An RCUK Green Paper For Cybersecurity Research: June 2011
June 2011
Research Councils UK (RCUK) has identified research into cybersecurity as a priority for its Global Uncertainties programme. The programme will work with academic researchers, businesses and government users to enable effective networking, build capacity and develop world-class research projects which address important challenges in cybersecurity. Our ultimate aim is to contribute to making the UK's networked and online activities secure from misuse and as a result safer, more productive and more enjoyable. This green paper is intended to raise awareness, among academic researchers and users, of RCUK's emphasis on cybersecurity issues. It is the starting point for further developing an appropriately connected community of cybersecurity researchers and research users. We are inviting comments from all those interested in cybersecurity research in the UK. We are also taking this opportunity to highlight some RCUK activities which will promote cybersecurity research.
Background
At a time when we are more exposed than ever to threats at personal, family, community, organisational and national levels, and as more and more aspects of our lives are played out on computer networks, the problems caused by inadequate cybersecurity are becoming increasingly apparent. Malicious individuals and groups have long since realised just how lucrative the virtual world can be, how it can make criminal or antisocial activity easier, the opportunities it presents to disrupt normal life, and also the fact that these opportunities can only increase in scale. The increasing complexity of computer software and its associated electronic systems and processes increases the incidence of vulnerabilities. Our ever greater reliance on these systems and processes means that successful cyber attacks are likely to have significant consequences. The combination of enhanced threat, increased vulnerability and more serious consequences increases the cyber risk we experience. Better cybersecurity can help to reduce that risk to an acceptable level. More effective cybersecurity measures will come from a clearer understanding of our current and future vulnerabilities, the threats and consequences that result from them and the failings of current approaches. Further research into cybersecurity, its fundamentals and in particular its human and behavioural aspects, is essential.
Especially networked computer systems, and noting particularly that human users are part of the system and that the system is ultimately intended to meet human needs
Although the exclusion of problems resulting from accidental errors is not a hard-and-fast rule as there is much to learn from, for instance, dependability research
By which we mean protective measures or approaches which fix problems
By which we mean measures which help identify and minimise the threats posed by attackers
Just as we are challenging academics and research users to change the way they currently do things, we in RCUK are challenging ourselves to make a real difference. We will have succeeded in this if:
The UK is seen to be an active and important source of new ideas and solutions to cybersecurity problems, with a healthy and innovative research base;
All parts of the UK academic community which might contribute to it are aware of the nature of the cybersecurity challenge and how they can help;
All potential beneficiaries of cybersecurity research have access to RCUK research activities and are able to draw on the existing research base through effective links with key researchers;
Academic researchers, businesses and government users are working together to identify and address key research priorities, with research being informed, as far as is possible, by an up-to-date and accurate awareness of the nature of cybersecurity threats.
While there may be some future funding opportunities in cybersecurity, our main focus initially will be on working with our current portfolio of projects and resources: aligning it with cybersecurity issues and users in an optimal way and ensuring maximum impact from our existing investments. We have two activities already planned that can be publicised at this stage.
There will be a cybersecurity research showcase event on Wednesday 23rd November 2011 at Church House Conference Centre, London. This will bring together academic researchers and key problem owners to share information on current activities, issues and research programmes. Invitations will go out in July 2011 but anyone who would like to attend can email one of the contacts listed below to register their interest;
We are working with GCHQ to develop two opportunities: firstly for academic groups to be identified as UK Centres of Excellence for cybersecurity research and education; secondly to enhance UK research effort in strategically important subject areas within cybersecurity, through one or more Research Institutes in these fields. More details on both activities will be made available soon.
