government’s latest Federal Cybersecurity Research and Development (R&D) Strategic Plan will put human-centered cybersecurity at the forefront of the nation’s cyber research and development efforts and investments over the next four years.
The document, published last month, states: “We need to place greater emphasis on a human-centered approach to cybersecurity, where people’s needs, motivations, behaviors, and capabilities are at the forefront of determining the design, operation, and security of information technology systems.”
The 2023 Federal Cybersecurity Research and Development Strategic Plan was developed by the Networking and Information Technology Research and Development (NITRD) Subcommittee of the National Science and Technology Council’s Cybersecurity and Information Assurance Interagency Task Force.
The Cybersecurity Enhancement Act of 2014 requires NITRD to develop and update a Federal Cybersecurity R&D Strategic Plan every four years. The December 2023 plan supersedes the document published in 2019.
“This 2023 Federal Cybersecurity Research and Development Strategic Plan (Plan) provides federal agencies with up-to-date guidance regarding the overall priorities for federally funded cybersecurity research and development,” the 42-page document reads in its preface. “This guidance includes [March 2023 National Cybersecurity Strategy] and establish research priorities to develop the science and technology needed to advance the Biden-Harris Administration’s goals in cybersecurity.”
The updated plan continues key concepts and frameworks from the 2019 Federal Cybersecurity Research and Development Strategic Plan.
- Effective cybersecurity requires mature capabilities based on four defensive capabilities: deterrence, protection, detection, and response.
- Improving cybersecurity practices requires scientific and technological advances in developing and operating sustainably secure systems, proactive risk management, and demonstrating evidence of the effectiveness and efficiency of those practices.
- People, especially affected users of computing and communication systems, must be protected by cybersecurity safeguards with equal or greater urgency than systems, communications, and data.
- We need frameworks and methodologies that allow developers to consider and manage safety, security, resiliency, trust, and privacy requirements holistically and simultaneously; and
- Successful cybersecurity research and development requires advances in scientific foundations, research infrastructure, and translation into practice.
Key updates to the Federal Cyber Plan in 2023
The 2023 plan highlights three priority areas of cybersecurity and corresponding research goals for the next four years: protecting people and society, developing means to establish and manage trust, and strengthening cyber resilience.
The introduction to the document highlights that while many of the cyber concepts from past plans are retained, the new plan for December 2023 has three key updates and priorities:
The document adds “human-centered cybersecurity” as a research objective under priority number one, protecting people and society.
The initiative aims to “embed participatory and iterative design to address the needs of people, organizations, communities, including marginalized and vulnerable populations, and society related to cybersecurity,” the document continues. “This allows people to invest in the process and provides a locus of control that supports and encourages them to be part of the cybersecurity solution that is created.”
Research activities based on this objective include identifying factors that reduce or eliminate memory and cognitive load on people interacting with digital technologies, in order to ensure the safety and security of people and systems. For example, the plan states that as threats such as phishing campaigns become more sophisticated, “we will develop socio-technical solutions to detect and mitigate such attacks without relying on humans to identify these threats,” and that this needs to be a focus.
The 2023 plan also updated priority number two: developing means to establish and manage trust.
“The lack of methods and mechanisms for determining the trustworthiness of entities in cyberspace and establishing trust among interacting parties and components is a significant shortcoming inherent in cyberspace,” the document states. “The ability to establish and enforce the required level of trust across all layers of computing, starting with the hardware layer and including all other layers such as operating systems, software applications, networking, web browsing, applications and services, etc. e-commerce, information sharing on social media, etc.”
The document proposes 30 research actions to advance trust in cyberspace, including advances in digital identity methodologies that can leverage a variety of attributes related to users, entities, and systems that can continuously assess different levels of dynamic trust.
Finally, the new Cyber Research and Development Plan has added cyber resilience as a key research objective for the next four years.
“There is a growing recognition that cybersecurity needs to move beyond its traditional focus on prevention, protection, and recovery to address the broader needs of organizations as they respond to threats to their systems. Cyber resilience is a mission statement and has emerged as a key element in the overall strategy for business assurance,” the document reads. “This is why we need to understand how to effectively design and develop systems to withstand cyber-attacks and continue to operate at an adequate level to accomplish their mission even in the face of an ongoing attack or if compromised, further attention will be required to determine whether it can be operated.”
One area of research in cyber resilience is identifying secure software design principles that can eliminate the majority of common software weaknesses. For example, model-based design can be used to enable secure-by-design software, validate software execution against secure design principles, and generate software that performs the intended functions of a cyber resiliency system.
Plan highlights White House and Congressional cyber research and development priorities
The 2023 plan also focuses on specific cyber topics that the federal government is pursuing through executive and legislative action in documents such as the National Cybersecurity Strategy and AI Bill of Rights Blueprint.
Three such federal topics include:
- Protecting the software and hardware supply chain;
- Enabling safe and reliable artificial intelligence; and
- Securing a clean energy future.
The plan also protects effective cybersecurity research, development, and experimentation, as well as continuing to promote sound national cyber metrics, measurement, and evaluation methodologies, and the above research priorities. It also emphasizes that neither of these goals can be realized.
The paper concludes by identifying the roles of the federal government, industry, and academia in cybersecurity research and development and approaches for coordination and collaboration. The document says agencies are expected to spell out their approach to implementing the plan in a strategy, implementation plan or roadmap.
“Implementation of this plan will generate cybersecurity science and technology that will help maintain a trusted cyberspace that supports the nation’s prosperity and security,” the document concludes.