The Cybersecurity Research Alliance

Transcription

1 The Cybersecurity Research Alliance Executive Summary Motivation is a national priority that must be addressed to defend our society economy from attacks that undermine their digital foundation. A coherent cyber security R&D strategy that encourages public private partnerships is the foundation for addressing these challenges. Public private R&D partnerships are critically important because roughly ninety percent of the United States critical infrastructure, as identified by the Department of Homel Security, is privately owned operated [3]. Government, industry academic research institutions are motivated by the same set of fundamental cyber security challenges. Yet, as illustrated in Figure 1, each has largely different perceptions of the relative priorities vastly divergent processes to define their research agendas. Govt Per Agency, Government R&D Policy Priorities RFIs RFPs BAAs Government funding Projects address Govt critical I/S protection Security Solutions to protect the Critical Infrastructure Fundamental Long-sting Problems Industry Industry Projection Of Priorities Markets Funding from Industry, Venture Capital, Government Sources Projects target industry profits Technologies solutions to fuel enterprise growth Academia Academic Research Agenda Funding from Government Industry Sources Projects target publishable innovation & prototypes Inventions, Stards Best Practices Silo ed uncoordinated strategies policies Lack of large investment in key game Changing technologies Multiple, silo ed disconnected R&D initiatives Point, Technologies, Stards Best Practices Figure 1: The Status Quo Government invests primarily in R&D that is critically important to the security of the nation but cannot ensure the commercial applicability productization of the technologies developed.

2 Corporate research focuses on developing innovations to fuel the organic growth of their enterprises. These innovations are viewed as strategic assets for competing in the marketplace. But industry is not motivated to invest in cyber security research development that does not have near-term tangible economic benefits. Academia primarily engages in long-term basic applied research in cyber security which pushes the frontier of what is known possible. However, this frontier is often disconnected from the operational reality. Members of this community often find it difficult to move beyond first-level deliverables, such as research papers limited prototypes. Cyber Security Research Alliance (CSRA) Fundamental Long-sting Cyber Security Problems Govt Industry Academia Per Agency, Government Cyber Security R&D Policy Priorities Industry Projection Of Cyber Security Priorities Markets Academic Cyber Security Research Agenda RFIs Government RFPs BAAs Government funding Academia Industry Industry Private Funding (e.g. Venture Capital) EXPECTATION: projects address fundamental problems, receive significant investment lead to Innovative, practical publishable results that can create future markets Security Solutions to protect the Critical Infrastructure Technologies Solutions Inventions, Stards Best Practices Innovation Timeline Figure 2 : Improving Collaboration in Cyber Security R&D A novel approach is needed to move the focus of cyber security research from applied, incremental disconnected projects to game changing cyber security technologies (see Figure 2 above). Such an approach should address inefficiencies in current cyber security R&D, amplify investments made by stakeholders, enable stronger more action-oriented collaboration alliances. In addition, this approach needs to be helpful in devising novel collaboration models among stakeholders at the international level. An ad-hoc group of stakeholders from industry has joined together to propose the idea of the Research Alliance (CSRA) to serve as a forum to achieve fundamental game change in cyber security to facilitate public-private partnerships that orchestrate a more focused, coordinated concerted approach to cybersecurity R&D. The CSRA mission statement is as follows:

