The nation’s critical infrastructure is increasingly dependent on the Internet, while cybersecurity attacks are on the rise. Cybersecurity threats are becoming more frequent, more sophisticated, and more destructive—gradually eroding society’s trust in digital infrastructure. As technology continues to advance and every facet of daily life becomes increasingly interconnected, both the likelihood and the cost of failure rise dramatically.
Cybersecurity and National Security are now on the same footing, and require the same kinds of strategic vision. Enacting this vision will benefit all Americans, resulting in economic growth, increased security and privacy, and establishing global cybersecurity leadership in the United States.
To promote these goals, a National Cyber Moonshot report was created for the White House that called for a “whole of nation approach” for a safer, more resilient internet to deliver government and critical infrastructure services. This initiative echoes the bold, strategic original Moonshot challenge given to American scientists by President John F. Kennedy in 1961 to land humans on the moon. This time, the goal is a safer, more resilient use of the Internet to deliver government and critical infrastructure services securely.
The report has proposed a focus on six strategic pillars for a safe and secure internet to bring economic growth, national security, enhanced privacy, technology advances and global leadership benefits. The Cyber Moonshot initiative has both short and long-term milestones that started in 2018 and will continue to drive the progress of this key initiative.
The complex nature of cybersecurity has created a multitude of challenges cutting across matters of technology, people, and processes. Cybersecurity is an inherently distributed challenge, with unique authorities, roles, and responsibilities that are shared across the broader public, private, and academic ecosystem. All these capabilities must be effectively leveraged in a collective security model to make meaningful progress. The Cybersecurity Moonshot Initiative’s implementation and success will depend on a highly distributed system of stakeholder groups that are effectively empowered, resourced, and mobilized.
To be clear, the NSTAC is not advocating for Internet balkanization, the creation of an entirely separate Internet infrastructure, nor prescribing any specific type of technical architecture. The NSTAC is advocating for a fundamentally safe and secure Internet for critical services, characterized by the harnessing of significant technological advances, more strongly aligned incentives and consequences for user behaviors that promote secure choices, cybersecurity policy and education reforms, and a clearer understanding about ecosystem roles and responsibilities in building and operating within this fundamentally safe environment for specific critical services.
Other desired elements identified included:
• Resilience to attacks;
• Guaranteed availability of services;
• Fully attributable actions of users, for specific critical service functions;
• Consequences for malicious actions;
• Assured protection of private information;
The call for a Cyber Moonshot is a call for true Cyber Resilience. We must assume that our systems, information and processes are under continual threat of compromise and we must engineer them to be fault tolerant. By doing that we can create a baseline level of confidence that does not waver when an unexpected event hits and being ready with a systematic plan and cyber defenses in place when an attack occurs.
The NSTAC recommends the pursuit of a safe and secure Internet environment on the existing, open Internet in order to assure safe interaction with critical services in a more resistant and resilient manner.
Key characteristics to realize this outcome include:
• Endpoints and actions will be attributable;
• Malicious behavior will have consequences;
• Identities will move beyond passwords and PII;
• Privacy and trust will be enhanced and enforced; and
• A voluntary, opt-in process to realize the full spectrum of benefits.
Across the government, our nation’s cybersecurity efforts remain fractured. “When compared against 17 major
private industries, our federal, state and local government agencies rank third lowest in cybersecurity.” For a Cyber Moonshot to work we must establish unity of action–all agencies must have the advantage of benefitting from cyber intelligence and lessons learned.
Identifying the highest priority focus areas—those that provide the greatest amount of strategic leverage towards achieving a safe and secure cybersecurity environment for critical services—will need to be born out of a more distributed process. However, there are broad categories of technologies that are fundamental to the realization of a safe cybersecurity environment in the future, based on the NSTAC’s findings include:
- 5G Communications and Next Generation Networks: Provide a 5G communications network (wireless and wired) designed with enhanced security, interconnectivity, privacy, and availability. This will provide a much more resilient infrastructure, expand secure connectivity for the Internet of Things (IoT), industrial control systems, mobile, healthcare, and more, with dramatically greater bandwidth and near real-time latency.
- Artificial Intelligence: Ensure development of machine learning and AI to augment (rather than replace) humans, while minimizing risks such as data poisoning of AI systems. Allowing for near-autonomous response to cyber threats at machine speed to achieve self healing computing environments that identify flaws, prevent exploitation of those flaws, and mitigate impacts of failures.
- Behavioral Biometrics for Identity: Behavior biometrics combined with AI capabilities can reduce the reliance on easily compromised personally identifiable identification, allowing for the creation of identity scores that render passwords obsolete and give greater transparency and confidence in identifying users.
