
The Next Wave | Vol. 19 | No. 4 | 2012

Toward a secure and trustworthy cyberspace

Cyberspace, a global "virtual" village enabled by hyperconnected digital infrastructures, has transformed the daily lives of people for the better. Regardless of distance and location, families and friends can see and talk with one another as if in the same room. Cyber economies create new opportunities. Every sector of society, every discipline, has been transformed by cyberspace. It is no surprise that today cyberspace is critical to our national priorities in commerce, education, energy, financial services, healthcare, manufacturing, and defense.

The rush to adopt cyberspace, however, has exposed its fragility. The risks of hyperconnectedness have become painfully obvious. The privacy of personally identifiable information is often violated on a massive scale by persons unknown. Competitive advantage is eroded by the exfiltration of significant intellectual property. Law enforcement is hobbled by the difficulty of attribution, by national boundaries, and by uncertain legal and ethical frameworks. All these concerns now affect the public's trust in cyberspace and the ability of institutions to fulfill their missions.

Cybersecurity is arguably the most important challenge confronting society in the information age. No one—whether government, business, or individual—is exempt from the ravages of malicious cyber acts upon information technologies. The intelligent cyber adversary, whether human or software, learns and evolves to exploit, disrupt, and overpower cyber defenses, even as they are improved and strengthened. But posing cyber conflict solely in terms of classic attackers and defenders shortchanges the diversity and subtlety of the motivations, incentives, ethics, asymmetries, and strategies of the constituent actors and players in cyberspace. Addressing the challenge of securing cyberspace requires a coordinated multidisciplinary approach including computer scientists, mathematicians and statisticians, economists, behavioral scientists and sociologists, education experts, and engineers from many areas, all contributing to the body of knowledge on cybersecurity. Ultimately, the goal of such a multidisciplinary effort is the development of a science of cybersecurity, leading to practical, usable, and deployable technologies.

As a step toward creating such a science of cybersecurity, the National Science and Technology Council (NSTC) with the cooperation of the National Science Foundation (NSF) put forth a 2011 report, "Trustworthy cyberspace: Strategic plan for the federal cybersecurity research and development program" [1]. The plan identifies a broad, coordinated research agenda to make cyberspace secure and trustworthy. Research in cybersecurity must "change the game," check the misuses of cyber technology, bolster education and training in cybersecurity, establish a science of cybersecurity, and transition promising cybersecurity research into practice. The objective is to make cyberspace worthy of the public's trust.

NSF's Secure and Trustworthy Cyberspace (SaTC) program

NSF's new program for secure and trustworthy cyberspace (SaTC) supports the NSTC strategic plan for a trustworthy cyberspace. It recognizes that cyberspace will continue to grow and evolve and that advances in the sciences and technologies will create new leap-ahead opportunities expanding cyberspace. It recognizes that cybersecurity must also grow and coevolve along with cyberspace and that a secure and trustworthy cyberspace will ensure continued economic growth and future technological innovation.

The SaTC program is seeking research proposals that address cybersecurity from three distinct perspectives:

    Trustworthy computing systems;

    Social, behavioral, and economic sciences; and

    Transition to practice.

In addition, the SaTC program is seeking research proposals that integrate research addressing two or more of these perspectives, as well as proposals focusing entirely on cybersecurity education.

The following sections of this article describe the SaTC cybersecurity research perspectives. Each section outlines the projects and proposals that are of interest to the SaTC program within the relevant research perspective.

Trustworthy computing systems perspective

The trustworthy computing systems perspective aims to provide the basis for designing, building, and operating a cyber infrastructure with improved resistance and improved resilience to attack that can be tailored to meet a wide range of technical and policy requirements, including both privacy and accountability. The broad scope of this work supports all research approaches from theoretical to experimental, including participation by human subjects. Theories, models, cryptography, algorithms, methods, architectures, languages, software, tools, systems, and evaluation frameworks are all of interest as potential research projects.

Of particular interest is research that addresses how better to design desired security and privacy properties into components and systems. Methods for raising attacker costs by incorporating diversity and change into systems, while preserving system manageability, are also relevant.

The SaTC program welcomes studies of the trade-offs among trustworthy computing properties (e.g., security and usability, or accountability and privacy) as well as work that examines the tension between security and human values, such as openness and transparency. Also, methods to assess, reason about, and predict system trustworthiness, including observable metrics, analytical methods, simulation, experimental deployment—especially deployment on live test beds for experimentation at scale—will be considered. Statistical, mathematical, and computational methods in the area of cryptographic methods, new algorithms, risk assessments, and statistical methods in cybersecurity are also of interest to the program.

Social, behavioral, and economic sciences perspective

Research addressing the social, behavioral, and economic sciences (SBE) perspective of cybersecurity may focus on the individual, group, organizational, market, and societal levels, identifying cybersecurity risks and exploring the feasibility of potential solutions. All research approaches, including (but not limited to) theoretical, experimental, observational, statistical, survey, and simulation-based approaches, are of interest. A variety of methods can be used in research from the SBE perspective, including field data, laboratory experiments, observational studies, simulations, and theoretical development.

Not all work that examines aspects involving people falls within the SBE perspective. If such aspects are not the primary focus of the proposal, or if the aspects involving people merely apply the social, behavioral, or economic sciences instead of contributing to them, the proposal might fit under the trustworthy computing systems perspective as human factors research.

