Industry hails cyber R&D bill

When the Senate went to work on legislation to pump $878 million into cybersecurity research and development, it got no argument from representatives of industry and academia.

Sen. Ron Wyden (D-Ore.) convened a panel of scientists and businessmen April 24 who unanimously praised the Cyber Security Research and Development Act as a step toward correcting chronic underfunding in computer security research.

The bill passed the House in February by a vote of 400-12.

The panel also endorsed a bill that Wyden introduced to create a volunteer corps of computer experts who would respond swiftly in the event of a computer emergency, such as a cyberattack.

Wyden envisions a National Emergency Technology Guard, or NET Guard, made up of experts and companies who agree to respond immediately with technological know-how and equipment to counter an attack. "The nation's best scientific minds, technology experts and technology companies will be invited to participate," Wyden said.

NET Guard would be created by the Science and Technology Emergency Mobilization Act.

While endorsing the idea, Ronil Hira of the Institute of Electrical and Electronics Engineers Inc. cautioned that calling in a squad of willing scientists might not always be the right response to cyberattacks or other computer-related emergencies.

"It is important to recognize that communication and other technological systems can be extremely complicated, requiring not only general knowledge of the technical factors, but also specific knowledge of the system under stress," he said.

Such detailed knowledge "may only be available in the company and its vendors that installed the system originally," Hira said. Intervention by outsiders — however brilliant — might do more harm than good, he said.

Hira had no reservations about the Cyber Security Research and Development Act, however. He praised the legislation for promising financial support for industry research as well as research by universities and government entities.

More money for research is essential for improving cybersecurity, agreed Lance Hoffman, a computer science professor at George Washington University. Students and faculty have generally not pursued cybersecurity research because funding has been scarce, he said.

Even as daily life increasingly requires reliance on computer systems and networks, "there is a remarkably small amount of long-term funding available for computer security and information assurance research and development designed to solve these problems," Hoffman said. "This bill may remedy these concerns."

The Cyber Security Research and Development Act would put the National Science Foundation and the National Institute of Standards and Technology in charge of selecting research projects for funding.

The aim is to fund research as "a long-term strategy to counter cyberterrorism," said Rep. Sherwood Boehlert (R-N.Y.), chairman of the House Science Committee and primary author of the bill.

"The nation invests a pitifully small amount in cybersecurity research, and that's true of both government and industry," said Boehlert, who was Wyden's star witness. The government doesn't invest enough because no single agency has responsibility for cybersecurity, and industry doesn't invest enough because security does not add as much sales value to information technology products as does speed, price and other attributes, Boehlert said.

Wyden said he expects a committee vote on the two bills by the middle of May.