3 Foster the research development of game changing solutions to critical cyber security challenges through effective government, industry, academia partnerships CSRA will have a long term (e.g. one decade) view of what industry, government academia need to do in order to make game change happen. CSRA will identify areas of cyber security research where game changing approaches could have a significant impact. CSRA will seek input from stakeholders across government, academia, industry to identify promising research methodologies directions that may have been underemphasized as a result of insufficient funding, fragmented engagement by the stakeholders, imperfect collaboration models in cyber security R&D. CSRA will define a consistent multidisciplinary view of the area of research in question organize scoping exercises to define it further, e.g., via workshops that develop recommendations to inform supporting research or development. CSRA will socialize these research agendas developed by the stakeholders obtain the support necessary to define, implement facilitate the deployment of these game changing solutions. Bringing different stakeholders together in a shared collaborative environment is an essential first step. CSRA will be organized to support agile operations in order to enable stakeholders to work on the orchestration of technological market forces in support of game change; requisite development of new technologies; support for coordinated cyber security R&D policy focused research agendas aligned with national priorities; defining funding priorities for cyber security R&D. CSRA will benefit from government participation in various ways: government research programs may invest funds or allocate personnel to work at the Institute; the government will also be encouraged to provide experts to serve on the CSRA Technical Advisory Committee participate in planning exercises other workshops. CSRA invites wide participation by government agencies responsible for various components of cybersecurity R&D R&D strategy. In addition to defining research agendas, CSRA will engage in research directly. CSRA will seek funding from government agencies that can be directed specifically toward making progress on these gr challenges or used internally as CSRA developed internal research capabilities. The CSRA stakeholderbased funding allocation responsibility will ensure that participating agencies facilitate projects that will have a stronger likelihood of adoption by industry. Thus, CSRA, from the very beginning, can ensure that all the stakeholders are engaged in order to create new technologies that have an increased opportunity for commercialization for the development of new game-changing business models. In the midterm, CSRA will have a dedicated research staff with the capability to conduct research in house. Complementing in-house research, CSRA will develop novel programs collaboration models for joint projects among industry, academia, government to address these gr challenges. CSRA will also

4 define models that permit international collaboration on projects that yield themselves to this approach, in order to further amplify the impact of the technologies that are developed with CSRA s participation. Tracking CyberSecurity R&D Activities CSRA will track relevant cyber security research activities develop a broad picture of these activities available to CSRA membership affiliates. Tracking relevant cyber security R&D will enable CSRA to become a key focal point for integrating game changing activities in cyber security R&D, by ensuring efficient coverage of the main components in game changing research agendas. Greater awareness of cyber security R&D lscape, in the US internationally, can help CSRA its potential affiliates develop greater agility in approaching the highly dynamic cyber security R&D space. CSRA will also work with government funding agencies to provide input into the definition of cyber security R&D agendas. CSRA can serve as a body to help government assess the quality relevance of research, funding programs initiatives related to cyber security. Technology Transfer CSRA will develop novel models for spurring more effective ideas for commercialization of technology from academia federal research laboratories focusing on game changing technologies that can have a broad impact on multiple technology areas. IP developed during the course of R&D efforts being led supported by CSRA will be made available to CSRA membership according to terms defined in the bylaws. Organizational Structure CSRA is envisioned as a non-profit organization with the organizational structure consisting of (a) industry members, (b) a Board of Directors, (c) dedicated staff, (d) working groups, (e) a Technical Advisory Committee. Members of CSRA will be drawn from industry constituents involved in cyber security R&D, system integrators, owners operators of critical infrastructures, academia. CSRA membership will be tiered to suit the needs goals of the stakeholders a structure that is agile can accommodate multiple collaboration models engagement in diverse cyber security initiatives. Members will pay an annual fee. All members will get preferential access to CSRA deliverables, their roles will be differentiated based on membership tiers defined in bylaws. CSRA will have an open structure, where members can move from tier to tier based on the procedures defined in the bylaws. CSRA can start as a lightweight organization, with minimal engagement of dedicated staff. As CSRA activities develop, the organization will have some dedicated staff that is responsible for the day to day operations of CSRA, including engaging in research, management of the budget funding programs, public relations, special events (such as workshops), other operational matters. The staff will be led by an Executive Director, who is appointed by the Board. Research may be done by Visiting or Permanent Fellows who

