Computing Research Policy Blog

Two Information Week Articles of Interest

Two recent Information Week articles are of interest. The first article discusses the Commission on Professionals in Science and Technology’s newly released report regarding the IT workforce and the need to increase the representation of women and minorities to keep America competitive. This was a theme at the recent conferences in Florida, the Richard Tapia Celebration of Diversity in Computing and the Grace Hopper Celebration of Women in Information Technology. The report is free and available at the CPST web site but you do have to register to access it.

The second article is about the National Research Council report encouraging open exchange of science and technology research on the international stage. The article states the Council’s understanding that there are matters of national security that the United States is trying to protect by classifying research but that “the possibility that the United States might lose its edge in technology and research represents one of the greatest risks to national security.” Again the report is available online and is worth reading.

Computerworld on Sputnik, DARPA and Computing

Computerworld has fantastic coverage of the 50th anniversary of the Sputnik launch (Oct. 4th, 1957) and why, in a sense, we can thank the Soviets for helping create the conditions that led the U.S. to become the technological superpower we've become.

Computerworld's Gary Anthes' piece "Happy Birthday Sputnik! (Thanks for the Internet)" does a great job of chronicling how the federal government's reaction to the surprising Soviet launch created an agency and a research funding culture that proved so extraordinarily productive that nearly every billion-dollar sub-sector of the IT economy today bears its stamp. In the process, he checks in with a number of important figures from computer science who note that the productive culture within DARPA responsible for much of that early innovation seems to have waned -- and perhaps isn't even possible today.

Rather than quote snippets from the piece, I'd just encourage you to read all of it -- it's the piece I would've tried to write in honor of Sputnik's 50th if Anthens hadn't (I'm glad he did...it's assuredly better than anything I would've come up with).

Two other portions of the coverage are worth checking out, too. Computerworld did a pretty good job of simplifying the CSTB's "tire tracks" chart that shows the development of technologies from the initial research in university or industry labs to the time the products that resulted became billion-dollar industries.

And there's a good interview with former (D)ARPA director Charles M. Herzfeld on the state of IT research now.

It's all definitely worth a read.

DDR&E Asks SECDEF for Lots More S&T Money

Recognizing that the Pentagon's science and technology investment "may be inadequate to meet the imposing security threats that challenge our Nation and may not be adequately robust to take advantage of key scientific and technological opportunities that offer breakthrough advantages to our warfighters," John Young, the current Director of Defense Research and Engineering, has written a pretty remarkable memo to the Secretary of Defense asking for a substantial increase in funding. In his request, he singles out several "priority science and technology areas," along with about $9.5 billion in suggested increases. IT R&D figures prominently in his "straw man" proposal:

Foundational Sciences (including computing sciences) -- $300 - $500 M a year increase (he notes that DOD has been "coasting on the basic science investments of the last century" and writes what we've been saying for quite a while: "The DOD must dramatically re-energize and re-invigorate the nation's foremost scientific minds, especially those in early and mid-career, to focus on discovery, innovation, and synthesis in the physical and analytical sciences most crucial to our Nation's security.")
Information Warfare -- $100-200 M per year increase
Information Assurance - $100-200 M per year increase
Networking Technologies -- $40-70 M per year increase
Organiziation, Fusion, and Mining Large Data Sets -- $40-60M per year increase
Software Development Technology -- $40-70M per year increase
Autonomous Operation of Networks of Unmanned Vehicles in Complex Environments -- $100 M per year
Disparate Sensors, Communication and Spectrum Management -- $500 M per year

The memo containing the complete list of priorities is available from InsideDefense.com (subscription required). Overall, Young is proposing about $9.5 billion in increases from FY09-FY13 that would get DOD S&T spending close to 3 percent of the agency's budget (it's at about 2.2 percent right now). While there's no guarantee that the comptroller or the SecDef will give him anywhere close to that amount (though the current SecDef is perhaps more sympathetic to S&T than his predecessor), this sort of stage-setting from the DDR&E is pretty remarkable.

InsideDefense also has an article (sub. req'd) detailing the memo with some reaction from think-tanky-types, which is also worth reading if you've got a subscription.

NY Times on the Challenges of Network Complexity

John Schwartz of the New York Times has an interesting piece today on the rise in complexity of networked applications and the risks that complexity poses. Headlined Who Needs Hackers?, the piece makes the point that the biggest threat to these systems isn't malicious users, but complexity itself. Understanding how these giant interconnected systems work (or not) is a great challenge for the community.

"We have gone from fairly simple computing architectures to massively distributed, massively interconnected and interdependent networks," [Andreas M. Antonopoulos, a founding partner at Nemertes Research] said, adding that as a result, flaws have become increasingly hard to predict or spot. Simpler systems could be understood and their behavior characterized, he said, but greater complexity brings unintended consequences.

"On the scale we do it, it's more like forecasting weather," he said.

By the way, addressing this challenge is one of the goals of those proposing the Global Enivronment for Networking Innovations research network that we've discussed before in this space.

DDR&E Strategic Plan Released

The Department of Defense Research and Engineering released its 2007 Strategic Plan this week. It’s pretty high-level and doesn’t appear to contain any surprises. The DDR&E strategy focuses on countering four different types of threats with research and engineering efforts: traditional, irregular, catastrophic, and disruptive. The plan acknowledges that the DOD has a pretty good handle on dealing with the traditional (ie, Cold War-oriented) threats, but has much work to do to counter the other three. As a result, DDR&E is shifting its priorities slightly to focus more effort on addressing irregular threats (urban operations, war on terror, etc), catastrophic threats (WMDs), and disruptive technologies ("those that could render our most significant weapons systems less effective").

Fortunately, the Department still sees both basic research and research in information technologies as critical to all four efforts. In its list of "enabling technologies that should receive the highest level of corporate attention and coordination," information technology, persistent surveillance technologies, networks and communications, software research, "organization, fusion and mining data," cognitive enhancements, robotics, autonomous systems technologies, and large data set analysis tools all figure prominently. In fact, IT figures in almost all the DOD's "desired capabilities" in the plan.

The whole plan can be found here and is worth a read.

Cyber Security Report Released

The National Research Council of the National Academies of Science released a new report on cyber security and research called "Toward a Safer and More Secure Cyberspace." The report is available for free online at the National Academies Press.

The report lists three broad categories that lack of cyber security falls into:

First is the threat of catastrophe-a cyberattack, especially in conjunction with a physical attack, could result in thousands of deaths and many billions of dollars of damage in a very short time. Second is frictional drag on important economic and security-related processes. Today, insecurities in cyberspace systems and networks allow adversaries (in particular, criminals) to extract billions of dollars in fraud and extortion-and force businesses to expend additional resources to defend themselves against these threats. If cyberspace does not become more secure, the citizens, businesses, and governments of tomorrow will continue to face similar pressures, and most likely on a greater scale. Third, concerns about insecurity may inhibit the use of IT in the future and thus lead to a self-denial of the benefits that IT brings, benefits that will be needed for the national competitiveness of the United States as well as for national and homeland security.

