Cybersecurity research plan identifies threats

Federal plan lacks a funding strategy for critical infrastructure protection R&D

For years, industry officials have urged the Bush administration to support cybersecurity research and development. Now they say they are hopeful that a new federal plan released in April will lead to increased funding for cybersecurity.

The National Science and Technology Council, a Cabinet-level body that coordinates governmentwide science and technology policies, issued the “Federal Plan for Cyber Security and Information Assurance Research and Development.” The report identifies critical threats to the nation’s information technology infrastructure and recommends that the government pay for research that would enable manufacturers to build IT security safeguards into infrastructure systems before they are delivered to power plants or other high-risk facilities.

That is the right approach, said Alan Paller, research director at the nonprofit SANS Institute. “This is the first document that I’ve seen that focuses on outcomes rather than favorite research projects,” Paller said. As seatbelts, bumpers and air bags provide motor vehicle safety, cybersecurity should be built into computers and networks, he said.

The 121-page federal plan makes a case for investigating the security implications of emerging broadcast protocols such as multicast and new protocols for wireless, mobile and ad hoc networks. The budding fields of optical computing, quantum computing and pervasively embedded computing could also introduce new hazards, the report states.

Paller praised the plan for prodding agencies to conduct research on IT security metrics. “Metrics that measure the government’s ability to withstand attack are sorely needed,” he said. But, he added, the plan omits any mention of how to pay for the recommended research.

Administration officials said the report establishes a framework for coordinating investments in technologies to secure the nation’s infrastructure. “This country’s IT infrastructure…is vital not only to our national and homeland security but to our economic security,” said John Marburger III, science adviser to the president and director of the Office of Science and Technology Policy. That infrastructure includes the public Internet and networks and IT systems that control critical infrastructure such as power grids and emergency communications systems. The report offers a blueprint for maximizing the return on cybersecurity research spending, Marburger said.

According to the plan, research funding is most needed in the areas of authentication, authorization and trust management; access control and privilege management; attack protection, prevention and pre-emption; wireless security; and software testing and assessment tools.

Ed Lazowska, co-chairman of the President’s IT Advisory Committee from 2003 until its authorization expired in June 2005, said the government must increase funding to reach the goals listed in the report.

“So my entreaty to Dr. Marburger is, ‘Spare me the commendations and show me the money,’ ” Lazowska said. “It’s time for leadership and investment.” Comments on the plan were due April 28.

Some lawmakers criticized the council’s research plan. Rep. Bart Gordon (D-Tenn.), the ranking Democrat on the House Science Committee, said the report’s major weakness is its lack of information about baseline funding levels for the research areas it identifies. “It is strange the report doesn’t provide the current funding amounts,” Gordon said.

The purpose of the House Science Committee’s Cyber Security R&D Act of 2002 was to establish a well-funded and coordinated basic and applied cybersecurity research program, Gordon said. “We’re still waiting.”

Ben Jun, vice president of technology at Cryptography Research, a data security company, described a worst-case scenario that could occur without coordination to protect critical infrastructure. “The next Pearl Harbor that we’re worried about isn’t going to be spam, e-mail or viruses,” Jun said. “It’s going to be on a critical facility like a power plant.”

Existing commercial security software is not designed to retrofit systems such as high-power gas mains. Implementing the administration’s plan to protect critical infrastructure could prevent catastrophe, Jun said. “What I see that’s promising here is that we’re going to pay more attention to solving those infrastructure problems,” he said.

Plan lists 10 actions to enhance cybersecurity

The National Science and Technology Council recommends establishing departmental research and development priorities and coordinating federal and private-sector spending to protect the nation’s information technology infrastructure. The plan includes 10 findings and recommendations, which are:

  • Focusing federal R&D investments on strategic cybersecurity and information assurance needs.

  • Focusing on threats with the greatest potential impact.

  • Making cybersecurity and information assurance R&D an individual agency and an interagency budget priority.

  • Supporting sustained interagency coordination and collaboration on cybersecurity and information assurance R&D.

  • Building in security from the outset when developing new information technologies.

  • Assessing the security implications of emerging information technologies.

  • Developing a road map for federal cybersecurity and information assurance R&D.

  • Developing and applying new metrics to assess cybersecurity and information assurance.

  • Instituting more effective coordination with the private sector.

  • Strengthening R&D partnerships, including those with international partners.

  • Source: National Science and Technology Council

    Featured

    • Cybersecurity
      CISA chief Chris Krebs disusses the future of the agency at Auburn University Aug. 22 2019

      Shared services and the future of CISA

      Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency at DHS, said that many federal agencies will be outsourcing cyber to a shared service provider in the future.

    • Telecom
      GSA Headquarters (Photo by Rena Schild/Shutterstock)

      GSA softens line on looming EIS due date

      Think of the September deadline for agencies to award contracts under the General Services Administration's $50-billion telecommunications contract as a "yellow light," said GSA's telecom services director.

    • Defense
      Shutterstock photo id 669226093 By Gorodenkoff

      IC looks to stand up a new enterprise IT program office

      The intelligence community wants to stand up a new program executive office to help develop new IT capabilities.

    Stay Connected

    FCW INSIDER

    Sign up for our newsletter.

    I agree to this site's Privacy Policy.