This article I spotted today in Government Computer News on former Director of DHS’ National Cybersecurity Division Amit Yoran’s thoughts about DHS’ niche in federal cybersecurity efforts reminded me that I hadn’t provided an update on what I thought was a very interesting meeting of PITAC’s Subcommittee on Cybersecurity R&D a week ago last Friday.
The Subcommittee is in the process of evaluating the federal government’s efforts in supporting cybersecurity research and development — trying to figure out how well the government is targeting the right research areas, whether there’s good balance between short-term and long-term research, whether we’re doing all we can to improve technology transfer, and whether we’re well prepared for the security challenges of the future. The goal is to produce a final report the full PITAC can approve at its March 2005 meeting. So far the subcommittee has produced a first draft, which is what was presented by Subcommittee Chair F. Thomson Leighton at the Nov 19th meeting.
And that first draft is very good. It’s clear the committee has taken to heart much of the testimony it has received, including testimony CRA submitted to the committee last July. Leighton’s slide presentation (pdf) does a good job of laying out the details, but I thought I’d summarize them a bit here.
The committee has identified four main issues: 1) Problems with civilian cyber security research; 2) Problems with the size of the cyber security basic research community; 3) Tech transfer issues; and 4) The coordination of cyber security R&D. They seem to have devoted quite a bit of attention to the first issue, and the points that they raise are all right on the money (and concerns CRA shares), namely:

The Federal R&D budget provides severely insufficient funding for basic research in cyber security. Even better, the subcommittee specifies an actual dollar amount increase (at least $90 million per year) necessary to make up for the current under-investment (while leaving the door open for future increases in funding beyond $90 million per year should “the Nation’s security posture in the future” warrant it).

The subcommittee finds that the current federal focus on near-term applications in cyber security must be reversed.

Federal research efforts need to avoid “incrementalism.” Research programs need to accommodate longer time periods and accept some “failures.”

We must buttress civilian cyber security R&D efforts. While there’s clearly a need for the Defense Department and the intelligence agencies to sponsor significant amounts of cyber security R&D related to their missions, increasingly, much of that research is being classified. There are costs to bear when research is classified. For example, research results for classified research are very slow to disseminate, if ever, and many/most university researchers are unable to participate — meaning some of the best minds in the country aren’t working on these important problems. As a result, NSF, the primary funder of unclassified, civilian cyber security R&D, is heavily oversubscribed. Its cyber security research program (CyberTrust) has an astonishingly bad award rate of 5-8 percent. The subcommittee estimates that a quadrupling (emph. added) of the CyberTrust budget could be productively used by the civilian cyber security community.

There are no shortage of research areas in need of funding: Computer authentication methodologies; securing fundamental protocols, secure software engineering, end-to-end system security, monitoring and detection; mitigation and recovery methodologies’ cyberforensics and technology to enable prosecution of criminals; modeling and testbeds for new technologies; metrics, benchmarks and best practices; and societal and governance issues. In short, the subcommittee says

There is no silver bullet or small set of silver bullets. It is not a matter of “tweaking” in the Internet — there is no foundation of security to tweak. The existing Internet was built based on assumption of trust: it was assumed no one would harm the infrastructure, even by accident.

I think this is all excellent, and basically in agreement with the testimony CRA provided back in July. About the only thing of which I would have liked to have seen discussion is the issue of the potential (and real) chilling effect on research of laws aimed at protecting intellectual property and privacy — most notably the impediment to research posed by provisions of the Digital Millennium Copyright Act. As we noted in our testimony (by stealing excellent language from our affiliate ACM’s U.S. Public Policy Office):

[T]he “anti-circumvention provisions” of the DMCA interfere with many legal, non-infringing uses of digital computing and prevent scientists and technologists from circumventing access technologies to recognize shortcomings in security systems, to defend patents and copyrights, to discover and fix dangerous bugs in code, to analyze and stop malicious code (e.g., viruses), and to conduct forms of desired educational activities. In some instances, the threat of legal action under the DMCA has deterred scientists from publishing scholarly work or even publicly discussing their research, both fundamental tenets of scientific discourse.

Other than that, I’m pretty happy with what I’ve seen from the report so far. (Please read through the slides to get the details on the other three issues the subcommittee identified.) If the final report contains the important discussion of the character of research supported by each of the federal agencies funding cyber security efforts and the subcommittee’s funding recommendations, it will be a strong document that should prove very useful in the computing research community’s efforts to reshape cyber security R&D policy at federal agencies (see in particular the subcommittee’s discussions about the nature and amount of research sponsored by DHS — too short-term and too little, in sum).
We’ll continue to keep an eye on the committee’s progress….
Oh, and just to get back to the article that triggered this post in the first place, I think it’s important to note that though this:

Yoran also called for more government support for basic security research. He said the initial $18 million budgeted for cybersecurity R&D in the first year of DHS was adequate as the department identified needs. But going forward, “personally, I would like to see greater government support for fundamental security research,” he said.

implies that DHS is spending $18 million on basic research in cyber security, this isn’t actually the case (as the subcommittee points out on slide 25). The agency currently spends just $1.5 million on research that can truly be considered basic, long-term research. The remaining $16.5 million is spent on short-term activities.
Still, it’s encouraging that Yoran at least acknowledges that the agency is lacking in its support for fundamental research. Hopefully his replacement will as well — and do something about it.