The IT Law Wiki

Overview

The INFOSEC Research Council is an informally-chartered, government-sponsored, voluntary organization of government program managers who sponsor information security research within the U.S. Government.

Many organizations have representatives as regular members of the IRC: Central Intelligence Agency, Department of Defense (including the Air Force, Army, Defense Advanced Research Projects Agency, National Reconnaissance Office, National Security Agency, Navy, and Office of the Secretary of Defense), Department of Energy, Department of Homeland Security, Federal Aviation Administration, Intelligence Advanced Research Projects Activity, National Aeronautics and Space Administration, National Institutes of Health, National Institute of Standards and Technology, National Science Foundation, and the Technical Support Working Group. In addition, the IRC is regularly attended by partner organizations from Canada and the United Kingdom.

Hard Problem List

The IRC developed the original Hard Problem List (HPL), which was composed in 1997 and published in draft form in 1999. The HPL defines desirable research topics by identifying a set of key problems from the U.S. Government perspective and in the context of IRC member missions. Solutions to these problems would remove major barriers to effective information security (INFOSEC). The Hard Problem List was intended to help guide the research program planning of the IRC member organizations. It was also hoped that nonmember organizations and industrial partners would consider these problems in the development of their research programs.

The original list provided guidance to INFOSEC research, and policy makers and planners find the document useful in evaluating the contributions of ongoing and proposed INFOSEC research programs. However, the significant evolution of technology and threats between 1999 and 2005 required an update to the list. Therefore, an updated version of the HPL was published in November 2005.[1] This updated document included the following technical hard problems from the information security perspective:

  1. Global-scale identity management
  2. Insider threat
  3. Availability of time-critical systems
  4. Building scalable secure systems
  5. Situational understanding and attack attribution
  6. Information provenance
  7. Security with privacy
  8. Enterprise-Level Security metrics

These eight problems were selected as the hardest and most critical challenges that must be addressed by the INFOSEC research community if trustworthy systems envisioned by the U.S. Government are to be built. INFOSEC problems may be characterized as “hard” for several reasons. Some problems are hard because of the fundamental technical challenges of building secure systems, others because of the complexity of information technology (IT) system applications. Contributing to these problems are conflicting regulatory and policy goals, poor understanding of operational needs and user interfaces, rapid changes in technology, large heterogeneous environments (including mixes of legacy systems), and the presence of significant, asymmetric threats.

The area of cybersecurity and the associated research and development activities have been written about frequently over the past decade. In addition to both the original IRC HPL in 1999 and the revision in 2005, the following reports[2] have discussed the need for investment in this area:

References

  1. INFOSEC Research Council Hard Problem List (Nov. 2005).
  2. These reports can be found here.