Information technology (IT) provides exceptional benefits to society. However, the more society relies on IT, the greater the potential disruption and destruction that adversaries can create via malicious cyber activities. Advances in cybersecurity are urgently needed to preserve the Internet’s social and economic benefits—as well as the security of the Nation and its online commercial and public infrastructure—by thwarting adversaries and strengthening public trust in cyber systems.

The Cybersecurity Enhancement Act of 2014 (Public Law 113-274) requires the National Science and Technology Council and the Networking and Information Technology Research and Development Program to develop, maintain, and update every four years a cybersecurity research and development (R&D) strategic plan to guide the overall direction of federally funded R&D in cybersecurity. This strategic plan (this “Plan”) fulfills this mandate and updates the 2016 Federal Cybersecurity Research and Development Strategic Plan. This Plan also addresses priorities established by the 2018 National Cyber Strategy of the United States of America, including both its domestic and foreign policy priorities, and by the Administration’s FY 2021 Research and Development Budget Priorities Memorandum.

The Plan identifies the following goals for cybersecurity R&D:

• Understand human aspects of cybersecurity

• Provide effective and efficient risk management

• Develop effective and efficient methods for deterring and countering malicious cyber activities

• Develop integrated safety-security-privacy framework and methodologies

• Improve systems development and operation for sustainable security

To realize the goal of a secure cyberspace, the Plan carries forward the essential concepts from the 2016 Federal Cybersecurity Research and Development Strategic Plan, including the framework of four interdependent defensive capabilities:

• Deter

• Protect

• Detect

• Respond

To advance the priorities and objectives of the 2018 National Cyber Strategy of the United States of America and the Administration’s FY 2021 Research and Development Budget Priorities Memorandum, the Plan outlines research objectives in the following priority areas:

• Artificial Intelligence

• Quantum Information Science

• Trustworthy Distributed Digital Infrastructure

• Privacy

• Secure Hardware and Software

• Education and Workforce Development

Advancements in the defensive capabilities and priority areas critically depend on progress in human aspects, research infrastructure, risk management, scientific foundations, and transition to practice.

The Plan closes with identifying roles in cybersecurity R&D for the Federal Government, industry, and academia and with recommendations for supporting activities. Implementing this Plan and these recommendations will create science and technology for cybersecurity that effectively and efficiently sustain a trustworthy cyberspace to support the Nation’s prosperity and security well into the future.

Introduction

Information technology (IT) continues to be woven into every aspect of modern life. Emerging technologies of the 21st century, such as high-speed mobile networking and smart cities, promise that cyberspace will continue to offer exceptional benefits to society. However, the more society relies on IT, the greater the potential disruption and destruction that adversaries can create via malicious cyber activities. Today, U.S. intellectual property is being stolen, critical infrastructure is at risk, commercial and government computer systems are being compromised, and consumers are worried about their privacy. As currently deployed, the Internet places both public and private sectors at a disadvantage versus cyber criminals and other malicious adversaries. Advances in cybersecurity are urgently needed to preserve the Internet’s societal and economic benefits by establishing a position of assurance and trust for cyber systems and professionals. Strategic R&D investments by the Federal Government can contribute to advances in cybersecurity, help secure the cyberspace, and ultimately, strengthen the U.S. economy.

In September 2018, the President released the National Cyber Strategy of the United States of America, outlining how the Administration will, “(1) defend the homeland by protecting networks, systems, functions, and data; (2) promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation; (3) preserve peace and security by strengthening the ability of the United States—in concert with allies and partners—to deter and, if necessary, punish those who use cyber tools for malicious purposes; and (4) expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.”1 Through its National Cyber Strategy and FY 2021 Research and Development Budget Priorities Memorandum,2 this Administration has established the following areas as priorities for cybersecurity and related R&D:

• Maintaining military superiority supported by advanced cyber capabilities derived from new computing and technology paradigms.

• Improving the security and resilience of the Nation’s critical infrastructure.

• Maintaining leadership in artificial intelligence (AI) and quantum information science (QIS), and advancing a secure computational infrastructure and ecosystem.3

• Developing advanced communications networks and R&D to secure networks and manage wireless spectrum.

• Maintaining leadership in semiconductor design, including assured access to advanced microelectronics.

• Prioritizing initiatives that provide education and job opportunities in science, technology, engineering, mathematics, and computer science to a wide spectrum of American students and workers.

In support of these priorities, this 2019 Federal Cybersecurity Research and Development Strategic Plan provides guidance and defines priorities for Federal agencies that conduct or sponsor R&D in cybersecurity.

This Plan updates the 2016 Federal Cybersecurity Research and Development Strategic Plan4 as required by the Cybersecurity Enhancement Act of 2014 (Public Law 113-274).5 This law requires the National Science and Technology Council (NSTC) and the Networking and Information Technology Research and Development (NITRD) Program to develop, maintain, and update every four years a cybersecurity R&D strategic plan to guide the overall direction of federally funded R&D in cybersecurity.

This Plan was developed by a task group of subject-matter experts from the NSTC and the NITRD Program under the leadership of the White House Office of Science and Technology Policy. The task group also issued a Federal Request for Information through NITRD to provide industry, academia, and the public an opportunity to offer input to this Plan.6 Responses to this Request for Information are posted on the NITRD website.7

This 2019 Plan carries forward essential concepts and framing from the 2016 Federal Cybersecurity Research and Development Strategic Plan:

• Effective cybersecurity requires maturing capabilities founded upon four defensive elements: Deter, Protect, Detect, and Respond (this was previously Adapt; however, Respond is a more comprehensive approach that includes Adapt).

• Science and technology (S&T) advances are needed to counter adversaries’ asymmetrical advantages in cyberspace with proactive risk management, through sustainably secure systems development and operation, and via effective and efficient deterrence of malicious cyber activities.

• A strong focus is required on evidence-driven S&T for cybersecurity; evidence of efficacy and efficiency is needed to guide cybersecurity R&D and to improve cybersecurity practices.

• Advances in the following areas are critical to successful cybersecurity R&D: human aspects, research infrastructure, risk management, scientific foundations, and transition to practice.

The following key updates and new priorities are put forth by this 2019 Plan:

• People—users who are affected by computing and communication systems—must be included in the realm that needs to be protected by cybersecurity, in addition to systems and data.

• Frameworks and methodologies are needed that will enable developers to reason across and manage safety, security, resiliency, and privacy requirements holistically and concurrently.

• Efficient adaptation, countering, and recovery capabilities are needed to engender an effective Respond capability.

• Focused and coordinated R&D investments are needed in the cybersecurity aspects of these priority areas: artificial intelligence, quantum information science, trustworthy distributed digital infrastructure, privacy, secure hardware and software, and education and workforce development.

Cybersecurity R&D is a shared responsibility, with essential roles for government, industry, and academia. Government funds long-term, high-risk research and performs mission -specific R&D. Industry funds near- term research and transitions successful research into commercial products. This document lays out a research agenda for federally funded R&D carried out by government agencies and the U.S. R&D enterprise, informed by interactions with industry and academia.

Strategic Framing

This Plan focuses on thwarting malicious cyber activities and campaigns by developing S&T to support four defensive elements: Deter, Protect, Detect, and Respond. This strategy is driven by evidence-based evaluations and measurements of the efficacy and efficiency of cybersecurity S&T solutions. The solutions are effective if they achieve the desired security result; they are efficient when the measured units of benefit are greater than the minimized units of cost. Along with an investment in technology solutions, the Plan highlights the importance of investments in a diverse workforce of cyber professionals who can design and implement suitable cybersecurity measures as well as manage risk.

Cybersecurity Context

Cybersecurity must be understood as a multifaceted domain where a variety of social, technical, economic, and legal goals, actors, and processes interact. Solutions for improving cybersecurity need to be designed and evaluated in this multidisciplinary context. This Plan makes the following key observations about the cybersecurity domain:

Adversaries. Adversaries will perform malicious cyber activities if they perceive that the potential benefits outweigh their expended effort and probable consequences.

Defenders. Defenders must thwart malicious cyber activities against valuable and critical systems while technologies and threats are continually evolving.

Users. Users will circumvent cybersecurity practices that they perceive to be irrelevant, ineffective, inefficient, or overly burdensome.

Technology. Because technology connects the physical and cyber worlds, the risks and benefits of the two worlds are interconnected.

Dual-use. Many security technologies can be used for either offensive or defensive purposes.

Policy impact. National policies such as patents, regulations, or export controls can have significant impact on both research and the transition of research to practice.

Challenges

A fundamental research goal for cybersecurity is to make it less onerous while seeking to provide more effective protections. This challenge can be met by developing a deeper understanding of how to evaluate the quality of cybersecurity (including the assessment of the cyber risk), how to leverage cybersecurity mechanisms to support privacy needs, and how to manage tradeoffs between applying cybersecurity while maintaining delivery of vital services. To accomplish the vision of a trustworthy cyberspace and effective cybersecurity practices, priority should be given to developing solutions to the following goals:

Better understanding of human aspects: Today, “cybersecurity” is characterized too narrowly as the practice of protecting computers, networks, data, and the resulting IT systems. This characterization needs to be expanded to explicitly include the sociotechnical issues and the roles of humans as developers, defenders, users, and adversaries and to elevate human-oriented issues to be among the priorities for cybersecurity R&D. The human aspects goal also focuses on ensuring that end-users and computer professionals can understand and make effective security decisions, and that systems and policies account for their abilities, needs, and expectations.

