Cybersecurity research plan identifies threats

For years, industry officials have urged the Bush administration to support cybersecurity research and development. Now they say they are hopeful that a new federal plan released in April will lead to increased funding for cybersecurity.

The National Science and Technology Council, a Cabinet-level body that coordinates governmentwide science and technology policies, issued the “Federal Plan for Cyber Security and Information Assurance Research and Development.” The report identifies critical threats to the nation’s information technology infrastructure and recommends that the government pay for research that would enable manufacturers to build IT security safeguards into infrastructure systems before they are delivered to power plants or other high-risk facilities.

That is the right approach, said Alan Paller, research director at the nonprofit SANS Institute. “This is the first document that I’ve seen that focuses on outcomes rather than favorite research projects,” Paller said. As seatbelts, bumpers and air bags provide motor vehicle safety, cybersecurity should be built into computers and networks, he said.

The 121-page federal plan makes a case for investigating the security implications of emerging broadcast protocols such as multicast and new protocols for wireless, mobile and ad hoc networks. The budding fields of optical computing, quantum computing and pervasively embedded computing could also introduce new hazards, the report states.

Paller praised the plan for prodding agencies to conduct research on IT security metrics. “Metrics that measure the government’s ability to withstand attack are sorely needed,” he said. But, he added, the plan omits any mention of how to pay for the recommended research.

Administration officials said the report establishes a framework for coordinating investments in technologies to secure the nation’s infrastructure. “This country’s IT infrastructure…is vital not only to our national and homeland security but to our economic security,” said John Marburger III, science adviser to the president and director of the Office of Science and Technology Policy. That infrastructure includes the public Internet and networks and IT systems that control critical infrastructure such as power grids and emergency communications systems. The report offers a blueprint for maximizing the return on cybersecurity research spending, Marburger said.

According to the plan, research funding is most needed in the areas of authentication, authorization and trust management; access control and privilege management; attack protection, prevention and pre-emption; wireless security; and software testing and assessment tools.

Ed Lazowska, co-chairman of the President’s IT Advisory Committee from 2003 until its authorization expired in June 2005, said the government must increase funding to reach the goals listed in the report.

“So my entreaty to Dr. Marburger is, ‘Spare me the commendations and show me the money,’ ” Lazowska said. “It’s time for leadership and investment.” Comments on the plan were due April 28.

Some lawmakers criticized the council’s research plan. Rep. Bart Gordon (D-Tenn.), the ranking Democrat on the House Science Committee, said the report’s major weakness is its lack of information about baseline funding levels for the research areas it identifies. “It is strange the report doesn’t provide the current funding amounts,” Gordon said.

The purpose of the House Science Committee’s Cyber Security R&D Act of 2002 was to establish a well-funded and coordinated basic and applied cybersecurity research program, Gordon said. “We’re still waiting.”

Ben Jun, vice president of technology at Cryptography Research, a data security company, described a worst-case scenario that could occur without coordination to protect critical infrastructure. “The next Pearl Harbor that we’re worried about isn’t going to be spam, e-mail or viruses,” Jun said. “It’s going to be on a critical facility like a power plant.”

Existing commercial security software is not designed to retrofit systems such as high-power gas mains. Implementing the administration’s plan to protect critical infrastructure could prevent catastrophe, Jun said. “What I see that’s promising here is that we’re going to pay more attention to solving those infrastructure problems,” he said.