This paper examines emerging cybersecurity technologies designed to protect critical infrastructure and organizational data from increasingly sophisticated cyber attacks. It identifies key technologies including Bug Bounty Programs (BBP) and cloud computing security systems, presents real-world implementations by companies like Microsoft, Google, and Mozilla, and analyzes government initiatives such as federal cybersecurity laws, the NIST Cybersecurity Framework, and educational campaigns. The paper concludes that while government efforts have raised awareness and established protective policies, cyber attacks continue to outpace defensive measures, necessitating closer collaboration between government and private sector.
The development of the internet and cyberspace represents one of the most revolutionary technological advancements of humanity. Few countries and sectors remain unaffected by the latest advances in internet technologies. Although recent technological developments have influenced many areas, they represent one of the most serious security threats to modern society. As organizations and developed nations move their critical infrastructures online, cyber criminal activities are also growing, with adversaries attempting to steal sensitive data worth billions of dollars. These adversaries include state-sponsored spies and organized criminals targeting identities, financial information, and intellectual property. Cyber threats present fundamental asymmetrical risks, and the ever-increasing waves of cyber attacks represent serious and mounting security risks to business organizations, public agencies, and individuals.
Defending against these waves of cyber attacks requires emerging cyber security technologies. Cyber security is the process of applying and providing security measures to enhance data integrity, confidentiality, and availability. A cyber-security strategy aims to assure protection of assets such as desktops, data, servers, buildings, and humans. The goal of cyber-security is to protect assets in transit and at rest. Goodyear, Goerdel, Portillo, and colleagues (2010) define cyber-security as an information technology measure to achieve a desired level of protection using the CIA acronym to enhance Confidentiality, Integrity, and Availability of organizational data.
The option for emerging cyber-security is essential because traditional cyber-security systems cannot control the frequency and sophistication of cyber attacks, which have become prevalent in the current IT environment. The benefits that organizations can derive from emerging cyber-security for data confidentiality, integrity, and availability are prompting an increasing number of organizations to consider emerging technologies to enhance security of their information assets. However, emerging technologies are just recently being developed, and their efficacy in thwarting sophisticated cyber attacks has not yet been conclusively proven. Some of these technologies are in their early stages—some as young as twelve months old.
The objective of this paper is to explore emerging cyber security technologies. The paper is organized as follows: First, it identifies and discusses emerging cyber securities and reveals recent research and development efforts to improve them, providing different definitions and main features. Second, it provides real-world examples of identified emerging cyber securities. Third, it explores government efforts in nurturing and supporting cyber securities. Finally, it discusses several benefits and drawbacks of government efforts for the improvement of emerging cyber securities.
Kuehn and Mueller (2014) identify the BBP (Bug Bounty Program) as one of the new emerging cyber-security programs used to identify and address bug vulnerabilities in computer systems. A software vulnerability is a computer code flaw, known as a security bug, that can compromise computer security. Typically, vulnerabilities occur due to unintended design or mathematical errors. A bug can persist for a long time within an organizational computer system before being discovered. Such vulnerabilities allow unauthorized individuals to intrude into, manipulate, and steal data from organizational information systems. Software code that allows this type of vulnerability is called an exploit. In essence, vulnerability enables the software exploit to circumvent organizational security systems. Software engineering experts have presented various novel approaches to design and test software to enhance software security.
Kuehn and Mueller (2014) further point out that many organizations have developed a new generation of cyber security program called BBP (Bug Bounty Program). This program represents an emerging cyber-security realm that has translated to emerging practices and norms in the cyber-security paradigm. The new security paradigms have implications for the security and reliability of the internet. The BBP is a bug challenge reward or VRP (vulnerability rewards program) aimed at rewarding penetrators, testers, independent security researchers, and white hat hackers in order to share knowledge about BBP operation (Bilge and Dumitras, 2012). However, enhancing cyber-security through monetary rewards from the BBP program is a new security development. Many software security vendors have incorporated the BBP program into their business objectives to enhance security platforms within IT environments. However, the efficacy of the BBP security platform is still under consideration. In recent years, many online companies have experimented with BBPs to enhance their security systems.
