Cybersecurity R&D Needs New Approach
Current Mindset Out of Step with AdversariesA disconnect exists between research being funded and what is needed to secure critical IT systems, Fred Schneider, a Cornell University computer science professor, told the House Committee on Science and Technology's Subcommittee on Research and Science Education Subcommittee.
Too often, he said, federal R&D funding is focused on established technologies - firewalls, anti-virus, intrusion detection, to name a few - and not on the threats on the horizon. This antiquated focus reflects views held by researchers and program managers of R&D funding agencies, he said. "Whichever it is, this mindset is a decade or more out of step with the reality of our current adversaries," Schneider said.
"We need to re-imagine the scope of the cybersecurity problem itself and refocus our attention the same way our adversaries have refocused," he said. "We cannot afford simply to develop technologies that plug holes faster; we need to think of security research more holistically, determining how most efficiently to block, disrupt or disincentivize opponents."
Seymour Goodman, professor of international affairs and computing at the Georgia Institute of Technology, concurred that R&D efforts must reach beyond technology, saying technical progress is critically important, but in itself not sufficient. Policy, economic and behavioral issues must also be addressed by researchers, he said.
"Market forces have failed to provide the nation with a level of cybersecurity adequate for its needs," Goodman testified. "An authoritative, interdisciplinary research study on how this may be changed could be of enormous benefit to the nation. We must also ensure that federally supported research has a broad impact on current and future security challenges. ... Much of cybersecurity research is classified, and thus unlikely to have much impact in improving civilian security."
Schneider agreed that secrecy requirements in classified research limits the ability for researchers to share ideas that could result in innovative ways to secure IT. "Classified research ... is necessarily less likely to receive broad scrutiny by a diverse community of experts, and does not contribute to educating the next generation of cyber-security researchers and practitioners," he said. "Classified research programs are also slow to impact the civilian cyber-infrastructure and its equipment, on which so much of our nation's critical infrastructure depends."
Anita D'Amico, director of the Secure Decisions division of Applied Visions, a maker of cyber-situational awareness software, suggested that cybersecurity researchers not rely as much on academic journals to publish their results but to share their findings in trade magazines and online forums to reach a wider audience. "[That's] where private security professionals communicate," she said. (Read Does Military Discriminate Against Cyber Pros, a blog that focuses on other comments D'Amico made to the panel.)
Industry lobbyist Liesyl Franz, vice president of the IT trade group TechAmerica, noted that discrete research and development occurring in industry and government isn't always productive in identifying the best cybersecurity solutions, and suggested a method be developed by the federal government to get all parties to collaborate. "That will take some effort to define, fund and implement," she said, "but it will be crucial for addressing long-term challenges and cybersecurity measures for the future."