16 November 1998
Source: Excerpt from Critical Foundations: Protecting America's Infrastructures, Part 2: http://www.pccip.gov/part2.pdf


Chapter Eleven

Research and Development

Objective: Increase investment in infrastructure assurance R&D from $250 million to $500 million in FY 99, with incremental increases in investment over a five-year period to $1 billion in FY 04. Target investment in specific areas with high potential to produce needed improvements in infrastructure assurance.

Federal R&D efforts are inadequate for the size of the R&D challenge presented by emerging cyber threats. Only about $250 million per year is being spent on federal infrastructure assurance-related R&D, of which 60 percent—$150 million—is dedicated to information security. There is very little research supporting a national cyber defense. The Commission believes that real-time detection, identification, and response tools are urgently needed. We concluded that market demand is currently insufficient to meet these needs.

R&D for infrastructure protection requires partnership among government, industry, and academia to ensure a successful and focused research and technology development effort.

We Recommend: The President propose an increase in the federal investment in infrastructure assurance research to $500 million in FY99 and incremental increases in annual funding over a five-year period to $1 billion in FY04 for a targeted R&D program focusing on the six R&D areas listed below.

  • R&D Increases for Information Assurance. Assurance of vital information is increasingly a key component to the functioning of our interdependent infrastructures. The urgent need to develop new, affordable means of protection is apparent, given the increasing rate of incidents, the expanding list of known vulnerabilities, and the inadequate set of solutions available.
  • R&D Increases for Intrusion Monitoring and Detection. Reliable automated monitoring and detection systems, timely and effective information collection technologies, and efficient data reduction and analysis tools are needed to identify and characterize structured attacks against infrastructure.
  • R&D Increases for Vulnerability Assessment and Systems Analysis. Advanced methods and tools for vulnerability assessment and systems analysis are needed to identify critical nodes within infrastructures, examine interdependencies, and help understand the behavior of these complex systems. Modeling and simulation tools and test beds for studying infrastructure-related problems are essential for understanding the interdependent infrastructures.
  • R&D Increases for Risk Management Decision Support. Decision support system methodologies and tools are needed to help government and private sector decision-makers effectively prioritize the use of finite resources to reduce risk.
  • R&D Increases for Protection and Mitigation. Real-time system control, infrastructure hardening, and containment and isolation technologies are needed to protect infrastructure systems against the entire threat spectrum.
  • R&D Increases for Incident Response and Recovery. A wide range of new technologies and tools are needed for effective planning, response, and recovery from physical and cyber incidents that affect critical infrastructures.

We Recommend: The National Research Council define, more fully, a national infrastructure assurance research program and lead an effort with departments and agencies already engaged in R&D relevant to each infrastructure.

Assuring Water Quality

Few infrastructures are taken for granted more than our fresh water systems. There is little chance of a threat reducing the quantity of available water sufficiently to endanger the population or cause industrial collapse. But there is risk of malicious attacks over time undermining public confidence. Alternatives for protecting the water supply are few. The most feasible approach we found is a research effort focused on water contamination detection technologies. Effective applications could be developed commercially and implemented at the state and local level.

We Recommend: The creation of a specific R&D program to provide the scientific knowledge and technology necessary to allow highly toxic chemical and biological agents to be detected, identified, measured and treated in near real-time in the nation’s water supply systems. The program should be administered by the EPA.

Provide Early Warning and Response

Real-time detection of cyber threats is a special challenge to the R&D community. While this area is included in our recommendation above for additional R&D investment, it is central to the future security of our infrastructures. Some effort is under way, but it requires continued funding and high priority.

Although many industry and government groups are dedicated to ensuring the technical performance of next generation telecommunications networks, there has been no cohesive effort for protecting this infrastructure against the emerging threat of cyber attack. Such effort should include a system of surveillance, assessment, early warning, and response mechanisms to mitigate the potential for cyber threats. Although current methodology for this centralized effort does not exist, several of the basic technical elements required are successfully deployed on a small-scale basis, or in research, and could be integrated into a limited cohesive, national cyber response element.

Conceptually, a successful cyber attack warning and response system would include:

1) A means for near real-time monitoring of the telecommunications infrastructure.

2) The ability to recognize, collect, and profile system anomalies associated with attacks.

3) The capability to trace, re-route, and isolate electronic signals that are determined to be associated with an attack.

We Recommend: The R&D program include a priority effort to develop such an Early Warning and Response capability.

Chemical and Biological Agent Detectors

Considering the serious and growing threat of a chemical or biological attack, chemical and biological agent detectors and effective protective and clean-up equipment are urgently needed and should be included in R&D efforts.