Is Behavioral Cybersecurity R&D Necessary?

Human Aspect of IT Security Seen as Critical
Is Behavioral Cybersecurity R&D Necessary?
As the Cybersecurity Research and Development Amendments Act of 2009 winds its way through Congress, the most precarious provision in the measure would authorize the National Science Foundation to fund research on the social and behavioral aspects of cybersecurity.

"I think it's overlooked because everyone wants to look at, and we need to look at technical issues, but everything is done by humans, and we have look at human factor in all of this," said U.S. Rep. Daniel Lipinski, the bill's sponsor and chairman of the House Science and Technology Committee's Research and Science Education Subcommittee.

The measure, approved by the subcommittee earlier this month, will likely be combined with another bill the full committee is mulling before being sent to the full House for consideration.

In an interview with, Lipinksi discussed various provisions of his bill, including overall funding of cybersecurity research and development, a scholarship for service program to attract cybersecurity professionals and an assessment of federal agencies cybersecurity needs.

Lipinski, D.-Ill., said he could face opposition to some provisions of the measure, adding that he suspects some of his colleagues might not think research into social behavior of computer activity would be a worthwhile expenditure of taxpayer money, but is hopeful they can be persuaded to change their mind. Social and behavior research should help the government better plan its cybersecurity defenses, he said.

"People are the weakest link in many of our IT systems. We really need a cultural change in the way Americans practice computer hygiene. The idea of computer hygiene is something most people don't understand.

"An example I brought up in the hearing is if you want us to spread something malicious onto the computer system in a company, in a federal agency, one of the easiest ways to do it is to go to the parking lot and just drop a bunch of flash drives, USB memory drives. People are going to pick them up; they're probably going to take them into their office, stick into USB slot. It's an easy way to do it."

The legislation, if enacted, would increase National Science Foundation funding for cybersecurity research and development by 31 percent over the coming four years, from $68.7 million in 2010 to $90 million in 2014, compared with a 71 percent increase in funding from $35 million in 2003 to $60 million in 2007. Does the lower percentage of increase suggest less of a commitment by Congress toward cybersecurity R&D? No, Lipinski said.

"There's a limit right now what the government can afford in all areas. There are very difficult choices on what we can afford to make right now. I still think a 31-percent increase over four years is very significant -- higher than increases we're putting into a lot of worthy areas within the federal government. I wish there was more money, but these are difficult budgetary times."

One of the more intriguing parts of the legislation is its scholarship for service program, in which the federal government would pay the tuition of students who study cybersecurity in college and commit to joint the federal workforce as IT security professionals for an equal number of years they received the scholarship.

"I think this is a very good idea, a good incentive, especially at a time when it's becoming more and more expensive to go to college, and more expensive for higher education. It's just a good way of steering people to an area where we need to do better with producing people who have those skills.

"It's always difficult in some areas to attract people to work for the federal government. Oftentimes, the pay is not as good as in the private sector. And a lot of people will leave from the federal government, but even if they do, it still would be very helpful for the country to have people in the private sector able to do cybersecurity."

A key provision of Lipinski's bill would require the president to assess the government's cybersecurity workforce, including an agency-by-agency skills assessment, as well as order the White House to evaluate the pool of available cybersecurity talent and any barriers to the recruitment of cybersecurity professionals.

"The idea is for all of the NITRD - Network Information Technology Research and Development - agencies to form a plan. We are calling for it to be coordinated, and not just everybody individually to go off and do their own, though there are things that each agency will have to look at, at what it does. But the whole idea here is to do more centralized planning, do a better overall view because as with many things in federal government. doing all the work in separate silos does wind up causing some problems, lack of coordination that winds up being harmful to the overall plan and overall security in this case."

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.