networks. The document provides detailed research and development agendas relating to 11 hard problem areas
in cybersecurity, for use by agencies of
the U.S. government. The research topics in this roadmap, however, are relevant not just to the governments, but
also to the private sector and anyone
else funding or performing R&D.
While progress in any of the areas
identified in the reports noted previous-
ly would be valuable, I believe the “top
10” list consists of the following (with
short rationale included):
Software Assurance: poorly writ- 1.
ten software is at the root of all of our
Metrics: we cannot measure our 2.
systems, thus we cannot manage them;
Usable Security: information se- 3.
curity technologies have not been deployed because they are not easily usable;
Identity Management: the ability 4.
to know who you are communicating
with will help eliminate many of today’s
online problems, including attribution;
Malware: today’s problems contin- 5.
ue because of a lack of dealing with malicious software and its perpetrators;
Insider Threat: one of the biggest 6.
threats to all sectors that has not been
Hardware Security: today’s com- 7.
puting systems can be improved with
new thinking about the next generation
of hardware built from the start with security in mind;
Data Provenance: data has the 8.
most value, yet we have no mechanisms
to know what has happened to data
from its inception;
Trustworthy Systems: current sys- 9.
tems are unable to provide assurances
of correct operation to include resil-
Cyber Economics: we do not un- 10.
derstand the economics behind cyber-
security for either the good guy or the
Life cycle of innovation
R&D programs, including cybersecurity R&D, consistently have difficulty
in taking the research through a path
of development, testing, evaluation,
and transition into operational environments. Past experience shows that
transition plans developed and applied
early in the life cycle of the research
program, with probable transition
in order to achieve
the full results of
transfer needs to be a
key consideration for
all R&D investments.
paths for the research product, are effective in achieving successful transfer
from research to application and use.
It is equally important, however, to acknowledge that these plans are subject
to change and must be reviewed often.
It is also important to note that different technologies are better suited for
different technology transition paths
and in some instances the choice of the
transition path will mean success or
failure for the ultimate product. There
are guiding principles for transitioning
research products. These principles involve lessons learned about the effects
of time/schedule, budgets, customer
or end-user participation, demonstrations, testing and evaluation, product
partnerships, and other factors.
A July 2007 U.S. Department of Defense Report to Congress on Technology Transition noted there is evidence
that a chasm exists between the DoD
S&T communities and acquisition of
a system prototype demonstration in
an operational environment. DOD is
not the only government agency that
struggles with technology transition.
That chasm, commonly referred to as
the “valley of death,” can be bridged
only through cooperative efforts and
investments by both research and acquisition communities.
There are at least five canonical transition paths for research funded by the
federal government. These transition
paths are affected by the nature of the
technology, the intended end user, participants in the research program, and
other external circumstances. Success
in research product transition is often
accomplished by the dedication of the
program manager through opportunistic channels of demonstration, partnering, and sometimes good fortune.
However, no single approach is more
effective than a proactive technology
champion who is allowed the freedom
to seek potential utilization of the re-
search product. The five canonical tran-
sition paths are:
Department/Agency direct to ˲
Department/Agency to ˲
Department/Agency to Industry ˲
Department/Agency to ˲
Academia to Industry
Department/ ˲ Agency to
Open Source Community
In order to achieve the full results of
R&D, technology transfer needs to be
a key consideration for all R&D invest-
ments. This requires the federal gov-
ernment to move past working models
where most R&D programs support only
limited operational evaluations and ex-
periments. In these old working mod-
els, most R&D program managers con-
sider their job done with final reports,
and most research performers consider
their job done with publications. In or-
der to move forward, government-fund-
ed R&D activities must focus on the real
goal: technology transfer, which follows
transition. Current R&D principal inves-
tigators (PIs) and program managers
(PMs) aren’t rewarded for technology
transfer. Academic PIs are rewarded for
publications, not technology transfer.
The government R&D community must
reward government program managers
and PIs for transition progress.
As noted in the White House Cyberspace Policy Review, 3 an updated national strategy for securing cyberspace
is needed. Research and development
must be a full partner in that discussion. It is only through innovation creation that the U.S. can regain its position as a leader in cyberspace.
1. a roadmap for cybersecurity research, Department
of homeland Security Science and technology
Directorate, November 2009; http://www.cyber.st.dhs.
2. taulbee Survey 2006–2007, computing research News
20, 3. Computer Research Association, May 2008.
3. White house cyberspace Policy review; http://www.
Douglas Maughan (Douglas. Maughan@dhs.gov) is a
program manager for cybersecurity r&D at the U.S.
Department of homeland Security in Washington, D.c.