It also lists a set of ten provisions that could form a Cyber Security Bill of Rights. The provisions are:

I. Availability of system and network resources to legitimate users.
II. Easy and convenient recovery from successful attacks.
III. Control over and knowledge of one's own computing environment.
IV. Confidentiality of stored information and information exchange.
V. Authentication and provenance.
VI. The technological capability to exercise fine-grained control over the flow of information in and through systems.
VII. Security in using computing directly or indirectly in important applications, including financial, health care, and electoral transactions and real-time remote control of devices that interact with physical processes.
VIII. The ability to access any source of information (e.g., e-mail, Web page, file) safely.
IX. Awareness of what security is actually being delivered by a system or component.
X. Justice for security problems caused by another party.

GENI Gets Some Press

The Chronicle of Higher Education (sub. req’d.) has a great article on the future of the Internet and the Global Environment for Network Innovations or GENI. It contains quotes from many participants of the new Computing Community Consortium (CCC) that CRA helped launch.

The article talks about the problems with the current state of the Internet:

Identity theft, viruses, and attacks on Web sites are on the rise — a few weeks ago the country of Estonia was practically shut down, digitally, by deliberate attempts to jam government computers. Spam, which was less than 50 percent of e-mail traffic back in 2002, is now close to 90 percent, according to Commtouch Software Ltd., an Internet-security company.

Moreover, the Internet has great difficulty coping with the sharp increase in mobile devices like cellphones and laptops, and handling bandwidth-hungry traffic such as video, now demanded by an increasing number of users.

GENI and its possibilities are discussed in great detail:

The people pushing for change are the very people at universities and colleges who built the Internet in the first place. Researchers at the Massachusetts Institute of Technology, the University of California at Berkeley, and the University of Southern California, among others, have joined Mr. Peterson in the GENI planning process. Industry players such as chip-maker Intel are also on board.

…

In late May of this year, the science foundation awarded Cambridge-based BBN Technologies the job of planning GENI, giving them $10-million to spend over the next four years. The company has deep roots in the old Internet: It built the first network segment connecting four universities back in 1969.

Chip Elliott, the BBN engineer who will be running the GENI project office, thinks the project calls for two approaches. "First, if you don't like conventional Internet protocols, try something completely different. Second, do it on a large enough scale, with enough users, so that your results actually mean something." People associated with GENI say that "large enough" means access for experimenters at several hundred universities and, eventually, a user community in the tens of thousands.

Thousands of users will provide a crucial dose of reality, say planners. Over the years, there have been many papers published on new Internet design, and simulations run on networks such as PlanetLab. "But you don't know how an Internet design will behave until a large group of people actually use it," says Ms. Zegura, who will co-chair a GENI science council charged with rounding up ideas from the research community. "They will do things that you don't expect, just like in the real Internet, and then you'll see how robust your idea is. That's where the rubber meets the road."

Two Interesting Posts...

...on Jim Horning's Nothing is as simple as we hope it will be blog. The first, on a recent cyber security hearing on the Hill has a nice extended quote from the Chairman of the Subcommittee on Emerging Threats, Cybersecurity, and S&T of the House Committee on Homeland Security, complaining about the gutting of the cyber security R&D budget at DHS.

The second is a summary of a paper by Robert Meyer and Michel Cukier on the impact of (perceived) user gender on the cyber attack threat (quick summary: "females" are much more likely to get attacked), which concludes with this great quote from Jim:

If this hostility is anywhere near the typical Internet experience, is it any wonder that computing and IT are increasingly losing the women?"

Innovation Briefing Event

The Task Force on the Future of American Innovation and the House R&D Caucus are hosting a lunch briefing on Tuesday, April 17 at noon. The Role of Basic Research in Innovation, Economic Competitiveness and National Security will include speakers from industry and academia and will be based on the second Benchmarks report, “Measuring the Moment: Innovation, National Security, and Economic Competitiveness” that we have previously covered in this space.

Speakers will include:

Dr. Anita Jones from the University of Virginia giving a presentation called, “The Role of Defense Research in the Innovation and Competitiveness Debate”

Dr. C. Dan Mote, President of the University of Maryland . His presentation is “Progress Since the Rising Above the Gathering Storm Report and What Still Needs Attention”

Amy Burke from Texas Instruments speaking on “Industry Perspective on the Importance of Federal Investment in Basic Research”

Task Force Chair Doug Comer, the director of legal affairs and technology policy at Intel, will do the welcome, introductions, and speak to the Benchmark’s report.

Rep. Rush Holt (D-NJ) and Rep. Judy Biggert (R-IL), the co-chairs of the House R&D Caucus will also make remarks at the briefing.

Anyone with an interest in innovation and competitiveness is welcome to attend. RSVP to Jessica Delucchi at 202.646.5046 or delucchij@battelle.org by Monday, April 16. Space is limited so reservations are on a first come basis.

Update: Doug Comer, Dr. Mote, and Amy Burke spoke to a packed room at the Task Force on the Future of American Innovation and House R&D Caucus briefing " The Role of Basic Research in Innovation, Economic Competitiveness and National Security." Over 100 people attended from industry, academia, and the Hill, including Representatives Judy Biggert (R-IL), Rush Holt (D-NJ), and Dana Rohrabacher (R-CA).

Comer discussed the Measuring the Moment report issued last year by the Task Force and gave an overview of the continued importance of federal funding for basic research to the economy as a whole.

As one of the Rising Above the Gathering Storm authors, Dr. Mote discussed the impact the report has had and what is still undone. He emphasized that the states need to be actively engaged in support of basic research at the university level and vocal about their support to their federal delegations.

Burke presented a specific picture of why federally funded basic research is important to Texas Instruments and how that translates to industry as a whole. She gave specific examples of technologies that have had major economic impact and were begun through basic research.

Maybe just as importantly, each attendee left with a copy of the Benchmarks report (pdf) and other Task Force material and at least one Member of Congress was seen toting the report around later that day....

All in all, a good, well-attended event.

Cyber Security Road Map

NITRD is asking the computing community for input on a roadmap for cyber security R&D called for in the Federal Plan for Cyber Security and Information Assurance Research and Development. Individuals from academic institutions, industry, government research labs and development centers, and international organizations are encouraged to submit white papers. The request was put out by the Cyber Security and Information Assurance Interagency Working Group.

The CSIA request includes submission guidelines, background and scope, and questions that the white papers need to address. The broad topics that the questions are under are:

CSIA R&D Strategic Issues
CSIA R&D Technical Topics and Priorities (as listed in the request)
CSIA R&D Roadmap
R&D Recommendations in the Federal Plan

CSIA is looking for papers to be submitted by November 30 but the submission guidelines state: “White papers submitted by January 31, 2007 will be used to the greatest extent possible.”

For questions or more information visit the web site or contact Dr. Ernest McDuffie at csia-comments@nitrd.gov or 703.292.4504.

GAO Report on Cyber Security R&D

The Government Accountability Office has just released its report (pdf) on the state of Federal Coordination for Cyber Security R&D requested by the House Committee on Government Reform. It's goal wasn't to assess the state of the research portfolio, but to look at how the agencies coordinate. Here's what they recommended:

To strengthen cyber security research and development programs, we recommend that the Director of the Office of Science and Technology Policy take the following action:

• Establish firm timelines for the completion of the federal cyber security R&D agenda that includes near-term, mid-term, and long-term research. Such an agenda should include the following elements:
  • timelines and milestones for conducting research and development activities;
  • goals and measures for evaluating research and development activities;
  • assignment of responsibility for implementation, including the accomplishment of the focus areas and suggested research priorities; and
  • the alignment of funding priorities with technical priorities.

