NITRD -> Publication Library 

NITRD Publication Library

Federal Plan for Cyber Security and Information Assurance Research and Development

Category: Federal Plans
Available Format: PDF
Pages: 140
View Full Text:

Powerful personal computers, high-bandwidth and wireless networking technologies, and the widespread use of the Internet have transformed stand-alone computing systems and predominantly closed networks into the virtually seamless fabric of today’s information technology (IT) infrastructure. This infrastructure provides for the processing, transmission, and storage of vast amounts of vital information used in virtually every facet of society, and it enables Federal agencies to routinely interact with each other as well as with industry, private citizens, state and local governments, and the governments of other nations. As the IT infrastructure has broadened to global scale, the volume of electronic information exchanged through what is popularly known as “cyberspace” has grown dramatically and new applications and services proliferate.

The IT infrastructure supports critical U.S. infrastructures such as power grids, emergency communications systems, financial systems, and airtraffic- control networks. While the vast majority of these critical infrastructures (including their IT components) are owned and operated by the private sector, ensuring their operational stability and security is vital to U.S. national, homeland, and economic security interests

Cyber threats are asymmetric, surreptitious, and constantly evolving – a single individual or a small group anywhere in the world can inexpensively and secretly attempt to penetrate systems containing vital information or mount damaging attacks on critical infrastructures. Attack tools and resources are readily available on the Internet and new vulnerabilities are continually discovered and exploited. Moreover, the pervasive interconnectivity of the IT infrastructure makes cyber attack an increasingly attractive prospect for adversaries that include terrorists as well as malicious hackers and criminals.

In this environment of heightened risk, the Federal government has an essential role to play in cyber security and information assurance (CSIA) research and development (R&D). As in other science, technology, and engineering fields of critical importance to the Nation, Federal leadership should energize a broad collaboration with private-sector partners and stakeholders in academia and the national and industry laboratories where the bulk of Federal research is carried out. Such a partnership can chart a national R&D agenda for strengthening the security of the Nation’s IT infrastructure.

This Federal Plan for Cyber Security and Information Assurance Research and Development takes the first step toward developing that agenda. The Plan also responds to recent calls for improved Federal cyber security and information assurance R&D, as outlined in the following documents: the OSTP/OMB Memorandum on Administration FY 2007 R&D Budget Priorities; Cyber Security: A Crisis of Prioritization, the 2005 report of the President’s Information Technology Advisory Committee (PITAC); the 2003 National Strategy to Secure Cyberspace; and the 2002 Cyber Security Research and Development Act (P.L. 107-305).

Developed by the Cyber Security and Information Assurance Interagency Working Group (CSIA IWG), an organization under the National Science and Technology Council (NSTC), the Plan provides baseline information and a technical framework for coordinated multiagency R&D in cyber security and information assurance. Other areas – including policy making (e.g., legislation, regulation, funding, intellectual property, Internet governance), economic issues, IT workforce education and training, and operational IT security approaches and best practices – also have substantial roles to play in improving cyber security and information assurance. However, these subjects are outside thescope of the Plan, which addresses only the role of Federal R&D.

Likewise, the Plan is not a budget document and thus does not include current or proposed agency spending levels for cyber security and information assurance R&D. Agencies determine their individual budget priorities according to their mission needs and requirements...