Cyber Security: A Crisis of Prioritization

From Cybersecurity Wiki

Full Title of Reference

Cyber Security: A Crisis of Prioritization

Full Citation

President's Information Technology Advisory Council, Cyber Security: A Crisis of Prioritization (2005). U.S. Government. Online Paper. Web.


Categorization

Key Words

COTS Software, Cyber Security as a Public Good, Department of Homeland Security, Patching, Research & Development, SCADA Systems, Software Vulnerability

Synopsis

The President’s Information Technology Advisory Committee (PITAC) is appointed by the President to provide independent expert advice on maintaining America’s preeminence in advanced information technology (IT). PITAC members are IT leaders in industry and academia with expertise relevant to critical elements of the national IT infrastructure such as high-performance computing, large-scale networking, and high-assurance software and systems design. The Committee’s studies help guide the Administration’s efforts to accelerate the development and adoption of information technologies vital for American prosperity in the 21st century.

The PITAC chose cyber security as one of its topics for evaluation, concentrating on the focus, balance, and effectiveness of current Federal cyber security research and development (R&D) activities. The PITAC’s review of current Federally supported R&D in cyber security finds an imbalance in the cyber security R&D portfolio: most support goes to short-term, defense-oriented research, while relatively little goes to fundamental research addressing the larger security vulnerabilities of the civilian IT infrastructure, on which defense systems also depend. Therefore, PITAC urges changes in the Federal government’s cyber security R&D portfolio to:

  • Increase Federal support for fundamental research in civilian cyber security by $90 million annually at NSF and by substantial amounts at agencies such as DARPA and DHS to support work in 10 high-priority areas identified by PITAC.
  • Intensify Federal efforts to promote recruitment and retention of cyber security researchers and students at research universities, with an aim of doubling this profession’s numbers by the end of the decade.
  • Provide increased support for the rapid transfer of Federally developed cutting-edge cyber security technologies to the private sector.
  • Strengthen the coordination of the Interagency Working Group on Critical Information Infrastructure Protection and integrate it under the Networking and Information Technology Research and Development (NITRD) Program.

Issue 1: Federal Funding Levels for Fundamental Research in Civilian Cyber Security

Long-term, fundamental research in cyber security requires a significant investment by the Federal government because market forces direct private sector investment away from research and toward the application of existing technologies to develop marketable products. However, Federal funding for cyber security research has shifted from long-term, fundamental research toward shorter-term research and development, and from civilian research toward military and intelligence applications. Research in these domains is often classified and the results are thus unavailable for use in securing civilian IT infrastructure and commercial off-the-shelf (COTS) products in widespread use by both government and the civilian sector. These changes have been particularly dramatic at the Defense Advanced Research Projects Agency (DARPA) and the National Security Agency (NSA); other agencies, such as the National Science Foundation (NSF) and the Department of Homeland Security (DHS), have not stepped in to fill the gaps that have been created. As a result, investment in fundamental research in civilian cyber security is decreasing at the time when it is most desperately needed.

The PITAC finds that the Federal R&D budget provides inadequate funding for fundamental research in civilian cyber security, and recommends that the NSF budget in this area be increased by $90 million annually. Funding for fundamental research in civilian cyber security should also be substantially increased at other agencies, most notably DHS and DARPA. Funding should be allocated so that at least the ten specific areas listed in the “Cyber Security Research Priorities” section beginning on page 37 of Chapter 4 are appropriately addressed. Further increases in funding may be necessary depending on the Nation’s future cyber security posture.

Issue 2: The Cyber Security Fundamental Research Community

Improving the Nation’s cyber security posture requires highly trained people to develop, deploy, and incorporate new cyber security products and practices. The number of such highly trained people in the U.S. is too small given the magnitude of the challenge. At U.S. academic institutions today, the PITAC estimates, there are fewer than 250 active cyber security or cyber assurance specialists, many of whom lack either formal training or extensive professional experience in the field. In part, this situation exists because cyber security has historically been the focus of a small segment of the computer science and engineering research community. The situation has been exacerbated by the insufficient and unstable funding levels for long-term, civilian cyber security research, which universities depend upon to attract and retain faculty.

The PITAC finds that the Nation’s cyber security research community is too small to adequately support the cyber security research and education programs necessary to protect the United States. The PITAC recommends that the Federal government intensify its efforts to promote recruitment and retention of cyber security researchers and students at research universities, with a goal of at least doubling the size of the civilian cyber security fundamental research community by the end of the decade. In particular, the Federal government should increase and stabilize funding for fundamental research in civilian cyber security, and should support programs that enable researchers to move into cyber security research from other fields.

Issue 3: Translating Research into Effective Cyber Security for the Nation

Technology transfer enables the results of Federally supported R&D to be incorporated into products that are available for general use. There has been a long and successful history of Federally funded IT R&D being transferred into products and best practices that are widely adopted in the private sector, in many cases spawning entirely new billion-dollar industries. Technology transfer has been particularly challenging in the area of cyber security, however, because the value of a good cyber security product to the consumer lies in the reduced incidence of successful attacks – a factor difficult to quantify in the short term as a return on investment.

The PITAC finds that current cyber security technology transfer efforts are not adequate to successfully transition Federal research investments into civilian sector best practices and products. As a result, the PITAC recommends that the Federal government strengthen its cyber security technology transfer partnership with the private sector. Specifically, the Federal government should place greater emphasis on the development of metrics, models, datasets, and testbeds so that new products and best practices can be evaluated; jointly sponsor with the private sector an annual interagency conference at which new cyber security R&D results are showcased; fund technology transfer efforts (in cooperation with industry) by researchers who have developed promising ideas or technologies; and encourage Federally supported graduate students and postdoctoral researchers to gain experience in industry as researchers, interns, or consultants.

Issue 4: Coordination and Oversight for Federal Cyber Security R&D

One of the key problems with the Federal government’s current approach to cyber security is that government-wide coordination of cyber security R&D is ineffective. Research agendas and programs are not systematically coordinated across agencies and, as a result, misconceptions among agencies regarding each other’s programs and responsibilities have been allowed to develop, causing important priorities to be overlooked. In the absence of coordination, individual agencies focus on their own missions and can lose sight of overarching national needs. Initiatives to strengthen and enlarge the cyber security research community, and efforts to implement the results of R&D, would be more effective and efficient with significantly stronger coordination across the Federal government.

The PITAC finds that the overall Federal cyber security R&D effort is currently unfocused and inefficient because of inadequate coordination and oversight. To remedy this situation, PITAC recommends that the Interagency Working Group on Critical Information Infrastructure Protection (CIIP) become the focal point for coordinating Federal cyber security R&D efforts. This working group should be strengthened and integrated under the Networking and Information Technology Research and Development (NITRD) Program.

Additional Notes and Highlights

Expertise Required: None