We also recommend that the Director of the Office of Management and Budget implement the following action:

• Issue guidance to agencies on reporting information about federally funded cyber security R&D projects to the governmentwide repositories.

The report is here (pdf). It's a pretty quick read at only 30 pages.

GCN.com have online coverage here.

OSTP apparently had no comment on the recommendations in the GAO report. The establishment of a research agenda for federal cyber security R&D was also a recommendation and focus of the PITAC report Cyber Security R&D: A Crisis of Prioritization. The committee laid out in the 2005 report ten specific research areas it felt warranted prioritization, along with recommending immediate increases to the cyber security research budgets of NSF, DARPA and DHS (but especially NSF, which they felt was really carrying the load for fundamental, long-term cyber security research). While progress on these funding recommendations has been slow, NITRD has added a Cyber Security and Information Assurance working group into its interagency planning effort....

Homeland Security Appropriations

The Homeland Security Appropriations were passed last week before Congress went home to campaign. The news is mixed with the total appropriations for R&D coming in at $838 million —more than either the House or the Senate recommended individually. The cyber security R&D program will see an increase of $3.3 million to $20 million, up from $16.7 million in FY2006. While it's nice that there's an increase to the cyber security account, the level is still well below "adequate," as PITAC pointed out last year in its report on the federal cyber security research effort Cyber Security R&D: A Crisis of Prioritization. Ed Lazowska, former Chair of PITAC, put it nicely in this interview with CIO Magazine last year:

Most egregiously, the Department of Homeland Security simply doesn't get cybersecurity. DHS has a science and technology (S&T) budget of more than a billion dollars annually. Of this, [only] $18 million is devoted to cybersecurity. For FY06, DHS's S&T budget is slated to go up by more than $200 million, but the allocation to cybersecurity will decrease to $17 million! It's also worth noting that across DHS's entire S&T budget, only about 10 percent is allocated to anything that might reasonably be called "research" rather than "deployment."

Hopefully, this is high on the agenda of the Department's new Assistant Secretary for Cyber Security and Telecommunications, Greg Garcia, who was appointed to the post on September 18th.

Further bad news in the R&D section is that University Programs received $50 million, which is less than the $62 million appropriated last year and below the President’s request of $51.9 million.

Congress used the appropriations bill to express its displeasure with the way Homeland Security S&T has been managed and its expectation that things must improve if S&T is to get any increased appropriations in the future. In fact, Congress expressly withheld $50 million from the R&D budget until the office presents, and Congress approves, “a report prepared by the Under Secretary of Science and Technology that describes the progress to address financial management deficiencies, improve its management controls, and implement performance measures and evaluations.” They also included language requiring a hearing within 60 days of enactment on “the University-Based Centers of Excellence Program goals for fiscal year 2007 and outcomes projected for each center for the next three years.”

As the bill has not yet been signed by the President (although it is expected to be), the Department is operating under a continuing resolution extending the FY2006 budget numbers.

NIST Security Recommendations for Automated Web Services

NIST has released recommendations for automated Web services security. The announcement was published in GCN last week and the recommendations are open to comments. Information for sending comments is at the end of the GCN article. Comments need to be sent by October 30.

NSTC Releases Cyber Security R&D Report

The National Science and Technology Council, the cabinet-level council that coordinates S&T policies across the Federal Government, released (pdf) its plan for federal investment in cyber security research and development today. The 121-page report (pdf), called Federal Plan for Cyber Security and Information Assurance Research and Development, "sets out a framework for multi-agency coordination of Federal R&D investments in technologies that can better secure the interconnected computing systems, networks, and information that together make up the U.S. information technology (IT) infrastructure." Here's more from their release (pdf):

"This country's IT infrastructure -- which includes not only the public Internet but also the networking and IT systems that control critical infrastructures ranging from power grids to emergency communications systems -- is vital not only to our national and homeland security but to our economic security," said John H. Marburger III, Science Adviser to the President and Director of the Office of Science and Technology Policy. "This report provides a blueprint for coordination of Federal R&D across agencies that will maximize the impact of investments in this key area of the national interest."

The Federal Plan for Cyber Security and Information Assurance outlines strategic objectives for coordinated Federal R&D in cyber security and information assurance (CSIA). The Plan presents a broad range of CSIA R&D technical topics and identifies those topics that are multi- agency technical and funding priorities. The Plan’s findings and recommendations address R&D priority-setting, coordination, fundamental R&D, emerging technologies, roadmapping, and metrics. Together with commentaries about the CSIA R&D technical topics that describe their significance, the current state of the art, and gaps in current capabilities, these elements provide a baseline for implementing the Plan’s recommendations.

The plan builds in part on the work of the now-extinct President's Information Technology Advisory Committee, which produced a similar report on the issue -- Cyber Security: A Crisis of Prioritization (pdf) -- last year that we liked very much.

I've only just seen the report, so I can't give any detailed analysis, but here are the report's ten findings and recommendations from the executive summary:

Findings and Recommendations Strategic interagency R&D is needed to strengthen the cyber security and information assurance of the Nation’s IT infrastructure. Planning and conducting such R&D will require concerted Federal activities on several fronts as well as collaboration with the private sector. The specifics of the strategy proposed in this Plan are articulated in a set of findings and recommendations. Presented in greater detail in the report, these findings and recommendations are summarized as follows:

1. Target Federal R&D investments to strategic cyber security and information assurance needs -- Federal cyber security and information assurance R&D managers should reassess the Nation’s strategic and longer-term cyber security and information assurance needs to ensure that Federal R&D addresses those needs and avoids areas in which the private sector is productively engaged.

2. Focus on threats with the greatest potential impact -- Federal agencies should focus cyber security and information assurance R&D investments on high- impact threats as well as on investigation of innovative approaches to increasing the overall security and information assurance of IT systems.

3. Make cyber security and information assurance R&D both an individual agency and an interagency budget priority -- Agencies should consider cyber security and information assurance R&D policy guidance as they address their mission-related R&D requirements. To achieve the greatest possible benefit from investments throughout the Federal government, cyber security and information assurance R&D should have high priority for individual agencies as well as for coordinated interagency efforts.

4. Support sustained interagency coordination and collaboration on cyber security and information assurance R&D -- Sustained coordination and collaboration among agencies will be required to accomplish the goals identified in this Plan. The CSIA IWG should continue to be the primary vehicle for this R&D coordination and collaboration.

5. Build security in from the beginning -- The Federal cyber security and information assurance R&D portfolio should support fundamental R&D exploring inherently more secure next-generation technologies that will replace today’s patching of the current insecure infrastructure.

6. Assess security implications of emerging information technologies -- The Federal government should assess the security implications and the potential impact of R&D results in new information technologies as they emerge in such fields as optical computing, quantum computing, and pervasively embedded computing.