Effective and efficient organizational risk management: Organizations need an understanding of the range of vulnerabilities and threats in cyberspace and how it applies to them. This involves evidence- based risk management, which is the process of identifying, assessing, and responding to risk, including the development of effective and measurable controls. Organizations must have access to evidence of the efficacy and efficiency of these controls as well as be prepared to consider the human aspects with respect to users, developers, operators, defenders, and adversaries.

Effective and efficient deterrence and countering of malicious cyber activities: Techniques are needed that can discourage malicious cyber activities by increasing costs and risks and lowering gains for adversaries. Active forms of deterrence that utilize appropriate countermeasures to reduce the operational effectiveness of malicious cyber activities are also needed—that is, actions or techniques that reduce threats, eliminate or prevent attacks, or minimize the harm they can cause.

Integrated safety-security-privacy framework: Many operational systems being developed today (e.g., autonomous vehicles) require that safety, security, resiliency, and privacy requirements be managed concurrently. However, frameworks do not yet exist that allow holistic integration of such requirements. Frameworks and methodologies are needed that will enable designers and developers to reason across all domains concurrently.

Sustainably secure systems: There is an acute need for design and implementation of software, firmware, and hardware that are highly resistant to malicious cyber activities, along with development of effective, measurable technical and nontechnical security controls that consider human behavior as well as the economic drivers associated with cyberspace.

Approach

This Plan provides a framework of four interrelated defensive elements to realize cybersecurity goals; they are defined as follows:

Deter: The ability to discourage malicious cyber activities by increasing the costs to, diminishing the spoils of, and increasing the risks and uncertainty for potential adversaries.

Protect: The ability of components, systems, users, and critical infrastructure to efficiently resist malicious cyber activities, and to ensure confidentiality, integrity, availability, and accountability.

Detect: The ability to efficiently detect, and even anticipate, adversary decisions and activities, given that perfect security is not possible and that systems should be assumed to be vulnerable to malicious cyber activities.

Respond: The ability of defenders, defenses, and infrastructure to dynamically react to malicious cyber activities by efficiently adapting to disruption, countering the malicious activities, recovering from damage, maintaining operations while completing restoration, and adjusting to thwart similar future activities.

These four elements are similar but not identical to the five core functions in the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity.8 Whereas the five NIST core functions (Identify, Protect, Detect, Respond, Recover) are geared toward operational cybersecurity risk management, this Plan is intended to guide cybersecurity R&D. The main difference is that the Identify function and Deter element do not have exact complements in the two approaches. However, the differences do not introduce any incompatibility between these efforts.

While this Plan identifies the need for R&D to develop effective countering techniques, such techniques are intended to provide defensive capabilities. R&D for offensive cyber operations is out of scope for this Plan.

Figure 1 shows how the Plan’s four defensive elements aim to thwart malicious cyber activities and campaigns and the value of continuous outcomes-driven improvements in efficacy and efficiency.

挿絵が含まれている画像

自動的に生成された説明

Figure 1. Continuously strengthening the four interrelated defensive elements improves success in thwarting malicious cyber activities overall.

The Defensive Elements

The value created by computing and networks will continue to be subverted by those seeking illicit gains. IT systems should be assumed to be vulnerable to malicious cyber activities, and perfect security is not possible. Security should be viewed as a flexible, ongoing process of self-evaluation and informed actions of adjusting and responding to threats as they evolve. The cybersecurity framing of Deter, Protect, Detect, and Respond addresses the full range of cybersecurity needs, and by doing so, it provides a structure for coordinating research and focusing on shared goals. This section describes each of the defensive elements.

Deter

The most effective way to secure a system from cyber threats is by deterring malicious cyber activities before they can compromise the system or the enterprise. Deterrence, in the broad sense used by this Plan, requires increasing the level of effort that adversaries must apply to achieve their objectives and increasing the possible negative consequences for them from their actions. If adversaries judge that the likely costs of malicious activities, including risks of prosecution or sanctions, are greater than their expected benefits, they are more likely to be deterred from attempting the activities. Increasing both the required level of effort and the negative consequences for adversaries is needed for successful deterrence. Deterrence through threats of retaliation (e.g., prosecution and sanctions) alone has not been effective against most malicious cyber activities due to current limitations with attribution of cyber attacks and prosecuting across jurisdictions.

Challenges

Deterrence requires effective, multipronged defenses that increase the number and types of resources an adversary must have. A successful cyber defense has many facets, ranging from the appropriate technological solutions (e.g., designing secure software, hardware, and operating systems), to network protocols and access controls, to human factors such as safe data handling by users. In this manner, effective deterrence relies on the other three defensive elements—Protect, Detect, and Respond—to increase the costs and decrease the benefits to adversaries of their malicious cyber activities.

Deterrence also requires successful attribution of cyber attacks to specific offenders to dissuade them from pursuing cyber attacks. However, identifying the origins of individual malicious actions in cyberspace can be difficult, because the actors are often in different jurisdictions than the systems they attempt to breach, and they operate through proxies and other anonymizing procedures. Improving attribution will require progress in effectively collecting and sharing activity indicators across organizations and jurisdictions. A related challenge is developing forensic techniques that are robust enough to preserve evidence such that it is suitable for use in legal proceedings while also bolstering immediate detection and cyber analytical abilities.

To meet these challenges, new technologies are needed to measure and verify the ability of an enterprise to thwart adversary efforts and to ensure that law enforcement, government agencies, and system and network owners can successfully attribute malicious activities to their sources. Examples follow of the needed capabilities:

Modeling attackers, defenders, and users. Effective models of the actors in cybersecurity are critical to properly assessing attackers’ risks, costs, and capabilities. The Critical Dependencies, Human Aspects, section of this Plan gives a wide range of considerations for these models. In the context of deterrence, key factors are modeling attacker effort (i.e., money, time, or computational cost), effectiveness, and risks, given the characteristics and capabilities of the defenders and users.

Providing effective and timely attribution. Accurate attribution of malicious cyber activities to their sources opens a broad range of response options, such as sanctions or prosecution.

Supporting robust investigations. Effective investigative tools for law enforcement create the basis for collecting the evidence required for successful prosecution of cyber adversaries.

Sharing information for attribution. Effective mechanisms for sharing attribution information must be developed and must support investigations that cross international or domestic law enforcement jurisdictions.

Protect

The second defensive element, Protect, focuses on creating systems and networks that are highly resistant to malicious cyber activities through assurance-based engineering practices that will simultaneously protect a system and supply the verifiable evidence needed to support its assurance case.

Challenges

Limiting Vulnerabilities

There are five essential approaches needed to produce software, hardware, or firmware with fewer defects that present security vulnerabilities, as described below:

Design for security. In many cases, security vulnerabilities in a system are present from the start. To avoid systemic security vulnerabilities, system architects must begin with accurate threat models and a robust understanding of the intended applications. Further, security tools, policies, and systems must operate as part of larger sociotechnical systems. This demands design attention to interoperability, maintainability, and evolvability in the context of other technologies, and to how these tools can be adopted by and adapted to the human and organizational contexts in which they will be deployed.

Build secure. Implementation errors can undermine the security of well- designed components. Although common vulnerabilities such as buffer overflows and memory leaks are well understood by most developers, they remain difficult to eliminate. Existing tools and practices that prevent developers from creating specific types of security vulnerabilities are imperfect and inefficient. To reduce common product vulnerabilities, tools and practices for software and hardware development are needed that significantly improve developer productivity and operational system performance.

Verify security. Even when products are designed for security and are built to be robust, implementation errors may creep in during system development. In addition to undergoing functional testing, components should be subjected to rigorous security analysis throughout the development process. Because adversaries use static analysis tools and fuzzing tools to find previously unknown (“zero-day”) software vulnerabilities, rigorous application of these tools should be used to identify and eliminate vulnerabilities before a product goes to market.

Maintain security. Inevitably, even software that is well-designed, implemented by knowledgeable developers with good tools, and subjected to comprehensive security testing still will have defects. When errors are identified, the software must be updated. The mechanisms used to update software can unintentionally introduce vulnerabilities instead of eliminating them. Building in secure mechanisms for updating software or firmware is essential to securing products throughout their lifecycles.

Verify authenticity. The four approaches listed above offer the potential to dramatically reduce the number of vulnerabilities in hardware and software, but only if users deploy authentic, unaltered products. Objective measures for supply-chain assurance are needed to increase an organization’s ability to confirm a product’s provenance. Research into objective measures for supply-chain assurance (e.g., cryptology-based markers) is needed to achieve these aims.

Enforcing Security Principles

Better techniques are needed for enforcing security principles where efficacy and efficiency are lacking in current mechanisms. Several important system requirements are noted below:

Authenticate users, devices, and systems. User authentication is a traditional building block for enforcement of security policy, but deployment of strong multifactor authentication systems continues to present challenges. The proliferation of Internet of Things (IoT) and autonomous systems increases the need for strong and efficient authentication of devices.

Control access. Access controls build upon authentication to support the implementation of security policies and authorizations. Systems often rely on coarse-grained access controls even though more robust mechanisms such as role-based access controls are available. To accurately enforce security policies, improvements in access control efficiency are needed for system administrators.

