Group sees security weaknesses

The President’s Information Technology Advisory Committee says critical IT systems remain highly susceptible to cyber attacks that could have a catastrophic effect.


Current approaches don't adequately secure the nation’s information technology infrastructure, according to a presidential advisory committee.

In the President’s Information Technology Advisory Committee’s report, “Cyber Security: A Crisis of Prioritization,” committee members wrote that critical IT systems remain highly susceptible to cyberattacks that could have catastrophic effects on infrastructures, national security and the economy.

Cybersecurity problems have been building for several years because organizations failed to develop security protocols, practices and expertise needed to stay current, according to the report from the committee, which includes academic and corporate computer experts. Drafts of the report have been available during the past several months, and the final report was formally presented to the President last week.

The technology infrastructure cited in the report includes not only the Internet but also less visible systems such as power grids, air traffic control, finance, military networks and intelligence systems.

“The growing dependence of these critical infrastructures on the IT infrastructure means that the former cannot be secure if the latter is not,” the committee’s co-chairs, Marc Benioff and Edward Lazowska, wrote in the report’s introduction.

The committee recommended shifting federal funds to long-term basic research. The group said there has been a short-sighted emphasis on near-term research and development and intelligence and military applications that are often classified and unavailable for civilian use.

Specifically, the report recommended that the National Science Foundation’s budget be increased by $90 million annually and that the cybersecurity research budget be substantially increased at other agencies, namely the Homeland Security Department and the Defense Advanced Research Projects Agency.

The report stated that officials should target research to 10 priorities, including:

* Authentication technologies.

* Secure fundamental protocols.

* Secure software engineering and software assurance.

* Holistic system security.

* Monitoring and detection.

* Mitigation and recovery methodologies.

* Cyber forensics.

* Modeling and test beds for new technologies.

* Metrics, benchmarks and best practices.

* Nontechnological factors, such as psychological, societal, institutional, legal and economic, that can compromise cybersecurity.

Governmentwide research has to be better coordinated, according to the report, which includes a call for an interagency working group to help organize those efforts.

Academic institutions have fewer than 250 active cybersecurity or cyber assurance specialists, and many lack formal training or extensive professional experience, the committee found. The federal government must promote recruitment and retention of researchers and students at universities to double the number of civilian cybersecurity researchers by 2010, the report states.

Officials should also transfer technology investments from federal research to private-sector development of usable products, committee members stated. They believe federal officials should focus on metrics, models, datasets and test beds; jointly sponsor an interagency conference to showcase research and development results; fund technology transfer efforts; and support graduate students and postdoctoral researchers to gain experience in the private sector.