7. Develop a roadmap for Federal cyber security and information assurance -- R&D Agencies should use this Plan’s technical priorities and investment analyses to work with the private sector to develop a roadmap of cyber security and information assurance R&D priorities. This effort should emphasize coordinated agency activities that address technical and investment gaps and should accelerate development of strategic capabilities.

8. Develop and apply new metrics to assess cyber security and information assurance -- As part of roadmapping, Federal agencies should develop and implement a multiagency plan to support the R&D for a new generation of methods and technologies for cost-effectively measuring IT component, network, and system security.

9. Institute more effective coordination with the private sector -- The Federal government should review private- sector cyber security and information assurance practices and countermeasures to help identify capability gaps in existing technologies, and should engage the private sector in efforts to better understand private-sector views on cyber security and information assurance R&D priorities. Federal agencies supporting cyber security and information assurance R&D should improve communication and coordination with operators of both Federal and private-sector critical infrastructures with shared interests. Information exchange and outreach activities that accelerate technology transition should be integral parts of Federal cyber security and information assurance R&D activities.

10. Strengthen R&D partnerships, including those with international partners -- The Federal government should foster a broad partnership of government, the IT industry, researchers, and private-sector users to develop, test, and deploy a more secure next-generation Internet. The Federal government should initiate this partnership by holding a national workshop to solicit views and guidance on cyber security and information assurance R&D needs from stakeholders outside of the Federal research community. In addition, impediments to collaborative international R&D should be identified and addressed in order to facilitate joint activities that support the common interests of the United States and international partners.

Seems hard to quibble with much of that. As the NCO press release indicates, they're accepting comments on the report to aid in the "planning of next steps." Those comments are due by April 28th, so get cracking.

We'll have more as CRA prepares its comments on the plan (we've had strong opinions on the issue in the past).

[Editor's note: Apologies to regular readers for the lag in posts here recently. Lots going on around town and at CRA HQ -- along with some posting fingers that are getting a little worn after 400+ posts over the last couple of years -- but things should be better very soon. :) Thanks for the patience!]

DMCA Slowed Disclosure of Sony/BMG Spyware

CRA has often argued that the Digital Millennium Copyright Act (DMCA) -- enacted in 1998 to combat digital piracy -- is disruptive to the process of research. When computer security researchers feel compelled by the potential liability created by DMCA to consult with an army of attorneys before moving forward with previously legitimate research, there's a cost -- a cost, we'd argue, that affects national and individual security, the pace of innovation, and IP management. In the case of the Sony/BMG spyware debacle, it appears that chilling effect cost unwitting consumers of Sony's CDs at least a month of additional exposure to the major security vulnerability introduced by "copy protection" on the Sony discs.

Ed Felten and Alex Halderman detail this effect in their submission to the Copyright Office requesting exemptions from the anti-circumvention provisions of the DMCA as part of the office's triennial review of the legislation. As Felten notes on Freedom To Tinker, he and Halderman were aware of the vulnerabilities created by the Sony CD a month before the first public disclosure, but delayed publication of their findings until they could consult with university counsel about liability posed by DMCA. From the submission:

Researchers like Professor Edward Felten and Alex Halderman waste valuable research time consulting attorneys due to concerns about liability under the DMCA. They must consult not only with their own attorneys but with the general counsel of their academic institutions as well. Unavoidably, the legal uncertainty surrounding their research leads to delays and lost opportunities. In the case of the CDs at issue, Halderman and Felten were aware of problems with the XCP software almost a month before the news became public, but they delayed publication in order to consult with counsel about legal concerns. This delay left millions of consumers at risk for weeks longer than necessary.

Felten and Halderman are asking the Copyright Office for an exemption to the DMCA that would allow circumvention of compact disk copy protection technologies that have certain spyware-ish features or create security holes. You can read the whole submission here (pdf). Unfortunately, the Copyright Office was pretty miserly about granting exemptions during the last two reviews, so it's not clear how even Felten and Halderman's compelling request will fare. But we'll keep track of the process here and post the details.

HASC to Review DOD Cyber Security Efforts Tomorrow

With short notice, the House Armed Services Committee Panel on Asymmetric and Unconventional Threats will hold a hearing tomorrow to examine cyber security, information assurance and information exploitation issues at the Department of Defense. I say short notice because the witness list for the hearing didn't appear until today and the hearing's lead witness, CRA Board member and Purdue professor Eugene Spafford, didn't receive an invitation to attend until Tuesday. Joining Spaf on the panel are David Grawrock, Principal Engineer and Security Architect at Intel, and Paul Kurtz, Executive Director of the Cyber Security Industry Alliance.

Spaf has already submitted his written testimony (pdf) and it's excellent (especially given the time constraint). In it, he notes that DOD faces some worrisome trends in defending itself from cyber threats:

• The number of reported attacks of various kinds is generally increasing annually;
• Attacks are becoming more sophisticated and more efficient;
• Few perpetrators are ever caught and prosecuted;
• An unknown (but probably large) number of attacks, frauds and violations are not detected with current defenses;
• A large number of detected attacks are not reported to appropriate authorities;
• The problem is international in scope, both in origin of attacks and in location of victims;
• The majority of the attacks are enabled by faulty software, poor configuration, and operator error.

Exacerbating these trends at DOD are a number of factors:

• An over-dependence on commercial-off-the-shelf products (COTS);
• A lack of metrics measuring the safety, security and quality of IT products in a general and meaningful way;
• A lack of deterrence -- vandals and criminals operate with the knowledge that there's almost no chance of being caught unless they are exceedingly careless;
• A lack of fallback alternatives -- no planning for how to proceed with critical mission responsibilities with degraded or disabled IT resources;
• An under-investment in research, especially long-term research at DOD and throughout the federal research portfolio; and
• An ill-informed application of classification by agencies like DARPA that prevent some of the best minds in the country from working on cyber security problems.

Spaf has a number of recommendations of actions to take to reduce the threat to DOD IT systems, but I thought I'd list his primary recommendation here, especially as it echoes recommendations we've made many times in the past:

1. Most importantly, increase the priority and funding for scientific research into issues of security and protection of IT systems. This was the conclusion of the PITAC, and of numerous other studies cited in the PITAC report. Too much money is being spent on upgrading patches and not enough is being spent on fundamental research by qualified personnel. There are too few researchers in the country who understand the issues of information security, and too many of them are unable to find funding to support fundamental research. This is the case at our military research labs, commercial labs, and at our university research centers. Increased spending for research is an investment in national defense and national economic competitiveness, and is not in other expenditures for basic and applied research.

The hearing begins at 9 am, October 27th, and will be webcast (click on the microphone icon next to the hearing notice) and archived.

Spaf's full testimony is here. (pdf)

House Science Cyber Security and Critical Infrastructures Hearing Wrapup

As mentioned previously, the House Science Committee met yesterday to focus on the threat cyber security vulnerabilities pose to various critical sectors of the Nation's critical infrastructure. Representatives from the oil and gas, chemical, electrical and communications sectors all testified that their industries are becoming more and more dependent upon public networks, those networks are under serious threat from cyber attack, and the federal government has a clear role both in supporting information exchange and coordination among all the industry stakeholders, and supporting a research agenda aimed at addressing the threat, primarily in the long-term. I'm not sure there's much more I need to add to that, other than to point to the archived video, the hearing charter (pdf), and the testimony of the five witnesses.