Use encryption mechanisms to protect data. When standard protection mechanisms fail and an adversary gains access to an IT system, or when data are transmitted across networks where eavesdropping is possible, cryptographic methods could deny intruder access to plaintext data and ensure that adversary modifications do not escape notice. Decryption of data is currently required to perform system operations or modifications, thus creating opportunities for a patient adversary; more efficient techniques that operate directly on encrypted data would offer greater security and privacy. Cryptographic tools and techniques are also needed for constrained environments (e.g., lightweight cryptography) and for long-term confidentiality (e.g., quantum-resistant cryptography).

Mitigate vulnerabilities. Current systems continue to include many legacy components with undiscovered and unmitigated vulnerabilities. Technologies are needed to neutralize malicious cyber activities on legacy systems. Data analytics offers new opportunities to capitalize on security data and identify malicious activities in the absence of established signatures. However, as discussed later in the AI and Privacy Priority Area sections of this Plan, data analytic strategies can raise new security and privacy challenges of their own, such as adversarial machine learning and leakage of private data.

Detect

Detection seeks to ensure that system and network owners and users have situational awareness and understanding of ongoing (authorized and malicious) activities and move towards largely automated detection and warning abilities.

Challenges

Provide situational awareness. Systems and networks are highly complex, and device mobility increases complexity. To defend networks and systems, it is necessary to identify all of a system’s critical assets, when devices have been added or removed, and attributes and anomalies associated with the users. Real-time change detection is essential, including schemes that are flexible for dynamic network conditions and enable comparisons against known good system states.

Detect vulnerabilities. Changes in system configuration, installation of new applications, or discovery of new techniques may reduce a system’s level of protection or create new vulnerabilities. Tools are required to identify shortcomings in protection measures in near real-time so the situation can be remediated. Qualified personnel to serve on vulnerability assessment “red teams” are scarce.

Effectively detect rapidly evolving malicious cyber activities. Operations are highly dynamic, and context is significant; as a result, current tools have many false positives and false negatives and fail to differentiate malicious cyber activities from authorized operations. Many techniques for recognition of malicious cyber activities are also retrospective in nature: these tools look for malicious activities that conform to a known historical pattern. Such tools are rendered useless when faced with innovation by an adversary. R&D is required to ensure that detection techniques can reliably detect the full range of adversaries’ malicious cyber activities and reduce detection time. In particular, tools are needed that can detect zero-day malware and innovative sequences of operations with acceptable levels of false positives and negatives. Behavioral intrusion detection and heuristic tools, which look for anomalies compared to system baseline activities, offer a promising avenue of research. Scalable mathematical techniques capable of extracting useful information from extremely large datasets could lead to more effective detection of malicious cyber activities from data sources such as network logs.

Respond

Effective defense entails the ability to adapt, counter, recover, and adjust to malicious cyber activities. Cyber defenders must respond rapidly and effectively to adversarial activities whether precisely targeted or on a global scale. Systems must withstand these events such that their critical mission and operational functions still meet minimum performance requirements and substantial damage is avoided. Resilient systems will continue to perform correctly during and after such activities and will recover from adverse effects. To sustain resiliency, systems must also dynamically adapt to changing threats. Moreover, effective response includes countering malicious cyber activities by imposing additional costs on adversaries. Countering is aimed at exposing, degrading, disrupting, or blocking malicious activities.

Challenges

As cybersecurity technologies are integrated into complex systems and systems of systems, responses often have unforeseen dependencies and coupled interactions. Developers and users need visibility and insight into these system behaviors, as well as analytic techniques and response pathways that maintain clarity and trust and avoid unintended consequences.

Another challenge comes from the increasing use of autonomous systems, which must support response, recovery, and adjustment with little or no interaction with (or even knowledge on the part of) cyber defenders. The implications of autonomy must be considered as resilience design principles and technologies advance.

Multiscale risk governance presents technical challenges to current cyber defense activities. Decisions that increase, decrease, or shift factors that contribute to risk are made at many levels and at multiple scales. Decisions made at one level can affect other levels in complex and difficult-to-understand ways. Technical approaches are needed to identify and understand risk dependencies and explore resulting decision spaces. Complicating this process is that the time within which decisions must be made and implemented continues to shrink: detection, assessment, and mitigation of cyber threats and malicious activities must occur faster than the speed at which adversaries can exploit systems. In this ever-tightening risk management cycle, information sharing and coordination among decision makers becomes increasingly crucial.

Therefore, to improve the overall ability of systems to respond, R&D activities should improve the capacity of systems, enterprises, and critical infrastructure to adapt, counter, recover, and adjust in the three ways described below:

Provide dynamic assessment. Measure key properties and attributes of system components and assess potential damage amidst evolving threat methodologies and system requirements, thereby enabling response and recovery to a known good state.

Include adaptive response. Provide methods to adjust to actual, emerging, and anticipated disruptions, so that mission and organizational needs can continue to be met while unintended consequences and adversary returns-on-investment are minimized. These methods will support risk trade-offs in homogeneous enterprise systems in the near term and in integrated heterogeneous cyber-physical systems in the medium term. In the long term, they will enable integrated resilient architectures that are optimized for the ability to absorb shocks and speed recovery to a known secure operable state. R&D is needed to prevent adversaries from exploiting autonomous functions and the machine learning that underlies them.

Coordinate at multiple scales. Provide methods to manage risks at multiple scales (e.g., component, device, system, systems of systems, enterprise, or international coalition) and enable comprehensive and collective responses to specific types of malicious cyber activities, such as distributed denial-of-service attacks. These methods support the collection of threat intelligence in the near term, coordination of defensive activities in the medium term, and negotiation and orchestration of collective defenses in the long term.

Priority Areas

To advance the objectives of the Administration’s 2018 National Cyber Strategy and FY 2021 Research and Development Budget Priorities Memorandum and tackle emerging or existing cybersecurity challenges that require coordinated, multiagency research efforts, this Plan identifies six areas for priority R&D. These Federal cybersecurity R&D priorities are not the exclusive domains where R&D is needed; additional cybersecurity R&D is needed for capabilities important to specific agencies or government missions. Advances in the priority areas will also strengthen cybersecurity across all four defensive capabilities, as illustrated in Table 1.

Table 1. Priority areas and their impact on cybersecurity

			Defensive Elements
		Deter	Protect	Detect	Respond
	Artificial Intelligence				

Areas	Quantum Information Science		

	Trustworthy Distributed Digital				
	Trustworthy Distributed Digital
Priority	Infrastructure
Priority	Secure Hardware and Software			
	Privacy		


	Education and Workforce				
	Development				
	Development

Artificial Intelligence

Artificial intelligence enables computers and other automated systems to perform tasks that have historically required human cognition and what are typically considered human decision-making abilities, as noted in the National Artificial Intelligence Research and Development Strategic Plan: 2019 Update.9 In view of the substantial growth in interest and investment worldwide in applications of AI technologies, the 2017 National Security Strategy of the United States of America10 calls for increased R&D investment in AI. In February 2019, the President issued an Executive Order on Maintaining American Leadership in Artificial Intelligence whose objectives include advancing AI R&D as a national objective, preserving privacy, protecting confidentiality, maintaining safety and security, developing AI technical standards to minimize cyberattacks, and cultivating public trust in AI technologies.11 In support of the Executive Order, the National Artificial Intelligence Research and Development Strategic Plan: 2019 Update defines the priority areas for Federal investments in AI R&D.

AI has significant potential impacts on national economy and security; it is thus essential to guard AI technologies from unintended uses and hostile exploitations by leveraging cybersecurity practices. The emerging threats posed by AI-enhanced autonomous systems deserve serious attention. Conversely, AI techniques are expected to enhance cybersecurity by either automating certain routine tasks or assisting human system managers to monitor, analyze, and respond to adversarial threats to cyber systems. This Plan highlights the mutual needs and benefits of AI and cybersecurity.

Challenges

AI systems design should be informed by security, safety, and privacy principles. While these principles are not synonymous and in fact can be in tension, there are common characteristics upon which converged results can be achieved: reproducibility, accountability, interpretability, explainability, verifiability, transparency, and reliability. Existing cybersecurity concepts may have to be reformulated and redesigned to cope with AI models, algorithms, and the human-AI system interactions. Below are key issues at the interface of AI and cybersecurity:

• AI effects on operational speed and scale. AI systems operate at speeds and scale beyond human and current technological capabilities. This is of concern in areas where malicious activities may be driven by AI, leading to an increasingly asymmetric engagement between attackers and defenders unless AI is likewise used for cyber defenses. In general, AI systems will enable more sophisticated and automated cyber defense, and if not implemented with appropriate controls, could also be wielded offensively to perform malicious activities.

• Interpretability, explainability, and transparency of AI. Reasoning used in AI systems is very different from that used by humans and is not always intuitive to humans. Even though some individual algorithms used in AI can be comprehensible, their collective behavior may not always be. Thus, being able to understand, interpret, explain, and anticipate AI outputs and outcomes with transparency is difficult. Assessing biases in data or AI algorithms and guarding against these potential biases without compromising privacy will contribute to creating trustworthy AI, as will strengthening AI’s accuracy, resiliency, safety, reliability, objectivity, and security. This raises questions such as how to model and measure trust in AI systems, and what levels of certainty should guide deployment of these types of systems. This is of concern in cybersecurity areas such as situational awareness, threat and risk estimation and management, privacy risk mitigation, and resource allocation.

