Rx for IT security: RFP?
The private sector may be relying too much on government assistance to meet the goals of the Homeland Security Advanced Research Projects Agency's IT security initiatives.
The head of the Homeland Security Department's research and development activities was chastised by a House subcommittee last month for not bringing better organization to the department's Science and Technology Directorate.
Yes, things have improved from the 'chaos' that characterized the directorate when Undersecretary Jay M. Cohen arrived, conceded Rep. James R. Langevin (D-R.I.), chairman of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. But Langevin also said that Cohen has not done enough to establish a strategic direction for his R&D efforts or metrics for measuring performance.
Cohen said in his defense that, upon assuming the position last August, 'my first focus was getting my own house in order.'
Part of that house is the Homeland Security Advanced Research Projects Agency, charged with promoting commercial development of the information technology security tools needed by the department. HSARPA focuses on what it calls 'high-risk, high-payoff' projects that will produce new systems rather than advancements in current technology: revolutionary rather than evolutionary improvements. Because the projects are seen as high-risk, the government lends a hand in funding and directing them.
But it seems that the private sector is relying a little too much on government assistance to meet the basic goals of HSARPA's IT security initiatives. I am not suggesting that government should not cooperate with industry to help define the technology it needs. But there already is a ready market for the types of products HSARPA is promoting.
HSARPA shares similarities, in both name and mission, with DARPA, its Defense Department counterpart. Both solicit partnerships with industry to produce new technologies or products that might not be feasible or attractive for industry to develop on its own.
But, 'HSARPA is different from DARPA,' Cohen told the subcommittee. DARPA focuses on long-range basic research projects whose payoff may come well down the road, if at all. The Internet was one of those projects, developed long before there was any demand for an Internet. 'DARPA does what they do independent of their customers,' Cohen said. 'I don't have that luxury.'
HSARPA focuses on applied research to fill the 'capability gaps' of its customers, primarily Gregory Garcia, DHS assistant secretary for cybersecurity and telecommunications. In other words, it encourages development of the tools needed now to support government missions and protect the nation's critical infrastructure. These tools include document validation systems for a wide range of paper and electronic credentials, improved biometrics, and systems for detecting and responding to cyberthreats in real time.
These are the types of products industry should be producing. The need for them already exists, both in the government and private sectors. Missions differ from one sector to the other, but the equipment, protocols and technologies being used to execute those missions are essentially the same. They share common vulnerabilities and need the same tools to protect themselves.
It would be nice to have the out-of-the-box thinking and revolutionary approaches HSARPA is supposed to encourage. But with the need for these tools already clear, this seems to be the kind of applied research companies ought to be involved in anyway.
The IT industry has shown itself perfectly capable of thinking outside the box. It continuously comes up with new products and functionalities we don't know we need but which quickly become incorporated into our business lives. Things like BlackBerrys, peer-to-peer networking and instant messaging come to mind. The industry is spending something like $70 billion a year to extend its wireline and wireless broadband networks to enable these new functionalities. It ought to be investing in equally innovative tools for securing these networks, devices and applications.
HSARPA's job should be to help identify the needs of its customers and make them known to industry. Industry's job is to build products that meet those needs, and then sell them at a reasonable profit. There is no reason government can't help direct the process, but a ready market for these tools should be all the incentive industry needs to develop them.