The SolarWinds cyberhack announced earlier this month is a potent reminder that despite considerable investments of resources and intellect, cybersecurity continues to pose serious challenges to national security, business performance, and public well-being. Cybersecurity is a dynamic process involving human attackers who continue to adapt. Responding requires sustained attention to the cybersecurity posture of individuals, firms, and government and involves both efforts to more effectively and more widely use what is known about improving cybersecurity and efforts to develop new knowledge about cybersecurity. Our titles explore preparedness, response and recovery from cyberattack. All are free to download.

Implications of Artificial Intelligence for Cybersecurity: Proceedings of a Workshop

In recent years, interest and progress in the area of artificial intelligence (AI) and machine learning (ML) have boomed, with new applications vigorously pursued across many sectors. At the same time, the computing and communications technologies on which we have come to rely present serious …[more]

Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies

Since 2009, when NCHRP’s last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of …[more]

Foundational Cybersecurity Research: Improving Science, Engineering, and Institutions

Attaining meaningful cybersecurity presents a broad societal challenge. Its complexity and the range of systems and sectors in which it is needed mean that successful approaches are necessarily multifaceted. Moreover, cybersecurity is a dynamic process involving human attackers who continue to …[more]

Beyond Spectre: Confronting New Technical and Policy Challenges: Proceedings of a Workshop

In 2017, researchers discovered a vulnerability in microprocessors used in computers and devices all over the world. The vulnerability, named Spectre, combines side effects from caching and speculative execution, which are techniques that have been used for many years to increase the speed at …[more]

Recoverability as a First-Class Security Objective: Proceedings of a Workshop

The Forum on Cyber Resilience of the National Academies of Sciences, Engineering, and Medicine hosted the Workshop on Recoverability as a First-Class Security Objective on February 8, 2018, in Washington, D.C. The workshop featured presentations from several experts in industry, research, and …[more]

Securing the Vote: Protecting American Democracy

During the 2016 presidential election, America’s election infrastructure was targeted by actors sponsored by the Russian government. Securing the Vote: Protecting American Democracy examines the challenges arising out of the 2016 federal election, assesses current technology and standards for …[more]

Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop

Software update is an important mechanism by which security changes and improvements are made in software, and this seemingly simple concept encompasses a wide variety of practices, mechanisms, policies, and technologies. To explore the landscape further, the Forum on Cyber Resilience hosted a …[more]

Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop

In January 2016, the National Academies of Sciences, Engineering, and Medicine hosted the Workshop on Data Breach Aftermath and Recovery for Individuals and Institutions. Participants examined existing technical and policy remediations, and they discussed possible new mechanisms for better …[more]

Guidebook on Best Practices for Airport Cybersecurity

TRB’s Airport Cooperative Research Program (ACRP) Report 140: Guidebook on Best Practices for Airport Cybersecurity provides information designed to help reduce or mitigate inherent risks of cyberattacks on technology-based systems.

Traditional IT infrastructure such as servers, …[more]

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues

We depend on information and information technology (IT) to make many of our day-to-day tasks easier and more convenient. Computers play key roles in transportation, health care, banking, and energy. Businesses use IT for payroll and accounting, inventory and sales, and research and development. …[more]

Professionalizing the Nation’s Cybersecurity Workforce?: Criteria for Decision-Making

Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision-Making considers approaches to increasing the professionalization of the nation’s cybersecurity workforce. This report examines workforce requirements for cybersecurity and the segments and job functions in …[more]

Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy

In a world of increasing dependence on information technology, the prevention of cyberattacks on a nation’s important computer and communications systems and networks is a problem that looms large. Given the demonstrated limitations of passive cybersecurity defense measures, it is natural to …[more]

Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

The United States is increasingly dependent on information and information technology for both civilian and military purposes, as are many other nations. Although there is a substantial literature on the potential impact of a cyberattack on the societal infrastructure of the United States, …[more]