Federal Plans NICE

Plan Development and Research

Challenge

Future Plan

This paper discusses what is referred to as the Federal Plan is for Cyber Security and Information Assurance (CSIA- R&D) Research and Development. Details of the federal government's plan will be discussed as well as what is expected and can be done about cyber security in the long-term.

In this federal plan, the terms 'information assurance' and 'cyber security' refer to measures put in place to protect computer information, systems and networks from unauthorized access or disruptions, modification, use or destruction. The purpose of information assurance and cyber security is to ensure: the protection of integrity against unauthorized destruction or modification of information, networks and systems (Community List.-Federal Plan for Cyber Security and Information Assurance Research and Development, 2006) as also to ensure confidentiality protection against illegal access of networks and disclosure of information held therein. Information assurance is likewise concerned with guaranteeing reliable and timely access to networks, systems and or information. The federal plan is made up of several sections including: Strategic Federal objectives; Analysis of the latest calls for Federal R & D; Types of threats, vulnerabilities, and risks; Technical issues in information assurance and cyber security R & D; Current investment and technical priorities of Federal agencies dealing with the issues of Cyber Security and information assurance; Technical and funding gaps analysis results; Findings and recommendations; Perspectives on R and D technical topics such as the main technical challenges; and the roles and responsibilities of cyber security and information assurance related agencies. The federal plan basically recommends for all levels of government to give cyber security a high priority and to ensure the integrity of the design, implementation and the utilization of all the components of the information technology (IT) infrastructure.

Background

In less than twenty years, developments and innovations in ICT (information and communication technologies) have revolutionized educational, commercial, scientific and government infrastructures. Powerful high-speed processors, high-bandwidth networks, wireless networks and the widespread utilization of internet services have transformed previously individual and largely closed networks into virtual world of seamless interconnectivity. There has also been an increase in the kind of devices that can connect to this vast IT infrastructure. A growing ease of access is via 'always-on' connections meaning that individual users and organizations are becoming more and more interconnected across different physical networks, organizations and countries (Federal Plan for Cyber Security and Information Assurance Research and Development, 2006).. As more and more individuals and organizations have become interconnected, the quantity of electronic information shared via what is colloquially referred to as "cyberspace" has increased dramatically. The information exchanged has also expanded beyond what was exchanged in hitherto traditional traffic to include, process control signals, multimedia data and other critical forms of data. New services and applications that utilize the capabilities of IT infrastructure are always emerging. The risks that are linked to the present and anticipated, threats to, vulnerabilities to, and attacks against the information technology infrastructure provide the basis for the plan. Rapidly changing trends in both the threats and technologies make it possible that security issues related to IT will only increase in the next few years. The following are the main areas of concern (Federal Plan for Cyber Security and Information Assurance Research and Development, 2006):

The increasing sophistication of IT networks and systems, which will result in more security challenges for both the developers of these systems and their consumers.

The constantly evolving nature of communications infrastructure as traditional phone networks and information technology networks merge to form a more unified network.

The growing access to wireless connectivity to personal computers and networks, increasing the exposure of such systems to attack. This is because in all-wireless networks the conventional protective approach of "securing the perimeter" cannot be used because it is becoming increasingly difficult to establish the logical and physical boundaries of such networks.

The increasing accessibility and interconnectivity of (and as a, result risk to) computer systems and networks that are vital to the United States economy, including financial sector networks, supply chain management and utilities and control systems in the manufacturing sectors.

The existent proliferation and the increasingly global nature of communications infrastructure, which will result in more opportunities for subversion by both domestic and foreign adversaries.

There are many different types of cyber attacks and also an equally diverse array of corresponding incentives, including activist causes, information misuse or theft, financial fraud, attempts to disrupt computer systems and attempts to interrupt important government IT infrastructure and services that depend on them. The perpetrators of cyber attacks can be...

The most frequently modes of attack include the use of malicious software such as spyware, viruses, worms, trojans; phishing of passwords; and attacks intended to deny services or to crash websites. Each type of attack posits different and unique challenges that necessitate the utilization of a targeted group of prevention activities. Some of these activities might not be technology related (Cybersecurity and the Audit Committee - Deloitte Risk & Compliance -- WSJ). Social engineering and phishing activities, for example, are usually dependent on staffs revealing passwords or other sensitive data when requested by the perpetrators and false pretenses. Therefore, efforts to raise awareness of the way such illegal activities are done and the reasons behind are of critical importance in preventing losses.
NICE Systems

Using NICE, the U.S. federal government plans to improve the country's cyber security through accelerating the availability of training and educational resources and material to significantly improve the cyber skills, knowledge and behavior of every sector of the population to create a safer and more secure cyber space for all. The NICE initiative has three objectives (Newhouse, 2012):

1. To raise national awareness with regards to cyber space

2. To widen the pool of persons who are prepared and ready to join the cyber security workforce, and

3. To develop an internationally competitive cyber security work force

In 2011, the White House announced the "Trust-worthy cyberspace: Strategic plan for the federal cyber security research and development program" that entailed part on developing scientific foundations. This part challenges the R & D (research and development) community to organize and compile knowledge in the area of cyber security and to research universal beliefs and concepts that are predictive and cut across specific systems, defenses and attacks resulting in a comprehensive understanding of the principles underlying cyber security (Newhouse, 2012). The federal government program will also enable analyses that impact large-scale systems and the formulation of hypotheses that will then be subject to empirical validation; the program will support high-risk experimentations that are necessary to establish a scientific basis and to come up with PPPs (public-private partnerships) of federal government agencies, academic communities and industry.

Plan Summary

In this federal plan, the terms information assurance and cyber security refer to measures put in place to protect computer information, systems and networks from unauthorized access or disruptions, modification, use or destruction. The purpose of information assurance and cyber security is to ensure: (Community List.-Federal Plan for Cyber Security and Information Assurance Research and Development).

Integrity-this is protection against illegal and unauthorized alteration or destruction of information, systems and networks, and information authentication

Confidentiality-this is protection of information against illegal and unauthorized access to information or its disclosure.

Availability-this is the assurance that information, systems and networks can timely and reliably accessed and utilized by authorized personnel.

Other areas-entail policymaking (e.g. Internet governance, intellectual property rights, funding, regulation and legislation), ICT workforce training and education, operational cyber security approaches and best industry practices (Community List. Federal Plan for Cyber Security and Information Assurance Research and Development). However, most of these areas are outside the scope of the federal plan, since it addresses only the role of Federal research and development regarding cyber security. Similarly the plan is neither a budget plan nor does it entail present or proposed allowed agency spending levels or limits for information assurance and cyber security research and development. Federal agencies have to determine their own individual budget priorities based on their mission requirements and needs.

The federal plan basically recommends for all levels of government to give cyber security a high priority and to ensure the integrity of the design, implementation and the utilization of all the components of the information technology (IT) infrastructure. The work of identifying and prioritizing cyber security and information assurance research and development efforts begun in this document should be a continuous process. Continuation of inter-agency collaboration is necessary to concentrate Federal research and development efforts on the greatest risks and threats to vital IT infrastructures and the missions of those federal agencies and to make the most of the steps made by these efforts (Community List. Federal Plan for Cyber Security and Information Assurance Research and Development). Specifically, the plan highlights the need for a collaborative effort of federal R&D to clear or provide solutions to the challenging technical issues that are impediments to the fundamental developments in next-generation information assurance and cyber security technologies; such research and development is usually multidisciplinary, high-risk and long-term.

Plan Development and…