Shannon Stresses Better Measurement, Better Data Access, and Coordinated National Strategies in House Subcommittee Testimony
•
Article
March 10, 2015—The SEI’s Greg Shannon testified before the House Subcommittee on Oversight and Investigations on March 3, 2015. Shannon provided his testimony as part of the hearing “Cyber Threats and Implications for the 21st Century.” The hearing was the first in the subcommittee’s series addressing cyberspace, the internet, and related challenges and opportunities. The subcommittee sees the hearings as a catalyst for discussion of these issues and the implications they have for businesses and consumers in the cyber economy.
Shannon, who serves as chief scientist for the SEI’s CERT Division, discussed future technologies and strategies for building a trustworthy and resilient cyber economy. Citing the tradeoffs between security, functionality, and cost, he noted that no existing technology, and no amount of money, can stop all serious cyber-attacks without adversely affecting the efficient functioning of electronic commerce. “We do not yet know how to do both of those together,” said Shannon, “which makes enabling continued technology research and innovation essential.”
To better address the security challenges of the cyber economy, Shannon advocated for a research agenda that does not limit innovation and the adoption of new technologies to hardware and software. He suggested that solutions arising out of this research must take into account what he called “the four mainstays of cyber technology and innovation”: trust, people, efficiency, and measured outcomes. To inform and organize research in this area, Shannon proposed short-, medium-, and long-term research goals.
For the short term, Shannon pressed for better measurement of current cybersecurity strategies and outcomes. “We, as a research and development (R&D) community, need to ensure innovation is scientifically and operationally validated,” he said, “and provide compelling return on investment metrics to incentivize adoption [of effective cybersecurity practices].” He suggested the NIST Cybersecurity Framework and the Department of Energy’s Cybersecurity Capability Maturity Model as two approaches for gathering needed metrics.
Midterm, Shannon would like to see access to these improved metrics made available for R&D. “Information sharing is often seen as a defensive strategy,” he said; “however, providing operationally relevant data to researchers and engineers accelerates innovation.” Shannon added that improved access to operational data could help researchers identify relevant data and, over time, narrow the data set required to counter cyber risks.
For the long term, Shannon underscored the need for a coordinated and integrated cybersecurity strategy. “Cyber innovation and research need to address the threat in a more holistic manner,” he said. “Researchers and policymakers should work towards technologies and innovation that make cyber attacks exceptionally more complicated than exploiting a single weakness,” added Shannon.
Expanding on this idea, Shannon stressed the development of strategies that optimize the energy devoted to defending the cyber economy and maximize the energy required of adversaries to launch a successful attack. “Today it takes only modest energy (computing and human) to find and execute economy-threatening attacks,” he said. Shannon devoted the balance of his testimony to highlighting various technologies applicable to these short-, mid-, and long-term goals.