Common themes—and some big questions—emerged at this year's event.
CyberSci 2017 explored the rising challenge of cyberspace as a place to exert influence, governance—even control—analogous to the more traditional battlefields on land, air, sea, and space. The recent wave of high-profile cyber breaches amplifies the need to create a national cybersecurity R&D community, define appropriate national cybersecurity R&D challenges, and establish the role cybersecurity R&D should play in national information technology development.
CyberSci demonstrates the power of assembling some of the top minds in cyber R&D to share and learn about innovations in the field. Read on to learn more about the common themes—and big questions—that emerged at this year’s event:
- Is Cyber Really a Domain? The nature of cyberspace is changing, and our adversaries are exploiting opportunities that contrast with traditional western values. We’ve talked about defense, exploit, attack, now it’s time to talk about control and governance. Different from other “battlefield” domains, however, perhaps it’s time to consider cyber as an overarching domain that is intrinsically tied to activities in the other four. With 3.7 billion people online at any given time, its reach is undeniable. Symposium Chairman Samuel Visner noted that some countries view cyberspace as a place where they can assert sovereignty.
- The Rise of Artificial Intelligence (AI). Humans will not resolve the cyber battle alone. Development of intelligent agents has already begun and will be an innovative priority in the future. The Army Research Lab’s Chief Scientist, Dr. Alexander Kott, presented a view into the future with humans, cyber, and AI comprising the intelligent world. Success will depend on “bits, bots, and bodies” working together to benefit from the strengths of each group, and Dr. Kott sees AI as the ultimate solution to cybersecurity. The most severe restraint in this “unimaginably” complex future? Human cognition.
- Higher Walls, Wider Moats, and Bigger Locks are Not the Answer. In CyberSci’s panel discussion about whole-of-nation cybersecurity, former senior CIA official and former Capitol Hill Staffer Ron Marks noted our tendency to blame the victim when cyber breaches occur. He also shared his views on the three levels of threat actors: nation-states, non-nation-states, and “the most worrisome of all”—an angry 25-year-old on the inside. The day’s first panel discussed the concept of the “battle for cyberspace” and the experience of countries—China in particular—trying to lock down communications within their borders. National Intelligence Officer for Cyber Vinh Nguyen explained that state control is seen by some as a challenge to break, so rather than continue to escalate defenses/breaches, China has shifted to a strategy of obfuscation.
- We Call it “Critical” For a Reason. Critical infrastructures encapsulate the complexity of cybersecurity issues in the U.S. We need to stop admiring the issue and find new ways to solve it. The challenge of allocating cybersecurity management responsibility and accountability among the various elements that “own” connected infrastructures will likely require new logical and business models. Equally, tools will be needed to provide a unified view of disparate infrastructures, to identify and attribute correctly anomalous behavior, and to deploy and manage network defenses.
- So Where Do the Humans Fit In? Right now, we need to educate, innovate, and sustain the development of cyber workforce skills. As ICF noted in a recent paper about Cybersecurity Workforce Analysis “There is a nationwide shortage of highly qualified cybersecurity experts, and the federal government in particular has fallen behind in the race for this talent—individuals who are essential to protecting our nation’s critical public and private information technology infrastructure.”
- Keeping Up With the ITs.Information technologies, infrastructures, and services continue to advance in terms of sophistication, functionality, and interconnectedness. Energy and transportation infrastructures are converging and will be managed through advanced, cloud-based analytics. Transportation is being described by crowd-sourced data (e.g., Waze), which is then used by drivers to make routing decisions. We should expect that infrastructure operators, too, will start taking advantage of this data—and the cybersecurity challenges raised by that kind of development are significant. Additional information technologies–like the private sector and in academia–should be accompanied by R&D focused on securing these technologies. Efforts by companies involved in the development and deployment of cloud-based infrastructures and services should also be accompanied by cybersecurity research connected explicitly to the new technologies under development.
- Don’t Rock the Vote. Former Director of National Intelligence James Clapper shared his perspective on the cyber threats facing the U.S., including efforts by Russia to influence the 2016 presidential election. Exploitation of social media and privileged information call for stronger effort to understand the vulnerabilities of our electoral institutions and systems, and possibly changes in the underlying technologies to secure them. Confidence in our democratic processes demands confidence in the way votes are tallied. R&D should be undertaken to give social media organizations the means to spot and characterize foreign efforts to influence electoral opinions—through troll farms and other means—and to help halt such efforts.
Last year’s CyberSci symposium produced Recommendations for the 45th President of the United States based on the information shared by participating experts from industry, government, and academia. This year, in addition to the key takeaways listed above, we echo last year’s insights about building on lessons learned in the development of nuclear energy and aerospace technology. A national R&D community could leverage the substantial work already underway in the federal government (at the Army, Navy, and Air Force Research Laboratories, the Department of Energy National Laboratories, the Defense Advanced Research Projects Agency, the Homeland Security Advanced Research Projects Agency, and elsewhere) in combination with non-governmental resources throughout the country.