IT Security's Catch-22
A big predicament the government faces: the high cost of fixing IT security problems on federal legacy systems steals money away from the research needed to build new, secure systems.
That's the point made by Eugene Spafford, professor and executive director of Purdue University's Center for Education and Research in Information Assurance and Security, when he testified before the Senate Commerce, Science and Transportation Committee on Thursday:
"The problems with deployed systems are so numerous that we would need more money than is reasonably available simply to patch existing systems to a reasonable level. Unfortunately, this leads to a lack of funding for long term research into more secure systems to replace what we currently have. The result is that we are stuck in a cycle of trying to patch existing systems and not making significant progress towards deploying more secure systems."
Information security research requires taking risks, even when the outcome isn't guaranteed. We can't afford not to. Again, Spafford, from his prepared Senate testimony:
"We must understand that real research does not always succeed as we hope, and if we are to make major advances it requires taking risks. Risky research led to computing and the Internet, among other things, so it is clear that some risky investments can succeed in a major way."
Do you agree with Spafford? What type of information security research do you feel the government should invest in? Please share your thoughts below.
And for more from Gene Spafford, listen to his recent podcast interview.