• Vulnerability of systems with AI components. Many machine learning (ML) algorithms are subject to attacks throughout their lifecycles. The following kinds of attacks can take place at any stage: poisoning datasets to degrade model quality, creating backdoors that allow model creators access to other systems, crafting instances that induce classification errors, and inference attacks on both the model itself and on the dataset used to train it. Although the vulnerability surface of AI/ML is not yet well understood, it must be accounted for in AI/ML implementations. In this respect, the threat models for AI systems differ from traditional software- and/or hardware-related threats.

• Efficacy evaluation of AI cybersecurity systems. AI is increasingly becoming part of technologies that are central to our daily lives, such as healthcare and transportation. The boundaries between the cyber, the physical, the social, and the economic are ever more blurred. While this results in efficiency gains, it also increases dependencies and increases exposures to natural, manmade, and programmatic accidents and threats. This raises the likelihood of systemic risks and cascading harms from threats in one domain spilling over into other domains. AI introduces more complexity on top of existing, insufficient understanding of the efficacy of current cybersecurity technologies, such as how much security can be gained from investing in certain controls, and which controls best reduce risk. Measuring the multidimensional causal links between AI-based security controls, levels of resulting security, and outcomes in the face of threats is a significant challenge.

R&D Goals

• Simulate different decision-support scenarios with respect to threat models, including attacker/defender strategies related to specific AI/ML implementations, to avoid endless attack-defense cycles perpetuated by AI/ML techniques. Expand and explore new AI-based techniques for cybersecurity tasks beyond malware and intrusion detection and beyond signature-based approaches. Develop automated orchestration of security capabilities that use AI.

• Study the behaviors of AI systems, including their behaviors in the presence of human interactions, in order to make the systems trustworthy. Develop methodologies to validate and interpret results from AI systems against human perceptions and expectations. Develop techniques to improve provenance of results produced by AI systems.

• Develop tools and techniques for understanding attacks and defenses against ML systems. Improve formal method techniques to verify security and robustness of ML algorithms at both training and deployment times. Find cryptographic methods to ensure tamper-resilient storage of training data and tamper-resilient computation for ML, and to enable data sharing for machine learning without disclosing the sources or sensitive information. Develop new AI-based capabilities that can accommodate semantic security properties. Study potential vulnerabilities of chips, processors, and special-purpose devices built for AI applications, in view of the emergence of AI and neuromorphic chips and processors that feature in-memory processing and analog computing.

• Develop models, definitions, and metrics of security and trust that can be used to evaluate AI cybersecurity systems and AI-based cybersecurity controls. Ensure that security, safety, and privacy be preserved at different levels of abstraction, from high-level planning and decision-making to low-level execution of AI systems.

Quantum Information Science

Quantum computing raises the possibility of some current data encryption systems being defeated. For this reason, the Administration’s 2018 National Cyber Strategy points out the potential impacts of quantum computers. Recent progress in realizing small-scale quantum computers demonstrates the commercial and public interest in these devices. While there is a vast gulf between these devices and large-scale quantum machines that would threaten current cryptological standards,12,13 the anticipated impacts on security necessitate early planning to ensure that the national cybersecurity goals are met.

In addition to quantum computing, other key quantum technologies identified in the Administration’s September 2018 National Strategic Overview for Quantum Information Science14 include sensing; position, navigation, and timing; and communication. Together with quantum computing, these applications are poised to shape future directions for QIS and cybersecurity research. There are two questions to consider at the interface between the two fields. The first question is whether or how quantum technologies can impact or break current cybersecurity methods; hence, securing communications and computation becomes vital. In fact, the National Defense Authorization Act for Fiscal Year 201915 cited “secure communications and cryptography” in its call for a quantum information science and technology R&D plan. The second question is how to protect future quantum computing infrastructure and quantum information technology from attacks. Since quantum technologies are fundamentally different from their conventional counterparts, it is imperative to address potential security flaws as the devices and systems are designed.

Challenges

Future quantum technologies should be secure by design, from hardware to software and including the protocols that link quantum systems. Since debugging errors in quantum software and hardware is highly nontrivial due to quantum mechanical effects, correct-by-construction implementation is desirable. Conversely, because quantum technologies hold promise for achieving a higher level of security beyond classical computing limits, understanding quantum capabilities and finding ways to circumvent their fundamental limits have far-reaching implications. Below are the overarching challenges:

• Securing quantum software. Trusted and assured software stacks for controlling quantum computers, processors, and devices are critical because, unlike the conventional software testing process, the states of quantum programs cannot be directly examined for potential errors. Quantum programs that operate directly on a quantum device should utilize the laws of quantum mechanics to prevent illegal operations. Computational effects of quantum programs are presently unknown.

• Securing quantum hardware. Testing and debugging hardware components are difficult tasks due to quantum mechanical effects. Current knowledge of side-channel attacks on quantum devices is confined to quantum key distribution (QKD). A broader look at the issue of general quantum hardware is desirable. Moreover, as quantum systems will likely be built from different types of quantum hardware platforms, the resulting heterogeneous platforms and their interconnects are likely to be targets of attacks.

• Designing efficient quantum cryptographic protocols. Efficient protocols (beyond QKD) are still elusive for designing quantum information, communication, and computation with security requirements stronger than classical settings, and systems must be robust to noise and feasible to implement. Composability of quantum and/or classical resources is not well understood. Classical proof techniques for establishing security of protocols do not always carry over to the quantum settings.

• Anticipating quantum attacks and countermeasures. Known methods of attack perpetrated by quantum technologies on current systems are relatively few, e.g., Shor’s algorithm and attacks on QKD systems. Countermeasures against quantum attacks are also scarce, e.g., device-independent quantum information.

R&D Goals

• Design type-safe quantum programming languages for controlling quantum processors and for interacting with quantum memories. Understand the side effects of programming a quantum computer, especially in the presence of quantum effects and noise. Design and build tools to analyze quantum programs akin to formal method techniques for classical software and protocols.

• Explore new theoretical and experimental methods to probe quantum states, quantum processes, and their quantum properties to diagnose and analyze hardware for its security properties. Find algorithms and experimental techniques to efficiently test and evaluate quantum hardware or devices for functional correctness.

• Draft standards for quantum-resistant cryptography while observing the recommendations of NIST and the National Security Agency. Devise a plan for implementing quantum-resistant cryptography while studying its potential vulnerabilities. Integrate classical, quantum-resistant, and quantum cryptographic techniques. Design, analyze, and test quantum security protocols, beyond QKD, for security and efficiency. Extend these protocols to multiparty scenarios whenever possible. Demonstrate a small number of protocols to validate their utility on quantum systems.

• Understand how quantum technologies can be exploited for attacks on classical and/or quantum systems. Understand security threats against quantum devices and their supply chain, including materials designed for various physical platforms. Design security models, craft provably secure countermeasures against quantum attacks, and demonstrate the feasibility of these defense mechanisms.

Trustworthy Distributed Digital Infrastructure

A trustworthy distributed digital infrastructure (TDDI) is a critical enabling element for the United States to underpin the growth of new industries that will help drive the Nation’s economic growth and keep the Nation as the world leader in innovation. This imperative is recognized in the Administration’s 2018 National Cyber Strategy, specifically to “facilitate the accelerated development and rollout of next-generation telecommunications and information communications infrastructure in the United States,”16 which includes the deployment of advanced fifth-generation (5G)-and-beyond wireless networks.

A TDDI will help distribute computing to the new network edge, enabling a wide range of applications and societal benefits for manufacturing, healthcare, smart grids, autonomous vehicles and mobility, and smart cities. Recognizing this opportunity, the Administration’s FY 2021 Research and Development Budget Priorities Memorandum calls for agencies to prioritize R&D to “lower barriers to the deployment of surface, air, and maritime autonomous vehicles.”17

Challenges

5G and Post-5G Wireless Security and Resiliency

5G wireless networks are poised to transform the world’s digital infrastructure, supporting a connected society with higher data rates, lower latency, and higher reliability. While the underlying technologies for 5G are largely complete, research is needed into cost-effective means to ensure secure and resilient communications over potentially untrusted infrastructure. A significant area of concern is securing the information and communications technology and services supply chain underlying 5G technology.18

Additionally, research is needed to shape the capabilities required in the next generation of networking technology, including faster, higher-bandwidth 5G and post-5G networks, and secure autonomous spectrum sharing.19 It is critical to design security from the beginning into all layers of post-5G networks and services, from mobile devices through radio access and core networks, to the Internet, and into enterprise systems and applications.

Edge and Fog Computing

Cloud computing continues to grow year after year, particularly in the infrastructure-as- a-service sector. Increasingly, cloud applications need to provide feedback to end users in real time. The low-latency requirements are pushing analytics and data processing close to the network edge where the data are first collected. Fog and edge computing have emerged to meet this need.

In fog computing, computation and storage are moved as needed to nodes between cloud servers and edge nodes. Computations that require only local data can be performed at the intermediate nodes, while global processing continues to be performed in cloud servers. This hierarchy of data processing services has evolved to become a new paradigm, with fog nodes communicating directly with each other as needed to perform global-level computations.

