[IEEE-USA Position Statement]

Cyber Security Research & Development

Approved by the IEEE-USA Board of Directors
24 June 2006

The Institute of Electrical and Electronics Engineers-United States of America (IEEE-USA) supports increased funding for cyber security research and encourages developing programs for cyber security commercialization and workforce education, as well as programs to ensure the security of our cyber network systems, software and personnel.  To enhance the protection of our cyber security resources against a potential, concerted terrorist attack, IEEE-USA further recommends that Congress and the executive branch work in conjunction with private industry to:

  • Authorize and Appropriate Increased and Stable Funding for Cyber Security Research. The basic research foundation within programs at the Defense Advanced Research Projects Agency, Department of Homeland Security-Homeland Security Advanced Research Projects Agency, National Science Foundation, Department of Energy, the armed forces services (Air Force Office of Scientific Research, Office of Naval Research, Army Research Office), Department of Health and Human Services including Public Health, Centers for Disease Control (CDC), the developing National Health Information Infrastructure and the intelligence community should be expanded dramatically. The government should continue to encourage and enhance cross-agency and multidisciplinary collaboration, and improved techniques and processes, coordinating efforts between R&D labs, industry, academia and the government.
  • Encourage and Support Cyber Security Technology Transfer Programs. The government should encourage and promote industry’s rapid transfer of basic and applied research results to technology and product development.   It should also promote collaboration among federal laboratories, universities and industry to foster an environment for rapid application of new cyber security solutions.
  • Facilitate Commercialization. Working with industry, government should facilitate the timely commercialization of cyber security advances from research laboratories to the marketplace.
  • Facilitate Development and Implementation of Cyber Security Standards. It is imperative for the Federal Government and U.S. industry to work together with standards organizations such as American National Standards Institute, International Organization for Standardization and the IEEE to facilitate the establishment of international standards to help industry institute baselines of acceptable security for cyber systems.
  • Support Cyber Security Education Programs. The government should encourage and financially support developing curricula and instruction for more effective teaching and training in cyber security at all educational levels.

This statement was developed by the Research & Development Policy Committee of the IEEE-United States of America (IEEE-USA) and represents the considered judgment of a group of U.S. IEEE members with expertise in the subject field. IEEE-USA is an organizational unit of The Institute of Electrical and Electronics Engineers, Inc., created in 1973 to advance the public good and promote the careers and public policy interests of the more than 220,000 electrical, electronics, computer and software engineers who are U.S. members of the IEEE.  The positions taken by IEEE-USA do not necessarily reflect the views of IEEE or its other organizational units. 

IEEE-USA, 1828 L Street, N.W., Suite 1202, Washington, DC 20036-5104
(O) +1.202.785.0017  +  (F) +1.202.785.0835 + (Email) ieeeusa@ieee.org + (Web) www.ieeeusa.org


BACKGROUND

Homeland security and national defense are dependent on the integrity and security of their information technology infrastructures.  Moreover, cyber security has an increasingly large impact on the life of every American, even those who do not themselves use computers.  Vulnerability of our information infrastructure to either natural disasters or man-made attacks can cause significant damage to our economy, civil infrastructure and security.

Among the many reasons for this vulnerability, one standout is that the software industry is far from assembling a product that has zero security defects.  Secure software engineering techniques are in their infancy and not widely adopted.  Some known techniques and languages that could lead to more secure software have been ignored because the resulting software does not operate as quickly in practice as software using more popular languages. As a result, many lingering vulnerabilities exist in critical software components that may be used against the nation. Widely publicized viruses, worms and data thefts are merely the tip of the iceberg.

For example, hackers have exploited weaknesses in a widely used Internet browser to attack personal computers with spyware to steal personal identities, creating significant financial losses and undermining confidence in on-line commerce and financial services.  In another example, during July 2005, researchers discovered an exploitable condition in the most widely used network operating system that is at the heart of routing for the Internet.  This condition allowed attackers to take control of a vulnerable router entirely.  A coordinated attack on such routers could bring down the entire Internet for an extended period of time, or facilitate eavesdropping attacks that could lead to widespread financial fraud, or purposely misdirected information.

Not only is our entire information technology (IT) infrastructure at risk but that risk is also clearly increasing with time.  All data indicate that the number of attacks on IT infrastructure is increasing rapidly, as is the sophistication and success of those attacks.  Five years ago, the majority of incidents were the result of untargeted attacks, often instigated by unsophisticated hackers who were gaining unauthorized access simply because they could. Today the Internet has established itself as a recognized place for commerce, amassing tangible high-value assets.  These assets are vulnerable to attack, and highly sophisticated criminals and organized crime syndicates have increasingly become the perpetrators of such attacks.  For example, several international crime rings attack systems from countries outside of U.S. jurisdictions, where corruption is high and the risk of arrest and prosecution is low.

Furthermore, as our military adopts network-centric warfare technology, national defense IT becomes an increasingly attractive target for adversary nation states in both covert and overt military operations.

Cyber security implies more than the protection of our information systems from terrorist penetration attacks.  Natural disasters have documented the vulnerabilities of our information systems.  Hurricane Katrina demonstrated how vulnerable our medical record infrastructure is.  Power outages; communications failures; and security safeguard interruption, such as credentialing and authentication, cause severe disruption to information flow. 

Our public health infrastructure and disease monitoring/reporting systems through the CDC need to be maintained during any and all disasters.  Furthermore, this sector needs to integrate its data with other participants in the Public Health System, such as the Environmental Protection Agency, the United States Department of Agriculture, and the Department of Energy (DoE), as part of the Public Health Information Network and the National Health Information Network.

With development of the National Health Information Network, the importance of cyber security for health data is even more critical.  In healthcare, geographic 7 x 24 hot-swap redundancy should be the goal to ensure medical record data availability. IEEE-USA is concerned about the potential for network/access denial, corruption of data, insertion of erroneous data, and/or data security breaches allowing inappropriate disclosures.

Cyber security includes information assurance (maintenance of data integrity, confidentiality, availability, non-repudiation and authenticity); crisis management in response to attacks on critical information systems; recovery plans for failures of critical information systems; and warning information and advice about appropriate protective measures and countermeasures to state, local and non-governmental organizations, including the private sector, academia and the public.  Because of society’s complete reliance on information technology and cyber networks, all the critical infrastructures and networks are interdependent and interconnected.  A cyber attack on one sector’s infrastructure may have devastating consequences to another sector.

U.S. infrastructure is not adequately prepared to defend against such risks.  Many of the core protocols that run the Internet are fundamentally at risk, such as Internet routing, e-mail transfer, and end-user authentication.  The entire infrastructure has fundamental usability issues that encourage end-users to make security decisions that are not in their own best interests.  For example, a large number of insecure wireless access points exist, even within corporate America.  Our primary defense mechanisms today are point solutions that are only partially effective, such as incremental patching, firewalls and intrusion detection.  These approaches provide only temporary, not long-term, remedies.  The United States urgently needs Federal government and IT industry cyber security research and development efforts, to develop advanced security technologies that will support a long-term strategic vision commensurate with the role that IT will play in our national economy and our national and homeland defenses.

Not only has the government traditionally played an important role in financing such efforts, but IEEE-USA strongly believes that, without the government driving a long-term cyber security vision, industry will most likely continue to make only incremental advances and improvements based on short-term, market-driven, and adverse risk factors.
 




Last Updated: 27 June 2006
Staff Contact: Bill Williams

 Copyright © 2006 The Institute of Electrical and Electronics Engineers, Inc.
Permission to copy granted for non-commercial uses with appropriate attribution.