KEEPING AMERICA SAFE: TOWARD MORE SECURE NETWORKS FOR CRITICAL SECTORS

Cambridge, Massachusetts, March 2017
Joel Brenner [email protected]

Report on a Series of MIT Workshops, 2015-2016
With Recommendations for the New Administration

MIT Center for International Studies https://cis.mit.edu
MIT Internet Policy Research Initiative https://internetpolicy.mit.edu

Table of Contents

Executive Summary and Recommendations
    A History of Hesitancy
Background:
    The Persistent Problem
    Expanding Operational Risk
    Why Are Systems Insecure?
    Coordinating Research Policy
The Workshop Plan
The Sector-Specific Workshops
    1. Electricity Sector Workshop
    2. Financial Sector Workshop
    3. Communications Sector Workshop
    4. Oil-and-Natural-Gas Sector Workshop


Executive Summary and Recommendations

A History of Hesitancy

The digital systems that control critical infrastructure in the United States and most other countries are easily penetrated and architecturally weak, and we have known it for a long time. Yet Presidential leadership on infrastructure security has been hesitant and chiefly rhetorical, while system operators have tended to focus on short-term fixes and tactical improvements. Much effort has been devoted to developing better security standards,[1] but most standards are merely advisory. Key federal departments, notably but not exclusively homeland security, defense, and energy, have devoted significant effort to improving infrastructure security. Examples would be too numerous to cite. But these efforts have not altered the strategic balance.

Offense remains dominant. To break this cycle, the nation will require a coordinated, multi-year effort to address deep strategic weaknesses in the architecture of critical systems, in how those systems are operated, and in the devices that connect to them. This effort must in part be technically directed, but it will also require a re-evaluation of the laws, regulations, and policies that govern our networks. The challenges we face are not merely technical. They are also economic, managerial, behavioral, political, and legal. Indeed the technical challenges may be the easiest to address. For example, aligning economic, tax, and liability incentives with the goal of higher security is not a technical challenge. Re-aligning incentives would be a daunting task, but our critical infrastructure cannot be made reasonably secure unless we do it.

This report identifies the most strategic of those challenges and proposes a policy and research agenda that has the potential to achieve significantly higher levels of security in critical networks over a five- to ten-year period. But the nation must begin now. Our goal is action, both immediate and long-term.

To address this task, CIS and IPRI jointly convened a series of workshops focused on four critical economic sectors, all of which are overwhelmingly or entirely in private hands: electricity, finance, communications, and oil-and-natural gas (ONG). We did not set out to write yet another description of the threat to our critical networks. In the wake of repeated, widely reported foreign intrusions into our power grid and banking system and the recent Russian interference in our national election, the threat is well known. Rather, we focused on what to do about it.

[1] See, e.g., National Institute of Standards and Technology, "NIST Releases Update to Cybersecurity Framework," January 10, 2017, at https://www.nist.gov/news-events/news/2017/01/nist-releases-update-cybersecurity-framework, accessed February 9, 2017.

The workshops were attended by experts[2] from leading enterprises in each sector, by academic experts in relevant fields, and by a few government officials. We expected commonalities across all four sectors, and we found many. Participants in each sector bemoaned the difficulty of quantifying network risk, for example; and each workshop expressed great interest in techniques of containing cascading failure. But we also encountered differences among sectors – in part because the sectors operate in different regulatory frameworks, and in part because two of these sectors – electricity and oil-and-natural-gas (ONG) – are heavily dependent on industrial operating technology (OT) as well as information technology (IT). Significant differences also exist within sectors as well as between them in their levels of investment in cybersecurity and ability to fend off attacks. We have preserved the essence of the individual workshops in summaries at the back of this report.

The Recommendations

This report makes both long- and short-term recommendations of broad applicability to critical infrastructure in the United States and, excepting certain legal and regulatory matters, to critical infrastructure globally. The report identifies eight strategic challenges to illuminate our predicament and guide our policy and research. Under each challenge, it makes findings that emerged from the workshops and recommendations to address them. The recommendations cover a wide range of issues, from the organization of cybersecurity in the Executive Office of the President to technical measures of network security and misaligned regulatory incentives. Each of the challenges is then followed by a series of research questions whose answers could help meet that challenge. The report therefore addresses three audiences: government officials, public and private institutions that fund research, and the researchers themselves. By changing and focusing the research environment, IPRI and CIS believe the nation could materially improve our long-term security environment. We emphasize the coordination of funding, however; we do not propose budgetary measures.

[2] Participants were free to use any information received, but neither the identity nor the affiliation of any speaker or participant could be revealed. Industry participants came from ten private energy companies in the United States, Canada, France, and the United Kingdom, including two of the oil majors; four leading international banks, a major data processor for financial institutions, and a leading securities clearing organization; two tier-one communications providers; a leading computer chip manufacturer; a leading maker of commercial and consumer software; and representatives of the Government of Canada, the U.S. departments of homeland security and energy, and the Office of the Governor of Massachusetts. Participants from firms and governments in India and from another U.S. university were invited but did not attend. The views expressed in this report do not necessarily reflect those of individual workshop participants or of their enterprises and agencies.


Some of the research questions we pose are broad and technical (e.g., Can cyber risk be measured?); others are narrow and focus on non-technical impediments to adopting technically available security measures (e.g., What economic or other factors impede the adoption of secure connections between service providers?). Differences in generality were unavoidable if we were to describe the full range of technical and policy questions that must be answered, especially because many of the impediments are legal, economic, and political rather than technical. Taken together, these questions should form the basis of a focused, national agenda that must be adopted, coordinated, and funded if we are to escape from a twenty-five-year cycle of futile tactical measures and imprecise aspirational statements from a never-ending series of governmental and private groups.

The nation can no longer afford a pattern of uncoordinated executive action and scattershot research. Total security is not achievable. But a materially improved security environment for the infrastructure on which virtually all economic and social activity depends can be created with sufficient resources and political will. Achieving this goal will require a more determined and more directive approach from the highest levels of government and industry. It will also require more energetic and coordinated steps from the President than any of his predecessors has been willing to take.


FINDINGS AND RECOMMENDATIONS

FIRST CHALLENGE

Improve Coordination.

Finding:

Critical infrastructure defense is insufficiently coordinated across the government. Changing the status quo will require a more directive effort from the White House.

Recommendation:

The President should elevate his cybersecurity advisor to the position of deputy national security advisor for cybersecurity. That official should be directed and empowered to work with the Office of Management and Budget (OMB) to focus long-term policy across the government on the substantive challenges identified below and to produce on an accelerated schedule a federal research agenda and budget for the cybersecurity of critical infrastructure focused on these same challenges. OMB should determine that funds are spent accordingly.

SECOND CHALLENGE

Measure cyber risk and infrastructure fragility.

Finding:

Quantifying risk in either absolute or relative terms is a difficult challenge that impedes cybersecurity investment in all sectors examined except certain financial institutions. The asserted inability to measure the rate of return on cybersecurity investment is a closely related problem[3] that affects overall investment levels and makes it difficult to target investment. Fragility of systems is a salient aspect of risk that concerned participants in all sectors. Absent assurances of confidentiality, candid participation by the private sector will not occur. However, the public should be informed of the general state of security of critical infrastructure.

[3] Most participants accepted the view that cyber risk, changes in cyber risk resulting from a specific security investment, and the rate of return on that kind of investment could not be measured. For the contrary view, see Douglas W. Hubbard and Richard Seiersen, How to Measure Anything in Cybersecurity Risk (New York, 2016).


Recommendation:

The President should direct the lead departmental secretary to convene on an accelerated schedule a meeting of representatives of the relevant national laboratories and other experts to assess impediments to measuring cyber risk and fragility and to recommend a national strategy to meet this challenge. The meeting should be closed to the public and its proceedings, though not the strategy, should be kept confidential.

Research Questions:

1. Can cyber risk or network fragility be measured? Can changes in risk as the result of specific security investments be measured? If so, why are enterprises not doing it?

2. Would the answers to these questions produce more rational decision-making by enterprises? If not, why not?

3. Can simulation-based modeling be used to create cybersecurity stress-tests for critical sectors? In the electricity sector, could that type of modeling be used to test the ability to "cold start" electricity generation? Can the results of such modeling be protected from public disclosure? How, and at what level of generality, should the public be informed of vulnerabilities in critical systems?

4. Should the answers to these questions have regulatory implications for some or all critical sectors?

5. Can the necessary de-identified[4] data be obtained to support research into these questions? Would legislation be appropriate to compel the production of that de-identified data in the interest of national security – but with an exemption from disclosure and under a legal privilege that would prevent its use for any other purpose?[5] How would the required data be defined, and who should hold it?

[4] De-identification means removing identifying aspects of data so that, practically speaking, it would be difficult and expensive to re-associate it with a particular person. Perfect anonymization of data is not possible in most circumstances.

[5] The Critical Infrastructures Protection Act of 2001, codified at 42 U.S.C. § 5195c, does not clearly give the Department of Homeland Security power to require production of specific categories of data from private firms. See 42 U.S.C. § 5195c(d)(2)(A) and (B).


THIRD CHALLENGE

Review laws and regulations with the goals of reducing risk and optimizing security investment.

Finding:

Participants from all sectors overwhelmingly believed there was a material disconnection between mandatory compliance regimes and improvements in cybersecurity. Most participants from all sectors except finance believed that federal tax and regulatory incentives for higher levels of cybersecurity investment should be considered. Many participants from the electricity and telecommunications sectors believed that regulations either impeded or did not encourage higher levels of cybersecurity investment.

Recommendations:

The President should propose legislation at the earliest opportunity for the more favorable tax treatment of qualified cybersecurity investment in critical infrastructure and, potentially, throughout the economy, including investment necessary to convert to a more secure DNS and to more secure border gateway protocols. To qualify for favorable treatment, investments should be in products and services that are demonstrably compliant with the framework promulgated by the National Institute of Standards and Technology (NIST).[6]

The secretary of energy, state public utility commissioners, and the National Association of Regulatory Utility Commissioners should forthwith examine the effect of utility regulation on cybersecurity with particular attention to (i) the effect of current regulations on cybersecurity investment and (ii) the usefulness of current compliance standards in achieving higher levels of security.

[6] National Institute of Standards and Technology, "Framework for Improving Critical Infrastructure Cybersecurity," version 1.0, February 12, 2014, at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf, accessed February 20, 2017. Draft version 1.1 of the Framework, released in January 2017, is available from NIST's Cybersecurity Framework page at https://www.nist.gov/cyberframework.


Research Questions:

1. How should liability rules and regulations be optimized to produce more secure behavior by vendors and by the owners and operators of infrastructure? A comparative study of state as well as federal regulatory models would be useful in addressing this question.

2. Can cybersecurity regulation be harmonized across government? Government regulates by sector. For example, the Federal Communications Commission regulates telecommunications; the Treasury Department, the Federal Reserve, and other agencies regulate banks; the Energy Department, the Environmental Protection Agency, and the states regulate energy, and so on. But as these "vertical" regulators have also begun to regulate cybersecurity, a complex of overlapping, expensive, and potentially inconsistent standards is emerging. Are these regulations driving greater security, or are they merely more elaborate and expensive compliance regimes?

3. The many competing compliance standards create confusion. Should the government make the NIST Framework, and only the NIST Framework, a single mandatory standard across government and for contractors dealing with the government?

4. Could the financial impact on insurers and re-insurers of the damage resulting from a successful attack on one or more critical sectors be absorbed by them? If not, what law and policy would be required to make it likely that such losses could be absorbed?

5. Can the necessary, de-identified data be obtained to support research into these questions? If not, would legislation be appropriate to compel the production of that de-identified data in any sector while protecting the rights of the enterprises that would produce the data? How would the required data be defined?

FOURTH CHALLENGE

Enable critical infrastructure operators to quickly identify and respond to cyber risk arising from cross-sector linkages as well as from their own networks.

Finding:

All sectors depend on electricity, and the financial sector's global platform supports transactions with energy and telecommunications. These and other linkages create possibilities for cascading failure that are insufficiently understood and not adequately illuminated by sector-specific simulations and other testing. Participants from all sectors stated emphatically that cooperation on pooling proprietary data and candor regarding the results of testing could not be achieved unless parties could be assured that the data and results would remain confidential and could not be used for other purposes.

Recommendation:

The President should direct the lead departmental secretary to convene on an accelerated schedule a meeting of representatives of the nation's leading industrial insurers and other experts to examine the steps necessary to enable more robust cross-sector simulations, including the sharing of data, and to make appropriate recommendations to the President. The meeting should be closed to the public and its proceedings kept confidential, but the resulting recommendations should be public.

Research Questions:

1. What steps would increase the likelihood of early detection of a slow-moving strategic attack on a critical sector or across critical sectors? How will detection techniques be affected by the anticipated move to IPv6?[7]

2. How would such an attack affect critical backup systems?

3. Can simulation-based modeling be used to create better cross-sector stress tests?

4. Can simulated cyber disasters help determine how communications should be prioritized in the event of a national emergency?

5. Can efforts to use big data and fast processing to quickly detect intrusions in critical networks be accelerated?

6. What, if anything, prevents the effective use of identity management tools across the full range of steps necessary to execute a successful exploit or attack?

[7] IPv6 is the successor to the current Internet addressing protocol, IPv4. Its 128-bit addresses enlarge the address space by a factor of 2^96, roughly 7.9 x 10^28. Techniques that depend on sweeping an entire address range to discover hosts, as is routinely done on IPv4 networks to find exposed or compromised systems, therefore stop working on IPv6: the space cannot be enumerated in any useful time, so defenders must instead rely on asset inventories, address assignment records, and traffic logs to know what is on their networks.


FIFTH CHALLENGE

Reduce the complexity of components and the vulnerabilities inherent in them.

Finding:

Participants from the electricity and oil-and-natural-gas (ONG) sectors believed that unduly complex, and insufficiently secure, hardware, software, and industrial controls were a significant source of cyber vulnerabilities that created physical danger as well as risk to information. Participants from the ONG sector were emphatic on this point. Both energy sectors are highly dependent on industrial operating technology. This is a significant supply chain risk created by commercial, not technological, factors. Suppliers find it profitable to market cheap, general purpose hardware and software for multiple uses, regardless of differing security tolerances in different sectors and uses.

Recommendation:

The President should direct the lead departmental secretary to report to him on an accelerated schedule on the feasibility, timeline, and expense of supporting and otherwise incentivizing the production and use of more secure and less complex hardware, software, and controls for use in critical infrastructure.

Research Questions:

1. Can the technical, economic, and regulatory obstacles to reducing complexity in both information technology and industrial operating technology be identified?

2. Field programmable gate arrays (reconfigurable logic chips that can be programmed for almost any purpose after manufacture) are cheap, so they are used for many purposes including commercial routers and industrial controls used in critical infrastructure operations, but their complexity and superfluous functionality increase risk. The same may be said of general purpose processing units, operating systems, and software systems.

a. Can standards be established to reduce the vulnerabilities in logic processors and the software and firmware that control them?

b. Can standards be established, or incentives created, to phase out design tools that permit hardware and software designers to make the same basic errors repeatedly, such as allowing buffer overflows?


c. What steps would be necessary to establish a certification system for hardware and software, possibly modeled on Underwriters Laboratories for electrical products?

d. Can microchips be designed so that entire functional blocks of those chips can be cheaply, reliably, and verifiably disabled so that functionality matches task requirements?

3. What incentives should be in place to induce controls manufacturers and Internet service providers to use less vulnerable chips?

4. Are the departments of defense, energy, and homeland security optimizing their role in creating and supporting a market for simpler and more secure commercial devices in critical infrastructure? For example, can these departments jointly establish metrics for complexity and standards for controls, and use their procurement decisions to favor less complex and more secure hardware and software?

5. Can simpler firmware and operating systems be cost-effectively developed and marketed for use in critical infrastructure?

SIXTH CHALLENGE

Address fundamental issues of system architecture.

Findings:

1. The Internet is a legacy system designed for non-commercial uses with little or no need for security. Security has chiefly been an option for end points, which frequently ignore it in favor of speed-to-market and low costs. Hardware and software that run on the Internet display wide differences in security, and the tools for creating hardware and software enable many of the same security errors to be repeated over many years, without liability.

2. Security professionals from all sectors overwhelmingly believed that certain aspects of their systems could not be made reasonably secure unless isolated from public networks. There are significant differences of opinion about appropriate degrees of isolation.


Recommendations:

1. The President should direct the secretaries of energy and homeland security:

a. in consultation with the Federal Energy Regulatory Commission (FERC), to explore the feasibility, expense, and timelines of isolating from public networks[8] all controls and operations of activities within FERC's jurisdiction,[9] to define acceptable degrees of isolation, and to report to the President on an accelerated schedule; and

b. in coordination with the FERC and the North American Electric Reliability Corporation (NERC),[10] to convene at the earliest practical time a conference of state electricity regulators to explore the feasibility and expense of isolating key elements of electricity generation and delivery from public networks.

2. The President should direct the lead departmental secretary to consult with key stakeholders, including vendors, users, the public, and the insurance industry, about the desirability and feasibility of (i) establishing legally binding standards of care in the manufacture of hardware and software for critical infrastructure, and (ii) the establishment of a privately owned and managed accreditation bureau for such hardware and software, and to report to the President on an accelerated schedule.

Research Questions:

1. Should some operations of some or all critical sectors be isolated from the Internet? If so, which ones? How should "isolation" be defined? What level of isolation would be appropriate for particular systems in critical applications? Who should determine that?

[8] This is not a recommendation to create a single non-public energy network. Isolation from public networks does not imply isolation from efficient, digital operating systems that produce real-time, or near real-time, information about those systems. Non-public information and operating systems based on TCP/IP protocols are available or can be created.

[9] FERC has jurisdiction over the interstate transmission of electric power. Power generation and delivery are regulated by the states and territories.

[10] NERC is composed of the owners and operators of the grid and has been named by FERC as the "Electric Reliability Organization." It is charged by Congress to "establish and enforce reliability standards for the bulk-power system," subject to FERC's oversight.


2. Can blockchain or other technology be used to verify accounts in a timely fashion to reduce the risk of corrupted backup systems and wiped accounts?

3. What changes to security architectures would let us more efficiently manage system accesses and identities for devices, people, applications, and data, both internally and externally?

4. Can a system be designed so that its failure would be immediately transparent to its operator? Can the state of the system's algorithms be made understandable to humans? Would it be cost-effective to impose audit requirements on that kind of system? (E.g., if a driverless car ran off a bridge, could its control algorithm be made to explain why it did that?) If so, why don't we mandate that kind of auditability in critical sectors?

5. What economic, regulatory, or other factors impede the more rapid phasing out of legacy components of electronic systems in favor of components that are not merely newer but are demonstrably more secure?

6. What economic or other factors impede the adoption in the private sector of the existing but largely unused secure domain name system (DNSSEC) or an alternative security architecture? What incentives could accelerate the adoption of a more secure domain name system?

7. In the communications sector, what economic or other factors impede the adoption of secure border gateway protocols (such as RPKI-based route origin validation and BGPsec) that would make it impossible, or substantially more difficult, to divert network traffic? What incentives could accelerate the adoption of that type of control?

8. Companies have differing interests. Academics make a living by disagreeing with one another and often prefer the notional perfect to the achievable good. Universal agreement on a domain name system and border gateway controls is therefore not achievable. Is there a point, short of war, when the Congress should make these choices?

9. The Internet of Things makes attack surface management geometrically more difficult. What aspects of insecure devices matter most in this respect? Should enhanced security be applied at the device level or only at higher levels within networks?

10. Would it be feasible and efficient in a virtual network to segregate or at least identify all executable code, thus making unauthorized executables more readily discoverable?
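Research questions 6 and 7 above ask what impedes adoption of a secure DNS and of secure border gateway protocols. The following is an added example, not code from the report, showing in working code what the BGP half of that control actually does: RPKI route-origin validation as specified in RFC 6811, in which a router checks each received announcement against Route Origin Authorizations (ROAs) and drops announcements whose origin AS or prefix length is not authorized. All ROAs, AS numbers and announcements below are constructed from documentation address ranges and private AS numbers; none of them appear in the report. The example also makes the practitioner's caveat visible: origin validation defeats a forged-origin hijack of a prefix that has a ROA, but it says nothing about prefixes without ROAs and does not detect path manipulation, so it makes traffic diversion substantially harder rather than impossible.

```python
"""Route-origin validation (RFC 6811) against a constructed set of ROAs.

Added example, not code from the report. ROA prefixes, AS numbers and BGP
updates are constructed from documentation ranges (RFC 5737, RFC 3849) and
private AS numbers; none of them appear in the original text.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization as a validator would hand it to a router."""
    prefix: IPNetwork   # authorised prefix
    max_length: int     # longest prefix length the origin may announce
    asn: int            # authorised origin AS


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength outside [prefixlen, 32 or 128]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, asn)


def validate_origin(announced: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'.

    RFC 6811 section 2: a ROA *covers* the route if its prefix is the same
    or less specific; the route is valid if any covering ROA names the
    origin AS and its maxLength is >= the announced length.
    """
    net = ipaddress.ip_network(announced, strict=False)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"          # RPKI is silent about this prefix
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # wrong origin, or too specific


def apply_rov_policy(updates: Iterable[Tuple[str, int]],
                     roas: Iterable[ROA]) -> List[Tuple[str, int, str, bool]]:
    """The common deployment policy: drop 'invalid', accept 'valid' and 'not-found'.

    Accepting 'not-found' keeps ROV deployable while ROA coverage is partial;
    it is also why an attacker can still hijack prefixes that have no ROA.
    """
    roas = list(roas)
    result = []
    for prefix, asn in updates:
        state = validate_origin(prefix, asn, roas)
        result.append((prefix, asn, state, state != "invalid"))
    return result


# Constructed data: AS64496 holds 192.0.2.0/24 and 2001:db8::/32 and may
# de-aggregate the v6 block down to /48. AS64500 is the would-be hijacker.
ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("2001:db8::/32", 48, 64496),
]

UPDATES = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/24", 64500),      # same prefix, wrong origin: hijack
    ("192.0.2.0/25", 64500),      # more-specific hijack: also invalid
    ("192.0.2.0/25", 64496),      # right origin but beyond maxLength
    ("198.51.100.0/24", 64500),   # no ROA: ROV cannot object
    ("2001:db8:1::/48", 64496),   # within maxLength
    ("2001:db8:1::/64", 64496),   # beyond maxLength
]


def main() -> None:
    for prefix, asn, state, accepted in apply_rov_policy(UPDATES, ROAS):
        verdict = "accept" if accepted else "REJECT"
        print(f"{prefix:20} AS{asn:<6} {state:10} {verdict}")


if __name__ == "__main__":
    main()
```

Running the block prints one line per announcement: the two hijack attempts against 192.0.2.0/24 and the two de-aggregations beyond maxLength are rejected, while 198.51.100.0/24 from the attacker is accepted because no ROA covers it. That last line is the point a policy-maker should take from the exercise: origin validation only protects prefixes whose holders have published ROAs, so incentives for ROA publication matter as much as incentives for routers to validate.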


SEVENTH CHALLENGE

Formulate an effective deterrence strategy for the nation.

Findings:

The cybersecurity postures and capabilities of the United States and its peer or near-peer competitors in cyberspace have served to deter outright attacks against one another's critical infrastructure, but have been unsuccessful in deterring lower-level but increasingly harmful cyber operations across our economy, society, and political system. Hostile acts are systematically carried out below the level of armed conflict that have the potential to gradually reduce this nation's stature and security and its ability to lead free and open democracies around the globe. In this gray space between war and peace, the United States does not have an effective deterrence strategy against either nation-states or transnational groups bent on terror or other forms of disruption of our critical infrastructure.

Recommendation:

The President should direct his national security advisor to review the nation's deterrence strategy. That strategy should include, but not be limited to, (i) hardening critical American systems and infrastructure; (ii) raising the price for attacking them; (iii) constructing a diplomatic strategy for achieving verifiable cybersecurity agreements with potential adversaries; and (iv) evaluating the nation's ability in the long term to maintain offensive dominance in cyberspace and the stabilizing or destabilizing effect of attempting to do so.

Research Questions:

1. In view of the demonstrated ability of certain nation-states to exploit critical networks for economic, political, and potentially military advantage, would a more directive policy toward hardening critical networks be justified? Would that course of action be politically acceptable in the United States and among other nations involved in global transactions and telecommunications?

2. Cyber network operations by capable nation-states and their proxies are difficult or impossible to prevent, yet we expect critical infrastructure operators to defend themselves against these attacks. Is this the right public policy? If not, what policy should replace it?


3. Will the pursuit of offensive dominance in cyberspace continue to be feasible in the next five to ten years? Will its pursuit be inconsistent with order and stability in cyberspace, as it proved to be in the strategic nuclear relationship with the Soviet Union? What are the implications of the answers to these questions for American diplomatic strategy in cyberspace?

4. Is the President receiving robust counter-strike options, both military and non-military, for cyber intrusions, including those that do not rise to the level of armed conflict under international law?

5. Is any department of government conducting realistic simulations and other exercises to explore the consequences of non-military counter-strikes in response to a cyberattack? Does the President understand and approve of the assumptions that underlie these exercises?

EIGHTH CHALLENGE

Accelerate and improve the training of cybersecurity professionals.

Findings:

There is a serious dearth of cybersecurity expertise in the United States, especially at advanced levels. The nation does not produce enough graduates with advanced cybersecurity skills or with skills in both cybersecurity and the operation of industrial operating systems.

Recommendation:

The President should appoint a blue-ribbon commission on the feasibility of increasing the supply of highly trained computer scientists and engineers and developing model curricula for training computer scientists and engineers in the defense of critical systems. The commission should report to the President within 180 days.


This is a time for action. It is also a time for calm, long-term strategic thinking, based on sound research, into the underlying causes of cyber insecurity and how to address them.

Research Questions:

1. Adm. Hyman Rickover created a rigorous model for selecting and training nuclear submariners. Should government or industry adopt his model for the cyber defense of critical infrastructure?

2. Can effective network defense skills be taught without also teaching high-level offensive skills? If not, given the risk of teaching those skills to a wider cadre, who should be eligible to receive that instruction? Should qualified trainers, in defined circumstances, be granted liability protection for teaching offensive tactics?

3. Are different core curricula appropriate to train people to operate and defend the networks of different critical infrastructures? If so, who should develop them?

4. Should people in cybersecurity disciplines be subject to specialized training and certifications, as in other professional disciplines?

Background:

The Persistent Problem

In the United States, Presidential Directives to address infrastructure risk have emerged from the White House like clockwork for more than twenty-five years. In 1990, President George H.W. Bush announced to the country what intelligence officials, but not many others, already understood: “Telecommunications and information processing systems are highly susceptible to interception, unauthorized electronic access, and related forms of technical exploitation, as well as other dimensions of the foreign intelligence threat….”

In 1998, as enterprises were beginning to shift both information systems and operations to the Internet, President Clinton warned of the insecurities created by cyber-based systems. That year he directed that “no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation’s critical infrastructures from intentional acts that would significantly diminish” our security. Five years later would have been 2003.


In 2003, President George W. Bush implicitly recognized that this goal had not been met. He stated that his cybersecurity objectives were to “[p]revent cyber attacks against America’s critical infrastructure; [r]educe national vulnerability to cyber attacks; and [m]inimize damage and recovery time from cyber attacks that do occur.” Meanwhile, virtually all commercial and operational activity was migrating to the Internet, which remained insecure.

By 2009, concerns about critical infrastructure had become acute. President Obama said:

The architecture of the Nation’s digital infrastructure, based largely on the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat….

By 2013 – fifteen years after President Clinton had said the country’s critical infrastructure should be secure from malicious disruption by 2003 – President Obama acknowledged that the goal had not been met: “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” The view at the enterprise level is much the same. Trend Micro, a leading Internet security firm, reported in 2015 that critical infrastructure operators throughout the Western hemisphere “painted a picture that depicts the threat [to their networks] as being severe, while some perceived the future of securing these infrastructures as bleak.”

The question the nation faces is therefore this: Are we condemned to remain in this unstable and insecure condition, in which the best we can do is to repeat urgent but futile warnings from high places and, at the operational level, merely to refine our tactics in a losing game of Whac-A-Mole? To find an answer, we gathered experts from industry, government, and academia, to imagine – in President Obama’s phrase – “a significant change in how [systems] are constructed or operated.” This meant going beyond the intense and difficult day-to-day tactical challenges that critical sector operators face, important as they are, to imagine a better security environment in five to ten years and to understand what keeps us from getting there.

Expanding Operational Risk

For the owners and operators of critical infrastructure, the prime concern is risk to continuity of operations rather than theft of information, though that, too, is a serious risk. An intruder who can steal massive amounts of data from a system remotely can also corrupt the information on the system, or wipe information from it, or shut it down. Information technology and industrial operating technology have largely converged. A decade ago, researchers at the Idaho National Laboratory proved they could physically destroy a diesel-electric generator using only a keyboard and a mouse.11 Real-world examples soon followed.

In 2010, the centrifuges used to enrich uranium gas at Iran’s Natanz nuclear facility started failing rapidly. The Iranians were baffled – until researchers in Germany diagnosed the Stuxnet virus, now widely attributed to the intelligence services of the United States and Israel.12 In 2012, cyberattacks from Iran wiped all information from thirty thousand computers at the world’s largest oil refiner, Saudi Aramco.13 In 2014, an unidentified intruder used a spear-phishing ruse to gain access to the network of a German steel mill, then caused multiple components of the industrial control system to fail, resulting in massive physical damage.14 Meanwhile, starting in 2011, a Russian operation known as “Dragonfly/Energetic Bear” began targeting North American aviation companies before shifting to U.S. and European energy firms. Its targets included “energy grid operators, major electricity generation firms, petroleum pipeline operators, and Energy industry industrial control system (ICS) equipment manufacturers. Most of the victims were in the United States, Spain, France, Italy, Germany, Turkey, and Poland.”15 There were no reports of damage from these penetrations; they appeared to be reconnoitering exercises that could facilitate damaging attacks on the systems later, if the intruder chose to attack. In 2015 the prospect that an attacker might launch a damaging attack on an adversary’s energy grid became reality when portions of Ukraine’s power grid were disabled for several hours in a coordinated attack on three energy firms. This was the first publicly acknowledged attack on a power grid. The Ukrainian government immediately blamed Russia. The attackers employed a range of sophisticated tools, but in the view of several analysts, “the strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack.”16

11 “The experiment used a computer program to rapidly open and close a diesel generator's circuit breakers out of phase from the rest of the grid and cause it to explode.” Wikipedia, “Aurora Generator Test,” at https://en.wikipedia.org/wiki/Aurora_Generator_Test, accessed January 6, 2017.
12 Wikipedia, “Stuxnet,” at https://en.wikipedia.org/wiki/Stuxnet, accessed November 16, 2016.
13 Nicole Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” New York Times, October 23, 2012, at http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html, accessed December 23, 2016.
14 R.M. Lee et al., “German Steel Mill Attack,” SANS Institute, ICS Defense Use Case, December 30, 2014, at https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf, accessed December 23, 2016.
15 June 30, 2014, at https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat, accessed December 6, 2016.
16 Lee et al., “Analysis of the Cyberattack on the Ukrainian Power Grid,” SANS Institute, ICS Defense Use Case, March 18, 2016, at http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf, accessed December 23, 2016.


This is the offense-dominant environment that critical infrastructure operators now live in. Network defense has certainly gotten better in the last fifteen years in absolute terms, but so has the offense. Relative to the increased resources and sophistication of criminal and nation-state attackers, it is doubtful the defense has improved at all. Attacks are still easy and cheap to launch and difficult and expensive to defend against.

The offense continues to enjoy inherent advantages owing to human fallibility, architectural flaws in the Internet and the devices connected to it, massive data aggregation, and pervasive interconnectivity. And the attacker must succeed only once, while the defense must succeed thousands or millions of times. Connecting geographically dispersed operating equipment to the Internet has brought undoubted efficiencies to electricity generators and other industries, but it has also created dangerous vulnerabilities in the systems that keep the lights on and power the economy. In late 2016, the recently retired chief security officer of AT&T said it was “inevitable that significant, large-scale cyber attacks will be launched against our critical infrastructure [in the coming four years]. These attacks will shift from the theft of intellectual property to destructive attacks aimed at disrupting our ability to live as free American citizens. I do not know of a single cyber security expert in our country who would disagree with this view.”17 We concur.

Why Are Systems Insecure?

When the Internet was being designed in the early 1970s, it was not initially clear what the important security issues were. Its initial purposes were to assure communications in the event of a nuclear attack through packet-switched routing, and then to serve as the basis for collaboration among geographically dispersed scientists working for the Department of Defense. The relatively few people having access to the original network were a trusted group for whom security was not an issue. Insofar as the network’s sponsors in the Department of Defense and the intelligence community thought about security, they preferred that security challenges be pushed onto the attached end-nodes, without appreciating the difficulty of doing so. The Internet’s designers understood that many security problems would best be addressed through encryption, but encryption was not a commercially practical technology at the time for reasons of performance and lack of open standards. At the time, encryption was also regulated as a munition for export purposes. These considerations, together with the imperative to get the Internet to work at all, led to several classes of security problems. In particular:

17 Edward Amoroso, “An Open Letter to the President-Elect on Cyber Security,” LinkedIn, November 25, 2016, at https://www.linkedin.com/pulse/open-letter-president-elect-cyber-security-edward-amoroso, accessed December 10, 2016.


1. Several of the core control protocols and supporting services of the Internet were designed without an approach to security, and adding security after the fact has proved more difficult than anticipated. These protocols include the global, inter-domain routing protocol (Border Gateway Protocol or BGP), the Domain Name System (DNS),18 and the Certificate Authority system. In all these cases, secure alternatives have been proposed but have not been taken up in the marketplace. What the original designers thought would be a technical challenge has turned out in all cases to be a challenge created by misaligned economic incentives, poor coordination and leadership, a lack of global trust among stakeholders, and disagreements about what the security problems are.

2. Strictly speaking, the Internet is simply the network that connects end-points using a technical protocol called “TCP/IP.”19 It was never meant to police itself for criminal or offensive behavior. To a significant degree, therefore, the Internet is doing what it was designed to do: that is, to connect end-points. Many (perhaps most) of the vulnerabilities in our systems occur at other levels – in hardware designed with little or no consideration for basic security, for example;20 in carelessly written software;21 and in applications created for quick market penetration that are unable to meet reasonable security requirements.22 In the early days of the Internet’s development, the designers paid relatively little attention to the challenge of developing secure applications, since in their view they had no control over what application designers could do. Most application designers today are motivated by features, time to market, and return on investment. These priorities align poorly with security. This set of actors is highly diverse, unregulated, transnational, and sometimes hard to find, and it is not clear what approach could be used to nudge them to attend more to security.

18 “Domain Name System,” Wikipedia, at https://en.wikipedia.org/wiki/Domain_Name_System, accessed December 12, 2016.
19 For definitions of the Internet and TCP/IP protocols, see respectively Wikipedia at “Internet,” https://en.wikipedia.org/wiki/Internet, and “Internet Protocol Suite,” https://en.wikipedia.org/wiki/Internet_protocol_suite, both accessed January 7, 2017.
20 For the IoT attack on an important Internet company, see Schneier on Security blog, “Lessons from the Dyn DDoS Attack,” https://www.schneier.com/blog/archives/2016/11/lessons_from_th_5.html; James Scott and Drew Spaniel, Rise of the Machines: The Dyn Attack Was Just a Practice Run, December 2016, Institute for Critical Infrastructure Technology report, at http://icitech.org/wp-content/uploads/2016/12/ICIT-Brief-Rise-of-the-Machines.pdf, accessed January 8, 2017.
21 See, e.g., Wikipedia, “Buffer Overflows,” at https://en.wikipedia.org/wiki/Buffer_overflow, accessed January 3, 2017. Buffer overflows have been known to be a security vulnerability for years.
22 See, e.g., Lucian Constantin, “App Developers Not Ready for Stricter iOS Security Requirements,” Computerworld, December 6, 2016, at www.computerworld.com/article/3147373/security/app-developers-not-ready-for-stricter-ios-security-requirements.html, accessed December 7, 2016.


3. There is no agreement today on who, if anyone, should be responsible for making the Internet ecosystem more secure. For example, it can be extremely difficult, even impossible, to be certain who you are communicating with on the Internet. Identities can be easily spoofed and websites counterfeited, enabling fraud. But which actors in the Internet ecosystem should undertake to fix this? Should the packet-forwarding layer of the Internet attempt to impose a single, global identity scheme that applies to all applications? Doing so would raise yet again the question of global trust and coordination. It would make anonymous action very difficult. That would reduce crime, but it would also enhance surveillance powers and thereby threaten privacy. Should the large and uncoordinated community of application designers be told that identity assurance is their problem? In fact, the solution probably requires support at all layers. But there is no institutional forum in which an allocation of responsibility can be resolved.

4. Data files, which are passive, and executable files, which perform operations on data, cannot be distinguished as they are transmitted across the Internet. The network’s design left the discrimination between data and executable files to the application designers in the end-nodes, who were often indifferent to the issue. As a result, malicious executables are easily disguised among large quantities of data. They are easy to insert and extremely difficult to find in a large database or system. This problem became much more difficult once data files (e.g., a Word file) were designed to embed executable code (e.g., macros).
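The point in item 4, demonstrated as an added example (not code from the report): two constructed Word-style packages, one plain and one carrying a VBA macro project, begin with identical bytes, and only inspecting the package contents separates data from executable content. The content-type strings and part names are those of the Office Open XML format; the VBA bytes are a constructed stand-in, not a real macro project.

```python
"""Telling a passive data file from one that carries executable content.

Added illustration; not code from the MIT report. It constructs two minimal
Office Open XML (Word-style) packages in memory, one plain and one carrying a
VBA project (the container Word uses for macros). Both are ZIP archives that
begin with the same bytes, so on the wire they are indistinguishable; only
inspecting the package contents reveals the executable part.
"""
import io
import zipfile

CONTENT_TYPES_PART = "[Content_Types].xml"
# Content type Word declares for the main part of a macro-enabled document.
MACRO_ENABLED_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
# Part name under which a Word macro project is stored.
VBA_PROJECT_PART = "word/vbaProject.bin"


def build_package(with_macros: bool) -> bytes:
    """Build a constructed sample package; the VBA bytes are a stand-in blob."""
    main_type = MACRO_ENABLED_MAIN_TYPE if with_macros else PLAIN_MAIN_TYPE
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    if with_macros:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES_PART, content_types)
        zf.writestr("word/document.xml", "<w:document>Quarterly figures</w:document>")
        if with_macros:
            # Constructed stand-in for a compiled VBA project (not real macro code).
            zf.writestr(VBA_PROJECT_PART, b"\xd0\xcf\x11\xe0 constructed stand-in blob")
    return buf.getvalue()


def same_on_the_wire(a: bytes, b: bytes, n: int = 4) -> bool:
    """True when the first n bytes (the ZIP local-header magic) are identical."""
    return a[:n] == b[:n]


def classify(blob: bytes) -> dict:
    """Inspect a package for executable content.

    Two independent signals are reported so a reviewer can see why a file was
    flagged: the declared content type and the presence of the macro part.
    Either one is enough to treat the file as executable rather than as data.
    """
    result = {"is_zip": False, "declares_macro_type": False,
              "has_vba_project": False, "executable": False}
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        result["has_vba_project"] = VBA_PROJECT_PART in names
        if CONTENT_TYPES_PART in names:
            types_xml = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
            result["declares_macro_type"] = MACRO_ENABLED_MAIN_TYPE in types_xml
    result["executable"] = result["declares_macro_type"] or result["has_vba_project"]
    return result


if __name__ == "__main__":
    plain, macro = build_package(False), build_package(True)
    print("identical leading bytes:", same_on_the_wire(plain, macro))
    print("plain:", classify(plain))
    print("macro:", classify(macro))
```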

After Congress made the Internet generally available for commercial use in 1992, the network became the backbone of our entire system of economic and social communication, and increasingly of our physical operations, so these inherent weaknesses assumed enormous significance. As Richard Danzig has noted, “Cyber systems create serious security problems because they concentrate information and control and because the complexity, communicative power and interactive capabilities that enable them unavoidably create vulnerabilities.”23 Putting massive amounts of information in one place, which is highly efficient, also facilitates massively efficient theft. And connecting almost everything to almost everything else, which is also efficient, means that a vulnerability in any part of the interconnected system is a vulnerability in every part of it. These factors, together with the difficulty of tracing and attributing attacks, make the Internet a prime environment for criminals.

23 Richard Danzig, “Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies,” Center for a New American Security (July 2014), p. 9, at https://www.cnas.org/publications/reports/surviving-on-a-diet-of-poisoned-fruit-reducing-the-national-security-risks-of-americas-cyber-dependencies, accessed December 24, 2016.


It is a serious error to assume that cybersecurity is entirely a matter of technical specifications and system design. Poor business management, lack of clear responsibility within organizations, and bad user behavior would continue to create significant vulnerabilities even if the technical issues could suddenly be fixed. Last year, when for the first time the Bank of England included cybersecurity as a major risk factor for the financial stability of the United Kingdom, its number one finding was, “Overemphasis on technological (as opposed to management, behavioural and cultural) aspects weakens cyber defensive capabilities.”24 We concur.

A common human error enabling fraud is susceptibility to an online scam known as phishing. Phishing involves sending a mass email that appears to come from a trusted source such as a bank or a well-known company, but does not. A recipient (the “phish”) who opens the email and clicks on the attachment unwittingly downloads malware. The purpose of the malware varies. It may steal information such as passwords or credentials, or it may enlist the recipient’s machine in a campaign to advertise pornography, drugs, etc. Phishing campaigns are nearly cost-free to conduct and are highly successful. According to Verizon, thirty percent of recipients open phishing emails, and about a third of them click on the attachment. “The median time for the first user of a phishing campaign to open the malicious email [was] 1 minute, 40 seconds. The median time to the first click on the attachment was 3 minutes, 45 seconds….”25

Spear phishing is a socially engineered fraud aimed at a specific person, often a corporate or government official. This is a favorite tactic of sophisticated criminal gangs and intelligence services, which can craft an email that appears to come from a trusted person on a topic that the recipient is known to be interested in. Sometimes the malware is automatically downloaded merely by opening the email. In a recent survey by Trend Micro, “spear-phishing tactics were cited by all responding members as the single biggest attack method they had to defend against, with the exploitation of unpatched vendor software vulnerabilities being a distant second.” Whether an effective technological defense to this vulnerability can be deployed remains to be seen.

Weaknesses in the email system also contribute to identity spoofing. The basic design of email is older than the Internet; it existed in the late 1960s in an earlier internal Defense Department network called ARPAnet. There seemed to be little need in those days to build an authenticated identity system to validate the sender of an email on a closed system involving trusted parties. Since that time, there have been proposals put forward to secure email by having the sender sign the mail in a trustworthy manner, but those proposals achieved little market traction owing to lack of market demand, engineering complexity, development costs, disagreements about the correct approach, the lack of an institution that could exercise acceptable global leadership, and so on. There would also be little if any market advantage to incurring these costs if others failed to follow. These issues are not technical.

24 Bank of England, “Financial Stability Report,” July 2015, Table A.10, p. 32, at http://www.bankofengland.co.uk/publications/Documents/fsr/2015/fsrfull1507.pdf, accessed January 6, 2017.
25 Verizon, “2016 Data Breach Investigations Report,” p. 18, available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/, accessed December 24, 2016.
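The email weakness discussed above, as an added example that is not part of the report: a receiver-side check of whether a message’s From: domain is backed by a verified signing domain, which is what “having the sender sign the mail in a trustworthy manner” buys a defender. It assumes one deployed form of sender signing, DKIM checked for DMARC-style alignment (neither is named in the report), and uses constructed sample messages and a hypothetical receiving-server identity, mx.example.org.

```python
"""An unsigned From: header is just text; only a verified signing domain
can authenticate it.

Added illustration; not code from the MIT report. The report notes that email
was designed without any authenticated sender identity and that proposals to
have senders sign their mail gained little traction. This example assumes one
deployed form of that idea, DKIM signing checked for DMARC-style alignment
(neither named in the report): the receiving server records the domain whose
signature verified, and the From: domain is trusted only if it matches.
All messages below are constructed samples; no network access is needed.
"""
import re
from email import policy
from email.parser import BytesParser
from typing import Optional

# Identity the receiving mail server stamps on its own Authentication-Results
# header (hypothetical). Results claimed under any other authserv-id are
# ignored, because an outsider can add such a header as easily as a forged From:.
TRUSTED_AUTHSERV = "mx.example.org"

# Legitimate: the verified signature belongs to the domain shown in From:.
SIGNED_ALIGNED = b"""From: Alerts <alerts@bank.example>
To: customer@example.org
Subject: Statement ready
Authentication-Results: mx.example.org; dkim=pass header.d=bank.example
DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel1; bh=...; b=...

Your statement is ready.
"""

# Spoofed: From: claims the bank, but the verified signature belongs elsewhere.
SIGNED_MISALIGNED = b"""From: Alerts <alerts@bank.example>
To: customer@example.org
Subject: Urgent: verify your account
Authentication-Results: mx.example.org; dkim=pass header.d=bulk-sender.example
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.example; s=x; bh=...; b=...

Open the attachment to verify.
"""

# Spoofed: no signature at all; the sender also inserted a fake
# Authentication-Results header under an authserv-id our server never uses.
UNSIGNED_WITH_FAKE_RESULT = b"""From: Alerts <alerts@bank.example>
To: customer@example.org
Subject: Urgent: verify your account
Authentication-Results: evil-relay.example; dkim=pass header.d=bank.example

Open the attachment to verify.
"""


def from_domain(msg) -> str:
    """Domain of the From: address, lower-cased. This is sender-supplied text."""
    header = msg["From"]
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def verified_signing_domain(msg) -> Optional[str]:
    """Signing domain from the trusted server's Authentication-Results, if any."""
    for value in msg.get_all("Authentication-Results", []):
        text = str(value).strip()
        authserv_id = text.split(";", 1)[0].strip()
        if authserv_id != TRUSTED_AUTHSERV:
            continue  # not our server's verdict; untrusted
        match = re.search(r"\bdkim=pass\b.*?\bheader\.d=([A-Za-z0-9.-]+)", text)
        if match:
            return match.group(1).lower()
    return None


def assess(raw: bytes) -> str:
    """Return 'aligned', 'misaligned' or 'unauthenticated' for a raw message.

    Strict alignment is used: the signing domain must equal the From: domain.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    claimed = from_domain(msg)
    signed = verified_signing_domain(msg)
    if signed is None:
        return "unauthenticated"
    return "aligned" if signed == claimed else "misaligned"


if __name__ == "__main__":
    for name, sample in (("aligned", SIGNED_ALIGNED),
                         ("misaligned", SIGNED_MISALIGNED),
                         ("fake result", UNSIGNED_WITH_FAKE_RESULT)):
        print(f"{name:12s} -> {assess(sample)}")
```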

The vulnerabilities at all levels of the cyber environment have been well known for years, yet many firms fail to take basic security precautions. And it is still the case that a large majority of intrusions are discovered by law enforcement and other third parties and not by the enterprise that owns the network.26 Even among owners and operators of critical infrastructure, decisions to expose their operations to these vulnerabilities have repeatedly been made with little or no regard for the risks thus imposed on the enterprise, let alone the risks imposed across the entire economy. Enterprises that expose their operations to the Internet must accept Internet services as they find them, replete with vulnerabilities, and protect themselves accordingly. Insofar as those enterprises are regulated, the cost of doing so should be reflected in the rates they are permitted to charge.

In short, profound network insecurity has persisted for twenty-five years for many reasons. A problem this enduring in so fundamental an area demands concerted attention. It also calls for concentrating resources devoted to research and development efforts (R&D) into technologies and policies to make attacks more difficult and expensive to launch and less difficult and expensive to combat.

Coordinating Research Policy

There has been no shortage in recent years of federal pleas for research into critical infrastructure cybersecurity, but they have tended to remain general and hortatory. In 2009, for example, the Department of Homeland Security (DHS) published “A Roadmap for Cybersecurity Research” that identified an important problem set but did not develop a research agenda to deal with it. In 2011, the National Science and Technology Council (NSTC) articulated the need for federal spending in basic cybersecurity research but was content to describe challenge areas (e.g., mobile security, creation of trusted spaces, etc.) rather than specific areas for research.

In 2013 a presidential policy directive emphasized that research was a critical aspect of achieving critical infrastructure security and resilience27 but was not specific. In June 2014, a subcommittee of the NSTC issued a cogent statement of federal cybersecurity research objectives, but did not identify a path to get there. Last year DHS brought additional attention to the challenge with its R&D plan for research in this area, but the plan did not go beyond a general statement of objectives. Reports and directives from high levels of government are inevitably general, but lack of follow-through and inattention to detail are not inevitable. At the agency level, specific but uncoordinated research projects are underway to tackle technical cybersecurity problems. For example, at the Defense Advanced Research Projects Agency (DARPA) a project on Organically Assured and Survivable Information Systems (OASIS) focuses on increasing fault tolerance in systems and networks. But these programs are not coordinated, and many of the general problems described in high-level government documents remain insufficiently addressed, if addressed at all.

26 Verizon, 2016 DBIR, p. 11, fig. 9.
27 Resilience is the ability to operate at an acceptable, if suboptimal, level of performance in the face of attack or failure. For a thoughtful exploration of this concept, see Harriet Goldman, “Building Secure, Resilient Architectures for Cyber Mission Assurance,” Case 10-3301, MITRE Corp., 2010, at https://pdfs.semanticscholar.org/911a/9c301359a0bcbdc3e49b2f7a04cf7eef14b2.pdf, accessed January 5, 2017.

Against this background, the nation must devote substantial coordinated resources (1) to identify the most salient risks to critical infrastructure networks, and (2) to describe specific cybersecurity objectives that could reduce those risks and that could be broken into manageable research projects. This is what IPRI and CIS have sought to do.

The Workshop Plan

IPRI and CIS convened four sector-specific workshops to study the challenge of a coordinated research and policy plan, and later a fifth workshop to distill what we learned from the first four. It was clear from the start that “critical infrastructure” had become too broad a rubric to guide our work. In the United States, the term means “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”28

Sixteen sectors have now been designated “critical.” We therefore selected four sectors we deemed most critical,29 and scheduled the following day-long workshops, all held in Cambridge, Massachusetts at MIT:

● Electricity – October 8, 2015
● Finance – November 5, 2015
● Communications – December 3, 2015
● Oil and Natural Gas (ONG) – February 8, 2016
● Final Workshop – May 2, 2016

28 42 U.S.C. § 5195c(e).
29 Time constraints precluded an additional workshop on the transportation sector.


Participants came from key industry firms in the United States, Canada, Japan, and Europe; from pertinent government offices, from MIT, and from Carnegie-Mellon University. Most of the MIT participants and several of the industry and government participants attended all the workshops. We limited attendance to twenty people at each workshop and did not ask for prepared presentations. Instead we asked participants to do three things:

1. Describe their most severe challenges in terms of systemic issues;
2. Describe the characteristics of a more secure environment for IT and the OT linked to it; and
3. Identify the technical, political, and economic impediments to achieving those characteristics.

Each workshop took on a dynamic of its own. We asked questions but did not limit the topics of discussion. Not surprisingly, some industry participants had difficulty framing questions in strategic terms, while some academic participants had difficulty framing theoretical questions that were relevant to the concerns of the industry participants. Yet each workshop produced spontaneous, lively discussions that served to frame and sharpen issues. Although we asked participants to address the three questions just stated, the output of each workshop fell into a simpler dyad: a consensus list of the greatest risks to the sector, and a consensus list of the most important challenges for the sector. Except for certain regulatory issues, every major challenge was discussed in every workshop. If a challenge appears in the account of one workshop but not another, that is because it received the most emphasis in that workshop.

To create a research agenda, we convened a fifth workshop of twenty participants selected from the previous workshops and presented them with a distillation of ideas from the previous sessions. We asked them to identify the most critical challenges across all sectors and to turn those challenges into questions amenable to research. The outcome of that workshop formed the basis of the IPRI-CIS statement of the seven high-level challenges and the related recommendations and research questions in this report.


The Sector-Specific Workshops

1. Electricity Sector Workshop

Electricity sits at the base of any modern society’s operational structure. Nearly all economic and social activity depends on it. Not surprisingly, the risk most feared in this workshop, even more than loss of information, was disruption of service.

The electricity sector operates in a unique and complex regulatory environment and displays striking internal differences, especially between the larger firms and the smaller enterprises and cooperatives. Electricity transmission in the United States30 is governed by federal law, but delivery is regulated by the fifty states and the territories in inconsistent ways. As a general matter, regulated entities are entitled to a specified rate of return on expenditures allowed into their rate base, as determined by their regulator. They therefore have an incentive to make expenditures allowable into that base. According to our industry participants, state regulation has historically been consistent in its emphasis on rate regulation, which is a politically sensitive topic, and on safety. Expenditures calculated to lower rates (such as software designed to create efficiencies) or to improve safety are favored, they said. In contrast, network security has not been a regulatory focus, and some participants asserted that capital expenditures necessary to defend digital systems are more difficult candidates for regulatory approval. Because of the asserted difficulty of assigning a return on investments in network security, such expenditures were also more difficult candidates for corporate approval, according to these participants. These statements should be verified because, if true, these factors, together with the long lifespan of much of the sector’s OT, would impede the adoption of needed security measures.

The Most Severe Risks

Risk 1: Risk from aging operating systems retrofitted with digital controls.

Most participants believed the most important risk factor for their sector was the networking of aging valves, pumps, and other hardware that were designed to be physically isolated and locked up, but which are now accessible remotely. Many of these operating components were twenty or more years old. They now form parts of systems that were retrofitted (“cobbled together”) to be electronically accessible through acquisition programs that failed to take the resulting vulnerabilities into account. A participant compared the state of the industry to the Office of Personnel Management, which had digitized old systems without understanding the vulnerabilities thus created.

30 The U.S. electric grid is better described as being part of the North American electric grid. There are many dependencies at the grid level between the U.S. and Canada.


Participants also stated that no one fully understood the extent to which the electricity industry is tightly coupled with other sectors, and therefore did not sufficiently understand the risk of catastrophic, macroeconomic failure. There was support for the view that the Department of Energy should be more concerned about disruptions lasting longer than two to three weeks.

Risk 2: Risk from third-party access.

One participant identified his company's chief risk as unauthorized external access to networks and systems owing to the extension of access privileges to third parties, mostly vendors and other contractors. All agreed this was a significant risk factor. Some doubted whether meaningful network perimeters still exist. In some cases, companies required dual-factor identification and the use of a VPN to engage in remote maintenance, but if the threat arose in a trusted vendor's system, as some thought likely, those steps did not help.
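The following is an added illustration, not code from the report, from the workshop, or from any utility, of the second layer of control the participants' point implies: dual-factor authentication and a VPN vouch for the vendor's identity but not for what a compromised vendor workstation then does once connected, so each maintenance session can additionally be bound to one ticket, one asset, one time window and a short command allowlist, with every decision logged. The broker, the ticket fields and the sample requests are assumptions constructed for the example.

```python
"""Scoped, time-boxed third-party maintenance sessions (added example).

MFA plus a VPN authenticates the vendor, not the request: a compromised
vendor host passes both. This hypothetical broker binds every session to a
maintenance ticket covering one asset, one window and a command allowlist,
and flags a ticket used from two source addresses, so a stolen VPN session
still cannot reach arbitrary OT assets. All names and values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class MaintenanceTicket:
    ticket_id: str
    vendor: str
    asset: str                    # the single device this ticket covers
    window_start: datetime
    window_end: datetime
    allowed_commands: frozenset   # what the vendor may do on that asset


@dataclass
class AccessRequest:
    vendor: str
    ticket_id: str
    asset: str
    command: str
    source_ip: str
    at: datetime


class VendorAccessBroker:
    def __init__(self, tickets):
        self.tickets = {t.ticket_id: t for t in tickets}
        self.audit = []            # every decision, granted or refused
        self._sources = {}         # ticket_id -> set of source addresses seen

    def decide(self, req):
        """Return (granted, reason); every outcome is appended to the audit log."""
        t = self.tickets.get(req.ticket_id)
        if t is None:
            return self._log(req, False, "unknown ticket")
        if t.vendor != req.vendor:
            return self._log(req, False, "ticket belongs to another vendor")
        if not (t.window_start <= req.at <= t.window_end):
            return self._log(req, False, "outside maintenance window")
        if req.asset != t.asset:
            return self._log(req, False, "asset not covered by ticket")
        if req.command not in t.allowed_commands:
            return self._log(req, False, "command not on allowlist")
        # One ticket driven from several hosts at once is the signature of a
        # shared or stolen vendor credential: refuse and leave it in the log.
        seen = self._sources.setdefault(req.ticket_id, set())
        seen.add(req.source_ip)
        if len(seen) > 1:
            return self._log(req, False, "ticket used from multiple sources")
        return self._log(req, True, "ok")

    def _log(self, req, granted, reason):
        self.audit.append((req.at.isoformat(), req.vendor, req.ticket_id,
                           req.asset, req.command, req.source_ip, granted, reason))
        return granted, reason


def demo():
    """Constructed scenario: one legitimate vendor action, then the same
    ticket being pushed toward another asset, an unlisted command, a second
    source host, and finally use after the window has closed."""
    t0 = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)
    ticket = MaintenanceTicket("MT-001", "pumpco", "pump-7",
                               t0, t0 + timedelta(hours=2),
                               frozenset({"read-status", "update-firmware"}))
    broker = VendorAccessBroker([ticket])
    reqs = [
        ("pump-7", "read-status", "198.51.100.10", timedelta(minutes=5)),
        ("valve-3", "read-status", "198.51.100.10", timedelta(minutes=6)),
        ("pump-7", "open-shell", "198.51.100.10", timedelta(minutes=7)),
        ("pump-7", "read-status", "203.0.113.44", timedelta(minutes=8)),
        ("pump-7", "read-status", "198.51.100.10", timedelta(hours=3)),
    ]
    results = [broker.decide(AccessRequest("pumpco", "MT-001", asset, cmd, ip, t0 + dt))
               for asset, cmd, ip, dt in reqs]
    return results, broker.audit
```

Only the first request is granted; the lateral move, the unlisted command, the second source host and the late request are each refused with a distinct reason, and all five decisions are in the audit trail regardless of outcome.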

Data centers and the increasingly ubiquitous Internet of Things ("IoT") also created third-party risk. The IoT created an attack surface that was huge and expanding dramatically, and many of the connected devices related to energy consumption and had little or no security designed into them. If attacked, these devices could cause localized failure and be used to steal customer information. They could also be organized into botnets to attack any sector of the economy. That observation has since been borne out.31

Risk 3: Risk Created by Regulatory Emphasis on Compliance versus Security.

Participants stated there was a confusion among many executives and regulators about the difference between compliance with published standards and adequate security. That confusion is not restricted to this sector. In contrast, no such confusion exists among security professionals, who understand that compliance certifications are a necessary condition of doing business but insufficient because they do not adequately address constantly changing risks. Some participants also stated that the basic compliance standard issued by the North American Electric Reliability Corporation, known as the "NERC CIP," compared unfavorably to standards issued by the Payment Card Industry. Compliance is check-list oriented and gives a false impression of security. Participants also emphasized cultural factors, noting that the oil-and-gas sector's concerted emphasis on physical safety may be a model for an emphasis on security.

31 David E. Sanger and Nicole Perlroth, "A New Era of Internet Attacks Powered by Everyday Devices," New York Times, October 22, 2016, at http://www.nytimes.com/2016/10/23/us/politics/a-new-era-of-internet-attacks-powered-by-everyday-devices.html?_r=0, accessed October 25, 2016.


The Challenges

The electricity workshop identified high-level security objectives supported, in most cases, by more detailed objectives necessary to achieve them. Most of the identified challenges were economic, commercial, and legal rather than technical. In nearly all cases, however, meeting the objectives would require a substantial effort simply to gather the data necessary for high-quality analytics. Obtaining the necessary data in ways that did not create additional risk for the data provider would itself be a significant challenge.

Challenge 1: Quantifying risk at the enterprise, sectoral, and macroeconomic levels.

There was general agreement that quantifying risk was both difficult and necessary. As one participant stated, a dollar spent on "vegetation management" (trimming trees) was more valuable to his company's board than a dollar spent on cybersecurity, because its effect could be measured, whereas network risk could not. Participants also stated that baselining risk – that is, describing the current state of a network – was difficult but necessary to quantify risk. One participant stated that many utilities do not even own their own data, which would be required for risk analysis, intelligence gathering,32 and prediction.

Challenge 2: Measuring and reducing intra-sector and cross-sector fragilities through simulation-based, cross-sector exercises.

These fragilities were insufficiently understood. There are about 3000 utilities in the United States, but seven utility holding companies serve about 70% of U.S. customers.33 The level of operating and security sophistication in the market was not uniform. More attention should be paid to IT/OT inter-connection risk across this disparate market and to coordinating defenses. There was general agreement that the electricity sector lagged the financial sector in this regard, and that sectors were tightly coupled. Participants did not believe the country could detect a series of rolling, low-level events that could precipitate a crisis. Participants broke this challenge into three parts:

a. Compile the data required for quality simulations. Exercises between the electric and the financial sectors could yield major security gains, participants believed. Various exercises coordinated by the Treasury Department and the Financial Services Sector Coordinating Council were a good model.34 But simulations require large quantities of good data, which firms have been reluctant to share. Utilities measure success based on reliability, safety, low costs, and consumer satisfaction. What data would induce companies to add network security to this list?35

32 The U.S. Department of Energy (DoE) has spearheaded an effort called the Cybersecurity Risk Information Sharing Program, or CRISP, to share classified as well as unclassified information in this sector. See letter of Patricia Hoffman, Assistant Secretary, DoE Office of Electricity Delivery and Energy Reliability to Tom Fanning and Fred Gorbet, August 5, 2014, at http://www.nerc.com/pa/CI/Resources/Documents/Department%20of%20Energy%20Letter%20-%20Cybersecurity%20Risk%20Information%20Sharing%20Program%20(CRISP).pdf, accessed January 6, 2017.

33 Information courtesy of the Edison Electric Institute.

b. Secure the participation of state, local, and federal governments in cross-sector simulation exercises. A series of disaster exercises called Gridex now exists, but it is limited to public-sector stakeholders. In the next scheduled exercises, planned for the autumn of 2017, "participation is open only to registered utilities and others specifically invited by the utility (e.g., vendors, local law enforcement)."36 Additional exercises should broaden participation in the public and private sectors.

c. In a collaboration between MIT and industry, develop realistic scenarios for simulation exercises.

Challenge 3: Creating a model for a rational regulatory scheme that would align investment and security requirements with risk.

Many participants stated that prevailing regulatory regimes create intense pressure to adopt software technology without any pressure to secure it. The following specific steps toward creating a better model were proposed:

a. Perform a comparative analysis of state regulation of electric utilities in Massachusetts, Rhode Island, and New York. An industry participant with experience in these jurisdictions stated that studying their differences would be enlightening.

b. Compare data integrity measures in the electric and financial sectors. The financial sector was said to be intensely concerned with data integrity and was more advanced than this sector in securing it.

34 See, e.g., Sean Waterman, "Bank regulators briefed on Treasury-led cyber drill," FedScoop, July 20, 2016, at http://fedscoop.com/us-treasury-cybersecurity-drill-july-2016, accessed November 8, 2016; U.S. Department of Treasury, "Joint Statement from the U.S. Department of The Treasury and Her Majesty's Treasury," November 12, 2015, at https://www.treasury.gov/press-center/press-releases/Pages/jl0262.aspx, accessed November 8, 2016.

35 A participant noted that the automobile industry had created massive cyber vulnerabilities in vehicles, but that the industry is fixing them now because the potential liabilities could be very large. Regulated utilities were said not to face a comparable risk.

36 NERC, "GRIDEX IV Frequently Asked Questions," p. 1, December 2, 2016, available at http://www.nerc.com/pa/CI/CIPOutreach/Pages/GridEX.aspx, accessed January 5, 2017.


c. Study nuclear regulation as a potential model for the regulation of non-nuclear electricity. A participant stated that the nuclear industry went from a prescriptive to a performance-based regulatory regime, recognizing that technologies were advancing more quickly than regulation could keep up.

d. Optimize legal, regulatory, and tax policy for security investment to maximize investment incentives and place costs where they can be reflected in the price of the goods and services produced. Existing regulatory schemes and tax policy did not do this, according to participants. There was broad but not unanimous support for the view that liability should play a greater role in driving better network security, and that now it plays almost none.

Challenge 4: Supporting a market for simpler, less vulnerable technology.

The widespread use of field-programmable gate arrays37 and multi-purpose controls were cases in point. Both were cheaper to produce than special-purpose devices and were highly capable – but were therefore more vulnerable. Creating a market for limited-purpose devices was seen as more of a political and economic challenge than a technical one. In this regard, some participants wanted to explore the use of analog devices within, or alongside, digital systems, especially at endpoints.

Challenge 5: Improving human expertise in network management.

a. Identify the skill sets uniquely required in this sector and expand the talent pool. There are not enough qualified operating engineers and computer scientists who understand the challenges unique to the electricity sector.

b. Investigate the "Rickover Model" for the training and selection of navy personnel for the nuclear submarine service. When the U.S. Navy created a nuclear submarine service, Admiral Hyman Rickover required applicants to complete a rigorous training regimen for admission to the service. Could that model be adapted for security professionals in this or other sectors?

37 "A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or a designer after manufacturing…. FPGAs contain an array of programmable logic blocks, and a hierarchy of reconfigurable interconnects that allow the blocks to be "wired together", like many logic gates that can be inter-wired in different configurations." "Field-programmable Gate Arrays," Wikipedia, at https://en.wikipedia.org/wiki/Field-programmable_gate_array, accessed December 12, 2016.


Challenge 6: Integrating the Management of IT and OT.

Each utility is different in the way it integrates, or fails to integrate, the management of operating technology (OT) and information technology (IT). Some do not converge until the corporate level; others converge much lower down. No one believed a single governance model would be useful, but the group did believe that IT and OT have substantially converged – at any rate, they have converged sufficiently so that operating systems can now be attacked through IT systems. Management structures should reflect that fact.

a. Unify security functions. In the view of many participants, someone in the enterprise should have a view of the full scope of security threat, from wherever they came. The group did not agree on that person's proper title and reporting responsibilities, but did agree that he or she should report to an officer of the company and possibly to the board.

b. Optimize OT/IT replacement cycles, which are out of synch. OT in this sector has historically been on replacement cycles of 15-25 years. In contrast, IT measures technology generations in 3-5 years. These cycles should be studied and optimized.


2. Financial Sector Workshop

The finance workshop identified three risks that were unique or especially severe in the sector:

1. Data integrity risk;

2. Systemic risk to the financial system that may not be apparent when considering enterprises or the sector in isolation; and

3. Third-party risk arising from the inability to alter long-term contractual arrangements with other market participants.

The financial sector also shares risks common to critical infrastructure, though it has the most advanced network defenses of any sector.

The Most Severe Risks

Risk 1: Data Integrity.

Risk to the integrity of financial data topped the list of our participants' concerns. Our economy is based on a system of accounts recording who owes what to whom at any moment. Those accounts are digitized, and so are back-up systems. An attack that destroyed or corrupted the accounts of a major financial institution could wreak devastating economic havoc unless those accounts could be quickly and reliably reconstituted. The risk extends beyond banks to securities exchanges, brokerage firms, investment companies, clearing organizations, and other financial enterprises.

A sophisticated network attack could lock up this sector. A logic bomb, for example, could randomly delete system files. According to one participant, that has already occurred, and it took time to understand what had happened and to fix it. But disruption is only one risk that could arise from data loss or corruption. A subtle, more limited operation that corrupted the pricing of selected securities, for example, could be used to manipulate markets, create illegal profits and losses, and drive parties out of business.

Participants agreed that a slowly rolling attack on an institution might create more havoc than an attack that brought the institution to an immediate halt, for which the larger institutions prepare. A "low and slow" corruption of accounts would be difficult to spot, and unless it were stopped quickly, it would infect back-up systems, too. The longer it lasted, the more backup accounts would also be infected. Research that addressed this risk would be of great value.


Risk 2: Systemic Risk from Tight Coupling Within and Across Sectors.

Participants were concerned about the cross-sector risk created by the tight coupling of finance, energy, and telecommunications, but they were also concerned about risk from tight coupling within their sector. Several participants agreed that financial enterprises assume that in this space all parties are managing their own risks and that systemic risk is therefore also being managed through the sector, but they doubted this is true. Notwithstanding the perception that the level of cooperation in this sector is high, these participants believed it was insufficient and that more collective action on information sharing would be required to better protect the sector from attack. The nuclear power industry was cited as an example. In that sector there was widespread understanding that an adverse incident that affected any of them would adversely affect them all. The financial sector was said not to be at that point.

In particular, several participants complained of poor network security among competing institutions ("shirking"). They gave two examples: (1) competitors that sought market advantage by saving money on network security, and (2) community banks that lacked the financial and other resources to make themselves reasonably secure. As to the latter, participants noted that the share of assets controlled by community banks continues to fall, so some questioned the significance of this risk. Others noted that imposing further regulation on these banks would accelerate consolidation in the banking sector. However, that risk was not equally troubling to everyone present. A participant noted that shirking was merely one aspect of the more general problem of consistent standards. As institutions other than banks and SEC-regulated businesses became larger players, the problem of inconsistent regulation would present a growing problem. Several participants stressed that one should pay close attention to the application of regulatory standards as well as to their content when assessing consistency.

Risk 3: Contractual Risk from Long-Term Third-Party Contracts.

Long-term contracts with other institutions (which some participants called "locked handshakes") were a special example of risky intra-sector coupling. The example given involved payment processors, which allegedly employ hard, pre-set passwords that are not regularly rotated, if rotated at all. That kind of arrangement was said to lock in network access rights of third parties with allegedly poor security. These contracts were said to allocate risk in ways that participants believed were unfair and that were not foreseen when the contracts were made. These contracts can have terms of twenty years, and many were made before the sector fully came to grips with network risk. These assertions should be tested empirically. However, industry participants believed this risk was real, that the sector needed a means to force the renegotiation of these contracts, and that quantifying the problem would be helpful. We detected a willingness among several industry participants to favor a regulatory solution to this issue, and one of them specifically suggested that the issue could be of interest to the Federal Trade Commission (which has recently used Section 5 of the FTC Act38 to address unfair as well as misleading practices affecting network security). Another suggested that clearing agencies might be able to provide leverage for achieving higher security levels. In evaluating these contentions, attention must be paid to the competitive interests involved as well as to the alleged security risks.

Risk 4: Difficulty of Identifying Malicious Actors.

The difficulty of attributing behavior to malicious actors is an aspect of the identity management problem common to every sector, but our participants stressed the challenge of ascertaining internal as opposed to external identities. And they were concerned with controlling administrative privileges because most hacks they dealt with involved abuse of administrator access. Some participants said that machines also have identities and privileges, and that managing identities was easier for people than for machines. Several participants stated, without dissent, that "operator risk" – that is, insider threat from malicious or simply negligent behavior – was a medium, not a low, probability. Some participants agreed that the government's unsuccessful efforts regarding trusted identities illustrated the difficulty of accomplishing anything comprehensive in this space.

The Challenges

Challenge 1: Enhancing the integrity of backup systems.

A slowly evolving attack could be a bigger threat to financial institutions than an attack aimed at a sudden network collapse because it would not be discovered as quickly – and possibly not until backup systems had been infected. Participants were particularly interested in the possible applicability of blockchain technology to their systems and the status of blockchain research to the latency problem (that is, the time required to complete a communication or transaction). Some participant firms are investing in blockchain research.

38 15 U.S.C. §§ 41-58, as amended. The Commission is a consumer protection agency, not a financial regulator. It considers three factors in determining whether a practice violates the prohibition on unfair consumer practices: (1) whether the practice injures consumers; (2) whether it violates established public policy; (3) whether it is unethical or unscrupulous." FTC, "FTC Policy Statement on Unfairness," December 17, 1980, accessed November 16, 2016.
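The following is an added example, not code from the report, the workshop, or any financial institution, showing one concrete way to address both the "low and slow" corruption described under Risk 1 and the backup-integrity problem of Challenge 1 without a full blockchain: every posted change extends a keyed hash chain, verification replays the chain and compares the result with the live account table, and a backup is taken only when verification passes, so a silently corrupted table cannot roll into the backups. The ledger, the key, the account names and the postings are all constructed for the example; in practice the key would be held on a separate, write-protected system so that whoever can alter the table cannot also recompute the chain.

```python
"""HMAC-chained account ledger with a backup gate (added example).

A balance changed by writing the table directly (bypassing post()) leaves the
replayed balances out of step with the live table; a rewritten historical
entry breaks the chain at that link. Either way the backup gate refuses to
overwrite the last known-good snapshot. Key and data are constructed.
"""
import hashlib
import hmac
import json


class AccountLedger:
    def __init__(self, key):
        self._key = key        # assumed to live on a separate, write-protected system
        self.accounts = {}     # account id -> balance in cents
        self.chain = []        # [(prev_digest, change, digest), ...]

    def _digest(self, prev, change):
        msg = prev.encode() + json.dumps(change, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def post(self, account, delta):
        """The only legitimate way to change a balance."""
        change = {"account": account, "delta": delta}
        prev = self.chain[-1][2] if self.chain else "genesis"
        self.accounts[account] = self.accounts.get(account, 0) + delta
        self.chain.append((prev, change, self._digest(prev, change)))

    def verify(self):
        """Replay the chain from genesis. Returns (ok, bad_index, balances):
        bad_index is the first broken link, or len(chain) when every link is
        intact but the live table no longer matches the replayed balances."""
        balances = {}
        prev = "genesis"
        for i, (stored_prev, change, digest) in enumerate(self.chain):
            if stored_prev != prev or digest != self._digest(prev, change):
                return False, i, balances
            acct = change["account"]
            balances[acct] = balances.get(acct, 0) + change["delta"]
            prev = digest
        if balances != self.accounts:
            return False, len(self.chain), balances
        return True, None, balances


class BackupGate:
    """Snapshots a ledger only after it verifies; keeps the last good copy."""

    def __init__(self):
        self.snapshots = []
        self.rejected = 0

    def take(self, ledger):
        ok, bad_index, _ = ledger.verify()
        if not ok:
            self.rejected += 1
            return False, bad_index
        self.snapshots.append((dict(ledger.accounts), list(ledger.chain)))
        return True, None

    def restore(self, ledger):
        accounts, chain = self.snapshots[-1]
        ledger.accounts, ledger.chain = dict(accounts), list(chain)


def demo():
    """Constructed run: good backup, one-cent drift, refused backup,
    restore, then a rewritten historical entry."""
    ledger = AccountLedger(b"constructed-demo-key")
    gate = BackupGate()
    ledger.post("alice", 10_000)
    ledger.post("bob", 5_000)
    ledger.post("alice", -2_500)
    first_backup = gate.take(ledger)           # (True, None)

    # 'Low and slow': one cent added by writing the table directly, as a
    # planted logic bomb or an abused administrator account would.
    ledger.accounts["alice"] += 1
    drift = ledger.verify()[:2]                # (False, 3): links intact, table drifted
    second_backup = gate.take(ledger)          # (False, 3): refused, snapshot kept

    gate.restore(ledger)
    repaired = ledger.verify()[0]              # True

    # Rewriting history instead is caught at the first altered link.
    prev, _, digest = ledger.chain[1]
    ledger.chain[1] = (prev, {"account": "bob", "delta": 50_000}, digest)
    history = ledger.verify()[:2]              # (False, 1)
    return first_backup, drift, second_backup, repaired, history, gate.rejected
```

The gate is deliberately conservative: a verification failure stops backups rather than backing up "just in case", because the point of the passage is that the copy taken after corruption is what makes recovery impossible.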


Challenge 2: Identifying and reducing cross-sector risk through joint cross-sector exercises.

Robust joint exercises using sophisticated data would help illuminate the risk from the tight coupling of power, finance, and telecommunications. These exercises would elucidate intra-sector and cross-sector vulnerabilities and would benefit all participating sectors. They would also highlight sectoral differences about the priorities given to availability, integrity, confidentiality – another area for potential research.

Challenge 3: Improving identity management consistent with privacy concerns.

a. Among Communicants

The tension between privacy and identity management among communicants concerned many participants, but there was widespread agreement that it is important to focus on the specific information fields that would be most useful, and then to determine whether and how that data can be shared consistent with EU and US law. Several participants asserted that EU law made it more difficult to identify both malware and malicious actors in their systems.

A non-industry participant stated that banks and credit card companies are not using in their own networks the kinds of data-driven identity management/risk flagging techniques they employ to monitor credit risk. It would be useful to know whether, why, and to what extent this may be true.

b. Among Providers

It is technically simple to divert large amounts of traffic when it is "handed off" from one service provider to another. This has occurred several times. These hand-offs occur at border gateways, following border gateway protocols (BGP). These protocols are weak, which is to say that identity assurance39 is weak at the BGP level as well as at the level of individual communications. Traffic diversion could cripple communications, and although it would be quickly discovered and repaired, the delay in a crisis could be critical. A more secure version of BGP exists, called BGPSEC, but few U.S. carriers have adopted it, presumably because they do not expect a benefit from adoption that would offset its cost. What economic or other factors impede the adoption of border gateway protocols that would make it impossible, or substantially more difficult, to divert network traffic? How can those factors be reduced or eliminated? Fixing this systemic weakness would not appear to raise privacy concerns.

39 Machines, systems, and regions of the Internet, as well as persons, have identities.
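The following is an added example, not from the report or from any carrier, of the check a border router can apply to the announcements described above. BGPSEC, which the paragraph names, cryptographically signs the AS path; the more widely deployed first step, and the one shown here, is RPKI route origin validation (RFC 6811), in which a router compares each announcement's origin AS and prefix length against the Route Origin Authorizations published by the prefix holder and drops announcements that conflict. The ROAs and announcements are constructed for the demonstration, using documentation prefixes and private AS numbers; the policy function and its naming are assumptions, not any vendor's configuration.

```python
"""RPKI route origin validation of BGP announcements (added example).

Implements the RFC 6811 state machine: an announcement is 'valid' if some
ROA covers its prefix, names its origin AS and permits its prefix length;
'invalid' if ROAs cover the prefix but none matches; 'notfound' if no ROA
covers it. The ROAs and routes below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str          # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int      # longest prefix the origin may announce inside it
    origin_asn: int      # the AS authorized to originate it


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple       # AS path as received; the last AS is the origin

    @property
    def origin_asn(self):
        return self.as_path[-1]


def covering_roas(prefix, roas):
    """ROAs whose prefix contains `prefix` (same address family only)."""
    net = ipaddress.ip_network(prefix)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate_origin(ann, roas):
    """Return 'valid', 'invalid' or 'notfound' for one announcement."""
    covering = covering_roas(ann.prefix, roas)
    if not covering:
        return "notfound"            # no ROA covers it: unknown, not wrong
    plen = ipaddress.ip_network(ann.prefix).prefixlen
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and plen <= roa.max_length:
            return "valid"
    return "invalid"                 # covered, but wrong origin or too specific


def apply_policy(announcements, roas):
    """Common operator policy: drop invalid, accept valid and notfound.
    Returns {(prefix, origin_asn): (state, action)} so decisions are auditable."""
    decisions = {}
    for ann in announcements:
        state = validate_origin(ann, roas)
        action = "drop" if state == "invalid" else "accept"
        decisions[(ann.prefix, ann.origin_asn)] = (state, action)
    return decisions


def demo():
    roas = [
        ROA("192.0.2.0/24", 24, 64500),
        ROA("198.51.100.0/22", 24, 64501),
    ]
    announcements = [
        Announcement("192.0.2.0/24", (64510, 64500)),      # legitimate origin
        Announcement("192.0.2.0/24", (64510, 64666)),      # wrong origin AS
        Announcement("198.51.100.0/23", (64520, 64501)),   # within maxLength
        Announcement("198.51.100.0/25", (64520, 64501)),   # more specific than allowed
        Announcement("203.0.113.0/24", (64530, 64502)),    # no ROA at all
    ]
    return apply_policy(announcements, roas)
```

Two of the five constructed routes are dropped: the one whose origin AS does not match the ROA and the one that is more specific than the ROA's maximum length, which is how a diverted prefix typically presents. The uncovered prefix is accepted as "notfound", which is why origin validation only helps to the extent that prefix holders actually publish ROAs.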


Challenge 4: Containing the "Blast Radius" of Destructive Attacks.

It is now widely understood that malware cannot reliably be kept out of even very sophisticated and well-run systems. The challenge was therefore to contain its effects – or as one participant put it, to contain its "blast radius." Participants returned several times to this topic and were deeply interested in technical means of accomplishing this objective (e.g., flexible segmentation and rapid reconstruction of networks).

Challenge 5: Modernizing the Regulatory Environment

Regulatory challenges fell into two groups: (i) creating flexible standards that would improve security as well as guide compliance (a goal that may be as elusive in theory as it has been in practice), and (ii) harmonizing regulations nationally and internationally.

a. Flexible Standards

Industry participants stated that regulatory norms are not adapting to rapidly changing technology and are rigid and costly without being effective. They noted several instances where firms were compliant with applicable standards but were penetrated anyway. They were interested in seeing flexible standards that would evolve with technology and reduce risk when implemented – like a standard of care. Participants referred to standards issued by the National Institute of Standards and Technology (NIST) and the International Standards Organisation.40 These could evolve into enforceable standards of care, but legally binding standards of care usually evolve through litigation; regulations are promulgated. A non-industry participant stated that compliance and risk-based standards are not necessarily in conflict, and that expecting government or a standards organization to compel virtue was not realistic. He added that mandating red-teaming forces threat-modeling. More broadly, he asked what success would look like under a risk-based approach and suggested this could be a fruitful research question. In this regard, participants would be interested to know whether sectoral stress tests could be developed.

40 NIST, "Framework for Improving Critical Infrastructure Cybersecurity," v. 1.0, February 12, 2014, at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf, accessed January 7, 2017; ISO/IEC 27032:2012 Information Technology – Security Techniques – Guidelines for Cybersecurity, July 2012, at http://www.iso27001security.com/html/27032.html, accessed January 7, 2017.


b. Harmonization

The Securities and Exchange Commission, the Commodities Futures Trading Corporation, the Federal Financial Institutions Examination Council (among others) regulate the financial sector in the U.S. Standards issued by the National Institute of Standards and Technology (NIST) and the International Standards Organisation also apply. These regulations and standards should be consistent and should evolve rapidly. While there was broad agreement on this point, specific inconsistencies were not discussed except to note that ISO 17799 was in effect for about ten years before it was superseded.

We heard conflicting views from industry on the issue of global harmonization. Some said that standards of the Federal Financial Institutions Examination Council are already fairly global and that global convergence would have to occur; others stated that the convergence of physical and logical security is making global regulatory convergence ever more difficult. Regulatory differences between Europe and the United States over the security of cloud computing remained a problem. This was particularly troubling because as the number of sensors expands dramatically through the IoT, the information they generate can be managed only through cloud services based on big data analytics and machine learning. Could research on the security of encryption in cloud computing be useful in achieving international harmonization? Again, securing the data required to do this research would be a challenge.

Challenge 6: Re-establishing trust in U.S. global leadership.

Since the Snowden disclosures the United States is no longer the most trusted actor in network space, even among its allies. There is no trusted "sentry on the Roman road." Regaining international trust, especially among the Western democracies and Japan, was a strategic challenge of high importance to the financial sector.

Challenge 7: Assessing Portfolio Risk from Information Insecurity.

This was a topic of widespread interest but not extended discussion. Whether it could be accomplished without aggregating the risks created by weaknesses in the systems of each company in a portfolio would be an interesting research question. Most participants believed cyber risk was not factored into the pricing of securities.


Challenge 8: Identifying unauthorized executable code.

The architecture of the Internet – and the architecture of the hardware and software that run on the Internet – permit executable code to reside among data files. Indeed, embedding executable code within data files is a feature of some widely used systems, making those systems harder to secure. Unauthorized or malicious code does not identify itself as executable; it masquerades as a data file. In a typically large data file, this kind of malicious insertion is therefore extremely difficult to find and eliminate. Can this weakness be eliminated or made less severe?

Challenge 9: Enhancing workforce development.

Technical education and talent management were problems. Filling the pipeline with highly educated, trained network engineers and computer scientists was the challenge. Education and training should begin early in life.

Challenge 10: Creating effective cyber deterrence.

Is deterrence working? Against whom? Participants had differing views. Some thought it was playing no role in bringing stability to networks because highly sophisticated nation-state actors were operating in our networks. Others noted that nation-states could wreak havoc with one another but had not done it, which suggested that nation-states were indeed being deterred from escalating exploitation to destruction attacks. However, there was broad agreement that fringe states such as North Korea, Iran, and Syria might not be similarly deterred and that containing their attacks would be a challenge going forward.

Challenge 11: Designing systems that do not fail silently.

A non-industry participant stated that one of our most important and difficult challenges was to make "silent failure" impossible. He meant that when a system failed, its operators should know immediately that it had failed. They should also be able to determine why it had failed. To do that, we had to learn how to interrogate algorithms. Absent the ability to do so, algorithms would become increasingly autonomous and beyond human control. He suggested that critical sectors would probably differ on how far autonomy should go, and that research on that point would be useful.


3. Communications Sector Workshop

This workshop was unique in focusing on the risks of managing networks that are too complex to be understood and whose states cannot be known from one moment to the next. Here again this risk was not unique to this sector, but it was articulated only in this workshop. The risk feared most in this sector, even more than data security, was catastrophic failure. Many conditions created risk, but two conditions created the most concern: (1) systems too complex to understand, and (2) loss of perimeter control.

The Most Severe Risks

Risk 1: Risk from indeterminate network state.

Over the years, communication hardware has grown massive and software even more so. Once systems attained sufficient size – wherever that threshold might be, the industry had crossed it – participants agreed that systems were inherently unstable and it was difficult to know much about them. That was unnerving. Communications systems were so complex that neither the firms that owned them nor their vendors fully understood them. There was agreement, however, that software-defined networks (SDNs) offered advantages in managing complex networks. Yet there were differences expressed as to the nature of SDNs. One participant stated that they enabled decentralized control and were therefore more resilient even if many nodes were taken out. Another stated that SDNs pulled the network control algorithms out of the routers and into a controller that was conceptually centralized. But it was agreed that, through application programming interfaces, SDNs offered significant cost savings and could be reconfigured or rebuilt swiftly even while under attack. No one doubted they would become prevalent in this sector, but there was disagreement about whether SDNs were reducing complexity.

Risk 2: Risk from third-party access and porous network perimeters.

In common with other sectors, industry participants saw widespread third-party access with consequent loss of perimeter control as a major risk. The communication sector is experiencing a major perimeter expansion through cloud computing, network function virtualization, vendor access, and the IoT. The very notion of a perimeter was in question. More physical devices on the network made the stakes much higher. Some industry participants said they were engaged in constant electronic warfare in the military sense.

Interoperability with legacy systems, both internal and external, was part of the problem. Internally, there would always be some subsystems that were more secure than others. Externally, some legacy systems were the equivalent of bad neighborhoods that packets had to traverse.

The Challenges

Challenge 1: Communications networks should be harder to disable.

a. Failure in any part of the network should be evident. Failures were inevitable and should be planned for. But no failure should be silent to the operator. One participant referred to the “Chaos Monkey” approach to testing (in which various elements of the system are turned off to see what happens), and said that the way to know if something would fail silently is to make it fail. An industry participant stated that in the public health arena, the reporting of certain diseases was mandatory, and that this sector should adopt a similar policy.

b. Legacy systems should be retired on accelerated schedules. Tax incentives, regulatory measures, and better internal risk-assessment could all be helpful in achieving this goal.

c. Software defined networks (SDNs) should be simpler as well as prevalent. Participants anticipated that network management and control would become highly distributed as a means of increasing resiliency and that systems would increasingly manage themselves. They also posed three questions relating to network management. First, they asked whether blockchain technology could help manage international networks by keeping a record of all changes to a network, including the changes that the network made to itself. Second, they asked whether SDNs had the potential to improve the confidentiality of communications – or make them worse. Third, they asked how SDNs could aid in segmenting networks in real time to isolate the effects of a malicious intrusion.

d. Some critical facilities should be isolated from publicly accessible networks. Isolation was a relative concept. Total isolation was not possible, as the Stuxnet attacks on Iranian centrifuges demonstrated. With that understanding, participants agreed that a small but undefined number of critical facilities should not be “public facing” but should operate on virtual private networks (VPNs), with air gaps and significant access barriers.

e. The technological monoculture should be more diverse, and its components should be designed with security in mind. Participants saw technological diversity as a desirable goal but did not envision a path to get there. They also noted that diversity would require a standards-based architecture to support it. Some were interested in the possible use of analog technology at some points to contain system failure. However, all participants believed that the costs and benefits of innovation should be assessed with security in mind, which is not now the case. It was shocking that we still have injection attacks, for example. Many participants believed that a more robust liability or regulatory regime would be required to make vendors design for security, but there was no consensus on whether tort liability would be welcomed, though it was probably more desirable than most regulatory approaches.
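The silent-failure point in item (a) above, worked through as an added example that is not from the report or the workshop: a constructed Python fault-injection drill in which a heartbeat-only monitor misses a component that is up but no longer doing its job, and an end-to-end probe makes that failure evident to the operator. The component names, monitor classes and failure modes are invented for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Component:
    """Constructed network element: 'running' means the process is up,
    'working' means it is actually doing its job. Names are invented."""
    name: str
    running: bool = True
    working: bool = True

    def heartbeat(self) -> bool:
        # Liveness only: says the process exists, not that it does anything.
        return self.running

    def relay(self, msg: str) -> bool:
        # The component's real job (passing traffic downstream), modelled
        # as simply succeeding or failing.
        return self.running and self.working


class LivenessMonitor:
    """Heartbeat-only monitoring: a component that is up but not working
    raises no alert, so that failure stays silent to the operator."""

    def __init__(self, components):
        self.components = components
        self.alerts = []

    def poll(self):
        for c in self.components:
            if not c.heartbeat():
                self.alerts.append(f"{c.name}: no heartbeat")
        return list(self.alerts)


class EndToEndMonitor(LivenessMonitor):
    """Adds a synthetic transaction through each live component, so
    'up but not working' becomes evident."""

    def poll(self):
        super().poll()
        for c in self.components:
            if c.running and not c.relay(f"probe:{c.name}"):
                self.alerts.append(f"{c.name}: heartbeat OK but probe failed")
        return list(self.alerts)


def inject_failure(component, mode):
    """Chaos step: break the component in one of two ways."""
    if mode == "crash":
        component.running = False   # process gone: heartbeats stop
    elif mode == "hang":
        component.working = False   # process alive but does no work
    else:
        raise ValueError(f"unknown failure mode: {mode}")


def drill(monitor_cls, mode):
    """One fault-injection drill on a three-element relay chain: confirm a
    clean baseline, break the middle element, poll the monitor, and report
    whether the injected failure became visible (plus the alerts raised)."""
    chain = [Component(n) for n in ("edge-router", "core-switch", "gateway")]
    monitor = monitor_cls(chain)
    if monitor.poll():
        raise RuntimeError("baseline must be alert-free before injection")
    inject_failure(chain[1], mode)
    alerts = monitor.poll()
    visible = any(a.startswith("core-switch") for a in alerts)
    return visible, alerts


if __name__ == "__main__":
    for cls in (LivenessMonitor, EndToEndMonitor):
        for mode in ("crash", "hang"):
            print(cls.__name__, mode, drill(cls, mode))
```

Only the "hang" drill under the heartbeat-only monitor comes back invisible, which is exactly the silent failure that deliberately inducing the fault exposes.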

Challenge 2: Regulations and standards should be evidence-based and flexible.

Industry participants severely criticized the current regulatory regime in their sector. Compliance with current standards did not lead to better security and was said to be “a joke” and “a race to the bottom.” There were frequent fines for low-level violations, and these fines were taken from security budgets. The net effect was a reduction in security spending. Industry participants wished instead that regulators took steps to ensure that security budgets were increased.

Several participants believed that regulators in the banking sector did a better job of devising and enforcing reasonable standards. In any case, all industry participants believed that (1) communications regulations should be dynamic and evidence-based, (2) regulation should incentivize discovery of vulnerabilities and penetrations, rather than the reverse, and (3) disclosure to the regulator should not be penalized (as in the Aviation Safety Reporting System). There was also support for loosened rules in emergencies based on prioritized threats. A participant suggested that universities could play an important role in designing a better regulatory scheme by bringing economic and legal expertise to bear on the challenge.

Like the electricity sector, the communications sector supports all the others. Historically the various sectors have been regulated by different agencies that focused on different issues. But now these agencies have begun to create cybersecurity regimes, which are not consistent. Harmonization would be useful. One participant stated there were simply too many regulatory and compliance standards and that the federal government should recognize only the NIST standards.

Challenge 3: Continuity-of-operation planning should be widespread and robust for critical infrastructure and critical resource sectors.

Participants said that in every national level tabletop exercise, the participants assumed that communications would be available. This assumption was unrealistic and should be abandoned. Participants wanted to see systematic use of sophisticated modeling and simulations to anticipate and train for attacks. This prescription was common to all workshops, and so was an acknowledgement of the impediment: i.e., the lack of sufficient data to perform robust simulations and to create good models. Some participants proposed that MIT play a role in generating models, but the need for data remained.

Apropos of data sharing, industry participants were clear that privacy concerns must be carefully balanced against security concerns. They also stated that privacy concerns impeded necessary information sharing – though most admitted that competitive concerns were an even bigger impediment to sharing.

Challenge 4: The government should confront the need for communication priorities in case of national emergency.

Industry participants said they were having difficulty engaging government about prioritizing critical systems. If communications were crippled in a disaster, it would be essential to determine what sectors and firms would get priority service, but government was said to be reluctant to make that determination. In a national emergency, prioritization (also known as tiering) was thought to be inevitable. It would make sense, for example, to give priority to a nuclear power plant or hospital over personal calls, but participants from telecommunications firms said they had no guidance on how to prioritize calls and, as common carriers, were required to treat all calls alike.

This challenge is not unique to this sector. For example, in a national emergency, power might have to be rationed, but it is unclear that anyone has the authority to require it (as opposed to the authority to “coordinate” with distributors). But the issue arose only in this workshop. Cross-sector simulation exercises could illuminate the consequences of this lack of authority.

Challenge 5: The nation should develop a national deterrence strategy.

Deterrence involves both making targets harder to cripple and exacting a price from an attacker. Here the emphasis was on the latter. Participants were troubled that attackers faced little likelihood of paying a price for attacking U.S. targets, that the country had no discernible strategy for punishing attackers, and that the lack of consequences was emboldening adversaries. They noted the successful cyber theft of massive amounts of intellectual property but were even more concerned with the prospect of destructive attacks such as those on Saudi Aramco in 2012 and on Sony in 2014. They predicted that such attacks would increase in the next two years. Playing defense, they said, is not a sufficient strategy.

Challenge 6: The domain name system should be strengthened.

The domain name system, commonly referred to as the DNS, correlates plain-language names for computers, websites, etc. with a numerical IP address. Thus, typing “www.mit.csail.edu” in a browser takes you to 128.30.2.155. The DNS is weak and insecure, which makes spoofing identities easy. There is wide agreement that adopting a secure version of the DNS known as DNSSEC would bring a significant improvement in the security of the Internet. Enterprises should be incentivized to move to the more secure system.

Challenge 7: The cadre of highly qualified network engineers and computer scientists with security expertise should be greatly expanded.

The need in this regard was urgent but could not be met in the short term. The need was felt as strongly in the regulatory agencies as in industry.

4. Oil-and-Natural-Gas Sector Workshop

Like all sectors, the oil-and-natural-gas (“ONG”) industry faced the full array of cybersecurity challenges, but it was chiefly concerned with risk to availability of service. This risk arose chiefly from three conditions:

1. Unduly complex, general purpose technology;
2. The inability to swiftly detect malware; and
3. The uncertain ability to swiftly isolate the impact of compromise.

The ONG sector resembles the electricity sector because of their common reliance on industrial operating technology, and both share cross-cutting network risks. At the generation/extraction level, however, this sector enjoys a higher level of threat-information sharing among the majors, and it absorbs new technology more quickly.

The Most Severe Risks

Risk 1: Operational risk created by unduly complex, general purpose technology.

Industry participants singled out insecure, general purpose controls as a supply-chain risk to their operations. The components available from vendors had far more functionality than they needed or asked for, and with superfluous functionality came vulnerabilities. These participants wanted lean components with no more functionality than needed for a particular type of task, but such components were not available in the market. Vendors found it far more profitable to sell generic devices to a wide market.

Risk 2: Operational risk from the inability to swiftly detect malware.

Disguised executable code is easy to insert into a network and exceedingly difficult to find. The risk of malicious executable code is enhanced by supply chain risk but is separate from it. Some participants stated that their inability to detect malware faster was also caused by their inability (i) to visualize their entire network at once and (ii) to know what hardware and software were running on their network.

Risk 3: Operational risk from the inability to swiftly contain the impact of compromise.

Participants assumed that not all malware could be kept out of their systems. They focused on the risk from the inability to compartment the malware’s impact. As in the financial sector workshop, the image of containing the “blast radius” of the malware was appealing. The question was how to quickly seal off a compromised area of a network.

The Challenges

Virtually every challenge addressed in the previous workshops was addressed in this workshop too, but the following challenges received the most attention:

Challenge 1: Creating a security environment on the model of this sector’s successful campaign to improve its safety environment.

ONG firms have been successful in fostering safety consciousness across the industry and thereby driving down the number and severity of physical accidents. Participants did not believe the industry had made the same commitment to network security. They noted that cybersecurity and physical security and safety had largely converged. Operations were controlled by digital networks. Network intrusions could be used, and indeed have been used, to sabotage operations and thus threaten health and safety. In most companies, however, electronic networks and physical operations were not managed holistically, and several participants stated that the engineering culture they confronted did not understand network security. They saw this as both a management problem and a problem of company culture – not a technological problem.

Challenge 2: Creating a government-industry partnership to foster a supply chain that produces simpler, less vulnerable components, especially industrial operating controls.

General purpose components came with superfluous functionality, and every functionality created potential vulnerabilities. But general purpose components were cheap and profitable. One participant stated that vendors charge maintenance fees, so they benefit from the insecurities they create because they get paid to fix them. This is a commercial, not a technological, problem, and participants saw no solution to it unless the government would support demand for special purpose components for critical sectors by becoming a more demanding buyer. Several participants thought that the departments of defense, energy, and homeland security could play that role. Participants also discussed the potential use of analog devices at key points in their networks but generally believed it would be impossible. Doing so, they said, would mean losing real-time remote monitoring capability. The digital “toothpaste was out of the tube,” one participant said. The question remained, however, whether analog devices could serve as fail-safe mechanisms working in parallel with digital systems.41

41 For example, at a conference at MIT’s Sloan School of Management in the autumn of 2016, an executive of a major U.S. energy company stated that his company used analog pressure gauges in pipelines that would override a malfunctioning digital pressure system and shut down the line.

Challenge 3: Automatically identifying unauthorized executables.

The challenge of swiftly identifying malware resolved itself into the challenge of automatically identifying unauthorized executable code. This was an aspect of participants’ demand for adaptive systems and cyber capabilities at scale, which they believed would be possible only through machine learning and artificial intelligence. Capabilities at scale, machine learning, and artificial intelligence would in turn be available only through cloud services, which must be secure.

Challenge 4: Automatically neutralizing or containing the effects of system failure.

Containing cascading failure would require adaptive systems. Immediate visibility of failure was a prerequisite of containing its effects. Participants also believed that following a failure, systems had to be able to explain what went wrong, even if they had not previously confronted the same circumstances. To do these things, systems had to be capable of machine learning. “Patching on the fly,” “dynamic segmentation,” and “self-repair” were phrases often heard. These aspirational capabilities could be realized only through big data analytics, which would likely be available only through secure cloud services.

Participants also believed that containing cascading failure would require limiting common mode attacks at scale. Systems were too homogeneous within and across sectors. An attack on one system could therefore be repeated successfully against many other systems. They therefore saw heterogeneity as a goal.

Challenge 5: Encouraging an enforceable standard of care.

Many participants, including several industry participants, favored a legal standard of care for software and equipment and possibly for certain operational activities such as patching. They wanted enforceable standards, much as building codes are enforceable. They also referred to the function of the Underwriters Laboratory in raising standards for electrical appliances. Manufacturers followed these codes because they could be legally liable if they did not and because their insurance carriers required them to do so. At the same time, no industry participant favored mandating statutory or regulatory standards. There was some support, however, for peer reviews of the kind used in the nuclear industry.

Several participants stated that standards of any kind required a standard vocabulary. For example, some participants refer to OT as “everything south of the firewall.” Others define OT as anything that produces a physical output. “Failure,” “compromise,” and “security” also required standard definitions.

Challenge 6: Accelerating and automating patch management.

Participants identified three different challenges relating to patching: (i) prioritizing patches, which in turn implied (ii) measuring the relative risk of unpatched vulnerabilities; and (iii) accelerating the patching process without adding new operational risk. Currently, patching sometimes takes up to four months, which is far too long.

Challenge 7: Assuring memory safety.

One participant stated that computer scientists spend too much time addressing individual vulnerabilities and not enough time addressing classes of vulnerabilities. Memory safety (specifically, eliminating buffer overflow) was a case in point. Another participant stated that this is not basically a technological problem; we know how to fix this. Why does this class of vulnerabilities persist?

Challenge 8: Developing a rational, risk-based model for investment and compliance.

Participants believed that quantifying risk would help rationalize compliance regimes as well as investment decisions. The challenge is broader than simply quantifying aggregate system risk, however, because rational investment involves more than a determination of how much money to spend; it also requires a determination of how to spend it. Several participants believed that insurance carriers could provide more useful requirements than government-mandated standards. Others said that economics departments should consider focusing on security economics as a field of study.

Several industry participants called for more robust threat intelligence. One noted that Congress had resisted funding for prediction markets, which could be useful, and that MIT could play a helpful role in creating or encouraging those markets.

Many of the firms represented in the workshop were not cutting cybersecurity spending, even as other IT spending was decreasing with the low price of oil. The vendor participants said they were seeing increased revenue from cyber products.

Challenge 9: Increasing support for simulation-based complexity modeling and capability maturity.

There was mixed support in this workshop for more information sharing. An Oil and Natural Gas Cybersecurity Network already exists, and some participants were reluctant to expand this trusted network. One participant’s company was already a member of twelve information-sharing networks; that was enough. However, there was no dissent from a proposal for more sophisticated crisis simulations, which require massive amounts of high-quality data from the participants. Several participants suggested that MIT could play a useful role in co-sponsoring simulation exercises and might be a trusted repository for the required data.

March 2017

________________________________________________________________________________________

Joel Brenner was the principal author of this report, with the support and assistance of IPRI’s Daniel Weitzner, Dr. David C. Clark, Professor Hal Abelson, Dr. Shirley Hung, Dr. Taylor Reynolds, Melanie Robinson and Adam Conner-Simons (CSAIL) and CIS Professor Kenneth Oye, CIS Director Professor Richard J. Samuels, CIS Executive Director Dr. John Tirman, Michelle Nhuch and Dan Pomeroy. The rapporteurs for the workshops were Reid Pauly and Rachel Tecott.

THE INTERNET POLICY RESEARCH INITIATIVE: In 2014, MIT established the Internet Policy Research Initiative (IPRI). The Initiative brings together resources from many departments and centers within MIT. Its mission is to work with policymakers and technologists to increase the trustworthiness and effectiveness of interconnected digital systems. Its tools are engineering and public policy research, education, and engagement. IPRI is headquartered in MIT’s Computer Science and Artificial Intelligence Laboratory, which is the largest research laboratory at MIT and one of the world’s most important centers of information technology research.

MIT Center for International Studies: The Center for International Studies (CIS) supports international research and education at MIT. It is the home of MIT’s Security Studies Program; the MIT International Science & Technology Initiative, its pioneering global education program; the Program on Emerging Technologies; and seminars and research on migration, South Asia politics, the Middle East, cybersecurity, nuclear weapons, and East Asia. The Center has traditionally been aligned with the social sciences while also working with MIT’s premier science and engineering scholars. CIS produces research that creatively addresses global issues while helping to educate the next generation of global citizens.