[ISN] More funding needed for security R&D, IT committee says

InfoSec News isn at c4i.org
Mon Nov 22 07:14:58 EST 2004


By William Jackson 
GCN Staff

The government has shortchanged basic research into cybersecurity and 
should at least quadruple the money available for civilian research, 
the President's IT Advisory Committee says. 

The government plays a key role in supplying the intellectual capital 
to improve the security of IT systems, said F. Thomas Leighton, 
chairman of the PITAC subcommittee on cybersecurity. 

"The government has largely failed in this regard," he said. 

Leighton, chief scientist of Akamai Technologies of Cambridge, Mass., 
and a faculty member at the Massachusetts Institute of Technology, 
presented draft findings and recommendations from a subcommittee study 
at a PITAC meeting Friday. 

In addition to being underfunded, government research efforts are 
becoming increasingly classified and focused on short-term results, 
the committee found. 

It recommended that these trends be reversed and that a central 
authority be established to evaluate research needs and oversee 
federal funding. 

The subcommittee examined funding for basic research by the National 
Science Foundation, Defense Advanced Research Projects Agency, 
Homeland Security Department, National Security Agency, and the 
National Institute of Standards and Technology. 

Most R&D money goes to such agencies as DARPA and NSA, where it is 
focused on military and intelligence issues. Because more and more of 
their work is being classified, little benefit is being seen in 
overall IT security. 

NSF is the primary source of funds for civilian security research, 
with its $30 million Cyber Trust program. In 2004, it funded 8 percent 
of grant proposals, at 6 percent of the requested amount. The 
subcommittee recommended that the program be expanded by at least $90 
million annually. 

The current emphasis on short-term programs means most research is 
focused on reactive technologies rather than producing more secure 

"We are in a vicious cycle of having to spend more money to plug the 
holes in the dyke rather than moving forward," Leighton said. 

Money should be made available for more long-term, revolutionary work, 
with a willingness to accept the risk of failure in some programs. 

The subcommittee identified 10 critical areas for future research: 

* Computer authentication methodologies so sources of packets can be 
  traced in large-scale networks 

* Securing fundamental networking protocols 

* Secure software engineering 

* End-to-end system security, rather than merely secure components 

* Monitoring and detection to quickly identify problems 

* Mitigation and recovery methodologies to avoid catastrophic failure 
  when problems occur 

* Cyberforensics tools for aid in criminal prosecutions 

* Modeling and test beds for new technologies 

* Metrics, benchmarks and best practices for evaluating the security
  of security products and implementing them 

* Nontechnical societal and government issues. 

The subcommittee expects to present a final draft report at the next
PITAC meeting on Dec. 5.
