Computing Research Policy Blog: PITAC Approves Cyber Security Report Calling For Significant Increases in Basic Cyber R&D

CRA TumbleLog

January 12, 2005

PITAC Approves Cyber Security Report Calling For Significant Increases in Basic Cyber R&D

The President's Information Technology Advisory Committee (PITAC) achieved consensus yesterday on the final draft of its report on the status of the federal cyber security R&D effort, finding that support for civilian-oriented, fundamental cyber security research is seriously inadequate, the pool of researchers is insufficient, and that coordination between funding agencies is lacking.

Judging by yesterday's presentation (delivered by Tom Leighton, the Chair of PITAC's Subcommittee on Cyber Security), the report will lay out in stark terms the magnitude of the threat posed by vulnerabilities in the information infrastructure. It will also spell out in some detail the difficulties faced by researchers, especially in academic institutions, in finding federal support for the fundamental cyber security research that will address the vulnerabilities long-term. The report will note problems in all three agencies one would expect to be funding critical long-term cyber security R&D: NSF, DARPA and the Department of Homeland Security. I've covered these issues before in this space, but here are the key points:

DHS sees itself as a supporter of short-term research, funding very near-term technologies in an effort to address the current threat. Of a more than $1 billion science and technology budget for FY05, it will spend less than $18 million on cyber security research, of which only $1.5 million might be called "basic." DHS says it's dependent upon DARPA and NSF to provide the long-term research it will need in the future.

Two policies at DARPA have made it very difficult for academic researchers to participate in DARPA-supported research: a short-term focus with an emphasis on weeding out projects that can't demonstrate measurable results in 12- to 18-month timeframes; and, a move towards classification of a larger percentage of the DARPA research budget, especially in cyber security. As a result, university participation in DARPA-led IT research appears to have dropped significantly.

NSF's CyberTrust program (its research in cyber security) is heavily over-subscribed as a result. Proposal success rates are 8 percent, vs. a Foundation-wide average of about 25 percent. Proposal success rates that low are damaging to the discipline and to the nation that depends on that research. The Foundation believes about 40 percent of those proposals as good enough to warrant funding, were funding available.

As a quick fix, the committee will recommend an immediate $90 million infusion of funding into NSF's cyber security research efforts to alleviate some of these funding pressures, while leaving the door open to future funding increases should the situation warrant it.

Rather than summarize Leighton's whole presentation, I'll just link to the slides..~~.once they've been posted (should be soon). When they appear, they'll be here.~~ They're here (pdf).

I'll recommend again CRA's own contribution to the report: our testimony (pdf) submitted to PITAC back in July, which mirrors much of what will be in the final report. In fact, it appears that the only major concern we raised which doesn't get some mention in the report is the chilling effect of various copyright legislation efforts on research in information security and assurance.

CRA's testimony is here (pdf).

The committee is putting its final touches on the report, which should be ready for final approval at the next meeting of PITAC, which I believe will be in March. We'll have all the details here.

Posted by PeterHarsha at January 12, 2005 01:33 PM | TrackBack
Posted to Policy

Comments