Comments on Cybersecurity Research and Development Strategic Plan
D. Clark and k. claffy, "Comments on Cybersecurity Research and Development Strategic Plan", Networking and Information Technology Research and Development (NITRD) Program, Jun 2015.

Comment in response to Request for Information (RFI)-Federal Cybersecurity R&D Strategic Plan, posted by the National Science Foundation on 4/27/2015. This comment reflects our views and not necessarily those of the agencies sponsoring our research.

David Clark (2), kc claffy (1)

(1) CAIDA, San Diego Supercomputer Center, University of California San Diego

(2) MIT/CSAIL

The RFI asks "What innovative, transformational technologies have the potential to enhance the security, reliability, resiliency, and trustworthiness of the digital infrastructure, and to protect consumer privacy?"

We believe that it would be beneficial to reframe and broaden the scope of this question. The security problems that we face today are not new, and do not persist because of a lack of a technical breakthrough. Rather, they arise in large part in the larger context within which the technology sits, a space defined by misaligned economic incentives that exacerbate coordination problems, lack of clear leadership, regulatory and legal barriers, and the intrinsic complications of a globally connected ecosystem with radically distributed ownership of constituent parts of the infrastructure. Worse, although the public and private sectors have both made enormous investments in cybersecurity technologies over the last decade, we lack relevant data that can characterize the nature and extent of specific cybersecurity problems, or assess the effectiveness of technological or other measures intended to address them.

We first examine two inherently disconnected views of cybersecurity, the correct-operation view and the harm view. These two views do not always align. Attacks on specific components, while disrupting correct operation, may not map to a specific and quantifiable harm. Classes of harms do not always derive from a specific attack on a component; there may be many stages of attack activity that result in harm. Technologists tend to think about assuring correct operation, while users, businesses, and policy makers tend to think about preventing classes of harms. Discussions of public policy, including research and development funding strategies, must bridge this gap.

We then provide two case studies to illustrate our point, and emphasize the importance of developing ways to measure the return on federal investment in cybersecurity R&D.

Keywords: economics, policy