The government’s latest Federal Cybersecurity Research and Development (R&D) Strategic Plan is placing human-centered cybersecurity at the forefront of the nation’s cyber research and development activities and investments for the next four years.

“A greater emphasis is needed on human-centered approaches to cybersecurity where people’s needs, motivations, behaviors, and abilities are at the forefront of determining the design, operation, and security of information technology systems,” the document issued last month reads.

The 2023 Federal Cybersecurity R&D Strategic Plan was prepared by the Networking and Information Technology Research and Development (NITRD) Subcommittee of the National Science and Technology Council’s Cyber Security and Information Assurance Interagency Working Group.

The Cybersecurity Enhancement Act of 2014 requires NITRD to develop and update a Federal cybersecurity R&D strategic plan every four years. The December 2023 plan supersedes the document that was released in 2019.

“This 2023 Federal Cybersecurity Research and Development Strategic Plan (the Plan) provides federal agencies updated guidance on the overall priorities for federally funded research and development in cybersecurity,” the introduction to the 42-page document reads. “The guidance incorporates objectives from the [March 2023 National Cybersecurity Strategy] and establishes research priorities for developing the science and technology needed to advance the goals of the Biden-Harris Administration in cybersecurity.”

The updated plan carries forward essential concepts and framing from the 2019 Federal Cybersecurity R&D Strategic Plan:

  • Effective cybersecurity requires maturing competencies founded upon four defensive capabilities: deter, protect, detect, and respond;
  • To improve cybersecurity practices, science and technology advances are needed in sustainably secure systems development and operation, in proactive risk management, and in demonstrating evidence of efficacy and efficiency of those practices;
  • People, specifically users affected by computing and communication systems, must be protected by cybersecurity safeguards with the same, if not greater, urgency as systems, communications, and data;
  • Frameworks and methodologies are needed that will enable developers to reason across and manage safety, security, resiliency, trust, and privacy requirements holistically and concurrently; and
  • Advances in scientific foundations, research infrastructure, and transition to practice are critical to successful cybersecurity R&D.

Key Updates to the 2023 Federal Cyber Plan

The 2023 plan highlights three cybersecurity priority areas and corresponding research objectives over the next four years: protect people and society; develop means to establish and manage trust; and strengthen cyber resilience.

The document’s introduction highlights that while many of the cyber concepts from past plans have carried over, the new December 2023 plan has three key updates and priorities.

Under priority number one – protecting people and society – the document added “human-centered cybersecurity” as a research objective.

This initiative is intended to “incorporate participatory and iterative designs to address the needs of people, organizations, communities including marginalized and vulnerable populations, and society related to cybersecurity,” the document continues. “This empowers people to be invested in the process and provides a locus of control to support and encourage them to be a part of the cybersecurity solutions created.”

A research action under this objective includes identifying factors that reduce or eliminate memory and cognitive loads of people who interact with digital technologies to ensure the safety and security of people and systems. For example, the plan notes that threats – like phishing campaigns – are becoming more sophisticated, so there “needs to be an emphasis on the development of socio-technical solutions to detect such attacks and mitigate them without relying on people to identify these threats.”

The 2023 plan also updated priority number two: develop means to establish and manage trust.

“A dearth of methods and mechanisms to determine the trustworthiness of an entity in cyberspace and to establish trust among interacting parties and components is a key shortcoming endemic to cyberspace,” the document says. “Capabilities are needed to be able to establish and enforce the required levels of trust at all layers of computing, starting at the hardware layer and including all other layers, such as operating systems, software applications, networking, web browsing, and applications and services such as electronic commerce and information sharing on social media.”

The document offers 30 research actions to evolve trustworthiness in cyberspace, including advancing digital identity methods that can utilize a variety of attributes related to users, entities, and systems, where varying levels of dynamic trust can be continuously assessed.

Finally, the new cyber R&D plan has added cyber resilience as a key research objective for the next four years.

“There is a growing recognition that cybersecurity must go beyond the traditional focus on prevention, protection, and restoration to address the broader range of needs that organizations have when dealing with threats to their systems. Cyber resilience has emerged as a key element in the overall strategies for mission and business assurance,” the document reads. “This necessitates increased attention to how systems can be effectively designed, developed, and operated to withstand cyberattacks and continue to operate at an appropriate level to carry out the mission in the face of ongoing attacks, or even when compromised.”

One research area for cyber resilience includes identifying secure software design principles that could eliminate large portions of common software weaknesses. For example, model-based designs can enable secure-by-design software, validate software execution against secure design principles, and be used to generate software to execute the intended functionality of a cyber-resilient system.

Plan Highlights White House, Congress’ Cyber R&D Priorities

The 2023 plan also highlights specific cyber topics that the Federal government, through executive and legislative actions, has called for in documents such as the National Cybersecurity Strategy and the Blueprint for an AI Bill of Rights.

The three Federal application scenarios include:

  • Protecting software and hardware supply chains;
  • Realizing secure and trustworthy artificial intelligence; and
  • Securing the clean energy future.

The plan also highlights that none of the above research priorities and objectives will be possible without continuing to advance the nation’s sound metrics, measurements, and evaluation methodologies for cybersecurity, as well as protecting effective cybersecurity research, development, and experimentation.

The document closes by identifying roles in cybersecurity R&D for the Federal government, industry, and academia, and approaches for coordination and collaboration. Agencies are expected to detail their approaches for implementing this plan in their strategies, implementation plans, or roadmaps, the document reads.

“Implementing this Plan will create science and technology for cybersecurity to help sustain a trustworthy cyberspace to support the nation’s prosperity and security,” the document concludes.

Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.