Search


CRA TumbleLog

Archives
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
Archives by Category
American Competitiveness Initiative (45)
CRA (38)
Computing Community Consortium (CCC) (6)
Diversity in Computing (9)
Events (8)
FY06 Appropriations (13)
FY07 Appropriations (32)
FY08 Appropriations (8)
Funding (135)
Misc. (42)
People (67)
Policy (179)
R&D in the Press (56)
Research (45)
Security (20)
Recent Entries
NY Times on Women's Interest in Computing
Time on GENI
Innovation Briefing Event
NSF Reauthorization
Eugene Spafford Honored with ACM President's Award
Innovation Bill Moves Forward
CRA's Hiring
Innovation Funding Featured in House Budget Resolution
Announcing the Computing Research Policy TumbleLog
Innovation Press Conference and Hearing
CRA Links
Computing Research News
CRA-Bulletin
Computing Data and Resources
CRA in the News
Computing Research in the FY05 Budget
What We're Reading
Computational Complexity
CNSR Online
Danger Room
Defense Tech
Freedom to Tinker
InsideHPC
Lessig Blog
Nothing is as simple...
Reed's Ruminations
Schneier on Security
Techdirt
UMBC eBiquity Blog
USACM Tech Policy Blog
Advocacy Materials
IT R&D One-pager (pdf)
DARPA and University Research One-pager (pdf)
Cyber Security R&D One-pager (pdf)
Current and Requested IT R&D Funding Charts (pdf)
Recent Testimony
Cybersecurity R&D (pdf)
IT R&D Funding (pdf)
Syndicate this site (XML)
Atom (XML)

Subscribe with Bloglines

Powered by
Movable Type 2.65

October 26, 2005

HASC to Review DOD Cyber Security Efforts Tomorrow

With short notice, the House Armed Services Committee Panel on Asymmetric and Unconventional Threats will hold a hearing tomorrow to examine cyber security, information assurance and information exploitation issues at the Department of Defense. I say short notice because the witness list for the hearing didn't appear until today and the hearing's lead witness, CRA Board member and Purdue professor Eugene Spafford, didn't receive an invitation to attend until Tuesday. Joining Spaf on the panel are David Grawrock, Principal Engineer and Security Architect at Intel, and Paul Kurtz, Executive Director of the Cyber Security Industry Alliance.

Spaf has already submitted his written testimony (pdf) and it's excellent (especially given the time constraint). In it, he notes that DOD faces some worrisome trends in defending itself from cyber threats:

  • The number of reported attacks of various kinds is generally increasing annually;
  • Attacks are becoming more sophisticated and more efficient;
  • Few perpetrators are ever caught and prosecuted;
  • An unknown (but probably large) number of attacks, frauds and violations are not detected with current defenses;
  • A large number of detected attacks are not reported to appropriate authorities;
  • The problem is international in scope, both in origin of attacks and in location of victims;
  • The majority of the attacks are enabled by faulty software, poor configuration, and operator error.
Exacerbating these trends at DOD are a number of factors:
  • An over-dependence on commercial-off-the-shelf products (COTS);
  • A lack of metrics measuring the safety, security and quality of IT products in a general and meaningful way;
  • A lack of deterrence -- vandals and criminals operate with the knowledge that there's almost no chance of being caught unless they are exceedingly careless;
  • A lack of fallback alternatives -- no planning for how to proceed with critical mission responsibilities with degraded or disabled IT resources;
  • An under-investment in research, especially long-term research at DOD and throughout the federal research portfolio; and
  • An ill-informed application of classification by agencies like DARPA that prevent some of the best minds in the country from working on cyber security problems.
Spaf has a number of recommendations of actions to take to reduce the threat to DOD IT systems, but I thought I'd list his primary recommendation here, especially as it echoes recommendations we've made many times in the past:
1. Most importantly, increase the priority and funding for scientific research into issues of security and protection of IT systems. This was the conclusion of the PITAC, and of numerous other studies cited in the PITAC report. Too much money is being spent on upgrading patches and not enough is being spent on fundamental research by qualified personnel. There are too few researchers in the country who understand the issues of information security, and too many of them are unable to find funding to support fundamental research. This is the case at our military research labs, commercial labs, and at our university research centers. Increased spending for research is an investment in national defense and national economic competitiveness, and is not in other expenditures for basic and applied research.
The hearing begins at 9 am, October 27th, and will be webcast (click on the microphone icon next to the hearing notice) and archived.

Spaf's full testimony is here. (pdf)

Posted by PeterHarsha at October 26, 2005 08:03 PM | TrackBack
Posted to Security