A few observations:

Committee chairman Sherwood Boehlert (R-NY) set the tone for the hearing in his opening statement by declaring that despite everything else that was taking place on the Hill that day -- including the Roberts confirmation hearing and the party caucus meeting to choose a new Chairman of the Homeland Security Committee (Rep. Peter King (R-NY) was the choice) -- he couldn't think of another event more important than this hearing on cyber security.

We shouldn’t have to wait for the cyber equivalent of a Hurricane Katrina - or even and Hurricane Ophelia might serve - to realize that we are inadequately prepared to prevent, detect and respond to cyber attacks.

And a cyber attack can affect a far larger area at a single stroke that can any hurricane. Not only that, given the increasing reliance of critical infrastructures on the Internet, a cyber attack could result in deaths as well as in massive disruption to the economy and daily life.
...
So our goal this morning is to help develop a cybersecurity agenda for the federal government, especially for the new Assistant Secretary. I never want to have to sit on a special committee set up to investigate why we were unprepared for a cyber attack. We know we are vulnerable, it’s time to act.

Despite federally-supported research and development in cyber security being cited as a critical need by each one of the industry witnesses, the only federal witness -- Andy Purdy, Director of the National Cyber Security Division at DHS -- didn't mention R&D in his oral remarks other than to hope that he'd get a chance to talk about it during questioning (alas, he didn't). In his written testimony, Purdy noted that DHS' R&D goals are almost exclusively short-term:

Perform R&D aimed at improving the security of existing deployed technologies and to ensure the security of new emerging systems;

Develop new and enhanced technologies ofr the detection of, prevention of, and response to cyber attacks on the nation's critical infrastructure; and

Facilitate the transfer of these technologies into the national infrastructure as a matter of urgency.

Of course, as PITAC found in its review of the nation's cyber security R&D portfolio, even this narrow commitment to the short-term suffers from a severe lack of priority within the agency. The agency has requested only $17 million for FY 06 ($1 million less than last year) for cyber security research, out of a total S&T budget of over a billion dollars. I was disappointed that the members of the committee didn't spend more time questioning DHS' priority when it comes to funding cyber security R&D.

The hearing was well-attended by members of the committee. Despite lots of other events on the Hill, the hearing drew at least 23 different Members of Congress, with many sticking around to ask questions. There was plenty of room in the audience and the sections reserved for press however, which led Chairman Boehlert to complain that cyber security is still greeted with a "muffled yawn" outside his committee room and that he hoped it wasn't going to take a "cyber Katrina" to wake people up about the dangerous threat.

I was pleased that Boehlert took a few minutes out of the question period to suggest to the industry representatives (SBC, British Petroleum, Dow Chemical, and American Electric Power were all represented) that they make use of their exceptionally persuasive "hired guns" in DC to advocate for more R&D and better coordination. The lobbyists need to be out there putting focus on the importance of this subject, he said.

Finally, an odd tack during the question and answer portion of the hearing: Rep. Roscoe Bartlett (R-MD) used his five minutes to berate DHS and the industry representatives for failing to plan and prepare adequately for the "ultimate low-probability, high-impact event" threatening the nation: a nuclear electromagnetic pulse attack. An EMP attack (by detonating a large yield nuclear weapon many miles in the atmosphere above the US) would potentially render every non-hardened microprocessor in the country completely inoperable, which given the ubiquitousness of microprocessors in just about everything, would have a devastating effect on the country. Bartlett was especially interested in hearing how the energy companies would cope, given that every transformer they operate would likely be destroyed, including ones we no longer have the ability to manufacture domestically. None of the witnesses could point to any significant preparation in their sectors.

Posted by PeterHarsha at 05:02 PM | TrackBack
Posted to Events | Policy | Security

Things Will Get Busier...

Apologies for the dearth of timely updates recently. As many readers familiar with the congressional calendar are aware, Congress disappears for the entire month of August so that members can find their way back to their home districts, partake in a few county fairs and local parades, and generally get a longer-than-usual glimpse of how people outside the Beltway actually live. Consequently, you can see the tumbleweeds blow through the streets of DC until about Labor Day.

Now that Congress is back in town and focused on confirming a Chief Justice, dealing with the aftermath of Katrina, and finishing all the must-pass appropriations bills -- ideally before the end of the fiscal year on Sept 30th (they've finished just 2 of 12) -- things are already heating up quickly, so expect this space to get a bit busier as well.

For example, three events worthy of note are scheduled for this Thursday (September 15th). First, at 10 am, the House Science Committee will revisit federal support for cyber security R&D in a hearing that will focus on the risk cyber vulnerabilities pose to critical industries in the U.S. and what the federal government can do to help. Scheduled to testify are:

Mr. Donald "Andy" Purdy, Acting Director, National Cyber Security Division, Department of Homeland Security;

Mr. John Leggate, Chief Information Officer, British Petroleum Inc.;

Mr. David Kepler, Corporate Vice President, Shared Services, and Chief Information Officer, The Dow Chemical Company;

Mr. Andrew Geisse, Chief Information Officer, SBC Services Inc.; and

Mr. Gerald Freese, Director, Enterprise Information Security, American Electric Power.

Presumably, the committee hopes to hear from the industry representatives how significant the cyber threat is to their industries what the Department of Homeland Security is doing about it. Hopefully the committee and the industry witnesses press DHS about its minimal efforts to engage in long-range research to counter the threats. The hearing, like all Science Committee hearings, will be webcast live (10 am to noon) and archived on the Science Committee website.

Also on Thursday are two policy lunches on Capitol Hill relevant to federal support for R&D. The Forum on Technology and Innovation, an offshoot of the Council on Competitiveness and co-chaired by Sen. John Ensign (R-NV) and Sen. Blanche Lincoln (D-AR), will hold a policy briefing on "Basic Research -- The Foundation of the Innovation Economy." Scheduled to speak are George Scalise, president of the Semiconductor Industry Association; Carl A. Batt, Director of the Cornell University/Ludwig Institute for Cancer Research Partnership; and Brian Halla, Chairman of the Board and CEO of National Semiconductor. The event is scheduled from 12:30 pm - 2:00 pm, in the Senate Hart building, room 209. Readers in DC can register to attend here. It looks like the forum archives video of their events, so those unable to attend might want to check afterwards for the video stream.

Over on the House side, unfortunately at exactly the same time, is a briefing put on by the House R&D Caucus (CRA is a member of the advisory committee for the caucus) focused on the R&D tax credit. The event is sponsored by the R&D Credit Coalition, which is chock full of industry representatives. From the invite:

Microwaves, laptops, car airbags, life-saving medical technologies and even your MP3 player have one thing in common.

U.S.-based research helped create these innovative products. Research makes our lives better.
...
Come learn how we can encourage U.S.-based research through the strengthening and extension of the R&D Credit. See real examples of how research continues to improve America.

The briefing will be in 2325 Rayburn House Office Building, from Noon - 1:30 pm. DC-area folks wishing to attend can find the RSVP info here (pdf). Apparently attendees can also sign-up to drive "the latest hydrogen fuel cell cars," which could be fun.

