More funding needed for security R&D, IT committee says
The government has shortchanged basic research into cybersecurity and should at least quadruple the money available for civilian research, the President's IT Advisory Committee says.
The government plays a key role in supplying the intellectual capital to improve the security of IT systems, said F. Thomas Leighton, chairman of the PITAC subcommittee on cybersecurity.
'The government has largely failed in this regard,' he said.
Leighton, chief scientist of Akamai Technologies of Cambridge, Mass., and a faculty member at the Massachusetts Institute of Technology, presented draft findings and recommendations from a subcommittee study at a PITAC meeting Friday.
In addition to being underfunded, government research efforts are becoming increasingly classified and focused on short-term results, the committee found.
It recommended that these trends be reversed and that a central authority be established to evaluate research needs and oversee federal funding.
The subcommittee examined funding for basic research by the National Science Foundation, Defense Advanced Research Projects Agency, Homeland Security Department, National Security Agency, and the National Institute of Standards and Technology.
Most R&D money goes to agencies such as DARPA and NSA, where it is focused on military and intelligence needs. Because more and more of that work is being classified, little of it benefits the security of IT systems in general.
NSF is the primary source of funds for civilian security research, through its $30 million Cyber Trust program. In 2004, the program funded only 8 percent of the grant proposals it received, and only 6 percent of the total dollars requested. The subcommittee recommended that the program be expanded by at least $90 million annually.
The current emphasis on short-term programs means most research is focused on reactive technologies rather than producing more secure systems.
'We are in a vicious cycle of having to spend more money to plug the holes in the dyke rather than moving forward,' Leighton said.
Money should be made available for more long-term, revolutionary work, with a willingness to accept the risk of failure in some programs.
The subcommittee identified 10 critical areas for future research:
- Authentication methods that allow the sources of packets to be traced in large-scale networks
- Securing fundamental networking protocols
- Secure software engineering
- End-to-end system security, rather than merely secure components
- Monitoring and detection to quickly identify problems
- Mitigation and recovery methodologies to avoid catastrophic failure when problems occur
- Cyberforensics tools for aid in criminal prosecutions
- Modeling and test beds for new technologies
- Metrics, benchmarks and best practices for evaluating security products and for deploying them
- Nontechnical societal and government issues