The following is a blog post from CCC Executive Council Member Ben Zorn from Microsoft Research. 

On December 1, 2016, the President’s Commission on Enhancing National Cybersecurity released its comprehensive report containing 53 recommendations that address cybersecurity challenges, in Obama’s words, “… one of the greatest threats we face as a nation.” Over the course of last year, the Commission held numerous public hearings on the topic, which are available in their entirety here. While the report covers many operational challenges that can and should be addressed without the need for new cybersecurity research, there are many challenges discussed in the report that cannot be addressed with existing approaches. Continuing and expanding research in these areas should be a top priority for the agencies that fund cybersecurity, including Defense Advanced Research Projects Agency (DARPA), National Science Foundation (NSF), and National Institute for Standards and Technology (NIST).

For example, in Section II, “The State of Cybersecurity and a Vision for the Future,” bullet 6 declares “Technological complexity creates vulnerabilities.” This insightful statement highlights the deep need for investment in human-computer interaction to reduce the complexity and make cybersecurity manageable by humans even as the technical complexity of systems, which now might include many Internet of Things (IoT) devices, explodes. The report also highlights the challenges that small businesses and organizations face securing their systems (Recommendation 1.5) and the need for technical solutions that greatly reduce the cost and complexity of doing so.

The report also acknowledges the revolution that is unfolding around IoT and its likely impact on national security: “the IoT blurs the distinctions between critical infrastructure, regulated devices, and consumer products.” Software certifications typically required for mission-critical infrastructure (such as airplanes and pace-makers) will now be required for all consumer devices, otherwise these devices can become the weakest-link in national infrastructure. The report observes that “IoT is an area of special concern in which fundamental research and development (R&D) is needed….” A recent massive Distributed Denial-of-Service (DDOS) attack using a hundred thousand web cameras, routers, etc., illustrates the degree to which widespread deployment of IoT devices leads to unintended consequences.

Another area of fundamental research called for by the report relates to security metrics. In the Executive Summary, the report calls out the “…importance and difficulty in developing meaningful metrics for cybersecurity.” Defining metrics is a fundamental and profound challenge because, while a simple “secure/insecure” classification is desired, there are a number of elements that contribute to a device or system being secure, including the software, the hardware, the user interface, the connected components, the update history, the communication channels, etc., and significant research is needed to quantify and measure the degree that each of these elements contribute to overall security in ways that allow for meaningful metrics.

Within the 100-page report there are many more deep insights that highlight the important and time-critical challenges the country faces in ensuring and enhancing national cybersecurity. Of the dozens of recommendations provided, the commission recommends that many merit action within the first 100 days of the new administration. While some of these actions will likely be taken, many more can only be accomplished with a deep and timely investment in the fundamental research agenda outlined throughout the report.