The presence of so many U.S. manufacturers and companies on the panels and sponsor-cards for the briefings should add a little heft to the message of both events. I only wish that they hadn't been scheduled for almost exactly the same time....

Industry Group Calls for Increased Cyber Security R&D; Congress Hears Message from Former PITAC Members

In a report released this week, the Cyber Security Industry Alliance -- a group consisting of information security software, hardware and service vendors -- called on Congress and the Administration to ramp up support for fundamental research in cyber security R&D and increase the prominence of cyber security at key federal agencies. CSIA's report, Federal Funding for Cyber Security R&D (pdf) reiterates the findings of the most recent Presidential IT Advisory Committee (PITAC) report (pdf) on the state of federal cyber security research, concluding that the overall investment in cyber security research is inadequate and too focused on the short-term. The CSIA report agrees with the PITAC report's recommendation to increase funding for long-term research in cyber security, noting a number of key security technologies -- firewalls, intrustion detection systems, fault tolerant networks, operating systems, cryptography and advanced authentication -- that bear the stamp of federally-sponsored, long-term research.

The report differs from the PITAC report slightly in that it calls for the creation of a "designated entity" within DHS to coordinate the federal government's cyber security R&D effort; whereas, PITAC recommended that function remain within the interagency working group activity of the Networking and IT R&D program. CSIA rightly points out that the IWG of NITRD has very little actual influence on priority-setting at the agencies. Instead, they recommend that the new Assistant Secretary for Cyber Security at DHS serve as "the logical choice to drive the prioritization of requirements for research and development." My only concern with that recommendation is that DHS hasn't yet bought into the idea that long-term research efforts should be a priority. DHS's own budget for cyber security R&D remains a paltry $18 million for FY 05, out of an overall science and technology budget of just over a billion dollars. And of that $18 million, barely $2 million could realistically be described as "long-term" research efforts. (DHS's lack of priority for cyber security R&D has been a frequent topic here).

Otherwise, the CSIA report marches in lockstep with the PITAC report on cyber security R&D (pdf) issued back in March. We strongly endorsed that report and I'm pretty thrilled with the industry report issued this week.

Coincidentally, two former PITAC members (former because PITAC has been "disbanded" since June 1, 2005...) were on the Hill yesterday to participate in a briefing on cyber security R&D hosted by the Congressional Research and Development Caucus and put together by IEEE and IEEE-CS. Former PITAC Subcommittee on Cyber Security R&D Chair Tom Leighton (Chief Scientist and Co-Founder of Akamai) and former PITAC member Gene Spafford "Spaf" (Professor and Director of CERIAS at Purdue University) told the assembled congressional staffers, science community folks and assorted press about the problems we face in the cyber security arena and what PITAC recommended.

The briefing was the latest in a series of briefings on the PITAC report and follows a number of hearings on the scope of the cyber security challenge. In April, for example, Spaf and Leighton, along with former PITAC co-Chair Ed Lazowska, participated in a number of focused briefings for Hill staff on the PITAC report. The House Science Committee, as well as the House Homeland Security committee have both held numerous hearings on the subject over the last several years. Yet the extent of the problems we face -- the risk posed by cyber attacks on critical infrastructure, the exposure internet users have to fraud and abuse because of security vulnerabilities, the cost to industry due to cyber extortion and malicious acts -- still appears to shock to congressional staff. I'm not sure they really believe that companies have paid "protection" money to criminals who threatened to take down their web presence with massive distributed denial of service attacks. I'm not sure they really believe that "phishing" and "pharming" attacks are real threats to individual internet users. I'm not sure they understand that IT systems are in the control loop of just about every piece of critical infrastructure in the nation and are vulnerable. I think many believe that the impact of a concerted cyber attack would be limited to something like Amazon being unavailable for the day.

So despite the reports and briefings and hearings, we in the community haven't done a great job breaking through the noise around homeland security and conveying the importance of cyber security, or by extension cyber security R&D. In part, I think this is because the homeland security debate is really dominated by the specter of a nuclear, biological or chemical (NBC) attack (perhaps rightly so). The idea that a cyber attack could exist on the same scale as any one of the big three isn't so easily embraced by staff. Yet in terms of cost to industry and cost to government, the daily onslaught of cyber attacks must add up to dollar losses that exceed even some of the more dramatic NBC scenarios. But the investment in research to mitigate those losses, or prevent them entirely, pales in comparison to the investments in NBC research at DHS.

In any case, the continued efforts of folks like Spaf and Leighton, and industry partners like the members of CSIA and ITAA, are helping to educate members of Congress and their staff to the challenges in the area. And, for better or worse, the growing frequency of breeches of customer data held by credit card companies, banks, universities and others is forcing Congress to climb the learning curve....

NY Times OpEd on Cyber Security: "Virtually Unprotected"

The New York Times editorializes today that, despite the very real threat, the nation continues to be woefully unprepared to defend against a "cyberattack" on our critical infrastructure.

Power grids, water treatment and distribution systems, major dams, and oil and chemical refineries are all controlled today by networked computers. Computers make the nation's infrastructure far more efficient, but they also make it more vulnerable. A well-planned cyberattack could black out large parts of the country, cut off water supplies or worse. The Nuclear Regulatory Commission found that in 2003 a malicious, invasive program called the Slammer worm infected the computer network at a nuclear power plant and disabled its safety monitoring system for nearly five hours.

Despite the warnings after 9/11 - and again after the 2003 blackout - disturbingly little has been done. The Government Accountability Office did a rigorous review of the Department of Homeland Security's progress on every aspect of computer security, and its findings are not reassuring. It found that the department has not yet developed assessments of the threat of a cyberattack or of how vulnerable major computer systems are to such an attack, nor has it created plans for recovering key Internet functions in case of an attack. The report also expressed concern that many of the department's senior cybersecurity officials have left in the past year. Representative Zoe Lofgren, the California Democrat who was among those who requested the G.A.O. report, said last week that it proved that "a national plan to secure our cybernetworks is virtually nonexistent."

As we've noted previously, the President's IT Advisory Committee came to a similar conclusion in its report (pdf) on Cyber Security R&D, released last March. That report concluded that the federal government is largely failing in its responsibility to protect the nation from cyberthreats and recommended an immediate increase in the amount of support for cyber security research at NSF, DHS, and DARPA, and greater emphasis on civilian networks in addition to military-oriented networks.

Unfortunately, the early results of this appropriations season show that the recommendations for DHS continue to go largely unheeded....

Update: Ed Felten has a thoughtful post at Freedom to Tinker on the difficulty of addressing the cyberthreat problem with government action.

PITAC Cyber Security Report is Out!

The long-awaited PITAC report on Cyber Security, Cyber Security: A Crisis of Prioritization (pdf, 2.2mb) has just been released. The committee spent nearly a year reviewing the federal government's cyber security R&D effort, a process we've covered in this space. The resulting report concludes that the IT infrastructure -- beyond the public Internet -- is a crucial piece of the nation's critical infrastructures, such as power grids, air traffic control systems, financial systems, and military and intelligence systems. Given it's importance, the committee finds that the federal cyber security R&D investment is inadequate and "imbalanced" towards short-term, defense oriented research, with little support for fundamental research to address the larger vulnerabilities of the civilian IT infrastructure. As a result the committee recommends changes to the portfolio to:

Increase Federal support for fundamental research in civilian cyber security by $90 million annually at NSF and by substantial amounts at agencies such as DARPA and DHS to support work in 10 high-priority areas identified by PITAC.

