CCC submitted a response to a Request for Information (RFI) released by Networking and Information Technology Research and Development (NITRD), National Coordination Office (NCO), and National Science Foundation (NSF) on the 2023 Federal Cybersecurity Research and Development Strategic Plan. CCC previously released a blog about the importance of the RFI, and encouraged the computing community to respond.
CCC’s response was written by:
- Nadya Bliss (Arizona State University)
- Elizabeth Bradley (University of Colorado-Boulder)
- Randal Burns (Johns Hopkins University)
- Thomas M. Conte (Georgia Institute of Technology)
- David Danks (University of California San Diego)
- Nathan Evans (Arizona State University)
- Kevin Fu (Northeastern University)
- Haley Griffin (Computing Community Consortium)
- William D. Gropp (University of Illinois Urbana-Champaign)
- David Jensen (University of Massachusetts Amherst)
- Chandra Krintz (University of California-Santa Barbara)
- Brian LaMacchia (Farcaster Consulting Group)
- Daniel Lopresti (Lehigh University)
- Madhav Marathe, (University of Virginia)
- Melanie Moses (University of New Mexico)
- Ann W. Schwartz (Computing Community Consortium)
- Ufuk Topcu (University of Texas-Austin)
- Pamela Wisniewski (Vanderbilt University)
The response includes answers to questions 1, 3, 4, 5, 6 and 7. Some of the high-level points of the paper are summarized here:
Socio-technical resilience and human aspects of cyber security: While the 2019 Federal Strategy did include multiple references to the importance of the Human Aspects of cybersecurity, it did not elevate that topic to a “Priority Area”. While it is, of course, a “Critical Dependency” as it is referred to in the previous strategy, it is also important to invest in R&D in this area. Research in this area could potentially include development of multi-scale multi-theory models to understand interdependent socio-technical infrastructure systems. This can lead to identification of new vulnerabilities, making systems more resilient, early warning systems, and understanding inter-dependencies. A big challenge is the availability of data and including this in the federal cybersecurity strategy can initiate new ways data can be shared safely.
Resilience and security by design: The 2019 Federal Strategy has significant focus on cyber defense. A key theme of the comments below is to incorporate security up front, by design and not as an afterthought. That, together with socio-technical resilience as described above, is likely to lead to more secure systems.
Artificial intelligence: Recently, there has been increased adoption of Large Language Models (LLMs) and generative AI models in general. These potentially present a significant cybersecurity risk, particularly in their ability to generate disinformation effectively and efficiently, and at an overwhelming scale. More broadly, the ability to discern between authentic, accurate, auto-generated, and maliciously generated information via artificial intelligence (regardless of modality – text, images, video, etc.) presents significant challenges to cybersecurity and needs to be prioritized in the updated research strategy. While the technology companies are increasingly investing in dis- and misinformation related work, this work needs to be continually complemented by academic research and education initiatives.
Pandemic and computing: The COVID-19 pandemic led to rapid adoption of remote working environments which continue to persist because both employees and employers find them attractive. Computing capabilities enable significant connectivity and productivity, but also have the potential to lead to a broader attack surface.
Climate and computing: Rapidly accelerating effects of climate change require new research in resiliency and security of computing infrastructure, particularly in context of the accelerating rate of extreme weather events. There are many opportunities for highly impactful computing research in hardware, software, and algorithms that could support both security and efficiency in a co-optimized fashion.
Cybersecurity is an increasingly important and complex territory for the computing community, and it is critical that societal factors are prioritized when creating these systems in order to promote resilience, security and privacy.