As the Cybersecurity Research and Development Amendments Act of 2009 winds its way through Congress, the most precarious provision in the measure would authorize the National Science Foundation to fund research on the social and behavioral aspects of cybersecurity.
"I think it's overlooked because everyone wants to look at, and we need to look at technical issues, but everything is done by humans, and we have to look at the human factor in all of this," said U.S. Rep. Daniel Lipinski, the bill's sponsor and chairman of the House Science and Technology Committee's Research and Science Education Subcommittee.
The measure, approved by the subcommittee earlier this month, will likely be combined with another bill the full committee is mulling before being sent to the full House for consideration.
In an interview with GovInfoSecurity.com, Lipinski discussed various provisions of his bill, including overall funding of cybersecurity research and development, a scholarship-for-service program to attract cybersecurity professionals and an assessment of federal agencies' cybersecurity needs.
Lipinski, D-Ill., said he could face opposition to some provisions of the measure, adding that he suspects some of his colleagues might not think research into the social behavior of computer activity would be a worthwhile expenditure of taxpayer money, but he is hopeful they can be persuaded to change their minds. Social and behavioral research should help the government better plan its cybersecurity defenses, he said.
"People are the weakest link in many of our IT systems. We really need a cultural change in the way Americans practice computer hygiene. The idea of computer hygiene is something most people don't understand.
"An example I brought up in the hearing is if you want us to spread something malicious onto the computer system in a company, in a federal agency, one of the easiest ways to do it is to go to the parking lot and just drop a bunch of flash drives, USB memory drives. People are going to pick them up; they're probably going to take them into their office, stick them into a USB slot. It's an easy way to do it."
The legislation, if enacted, would increase National Science Foundation funding for cybersecurity research and development by 31 percent over the coming four years, from $68.7 million in 2010 to $90 million in 2014, compared with a 71 percent increase in funding from $35 million in 2003 to $60 million in 2007. Does the lower percentage of increase suggest less of a commitment by Congress toward cybersecurity R&D? No, Lipinski said.
"There's a limit right now what the government can afford in all areas. There are very difficult choices on what we can afford to make right now. I still think a 31-percent increase over four years is very significant -- higher than increases we're putting into a lot of worthy areas within the federal government. I wish there was more money, but these are difficult budgetary times."
One of the more intriguing parts of the legislation is its scholarship-for-service program, in which the federal government would pay the tuition of students who study cybersecurity in college and commit to join the federal workforce as IT security professionals for a number of years equal to the number of years they received the scholarship.
"I think this is a very good idea, a good incentive, especially at a time when it's becoming more and more expensive to go to college, and more expensive for higher education. It's just a good way of steering people to an area where we need to do better with producing people who have those skills.
"It's always difficult in some areas to attract people to work for the federal government. Oftentimes, the pay is not as good as in the private sector. And a lot of people will leave from the federal government, but even if they do, it still would be very helpful for the country to have people in the private sector able to do cybersecurity."
A key provision of Lipinski's bill would require the president to assess the government's cybersecurity workforce, including an agency-by-agency skills assessment, as well as order the White House to evaluate the pool of available cybersecurity talent and any barriers to the recruitment of cybersecurity professionals.