New Federal Cybersecurity R&D Strategic Plan Points to Innovation Priorities

In late December 2019 the Networking and Information Technology Research and Development (NITRD) program released its updated 2019 Federal Cybersecurity Research and Development Strategic Plan.

The plan seeks to coordinate and guide federally funded R&D in cybersecurity, including development of consensus-based standards and best practices. The new plan also updates and builds upon the R&D priorities from the previous plan published in 2016. Those previous research priorities focused on Cyber-Physical Systems and the Internet of Things; Cloud Computing; High Performance Computing; Autonomous Systems; and Mobile Devices.

Cybersecurity Research Priorities for FY 2021

The new R&D Strategic Plan prioritizes the following areas for cybersecurity research:

• Artificial Intelligence – AI techniques are expected to enhance cybersecurity by either automating certain routine tasks or assisting human system managers to monitor, analyze, and respond to adversarial threats to cyber systems. R&D goals include: Expand and explore new AI-based techniques for more advanced cybersecurity tasks’ study the behaviors of AI systems to increase trustworthiness; develop tools and techniques for understanding attacks and defenses against ML systems; find cryptographic methods to ensure tamper-resilient data; study potential vulnerabilities of chips, processors, and special-purpose devices built for AI applications; and develop models, definitions, and metrics of security and trust that can be used to evaluate AI cybersecurity systems and AI-based cybersecurity controls.
• Quantum Information Science – The development of quantum technologies raises questions on how these technologies can impact or break current cybersecurity methods (e.g. encryption) and how to protect future quantum computing infrastructure and quantum information technology from attacks. R&D goals include: Design type-safe quantum programming languages; explore new methods to probe quantum states and processes to analyze hardware for its security properties; draft standards and implementation plans for quantum-resistant cryptography; integrate classical, quantum-resistant, and quantum cryptographic techniques; design, analyze, and test quantum security protocols; understand how quantum technologies can be exploited for attacks; and understand security threats against quantum devices.
• Trustworthy Distributed Digital Infrastructure (TDDI) – Next-generation telecommunications and information communications infrastructure are under development, including fifth-generation (5G) wireless networks, edge and fog computing, The Internet of Things (IoT), and cyber-physical systems (CPS). A TDDI will help distribute computing to the new network edge, enabling a wide range of applications for manufacturing, healthcare, smart grids, autonomous vehicles and mobility, and smart cities. R&D goals include: Develop methodologies and standards to support end-to-end security across interconnected networks with multiple owners, trust domains, topologies, and range of mobile devices and network layers; develop technologies to sustain autonomous management of security across the communication infrastructure; develop data-centric security solutions based on the protection requirements of the data across all networking paradigms; develop security and key management capabilities that will allow secure IoT interoperability; develop approaches to assure that CPS systems (e.g., cars, medical devices, and utilities) remain resilient to cyber-attack; and develop methods and technologies to integrate human decision-making with cybersecurity technologies and process control technologies.
• Privacy – The plan focuses primarily on privacy aspects that involve the collection, disclosure, and use of an individual’s private information, including identity; patterns of behavior; and economic, social, or other discriminators. R&D goals include: Develop research methods that can reliably and validly measure people’s privacy desires, expectations, attitudes, beliefs, and interests; develop methods and technologies that can identify privacy violations and privacy harms; devise frameworks that integrate safety, security, and privacy requirements; develop privacy trust models that encompass a broad range of authorized data disseminations and uses; develop privacy controls for distributed analytic applications that can be tailored to the privacy requirements and the available resources of each party (e.g., secure, multiparty computations); foster techniques and models that can systematically assess and quantify privacy risks; and develop models, techniques, and evaluation metrics for redress and recovery from privacy violations.
• Secure Hardware and Software – The authentication of hardware, attestation of low-defect software, and secure software updates and patching are the foundations of security. Challenges range from trusted hardware and secure supply chain to secure-by-design hardware and software. R&D goals include: Develop cost- and threat-proportionate integrated root-of-trust alternatives for various hardware devices; develop new processes, techniques, and mechanisms that protect against reverse-engineering efforts; develop mechanisms and tools that verify the security properties of hardware; develop secure debug and testing techniques; develop crypto-agility to migrate existing advanced encryption standards-based infrastructure to post-quantum cryptographic solutions; develop new software development methodologies that allow rapid revision and regression against security goals; and develop secure update mechanisms that support the full range of product formats, applications and lifecycles.
• Education and Workforce Development – The shortage of qualified cybersecurity workers threatens all sectors of the national critical infrastructure and the supply-demand gap is increasing. R&D goals include: Accelerate adoption of a modern taxonomy of the cybersecurity workforce, such as the National Initiative for Cybersecurity Education—Cybersecurity Workforce Framework; research innovative ways to develop talent in all sectors of society to build the cybersecurity workforce; study the supply-and-demand forces in the innovation workplace to help predict future workforce needs; support experiential learning, such as apprenticeships, internships, job-shadows, and other employer-educator partnerships, to align curriculum with workplace demands; and accelerate adoption of convergence research among faculty and students to solve complex scientific, engineering, and societal problems.

Potential FY 2021 Funding for Cybersecurity R&D

The White House budget request for FY 2021 is anticipated in early February 2020. However, it is common for NITRD’s budget supplement to the new FY budget request – as well as the accompanying Cybersecurity R&D Strategic Plan Implementation Roadmap – to be released six months later. So while we may expect many of the R&D priorities outlined in the new 2019 strategic plan to be included in the corresponding FY 2021 budget we will not get fuller details of the R&D budget investments until much closer to the beginning of the new fiscal year in October 2020.

Nevertheless, we do have some historical data available to approximate how much funding we may anticipate.  For FY 2020 NITRD’s budget request for Cybersecurity-related Program Component Areas (PCAs) totaled nearly $800 million across ten departments and agencies. More than $450 million of those dollars were slated for the Department of Defense (DoD) and Defense Advanced Research Projects Agency (DARPA) while the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) accounted for $169 million and $88 million respectively. The remaining $142 million (<20%) is spread among the Department of Energy (DOE), the Department of Homeland Security (DHS), the National Institutes of Health (NIH), the Department of Agriculture (USDA) and others.