Government, academic and private sector cybersecurity experts met last month at the National Institute of Standards and Technology (NIST) headquarters to establish a research agenda that may affect America’s developing cybersecurity research approach.
The Cyber Security Research Alliance (CSRA) and NIST hosted a two-day workshop on April 4th and 5th in Gaithersburg, Md., focused on addressing the threats and vulnerabilities in technology that supports critical infrastructure operations like the country’s food, power and communications networks.
The alliance has collaborated with NIST, a division of the U.S. Department of Commerce, since 2012 to help organizations in multiple sectors prioritize their own threat research and mediation tactics. The workshop was the latest step in that mission.
“It’s the beginning of the beginning, and clearly, what we hope to come out of this workshop will be an agenda and identification of high priority initiatives that could be undertaken in the research arena to address these barriers to cybersecurity that exist in legacy systems today,” said Lee Holcomb, CSRA president.
The collaborators hope to publish their agenda by the end of May. From there, members from academia and the public and private sectors will help define specific actions that adhere to that agenda. Neither Holcomb nor any of this colleagues told Government Technology about any specific actions on that agenda, as those details were still in development.
“How we do that is still somewhat ill-defined and will evolve during the year,” Holcomb said.
The CSRA’s cybersecurity strategy seems to be evolving even as the White House inches toward a coherent strategy of its own for national cybersecurity, a process that hasn't gone smoothly so far. President Obama was compelled to issue an executive order on cybersecurity earlier this year after Congress failed to pass its own legislation in 2012, but some media outlets argue that the order is vague. Most recently, the House of Representatives passed another cybersecurity bill, the Cyber Intelligence Sharing and Protection Act (CISPA), on April 18, in spite of White House threats to veto it for being too invasive. But just days ago, the Senate said it wouldn't even consider the legislation.
No one from the CSRA spoke of the political implications of the agenda, but they feel that the government is making good progress in the cybersecurity area.
“I think there’ve been some very good steps put forward in terms of a long-term research agenda by the government,” Holcomb said. “What we bring to the table is an industry perspective on that agenda.”
Their agenda promotes public-private collaboration for greater security among all sectors -- a relationship that at least one government participant favors.
“These complex, IT-driven systems pose unique security challenges that will only be met through the combined effort of the commercial, academic and government sectors,” said Chuck Romine, director of NIST’s Information Technology Laboratory in a CSRA press release.
These “complex, IT-driven systems” include self-driving cars, smart buildings, advanced manufacturing systems and intelligent medical devices — all controlled by technology that’s vulnerable to hacking and corruption if it’s not properly secured.
But unfortunately, many of these machines aren’t designed with security in mind, and they’ve been outpaced by software’s rapid evolution, and the evolution of the malware that threatens it.
“There’s a huge spectrum of systems out there, from very simple sensors to large control systems. In general, they tend to have very long lives,” said Ron Perez, a founding member of the CSRA. “There’s this huge legacy base out there. They haven’t been designed with the current threats in mind either.”
Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.