[ISN] More funding needed for security R&D, IT committee says
InfoSec News
isn at c4i.org
Mon Nov 22 07:14:58 EST 2004
http://gcn.com/vol1_no1/daily-updates/27979-1.html
By William Jackson
GCN Staff
11/19/04
The government has shortchanged basic research into cybersecurity and
should at least quadruple the money available for civilian research,
the President's IT Advisory Committee says.
The government plays a key role in supplying the intellectual capital
to improve the security of IT systems, said F. Thomas Leighton,
chairman of the PITAC subcommittee on cybersecurity.
"The government has largely failed in this regard," he said.
Leighton, chief scientist of Akamai Technologies of Cambridge, Mass.,
and a faculty member at the Massachusetts Institute of Technology,
presented draft findings and recommendations from a subcommittee study
at a PITAC meeting Friday.
In addition to being underfunded, government research efforts are
becoming increasingly classified and focused on short-term results,
the committee found.
It recommended that these trends be reversed and that a central
authority be established to evaluate research needs and oversee
federal funding.
The subcommittee examined funding for basic research by the National
Science Foundation, Defense Advanced Research Projects Agency,
Homeland Security Department, National Security Agency, and the
National Institute of Standards and Technology.
Most R&D money goes to such agencies as DARPA and NSA, where it is
focused on military and intelligence issues. Because more and more of
their work is being classified, little benefit is being seen in
overall IT security.
NSF is the primary source of funds for civilian security research,
with its $30 million Cyber Trust program. In 2004, it funded 8 percent
of grant proposals, at 6 percent of the requested amount. The
subcommittee recommended that the program be expanded by at least $90
million annually.
The current emphasis on short-term programs means most research is
focused on reactive technologies rather than producing more secure
systems.
"We are in a vicious cycle of having to spend more money to plug the
holes in the dyke rather than moving forward," Leighton said.
Money should be made available for more long-term, revolutionary work,
with a willingness to accept the risk of failure in some programs.
The subcommittee identified 10 critical areas for future research:
* Computer authentication methodologies so sources of packets can be
traced in large-scale networks
* Securing fundamental networking protocols
* Secure software engineering
* End-to-end system security, rather than merely secure components
* Monitoring and detection to quickly identify problems
* Mitigation and recovery methodologies to avoid catastrophic failure
when problems occur
* Cyberforensics tools for aid in criminal prosecutions
* Modeling and test beds for new technologies
* Metrics, benchmarks and best practices for evaluating the security
of security products and implementing them
* Nontechnical societal and government issues.
The subcommittee expects to present a final draft report at the next
PITAC meeting on Dec. 5.