Appendix
Background material
Several reports covering many of the key issues in cybersecurity research are publicly available. While they do not necessarily represent everything that might be included in an RCUK programme, and while their prioritisations may not match those we will collectively develop, they provide some excellent source material. The US DHS Roadmap for Cybersecurity Research is a very comprehensive reference which describes a large number of key challenges in cybersecurity. A similar strategy document has been prepared by the Dartmouth Institute for Information Infrastructure Protection. The UK's Technology Strategy Board has produced a complementary roadmap that, rather than specifying research issues, sets out drivers for change in information security over the next ten years. It provides an extremely useful insight to help structure longer term research questions and builds on an earlier Foresight Cyber Trust and Crime Prevention project. This investigation, while conducted some time ago and with a broader scope and different focus to this paper, provides a synthesis of many issues related to cybersecurity that remains valid and useful. The Cyber Security Strategy of the United Kingdom is due to be updated soon, and so may change in its detail, but we would like to highlight its current vision statement which describes a future in which: Citizens, business and government can enjoy the full benefits of a safe, secure and resilient cyber space: working together, at home and overseas, to understand and address the risks, to reduce the benefits to criminals and terrorists, and to seize opportunities in cyber space to enhance the UK's overall security and resilience. A useful summary of current UK government policy and initiatives, highlighting the need for academic research, can be found here, while the UK's National Security Strategy is here.
Finally, it is worth restating RCUK's emphasis on Excellence with Impact and our desire that our research and training activities in cybersecurity should make a demonstrable contribution to society and the economy.
cybercrime, for instance from a child protection point of view, is impossible to value in any sensible way, as is the lost potential of what we are unable to do as a result of the threat of cyber-criminality.
Deployment, economics, motivation and regulation of cybersecurity measures
The resources allocated, and approaches adopted, to cybersecurity often do not seem to reflect the risks to which a system or its users will be exposed. As a business driver, security is often last in line. This is partly down to a lack of information about risks: information which individuals, business and government need to make sound decisions. Misaligned incentives, a lack of common standards, lack of clarity on ownership/responsibility and poor information on the effectiveness of solutions also contribute to a general market failure. Insight into attackers' motivations, and ways of deterring them from acting on them, is also lacking.
Drivers for change
Developments in the ways that we use ICT are outpacing the security solutions required for their safe adoption. Research relating to the systems and applications of the future, as well as those currently in use, is essential. These drivers of change include: e-healthcare systems; ubiquitous computing; smart metering, monitoring and control systems; e-voting; cloud computing; and, in the very long term, quantum systems and technologies.
Global threats, cyberwar, ethics, regulation, policy and legality
Threats to the UK from states and terrorists are growing. These threats need to be responded to proportionately and appropriately. The framework for doing so is not as well established as in more traditional cases, nor is our ability to attribute an attack, nor is it clear what responses are likely to be most effective or acceptable. Recognition of the importance of cyberspace as a national frontier has similarly complex implications, as do the global nature of the threat and the borderless nature of the internet.
Human factors and useable security
It takes a human to create or exploit a cyber vulnerability. We have to understand how humans really behave and interact with cybersystems, and how a particular technology choice or approach will affect human behaviour, if we want our systems to be more secure. Security solutions also need to be developed in ways that work in practice, not just on paper.
Risk identification, reduction, mitigation and management in a cyber world
Our understanding of how cybersystems behave has not kept up with the rate at which they are developed and implemented. We need a better understanding of the risks associated with our cyber activities, and we need better ways of managing those risks and making decisions under uncertainty. We also need ways of measuring or characterising the level of security in a system and how much we stand to gain or lose from a particular security action relating to it.
Secure management and usage of data across a range of systems
As more and more services, government and private, are delivered online, the risks associated with data losses mount. Many of the most memorable stories about breaches in cybersecurity are in fact information management issues. Approaches to sharing data and delivering better services which enhance information security and preserve the privacy of individuals are required. There are also complicated ethical and legal issues to consider.
Threats to physical infrastructure from cyber events
As more physical infrastructure comes under the control of systems which are connected to public networks, the potential for malicious disruption increases. While this threat has much in common with parallel work into resilience, it also has unique cybersecurity aspects.
Understanding and monitoring systems and networks, and detecting attacks
Without knowing how a system behaves in normal operation it is impossible to tell when something abnormal is occurring. Intrusion detection systems, visualisations, digital forensics and other methods of improving broad situational awareness, in real time and post-event, will be important areas for research. Autonomous approaches to protecting systems will help reduce the burden on human resources.