assurance and cyber security R & D; Current investment and technical priorities of Federal agencies dealing with the issues of Cyber Security and information assurance; Technical and funding gaps analysis results; Findings and recommendations; Perspectives on R and D technical topics such as the main technical challenges; and the roles and responsibilities of cyber security and information assurance related agencies.

The federal plan basically recommends that all levels of government give cyber security a high priority and ensure the integrity of the design, implementation and utilization of all the components of the information technology (IT) infrastructure.

Background

In less than twenty years, developments and innovations in ICT (information and communication technologies) have revolutionized educational, commercial, scientific and government infrastructures. Powerful high-speed processors, high-bandwidth networks, wireless networks and the widespread utilization of internet services have transformed previously individual and largely closed networks into a virtual world of seamless interconnectivity.

There has also been an increase in the kinds of devices that can connect to this vast IT infrastructure. Growing ease of access via 'always-on' connections means that individual users and organizations are becoming more and more interconnected across different physical networks, organizations and countries (Federal Plan for Cyber Security and Information Assurance Research and Development, 2006). As more and more individuals and organizations have become interconnected, the quantity of electronic information shared via what is colloquially referred to as "cyberspace" has increased dramatically.

The information exchanged has also expanded beyond traditional traffic to include process control signals, multimedia data and other critical forms of data. New services and applications that utilize the capabilities of IT infrastructure are always emerging. The risks linked to present and anticipated threats to, vulnerabilities of, and attacks against the information technology infrastructure provide the basis for the plan.

Rapidly changing trends in both the threats and technologies make it possible that security issues related to IT will only increase in the next few years. The following are the main areas of concern (Federal Plan for Cyber Security and Information Assurance Research and Development, 2006):

The increasing sophistication of IT networks and systems, which will result in more security challenges for both the developers of these systems and their consumers.

The constantly evolving nature of communications infrastructure, as traditional phone networks and information technology networks merge to form a more unified network.

The growing access to wireless connectivity for personal computers and networks, which increases the exposure of such systems to attack. In all-wireless networks the conventional protective approach of "securing the perimeter" cannot be used, because it is becoming increasingly difficult to establish the logical and physical boundaries of such networks.

The increasing accessibility and interconnectivity of (and, as a result, risk to) computer systems and networks that are vital to the United States economy, including financial sector networks, supply chain management and utilities and control systems in the manufacturing sectors.

The existing proliferation and increasingly global nature of communications infrastructure, which will result in more opportunities for subversion by both domestic and foreign adversaries.

There are many different types of cyber attacks and an equally diverse array of corresponding incentives, including activist causes, information misuse or theft, financial fraud, attempts to disrupt computer systems and attempts to interrupt important government IT infrastructure and the services that depend on it. The perpetrators of cyber attacks can be individuals such as activists, insiders and suppliers, or large-scale efforts perpetrated by foreign governments or criminal networks.

The most frequent modes of attack include the use of malicious software such as spyware, viruses, worms and trojans; phishing of passwords; and attacks intended to deny services or to crash websites. Each type of attack poses different and unique challenges that necessitate the utilization of a targeted group of prevention activities. Some of these activities might not be technology related (Cybersecurity and the Audit Committee - Deloitte Risk & Compliance -- WSJ).

Social engineering and phishing activities, for example, usually depend on staff revealing passwords or other sensitive data when requested by the perpetrators under false pretenses. Therefore, efforts to raise awareness of the way such illegal activities are carried out and the reasons behind them are of critical importance in preventing losses.

NICE Systems

Using NICE, the U.S. federal government plans to improve the country's cyber security by accelerating the availability of training and educational resources and material to significantly improve the cyber skills, knowledge and behavior of every sector of the population, to create a safer and more secure cyber space for all. The NICE initiative has three objectives (Newhouse, 2012):

1. To raise national awareness with regard to cyber space
2. To widen the pool of persons who are prepared and ready to join the cyber security workforce, and
3. To develop an internationally competitive cyber security work force

In 2011, the White House announced the "Trust-worthy cyberspace: Strategic plan for the federal cyber security research and development program", which included a part on developing scientific foundations. This part challenges the R & D (research and development) community to organize and compile knowledge in the area of cyber security and to research universal beliefs and concepts that are predictive and cut across specific systems, defenses and attacks, resulting in a comprehensive understanding of the principles underlying cyber security (Newhouse, 2012).

The federal government program will also enable analyses that impact large-scale systems and the formulation of hypotheses that will then be subject to empirical validation; the program will support high-risk experimentation that is necessary to establish a scientific basis and to come up with PPPs (public-private partnerships) of federal government agencies, academic communities and industry.

Plan Summary

In this federal plan, the terms information assurance and cyber security refer to measures put in place to protect computer information, systems and networks from unauthorized access, disruption, modification, use or destruction.

The purpose of information assurance and cyber security is to ensure the following (Community List. Federal Plan for Cyber Security and Information Assurance Research and Development):

Integrity: protection against illegal and unauthorized alteration or destruction of information, systems and networks, and information authentication.

Confidentiality: protection of information against illegal and unauthorized access or disclosure.

Availability: the assurance that information, systems and networks can be accessed and utilized in a timely and reliable manner by authorized personnel.

