I’m on the road this week, so light blogging.
Ed has been co-chair of the President’s (that’s President as in GW, not as in the university) Information Technology Advisory Committee, which has been studying the future of computational science and cybersecurity. In this interview Ed is his usual brilliant, engaging, and completely forthright self.
You feel strongly that the government’s treatment of cybersecurity R&D has been particularly neglectful.
PITAC found that the government is currently failing to fulfill this responsibility. (The word failing was edited out of our report, but it was the committee’s finding.) Let me talk very quickly about three federal agencies that you might think are focusing on this but are not:
» Most egregiously, the Department of Homeland Security simply doesn’t get cybersecurity. DHS has a science and technology (S&T) budget of more than a billion dollars annually. Of this, [only] $18 million is devoted to cybersecurity. For FY06, DHS’s S&T budget is slated to go up by more than $200 million, but the allocation to cybersecurity will decrease to $17 million! It’s also worth noting that across DHS’s entire S&T budget, only about 10 percent is allocated to anything that might reasonably be called “research” rather than “deployment.”
» Defense Advanced Research Projects Agency (DARPA) is investing in cybersecurity, but has classified all of its recent new program starts in this field. It’s fine to do classified research, but we must also recognize the negative consequences, and we should (but don’t) fund nonclassified research to make up for it. One negative consequence is that classified research is very slow to impact commercial IT systems, on which the entire nation, and even much of the Department of Defense, relies. Another negative consequence is that the nation’s university-based researchers cannot participate, because universities do not perform classified research. This eliminates many of the nation’s best cybersecurity researchers. It also means that students are not trained in cybersecurity—the training of students is an important byproduct of research.
» The National Science Foundation (NSF), in FY04, mounted a new cybersecurity research program, which was able to fund only 8 percent of the proposals it received. PITAC recommended immediately adding $90 million annually to the NSF Cyber Trust program, as a start. Thus far, there is no sign of any action on this recommendation.