Ben Worthen has a great interview with former President’s IT Advisory Committee co-Chair Ed Lazowska in CIO Magazine in which Lazowska, freed from his role as presidential advisor after the President allowed PITAC’s charter to expire, pulls no punches describing the failure of the Administration to adequately support and prioritize cyber security research and development. Here’s a snippet:
[Lazowska:] Long-range R&D has always been the role of the national government. And the trend, despite repeated denials from the White House to the Department of Defense, has decreased funding for R&D. And of the R&D that does get funded, more and more of it is on the development side as opposed to longer-range research, which is where the big payoffs are in the long term. That’s a more fundamental problem that CIOs aren’t responsible for.
[Worthen:] You feel strongly that the government’s treatment of cybersecurity R&D has been particularly neglectful.
[Lazowska:] PITAC found that the government is currently failing to fulfill this responsibility. (The word failing was edited out of our report, but it was the committee’s finding.) Let me talk very quickly about three federal agencies that you might think are focusing on this but are not:
» Most egregiously, the Department of Homeland Security simply doesn’t get cybersecurity. DHS has a science and technology (S&T) budget of more than a billion dollars annually. Of this, [only] $18 million is devoted to cybersecurity. For FY06, DHS’s S&T budget is slated to go up by more than $200 million, but the allocation to cybersecurity will decrease to $17 million! It’s also worth noting that across DHS’s entire S&T budget, only about 10 percent is allocated to anything that might reasonably be called “research” rather than “deployment.”
» Defense Advanced Research Projects Agency (DARPA) is investing in cybersecurity, but has classified all of its recent new program starts in this field. It’s fine to do classified research, but we must also recognize the negative consequences, and we should (but don’t) fund nonclassified research to make up for it. One negative consequence is that classified research is very slow to impact commercial IT systems, on which the entire nation, and even much of the Department of Defense, relies. Another negative consequence is that the nation’s university-based researchers cannot participate, because universities do not perform classified research. This eliminates many of the nation’s best cybersecurity researchers. It also means that students are not trained in cybersecurity; the training of students is an important byproduct of research.