Another emerging cyber-security technology involves security systems to protect cloud computing. Sharma (2012) identifies cloud computing as one of the emerging technologies that many organizations are currently using to achieve business objectives. An increasing number of organizations are using cloud computing because of its cost effectiveness. In other words, organizations are moving to the cloud to enjoy significant cost savings, flexibility, and new collaborative models. Despite the benefits delivered by cloud computing, its security systems are different from other technologies. Big Data also presents different security challenges to organizations. Big Data is more than bits and bytes, the features of ordinary data. Typically, Big Data is a new technology that requires a new security system.
Takahashi, Kadobayashi, and Fujiwara (2010) also identify cloud computing technology as a new emerging IT (Information Technology). The authors define cloud computing as a model used to achieve shared configuration of computing resources such as servers, networks, storage, and applications. Typically, the benefit of cloud computing is its massive scalability because it provides a superior and efficient user experience. For example, cloud computing services such as Google Apps and Amazon Web Services are accessible through a web service or web browser API (application programming interface). Many organizations prefer using cloud computing services because of cost savings. Recently, the market size of cloud computing is growing rapidly. In 2009, organizations spent approximately $17 billion on cloud services. However, the market increased to $44 billion in 2013, showing that cloud computing will outpace traditional IT spending in the next few years.
However, preserving security for cloud computing requires emerging cyber-security technologies since cloud computing departs from traditional computing systems. Different emerging cyber securities have been developed to enhance the security systems of cloud computing. A Warning Database is an emerging security system for cloud computing that consists of a database containing information on cyber-security warnings. Organizations can use this warning information in the database to implement countermeasures against cybersecurity risks.
In cloud computing technology, a warning database is used to alert users about security risks. A CKB (Countermeasure Knowledge Base) is another emerging security system for cloud computing that accumulates information related to assessment rules, checklists, and scoring methodologies to evaluate security levels of cloud computing. For example, the CKB provides information about best practice rules for cloud computing. The CKB also provides Protection and Detection Knowledge Bases used to accumulate knowledge for protecting and detecting security threats within the cloud-computing environment. For example, the Countermeasure Knowledge Database provides rules and criteria for the implementation of IDS (intrusion detection system) and IPS (intrusion prevention system) signatures. Typically, the rules that should be followed for signature implementation are accumulated in the database. Despite the effectiveness of Countermeasure Knowledge Base for cloud computing security measures, the security platform is still in an initial stage of development. Its applicability remains limited within the cloud-computing environment.
Rabai, Jouini, Aissa, and colleagues (2013) also point out that cloud computing is an emerging computing paradigm, and many organizations use it because of its flexibility, economy of scale, and convenience. Despite the benefits associated with cloud computing, the new technology is inherent with security risks. For example, cloud computing technology is exposed to threats such as virtual machine modification, flooding attacks, denial of service (DoS) attacks, data leakage or loss, traffic hijacking, account hijacking, service hijacking, and monitoring of users' virtual machines from other virtual machines.
Rabai and colleagues (2013) identify "OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)" as a risk-based planning technique for cloud security systems. The OCTAVE plan is based on the identification of major security threats and development of security strategies to thwart those risks.
In the United States and other parts of the world, some organizations have started experimenting with emerging cyber security technologies to enhance organizational security systems. In the case of the BBP (Bug Bounty Program), Microsoft has launched one of the emerging cyber security projects. Microsoft launched a Bounty Program in 2013 offering rewards for novel exploitation techniques, viewing the development of BBPs as a decisive shift in cyber-security technological development. The essence of the Microsoft BBP program is to target the black market dealing with security vulnerabilities. In 2013, Microsoft launched the Internet Explorer II BBP reward reaching up to $10,000 to identify critical software flaws. Microsoft also launched a Mitigation Bypass Bounty of up to $100,000 to enhance advanced protection of technology. The BlueHat Bonus was also launched to provide novel exploitation techniques for defensive approaches against vulnerabilities.
