The long-awaited PITAC report on Cyber Security, Cyber Security: A Crisis of Prioritization (pdf, 2.2mb), has just been released. The committee spent nearly a year reviewing the federal government’s cyber security R&D effort, a process we’ve covered in this space. The resulting report concludes that the IT infrastructure — beyond the public Internet — is a crucial piece of the nation’s critical infrastructures, such as power grids, air traffic control systems, financial systems, and military and intelligence systems. Given its importance, the committee finds that the federal cyber security R&D investment is inadequate and “imbalanced” towards short-term, defense-oriented research, with little support for fundamental research to address the larger vulnerabilities of the civilian IT infrastructure. As a result, the committee recommends changes to the portfolio to:
Increase Federal support for fundamental research in civilian cyber security by $90 million annually at NSF and by substantial amounts at agencies such as DARPA and DHS to support work in 10 high-priority areas identified by PITAC.
Intensify Federal efforts to promote recruitment and retention of cyber security researchers and students at research universities, with an aim of doubling this profession’s numbers by the end of the decade.
Provide increased support for the rapid transfer of Federally developed cutting-edge cyber security technologies to the private sector.
Strengthen the coordination of the Interagency Working Group on Critical Information Infrastructure Protection and integrate it under the Networking and Information Technology Research and Development (NITRD) Program.
I’ll have more detail on the report as I work my way through it, but wanted to get a link up to it ASAP. At 72 pages cover-to-cover, the report is a very revealing examination of the federal cyber security R&D portfolio.
Update (3/19/05): The NY Times’ John Markoff has more on the report today, including this quote from PITAC co-chair Ed Lazowska:
“The federal government is largely failing in its responsibility to protect the nation from cyberthreats,” said Edward D. Lazowska, chairman of the computer science and engineering department at the University of Washington and co-chairman of the panel. “The Department of Homeland Security simply doesn’t ‘get’ cybersecurity. They are allocating less than 2 percent of their science and technology budget to cybersecurity, and only a small proportion of this is forward-looking.”
Michelle Petrovich, a spokeswoman for the Department of Homeland Security, disputed the criticism. “We take cybersecurity seriously and have taken aggressive measures to address various needs,” she said. “Our cybersecurity budget has gone up every year.”
For the record, it may be true that DHS’ overall budget for “cyber security” activities has gone up, but cyber security R&D — the focus of this report and, one would think, a focus of the DHS Science and Technology directorate — has actually been flat at DHS for the last two fiscal years at a paltry $18 million out of an overall S&T budget of just about $1 billion per year. And of that tiny share only $1.5 million could truly be called “long-term” research — research beyond patching the holes in the current systems. As the report points out, without research into fundamentally new approaches, we’ll be “endlessly patching and plugging holes in the dike” for years to come. It’s also worth noting that the President’s budget for cyber security research at DHS this year actually takes a step backwards. For FY 2006, the President’s budget would cut cyber security R&D at the agency to $17 million, a decrease of $1 million from FY 2005….