{"674073":{"#nid":"674073","#data":{"type":"news","title":"Pass or Fail? Researchers Grade Progress of Long-Term Cybersecurity Goals","body":[{"value":"\u003Cp\u003EIn November 2003, fifty of the nation\u2019s top computer scientists met in the Virginia countryside to create a plan tackling the biggest problems facing the growing field of computer security and privacy, known then as trustworthy computing.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe meeting borrowed elements from the Gordon Research Conferences, meaning the discussions and attendees were never made public. It was the\u0026nbsp;second in a series of highly nontraditional conferences\u0026nbsp;meant to define important questions rather than\u0026nbsp;present current research.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe grand challenges established by this group of academics drove the cybersecurity research agenda for over a decade. \u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003ETwenty-one years later, conference leaders\u0026nbsp;\u003Cstrong\u003ERich DeMillo\u003C\/strong\u003E, Georgia Tech professor and Charlotte B. and Roger C. 
Warren Chair in Computing, and Georgia Tech alumnus\u0026nbsp;\u003Cstrong\u003EEugene Spafford\u003C\/strong\u003E\u0026nbsp;have collected feedback from the original participants and created a\u0026nbsp;\u003Ca href=\u0022https:\/\/www.cerias.purdue.edu\/apps\/reports_and_papers\/view\/5048\u0022\u003Ereport\u003C\/a\u003E\u0026nbsp;on the progress made, and where they fell short.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u201cWhen we started the retrospective, we were all convinced that the whole exercise had been a failure,\u201d said DeMillo.\u0026nbsp; \u201cBut after some reflection, that judgment seemed too harsh.\u201d\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe rapid evolution of technology made it difficult to give each challenge a simple pass\/fail grade, but the group was still able to highlight successes in their report.\u0026nbsp;For example, DeMillo points out that global scale denial of service attacks never materialized because scientists figured out the right combination of policy, governance, and technology to make them ineffective at that scale.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u201cContext matters for when these challenges were issued,\u201d said DeMillo. \u201cWe could not predict the new technologies and methods that sprang up over the years.\u201d\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Ch2\u003EThe Official Report Card\u003C\/h2\u003E\r\n\r\n\u003Cp\u003EIn May 2023, twenty years after the first Grand Challenges meeting, DeMillo and Spafford reconvened the original participants for a retrospective at Purdue University\u2019s Center for Education and Research in Information Assurance and Security. The meeting was to see how well the community had done in predicting the course of the field. 
In effect, they wanted to grade the work of the original\u0026nbsp;\u003Ca href=\u0022http:\/\/www.cra.org\/\u0022\u003EComputing Research Association\u003C\/a\u003E\u0026nbsp;(CRA) conference.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EHere\u2019s the complete list and how today\u2019s researchers grade the community\u2019s progress:\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EGrand Challenge 1\u003C\/strong\u003E: Within the decade, eradicate widespread viral, spam, and denial of service attacks.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EGrade\u003C\/strong\u003E\u0026nbsp;\u003Cstrong\u003EB-\u003C\/strong\u003E: Although global viral attacks have largely been avoided, ransomware, supply chain attacks, and malware that cripple important systems were not foreseen.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EGrand Challenge 2\u003C\/strong\u003E: Develop the scientific principles, tools, and development methods for building large-scale systems to operate critical infrastructure, support democratic institutions, and further significant societal goals, ensuring their trustworthiness even though they are appealing targets.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EGrade F\u003C\/strong\u003E: Infrastructure protection has not received the same level of attention as IT, and as a result, critical systems, from electrical power grids to electronic voting systems, remain vulnerable to foreign and domestic threats.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EGrand Challenge 3\u003C\/strong\u003E: For the coming dynamic, ubiquitous computing systems and applications, create an overall framework to provide end users with comprehensible security and privacy that they can manage.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EGrade D\u003C\/strong\u003E: Usable security is still an elusive goal, and a unified approach to privacy protection in the U.S. 
lags most developed countries.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EGrand Challenge 4\u003C\/strong\u003E: In the next ten years, aim to create and implement quantitative models, methods, and tools for managing information systems risks that are on par with quantitative financial risk management techniques.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Cstrong\u003EGrade\u003C\/strong\u003E\u0026nbsp;\u003Cstrong\u003EIncomplete\u003C\/strong\u003E: The economics of cybersecurity remains unexplored. From board rooms to kitchen tables, cybersecurity customers still do not know how much protection they get for every dollar spent on cybersecurity products.\u003C\/p\u003E\r\n\r\n\u003Ch2\u003EHighlighting the Successes\u003C\/h2\u003E\r\n\r\n\u003Cp\u003EDespite advancing technology creating a moving target for researchers, the framework laid out by DeMillo and the CRA committee has been a baseline for security research for the past twenty years.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u201cThe National Science Foundation, DARPA, the Department of Homeland Security, and others reflected on these challenges when they considered new research proposals,\u201d said DeMillo. \u201cThe 2003 conference laid an important foundation for scientific growth.\u201d\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThis growth created a ripple effect across \u201cgenerations\u201d of academic researchers. When the students of DeMillo and his colleagues graduated, they began advising students of their own or guiding Fortune 500 companies through the pitfalls of an ever-changing cyber landscape. Either way, these graduates confronted the challenges defined by their mentors while adapting to new ones.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u201cThe growth of cybersecurity academic programs like the ones we offer at SCP are directly traceable to the skills gaps that the grand challenges exposed,\u201d he added. 