Edge computing started as the introduction of applications in mobile network base stations, but it has developed into an edge-centric computing paradigm in which edge nodes communicate in peer-to-peer fashion to perform tasks and compute data of immediate local value. This computing paradigm can take advantage of fog and cloud nodes to provide stable resources when needed.

End-to-end security becomes complex and challenging when data are located in centralized cloud servers, intermediate fog nodes, and edge devices. Addressing this context, the 2019 Federal Cloud Computing Strategy20 recommends implementing security controls at the data layer in addition to the network and physical layers, thus providing a multi-layer protection strategy.

Internet of Things

The Internet of Things is now a reality as a growing number and variety of consumer devices, home appliances, and sensors used for transportation and municipal services share compute power, network connectivity, and ability to be controlled remotely. The IoT environment is complex, and its security challenges are just as complex. IoT devices are often limited in computational, data storage, communication, and available power resources. Approaches to authentication, encryption, and security policy enforcement that work for the desktop and server environment will not be deployable to a resource-constrained device. Usability and human factors are also a challenge for the secure design of IoT because the devices have limited user interfaces, and the typical user of consumer devices is not trained in cybersecurity and may not make reliably good security and privacy decisions.

Cyber-Physical Systems and Critical Infrastructure

Cyber-physical systems (CPS) are engineered systems that are built for and depend upon the seamless integration of computation and physical components. Examples of such systems can be seen in “smart,” Internet-connected manufacturing assemblies, traffic flow controls, rescue robots, border security drones, and consumer medical devices, among a host of others. Advances in CPS will enable advanced capability, adaptability, scalability, resiliency, safety, security, and usability that will expand the horizons of these increasingly critical systems.

As CPS systems become more complex, the interdependence of components increases the vulnerability to attacks and cascading failures. The algorithms that control CPS may be complex and opaque, and their security may depend on autonomous cyber defense rather than human intervention, as well as on secure analog and digital electronic hardware. Furthermore, restoration and resiliency of CPS systems after a fault or cyber attack may be challenged by the potential overload on the physical systems.

R&D Goals

• Develop methodologies and standards interconnected networks with multiple to support seamless, end-to-end security across owners, trust domains, topologies, networking paradigms, and the full range of mobile devices and mobile network layers. Enable secure ad hoc establishment, management, and disposal of tailored trust domains within a larger general-purpose infrastructure. Develop software assurance solutions for virtualized radio access networking and for security of software-defined networking for the core network. Design analog and mixed-signal solutions at the wireless end points, where radio frequency components play critical roles, to assure secure and reliable autonomous transceiver reconfiguration, antenna beamforming, and dynamic spectrum utilization.

• Develop technologies to sustain autonomous management of security across the communication infrastructure in ways that balance strength of security services with performance requirements of availability, latency, processing, and storage capacity. Develop data-centric security solutions based on the protection requirements of the data across all networking paradigms: cloud, fog, and edge computing. Devise privacy protection mechanisms that can be tailored to the location and role of a node in a combined sensing/communication/computing paradigm—from the sensor where raw data lack context, to more robust protections as the aggregation of data increases in volume and source diversity.

• Develop end-to-end security and key management capabilities that will allow highly secure, highly resourced nodes to interoperate with resource-limited edge and IoT devices. This includes devising effective access control, authentication, cryptography, and key management techniques for limited-resource nodes. Develop technologies to attest and verify devices and systems at varying levels of computational capabilities.

• As CPS systems (e.g., cars, medical devices, and utilities) scale in the number of devices they connect and the volume of data they process, develop approaches to assure that they remain resilient to adverse cyber activities. This includes developing accurate models of CPS environments to reduce vulnerabilities and mitigate the impacts of incidents and failures. Develop methods and technologies that will successfully integrate human decision-making with cybersecurity technologies and process control technologies. Advance formal methods to validate high-assurance, fault-tolerant, adaptive subsystems that can operate in contested and degraded conditions for long periods without human interaction.

Privacy

Privacy is a confluence of multiple values such as solitude, confidentiality, and autonomy that define an individual’s control of personal information, identity, or the boundaries of personal spaces. Privacy comprises a multitude of disciplines: ethics and philosophy, sociology and psychology, law and government, economics, and technology. Broad recommendations for R&D in privacy have been presented in the 2016 National Privacy Research Strategy.21

In the context of cybersecurity R&D, this Plan focuses primarily on privacy aspects that involve collection, disclosure, and use of an individual’s private information, including identity; patterns of behavior; and economic, social, or other discriminators. Confidentiality and integrity principles necessitate controls that limit unauthorized access, use, and disclosure of data. Security can be the mechanism by which privacy risk is prevented, reduced, or mitigated when the data or system to be secured implicates privacy interests and values. However, secure systems might be in tension with privacy, especially when considering the security principle of availability. This is manifested when users’ desires to control privacy-relevant data run up against the needs of system stakeholders to control that same data for authorization, attribution, and/or monitoring for situational awareness, decision support, risk modeling, incident response, and/or threat scoring. Nevertheless, cybersecurity research must consider privacy management as a fundamental aspect of the design of secure systems.

The following challenges need to be overcome to ensure that individuals’ privacy is protected in an open, highly digitized economy, and to ensure that U.S. Government agencies, commercial entities, and social networks can access and use personal data in authorized ways without putting individuals’ personal privacy at risk.

Challenges

• The difficulty of designing privacy-protecting systems. People value privacy differently, perceive privacy-related harms differently, and vary their privacy requirements with circumstances. To develop systems that are more respectful of peoples’ privacy choices, system designers and developers need to better understand what people value regarding privacy, what people’s privacy desires and expectations are, and the ways privacy might be infringed upon.

• The lack of appropriate tools for designing systems. System designers need tools that incorporate effective privacy requirements and controls. Even when designers do consider privacy at the beginning of the design process, they lack a systematic approach for understanding and assessing the risks that a system might pose to privacy, for identifying and expressing privacy requirements for a system, and for designing controls that can achieve those goals.

• Individuals’ needs not only to understand the rules that govern the use of personal data, but also to have confidence that the rules are observed in practice. Techniques are needed that will facilitate people’s expression and implementation of privacy preferences. Furthermore, advances are needed in technologies that can assure that personal data are linked with the rules appropriate for the context in which they are collected and that operations applied to those data are governed by those rules.

• Privacy concerns deriving from the growing interest in publishing statistics, analyses, and raw data that involves people. Existing approaches for protecting privacy, such as the removal of personally identifiable information, have not been able to address the privacy risks of large-scale data collection, analytics, and release. As more information about individuals is stored and made available, data analytics can often be used to link sensitive information back to individuals, despite efforts to anonymize the data. Techniques are needed to measure and balance reidentification risks against the benefits of data use and storage.

• Requirements for effective solutions for recovery from privacy violations. Existing recovery mechanisms are limited and are inconsistent in their efficacy. New approaches for recovering from privacy violations need to be developed that are fast, predictable, and easy to implement.

R&D Goals

• Develop research methods that can reliably and validly sample, measure, and represent people’s privacy desires, expectations, attitudes, beliefs, and interests. Develop methods and technologies that can identify privacy violations and privacy harms effectively and efficiently, with the capability to assess privacy harms.

• Devise frameworks that integrate safety, security, and privacy requirements, allowing system designers and developers to reason across all three domains concurrently. Develop privacy trust models that encompass a broad range of authorized data disseminations and uses. Develop languages and reasoners to formally specify, compose, and enforce targeted privacy requirements, including translation from natural-language privacy statements or information-sharing agreements. Advance system design tools for managing privacy risk, i.e., standardized frameworks, libraries, and interfaces; tools to verify designs against privacy requirements; and tools to standardize privacy requirements from data owners and custodians. Such design tools should support end-to-end composable mechanisms that protect the privacy of sensitive inputs at rest and in use, resulting in outputs that are tagged for privacy policy enforcement by their consumers.

• Develop efficient, robust, and agile privacy controls for distributed analytic applications that can be tailored to the privacy requirements and the available resources of each party (e.g., secure, multiparty computations). Techniques are also needed to automatically invoke and verify privacy controls in accordance with policies. Devise methods that allow composition of privacy rules of an aggregate or function output from the privacy requirements of each record or function input.

• Foster techniques and models that can systematically assess and quantify privacy risks, such as the effectiveness of privacy protections and changes in privacy risk when disclosed personal information is correlated with other information. Develop metrics and measures of reidentification risk for disclosed and obfuscated data, both at the time of disclosure and obfuscation and over subsequent accesses, uses, and potential correlations with other data.

• Develop models, techniques, and evaluation metrics for redress and recovery from privacy violations, such as provable assurance that personal information is removed from a dataset or is otherwise rendered inaccessible. Research techniques to identify and redress inaccurate or unauthorized personal information informing machine learning models.

Secure Hardware and Software

Computing today is geospatially dispersed—ranging from mobile edge devices to data centers—and highly heterogeneous in nature—ranging in capabilities from tiny microcontrollers, mainstream CPU, GPU (graphics processing unit), and reconfigurable processors to highly customized NPUs (neural processing units). Computing systems execute highly diverse tasks ranging from sensing, perception, planning, and data processing to complex scientific applications where computation and data may be offloaded from one system to another continuously for performance, load-balancing, and fault tolerance. Data and storage are geo-replicated, and the network evolves with time. Vulnerabilities and defects of any remotely accessible software can have significant cybersecurity consequences for the system. Software is developed with vulnerability and defect rates that force dependency on a detect-and-patch paradigm that is expensive and ineffective. Against this backdrop, securing data, codes, and computation from hardware and software to network and storage poses significant challenges. The tools and capabilities of adversaries improve with time. Assumptions about threats need to be reevaluated and defenses need to be adapted constantly.

