Steven Aftergood, of the always excellent Secrecy News blog, notes the release of a new report by the JASON panel, an influential, independent advisory committee for the Department of Defense that focuses on issues in science and technology, on the “Science of Cyber Security.” Specifically, DOD asked the panel to examine the theory and practice of cyber security, and “evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach.”

The committee has released its report on the issue (the Federation of American Scientists managed to obtain a copy (pdf)), and has concluded that there is a science of cyber security, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.” The primary recommendation of the committee is to have the DOD sponsor “multiple cyber-security science based centers and projects within universities and other research centers.” The programs should have “a long time horizon and periodic reviews of accomplishments.”

Centers, the panel believes, have several attractive features:

  • they give the sponsors access to the best ideas and people;
  • they give the sponsor a chance to bias the work towards their versions of common problems;
  • there is an opportunity for these centers and programs to leverage a unique collection of resources internal to the DOD, including defensive data and experience from running internal networks.

The centers would differ from DARPA’s projects in that the centers “would be expected to make steady progress on a broad set of topics, rather than limit themselves to revolutionary ideas or to try to solve the latest cyber-security crisis.”

Centers would also act as connecting points for the software industry, which would accelerate the translation of new ideas into useful tools for developers. The panel believes that this would correct a long-standing deficiency wherein some very sophisticated approaches to assessing and reasoning about the security of current systems are not available in the form of developer tools, perhaps because there’s insufficient market for the private development of the tools.

A number of representatives from academia, industry and government briefed JASON on the issues, including CRA’s Government Affairs Chair Fred Schneider.

JASON reports often form the basis of action within DOD on S&T matters, and there’s no reason to suggest that the recommendations in this report won’t get consideration. Whether the investment in centers actually happens is, of course, also dependent on the DOD’s budget situation, which is in a bit of flux at the moment until Congress hammers out a final agreement on an FY 11 budget and the Administration releases its plan for FY 12. But it wouldn’t be surprising to see an effort to incorporate the report’s recommendations in future DOD budgets.

In any case, the report is well-written and well worth a read.


GAO releases report on cybersecurity strategy

On July 9, 2010, in Uncategorized, by Chase Hensel

This week the Government Accountability Office (GAO) released a report urging the White House Office of Science and Technology Policy (OSTP) to come up with a clear and comprehensive cybersecurity R & D strategy. The report, prepared at the request of the House Committee on Homeland Security, called upon OSTP to show more leadership in the creation of an R & D plan.

There’s been some press coverage of the report. Here’s a good snippet from Infoweek:

“The report notes that officials within the White House’s Office of Science and Technology Policy’s Subcommittee on Networking and Information Technology (NITRD) are endowed with a leadership role in terms of coordinating cybersecurity R&D efforts, they haven’t taken advantage of that role. Despite GAO recommendations and responsibilities laid out in legislation, NITRD has never prioritized a national or federal R&D agenda.”

“The report recommends that the White House follow the Bush administration’s National Strategy to Secure Cyberspace, which urged the creation of near-term, mid-term and long-term goals for cybersecurity R&D. The report notes that OSTP is only in the beginning stages of creating such an agenda and updating its 5-year plan for cybersecurity R&D.”

These conclusions about NITRD’s role aren’t surprising. The computing research community has had long-standing concerns about the ability of the NITRD NCO to exercise a leadership role in coordinating the federal IT R&D investment. A big part of that inability to lead comes down to the NCO’s lack of budgetary authority, but that’s a reality of the federal budget process — there’s no way federal agencies will cede control of a piece of their budgets to some central coordinating office (other than OMB). As a result, NITRD becomes less about leadership and coordination and more about agencies reporting what they plan to do and the NCO collecting that information.

