Search


CRA TumbleLog

Archives
December 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
Archives by Category
Action Alerts (2)
American Competitiveness Initiative (96)
CRA (61)
Computing Community Consortium (CCC) (22)
Computing Education (6)
Diversity in Computing (26)
Economic Stimulus and Recovery (13)
Events (35)
FY06 Appropriations (13)
FY07 Appropriations (32)
FY08 Appropriations (37)
FY09 Appropriations (28)
FY10 Appropriations (1)
Funding (204)
Misc. (49)
People (106)
Policy (249)
R&D in the Press (90)
Research (85)
Security (30)
Recent Entries
DARPA Challenge
National CS Education Week
Prizes and Computing Research
House S&T Committee Considers Cyber Security R&D
President Obama Touts Role of Basic Research in Innovation
Business Week on Research in Industry
A Systems Approach to Improving K-12 STEM Education
Healthcare Robotics Briefing
CCC Announces New Networking Research Agenda
NSF Shows Off Cyber-Physical Systems on the Hill
CRA Links
Computing Research News
CRA-Bulletin
Computing Data and Resources
CRA in the News
Computing Research in the FY05 Budget
What We're Reading
Computational Complexity
CNSR Online
Danger Room
Defense Tech
Freedom to Tinker
InsideHPC
Lessig Blog
Nothing is as simple...
Reed's Ruminations
Schneier on Security
Techdirt
UMBC eBiquity Blog
USACM Tech Policy Blog
Advocacy Materials
IT R&D One-pager (pdf)
DARPA and University Research One-pager (pdf)
Cyber Security R&D One-pager (pdf)
Current and Requested IT R&D Funding Charts (pdf)
Recent Testimony
Cybersecurity R&D (pdf)
IT R&D Funding (pdf)
Syndicate this site (XML)
Atom (XML)

Subscribe with Bloglines

Powered by
Movable Type 2.65

December 02, 2004

Catching Up: Update on PITAC Cyber Security Efforts

This article I spotted today in Government Computer News on former Director of DHS' National Cybersecurity Division Amit Yoran's thoughts about DHS' niche in federal cybersecurity efforts reminded me that I hadn't provided an update on what I thought was a very interesting meeting of PITAC's Subcommittee on Cybersecurity R&D a week ago last Friday.

The Subcommittee is in the process of evaluating the federal government's efforts in supporting cybersecurity research and development -- trying to figure out how well the government is targeting the right research areas, whether there's good balance between short-term and long-term research, whether we're doing all we can to improve technology transfer, and whether we're well prepared for the security challenges of the future. The goal is to produce a final report the full PITAC can approve at its March 2005 meeting. So far the subcommittee has produced a first draft, which is what was presented by Subcommittee Chair F. Thomson Leighton at the Nov 19th meeting.

And that first draft is very good. It's clear the committee has taken to heart much of the testimony it has received, including testimony CRA submitted to the committee last July. Leighton's slide presentation (pdf) does a good job of laying out the details, but I thought I'd summarize them a bit here.

The committee has identified four main issues: 1) Problems with civilian cyber security research; 2) Problems with the size of the cyber security basic research community; 3) Tech transfer issues; and 4) The coordination of cyber security R&D. They seem to have devoted quite a bit of attention to the first issue, and the points that they raise are all right on the money (and concerns CRA shares), namely:

  • The Federal R&D budget provides severely insufficient funding for basic research in cyber security. Even better, the subcommittee specifies an actual dollar amount increase (at least $90 million per year) necessary to make up for the current under-investment (while leaving the door open for future increases in funding beyond $90 million per year should "the Nation's security posture in the future" warrant it).

  • The subcommittee finds that the current federal focus on near-term applications in cyber security must be reversed.

  • Federal research efforts need to avoid "incrementalism." Research programs need to accommodate longer time periods and accept some "failures."

  • We must buttress civilian cyber security R&D efforts. While there's clearly a need for the Defense Department and the intelligence agencies to sponsor significant amounts of cyber security R&D related to their missions, increasingly, much of that research is being classified. There are costs to bear when research is classified. For example, research results for classified research are very slow to disseminate, if ever, and many/most university researchers are unable to participate -- meaning some of the best minds in the country aren't working on these important problems. As a result, NSF, the primary funder of unclassified, civilian cyber security R&D, is heavily oversubscribed. Its cyber security research program (CyberTrust) has an astonishingly bad award rate of 5-8 percent. The subcommittee estimates that a quadrupling (emph. added) of the CyberTrust budget could be productively used by the civilian cyber security community.

  • There are no shortage of research areas in need of funding: Computer authentication methodologies; securing fundamental protocols, secure software engineering, end-to-end system security, monitoring and detection; mitigation and recovery methodologies' cyberforensics and technology to enable prosecution of criminals; modeling and testbeds for new technologies; metrics, benchmarks and best practices; and societal and governance issues. In short, the subcommittee says
    There is no silver bullet or small set of silver bullets. It is not a matter of "tweaking" in the Internet -- there is no foundation of security to tweak. The existing Internet was built based on assumption of trust: it was assumed no one would harm the infrastructure, even by accident.
    • I think this is all excellent, and basically in agreement with the testimony CRA provided back in July. About the only thing of which I would have liked to have seen discussion is the issue of the potential (and real) chilling effect on research of laws aimed at protecting intellectual property and privacy -- most notably the impediment to research posed by provisions of the Digital Millennium Copyright Act. As we noted in our testimony (by stealing excellent language from our affiliate ACM's U.S. Public Policy Office):
    [T]he “anti-circumvention provisions” of the DMCA interfere with many legal, non-infringing uses of digital computing and prevent scientists and technologists from circumventing access technologies to recognize shortcomings in security systems, to defend patents and copyrights, to discover and fix dangerous bugs in code, to analyze and stop malicious code (e.g., viruses), and to conduct forms of desired educational activities. In some instances, the threat of legal action under the DMCA has deterred scientists from publishing scholarly work or even publicly discussing their research, both fundamental tenets of scientific discourse.
    Other than that, I'm pretty happy with what I've seen from the report so far. (Please read through the slides to get the details on the other three issues the subcommittee identified.) If the final report contains the important discussion of the character of research supported by each of the federal agencies funding cyber security efforts and the subcommittee's funding recommendations, it will be a strong document that should prove very useful in the computing research community's efforts to reshape cyber security R&D policy at federal agencies (see in particular the subcommittee's discussions about the nature and amount of research sponsored by DHS -- too short-term and too little, in sum).

    We'll continue to keep an eye on the committee's progress....

    Oh, and just to get back to the article that triggered this post in the first place, I think it's important to note that though this:

    Yoran also called for more government support for basic security research. He said the initial $18 million budgeted for cybersecurity R&D in the first year of DHS was adequate as the department identified needs. But going forward, “personally, I would like to see greater government support for fundamental security research,” he said.
    implies that DHS is spending $18 million on basic research in cyber security, this isn't actually the case (as the subcommittee points out on slide 25). The agency currently spends just $1.5 million on research that can truly be considered basic, long-term research. The remaining $16.5 million is spent on short-term activities.

    Still, it's encouraging that Yoran at least acknowledges that the agency is lacking in its support for fundamental research. Hopefully his replacement will as well -- and do something about it.

    Posted by PeterHarsha at December 2, 2004 04:50 PM | TrackBack
    Posted to Policy | Research | Security