Intensify Federal efforts to promote recruitment and retention of cyber security researchers and students at research universities, with an aim of doubling this profession’s numbers by the end of the decade.

Provide increased support for the rapid transfer of Federally developed cutting-edge cyber security technologies to the private sector.

Strengthen the coordination of the Interagency Working Group on Critical Information Infrastructure Protection and integrate it under the Networking and Information Technology Research and Development (NITRD) Program.

I'll have more detail on the report as I work my way through it, but wanted to get a link up to it ASAP. At 72 pages cover-to-cover, the report is a very revealing examination of the federal cyber security R&D portfolio.

Update: (3/19/05) - The NY Times' John Markoff has more on the report today, including this quote from PITAC co-Chair Ed Lazowska:

"The federal government is largely failing in its responsibility to protect the nation from cyberthreats," said Edward D. Lazowska, chairman of the computer science and engineering department at the University of Washington and co-chairman of the panel. "The Department of Homeland Security simply doesn't 'get' cybersecurity. They are allocating less than 2 percent of their science and technology budget to cybersecurity, and only a small proportion of this is forward-looking."

Michelle Petrovich, a spokeswoman for the Department of Homeland Security, disputed the criticism. "We take cybersecurity seriously and have taken aggressive measures to address various needs," she said. "Our cybersecurity budget has gone up every year."

For the record, it may be true that DHS' overall budget for "cyber security" activities has gone up, but cyber security R&D -- the focus of this report and, one would think, a focus of the DHS Science and Technology directorate -- has actually been flat at DHS for the last two fiscal years at a paltry $18 million out of an overall S&T budget of just about $1 billion per year. And of that tiny share only $1.5 million could truly be called "long-term" research -- research beyond patching the holes in the current systems. As the report points out, without research into fundamentally new approaches, we'll be "endlessly patching and plugging holes in the dike" for years to come. It's also worth noting that the President's budget for cyber security research at DHS this year actually takes a step backwards. For FY 2006, the President's budget would cut cyber security R&D at the agency to $17 million, a decrease of $1 million from FY 2005....

Cyber Security is a Vulnerability for U.S. Power Grid, Wash Post Says

In a story today, the Washington Post notes that the U.S. power grid remains at risk from cyber security threats that could have real physical effects on the network and that the federal government is stepping up its efforts to make sure utility companies are addressing the threat.

Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, warned top electric company officials in a private meeting in January that they need to focus more heavily on cyber-security. Wood also has raised the issue at several public appearances. Officials will not say whether new intelligence points to a potential terrorist strike, but Wood stepped up his campaign after officials at the Energy Department's Idaho National Laboratory showed him how a skilled hacker could cause serious problems.

Wood declined to comment on specifics of what he saw. But an official at the lab, Ken Watts, said the simulation showed how someone could hack into a utility's Internet-based business management system, then into a system that controls utility operations. Once inside, lab workers simulated cutting off the supply of oil to a turbine generating electricity and destroying the equipment.

Describing his reaction to the demonstration, Wood said: "I wished I'd had a diaper on."

In our work before Congress and the President's Information Technology Advisory Committee (pdf), we've tried to emphasize the importance of cyber security R&D, especially long-term R&D, because IT systems constitute the "control loop" of most other elements of our nation's critical infrastructure (e.g., the electric power grid, the air traffic control grid, the financial grid, the telecommunications grid), and constitute a significant vulnerability. While the federal government has been reasonably quick to warn companies of the risk, it hasn't done quite as well in ramping up the long-term research to reduce vulnerabilities. Hopefully the imminent release of PITAC's report (pdf) on the state of cyber security R&D will help move things forward at agencies like DHS and DARPA, and result in increased funding for NSF's cyber security R&D efforts.

In the meantime, USACM's Cameron Wilson has more, and Jim Horning has a related post on how the nuclear industry is reacting to new proposed voluntary standards for the increased security of digital systems. Short answer: not well.

Catching Up: Update on PITAC Cyber Security Efforts

This article I spotted today in Government Computer News on former Director of DHS' National Cybersecurity Division Amit Yoran's thoughts about DHS' niche in federal cybersecurity efforts reminded me that I hadn't provided an update on what I thought was a very interesting meeting of PITAC's Subcommittee on Cybersecurity R&D a week ago last Friday.

The Subcommittee is in the process of evaluating the federal government's efforts in supporting cybersecurity research and development -- trying to figure out how well the government is targeting the right research areas, whether there's good balance between short-term and long-term research, whether we're doing all we can to improve technology transfer, and whether we're well prepared for the security challenges of the future. The goal is to produce a final report the full PITAC can approve at its March 2005 meeting. So far the subcommittee has produced a first draft, which is what was presented by Subcommittee Chair F. Thomson Leighton at the Nov 19th meeting.

And that first draft is very good. It's clear the committee has taken to heart much of the testimony it has received, including testimony CRA submitted to the committee last July. Leighton's slide presentation (pdf) does a good job of laying out the details, but I thought I'd summarize them a bit here.

The committee has identified four main issues: 1) Problems with civilian cyber security research; 2) Problems with the size of the cyber security basic research community; 3) Tech transfer issues; and 4) The coordination of cyber security R&D. They seem to have devoted quite a bit of attention to the first issue, and the points that they raise are all right on the money (and concerns CRA shares), namely:

The Federal R&D budget provides severely insufficient funding for basic research in cyber security. Even better, the subcommittee specifies an actual dollar amount increase (at least $90 million per year) necessary to make up for the current under-investment (while leaving the door open for future increases in funding beyond $90 million per year should "the Nation's security posture in the future" warrant it).

The subcommittee finds that the current federal focus on near-term applications in cyber security must be reversed.

Federal research efforts need to avoid "incrementalism." Research programs need to accommodate longer time periods and accept some "failures."

We must buttress civilian cyber security R&D efforts. While there's clearly a need for the Defense Department and the intelligence agencies to sponsor significant amounts of cyber security R&D related to their missions, increasingly, much of that research is being classified. There are costs to bear when research is classified. For example, research results for classified research are very slow to disseminate, if ever, and many/most university researchers are unable to participate -- meaning some of the best minds in the country aren't working on these important problems. As a result, NSF, the primary funder of unclassified, civilian cyber security R&D, is heavily oversubscribed. Its cyber security research program (CyberTrust) has an astonishingly bad award rate of 5-8 percent. The subcommittee estimates that a quadrupling (emph. added) of the CyberTrust budget could be productively used by the civilian cyber security community.

There are no shortage of research areas in need of funding: Computer authentication methodologies; securing fundamental protocols, secure software engineering, end-to-end system security, monitoring and detection; mitigation and recovery methodologies' cyberforensics and technology to enable prosecution of criminals; modeling and testbeds for new technologies; metrics, benchmarks and best practices; and societal and governance issues. In short, the subcommittee says

There is no silver bullet or small set of silver bullets. It is not a matter of "tweaking" in the Internet -- there is no foundation of security to tweak. The existing Internet was built based on assumption of trust: it was assumed no one would harm the infrastructure, even by accident.

