SAN FRANCISCO, March 18 - A report released
Friday by a panel of computer experts criticizes the federal
government, saying that its financing of research on computer
network security is inadequate and that it is making a mistake by
focusing on classified research that is inaccessible to the
commercial sector.
The report, commissioned by the Bush administration, calls for
the government to spend $148 million annually on Internet security
research through the National Science Foundation, up from the current
$58 million. It also urges more research spending by the Pentagon's
Defense Advanced Research Projects Agency, or Darpa, and by the
Department of Homeland Security.
The report, "Cybersecurity: A Crisis of Prioritization," was
prepared by a subcommittee of the President's Information Technology
Advisory Committee, a group of industry and university experts.
Research in Internet security is needed to protect systems that
run the government and military operations, as well as other areas,
including the electric power grid, the air traffic control grid and
financial systems, the report said.
"The federal government is largely failing in its responsibility
to protect the nation from cyberthreats," said Edward D. Lazowska,
chairman of the computer science and engineering department at the
University of Washington and co-chairman of the panel. "The
Department of Homeland Security simply doesn't 'get' cybersecurity.
They are allocating less than 2 percent of their science and
technology budget to cybersecurity, and only a small proportion of
this is forward-looking."
Michelle Petrovich, a spokeswoman for the Department of Homeland
Security, disputed the criticism. "We take cybersecurity seriously
and have taken aggressive measures to address various needs," she
said. "Our cybersecurity budget has gone up every year."
Peter Neumann, an independent computer scientist at SRI
International, a research center in Menlo Park, Calif., said that
both Congress and the Bush administration had been neglecting
civilian Internet security research.
"The problem is that there is no sense of the importance of
research in this Congress or in this administration," said Mr.
Neumann, who consults for the government.
The panel also found that the Internet security research
community was too small to meet a government goal of at least
doubling the number of civilian Internet security researchers by the
end of the decade. Fewer than 250 Internet security researchers are
now at United States universities, largely because of unstable
funding levels, the panel said.
The authors argue that because universities have provided many
crucial ideas, technologies and talent, both the civilian and the
military sectors are likely to be hurt by the recent trend.
The panel also criticized a recent shift, at both Darpa and the
National Security Agency, toward short-term classified research over
long-term academic research.
The report found that efforts to transfer federal research to
Internet security businesses were inadequate and that there was a
basic absence of leadership and coordination. The authors
recommended that a federal interagency group take responsibility for
coordinating Internet security research.
The report says the current commercial approach to security
problems tends to consist of a series of patches. "Even if all the
best practices were fully in place, in the absence of any
fundamental new approaches we would still endlessly be patching and
plugging holes in the dike," the report states.
The report also lists 10 Internet security research priorities,
including authentication technologies, secure protocols, improved
engineering techniques, monitoring and detection tools and
cyberforensics.