
An RCUK green paper for cybersecurity research

June 2011

Research Councils UK (RCUK) has identified research into cybersecurity as a priority for its Global Uncertainties programme. The programme will work with academic researchers, businesses and government users to enable effective networking, build capacity and develop world-class research projects which address important challenges in cybersecurity. Our ultimate aim is to contribute to making the UK's networked and online activities secure from misuse and as a result safer, more productive and more enjoyable. This green paper is intended to raise awareness, among academic researchers and users, of RCUK's emphasis on cybersecurity issues. It is the starting point for further developing an appropriately connected community of cybersecurity researchers and research users. We are inviting comments from all those interested in cybersecurity research in the UK. We are also taking this opportunity to highlight some RCUK activities which will promote cybersecurity research.

Background
At a time when we are more exposed than ever to threats at personal, family, community, organisational and national levels, and as more and more aspects of our lives are played out on computer networks, the problems caused by inadequate cybersecurity are becoming increasingly apparent. Malicious individuals and groups have long since realised just how lucrative the virtual world can be, how it can make criminal or antisocial activity easier, the opportunities it presents to disrupt normal life, and also the fact that these opportunities can only increase in scale. The increasing complexity of computer software and its associated electronic systems and processes increases the incidence of vulnerabilities. Our ever greater reliance on these systems and processes means that successful cyber attacks are likely to have significant consequences. The combination of enhanced threat, increased vulnerability and more serious consequences increases the cyber risk we experience. Better cybersecurity can help to reduce that risk to an acceptable level. More effective cybersecurity measures will come from a clearer understanding of our current and future vulnerabilities, the threats and consequences that result from them and the failings of current approaches. Further research into cybersecurity, its fundamentals and in particular its human and behavioural aspects, is essential.

What is cybersecurity research?


The term cybersecurity has come into common usage even though there is no clear agreement on what it does and does not mean. RCUK's working understanding, purely for the purposes of this paper, is that cybersecurity research is any research that seeks ultimately to make electronic systems [1] and the activities they support less likely to suffer harm or disruption as a result of deliberate [2] attack. It includes defensive [3] as well as more active [4] measures. This description is only an initial place-marker, lacking in detail and the necessary nuance. Consultation and development of a scope for a research approach to cybersecurity is an important aim for the Global Uncertainties programme. To help frame the discussion, some key references and a few possible future research directions are gathered in an appendix to this paper. These are not exhaustive or prescriptive and they do not represent a fixed preference or strategy.

What does RCUK want to achieve?


Good cybersecurity requires long-term, underpinning research of the highest quality, characterised by game-changing concepts and approaches rather than incremental improvements. It should enable positive outcomes for us all; creating new opportunities for the UK's citizens, communities, business and government; helping us to work, play and manage our lives safely and effectively in a world which is moving its activities online at a breathtaking rate. We want the cybersecurity researchers we support to be the best at what they do: leading research internationally, contributing to making the UK a safer place to live and work, and helping to make it an attractive place to invest. However good it is in more theoretical terms, research will not have real impact unless it addresses real problems, is based on a good understanding of the key issues, takes account of international context and developments, and connects with system vendors and end-users. Businesses and government users have already highlighted to RCUK the importance of fundamental research in solving their problems and their desire to help inform that research. We want to ensure a high-quality dialogue and sharing of views and information between academia and users, valuing equally the contributions of all participants. While it is clear that many of the problems we face are at heart technological, some of the trickiest issues (such as the insider threat) cannot be addressed by technologists alone. Multi- and interdisciplinary research will have a crucial role to play in the process of developing novel approaches and solutions. We want to encourage contributions from researchers new to cybersecurity as well as those from core areas, and to develop approaches to tackling problems which work across discipline boundaries wherever necessary.
[1] Especially networked computer systems, and noting particularly that human users are part of the system and that the system is ultimately intended to meet human needs

[2] Although the exclusion of problems resulting from accidental errors is not a hard-and-fast rule as there is much to learn from, for instance, dependability research

[3] By which we mean protective measures or approaches which fix problems

[4] By which we mean measures which help identify and minimise the threats posed by attackers

What research is being done?


