Developing an innovation engine to make Canada a global leader in cybersecurity

An engine designed to convert innovation into a country’s global leadership position in a specific product market is examined in this article, using Canada and cybersecurity as an example. Five entities are core to the innovation engine: an ecosystem, a project community, an external community, a platform, and a corporation. The ecosystem is the focus of innovation in firm-specific factors that determine outcomes in global competition; the project community is the focus of innovation in research and development; and the external community is the focus of innovation in resources produced and used by economic actors that operate outside of the focal product market. Strategic intent, governance, resource flows, and organizational agreements bind the five entities together. Operating the innovation engine in Canada is expected to improve the level and quality of prosperity, security, and capacity of Canadians, increase the number of Canadian-based companies that successfully compete globally in cybersecurity product markets, and better protect Canada’s critical infrastructure. Researchers interested in learning how to create, implement, improve, and grow innovation engines will find this article interesting. The article will also be of interest to senior management teams in industry and government, chief information and technology officers, social and policy analysts, academics, and individual citizens who wish to learn how to secure cyberspace

Final Report: Development of a Practical Computer Software Verification System

The purpose of this report is to present an overview of contract W2207-7-AF78/01-SV, entitled "Development of a Practical Computer Software Verification System." EVES Project TR-90-5429-11 1 1 Introduction The purpose of this report 1 is to present an overview of contract W2207-7-AF78/01-SV, entitled "Development of a Practical Computer Software Verification System." This contract was funded by the Canadian Department of National Defence (DND) with Vincent Taylor acting as the Technical Authority. We will call this contract the "EVES contract" for the remainder of this report. 2 The contract started in November 1987 and was completed in the fall of 1989. It was initially awarded to the Trusted Systems Group of I. P. Sharp Associates Limited (IPSA), but was transferred to Odyssey Research Associates (ORA) as of May 1989. The transfer of the contract was a consequence of the change of ownership of IPSA (to Reuters, plc.) in the summer of 1987. Reuters ownership of IPSA resulted in..

Formal Methods, EVES, and Safety Critical Systems

A report on enhancements to the EVES tool

Using EVES to Analyze Authentication Protocols

this paper we have reported upon our experiences with embedding an authentication logic into EVES and shown how we could reason about three example protocols: Kerberos, CCITT X.509, and the idealized OWL authentication protocol. We demonstrated that EVES can be used in a finely controlled manner or more automatically through the introduction of term rewriting. Additionally, we showed how it is possible to build special purpose analytical tools (e.g., the forward chainer) and how such tools can complement the EVES analysis. Trust in the special purpose tools can be achieved by producing EVES proof scripts and having EVES determine whether the proof script is valid. Finally, we have discussed the soundness and completeness of the BAN Logic. We believe that our experiences, over a rather tight timespan, suggest that EVES could be successfully used to analyze authentication protocols, specifically, and, more generally, protocols. Other work (in Germany and Montreal, respectively) has used EVES to analyze a cache coherence protocol and the sliding window protocol. We have shown how the generic EVES capability can be specialized to, at least, one form of protocol analysis. As our experiments with the forward-chaining mechanism suggest, it is important to consider complementary mechanisms for studying protocols and one could certainly envision the development of a formally-based analytical toolkit. One possibility, for example, would be to further solidify the EVES BAN embedding, and to investigate its relationship with the Naval Research Laboratories' protocol analyzer tool and with model checking. 10 Reference

A design science approach to construct critical infrastructure and communicate cybersecurity risks

Academics are increasingly examining the approaches individuals and organizations use to construct critical infrastructure and communicate cybersecurity risks. Recent studies conclude that owners and operators of critical infrastructures, as well as governments, do not disclose reliable information related to cybersecurity risks and that cybersecurity specialists manipulate cognitive limitations to overdramatize and oversimplify cybersecurity risks to critical infrastructures. This article applies a design science perspective to the challenge of securing critical infrastructure by developing a process anchored around evidence-based design principles. The proposed process is expected to enable learning across critical infrastructures, improve the way risks to critical infrastructure are communicated, and improve the quality of the responses to citizens’ demands for their governments to collect, validate, and disseminate reliable information on cybersecurity risks to critical infrastructures. These results will be of interest to the general public, vulnerable populations, owners and operators of critical infrastructures, and various levels of governments worldwide

Using Analytical Approaches for High Integrity Ada95 Systems

The paper reports on a recently completed analysis of the suitability of Ada95 for use in high integrity systems, describes the status of real-time features in this analysis, and identifies how the analysis could be extended to admit more features needed for real-time programs

Managing Cybersecurity Research and Experimental Development: The REVO Approach

We present a systematic approach for managing a research and experimental development cybersecurity program that must be responsive to continuously evolving cybersecurity, and other, operational concerns. The approach will be of interest to research-program managers, academe, corporate leads, government leads, chief information officers, chief technology officers, and social and technology policy analysts. The approach is compatible with international standards and procedures published by the Organisation for Economic Co-operation and Development (OECD) and the Treasury Board of Canada Secretariat (TBS). The key benefits of the approach are the following: i) the breadth of the overall (cybersecurity) space is described; ii) depth statements about specific (cybersecurity) challenges are articulated and mapped to the breadth of the problem; iii) specific (cybersecurity) initiatives that have been resourced through funding or personnel are tracked and linked to specific challenges; and iv) progress is assessed through key performance indicators. Although we present examples from cybersecurity, the method may be transferred to other domains. We have found the approach to be rigorous yet adaptive to change; it challenges an organization to be explicit about the nature of its research and experimental development in a manner that fosters alignment with evolving business priorities, knowledge transfer, and partner engagement