NSF cybersecurity research focuses on 3 “game-changing” themes

In a notice published this week in the Federal Register, the National Science Foundation’s National Coordination Office for Networking and Information Technology Research and Development (NCO/NITRD) announced three new federal cybersecurity research themes. The themes respond to a challenge in the President’s Cyberspace Policy Review to identify research strategies that focus on “game-changing” technologies and approaches to securing cyberspace. The three themes identified by NITRD are:

  1. Tailored trustworthy spaces: recognizing that meeting all security requirements derived from different contexts and purposes is infeasible, there could instead be “sub-spaces” defined in terms of specific uses or types of interactions, each with its own set of tailored security policies, services, and mechanisms.
  2. Moving target: when the cost of attack favors the attacker rather than the defender, defenders need ways to increase the cost of attack, such as by making the security environment more dynamic and therefore harder to predict or less susceptible to prolonged attack.
  3. Economic incentives: security resources are not optimally allocated, in part due to a lack of meaningful security metrics and economically justified decision-making criteria; ideally, doing the “right” things in terms of security will also be justified in economic terms, and these should hopefully outweigh the return from illegal activities.

NITRD has scheduled a kickoff event for the new R&D themes on May 19, and has also published a more detailed set of recommendations related to these proposed research areas. In general, the themes appear to be logically consistent with the general push towards situational awareness and continuous security monitoring. However, the idea of not just watching protected environments but regularly and proactively adjusting the security profile of those environments to make reconnaissance and attack more difficult is a pretty extreme contrast to the predominant approaches, which are grounded in formal control baselines and static configurations that change little between accreditation dates. The concept of variable, purpose-driven security and trust models might also be considered a drastic departure from current federal information security guidance, which doesn’t distinguish among security provisions needed for different systems and environments beyond a high-level qualitative (high, moderate, low) security categorization.