It will be interesting to see whether the PCAST’s new look at NITRD, now underway and due in late August or September, will address these cyber security concerns. That review is being shepherded by PCAST members Eric Schmidt, CEO of Google, and Shirley Ann Jackson, President of RPI, and driven by a subcommittee led by Ed Lazowska, Chair of CRA’s Computing Community Consortium and professor of computer science at the University of Washington, and David E. Shaw, head of D.E. Shaw and Co. (We’ll have more on the PCAST study in a later post…).


[Each year, AAAS asks CRA to prepare a chapter on IT research funding in the federal budget request for their Research and Development FY 20XX report, and so we plow through the various agency budget documents and the White House releases and come up with 2000 words or so that attempt to sum up the Administration's thinking, the current policy environment, and provide a little background on the program. While our attention will soon shift from budget requests and authorizations to actual appropriations, it's useful to understand the "starting point" in the process: the President's request. Given the immensity of the request ($4.3 billion) and space constraints imposed by AAAS, there's not a ton of analysis here. But for those trying to get a sense of the composition of the NITRD portfolio, this is probably a good starter. For a more in-depth look at individual agency spending, there's always the Budget Supplement prepared by the National Coordination Office for IT. In any case, here's what we saw and submitted to AAAS:]

Computing Research in the FY 2011 Budget
Peter Harsha and Melissa Norr
Computing Research Association

HIGHLIGHTS

  • Funding for the Networking and Information Technology Research and Development (NITRD) program would decrease by 1.0 percent in the President’s FY 2011 Budget Request versus the FY 2010 request.
  • The National Science Foundation (NSF), the primary supporter of university-led computer science research in the United States, would see its share of the NITRD program increase $80 million to $1.17 billion, or just over 7.3 percent, in FY 2011 under the President’s request.
  • Changes in leadership at the Defense Advanced Research Projects Agency (DARPA) have members of the computing research community optimistic that the agency will attempt to reengage its historically fruitful relationship with university computer science researchers.

INTRODUCTION AND BACKGROUND

The importance of computing research in enabling the new economy is well documented. The resulting advances in information technology have led to significant improvements in product design, development and distribution for American industry, provided instant communications for people worldwide, and enabled new scientific disciplines like bioinformatics and nanotechnology.

Information technology has also changed the conduct of research. Innovations in computing and networking technologies are enabling scientific discovery across every scientific discipline – from mapping the human brain to modeling climatic change. Researchers, faced with research problems that are ever more complex and interdisciplinary in nature, are using IT to collaborate across the globe, simulate experiments, visualize large and complex datasets, and collect and manage massive amounts of data.

As of FY 2010, the Federal IT R&D effort is now a $4.3 billion multi-agency enterprise called the Networking and Information Technology Research and Development (NITRD) program and coordinated by the Interagency Working Group (IWG) on Information Technology Research and Development of the National Science and Technology Council (NSTC). NITRD is the successor of the High Performance Computing and Communications Program established by Congress in 1991. NITRD agencies now coordinate research in eight Program Component Areas (PCAs): High End Computing Infrastructure and Applications; High End Computing Research and Development; Human Computer Interaction and Information Management (HCI&IM); Large Scale Networking (LSN); Software Design and Productivity; High Confidence Software and Systems (HCSS); Social, Economic, and Workforce Implications of IT; and Cyber Security and Information Assurance (CSIA). The NSF is the lead agency out of 13 member agencies in NITRD. Additionally, NITRD intends to formally recognize the Department of Homeland Security as a member agency this year after several years as a participating agency.

CURRENT POLICY ENVIRONMENT

Over most of the last decade, policies at DARPA have discouraged university-based computing researchers from participating fully in DARPA-sponsored research. During that time, DARPA – which, along with NSF, has been responsible to some significant degree for most of the major innovations in computing over the last 40 years – adopted a series of policies that hampered the ability of university researchers to participate in DARPA research. As a result, DARPA’s share of support for university computer science dropped from nearly 50 percent in FY 1998, to less than 15 percent in FY 2008.