- Quantum Communications and Quantum Resistant Cryptography: Provide a trusted encryption and communications platform, leveraging quantum technologies, that is resistant to quantum general purpose (QGP) computers, tamper-resistant, and available to all services. This needs to be in place before the advent of QGP computers that can decrypt existing sensitive data.
- Common Resilience: Assure access and availability for required functionality of critical services by automating and simplifying the consumption model of threat prevention-oriented cybersecurity tools and capabilities.
- Micro-segmentation: Implementing cryptographically assured microsegments within distributed networks can reduce attack surfaces, limit lateral reconnaissance, and dramatically lessen impacts of malware, to help support both operational resilience and zerotrust methodologies.
Accenture has recommended following five essential steps in this part of the Cyber Moonshot journey:
Embrace the Cloud for Security: leverage the unique, enabling features of cloud technology to eliminate vulnerabilities, create a more defensible barrier and enable more dynamic cybersecurity. Using the cloud to enhance security will allow us to significantly limit our exposure to cyber risks.
Engage in Proactive Defense: Shift from a reactive to a proactive approach to cybersecurity. Don’t guess, know! Continuously hunt, probe, and root out dangers such as Advanced Persistent Threats (APTs), before the adversary can
exploit them. Apply machine learning and artificial intelligence to automate detection and response.
Demand a Data-centric Approach: Harden systems from the inside out by encrypting and anonymizing data to minimize the potential for loss if an adversary gets in. This starts with prioritizing the most important data assets—“the crown jewels”—across the government and devoting the necessary resources to secure them.
Require Security by Design: Security must no longer be viewed as an after the fact compliance exercise that results in added cost. Rather it should be engineered into the core of every system from the get-go. Agencies must adopt
a more agile approach to security during the development process that brings all practitioners to a high level of proficiency in security in a short period of time, ensuring security needs and recognize that this isn’t a one-time exercise as today’s dynamic systems require continuous cyber hygiene.
Build-in Cyber Resilience: Leverage the advanced capabilities of software-defined computing and storage to build
cyber resilient systems. A moving target is hard to hit – and if they cannot find you, they cannot attack you.
DARPA’s ASSET study
The ASSET study is being conducted under the umbrella of DARPA’s Information Science and Technology (ISAT) Study Group, whose goal is to identify new areas of development in computer and communication technologies for DARPA. The ISAT group, established in 1987, includes approximately 30 renowned scientists and engineers. Those involved collaborate to discover new ideas for research and create independent assessments for DARPA.
Hamed Okhravi, a cybersecurity expert and senior staff member at MIT Lincoln Laboratory, has been named a co-chair of a new study for the Defense Advanced Research Project Agency (DARPA). The study was spurred by Okhravi’s research at Lincoln Laboratory, in collaboration with MIT, into a “cybersecurity moonshot,” a vision to develop a secure-by-design computer. Okhravi previously published an article about this vision in IEEE Security and Privacy magazine. “ISAT read the article and recognized that this is an important challenge for DARPA,” Okhravi says. “The ASSET study will look into advanced cyber technologies and how DARPA can pave the way for these technologies to make their way into defense systems.”
According to Okhravi, large classes of vulnerabilities still remain in government systems despite decades of research and practice in cybersecurity. The problems are rooted in the inherently insecure design of legacy systems, developed decades ago before the need for security was widely understood. His findings point to three main causes of vulnerabilities: the use of unsafe programming languages, the lack of security checks being performed by computer processors, and the structure of operating systems. Okhravi’s team has been developing technologies to address these issues.
To achieve success we need bold new approaches to address the vulnerabilities we face today and to overcome the challenges we will face tomorrow, such as protecting the Internet of Things (IoT). The sheer number of IoT devices will make human control and oversight impossible which means we must proactively pursue security solutions that detect and respond to threats at machine speed. Artificial intelligence and machine learning will fulfil this critical role in enabling confident, assured use of IoT capabilities.
“We have these advanced technologies that exist, but one of the main questions of the study is how they fit together and what challenges exist for practitioners to implement them,” says Okhravi.
Sean Peisert at Lawrence Berkeley National Laboratory joins Okhravi as co-chair. The study will also include approximately 10 other cybersecurity experts spanning academia, industry, and federally funded research and development centers.
At Lincoln Laboratory, Okhravi works in the Secure Resilient Systems and Technology Group, where he actively contributes to strategic planning activities at the laboratory and to national-level research and development roadmaps. He has also led the development of multiple systems security technologies that have successfully transitioned outside of Lincoln Laboratory. Most recently, his work was awarded the 2020 Stratus Award for Cloud Computing.
“For many years I’ve been a big advocate for taking big steps in cybersecurity resilience, and I’m very excited about how this study can impact the future of security practice,” Okhravi says.