Research with the SBE perspective as its primary perspective must have the social, behavioral, or economic sciences as its main focus and must involve theoretical or methodological contributions to those sciences. Contributions to the social, behavioral, or economic sciences may include identifying generalizable theories and regularities and should push the boundaries of the current understanding of social, behavioral, or economic phenomena in cybersecurity. The SaTC program seeks research that holds the promise of constructing new social, behavioral, or economic science theories that would apply to a variety of domains, or new generalizations of existing theory which clarify the conditions under which such generalizations hold (i.e., scope conditions).

More inductive or interpretative approaches may contribute to the social, behavioral, or economic sciences as well, especially if they set the groundwork for generalizable research or reveal broad connections that advance understanding in those sciences. The SBE perspective proposals should clearly state and elaborate how the proposed research will contribute to the social, behavioral, or economic sciences. Research proposals that involve the SBE perspective, but not as their primary perspective, must include at least an application of the social, behavioral, or economic sciences but need not involve a theoretical or methodological contribution.

All SBE perspective proposals must, like all SaTC proposals, also contribute toward the goal of creating a secure and trustworthy cyberspace. The social, behavioral, or economic sciences contribution of any SBE perspective proposal must be related to bringing about that goal.

The strongest research proposals should demonstrate the capabilities of the research team to bring to bear state-of-the-art research in the human sciences. These proposals should seek to understand, predict, and explain prevention, attack, and/or defense behaviors and should contribute to developing strategies for remediation. Proposals that contribute to the design of incentives, markets, or institutions to reduce either the likelihood of cyberattack or the negative consequences of cyberattack are especially welcome, as are proposals that examine incentives and motivations of individuals.

Research proposals submitted with an SBE perspective will be evaluated with careful attention to their:

    Mutual application of, and contribution to, basic social, behavioral, or economic science research;

    Generalizability to multiple cybersecurity settings;

    Ultimate contribution to the construction of institutions that induce optimal behavior; and

    Value toward creating a secure and trustworthy cyberspace.

Given the nascent state of social, behavioral, and economic science research in cybersecurity, work that proposes workshops and other opportunities for intellectual engagements is welcomed. Such proposals, however, must clarify how the efforts are likely to enable future contributions to the SBE perspective, preferably from a range of social, behavioral, and economic sciences. For research proposals that are infrastructure-oriented, those that contribute directly to research and go beyond merely providing a resource for other researchers are of special interest.

Transition-to-practice perspective

Research proposals with the transition-to-practice perspective should address the challenge of moving from research to capability. These proposals will typically leverage successful results from previous and current basic research and focus on later stage activities in the research and development life cycle (e.g., applied research, development, prototyping, testing, and experimental deployment). Strong preference will be given to projects whose outcomes result in fielded capabilities and innovations of direct benefit to networks, systems, and environments supporting NSF science and engineering research and education. Any software that is developed in this program area will be required to be released under an open source license listed by the Open Source Initiative [2]. Industry partnerships and collaborations are strongly encouraged. Research proposals that are submitted with a transition-to-practice perspective will be evaluated with careful attention to:

    The expected impact on the deployed environment described in the proposal;

    The extent to which the value of the proposed cybersecurity research and development is described in the context of a needed capability required by science and engineering and potential impact across a broader segment of the NSF community;

    The feasibility, utility, and interoperability of the capability in its proposed operational role;

    A project plan that addresses in its goals and milestones the demonstration and evaluation of a working system in the target environment; and

    Tangible metrics described to evaluate the success of the capabilities developed and the steps necessary to take the system from prototype status to production use.

Cybersecurity education perspective

The results of SaTC funded research may lead to widespread changes in our understanding of the fundamentals of cybersecurity that can, in turn, lead to fundamentally new ways to motivate and educate students about cybersecurity. Proposals submitted with this perspective should leverage successful results from previous and current basic research in cybersecurity and research on student learning, both in terms of intellectual merit and broader impact, to address the challenge of expanding existing educational opportunities and resources in cybersecurity. This might include, but is not limited to, the following efforts:

    Defining a cybersecurity body of knowledge and establishing curricular recommendations for new courses (both traditional and online), degree programs, and educational pathways leading to wide adoption nationally;

    Evaluating the effects of these curricula on student learning;

    Encouraging the participation of a broad and diverse student population in cybersecurity education;

    Developing virtual laboratories to promote collaboration and resource sharing in cybersecurity education;

    Developing partnerships between centers of research in cybersecurity and institutions of higher education that lead to improved models for the integration of research experiences into cybersecurity degree programs; and

    Developing and evaluating the effectiveness of cybersecurity competitions, games, and other outreach and retention activities.

Additional information on NSF's SaTC program solicitation NSF 12-596 is available at http://www.nsf.gov/pubs/2012/nsf12596/nsf12596.htm.

About the authors

Nina Amla, Vijayalakshmi Atluri, Jeremy Epstein, Sol Greenspan, and Samuel Weber are program officers for the National Science Foundation (NSF)'s Directorate for Computer and Information Science and Engineering. The Directorate for Social, Behavioral, and Economic Sciences is represented by program officer Peter Muhlberger and the Directorate for Mathematical and Physical Sciences by Andrew Pollington. Kevin Thompson is a program officer in the NSF Office of Cyberinfrastructure, while Victor P. Piotrowski and Zhi Tian are program officers in the Directorate of Education and Human Resources and the Directorate of Engineering, respectively.

References

[1] Executive Office of the President National Science and Technology Council. "Trustworthy cyberspace: Strategic plan for the federal cybersecurity research and development program." 2011 Dec. Available at: http://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf

[2] To learn more about the Open Source Initiative, visit http://www.opensource.org/.


 

Date Posted: Jan 15, 2009 | Last Modified: May 9, 2012 | Last Reviewed: May 9, 2012

 