However, new leadership at the agency has many in the community optimistic that DARPA will again play a key role in advancing university computer science. The new Director, Regina Dugan, has announced that she has already reversed, or intends to reverse, each of the problematic policy requirements that hampered university participation. These include removing the requirement for “go/no-go” decisions on DARPA-sponsored research and publication pre-clearance review (except in exceptional cases of national security). Dugan has also promised the agency will be more cautious in its use of classification and will revamp the proposal process to give office directors and program managers more authority to pursue promising research.

In addition, Dugan announced the creation of a new office – the Tactical Convergence Technology Office (TCTO), headed by former Carnegie Mellon Department of Computer Science Chair Peter Lee. The TCTO is charged with reengaging the agency with the university research community and will house much of the fundamental computer science research programs that the community believed had gone neglected under the previous agency leadership. As a result, the computing community is optimistic that a crucial part of the federal computing research portfolio – the DARPA model for research – may be restored.

Cybersecurity R&D will also receive continued attention this year as both chambers of Congress look to move comprehensive cybersecurity bills before the end of the session. In the Senate, S. 773, sponsored by Sens. Jay Rockefeller (D-WV) and Olympia Snowe (R-ME) would authorize $395 million in cybersecurity R&D through FY 2014. In addition, the bill contains a number of more controversial provisions for the community, including a requirement that professionals in cybersecurity be certified, a focus on training to mitigate cybersecurity risks rather than education, and a requirement that NSF promote and enforce a particular “secure coding” curriculum at colleges and universities. The House passed a more limited cybersecurity bill, H.R. 4061, the Cybersecurity Enhancement Act, which would also authorize $395 million in cybersecurity R&D through FY 2014, as well as language to improve the coordination of federal cybersecurity R&D activities. While it is not clear how the House and Senate will align these two differing approaches to cybersecurity policy, it does seem likely that a healthy increase to the authorization for cybersecurity R&D will be part of any final package.

FY 2011 BUDGET REQUEST

Eight agencies included requests for FY 2011 funding as part of the NITRD activity. Under the President’s plan, NSF would once again be designated the lead agency for the initiative. For FY 2011, the President has requested $4.3 billion for the NITRD initiative, a decrease of 1.0 percent from the FY 2010 estimated level. The NITRD budget continues some significant declines within the National Security Agency (NSA) and the DOD service agencies, including the Department of Defense Office of the Secretary of Defense (OSD). NIH, NSF, DOE, and NIST’s IT R&D budgets would receive the bulk of the increases. The remainder of the participating agencies will see flat or slight declines in their budgets under the President’s plan for FY 2011.

National Science Foundation. The National Science Foundation would spend $1.2 billion on NITRD-related research in FY 2011, an increase of $80 million, or 7.3 percent, over its FY 2010 estimated level.

The locus of NSF’s NITRD activity is the Foundation’s Computing and Information Science and Engineering (CISE) directorate, which would account for $685 million of NSF’s NITRD-related funding in FY 2011, an increase of $66 million (or 10.6 percent) over the FY 2010 request. CISE would continue to be the lead directorate for the Foundation-wide “Cyber-enabled Discovery and Innovation” initiative, with funding of $50 million in CISE in FY 2011. Additionally, CISE would contribute $15 million to the cross-foundation “Science and Engineering Beyond Moore’s Law,” initiative, which aims to “position the U.S. at the forefront of communications and computation capability beyond the physical and conceptual limitations of current systems.”

CISE would be heavily involved in two new Foundation-wide programs for FY 2011. CISE would contribute $29.3 million to the Science, Engineering and Education for Sustainability (SEES) program, a Foundation-wide program with a total budget of $765 million, and $15 million to Cyberlearning for Transforming Education (CTE), which has a Foundation-wide budget of $41 million.

NSF’s Office of Cyberinfrastructure (OCI) would also see an increase in the President’s budget for FY 2011. Under the Administration’s plan, the office would grow 6.4 percent over FY 2010 to $228 million.

