The most well thought out research agenda for cyber security I have seen to date

Opinion: the most mature research agenda on the topic of cyber security is the one established by our nation’s Department of Homeland Security.

I’m keeping an open mind, and would love to learn of other cyber security research agendas that might be as well defined. But I have to tell you I have seen research programs associated with cyber for years and this one is impressive.

The details of the topic areas of this research activity are embedded in a Broad Agency Announcement (BAA) posted on FedBizOpps. The PDF of the announcement is located here: http://ctovision.com/wp-content/uploads/2011/02/Cyber_Security_BAA_11-02-2.pdf

You can also find info on this research agenda at:


A summary of the agenda is pasted below for your review, but please review the details on the DHS site and at FedBizOpps for more info. And, if you know of any researcher who has an ability to contribute to the cyber mission needs outlined in this BAA, please get word of the BAA to the researcher. Our nation needs research into these topics, and it looks like DHS may be making some funding available for research into these topics.

I’d also recommend that the DHS S&T Topics for Cyber Research be reviewed by computer science students and teachers. They should also be considered by IT firms large and small, even if the firms are not planning on responding to the DHS announcement. Anyone doing any research on cyber anywhere would benefit from a review of this agenda, I believe.

Summary from the DHS S&T website:

The Department of Homeland Security (DHS) Science and Technology (S&T) Homeland Security Advanced Research Projects Agency (HSARPA) Cyber Security Division (CSD) announces a Broad Agency Announcement (BAA) for Fiscal Year 2011 to improve the security in both Federal networks and the larger Internet. This Broad Agency Announcement (BAA) seeks ideas and proposals for Research and Development (R&D) in 14 Technical Topic Areas (TTAs) related to CSD. The total estimated value of this acquisition is $40 million.

Cyber attacks are increasing in frequency and impact. Even though these attacks have not yet had a significant impact on our Nation’s critical infrastructures, they have demonstrated that extensive vulnerabilities exist in information systems and networks, with the potential for serious damage. The effects of a successful cyber attack might include: serious consequences for major economic and industrial sectors, threats to infrastructure elements such as electric power, and disruption of the response and communications capabilities of first responders.

The DHS S&T mission is to conduct, for homeland security purposes, research, development, test and evaluation (RDT&E) and timely transition of cyber security capabilities to operational units within DHS, as well as local, state, Federal and operational end users in critical infrastructure. Cyber security is defined in broad terms to encompass the usual attributes of security, as well as reliability, availability, and survivability in the face of adversary attack and accidental fault, while preserving privacy. DHS S&T invests in programs offering the potential for revolutionary changes in technologies that promote homeland security and accelerate the prototyping and system prototype demonstration in an operational environment of technologies that reduce homeland vulnerabilities.
A critical area of focus for DHS is the development and deployment of technologies to protect the nation’s cyber infrastructure, including the Internet and other critical infrastructures that depend on computer systems for their mission.
  • TTA 01 – Software Assurance
  • TTA 02 – Enterprise-Level Security Metrics
  • TTA 03 – Usable Security
  • TTA 04 – Insider Threat
  • TTA 05 – Secure, Resilient Systems and Networks
  • TTA 06 – Modeling of Internet Attacks
  • TTA 07 – Network Mapping and Measurement
  • TTA 08 – Incident Response Communities
  • TTA 09 – Cyber Economics
  • TTA 10 – Digital Provenance
  • TTA 11 – Hardware-Enabled Trust
  • TTA 12 – Moving-Target Defense
  • TTA 13 – Nature-Inspired Cyber Health
  • TTA 14 – Software Assurance MarketPlace (SWAMP)

Summaries of these task areas:


TITLE: Software Assurance


The nation’s critical infrastructure (energy, transportation, telecommunications, banking and finance, and others), businesses, and services are extensively and increasingly controlled and enabled by software. Vulnerabilities in that software put those resources at risk. The risk is compounded by software size and complexity, the ways in which software is developed and maintained, the use of software produced by unvetted suppliers, and the interdependence of software systems. Software quality addresses the presence of internal flaws and vulnerabilities in software threatening its correct or predictable operation and use. Software assurance deals with the root of the problem by improving software security.


TITLE: Enterprise-Level Security Metrics


Defining effective information security metrics has proven difficult, even though there is general agreement that such metrics could allow measurement of progress in security measures and, at a minimum, rough comparisons of security between systems. Metrics underlie and quantify progress in many other system security areas. “You cannot manage what you cannot measure,” as the saying goes; the lack of sound and practical security metrics is severely hampering progress both in research and engineering of secure systems. However, general community agreement on meaningful metrics has been hard to achieve. This is due in part to the rapid evolution of IT, as well as the shifting locus of adversarial action.


TITLE: Usable Security


Although the problem of achieving usable security is universal – it affects everyone, and everyone stands to benefit enormously if usability is successfully addressed as a core aspect of security – it affects different users in different ways, depending on applications, settings, policies, and user roles. The guiding principles may indeed be universal, but there is certainly no general one-size-fits-all solution.


TITLE: Insider Threat


Cybersecurity measures are often focused on threats from outside an organization, rather than threats posed by untrustworthy individuals inside an organization. However, insider threats are the source of many losses in many critical infrastructure industries. In addition, well-publicized intelligence community moles such as Aldrich Ames have caused enormous and irreparable harm to national interests. This TTA focuses on insider threats to our cyber systems, and presents a high-impact research program that could aggressively curtail some aspects of this problem. At a high level, opportunities exist to mitigate insider threats through aggressive profiling and monitoring of users of critical systems, “fishbowling” suspects, “chaffing” data and services by users who are not entitled to access, and finally “quarantining” confirmed malevolent actors to contain damage and leaks while collecting actionable counter-intelligence and legally acceptable evidence.


TITLE: Secure, Resilient Systems and Networks


Survivability is the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. Part of the survivability attribute of systems and networks includes being secure and resilient to attack. This is meaningful, in practice, only with respect to well-defined mission requirements against which the survivability can be evaluated and measured.


TITLE: Modeling of Internet Attacks


This TTA researches, develops and applies modeling and analysis capabilities to predict the effects of cyber attacks on Federal Government and other critical infrastructures. Two main areas are identified: malware and botnets; and situational understanding and attack attribution.


TITLE: Network Mapping and Measurement


The protection of cyber infrastructure depends on the ability to identify critical Internet resources, incorporating an understanding of geographic and topological mapping of Internet hosts and routers. A better understanding of connectivity richness among ISPs will help to identify critical infrastructure. Associated data analysis will allow better understanding of peering relationships, and will help identify infrastructure components in greatest need of protection. Improved router level maps (both logical and physical) will enhance Internet monitoring and modeling capabilities to identify threats and predict the cascading impacts of various damage scenarios.


TITLE: Incident Response Communities


Cyber security incident response (CSIR) teams, individuals, and communities have historically consisted of people and organizations that have been “in the right place at the right time.” Only recently has the community begun to specify the skills, abilities, structures, and support to create an effective and sustained incident response capability. While there is a good understanding of the technologies involved in CSIRTs, the operational community has not adequately studied the characteristics of individuals, teams, and communities that distinguish the great CSIR responders from the average technology contributor. In other areas where individual contributions are essential to success, e.g., first responders, commercial pilots, and military personnel, there have been studies of the individual and group characteristics essential to success. To optimize the selection, training, and organization of CSIR personnel to support the essential cyber missions of DHS, a much greater understanding and appreciation of these characteristics must be achieved.


TITLE: Cyber Economics


Today cyber crime pays. So does cyber-espionage. The state of cyber security today is, and in the future will be, significantly affected by economic conditions and factors. Cyber crime and espionage are making their own economic markets today, having gone well beyond the “script kiddie” and “hacker” personas to mature into big business on a global level. Gaining an understanding of the incentive structure is key to getting stakeholders to behave in a way that will improve overall security. Current cyber-related illegal activities are economically attractive for several reasons.


TITLE: Digital Provenance


Individuals and organizations routinely work with, and make decisions based on, data that may have originated from many different sources and also may have been processed, transformed, interpreted, and aggregated by numerous entities between the original sources and the consumers. Without good knowledge about the sources and intermediate processors of the data, it can be difficult to assess the data’s trustworthiness and reliability, and hence its real value to the decision-making processes in which it is used.
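The kind of record the Digital Provenance topic asks for can be made concrete with a small hash-linked chain: each source or intermediate processor appends a signed entry binding the data it received to the data it produced, and the consumer verifies the whole chain before trusting the result. The code below is an added example written for this page; it is not DHS or BAA material and not code from the post’s author. The three-actor pipeline, the per-actor keys and the data bytes are constructed for the demonstration, and HMAC stands in for the per-actor asymmetric signatures a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed example: one symmetric key per pipeline actor. A real system
# would use per-actor asymmetric signing keys; HMAC keeps this offline.
ACTOR_KEYS = {
    "sensor-07": b"key-for-sensor-07",
    "etl-service": b"key-for-etl-service",
    "analyst-desk": b"key-for-analyst-desk",
}
GENESIS = "0" * 64
BODY_FIELDS = ("actor", "step", "input_hash", "output_hash", "prev_hash")


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation so producer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(actor: str, body: dict) -> str:
    return hmac.new(ACTOR_KEYS[actor], _canonical(body), hashlib.sha256).hexdigest()


def append_step(chain: list, actor: str, step: str, input_data: bytes, output_data: bytes) -> dict:
    """Record one processing step, bound to the record before it."""
    body = {
        "actor": actor,
        "step": step,
        "input_hash": _digest(input_data),
        "output_hash": _digest(output_data),
        "prev_hash": chain[-1]["record_hash"] if chain else GENESIS,
    }
    record = dict(body, signature=_sign(actor, body))
    record["record_hash"] = _digest(_canonical(record))
    chain.append(record)
    return record


def verify_chain(chain: list, outputs: list):
    """Check signatures, hash links, and that each step's data still matches.
    `outputs` holds the bytes each step actually produced, one per record.
    Returns (True, "ok") or (False, reason)."""
    if len(chain) != len(outputs):
        return False, "record count does not match data count"
    prev_hash = GENESIS
    for i, (rec, produced) in enumerate(zip(chain, outputs)):
        if rec["actor"] not in ACTOR_KEYS:
            return False, f"step {i}: unknown actor {rec['actor']!r}"
        body = {k: rec[k] for k in BODY_FIELDS}
        if not hmac.compare_digest(_sign(rec["actor"], body), rec["signature"]):
            return False, f"step {i}: signature does not verify"
        unhashed = {k: v for k, v in rec.items() if k != "record_hash"}
        if _digest(_canonical(unhashed)) != rec["record_hash"]:
            return False, f"step {i}: record hash does not match contents"
        if rec["prev_hash"] != prev_hash:
            return False, f"step {i}: link to previous record is broken"
        if i > 0 and rec["input_hash"] != chain[i - 1]["output_hash"]:
            return False, f"step {i}: input is not the previous step's output"
        if rec["output_hash"] != _digest(produced):
            return False, f"step {i}: data differs from what was recorded"
        prev_hash = rec["record_hash"]
    return True, "ok"


def build_example_chain():
    """Constructed three-step pipeline: sensor reading -> cleaned -> report."""
    raw = b"site=A;temp=21.5;unit=C"
    cleaned = b"site=A;temp=21.5"
    report = b"site A: temperature nominal"
    chain = []
    append_step(chain, "sensor-07", "collect", raw, raw)
    append_step(chain, "etl-service", "normalise", raw, cleaned)
    append_step(chain, "analyst-desk", "summarise", cleaned, report)
    return chain, [raw, cleaned, report]


if __name__ == "__main__":
    chain, outputs = build_example_chain()
    print(verify_chain(chain, outputs))
    # An intermediary quietly swaps the cleaned data after the fact.
    tampered = list(outputs)
    tampered[1] = b"site=A;temp=99.0"
    print(verify_chain(chain, tampered))
    # A record is rewritten to pin the step on a different actor: signature fails.
    forged = [dict(r) for r in chain]
    forged[1]["actor"] = "analyst-desk"
    print(verify_chain(forged, outputs))
```

The point of checking `input_hash` against the previous step's `output_hash` is that a processor cannot claim to have worked on data other than what the chain says it received; the consumer learns not only who touched the data but that no unrecorded transformation happened between them.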


TITLE: Hardware-Enabled Trust


Hardware can be the final sanctuary and foundation of trust in the computing environment, based on the technologies that can be developed in the area of hardware-enabled trust and security. With cyber threats steadily increasing in sophistication, hardware can provide a game-changing foundation upon which to build tomorrow’s cyber infrastructure. But today’s hardware still provides limited support for security and capabilities that do exist are often not fully utilized by software. The hardware of the future also must exhibit greater resilience to function effectively under attack.


TITLE: Moving-Target Defense


In the current environment, our systems are built to operate in a relatively static configuration. For example, addresses, names, software stacks, networks, and various configuration parameters remain relatively static over relatively long periods of time. This static approach is a legacy of information technology system design for simplicity in a time when malicious exploitation of system vulnerabilities was not a concern.
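One concrete instance of a moving target is a service that changes the port it listens on every epoch, with the schedule derivable only from a secret shared with authorized clients, so reconnaissance collected in one epoch is stale in the next. The code below is an added example for this page, not DHS or BAA material and not code from the post’s author. The epoch length, port range and service label are assumed parameters chosen for the demonstration, and distribution of the shared secret is out of scope.

```python
import hashlib
import hmac
import struct

# Assumed parameters for the example (not from the BAA): the service re-homes
# every EPOCH_SECONDS to a port derived from a secret shared with its clients.
EPOCH_SECONDS = 60
PORT_LOW, PORT_HIGH = 20000, 60000


def epoch_of(unix_time: float) -> int:
    return int(unix_time // EPOCH_SECONDS)


def port_for_epoch(secret: bytes, epoch: int, service: str = "admin-api") -> int:
    """Map (secret, service, epoch) to a port; unpredictable without the secret."""
    msg = service.encode() + b"|" + struct.pack(">q", epoch)
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW + 1
    # Reduction bias from 2**64 mod span is negligible for this purpose.
    return PORT_LOW + int.from_bytes(tag[:8], "big") % span


def listening_ports(secret: bytes, unix_time: float, service: str = "admin-api", skew: int = 1) -> set:
    """Ports the server must accept right now, allowing `skew` epochs of clock drift."""
    e = epoch_of(unix_time)
    return {port_for_epoch(secret, e + d, service) for d in range(-skew, skew + 1)}


def accept(secret: bytes, unix_time: float, port: int, service: str = "admin-api", skew: int = 1) -> bool:
    """Server-side check: is a connection on `port` inside the live window?"""
    return port in listening_ports(secret, unix_time, service, skew)


if __name__ == "__main__":
    secret = b"shared-secret-constructed-for-demo"
    now = 1_700_000_000
    client = port_for_epoch(secret, epoch_of(now))
    print("client connects to", client, "accepted:", accept(secret, now, client))
    # An attacker who scanned the host ten epochs ago replays the port seen then.
    seen_earlier = port_for_epoch(secret, epoch_of(now) - 10)
    print("replayed port", seen_earlier, "accepted:", accept(secret, now, seen_earlier))
```

The skew window is the usual trade-off in this design: widening it tolerates more clock drift between client and server but lengthens the time a captured port stays usable, so the epoch length and skew should be set together against the expected reconnaissance-to-attack delay.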


TITLE: Nature-Inspired Cyber Health


Today, weeks and months may elapse before successful network penetrations are detected through laborious forensic analysis. Despite their potential to function with intelligence, today’s typical network components have very limited understanding of what passes through them, coupled with a correspondingly short memory. In the future, network components must have heightened ability to observe and record what is happening to and around them. With this new awareness of the system health and safety, these “self-aware systems” enjoy a range of options: these systems may take preventative measures, rejecting requests which do not fit the profile of what is good, a priori, for the network; these systems can build immunological responses to the malicious agents which they sense in real time; these systems may refine the evidence they capture for the pathologist, as a diagnosis of last resort, or to support the development of new prevention methods. In the future, system owners should be able to monitor and control such dynamic cyber environments.
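Both the Insider Threat topic (profiling and monitoring of users of critical systems) and the Nature-Inspired Cyber Health topic (rejecting requests that do not fit the profile of what is good for the network) rest on the same mechanism: learn a baseline from observed behaviour, then score new events against it. The code below is an added example for this page, not DHS or BAA material and not code from the post’s author. The access-log format and the log lines are constructed for the demonstration, and the two profile features (resources touched, hours of activity) are a deliberately minimal stand-in for the richer models the BAA is soliciting.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access log used to learn per-user baselines.
# Format (assumed for this example): <ISO timestamp> <user> <action> <resource>
BASELINE = """\
2011-02-07T09:12:03 alice read /hr/payroll
2011-02-07T10:40:11 alice read /hr/benefits
2011-02-08T09:05:44 alice write /hr/payroll
2011-02-08T16:22:09 alice read /hr/benefits
2011-02-07T08:50:00 bob read /eng/design
2011-02-08T13:31:17 bob write /eng/design
2011-02-08T17:59:59 bob read /eng/build-logs
"""

# Constructed events to score against the baseline.
NEW_EVENTS = """\
2011-02-09T09:30:12 alice read /hr/payroll
2011-02-09T23:14:05 alice read /hr/payroll
2011-02-09T14:02:33 bob read /hr/payroll
2011-02-09T10:00:00 bob read /eng/design
"""


def parse(lines: str) -> list:
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def build_profile(events: list) -> dict:
    """Per-user baseline: which resources they touch and at which hours."""
    profile = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ev in events:
        p = profile[ev["user"]]
        p["resources"].add(ev["resource"])
        p["hours"].add(ev["time"].hour)
    return dict(profile)


def score(profile: dict, ev: dict) -> list:
    """Return the reasons an event falls outside its user's baseline (empty if none)."""
    p = profile.get(ev["user"])
    if p is None:
        return ["user has no baseline"]
    reasons = []
    if ev["resource"] not in p["resources"]:
        reasons.append("resource outside baseline")
    lo, hi = min(p["hours"]), max(p["hours"])
    if not lo <= ev["time"].hour <= hi:
        reasons.append("hour outside baseline window")
    return reasons


def flag_events(profile: dict, events: list) -> list:
    """Events that do not fit the profile, as (user, resource, reasons) tuples."""
    flagged = []
    for ev in events:
        reasons = score(profile, ev)
        if reasons:
            flagged.append((ev["user"], ev["resource"], reasons))
    return flagged


if __name__ == "__main__":
    profile = build_profile(parse(BASELINE))
    for user, resource, reasons in flag_events(profile, parse(NEW_EVENTS)):
        print(f"{user} -> {resource}: {', '.join(reasons)}")
```

On the constructed data this flags alice's late-night payroll read and bob's first-ever touch of an HR resource while passing the in-profile events. A baseline this small is easy for an insider to poison by acting slowly; in practice the learning window, the feature set, and what counts as a quarantinable deviation are exactly the research questions these two topics are asking.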


TITLE: Software Assurance MarketPlace (SWAMP)


Technical Topic Area #1 on Software Assurance describes the need to address threats throughout the software development process and calls for new methods, services, and capabilities in build, test, and analysis phases in order to improve the quality and reliability of software used in the nation’s critical infrastructures. Specifically, TTA#1 solicits ideas for research and development of new tools and methods for software analysis, and for applying new and existing capabilities in test and evaluation activities. This TTA (#14) focuses on the research infrastructure necessary to enable these software quality assurance and related activities.

Related posts:

  1. Federal Cyber Security: Missions, Initiatives, Opportunities and Risks
  2. The Future of Cyber Security and Cyber Conflict
  3. Protecting Federal Networks Against Cyber Attack
