July 27, 2005

Industry Group Calls for Increased Cyber Security R&D; Congress Hears Message from Former PITAC Members

In a report released this week, the Cyber Security Industry Alliance -- a group consisting of information security software, hardware and service vendors -- called on Congress and the Administration to ramp up support for fundamental research in cyber security R&D and increase the prominence of cyber security at key federal agencies. CSIA's report, Federal Funding for Cyber Security R&D (pdf), reiterates the findings of the most recent Presidential IT Advisory Committee (PITAC) report (pdf) on the state of federal cyber security research, concluding that the overall investment in cyber security research is inadequate and too focused on the short-term. The CSIA report agrees with the PITAC report's recommendation to increase funding for long-term research in cyber security, noting a number of key security technologies -- firewalls, intrusion detection systems, fault tolerant networks, operating systems, cryptography and advanced authentication -- that bear the stamp of federally-sponsored, long-term research.

The report differs from the PITAC report slightly in that it calls for the creation of a "designated entity" within DHS to coordinate the federal government's cyber security R&D effort, whereas PITAC recommended that function remain within the interagency working group activity of the Networking and IT R&D program. CSIA rightly points out that the IWG of NITRD has very little actual influence on priority-setting at the agencies. Instead, they recommend that the new Assistant Secretary for Cyber Security at DHS serve as "the logical choice to drive the prioritization of requirements for research and development." My only concern with that recommendation is that DHS hasn't yet bought into the idea that long-term research efforts should be a priority.
DHS's own budget for cyber security R&D remains a paltry $18 million for FY 05, out of an overall science and technology budget of just over a billion dollars. And of that $18 million, barely $2 million could realistically be described as "long-term" research efforts. (DHS's lack of priority for cyber security R&D has been a frequent topic here).

Otherwise, the CSIA report marches in lockstep with the PITAC report on cyber security R&D (pdf) issued back in March. We strongly endorsed that report and I'm pretty thrilled with the industry report issued this week.

Coincidentally, two former PITAC members (former because PITAC has been "disbanded" since June 1, 2005...) were on the Hill yesterday to participate in a briefing on cyber security R&D hosted by the Congressional Research and Development Caucus and put together by IEEE and IEEE-CS. Former PITAC Subcommittee on Cyber Security R&D Chair Tom Leighton (Chief Scientist and Co-Founder of Akamai) and former PITAC member Gene Spafford "Spaf" (Professor and Director of CERIAS at Purdue University) told the assembled congressional staffers, science community folks and assorted press about the problems we face in the cyber security arena and what PITAC recommended.

The briefing was the latest in a series of briefings on the PITAC report and follows a number of hearings on the scope of the cyber security challenge. In April, for example, Spaf and Leighton, along with former PITAC co-Chair Ed Lazowska, participated in a number of focused briefings for Hill staff on the PITAC report. The House Science Committee, as well as the House Homeland Security Committee, have both held numerous hearings on the subject over the last several years.
Yet the extent of the problems we face -- the risk posed by cyber attacks on critical infrastructure, the exposure internet users have to fraud and abuse because of security vulnerabilities, the cost to industry due to cyber extortion and malicious acts -- still appears to shock congressional staff. I'm not sure they really believe that companies have paid "protection" money to criminals who threatened to take down their web presence with massive distributed denial of service attacks. I'm not sure they really believe that "phishing" and "pharming" attacks are real threats to individual internet users. I'm not sure they understand that IT systems are in the control loop of just about every piece of critical infrastructure in the nation and are vulnerable. I think many believe that the impact of a concerted cyber attack would be limited to something like Amazon being unavailable for the day.

So despite the reports and briefings and hearings, we in the community haven't done a great job breaking through the noise around homeland security and conveying the importance of cyber security, or by extension cyber security R&D. In part, I think this is because the homeland security debate is really dominated by the specter of a nuclear, biological or chemical (NBC) attack (perhaps rightly so). The idea that a cyber attack could exist on the same scale as any one of the big three isn't so easily embraced by staff. Yet in terms of cost to industry and cost to government, the daily onslaught of cyber attacks must add up to dollar losses that exceed even some of the more dramatic NBC scenarios. But the investment in research to mitigate those losses, or prevent them entirely, pales in comparison to the investments in NBC research at DHS.

In any case, the continued efforts of folks like Spaf and Leighton, and industry partners like the members of CSIA and ITAA, are helping to educate members of Congress and their staff to the challenges in the area.
And, for better or worse, the growing frequency of breaches of customer data held by credit card companies, banks, universities and others is forcing Congress to climb the learning curve....

Posted by PeterHarsha at July 27, 2005 11:57 PM
Posted to Funding | Policy | Security