Department of Defense. Overall funding for IT R&D at the Department of Defense agencies would decrease significantly in FY 2011 compared to FY 2010, with cuts of $83.6 million for NSA (or 53.7 percent), bringing its budget to $72.2 million; a $67 million reduction (11 percent) for the service agencies and OSD, bringing their collective budget to $516 million; and a $53 million reduction (9.6 percent) at the Defense Advanced Research Projects Agency (DARPA), bringing its budget to $500.8 million under the President’s plan.

According to DOD, the planned decrease at DARPA is largely due to decreases in the CSIA, HCI&IM, and LSN Program Component Areas with a slight increase of $19 million in HEC R&D for extreme computing technologies. The reduction in OSD and the Defense service labs would be due to decreases in HCI&A, CSIA, and HCI&IM. The proposed NSA decrease is due to the elimination of FY 2010’s Congressional add-ons.

Health and Human Services (HHS). The National Institutes of Health (NIH) constitutes the bulk of funding in IT R&D at HHS. For FY 2011, the President’s plan includes $1.3 billion in IT R&D funding at HHS, an increase of $38 million over the FY 2010 estimate. The NIH request of $1.2 billion for FY 2011 includes additional funding for HEC I&A and HCI&IM as well as continued adjustments based on the reporting system NIH implemented last year.

Department of Energy. IT R&D activities in DOE’s Office of Science (DOE SC), National Nuclear Security Administration (NNSA), and the Office of Nuclear Energy constitute DOE’s participation in NITRD. Under the President’s plan DOE NITRD funding would be $510 million, an increase of 5.7 percent, or $28 million, from the FY 2010 estimated level. NNSA would see a $1 million increase in NITRD-related funding to $14 million for FY 2011.

The DOE SC’s Advanced Scientific Computing Research (ASCR) program makes up the majority of the department’s participation in NITRD. For FY 2011, ASCR requested $426 million, up 8.1 percent over FY 2010. ASCR’s mission is to underpin and enable the efforts of programs within the DOE SC, as well as “to provide the high-performance computational and networking resources that are required for world leadership in science.” Additionally, the DOE increase in funding includes additional funding for HEC I&A for Leadership Computing Facilities, in particular the Argonne Leadership Computing Facility.

National Aeronautics and Space Administration (NASA). Under the President’s plan, NASA would see a slight decrease of $0.3 million below the FY 2010 request level for its NITRD programs. The President’s request includes $82 million for NASA IT R&D in FY 2011.

Department of Commerce (DOC). The DOC request for FY 2011 contains NITRD-related funding requests from two agencies: NOAA and NIST. NIST IT R&D efforts include working with industry, educational, and government organizations to make IT systems more useable, secure, scalable, and interoperable. In addition, NIST works to apply IT to specialized areas like biotechnology and manufacturing, and to encourage industry to accelerate development of IT innovations. The President’s request includes $92 million for NIST IT R&D in FY 2011, an increase of $15 million over FY 2010. The increase is to support the Comprehensive National Cybersecurity Initiative, Nationwide Healthcare Information Infrastructure Initiative, and Interoperability Standards Initiative.

NOAA supports IT research in emerging computer technologies for improved climate modeling and weather forecasting, and for improved communications technologies to disseminate weather products and warnings to emergency responders, policymakers, and the general public. The President’s request includes $26 million for NOAA IT R&D in FY 2011, flat funding compared to FY 2010.

Environmental Protection Agency (EPA). EPA IT R&D would receive $6.3 million in FY 2011 under the President’s plan, the same amount it received in FY 2009 and FY 2010. EPA intends to use that funding to support IT technologies that facilitate ecosystem modeling, risk assessment, and environmental decision making at the federal, state, and local levels.

National Archives and Records Administration (NARA). NARA research focuses on the management and preservation of electronic records and fosters the development of advanced technologies for the management of electronic records for the current and future operational needs of government. For IT R&D, the agency requests $4.5 million, the same amount it received in FY 2010 and FY 2009.
