White House Releases Cyber-Security RandD Program Priorities

In order to secure the nation's computer networks from cyber-attack, the federal government has outlined its research and development priorities for cyber-security.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

The Obama Administration has outlined its road map of priorities for government agencies that sponsor research and development on cyber-security.

The Office of Science and Technology Policy (OSTP) organized the government's priorities into four major areas, or "thrusts," in a report titled "Trustworthy Cyberspace: Strategic Plan for the Federal Cyber-Security Research and Development Program," which was released Dec. 6.

The plan is the result of seven years of examination and consideration by cyber-security experts in both the private and public sector, Aneesh Chopra, U.S. CTO, and Howard Schmidt, the White House cyber-security coordinator, wrote on the OSTP blog.

A 60-day review of the state of cyber-security in the United States, conducted shortly after President Obama took office in 2009, called for urgent action to secure the nation's computer network infrastructure, according to Chopra and Schmidt. This R&D plan from OSTP is based on that report's findings and outlines how to jump-start how the nation approaches the challenge of developing and implementing more effective cyber-security measures, they wrote.

"Given the magnitude and pervasiveness of cyber-space threats to our economy and national security, it is imperative that we fundamentally alter the dynamics in cyber-security through the development of novel solutions and technologies," Chopra and Schmidt wrote. The federal government has the research resources at its disposal to address the underlying causes of cyber-security problems, they said.

In the first thrust, "Inducing Change," OSTP advocates the use of "game-changing" methods of problem-solving to understand the root causes of existing cyber-security deficiencies and to tackle existing problems with the "goal of disrupting the status quo," according to the report. The research in this area will focus on creating "moving targets" that will make it difficult for cyber-attackers to infiltrate computer networks.

The second thrust, "Developing Scientific Foundations," aims to treat cyber-security like any other scientific discipline by developing methods, techniques and control theories for attacks. Researchers will standardize data-gathering methods, establish common terminology and identify metrics, according to the report.

"Maximizing Research Impact" is about engaging the greater cyber-security research community and fostering connection with federal agencies for "maximum effectiveness." Agencies need to collaborate, coordinate and integrate their activities to improve cyber-security. The research also needs to be in line with the agency's overall objectives, according to the OSTP.

Finally, the "Accelerate Transition to Practice" thrust looks for ways to shorten the time it takes for research to actually be put in practice and ways to commercialize it, according to the report. There's a "chasm" between the research community and operations teams, and bridging the gap is necessary, according to the OSTP.

The government wants to achieve "greater cyber-space resiliency" by developing technology to enable secure software development, establishing economic incentives such as market-based, legal, regulatory or institutional interventions, defining strategies to help security professionals analyze and deploy mechanisms that increase cost and complexity for attackers, and developing distributed, trusted environments, according to the report.

The Obama Administration and various Congressional lawmakers have pledged to make cyber-security a priority. While there are several bills making the rounds in both the Senate and House that address various cyber-security issues, such as online privacy, securing the critical infrastructure and information-sharing between the public and private sectors, most of them are all still in draft form. Congress has yet to pass comprehensive cyber-security legislation.