I think this is all excellent, and basically in agreement with the testimony CRA provided back in July. About the only thing of which I would have liked to have seen discussion is the issue of the potential (and real) chilling effect on research of laws aimed at protecting intellectual property and privacy -- most notably the impediment to research posed by provisions of the Digital Millennium Copyright Act. As we noted in our testimony (by stealing excellent language from our affiliate ACM's U.S. Public Policy Office):

[T]he “anti-circumvention provisions” of the DMCA interfere with many legal, non-infringing uses of digital computing and prevent scientists and technologists from circumventing access technologies to recognize shortcomings in security systems, to defend patents and copyrights, to discover and fix dangerous bugs in code, to analyze and stop malicious code (e.g., viruses), and to conduct forms of desired educational activities. In some instances, the threat of legal action under the DMCA has deterred scientists from publishing scholarly work or even publicly discussing their research, both fundamental tenets of scientific discourse.

Other than that, I'm pretty happy with what I've seen from the report so far. (Please read through the slides to get the details on the other three issues the subcommittee identified.) If the final report contains the important discussion of the character of research supported by each of the federal agencies funding cyber security efforts and the subcommittee's funding recommendations, it will be a strong document that should prove very useful in the computing research community's efforts to reshape cyber security R&D policy at federal agencies (see in particular the subcommittee's discussions about the nature and amount of research sponsored by DHS -- too short-term and too little, in sum).

We'll continue to keep an eye on the committee's progress....

Oh, and just to get back to the article that triggered this post in the first place, I think it's important to note that though this:

Yoran also called for more government support for basic security research. He said the initial $18 million budgeted for cybersecurity R&D in the first year of DHS was adequate as the department identified needs. But going forward, “personally, I would like to see greater government support for fundamental security research,” he said.

implies that DHS is spending $18 million on basic research in cyber security, this isn't actually the case (as the subcommittee points out on slide 25). The agency currently spends just $1.5 million on research that can truly be considered basic, long-term research. The remaining $16.5 million is spent on short-term activities.

Still, it's encouraging that Yoran at least acknowledges that the agency is lacking in its support for fundamental research. Hopefully his replacement will as well -- and do something about it.

House Leadership Wants Cyber Security Back In White House?

The AP reports today (via USA Today) that the House Republican leadership will propose moving the cyber security offices of the Department of Homeland Security back to the White House as part of the House version of the intelligence reorganization. According to the article, the change reflects "frustration among some Republican lawmakers about what they view as a lack of attention paid to cybersecurity by the Department of Homeland Security (DHS)."

CRA has certainly shared that frustration, especially a frustration with DHS's relative lack of adequate funding support for cyber security research and development efforts at the agency. As we've noted before, cyber security gets a very small share of a $1 billion science and technology budget at DHS -- $18 million in FY 04 (and that is double the amount the administration initially proposed). However, it's not clear to me -- having only seen the proposal summarized in news reports -- that this new effort would have any effect on the current level of support for cyber security R&D or address any of the concerns we've raised (pdf) concerning cyber R&D efforts at other agencies as well.

Judging from the responses of the industry folks cited in the article, it doesn't sound like very many folks were consulted before this got put on the fast track.

More details as we figure them out....

ITAA Accuses Security Researchers of Waging "Religious War" in Opposing E-voting Systems

Computerworld has an article today with quotes from ITAA's Harris Miller complaining that IT security researchers are opposing e-voting systems because they're pushing a political agenda on behalf of the open-source software community.

Some choice quotes:

"It's not about voting machines. It's a religious war about open-source software vs. proprietary software," Miller said in an interview with Computerworld. "If you're a computer scientist and you think that open-source software is the solution to everything because you're a computer scientist and you can spot all flaws, then you hate electronic voting machines. But if you're a person who believes that proprietary software and open-source software can both be reliable, then you don't hate electronic voting machines."

Kim Alexander, president of the California Voter Foundation, called Miller's characterization "nonsense."

"Every technologist that I have worked with believes that even if we had open-source software, we would still need a paper [audit] trail," said Alexander. "There would be no guarantee that the software that was inspected by the public would be the same software that is running on every machine in every jurisdiction in the country."

Eric Raymond, president of the Open Source Initiative (OSI), a nonprofit organization that promotes standards and criteria for open-source software, said Miller has the issue wrong. "Most [e-voting] critics, including me, aren't focusing on open-source vs. closed-source at all, but rather on the lack of any decent audit trail of votes -- one that can't be corrupted by software. Open-source would be nice for all the real reasons but is less important than the audit trail."

It's an interesting article.

Update: Spaf e-mails:

[O]ne thing left out of all the press accounts is that ITAA and Harris Miller are being paid by the voting machine vendors to help them establish a better image. Thus, Harris's comments should be viewed with a very strong filter in place.

CAPPS II Cancelled

From Declan McCullagh's Politech list: Plan to collect flier data canceled; Color-coded system seen as privacy threat from USA Today

Update from Andy Bernat: "Don't believe everything you read in USA Today. From the Washington Post Friday morning:

New Airline Screening System Postponed
Controversy Over Privacy Leads to CAPPS II Paring, Delay Until After Election

Somehow this seems more likely to be accurate."

Monoculture Debate at USENIX

Ed Felten's got a rundown of the Dan Geer vs. Scott Charney debate at the USENIX conference on whether operating-system monoculture is a threat to computer security. Some interesting points on both sides (and from Felten).

Insecure and Unaware

The Chronicle of Higher Education has a story (available for another 5 days or so) on computer security at the nation's universities, which concludes that security lapses are common. Here are some choice quotes:

"What I've seen is a top-to-bottom lack of awareness of issues related to security," says Eugene H. Spafford, a computer-science professor who is executive director of the Center for Education and Research in Information Assurance and Security, at Purdue University at West Lafayette. Too many students, he says, don't know that they need to fix computer holes and use antivirus software, and that some of their activities -- particularly downloading copyrighted music without paying for it -- are illegal.

"You have faculty who believe that because it's their machine and because of academic freedom they should be able to do whatever they want," he says. "And you have administrators who don't understand the risk or the need to invest in appropriate technology and set policy appropriately."

Indeed, E. Eugene Schultz, a principal engineer at the Lawrence Berkeley National Laboratory who is editor in chief of the journal Computers & Security, says universities are "among the least secure places in the universe, as far as computing goes."

Some of the problems identified in campus security audits are:

Colleges are not doing enough to encourage students and other campus users to protect their campus accounts. Passwords are not changed periodically, are too short, or are not always required for employees to gain access to confidential information.

Many colleges have not created disaster-recovery plans so that crucial information can be saved if a campus is leveled by a hurricane, terrorist attack, or other catastrophe.

College officials are often slow to terminate or revise employees' computer access after they leave. Such delays increase the chance that a disgruntled worker can sabotage the network.

Because colleges are not performing risk assessments of their networks, officials don't know where to concentrate resources to protect networks and data.

Here's the full article.