Mozilla has also introduced the Security Bug Bounty Program in order to encourage safe internet practices. Typically, Mozilla pays up to $3,000 for identifying high severity and critical bugs in Thunderbird and Firefox. According to Mozilla (2015), "Security bug is present in the most recent main development or released versions of Firefox, Thunderbird, Firefox for Android, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation."
Google also pays up to $20,000 to discover vulnerabilities in YouTube.com and Google.com. Moreover, several companies have introduced between $500 and $10,000 as monetary rewards to manage various BBP internet services and software applications.
Facebook has also launched a bug bounty program using the White Hat initiatives to draw both external and internal security experts for the programs. In 2013, Facebook extended the bug security infrastructure in its corporate network. According to Kuehn and Mueller (2014), "the program is subject to continuous growth in terms of participating security researchers, scope, and numbers of submissions. This leads to continuous refinement of the program: Facebook reported that the number of high-severity issues was falling, increasing the efforts needed to discover 'good bugs'. It announced increases in the bounty amounts in areas of particular security interest."
Klaper and Hovy (2014) argue that cyber security is very critical for both government and private organizations. If government's sensitive data is exposed, the issue can damage public support for open government initiatives. One of the government efforts to enhance security for the infrastructures of government and private organizations is by creating cyber security laws and policies to protect organizations and citizens against cyber crimes. In essence, policies and laws are the political strategies of governments to enhance cyber-security. However, laws and policies to enhance cyber security remain underdeveloped because the advent of the internet has made national boundaries disappear. It is now possible for cyber criminals to penetrate organizational network systems remotely from another country, making application of these laws and policies more complicated. The United States is one of the few countries that have comprehensive cyber laws and policies. For example, the Obama administration implemented a presidential policy directive that provides a detailed strategy to secure critical infrastructures. Moreover, the United States has promulgated American cyber-security laws to enhance security of cyber infrastructures.
Education and awareness are other strategies that the government employs to enhance cyber security. For example, the U.S. government has launched a CNCI (Comprehensive National Cyber security Initiative) aimed at improving cyber security at all levels. Typically, the Department of Homeland Security has launched "National Cyber security Communications Integration" focusing on educating users about website safety.
The U.S. Government Accountability Office (2013) also presents research showing that the sophistication and advancement of cyber attacks have become a major concern to the government and business communities. Attackers have taken advantage of flaws within software code to commit cyber crimes. Some attackers also use social engineering tools to trick unsuspected users into divulging sensitive information. Some attacks are becoming more automated using botnets to compromise computers remotely. According to the U.S. Government Accountability Office (2013), "Bots (short for robots) have become a key automation tool to speed the infection of vulnerable systems."
The U.S. government has implemented several laws to improve the country's cybersecurity. For example, the government has promulgated the "Federal Information Security Management Act of 2002 (FISMA) [which] present[s] a framework for agencies to use in improving their capabilities to protect federal systems and information against cyberattack" (U.S. Government Accountability Office, 2013, p. 14). The OMB (Office of Management & Budget) is also empowered to oversee and develop the principles, policies, guidelines, and standards for the implementation of information security. In other words, the OMB is responsible for issuing guidance to federal government agencies on the appropriate way to manage information security threats.
Moreover, the Homeland Security Act provides the appropriate tools to intercept information security threats and incidents. NIST (National Institute of Standards and Technology) has also issued several publications that can assist agencies and business organizations to protect their infrastructures against emerging cyber-security threats. The government also has many pending legislations to address threats such as phishing, spam, and spyware. The NIST has also issued various guidance that federal agencies can use to enhance electronic mail security and security of public web servers. The electronic mail security guidance reveals various practices that organizations should employ to enhance the security of their network infrastructures. The NIST also discusses different methods that organizations can employ to secure web servers. The methods include testing, hardening servers, backing up, patching systems, developing, and maintaining a secure network. The NIST also issued a publication on the methods organizations can use to implement cryptographic and authentication applications.
