Cybersecurity research plan identifies threats

Federal plan lacks a funding strategy for critical infrastructure protection R&D

For years, industry officials have urged the Bush administration to support cybersecurity research and development. Now they say they are hopeful that a new federal plan released in April will lead to increased funding for cybersecurity.

The National Science and Technology Council, a Cabinet-level body that coordinates governmentwide science and technology policies, issued the “Federal Plan for Cyber Security and Information Assurance Research and Development.” The report identifies critical threats to the nation’s information technology infrastructure and recommends that the government pay for research that would enable manufacturers to build IT security safeguards into infrastructure systems before they are delivered to power plants or other high-risk facilities.

That is the right approach, said Alan Paller, research director at the nonprofit SANS Institute. “This is the first document that I’ve seen that focuses on outcomes rather than favorite research projects,” Paller said. As seatbelts, bumpers and air bags provide motor vehicle safety, cybersecurity should be built into computers and networks, he said.

The 121-page federal plan makes a case for investigating the security implications of emerging broadcast protocols such as multicast and new protocols for wireless, mobile and ad hoc networks. The budding fields of optical computing, quantum computing and pervasively embedded computing could also introduce new hazards, the report states.

Paller praised the plan for prodding agencies to conduct research on IT security metrics. “Metrics that measure the government’s ability to withstand attack are sorely needed,” he said. But, he added, the plan omits any mention of how to pay for the recommended research.

Administration officials said the report establishes a framework for coordinating investments in technologies to secure the nation’s infrastructure. “This country’s IT infrastructure…is vital not only to our national and homeland security but to our economic security,” said John Marburger III, science adviser to the president and director of the Office of Science and Technology Policy. That infrastructure includes the public Internet and networks and IT systems that control critical infrastructure such as power grids and emergency communications systems. The report offers a blueprint for maximizing the return on cybersecurity research spending, Marburger said.

According to the plan, research funding is most needed in the areas of authentication, authorization and trust management; access control and privilege management; attack protection, prevention and pre-emption; wireless security; and software testing and assessment tools.

Ed Lazowska, co-chairman of the President’s IT Advisory Committee from 2003 until its authorization expired in June 2005, said the government must increase funding to reach the goals listed in the report.

“So my entreaty to Dr. Marburger is, ‘Spare me the commendations and show me the money,’ ” Lazowska said. “It’s time for leadership and investment.” Comments on the plan were due April 28.

Some lawmakers criticized the council’s research plan. Rep. Bart Gordon (D-Tenn.), the ranking Democrat on the House Science Committee, said the report’s major weakness is its lack of information about baseline funding levels for the research areas it identifies. “It is strange the report doesn’t provide the current funding amounts,” Gordon said.

The purpose of the House Science Committee’s Cyber Security R&D Act of 2002 was to establish a well-funded and coordinated basic and applied cybersecurity research program, Gordon said. “We’re still waiting.”

Ben Jun, vice president of technology at Cryptography Research, a data security company, described a worst-case scenario that could occur without coordination to protect critical infrastructure. “The next Pearl Harbor that we’re worried about isn’t going to be spam, e-mail or viruses,” Jun said. “It’s going to be on a critical facility like a power plant.”

Existing commercial security software is not designed to retrofit systems such as high-power gas mains. Implementing the administration’s plan to protect critical infrastructure could prevent catastrophe, Jun said. “What I see that’s promising here is that we’re going to pay more attention to solving those infrastructure problems,” he said.

Plan lists 10 actions to enhance cybersecurity

The National Science and Technology Council recommends establishing departmental research and development priorities and coordinating federal and private-sector spending to protect the nation’s information technology infrastructure. The plan includes 10 findings and recommendations, which are:

  • Focusing federal R&D investments on strategic cybersecurity and information assurance needs.

  • Focusing on threats with the greatest potential impact.

  • Making cybersecurity and information assurance R&D an individual agency and an interagency budget priority.

  • Supporting sustained interagency coordination and collaboration on cybersecurity and information assurance R&D.

  • Building in security from the outset when developing new information technologies.

  • Assessing the security implications of emerging information technologies.

  • Developing a road map for federal cybersecurity and information assurance R&D.

  • Developing and applying new metrics to assess cybersecurity and information assurance.

  • Instituting more effective coordination with the private sector.

  • Strengthening R&D partnerships, including those with international partners.

  • Source: National Science and Technology Council

    Featured

    Stay Connected

    FCW Update

    Sign up for our newsletter.

    I agree to this site's Privacy Policy.