Nav: Home

Roadmap to safer cyberspace

December 17, 2015

How do cybersecurity experts discover how to properly defend a system or build a network that's secure?

As in other domains of science, this process involves hypothesis, experimentation, and analysis -- or at least it should. In reality, cybersecurity research can happen in an ad hoc fashion, often in crisis mode in the wake of an attack.

However, a set of researchers has imagined a different approach, one in which experts can test their theories and peers can review their work in realistic but contained environments -- not unlike the laboratories found in other fields of science.

"Our adversaries have an incredible environment for testing out attacks: the Internet, on which all our production systems operate," said Terry Benzel, deputy director for the Internet and Networked Systems Division at the Information Sciences Institute (ISI) of the University of Southern California. "They can sit and analyze our vulnerabilities for as long as they want, probe and poke and run experiments until they find the right way in. Our researchers and leading technology developers don't have anything like that."

This "asymmetry," as researchers call it, is part of the reason so many cyberattacks and breaches occur. It also served as motivation for the the National Science Foundation (NSF) moving in 2013 to fund a multi-year effort to determine how to best advance the field of experimental cybersecurity.

Led by cybersecurity researchers from SRI International and ISI with decades of years of experience designing, building, and operating large cybersecurity testbeds, the effort involved more than 150 experts, representing 75 organizations. They participated in three workshops in 2014.

The researchers released a report resulting from this activity, titled "Cybersecurity Experimentation of the Future (CEF): Catalyzing a New Generation of Experimental Cybersecurity Research," in July 2015.

The Science of Cybersecurity Experimentation

Though one might expect the report to focus on the types of hardware, software and networking required for conducting cybersecurity experiments, the main takeaway is even more fundamental: the research community needs to develop a "science of cybersecurity experimentation."

The report stressed that key elements of that discipline should include methods, approaches and techniques that researchers can use to create reproducible studies that the community can test, reuse and build upon.

"Experimentation is an inherent part of the scientific method and you can't do research without doing experimentation," said Douglas Maughan, Director of the Cyber Security Division at the Department of Homeland Security, Science and Technology Directorate. "This report is a critical first step to re-think what is needed in cyber experimentation before we build the infrastructure."

Using the scientific method also requires peer review and repeatability. The report emphasized the need for infrastructure that supports and enables repeatable experiments by creating easy ways for researchers to test each others' results.

Moreover, instead of uncoordinated, domain-specific studies -- some related to denial of service attacks or password cracking, others related to critical infrastructure or automotive testing -- researcher need common standards and ways to work across disciplines and domains.

"The adversary isn't looking narrowly," Benzel said, "and researchers can't afford to either."

Finally, the community needs to develop new approaches for sharing and synthesizing data in order to accelerate knowledge and community building across disciplines and organizations.

"We need a way that makes it easy for researchers, not only from different aspects of cybersecurity, but across different domains, to share their problems and draw from a library of experimental cyber components to put together a big problem," Benzel said.

Recommendations for Securing our Cyber-Future

Based on input from scholars, the authors synthesized five key observations that they believe, if followed, will yield transformational results.

First, research must be multidisciplinary. Whereas today, experts typically specialize in one area, in the future, individuals and teams must incorporate a wider range of knowledge and skills.

"We need to bring in different disciplines, from computer science, engineering, math and modeling to human behavior, sociology, economics and education," said David Balenson, another of the lead authors and a senior computer scientist at SRI International.

Second, experiments must accurately model and incorporate human activity.

"Everything we do needs to be grounded in the real world and include the human element -- users, operators, maintainers, developers and even the adversary," Balenson said.

NSF Program Director Anita Nikolich said performing cybersecurity research "in an isolated, contained environment that doesn't mimic reality is not conducive to discovering the nuances inherent in this sort of research. New approaches to testing are needed in order to produce useful, actionable results."

Third, different experimental environments must be able to work together in a plug-and-play fashion by following common models of infrastructure and experiment components using open interfaces and standards.

"Without shared experimental infrastructure, researchers have to spend lots of money developing their own experimental infrastructure which takes away from their core research," said Laura Tinnel, a senior research engineer at SRI International and one of the study's authors. "People are reinventing the wheel."

Fourth, experimental frameworks must allow reusable designs to better enable science-based hypothesis testing.

"In most other sciences, someone can come and repeat your experiment, but that's not typically the case in cyber," Benzel said. Hardwiring such capabilities into the structure of the experimental framework would allow researchers to do broader experiments, and also lower the barrier to entry and improve education and training.

