Cybersecurity: Second Order Effects
A great deal of cybersecurity research focuses on the logical and physical domains of information technology (IT) infrastructure, as well as on the security implications of human interactions with these domains. Great progress has been made in detecting cyber attacks, designing defensible networks, and maintaining situational awareness of network activity; however, less attention has been paid to the technological, societal, and psychological factors that influence the effectiveness of cybersecurity initiatives on a grand scale. Effective cybersecurity policy cannot be drafted if its societal influence is not understood; threat intelligence will not be shared if the private sector fears legal repercussions or competitive disadvantage; and defenses cannot be tailored to an adversary whose goals are not understood. To address these issues, interdisciplinary investigations are necessary to develop an understanding of how cybersecurity issues interact with society, and of how cyber defense analysts interact with their data.
Many policy and data sharing issues faced in cybersecurity are not unique to the domain, and relevant solutions may exist as prior work in analogs such as healthcare, finance, and economics.
There are four areas of investigation relevant to this project.
- Qualitative and quantitative methods to measure the real-world impact of government cyber policies. Effective policy is built upon the analysis of the successes and failures of prior policy decisions. While longstanding indicators have been leveraged in analysis of traditional policy domains (e.g. economics), the rapidly evolving cyber domain is in need of robust indicators and methods to measure the influence of policy decisions concerning topics such as encryption, offensive cyber capabilities, exploitation research, privacy, and intellectual property theft.
- Methods to mask, anonymize, or perturb cyber threat indicator data while maximizing data utility. A wealth of cyber threat intelligence (CTI) resides in disparate locations within the private sector. While the sharing of CTI across the private and public sectors would improve the defensibility of US infrastructure, concerns related to privacy protections, competitive advantage, and the negative effects of intrusion disclosure impede effective sharing efforts. Methods of sharing CTI while protecting private sector equities could be inspired by similar sensitive data sharing circumstances in the healthcare and financial sectors, and effective solutions could promote increased public/private cooperation in cyber defense.
- Methods to infer adversary goals, intent, and capabilities. Tactical surprise is difficult to prevent in the cyberwarfare domain given the absence of a traditional “landscape” on which attack preparations can be observed. Reaching the predictive/anticipatory space within the cyber realm instead relies on strategic insight into adversaries’ intent and capabilities. Effective methods to infer intent and capabilities are therefore paramount to preventing strategic surprise. Investigation into the mapping of business logic onto the IT infrastructure domain could yield mechanisms to identify the business workflow impact of an intrusion, evaluate critical infrastructure in security planning, and provide insight into an adversary’s operational goals based on security and event logs.
- Methods to improve analyst cognition of free text reports and arbitrary event log data. Traditional cyber reports of text and event logs are not intuitive formats for comprehending trends or coalescing tactical information into strategic insight. Methods of generating high-quality structured data from free text bring such information into the domain of structured data analytics, in addition to enabling intuitive trend analysis. Methods for detecting or highlighting changes and anomalies, in addition to identifying “valuable” data, are also necessary for improving analyst cognition of large volumes of cyber event data and for overcoming the reduced efficacy of cyber defense professionals that results from increasingly severe “information overload.”
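As an added illustration of the masking-versus-utility trade-off described in the second area above (not code from the original page): a keyed, prefix-preserving pseudonymization of a constructed CTI record, in which attacker indicators stay in the clear because they are the value being shared, while victim identity, internal addresses and exact timing are masked in a way that still lets partners holding the same key correlate victim organisations and subnets. The key, field names and sample records are assumptions.

```python
import hmac
import hashlib
from datetime import datetime

def _prf(key: bytes, msg: str) -> int:
    """Keyed pseudo-random function returning one byte (truncated HMAC-SHA256)."""
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()[0]

def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Octet-granularity prefix-preserving pseudonym (a simplified Crypto-PAn construction).
    Each octet is XORed with a mask derived only from the octets before it, so addresses
    that share their first k real octets share their first k pseudonym octets: subnet
    clustering still works on the shared data, but the raw addresses are hidden."""
    octets = ip.split(".")
    out = []
    for i, octet in enumerate(octets):
        prefix = ".".join(octets[:i])          # the real octets preceding this one
        mask = _prf(key, f"ip:{i}:{prefix}")    # same prefix -> same mask
        out.append(str(int(octet) ^ mask))
    return ".".join(out)

def pseudonymize_org(name: str, key: bytes) -> str:
    """Stable keyed token for an organisation: partners with the key can join on it."""
    return "org-" + hmac.new(key, name.lower().encode(), hashlib.sha256).hexdigest()[:12]

def coarsen_time(ts: str) -> str:
    """Round an ISO-8601 UTC timestamp to the hour to blunt timing-based re-identification."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.replace(minute=0, second=0, microsecond=0).strftime("%Y-%m-%dT%H:00Z")

def sanitize_record(rec: dict, key: bytes) -> dict:
    """Produce a shareable copy of one CTI record (field names are assumptions)."""
    return {
        "attacker_ip": rec["attacker_ip"],          # external indicator: shared in the clear
        "malware_sha256": rec["malware_sha256"],    # external indicator: shared in the clear
        "victim_org": pseudonymize_org(rec["victim_org"], key),
        "victim_ip": pseudonymize_ip(rec["victim_ip"], key),
        "seen": coarsen_time(rec["seen"]),
    }

# Constructed sample data (not real indicators); the key is a placeholder for a managed secret.
SAMPLE_KEY = b"placeholder-key-shared-among-partners"
SAMPLE_RECORDS = [
    {"attacker_ip": "203.0.113.7", "malware_sha256": "0" * 64,
     "victim_org": "Acme Corp", "victim_ip": "10.20.30.40", "seen": "2024-05-01T13:37:09Z"},
    {"attacker_ip": "203.0.113.7", "malware_sha256": "0" * 64,
     "victim_org": "Acme Corp", "victim_ip": "10.20.31.5", "seen": "2024-05-01T13:52:41Z"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(sanitize_record(r, SAMPLE_KEY))
```

The two sample records come out with identical `victim_org` tokens and pseudonymous `victim_ip` values that agree on the first two octets and differ on the third, which is exactly the subnet-level utility retained.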
A summary of key areas of investigation includes, but is not limited to:
- Quantitative and qualitative analysis methods of the influence of government cybersecurity policies
- Innovative ideas to enable public-private sharing of cyber threat intelligence
- Sensitive data sharing methodologies
- Data protection and data utility trade-offs
- Mapping of business processes to IT infrastructure
- Goal and intent recognition
- Transformation/presentation of free text reports and event logs
- Anomaly detection and data value estimation