Cybersecurity R&D
The 2002 Cyber Security Research and Development Act (P.L. 107-305) authorized nearly $900 million in long-term cyber security R&D at the National Science Foundation and National Institute of Standards and Technology. CRA remains concerned that the President's current budget request continues to underfund this critical area of research at both NSF and NIST, as well as at the Department of Homeland Security.
- Information technology systems underpin key industries such as telecommunications and financial services, and also play a vital role in the smooth functioning of critical infrastructure and services, such as transportation systems, the electric power grid, and emergency response capabilities.
- Over 137,000 individual cyber attacks were reported in 2003.
- Out of a science and technology budget of over $800 million in FY 2004, the Department of Homeland Security targeted only $18 million on cybersecurity research and development.
- CRA remains especially concerned at the $22 million cut to NIST's FY 2004 appropriation, which will result in a substantial reduction in the agency's cyber security efforts -- including the agency's work to help other federal agencies defend themselves from cyber attack.
- CRA is pleased that NSF has undertaken a Cyber Trust program aimed at bolstering the agency's investment in long-term cybersecurity research. We support continued funding for this effort.
- While it is important that DHS work to improve US cybersecurity in the short term by focusing on technologies with very short times to deployment, we feel it is in the long-range interest of the US to allow DHS to focus some effort on fundamental, long-term cybersecurity R&D.
CRA's Take on the Current State of Cybersecurity R&D
From CRA testimony (pdf, 3.8 MB) before the President's Information Technology Advisory Committee (PITAC) Subcommittee on Cybersecurity R&D.
TESTIMONY OF THE COMPUTING RESEARCH ASSOCIATION
PREPARED FOR
THE PITAC CYBER SECURITY SUBCOMMITTEE TOWN HALL MEETING ON CYBER SECURITY
RESEARCH AND DEVELOPMENT
July 29, 2004
Thank you Chairman Leighton and other members of the PITAC Subcommittee on Cyber Security for this opportunity to provide input to the committee's efforts to review the Nation's cyber security research and development enterprise. The Computing Research Association (CRA), an organization representing more than 200 North American academic departments of computer science, computer engineering and related fields; 23 laboratories and centers in industry, government, and academia engaging in basic computing research; and 6 affiliated professional societies, has great interest in the current state of federally-supported cyber security research and development activities, and a few concerns.
As the National Research Council noted in its 2002 report Making the Nation Safer, information technology constitutes the "control loop" of essentially every aspect of our critical national infrastructure - the electric power grid, the financial grid, the telecommunications grid, the food distribution network - "[making] the computers and communications systems of the nation a critical infrastructure in and of themselves." In that report, the NRC concluded that the most significant long-term step the Federal government could take to protect this information infrastructure was a sustained commitment to IT research and development, specifically in the areas of information and network security, new IT for emergency response, and new IT for detection, prevention, remediation and attribution of attacks.
The NRC report delineated a number of research areas in five broad categories important to the goal of protecting the information infrastructure: improved information and networking security; command, control, communications and information (C3I) for emergency response; information fusion; privacy and confidentiality; and planning for the future. The list is well-conceived and we commend it to the attention of the committee. Just as significantly, the panel identified a number of important attributes the federal investment in cyber security research and development should possess. Federally-supported research, the panel concluded, should:
- Engage and support multidisciplinary, problem-oriented research useful to both civilian and military users.
- Have a research program driven by a deep understanding of vulnerabilities. This will likely require access to classified information, even though most of the research will be unclassified.
- Support a substantial effort in research areas with a long time horizon for payoff, with recognition that such investigations have been housed most often in academia.
- Provide support extending for time scales that are long enough to make meaningful progress on hard problems and in sufficient amounts that reasonably operating environments for the technology could be constructed.
- Invest some small fraction of its budget on thinking "outside the box" in consideration (and possible creation) of alternative futures.
- Be more tolerant of research directions that appear not to promise immediate applicability.
- Be overseen by a board or other entity with sufficient stature to attract top talent, provide useful feedback, and be an effective sounding board for that talent.
- Pay attention to the human resources needed to sustain the counterterrorism information technology research agenda - noting that only a very small fraction of the nation's graduating doctoral students in information technology specialize in information and network security or emergency communications, very few professors conduct research in these areas, and only a very few universities support research programs in these fields.
CRA's most serious concern with the current state of Federal support for cyber security R&D, particularly research supported by two key mission agencies - the Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS) - is that it lacks a significant number of the key attributes identified by the NRC. We are concerned that the federal effort is under-funded and poorly balanced between short and long-term efforts. Additionally, we are concerned that current law has a chilling effect on some research efforts in cyber security, and that current agency policies at odds with the attributes cited above appear to be driving university-based researchers away from research funded by critical mission agencies.
Read the whole testimony here....
CRA Conference on
"Grand Research Challenges in Information Security & Assurance"
Airlie House, Warrenton, Virginia
November 16-19, 2003
In 2002, CRA sponsored its first "Grand Research Challenges in Computer Science and Engineering." This was the first in a series of highly non-traditional conferences where the goal is to define important questions rather than expose current research. Grand Challenges meetings seek "out-of-the-box" thinking to expose some of the exciting, deep challenges yet to be met in computing research. Because of the clear importance and pressing needs in information security and assurance, CRA's second "Grand Research Challenges Conference" was devoted to defining technical and social challenges in information security and assurance.
Attendance was limited to 50 people and was by invitation only. We sought scientists, educators, business people, futurists, and others who have some vision and understanding of the big challenges (and accompanying advances) that should shape the research agenda in this field over the next few decades. These meetings are not structured as traditional conferences with scheduled presentations, but rather as highly participatory meetings exposing important themes and ideas. As such, this was not a conference for security specialists alone: We sought to convene a diverse group from a variety of fields and at all career stages; we sought insight and vision wherever it may reside.
At the conclusion of the conference, the participants identified four challenges worthy of sustained commitments of resources and effort:
- Eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years;
- Develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets;
- Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade;
- Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.
These challenges will be detailed in a forthcoming report due in 2004.
For more information about the conference, including streaming video of a Congressional briefing announcing the conclusions, see CRA's Grand Research Challenges.
Useful Graphs and Charts
Figure: NITRD Cybersecurity Budgets by Agency (PDF, 104k)