The foundation of security is authentication of hardware, attestation of low- defect software, and secure software updates to migrate a system forward by revoking compromised assets and patching newly discovered vulnerabilities. Secure root-of-trust provides such a foundation for these functions by establishing an unforgeable identity that remains inseparable from the computing assets and provides a small trusted computing base with hardware-protected cryptographic keys used for these purposes.

Secure hardware and software are a required foundation for the modernizing of U.S. military forces, as identified in the 2018 National Defense Strategy of the United States of America.22 This foundation enables the development of resilient and survivable cyber capabilities, federated networks and information ecosystems, missile defenses, nuclear forces, autonomous systems, and other critical functions identified in the National Defense Strategy. The development of a secure hardware and software foundation are further supported in the 2018 National Cyber Strategy.

Challenges

The following paragraphs describe cybersecurity challenges in hardware (HW) and/or software (SW), as indicated in the side headings:

• Trusted hardware and secure supply chain (HW). The foundation of computing is built on the premise that hardware can be trusted: the hardware executes as specified and does nothing less and, more importantly, does nothing more, i.e., it does not execute instructions or functions without explicit commands to do so. Since much hardware originates offshore, maintaining trust in the hardware supply chain is crucial. Hardware Trojans or backdoors that exfiltrate information remain a great concern. Other concerns relate to theft of intellectual property; compromised supply chain with aged or untrusted parts; and verification of third-party intellectual property, which may be cloaked with unknown features that increase the attack surface or add complexity that makes verification difficult.

• Adverse possession (HW/SW). In a distributed computing environment, there are multiple opportunities for an adversary to gain physical possession of a remote device, allowing the adversary to observe the device functions, obtain data/memory/software dump, de-package and reverse-engineer hardware, supply malicious inputs to the system, and emulate device behavior. Both a remote device’s hardware and software must stand up to physical attacks.

• Hardware vulnerabilities (HW). It is difficult to patch hardware vulnerabilities. Recent attacks against commercial microprocessors demonstrate the vulnerabilities of microprocessor systems.23

• Design-for-security (HW/SW). Both hardware and software should be designed with security considerations right from the beginning of the design process. Security features such as authentication, access control, and encryption are relatively well understood, yet design-for-security has remained elusive due to lack of good security abstractions, lack of integrated tool suites to aid in secure design, and the economics of design. There is a need for quantifiable and measurable security abstractions that effectively capture current and future attacks to advance design-for-security, short of which, defensive design will remain a piecemeal approach prone to vulnerabilities. Similarly, there is a need to define roles and permissible actions for various actors, including users, system administrators, and underlying software systems, early in the design cycle to formally verify the security of systems against these roles.

• Economics of security (HW/SW). Economics of design favors component reuse, often resulting in feature sets larger than necessary, which increases the attack surface and compounds verification problems. Furthermore, developers are less likely to provide the low-defect software that security requires if doing so imposes time and effort penalties.

• Secure update (SW). It is crucial that the software of a system remains updatable to allow newly learned vulnerabilities to be patched, compromised assets to be isolated and contained, and software to evolve as needed.

Effective management (SW). Software systems must be designed so the security and privacy aspects can be effectively configured and managed, and so they take into consideration the various levels of expertise of the people charged with performing such tasks. Security for software systems also must address their continual evolution through development and operational phases as defects are detected and fixed; new missions, markets, and platforms are targeted; and new capabilities are added. Further, fixing software defects imposes a risk of introducing additional defects, which squarely points to a need for improved management of software development and testing.

R&D Goals

• Develop cost- and threat-proportionate integrated root-of-trust alternatives for various hardware devices, ranging from low-cost IoT devices and networked sensor devices to server computers. Develop techniques for authenticated secure boot, authenticated secure software updates, and authenticated secure software execution with security guarantees extending from the hardware layer to the application layer.

• Develop novel processes, techniques, and mechanisms that protect against reverse-engineering efforts.

• Develop mechanisms and tools that verify the security properties of hardware.

• Develop secure debug and testing techniques. Develop crypto-agility to migrate existing advanced encryption standards-based infrastructure to post-quantum cryptographic solutions. Develop hybrid cryptography schemes for cost-proportionate security. Develop efficient general solutions against code-reuse attacks.

• Develop new software development methodologies that allow rapid revision and regression against security goals.

• Develop secure update mechanisms that support the full range of product formats (i.e., proprietary and open source); applications (e.g., enterprise services and IoT); and lifecycles.

• Develop empirical understanding of software defect rates, effort, and calendar time that are achievable with alternative software development and sustainment technologies, and of relationships between software defects and software vulnerabilities. Based upon empirical understanding, develop paradigm and supporting technology to develop and sustain software with less than 1 defect per 100,000 lines of code (LOC) without compromising quality attributes, cost, or schedule. Develop tools and techniques for effective management of software systems.

Education and Workforce Development

There is a shortage in the United States of qualified cybersecurity workers, and the supply-demand gap is increasing in both quality (the competence required) and quantity. This gap threatens all sectors of the national critical infrastructure and will throttle aspirations in the advancement of AI and QIS. The gap is deeply rooted in the education and training infrastructure; it includes a shortage of qualified teachers, trainers, and advanced faculty.24

The current culture of treating cybersecurity as an add-on requirement is a barrier to effective, efficient solutions and complicates the successful adoption of innovative technologies. The sociotechnical challenges involving human, social, organizational, economic, and technical factors, and the complex interaction among them require engagement with all sectors of society. This requires increasing diversity and inclusion and broadening participation in the R&D community. In addition, scientists and engineers often lack experience in business formation and may not understand the commercial viability of their innovations, hindering the effective transfer of technology to products.

Challenges

Cybersecurity education and workforce development, as emphasized in the 2018 Federal STEM Education 5-year plan, Charting a Course for Success: America’s Strategy for STEM Education,25 form a critical element for successful implementation and transition to practice of any advances in cybersecurity R&D. The Nation needs to make cyberspace worthy of the public’s trust by investing in an education and training ecosystem that supports the application of “systems security engineering”26 capabilities at all proficiency levels. Challenges in developing the requisite education infrastructure include the following:

• Emphasizing education imperatives in two broad categories: (1) professional careers in cybersecurity related science and technology, and (2) the general population of users of safe and secure cybersecurity infrastructure.

• Expanding student and worker support, with a focus on broadening participating by underrepresented groups, via scholarships, fellowships, and educational grants; internships, apprenticeships, and cooperative learning opportunities; consortia-based structures for education, with job rotation and cross-pollination between government, industry, and academia; and incentives for early and sustained mentoring, especially for traditionally underrepresented populations.

• Supporting innovative K–12 and after-school curricula to introduce technological awareness topics, expand adoption of transformative technological breakthroughs, and engage K–12 students and teachers to increase student interest in cybersecurity careers.

• Increasing the capacity of the U.S. education enterprise to produce cybersecurity professionals and expanding adaptability in critical areas such as the secure use of AI, quantum computing, advanced manufacturing, and emerging wireless technologies. This includes continuous reskilling of the workforce in order to keep up with the rapidly evolving IT technologies and providing funding to the academic research community—for both pure and applied research—to create and expand cybersecurity programs aligned to near-term development of enabling fields identified in this plan.

• Expanding postsecondary cybersecurity faculty by offering fellowships, retraining existing faculty, and preparing nonacademic researchers to become faculty.

• Preparing future scientists and engineers to extend their focus beyond the university laboratory to accelerate the economic and societal benefits of research projects that are ready to move toward commercialization by building a more entrepreneurial R&D workforce to support innovation and use the advancements described in the other priority areas of this Plan. This includes identifying grand challenges to foster innovation among faculty and students and to promote multistakeholder coordination and linkages; such challenges may include emergence of hypertransformative technologies that may necessitate changes in learning processes or a large realignment of education with newly identified needs of the future workforce.

R&D Goals

• Accelerate adoption of a modern taxonomy of the cybersecurity workforce, such as the National Initiative for Cybersecurity Education—Cybersecurity Workforce Framework.27 Conduct research on effective models to educate individuals of different backgrounds and ages to protect themselves from cyber threats and inappropriate content on the Internet.

• Research innovative ways to develop talent in all sectors of society to build the cybersecurity workforce, improve the preparation, increase the participation, and ensure the contributions of individuals from groups that have traditionally been underrepresented and underserved in science and engineering. Study effective models and ecosystems used in other countries to understand how to build partnerships in support of developing cybersecurity talent.

• Study the supply-and-demand forces in the innovation workplace to help predict future workforce needs. Include considerations of educational pathways and potential retraining opportunities.

• Support experiential learning, such as apprenticeships, internships, job-shadows, and other employer-educator partnerships, to align curriculum with workplace demands. Apply the research to develop systems that enable reskilling Americans for the jobs of today and the future. Promote distributed, highly scalable educational tools and expand the use of mentoring and apprenticeship as force multipliers in critical areas. Engage in strategic cybersecurity educational planning that considers how emerging technologies—including artificial intelligence, machine learning, and quantum information sciences—alter the cybersecurity focus of the Nation’s workforce.

