No discussion of cybersecurity takes place without mentioning the changing threat landscape. A community of federal cyber practitioners focuses on the notion that knowing what’s next in cybersecurity will help the government be ready for — and less reactive to — threats still to come.
Just what is ahead? For starters, here are three items:
Better understanding of how cybersecurity measures operate at the scale of a large federal agency
Two-edged potential of quantum computing
How to deal with an important quantum offshoot, namely quantum cryptography
Those are among the priorities expressed by a panel of federal cyber researchers during Federal News Network’s Cyber Leaders Exchange 2023 — the Homeland Security Department’s Donald Coulter and Ann Cox, and the National Institute of Standards and Technology’s Dustin Moody.
This group doesn’t deal only with known knowns, but also the unknown unknowns — so-called black swan occurrences that can change everything suddenly and generally unexpectedly. Although by definition unknown, such events can have less destructive potential when agencies are more agile and resilient, said Coulter, senior science advisor in DHS’ Science and Technology Directorate.
That’s why one area of S&T research focuses on “thinking through how we design our systems in a flexible manner,” he said. “So that if we see something that we didn’t anticipate, we can kind of flip switches. We can turn things. We can reconfigure as quickly as possible.”
Such work happens in the context of broader research into “how we improve our ability to understand the state of the network and the systems and devices on it, and understand all of the potential ways of identifying anomalous and potentially adversarial behavior,” Coulter said.
That’s where the idea of cybersecurity at scale comes in. Networks are growing into ever larger and more complex fabrics of interconnected devices for infrastructure, users and sensors, he said.
“Figuring out how to retain and focus on resilience at scale is really where we’re focused moving forward,” Coulter said.
Preparing for quantum, both the positive and the negative
Quantum computing is both promising and threatening — if it ever arrives as a practical platform.
“Some people think we’ll have something in the next two or three years. Other people think it is 50 years to never,” said Ann Cox, quantum information science technical lead in DHS’ S&T Directorate.
Lab-scale quantum computers exist that hint at what might someday be possible in the fields of drug design, logistics, weather forecasting and many other areas. DHS concentrates on practical applications more than theoretical, Cox said. She offered the example of how quantum computing could be applied to the classic “traveling salesman” algorithmic problem to improve operations and logistics.
Because these systems operate according to quantum particle physics, such computers have “really great potential to do some computational things that current classical computing simply cannot do,” pointed out Moody, lead for NIST’s Post-Quantum Cryptography Project.
He added: “Quantum will provide all sorts of amazing applications. It’s in cryptography we stay awake because it is going to break some of our crypto systems.”
Still, specific use cases have been created for the limited quantum facilities available, mainly to help researchers become familiar with the technology, Cox said. The threat will come “when we get what’s called a cryptographically capable quantum computer,” she said. “Then essentially all — or nearly all — of our current cryptography will become obsolete. We need to prepare now.”
Not all encrypted information faces the same threat, Cox added. Data that’s only sensitive in the short term need not get the same treatment as, say, Census data about individuals, which by statute remains secret for 70 years.
Nevertheless, crypto researchers assume future quantum computers will access data encrypted with current crypto algorithms. Hence, the NIST program to develop quantum-resistant encryption algorithms.
Moody said other NIST cryptography research is also underway:
Fully homomorphic encryption that keeps data encrypted even during processing operations
Threshold cryptography for distributed databases
Lightweight encryption for Internet of Things devices with low power and processing capabilities
Applying cyber research to current problems too
Despite being forward-focused, the efforts of both the DHS and NIST researchers also look for ways to apply any learnings or capabilities as soon as practical.
At NIST, Moody said much of the work in quantum cryptography requires “an awful lot of mathematics.” Researchers, for instance, come up with new cryptosystems that they are unable to test because large quantum computers are nonexistent. Therefore, they calculate quantum resistance using math and elaborate extrapolation using the somewhat limited quantum computers of today.
As a practical matter, any new systems they develop must run on here-and-now computers, Moody said. In this work, computer scientists and engineers join the pure mathematicians.
“It takes a whole team, and that’s why it can’t just be a mathematician,” Moody said, adding that a team ensures that research results translate into usable code.
“There has to be code for the algorithms,” he said. “A team of experts from a variety of fields who are looking at it ask, ‘How am I going to implement this in hardware? How am I going to implement this in software?’ They’ll optimize it so it will run really well. It’s a multidisciplinary effort.”
NIST also relies on external research done by grant recipients. A year ago, Moody’s team chose winning quantum-resistant algorithms developed during a competition. NIST published proposed standards for three of four algorithms this summer, and the agency hopes to publish the final versions of those three next year, Moody said.
At DHS, research focuses on the specific needs of the department’s component agencies and works to deliver possible operational help today based on its future-leaning efforts.
For example, S&T researchers will apply algorithms resulting from the traveling salesman problem to help the Coast Guard more efficiently service all of its buoys, which float off both U.S. coasts, in the Great Lakes and within many interior waterways. At this point, it’s unclear whether quantum will provide an advantage. The objective is to help the Coast Guard chart the most efficient route to all of its buoys.
Leaning into challenges exclusive to government
Federal research, partly because of limited funds, steers clear of areas where industry might already have an 80% solution, Cox said. In such cases, the government will generally ask industry to adapt a product.
If it can be bought commercially, then don’t build it from scratch, she said. “Only when there’s nothing available, are you going to go to a development project for something that’s kind of unique to the government.”
At S&T, Coulter added, researchers often collaborate with the department’s Cybersecurity and Infrastructure Security Agency.
“We are focused on things that can be broadly applicable to a large set of networks, whether they’re public sector, private sector or for personal use,” he said. He cited work to counter so-called side-channel attacks, in which hackers gain access by exploiting characteristics of a system, such as its power consumption or a routine system process.
“Sometimes they even do things like just listen in on you. Using the acoustics, they’re able to do some calculations and come up with some of your secret information” by deriving keystrokes from sound patterns, Coulter said.
The directorate also researches topics unique to the federal government, such as mass-scale passenger screening. Ensuring that the screening systems used by the Transportation Security Administration keep improving in accuracy and remain secure increasingly requires use of artificial intelligence, he said.
“Thinking of how to analyze the integrity of these systems, it also makes us look at how we protect the data that was used to train those systems,” Coulter said. “And how we retain ownership and provenance of the data that’s going into these systems.”
Still another area of research, Coulter said, covers the expanding internet dependence on control systems for utilities, process industries and similar critical infrastructure elements.
“Sometimes we might identify a real-world physical risk to a system, but we can take a cyber action to prevent and mitigate that risk,” he said. “And vice versa, with cyber risks we can see and we can make some physical changes to the system that help mitigate those risks.”