Finally, any infrastructure that is built must be useable and intuitive, so researchers and students spend less time learning to use the infrastructure and more time doing critical scientific inquiry. Moreover, the community must adopt a more rigorous scientific model for research and supporting infrastructure.

"People have been doing things the same way for some time now, and trying to get them to work in a more community-oriented way is going to take some shifts in their thinking as well as cultural changes," Balenson said.

However, the study's authors believe that if the scientific community follows the recommendations, such a shift would not only change the balance of power between hackers and cybersecurity experts, but result in systems that are secure by design -- something that long-discussed in the cybersecurity world but not yet successfully implemented.

"We can shift this asymmetric cyberspace context to one of greater planning, preparedness, anticipation and higher assurance solutions," Benzel said.
-end-
-NSF-

National Science Foundation

Related Cybersecurity Articles:

$4.6 million award creates program to train cybersecurity professionals
A five-year, $4.63 million award from the National Science Foundation will enable a multi-disciplinary team of researchers at the University of Arkansas to create a program to recruit, educate and train the next generation of cybersecurity professionals.
First cyber agility framework to train officials developed to out-maneuver cyber attacks
To help train government and industry organizations on how to prevent cyberattacks, as part of a research project for the US Army, scientists at The University of Texas at San Antonio, developed the first framework to score the agility of cyber attackers and defenders.
Cyber of the fittest: Researchers develop first cyber agility framework to measure attacks
The framework proposed by the researchers will help government and industry organizations visualize how well they out-maneuver attacks over time.
Army researchers identify new way to improve cybersecurity
Researchers at the US Army Combat Capabilities Development Command's Army Research Laboratory, the Army's corporate research laboratory also known as ARL, and Towson University may have identified a new way to improve network security.
How susceptible are hospital employees to phishing attacks?
A multicenter study finds high click rate for simulated phishing emails, potential benefit in phishing awareness training.
A Georgia State cybersecurity study of the dark web exposes vulnerability to machine identities
A thriving marketplace for SSL and TLS certificates -- small data files used to facilitate confidential communication between organizations' servers and their clients' computers -- exists on a hidden part of the Internet, according to new research by Georgia State University's Evidence-Based Cybersecurity Research Group (EBCS) and the University of Surrey.
Army scientists revolutionize cybersecurity through quantum research
Army scientists have found a novel way to safeguard quantum information during transmission.
Dena Haritos Tsamitis secures $5 million NSF award for CyberCorps Scholarship for Service program
At a time when demand for cybersecurity expertise has never been higher, Carnegie Mellon University has just been awarded a $5 million renewal of its National Science Foundation CyberCorps Scholarship for Service program through 2023.
UTSA researchers create framework to stop cyber attacks on internet-connected cars
A new study by Maanak Gupta, doctoral candidate at The University of Texas at San Antonio, and Ravi Sandhu, Lutcher Brown Endowed Professor of computer science and founding executive director of the UTSA Institute for Cyber Security (ICS), examines the cybersecurity risks for new generations of smart which includes both autonomous and internet connected cars.
Cybersecurity teams that don't interact much perform best
Army scientists recently found that the best, high-performing cybersecurity teams have relatively few interactions with their team-members and team captain.
More Cybersecurity News and Cybersecurity Current Events

Best Science Podcasts 2019

We have hand picked the best science podcasts for 2019. Sit back and enjoy new science podcasts updated daily from your favorite science news services and scientists.
Now Playing: TED Radio Hour

Rethinking Anger
Anger is universal and complex: it can be quiet, festering, justified, vengeful, and destructive. This hour, TED speakers explore the many sides of anger, why we need it, and who's allowed to feel it. Guests include psychologists Ryan Martin and Russell Kolts, writer Soraya Chemaly, former talk radio host Lisa Fritsch, and business professor Dan Moshavi.
Now Playing: Science for the People

#538 Nobels and Astrophysics
This week we start with this year's physics Nobel Prize awarded to Jim Peebles, Michel Mayor, and Didier Queloz and finish with a discussion of the Nobel Prizes as a way to award and highlight important science. Are they still relevant? When science breakthroughs are built on the backs of hundreds -- and sometimes thousands -- of people's hard work, how do you pick just three to highlight? Join host Rachelle Saunders and astrophysicist, author, and science communicator Ethan Siegel for their chat about astrophysics and Nobel Prizes.