5 come from industry, academia, or government, together with CSRAI affiliated groups, for participation in specific research initiatives. CSRA will have a Board of Directors, which will establish broad policies objectives; elect a President; select,, as the organization develops, appoint, support review the performance of the Executive Director; ensure that CSRA has adequate financial resources manage these resources; approve the annual budgets; be accountable to the membership for the organization s performance. The Board of Directors will be comprised of representatives of the highest tier members following the rules defined in the bylaws. CSRA will have a Technical Advisory Committee. The Advisory Committee will advise the Board of Directors working groups on the technical direction that CSRA should be taking including the creation or dissolution of working groups, evaluation of the progress of the working groups. The Advisory Committee will consist of participants from industry, academia, government, will be appointed by the Board of Directors. CSRA will organize activities by Working Groups, which are focused on a particular gr challenge, typically defined in the course of a series of workshops. The working groups will be responsible for the creation of deliverables including: Technical reports white papers Policy recommendations Prototypes Specifications to support stards development Testbeds or data repositories Software Workshops other events Intellectual Property Each working group will be chaired or co-chaired by a CSRA Board member. Participation in the working groups is open to all members associate members from industry, academia or government, subject to the Board s approval. The intent is to get the most capable people involved, who are the most knowledgeable about the particular topic being addressed. Stages of Development CSRA intends to progress rapidly through three phases of growth In order to progress beyond the status quo (shown in Figure 1): Coordination testing of approaches to cyber security R&D. The initial ramp-up period starts when the organization is formed, begins to grow starts participation in activities described in this document. CSRA will implement a coordination infrastructure approach that supports greater cohesion in cyber security R&D provides a forum to facilitate the exploratory execution stages of research where game change is a viable approach. CSRA will establish

6 relationships with agencies departments responsible for strategy funding of cyber security R&D. CSRA will also provide awareness of related cyber security research initiatives that are conducted by other entities worldwide establish a relationship with them as permitted by US law. CSRA will work to increase membership, ensure that members with critical expertise capabilities have the opportunity to participate in specific initiatives. Initially, CSRA will be largely a virtual organization with minimal permanent staff engaged primarily in coordination of activities. CSRA will be run mostly through the efforts of initial industry members. In this, CSRA will not be different from the path adopted by many industry consortia. A Board of Directors a Technical Advisory Committee will be established in this first year. CSRA will select one game change-related topic to explore in depth, by running a workshop establishing a working group to make progress against that topic. The output of this effort will be a document which will define the gr challenges in this area a research agenda required to make progress on the problem. CSRA will then work with the appropriate stakeholders to ensure that some initial progress is made on executing this research agenda. During the initial period, CSRA will finalize its long term strategy, including strategy for R&D agenda building, international collaboration, research execution. CSRA will establish relationships with the main stakeholders in cyber security R&D seek sponsorship funding for an exped research agenda. During this phase, CSRA will also seek to provide industry input for cyber security R&D strategy development. Development of Game Changing Agenda in Cyber Security. CSRA will mature to become a forum for formulating a shared cyber security R&D agenda focusing on hard problems in cyber security that can be addressed via game change. CSRA members will collaborate among themselves with other organizations in order to assess prioritize fundamental cyber security problems. The resulting consensus view will be presented in the form of a Cyber Security Research Outlook (CRO) to inform direct concrete planning for the advancement of key game change initiatives. The CRO will be an evolving roadmap that reflects the sequence of pressing technology, policy, operational deployment obstacles that need to be overcome in order to remove the advantage from attackers strengthen cyber security defenses. It will be a living document updated regularly. CSRA will build on its work during phase 1 by executing on the research agenda defined during that phase selecting new gr challenge problems to explore. CSRA will create populate a database of relevant cyber security activities, which will be made available to CSRA membership. CSRA will redirect some small amount of funding to at least one strategically important target, seek more substantial funding starting from Phase 3. CSRA will also begin to execute the international collaboration strategy. In Phase 2, CSRA will have a physical presence, an Executive Director, a small administrative staff.

7 Execution of the Shared R&D Agenda. In order to break the cycle of incremental improvements to security that struggle to keep pace with the innovativeness of attackers, CSRA will evolve to become a facilitator for the development technology transfer of game changing solutions to hard broadly applicable cyber security problems. CSRA supported efforts will have a scope ranging from the concept stage of potentially game changing approaches to research, development, productization, deployment of these solutions, drawing on the expertise of CSRA s members, stakeholders, collaborators. Academia government participation as well as significant levels of government funding are necessary at this stage. By Phase 3, CSRA will be a mature, fully staffed organization with the ability to perform in house research.