We are winning the battles but the war is elusive!

The news continues to report cyber incidents. These intrusions continue to compromise privacy and security, and call into question the stability and assurance of the power grid, elections, and the internet of things. The research community has ramped up and produced excellent theoretical and empirical research that can be leveraged to prevent compromise and stimulate further research.

Representative work, both papers and emerging research initiatives, can be seen throughout the Science of Security web site. Without knowing the exact details of the compromises, it is not unreasonable to think that existing work might have thwarted a number of these attacks but is not being incorporated. Transition to practice is problematic. Many suspected factors can be cited: rush to product, ignorance of research, poor publication and exposition of results, not-invented-here syndrome, and so on. The nation needs a cadre of researchers and companies who are aware of all the areas that contribute to security, and who stay continuously aware of the state of the art in these areas, to proactively prevent future failures.

It is not clear what actions would move this forward. Not all the research produces gems, but in scholarly papers and reports the assumptions made and the hypotheses tested can be reviewed, challenged, and independently validated. The nation spends a good amount of money to stimulate strategic security work. It is impossible to judge how much of this work is examined or affirmed by the community. What is clear is that until we establish vetting and adoption of strategic research into the internet of things, we will continue pressing and spending on "the now": correcting problems that surface, rather than on science that protects the future.

