A previous issue of NSA's The Next Wave magazine provided academic perspectives on what a cybersecurity science might look like. This follow-on issue focuses on the government's response to this topic by describing how various organizations, individually and collectively, are addressing the challenges of developing a true science for cybersecurity.
The past several decades have witnessed the phenomenon of a fledgling military computer network transform into an essential national and international information infrastructure that has fueled the growth of the global information age. This new infrastructure, often described as cyberspace, has already taken its place alongside long-established infrastructures, such as the national transportation system, in shaping society and reshaping governments.
The rapid acceptance and pervasiveness of this information technology, and cyber technology more generally, has come with a significant cost. We see evidence of that cost on almost a daily basis, and often with spectacular consequences. The ongoing cyber-thefts from the networks of public and private organizations, including Fortune 500 companies, represent the greatest transfer of wealth in human history.
While the need for cybersecurity is widely recognized, current views and definitions of security differ greatly. Commercial-world cybersecurity implements new security measures in reaction to new cyberattacks in an unending arms race. The discipline of security engineering implements best practices to build less vulnerable cyber systems, but security failures often arise in spite of compliance with best practices. Both approaches seek to secure known vulnerabilities of systems against attack. But the systems and the cyber environment are dynamic, not static, and new vulnerabilities arise. Security fails in this dynamic environment when the adversary simply changes the game by exploiting new vulnerabilities. Adversaries have the easier job, and they can expand their methodologies and techniques to acquire significant power in cyberspace with relatively modest resources.
The ball is now in our court.
In recognition of cybersecurity as a national priority, the US Cyber Command was chartered to protect our national interests in cyberspace. Although support for this national initiative is gaining ground, it is imperative, going forward, that we broaden our understanding of the science that underpins cybersecurity. We must form collaborative public and private partnerships and devote more attention to understanding security science. And it must be a team effort with the DoD, FBI, and DHS working together for the benefit of the nation. For decades, NSA has invested heavily in cryptology, but because our nation's current security challenges involve so much more than cryptography and cryptanalysis, we will lead the effort to broaden our work in the science of security.
KEITH B. ALEXANDER
General, US Army
Commander, US Cyber Command
Director, NSA/Chief, CSS