The UK has an excellent research base in many areas relevant to cybersecurity, one which is already making a valuable contribution to efforts to improve cyber systems. There is a great deal of current activity (funded by RCUK and other organisations) and much published work on which we will build. It ranges from fundamental research into cryptography to work addressing the economics and value of privacy. We have identified a set of around 120 projects currently or recently funded by RCUK which comprise the core of our cybersecurity research portfolio. They have a total value of nearly 70M. More than 250 Principal and Co-Investigators are supported by these grants, and more are being added all the time. A full list of these projects and further information on the portfolio is available from the contacts given below.

What will RCUK do next?


We believe that the cybersecurity research we fund will benefit from raised visibility and a strengthened feeling of common purpose among researchers and research-users. So we will:

- Connect academic researchers, business and other users of research with each other as a means of further strengthening the UK cybersecurity research community;
- Communicate research results, needs and ideas between academic researchers, security professionals and government;
- Commission, where necessary and as funds allow, new research in the most promising areas, addressing priorities agreed among academic researchers, business and government stakeholders.

Just as we are challenging academics and research users to change the way they currently do things, we in RCUK are challenging ourselves to make a real difference. We will have succeeded in this if:

- The UK is seen to be an active and important source of new ideas and solutions to cybersecurity problems, with a healthy and innovative research base;
- All parts of the UK academic community which might contribute to it are aware of the nature of the cybersecurity challenge and how they can help;
- All potential beneficiaries of cybersecurity research have access to RCUK research activities and are able to draw on the existing research base through effective links with key researchers;
- Academic researchers, businesses and government users are working together to identify and address key research priorities, with research being informed, as far as is possible, by an up-to-date and accurate awareness of the nature of cybersecurity threats.

While there may be some future funding opportunities in cybersecurity, our main focus initially will be on working with our current portfolio of projects and resources: aligning it with cybersecurity issues and users in an optimal way and ensuring maximum impact from our existing investments. We have two activities already planned that can be publicised at this stage.

- There will be a cybersecurity research showcase event on Wednesday 23rd November 2011 at Church House Conference Centre, London. This will bring together academic researchers and key problem owners to share information on current activities, issues and research programmes. Invitations will go out in July 2011 but anyone who would like to attend can email one of the contacts listed below to register their interest;
- We are working with GCHQ to develop two opportunities: firstly for academic groups to be identified as UK Centres of Excellence for cybersecurity research and education; secondly to enhance UK research effort in strategically important subject areas within cybersecurity, through one or more Research Institutes in these fields. More details on both activities will be made available soon.

How can you become involved?


If you have any comments, questions or suggestions about the future of cybersecurity research please contact either Alasdair Rose (alasdair.rose@epsrc.ac.uk) or Alex Hulkes (alex.hulkes@epsrc.ac.uk). EPSRC is leading the cybersecurity aspects of the RCUK Global Uncertainties Programme, which is led by John Wand of ESRC (john.wand@esrc.ac.uk).

Appendix
Background material
Several reports covering many of the key issues in cybersecurity research are publicly available. While they do not necessarily represent everything that might be included in an RCUK programme, and while their prioritisations may not match those we will collectively develop, they provide some excellent source material. The US DHS Roadmap for Cybersecurity Research is a very comprehensive reference which describes a large number of key challenges in cybersecurity. A similar strategy document has been prepared by the Dartmouth Institute for Information Infrastructure Protection. The UK's Technology Strategy Board has produced a complementary roadmap that, rather than specifying research issues, sets out drivers for change in information security over the next ten years. It provides an extremely useful insight to help structure longer term research questions and builds on an earlier Foresight Cyber Trust and Crime Prevention project. This investigation, while conducted some time ago and with a broader scope and different focus to this paper, provides a synthesis of many issues related to cybersecurity that remains valid and useful. The Cyber Security Strategy of the United Kingdom is due to be updated soon, and so may change in its detail, but we would like to highlight its current vision statement which describes a future in which: "Citizens, business and government can enjoy the full benefits of a safe, secure and resilient cyber space: working together, at home and overseas, to understand and address the risks, to reduce the benefits to criminals and terrorists, and to seize opportunities in cyber space to enhance the UK's overall security and resilience." A useful summary of current UK government policy and initiatives, highlighting the need for academic research, can be found here, while the UK's National Security Strategy is here.
Finally it is worth restating RCUK's emphasis on Excellence with Impact and our desire that our research and training activities in cybersecurity should make a demonstrable contribution to society and the economy.