Other areas: these entail policymaking (e.g. Internet governance, intellectual property rights, funding, regulation and legislation), ICT workforce training and education, operational cyber security approaches and best industry practices (Community List. Federal Plan for Cyber Security and Information Assurance Research and Development). However, most of these areas are outside the scope of the federal plan, since it addresses only the role of Federal research and development regarding cyber security.

Similarly, the plan is not a budget plan, nor does it set out present or proposed agency spending levels or limits for information assurance and cyber security research and development. Federal agencies have to determine their own individual budget priorities based on their mission requirements and needs. The federal plan basically recommends that all levels of government give cyber security a high priority and ensure the integrity of the design, implementation and utilization of all the components of the information technology (IT) infrastructure.

The work of identifying and prioritizing cyber security and information assurance research and development efforts begun in this document should be a continuous process. Continuation of inter-agency collaboration is necessary to concentrate Federal research and development efforts on the greatest risks and threats to vital IT infrastructures and the missions of those federal agencies and to make the most of the steps made by these efforts (Community List. Federal Plan for Cyber Security and Information Assurance Research and Development).

Specifically, the plan highlights the need for a collaborative federal R&D effort to clear or provide solutions to the challenging technical issues that are impediments to fundamental developments in next-generation information assurance and cyber security technologies; such research and development is usually multidisciplinary, high-risk and long-term.

Plan Development and Research

One might believe that R&D on issues related to security is not often within the everyday responsibilities of security experts and auditors, and in many cases this is true.

Such research is carried out by government agencies, academics and vendors (Axelrod, 2006). However, such a scenario doesn't often result in outcomes such as innovative services or new information/products that are needed most by organizations, or the best guidance in terms of relative priorities.

It is probable that there is a link between what is needed and what is developed, since the goal of vendors is to come up with products and services that sell more, that of academia is to come up with publishable findings and that of the government is to produce proposals that budget money can be assigned to. However, there is no guarantee that such a link will always hold.

There are certainly billions of dollars spent on research projects that turn out to be unremarkable and inconsequential from the viewpoint of risk and security experts. In doing their day-to-day work, security and risk professionals may not see the significance of fighting for more productive research and development; nonetheless, they and other practitioners in the field must offer their input into the research and development project priority selection process. This has already started happening in the finance sector (Axelrod, 2006).

To be more specific, the FSSCC (Financial Services Sector Coordinating Council) has formed a financial sector research and development committee made up of members from government, financial firms and industry associations. The committee is mandated with guiding the sector's R&D agenda with regards to the cyber security of large financial services companies.

In one of the latest studies on the matter, the number of successful cyber attacks on firms per week had risen by more than 100% and the financial impact of such attacks had also risen by almost 40%, according to research done by the Ponemon Institute. Such attacks impact organizations' market positioning adversely, particularly if access to service is denied or security of information is compromised (Cybersecurity and the Audit Committee - Deloitte Risk & Compliance -- WSJ).

In a 2013 letter written by Securities Exchange Commission (SEC) Chairman Mary White to Senator Jay Rockefeller, she said that the commission's staff were reviewing public companies with the disclosure guidance policy regarding cyber security so as to determine how effective it was and whether any remedial action was required. This suggests that there was a possibility that some public organizations might have been attacked and might not have disclosed such information to the public.

Plan Process

The plan process is outlined below (Szykman and Lee, 2006):

1. Identify key and strategic federal research and development objectives with regard to cyber security and information assurance R&D
2. Identify a wide set of areas within cyber security and information assurance R&D
3. Identify collaborative inter-agency technical R&D priorities among the areas
4. Identify investment priorities (inter-agency) among the areas
5. Define the scope and identify capability gaps for research and development areas
6. Research and document findings and recommendations

Challenge

Even though platforms, networks, systems, and software have grown in complexity over the last few decades, modern practices in cyber security and policy are still heuristic and reactive. There is a lack of a sufficient framework to verify the effectiveness of the security policies pursued. There are also not enough methods to analyze and extract information from situational data.

Existing approaches for protecting and managing digital information fundamentally ignore its digital nature, thereby viewing the problem as one of physical access, instead of using that digital nature to come up with self-protection mechanisms (A Scientific Research and Development Approach to Cyber Security). Operating systems and platform architectures rely on principles that were developed for individual un-networked mainframes over 3 decades ago.

For over 20 years our network security architecture has not changed, firmware and hardware are implicitly trusted regardless of the source, and we continue to insert gaps and erect walls to protect data, with decreasing success.

Recommendations of Plan

The United States federal government should review private sector information assurance and cyber security practices to help find the capability gaps in current technologies.

The government should also engage the private sector so that both parties can better understand the other's perspective on CSIA R&D needs, priorities and investments (Nat'l Sci. and Tech. Council-Federal Plan for Cyber Security and Information Assurance Research and Development). The U.S. federal government should also cultivate a broad partnership between itself and private sector users, researchers, and the ICT industry to develop, test and spread the use of a more secure advanced Internet.

This can be done through the government holding a national workshop to get views and assistance on CSIA research and development requirements from stakeholders who are outside the government (Nat'l Sci. and Tech. Council, 2006). Federal agencies should utilize this Plan's investment analyses and technical priorities to collaborate with the private sector.

Cite This Paper
"Looking At The Federal Plan For Cyber Security And Information Assurance Research And Development" (2015, September 23) Retrieved April 21, 2026, from
https://www.paperdue.com/essay/looking-at-the-federal-plan-for-cyber-security-2154718