The U.S. government has also introduced the Internet-Spyware (I-SPY) Prevention Act, which makes unauthorized access to private or public network infrastructures a criminal act. Offenses include intentional unauthorized access leading to copying of a computer file. It is also a criminal offense to intentionally transmit personal information that can cause damage to other people's computers or defraud another person.
The U.S. government also introduced the Anti-phishing Act that imposes penalties on individuals perpetuating pharming and phishing. The Act intends to prohibit email messages and fake websites that pretend to be legitimate and attempt to make individuals divulge personal information that will lead to fraud and identity theft. The Anti-phishing Act also covers identity theft and internet-related frauds such as creating a website with the aim of fraudulently representing itself as a legitimate online business. The Act also includes penalties of up to five years imprisonment for an individual committing this fraud.
The NIST has also introduced five effective cyber-security frameworks that offer potential protection for network infrastructures across organizations. These frameworks are voluntary; however, they serve as potential advances in technological protection across industry (PWC, 2014). The five core frameworks are: Identify, Protect, Detect, Respond, and Recover.
Table 1: NIST Five Core Cyber-security Frameworks
The U.S. government has also approved funding for research and development that can promote emerging cyber securities. For example, the U.S. government has allowed the National Science Foundation to provide funding for talented undergraduate and postgraduate students to develop strategies that can be employed to enhance cyber security. Through the NIST, the U.S. government has also introduced funding opportunities that can enhance development of cyber security in the United States.
Several benefits organizations can derive from government efforts to enhance cyber security. First, the laws and policies have created awareness among the business community that cyber criminality is an offense and the government is ready to prosecute anybody attempting to thwart an emerging cyber security. Moreover, the government has used several laws to protect the infrastructures of both public and private organizations. More importantly, the government has been able to educate both organizations and private individuals on strategies to protect their data against cyber attacks. Apart from the laws and policies introduced by the federal government, the NIST has also issued several publications to enhance greater understanding among organizations and individuals on methods to protect their network infrastructure against cyber attacks.
Despite the benefits that organizations can derive from government efforts in enhancing emerging cyber-security, cyber attacks are on the increase and government efforts to thwart cyber adversaries appear ineffectual. A report by PwC (2014) reveals: "As cyber-security incidents multiply in frequency and cost, the cyber-security programs of U.S. organizations do not rival the persistence and technological prowess of their cyber adversaries. Organizations do not adequately address employee and insider vulnerabilities, nor do they assess the security practices of third-party partners and supply chains. Most do not strategically invest in cyber-security and ensure that it is aligned with their overall business strategy."
The 2014 Cybercrime Survey reveals the responses of more than 500 business executives in the United States and shows that the U.S. government cyber-security programs cannot rival the technological prowess and tactical skills of potential cyber adversaries. In the contemporary IT environment, organized cyber criminals are using sophisticated techniques, highly difficult to detect, to steal sensitive information and valuable private communications, intellectual property, and strategic assets. The United States Director of Intelligence ranks cybercrime as one of the top national security threats and ranks it higher than espionage, terrorism, and weapons of mass destruction. In 2013, more than 3,000 companies in the United States were victims of major cyber intrusions. According to PwC (2014), "The United States faces real [cyber-security] threats from criminals, terrorists, spies, and malicious cyber actors."
Emerging cyber-security has become a security option that government and private organizations should employ to secure their infrastructures. This paper identifies and discusses different emerging cyber securities that organizations are using to secure their infrastructures. The Bug Bounty Program is one of the emerging cyber security programs that organizations are using to identify bugs. The strategy assists in eliminating bugs within the software development environment. Moreover, the paper identifies different emerging securities to protect cloud computing. Cloud computing is an emerging technology that requires emerging cyber security. The study also discusses different government efforts to enhance cyber securities in the United States. Despite the efforts of the U.S. government, cyber attacks are still on the increase in the United States, with several organizations losing data worth millions of dollars. This study recommends that the government, in collaboration with private organizations, should develop a think-tank program drawing experts from around the world to develop strategies to enhance cyber-security in the United States.
You’re 96% through this paper. Sign up to read the full paper.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.