Some possible directions for research into cybersecurity


Cybersecurity research is hard to define and scope. It is part of, touches on, influences and is influenced by a range of associated and equally important issues and disciplines: criminology, dependability, resilience, sociology, systems engineering and many others. To help describe it more usefully we have identified some areas ripe for future investigation or in which we know there is ongoing work on which we can build. These are not intended to be exclusive or comprehensive, they are kept deliberately open and they are presented in alphabetical order.

Cybercrime

Cybercrime is a large and growing problem. While its direct financial effects are undoubtedly very significant, cybercrime also generates fear and anxiety, hampers our online activities and limits the UK's economic potential. Social damage from cybercrime, for instance from a child protection point of view, is impossible to value in any sensible way, as is the lost potential of what we are unable to do as a result of the threat of cyber-criminality.

Deployment, economics, motivation and regulation of cybersecurity measures

The resources allocated, and approaches adopted, to cybersecurity often do not seem to reflect the risks to which a system or its users will be exposed. As a business driver, security is often last in line. This is partly down to a lack of information about risks: information which individuals, business and government need to make sound decisions. Misaligned incentives, a lack of common standards, lack of clarity on ownership/responsibility and poor information on the effectiveness of solutions also contribute to a general market failure. Insight into attackers' motivations, and ways of deterring them from acting on them, is also lacking.

Drivers for change

Developments in the ways that we use ICT are outpacing the security solutions required for their safe adoption. Research relating to the systems and applications of the future, as well as those currently in use, is essential. These drivers of change include: e-healthcare systems; ubiquitous computing; smart metering, monitoring and control systems; e-voting; cloud computing; and, in the very long term, quantum systems and technologies.

Global threats, cyberwar, ethics, regulation, policy and legality

Threats to the UK from states and terrorists are growing. These threats need to be responded to proportionately and appropriately. The framework for doing so is not as well established as in more traditional cases, nor is our ability to attribute an attack, nor is it clear what responses are likely to be most effective or acceptable. Recognition of the importance of cyberspace as a national frontier has similarly complex implications, as do the global nature of the threat and the borderless nature of the internet.

Human factors and useable security

It takes a human to create or exploit a cyber vulnerability. We have to understand how humans really behave and interact with cybersystems, and how a particular technology choice or approach will affect human behaviour, if we want our systems to be more secure. Security solutions also need to be developed in ways that work in practice, not just on paper.

Risk identification, reduction, mitigation and management in a cyber world

Our understanding of how cybersystems behave has not kept up with the rate at which they are developed and implemented. We need a better understanding of the risks associated with our cyber activities, and we need better ways of managing those risks and making decisions under uncertainty. We also need ways of measuring or characterising the level of security in a system and how much we stand to gain or lose from a particular security action relating to it.

Secure management and usage of data across a range of systems

As more and more services, government and private, are delivered online, the risks associated with data losses mount. Many of the most memorable stories about breaches in cybersecurity are in fact information management issues. Approaches to sharing data and delivering better services which enhance information security and preserve the privacy of individuals are required. There are also complicated ethical and legal issues to consider.

Threats to physical infrastructure from cyber events

As more physical infrastructure comes under the control of systems which are connected to public networks, the potential for malicious disruption increases. While this threat has much in common with parallel work into resilience, it also has unique cybersecurity aspects.

Understanding and monitoring systems and networks, and detecting attacks

Without knowing how a system behaves in normal operation it is impossible to tell when something abnormal is occurring. Intrusion detection systems, visualisations, digital forensics and other methods of improving broad situational awareness, in real time and post-event, will be important areas for research. Autonomous approaches to protecting systems will help reduce the burden on human resources.