• Accelerate adoption of convergence research among faculty and students to solve complex scientific, engineering, and societal problems that require integrating knowledge, methods, and expertise from different disciplines and forming novel frameworks to catalyze scientific discovery and innovation.

• Focus not only on developing the expertise and talent to build these systems but also on research that addresses how the education and training ecosystem can develop interdisciplinary approaches that support innovation. Conduct research to identify cybersecurity professionals capable of fostering the technological breakthroughs most critical to developing and sustaining a safe Internet environment. Enable “use-inspired research” in government-university-industry R&D partnerships that bring pressing, real-world challenges faced by industry to university researchers; leverage industry expertise to accelerate the transition of open and published research results into viable products and services in the marketplace for economic growth; and grow research and workforce capacity by linking university faculty and students with industry representatives.

Critical Dependencies

Building on the dependencies identified in the 2016 Federal Cybersecurity Research and Development Strategic Plan, advancements in this Plan’s defensive elements and priority areas critically depend on continuing development of the following areas (listed alphabetically).

Human Aspects

Comprehensive cybersecurity requires understanding the human facets of cyber threats and secure cyber systems, and development of an informed and skilled cybersecurity workforce and general public. Many opportunities exist in economic, human, and social research for improving cybersecurity:

• Advancing usable security research to design security techniques that improve usability and acceptability, cognitive efficiency and decision support, and collaboration both among people and with increasingly autonomous security systems.

• Conducting social and behavioral studies to help identify the strengths and weaknesses of incentive mechanisms to acquire and deploy cybersecurity measures.

• Developing psychological, sociological, and economic models of human weaknesses and strengths for use in analyzing security properties in systems and the respective roles of users, developers, operators, defenders, and adversaries.

• Validating models of adversary motives and susceptibility to deterrence actions such as denial, attribution, and retaliation.

• Preventing and detecting insider threats by designing systems, both human and technical, that can better identify insiders doing harm to their organizations’ cyber systems in real time.

• Pursuing studies of organizational, social, and programmer psychology to support more effective development, deployment, and adoption of security and privacy technologies.

• Modeling social and international norms, rules of engagement, and escalation dynamics of malicious cyber activities that range from phishing and ransomware, through censorship and information campaigns, to limited- and full-scale cyber-warfare to enable identification of institutional, social, and structural factors that promote or undermine a secure cyberspace.

Research Infrastructure

Access to advanced cybersecurity testbeds continues to be a hurdle for researchers. Testbeds are essential for researchers to be able to use actual operational data to model and conduct experiments on real-world system vulnerabilities and exploitation scenarios. Current methods fall short of realistically integrating human factors into experiments and accurately quantifying them as security variables to be tested. Data repositories exist today, but many are unable to deal with proliferation of massive datasets, do not support semantically rich data searches, and have limited data provenance information. The Federal Government, with industry participation, should expand the scope and fidelity of cybersecurity testbeds in multiple application areas such as cloud computing, manufacturing, energy delivery, transportation, information and networking systems, healthcare, and telecommunications. It should also enable multidisciplinary experimentation in computer science, engineering, mathematics, modeling, human behavior, sociology, economics, epistemology, and education.

Risk Management

Technologies enable cybersecurity, but achieving appropriate levels of security requires more than technology. The application of cybersecurity technologies requires significant insight into an organization’s goals, its abilities and modalities, and the nature of the threats it faces. Risk management is the ongoing process of identifying, assessing, and responding to risk. The NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View,28 presents a generally accepted process, consistent with international standards, for information-security risk management at all levels of an organization. The NIST Framework for Improving Critical Infrastructure Cybersecurity29 presents a flexible framework to help organizations manage and reduce cybersecurity risk and has been applied across a broad spectrum of organizations.

Advances in risk management, such as those below, are needed to achieve the goals of the defensive elements:

• Integrated cost modeling techniques that incorporate human factors (such as required expertise and ongoing training).

• Risk models that incorporate information about known and projected vulnerabilities.

• Integration of modeling, simulation, and exercises into risk management practice.

Scientific Foundations

Cybersecurity needs sound mathematical and technical methods with clear objectives; comprehensive theories (e.g., of defense, systems, and adversaries); principled design methodologies; models of complex and dynamic systems at multiple scales; and metrics for evaluating success or failure. Establishing scientific foundations in the areas below will directly support the goals and objectives for the cybersecurity defensive elements and priority areas:

• Formal frameworks with quantitative definitions of threats, measurable security assumptions and guarantees, and efficient formal methods for evaluating compositions of systems, defenses, and adversaries.

• Principled design techniques to construct secure systems with provable or measurable verification and validation of security properties, and characterizations of efficiency.

• Reasoning frameworks to anticipate evolving and disruptive technologies and threats.

• Theories and models aimed at understanding individual, organizational, and social needs, expectations, and behaviors around security, safety, and privacy in sociotechnical systems.

Transition to Practice

Federal agencies should increase R&D funding to cybersecurity R&D transition-to-practice activities, such as System Integrator Forums, Small Business Innovation Research activities, and consortium ventures. Streamlining and accelerating the acquisition process for the results of R&D should also remain a priority. Agencies should continue to assess and selectively utilize all contractual instruments at their disposal. For example, Other Transactions Authority can provide a mechanism to streamline and accelerate funding of R&D and allow agencies to reach performers who are typically not engaged in government-funded cybersecurity research.

Implementing the Plan

Research and development funding is a scarce resource. For this reason, it is essential to invest wisely and selectively to avoid research redundancies. This section identifies the respective roles for the Federal Government, academia and research organizations, and the commercial sector; and identifies strategies for ensuring coordination of robust cybersecurity R&D among and across sectors.

Federal Research Agencies

The Federal Government is the primary source of funding for long-term, high-risk cybersecurity research initiatives. Science agencies such as the National Science Foundation have a leading role in funding cybersecurity R&D to support this Plan. Depending upon the agency, the research may be executed in- house; at national laboratories; or in academia via grants, cooperative agreements, contracts, or other agreements. The challenge for these agencies is twofold: (1) identifying and funding the most promising and important R&D initiatives, and (2) transitioning this research into practice.

Science agencies should embrace and fund multidisciplinary research and continue to demand strong scientific methods in all funded initiatives. Mission agencies, such as the Department of Homeland Security, primarily fund applied research with a near- term or mid-term horizon to meet immediate and future mission requirements. Mission-specific R&D is often incremental in nature, and agencies should make special efforts to ensure that the desired functionality is not already available from the private sector, academia, or other Federal agencies. Both science and mission agencies should avoid funding near-term R&D unless it is directly related to mission-specific needs or creates public goods that industry is not incentivized to pursue.

Research-funding agencies also have an obligation to ensure that their R&D investments promote research integrity and protect national research assets. This objective is among the priority crosscutting actions emphasized in the Administration’s FY 2021 Research and Development Budget Priorities Memorandum (M-19-25). In addition, the Subcommittee on Research Security of the NSTC Joint Committee on Research Environments (JCORE) has been established to lead Federal efforts in developing guidance and best practices to ensure that the Nation’s researchers are protected from undue foreign influence.30 Agencies should coordinate their actions in this area through this Subcommittee.

Academia and Research Organizations

Academia is the leading R&D performer of basic research and long-term, high-risk initiatives. Academics are strongly encouraged to embrace this Plan’s focus on measurable and testable efficacy and efficiency. Where possible, researchers should provide comparisons against open datasets to enable comparison and evaluation of competing techniques. Use of open datasets also enables reproducibility of experiments, which is a basic scientific tenet. Academic researchers should incorporate strategies for transitioning successful research into practice when developing proposals and initiating research. Academia strongly influences research directions through the promotion and tenure process. Academic institutions are strongly encouraged to value multidisciplinary cybersecurity research, even where publication occurs in nontraditional journals for the field. Institutions are also encouraged to value research with rigorously defined models and experimental design.

Research organizations and professional societies are natural partners in cybersecurity R&D efforts. They produce research strategies, organize conferences, and publish journals. By establishing publication requirements for documented efficacy and efficiency, these organizations can greatly aid and improve scientific rigor in the cybersecurity field.

Commercial Sector

Budgets for commercially funded cybersecurity research are usually comparatively modest for even the largest IT companies. Private-sector R&D funding is typically internal and focused on product-development goals based on the specific needs of the company as well as on profitability and turnaround time. While companies often have the skills to perform long -term and high-risk research, the opportunity cost of their moving personnel to address these topics is high, even when government funding is available to defray the immediate costs, because longer-term research often benefits the entire industry, not just the company that funded it. Nonetheless, there are opportunities for the R&D activities of the private and public sectors to be synergistic and complementary. A well-functioning cybersecurity research ecosystem must offer several mechanisms for the two sectors to mutually benefit each other.

