The PITAC Report on CyberSecurity

I finally got around to reading the President's Information Technology Advisory Committee (PITAC) report entitled "Cyber Security: A Crisis of Prioritization" (dated February 2005). The report looks at the current state of federal involvement in cybersecurity research, and makes recommendations for the future. It's a good report, and one which the administration would do well to listen to.

The report's recommendations rest on two observations: 1) cybersecurity research is focused primarily on current threats rather than long-term threats, and 2) there simply aren't enough cybersecurity researchers, and there is no good mechanism for producing them. The federal government isn't doing enough to foster cybersecurity research, and the effects of this shortfall will be felt more in the long term than in the short term.

To remedy this problem, the report makes four specific recommendations (in much more detail than I summarize here). One, the government needs to increase funding for basic cybersecurity research. Two, the government needs to increase the number of researchers working in cybersecurity. Three, the government needs to better foster the transfer of technology from research to product development. And four, the government needs to improve its own cybersecurity coordination and oversight. Four good recommendations.

More specifically, the report lists ten technologies that need more research. They are (not in any priority order):

Authentication Technologies
Secure Fundamental Protocols
Secure Software Engineering and Software Assurance
Holistic System Security
Monitoring and Detection
Mitigation and Recovery Methodologies
Cyber Forensics
Modeling and Testbeds for New Technologies
Metrics, Benchmarks, and Best Practices
Non-Technology Issues that Can Compromise Cyber Security

It's a good list, and I am especially pleased to see the tenth item -- one that is usually forgotten. I would add something on the order of "Dynamic Cyber Security Systems" -- I think we need serious basic research into how systems should react to new threats and how to update the security of already-fielded systems -- but that's all I would change.

The report itself is a bit repetitive, but it's definitely worth skimming.

Posted on April 27, 2005 at 8:52 AM • 12 Comments

Comments

Israel Torres • April 27, 2005 9:21 AM

Gee, it appears that a panel of men took a year to regurgitate what hackers have been screaming for decades (slugs in a slurry of salt). Good Job.

Israel Torres

Clive Robinson • April 27, 2005 11:43 AM

I for one am very worried about,

Holistic System Security

This smacks of more no fly lists and unfocused discrimination not less.

However, not having read the report, I can't really comment.

Xavier Ashe • April 27, 2005 12:03 PM

Clive,

I am a big believer in Holistic System Security. Why? Because I sell security products. I use the term Holistic Security and it translates into "you can share someone else's budget for this purchase." It's a winner for me!

Jon Solworth • April 27, 2005 1:31 PM

Stacy asks how to produce security researchers?

It's pretty easy. You provide funding to do their research; attend conferences, workshops, and summer schools; and develop courseware. Most of all you support and graduate PhD students. PITAC recommended a large increase in funding to support the *current* research proposals at NSF.

They also point out that with funds so short everyone gets conservative and innovative research goes unfunded.

Jon

Don • April 27, 2005 1:31 PM

"Holistic System Security

This smacks of more no fly lists and unfocused discrimination not less."

To me it smacks of crystals and scented candles, maybe herbs. Which might be a step up from some products out there (we're secure cuz we use LETTERS not bits!)

Chung Leong • April 27, 2005 3:26 PM

Has there ever been a government report whose conclusion isn't "we need more funding for X?" :-)

Dex • April 27, 2005 4:42 PM

Several of you mentioned the need to produce more security professionals, perhaps at the university level. An effort is already underway.

You might find this interesting:
http://www.sfs.opm.gov/

Programs differ, but I know that at least one particular program addresses most of the ten technologies Schneier mentions, especially cyber forensics. This program also works hand-in-hand with government and law enforcement cyber crime divisions. Each student is required to do a 3-month internship and then work in a two-year-long "covered position" in addition to their academic training and other research. This program produces students who ultimately go to work for some of the nation's top agencies in top secret positions.

In 2002, $19.3 million was given to the SFS Cyber Corps program.

This page gives a better explanation of the Cyber Corps program and seems to be very successful:
http://www.cis.utulsa.edu/CyberCorps/

Curt Sampson • April 27, 2005 11:24 PM

No mention, however, of things that are degrading cybersecurity by hiding problems, such as when companies use the DMCA to chill speech that can expose security problems.

Anonymous • April 28, 2005 2:32 AM

Is it just my strange sense of humour? The acronym PITAC sounds weird to me. Let's hope that for the American government the committee is not just another PITA-Committee whose bragging has to be avoided. In the light of the current military-industrial clique ruling the USA, this report is probably just theater. They will implement whatever they need to stay in business and leave out anything that might increase privacy and security for the people.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..