[Isait] Washington Earmarks Megabucks for Cyber Security (significant amounts for universities)

jeremy hunsinger jhuns at vt.edu
Sun Dec 16 10:59:36 EST 2001


  from securityfocus.com


  Washington Earmarks Megabucks for Cyber Security

Congress is poised to give computer security researchers nearly a 
billion dollars to make the Internet 'self-healing.' Skeptics warn it 
may cost more
By Will Rodger <mailto:wrodger at home.net>
Dec 12 2001 12:01PM PT

Computer security specialists stand to get more than $800 million in new 
federal grants over the next five years if a bill passed last week by 
the House Science Committee becomes law.

The events of Sept. 11 have added new impetus to efforts to secure the 
Internet from attack, making new funding an easy sell, according to 
sources on the Hill. Less easy are the demands Congress is placing on 
researchers: This time lawmakers want a network that isn't just more 
secure, but one that can heal itself if it's damaged.

"Congress is usually busy with immediate fixes," one committee staffer 
said. "We had two hearings on cyber security, and what came out of them 
is this just doesn't receive enough attention from the federal 
government. There aren't enough researchers and there isn't enough money."

House members are counting on the National Science Foundation, the only 
federal agency to receive a passing grade for computer security from the 
General Accounting Office, to hand out much of the funding.

The NSF would distribute $568 million for basic research to independent 
researchers and universities from 2003 to 2007, under provisions of a 
bill sponsored by committee chair Sherwood Boehlert, R-NY. $144 million 
is earmarked for establishing new research facilities at colleges.

The National Institute of Standards and Technology (NIST) would hand out 
$310 million in new research money over the same period, chiefly to 
universities.

Attractive as the goal of a self-healing Net seems, even researchers who 
stand to gain from the program warn that the task is formidable.

"The little research that is being done is focused on answering the 
wrong question," National Academy of Engineering president William Wulf 
told the committee in hearings last fall. "When funds are scarce, 
researchers become very conservative, and bold challenges to the 
conventional wisdom are not likely to pass peer review ... In this 
context, the right answer to the wrong question is worse than useless."

The US Association for Computing Machinery has urged more funding for 
long-term research, too. Eugene Spafford, co-head of the USACM's 
advisory committee on security and a researcher at Purdue University, 
slammed federal programs for being too short-sighted.

"Several of my colleagues have reported that they have begun to gain 
understanding of a fundamental problem after several years of research, 
only to find that the program under which they did their work was 
discontinued and no further funding was available," he told the committee.

Though free-market advocates often liken research funding to "corporate 
welfare," criticism of the new security spending has been muted.

"I don't think these efforts will hurt, but the vast amount of effort is 
going to be carried by the private sector, no matter what the government 
does," said Solveig Singleton, a researcher at Competitive Enterprise 
Institute. "It's going to have to be a decentralized effort, not a 
centralized one. The net has so many points of vulnerability."

Spafford, for his part, disagreed. Industry has successfully lobbied for 
exemptions from liability for security flaws, he said, rendering the 
market incapable of solving cyber security problems. The Digital 
Millennium Copyright Act, which arguably bars some computer-security 
research in the name of keeping secret anti-copying protections, is one 
example, he said. The proposed Uniform Computer Information Transactions 
Act, which makes blanket exemptions for software flaws legally binding, 
is another.

"In the current market that does not offer consumers significant 
choices, and where there is no liability for faulty products, there is 
little likelihood that industry players will invest in fundamental 
research to improve products," Spafford told the committee.

-- 
jeremy hunsinger		http://www.cddc.vt.edu/jeremy
cddc/political science		http://www.cddc.vt.edu
526 major williams hall 0130	http://www.dromocracy.com
virginia tech			-under construction
blacksburg, va 24061
540-231-7614