Coordination and Collaboration

Coordination and collaboration across sectors are essential to avoiding redundant research initiatives. The Federal cybersecurity R&D community engages with industry via many public-private partnerships. For example, partnerships exist in the area of the trusted computing base that provides technology for hardware-based cryptography, key repositories, self-encrypting drives, and device authentication. Agencies use advisory boards to obtain industry perspectives, such as the NIST Information Security and Privacy Advisory Board.31 Both the Department of Homeland Security and the Department of Defense have offices in Silicon Valley to expand their conversations with technology innovators. In addition, the National Cybersecurity Center of Excellence, an example of a Federal, state, and local government partnership (NIST, the State of Maryland, and Montgomery County, MD), focuses on accelerating the adoption of secure technologies.32

Opportunity for fruitful collaboration exists in expanding efforts to measure and verify efficacy and efficiency in cybersecurity products and services. Consumers and enterprises need such information for effective and efficient management of their cybersecurity risks. Private-sector product vendors should consider the full range of costs of using cybersecurity solutions, including financial costs, cognitive load on users, and innovation-inhibiting practices. Another fruitful partnership opportunity for commercial entities would be to jointly identify precompetitive research areas in which private-public partnership funding would be most productive.

Coordination between Federal departments and agencies is facilitated by the NSTC. Unclassified Federal R&D efforts in networking and information technology are coordinated by the NITRD Program and its National Coordination Office. Classified research efforts are coordinated by the NSTC Special Cyber Operations and Research and Engineering Subcommittee.

Federal Cybersecurity R&D Strategic Plan Implementation Roadmap

The coordinated R&D activities of this Plan are carried out by Federal agencies with varying missions but complementary roles. This arrangement assures that the full spectrum of R&D approaches is represented and engaged. Details of R&D carried out by each agency involved are provided by agencies through individually appropriate means, such as agency-specific strategic plans or implementation roadmaps, and via appropriate contracting methods such as solicitations or broad agency announcements.

Each year, the NITRD Program compiles and produces a Supplement to the President’s Budget Request (for example, see https://www.nitrd.gov/pubs/FY2020-NITRD-Supplement.pdf) which provides highlights of agency research activities in various areas of IT and networking. In the Supplement, the section describing NITRD’s Cyber Security and Information Assurance Interagency Working Group provides an overview of planned Federal investments in unclassified cybersecurity R&D. The annual Federal Cybersecurity R&D Strategic Plan Implementation Roadmap (an online appendix to the Supplement, available at https://www.nitrd.gov/publications/), provides information about the activities the agencies are pursuing in implementing this Plan.

Recommendations for Supporting Activities

The Federal Government can support this Plan by carrying out the following recommendations.

Prioritize basic and long-term cybersecurity research.

The Nation will benefit from a steady increase in Federal cybersecurity R&D, with an emphasis on basic research and long-term, high-risk research initiatives in the Deter, Protect, Detect, and Respond defensive capabilities. Because basic research and long-term research are areas where the private sector is not likely to invest, Federal investments will be important for R&D in these areas. Basic research should emphasize the development of sound scientific foundations and formal, reproducible, and quantifiable methods for assessing the effectiveness and efficiency of cybersecurity solutions.

Advance cybersecurity standards.

Cybersecurity standards and best practices that address security, privacy, interoperability, and usability are critical tools for reducing vulnerabilities of IT systems to malicious cyber activities. Federal agencies should continue to advance measurement science, standards, and related technologies in ways that underpin and accelerate adoption of effective, efficient, and practical security solutions and technologies. Effective cybersecurity standards will also support U.S. innovation and industrial competitiveness.

Accelerate the transition of effective cybersecurity research results into adopted technologies.

Federal agencies should streamline the technology transition process for federally funded research and develop a suite of standardized licensing or other intellectual property agreements that could be selected to facilitate technology transfer to commercial entities as well as to the Federal Government. Within its acquisition process, Federal agencies should support solutions and technologies that advance the capabilities described in this Plan. Agencies should align such efforts with the Lab-to-Market Cross-Agency Priority Goal in the President's Management Agenda.33

Federal agencies can also lower the barriers to entry into the cybersecurity R&D marketplace by funding common research infrastructure (e.g., testbeds and datasets) to lower the cost of entry for small businesses, startup companies, and academic institutions, and to increase overall participation in R&D.

Expand diversity of expertise and diversity of workforce in cybersecurity.

Cybersecurity is more than technology. To accelerate progress, traditional cybersecurity research should be augmented with expertise from social, behavioral, and economic disciplines. Multidisciplinary research should be promoted by funding agencies and by research institutions. Agencies should ensure that grant solicitations encourage multidisciplinary proposals. Research institutions should ensure that personnel advancement (e.g., tenure) decisions value multidisciplinary research successes and publications as highly as traditional tenure criteria.

Diversity encompasses race, gender, ethnic group, age, personality, cognitive style, education, background, and more. Harnessing the talents of a workforce that includes people of all backgrounds who are diverse in thought, experience, and skills is essential to enabling innovation and creative discovery. Organizational leaders should take measures to foster an inclusive workplace climate in cybersecurity to attract and recruit new talent and maximize workforce engagement. Federal agencies should work with cybersecurity stakeholders to promote the visibility of cybersecurity careers and increase the mobility of cybersecurity professionals across government, industry, and academia.

Abbreviations

5G fifth-generation wireless networking technologies

AI artificial intelligence

CPS cyber-physical systems

DHS Department of Homeland Security

HW hardware

IoT Internet of Things

IT information technology

IWG Interagency Working Group

K–12 kindergarten to 12th grade

ML machine learning

NCO National Coordination Office

NIST National Institute of Standards and Technology

NITRD Networking and Information Technology Research and Development

(Program and NSTC Subcommittee)

NSF National Science Foundation

NSTC National Science and Technology Council

OSD Office of the Secretary of Defense

QIS Quantum Information Science

QKD quantum key distribution

R&D research and development

S&T science and technology

SW software

TDDI trustworthy distributed digital infrastructure

1 https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf, p. I.

2 https://www.whitehouse.gov/wp-content/uploads/2019/08/FY-21-RD-Budget-Priorities.pdf (Memorandum M-19-25).

3 NSTC. National Strategic Computing 2019 Update: Enabling the Future of Computing (November 2019); https://www.whitehouse.gov/wp-content/uploads/2019/11/National-Strategic-Computing-Initiative-Update-2019.pdf.

4 https://www.nitrd.gov/pubs/2016-Federal-Cybersecurity-Research-and-Development-Strategic-Plan.pdf

5 https://congress.gov/113/plaws/publ274/PLAW-113publ274.pdf

6 https://www.federalregister.gov/documents/2018/11/13/2018-24668/request-for-information-on-update-to-the-2016-federal-cybersecurity-research-and-development

7 https://www.nitrd.gov/nitrdgroups/index.php?title=CSIA-RFI-Responses-2019

8 https://doi.org/10.6028/NIST.CSWP.04162018

9 https://www.nitrd.gov/pubs/National-AI-RD-Strategy-2019.pdf

10 https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf

11 https://www.whitehouse.gov/presidential-actions/executive-order-maintaining-american-leadership-artificial-intelligence/

¹²National Academies of Sciences, Engineering, and Medicine. Quantum Computing: Progress and Prospects.

Washington, DC: The National Academies Press (2019); https://doi.org/10.17226/25196.

13 National Institute of Standards and Technology. “Post-Quantum Cryptography,” last updated October 22, 2019; https://csrc.nist.gov/projects/post-quantum-cryptography/workshops-and-timeline.

14 https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Strategic-Overview-for-Quantum-Information-Science.pdf

15 https://www.congress.gov/bill/115th-congress/house-bill/5515/text (Section 234).

16 2018 National Cyber Strategy, p. 15.

17 Memorandum M-19-25, p. 4.

18 “Executive Order on Securing the Information and Communications Technology and Services Supply Chain” (May 15, 2019); https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/.

19 Executive Office of the President. Research and Development Priorities for American Leadership in Wireless Communications (May 2019); https://www.whitehouse.gov/wp-content/uploads/2019/05/Research-and-Development-Priorities-for-American-Leadership-in-Wireless-Communications-Report-May-2019.pdf.

20 https://www.whitehouse.gov/wp-content/uploads/2019/06/Cloud-Strategy.pdf

21 https://www.nitrd.gov/PUBS/NationalPrivacyResearchStrategy.pdf

22 An unclassified summary of this document is available at https://dod.defense.gov/Portals/1/Documents/pubs/2018-National-Defense-Strategy-Summary.pdf.

²³National Academies of Sciences, Engineering, and Medicine. Beyond Spectre: Confronting New Technical andPolicy Challenges: Proceedings of a Workshop. Washington, DC: The National Academies Press (2019); https://doi.org/10.17226/25418.

24 https://www.nist.gov/system/files/documents/2018/07/24/eo_wf_report_to_potus.pdf

25 https://www.whitehouse.gov/wp-content/uploads/2018/12/STEM-Education-Strategic-Plan-2018.pdf

26 https://doi.org/10.6028/NIST.SP.800-160v1

27 https://doi.org/10.6028/NIST.SP.800-181

28 https://doi.org/10.6028/NIST.SP.800-39

29 https://doi.org/10.6028/NIST.CSWP.04162018 (revised in 2018).

30 https://www.whitehouse.gov/wp-content/uploads/2019/07/Update-from-the-NSTC-Joint-Committee-on-Research-Environments-July-2019.pdf

31 https://csrc.nist.gov/projects/ispab

32 https://www.nccoe.nist.gov/

33 https://www.performance.gov/CAP/lab-to-market/

	Co-Chairs
France Córdova, Director, National Science	Paul M. Dabbar, Under Secretary for Science,
Foundation (NSF)	Department of Energy (DOE)
Walter G. Copan, Director, National Institute of
Standards and Technology (NIST)