\u201cAnd new fields like the security of engineered systems being invented here and elsewhere, are novel ways to approach the problem of systems that society can trust.\u201d\u003C\/p\u003E\r\n\r\n\u003Ch2\u003EWhat are the Grand Challenges to Cybersecurity Now?\u003C\/h2\u003E\r\n\r\n\u003Cp\u003EAccording to DeMillo, those questions need to be defined by the research leaders of today.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u201cThe 2003 report was a milestone, but I hope there will be a cohort of young scientists who will lay out new grand challenges and how to confront them,\u201d he said.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAs he points out in a report published on the CRA website, topics like AI, side-channel attacks, blockchain, and quantum computing are just a few of the emerging subfields with the potential to define the next 20 years of cybersecurity research.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Ch2\u003EMore Information on the Original Conference\u003C\/h2\u003E\r\n\r\n\u003Cp\u003EIn 2002, the CRA sponsored its first\u0026nbsp;\u003Ca href=\u0022http:\/\/archive.cra.org\/Activities\/grand.challenges\/\u0022\u003E\u003Cem\u003EGrand Research Challenges in Computer Science and Engineering\u003C\/em\u003E.\u003C\/a\u003E\u0026nbsp;This was the first in a series of highly non-traditional conferences where the goal was to define important questions rather than expose current research. 
Grand challenges meetings sought out-of-the-box thinking to expose some of the exciting, deep challenges yet to be met in computing research.\u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003EDue to the importance and pressing needs for information security and assurance, CRA\u0027s second Grand Research Challenges Conference was devoted to defining technical and social challenges in information security and assurance.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe CRA and\u0026nbsp;\u003Ca href=\u0022https:\/\/www.nsf.gov\/\u0022\u003ENational Science Foundation\u003C\/a\u003E\u0026nbsp;tasked the conference (led by DeMillo, then dean of Georgia Tech\u0027s College of Computing, and Spafford) to define the biggest security problems facing the growing computing and communications infrastructure of the early 2000s.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe resulting report,\u0026nbsp;\u003Ca href=\u0022https:\/\/archive.cra.org\/reports\/trustworthy.computing.pdf\u0022\u003E\u003Cem\u003EFour Grand Challenges in Trustworthy Computing\u003C\/em\u003E\u003C\/a\u003E,\u0026nbsp;was released to the public in a\u0026nbsp;ceremony at the National Press Club. 
It has become one of the pillars for research planners and policy-makers.\u003C\/p\u003E\r\n","summary":"","format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EGeorgia Tech professor Rich DeMillo\u0026nbsp;and Georgia Tech alumnus\u0026nbsp;Eugene Spafford\u0026nbsp;have authored a new report that examines progress made in the two decades since a groundbreaking conference in 2003 that defined \u0027grand challenges\u0027 to the field.\u003C\/p\u003E\r\n","format":"limited_html"}],"field_summary_sentence":[{"value":"Georgia Tech\u0027s School of Cybersecurity and Privacy issues report card two decades after conference defining \u0027grand challenges\u0027 to the field."}],"uid":"32045","created_gmt":"2024-04-09 16:20:21","changed_gmt":"2024-05-13 14:25:17","author":"Ben Snedeker","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2024-04-09T00:00:00-04:00","iso_date":"2024-04-09T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"673662":{"id":"673662","type":"image","title":"Georgia Tech Cybersecurity and Privacy Professor Rich DeMillo","body":null,"created":"1712679629","gmt_created":"2024-04-09 16:20:29","changed":"1712679629","gmt_changed":"2024-04-09 16:20:29","alt":"Georgia Tech Cybersecurity and Privacy Professor Rich DeMillo","file":{"fid":"257084","name":"Rich_DeMillo_08.jpg","image_path":"\/sites\/default\/files\/2024\/04\/09\/Rich_DeMillo_08.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/2024\/04\/09\/Rich_DeMillo_08.jpg","mime":"image\/jpeg","size":50395,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/2024\/04\/09\/Rich_DeMillo_08.jpg?itok=qBhdaP00"}}},"media_ids":["673662"],"related_links":[{"url":"https:\/\/issuu.com\/gt-computing\/docs\/2023_scp_annual_report_final_for_issuu","title":"2023 School of Cybersecurity and Privacy Annual Report"}],"groups":[{"id":"47223","name":"College of 
Computing"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"}],"keywords":[{"id":"10199","name":"Daily Digest"},{"id":"187915","name":"go-researchnews"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[{"id":"71881","name":"Science and Technology"}],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003EJP Popham, Communications Officer II\u003C\/p\u003E\r\n\r\n\u003Cp\u003EGeorgia Tech School of Cybersecurity \u0026amp; Privacy\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u003Ca href=\u0022mailto:john.popham@cc.gatech.edu\u0022\u003Ejohn.popham@cc.gatech.edu\u003C\/a\u003E\u003C\/p\u003E\r\n","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}