International Trade Today is a service of Warren Communications News.
Plan Due in June

DHS Official: House Besieging Cybersecurity R&D Funding

BERKELEY, Calif. -- Requests for cybersecurity R&D money are in trouble in the House, said a Homeland Security Department official. “Things are getting very interesting in Washington, and none of it is very positive,” Douglas Maughan, the department’s cybersecurity division director, said at an event to preview a strategic plan for federal funding efforts. The event late Wednesday was held in connection with the IEEE Symposium on Security and Privacy. It was organized by the National Coordinating Office for Networking and Information Technology Research and Development, which involves 15 federal agencies and coordinates all government R&D efforts.

The administration’s proposed fiscal 2012 budget seeks a 51 percent increase in cyberspace R&D funding at Homeland Security, but “Congress wants to use DHS as a whipping boy, so we'll be lucky to stay where we are,” Maughan said. He added, “At least on the House side of things, they're not sold on cybersecurity. The Senate is a lot more so.” Maughan encouraged researchers to make themselves heard on Capitol Hill. “They're making decisions about funding without knowledge,” he said. “It’s all about education.” Asked about lobbying restrictions, Maughan said, “You have to know the rules. … Some of you can” go to Congress members, and “some can’t.”

Maughan also said a report on cybersecurity research ethics will come out -- this year, he hopes -- based on a federal working group’s efforts. The group has been looking into research involving data about people who haven’t consented to that use, Maughan said. Behavior must change quickly to avert regulation, he said. But an ethics session scheduled for the IEEE symposium was canceled for lack of interest, Maughan said.

The strategic R&D plan, called “Trustworthy Cyberspace” and now running 19 pages, will be published in the Federal Register for comment “we hope within the next couple of weeks,” Maughan said. A draft went to the White House on March 1 after six months of discussion, he said. A road map for carrying out the plan has been requested, Maughan said. The plan will be reviewed yearly, he said.

A priority of “accelerating transition to practice” came out of the White House, Maughan said. “We actually have to show value and results” from federal R&D funding to Congress members, “or it becomes a difficult discussion,” he said, calling the emphasis on getting commercialization and wide use of R&D results “a new way of doing business.” Homeland Security is taking the lead in the effort, and the NSA and the National Institute of Standards and Technology also are getting funding for it, Maughan said. “New technologies have to be able to stand up to the fire hose in the operational environment,” he said, adding, “Let’s get it out there and make it real.”

Another plan aim is “support for national priorities” -- putting cybersecurity in service of developing health IT and the smart grid, defending finance services and carrying out the National Strategy for Trusted Identities in Cyberspace and the National Initiative for Cybersecurity Education, Maughan said. There’s “an awful lot of insecurity and vulnerability” in health information systems, he said. An effort by Homeland Security, the National Institute of Standards and Technology and the White House hasn’t resulted in the financial services industry’s “putting money on the table, but at least we've gotten them to the table,” Maughan said.

The plan adds a fourth federal R&D theme, “designed-in security” -- “developing and evolving secure software systems” -- to three sifted out last year from recommendations of the National Cyber Leap Year Summit of 2009, Maughan said. The new plank, to be reflected in the fiscal 2013 budget proposal, is meant to “raise the bar” about “the way we construct systems and make them resistant to attacks,” said Brad Martin, who leads an NSA research division and is detailed to the Office of the Director of National Intelligence. “The bar is low, and we need to do better. … The systems that we have are obviously riddled with vulnerabilities.” And “little effort” is needed “to find exploitable vulnerabilities,” he said.

“We're not pushing for perfect security here,” Martin stressed. He said overnight change isn’t realistic. “We'll be expecting incremental progress along the way,” Martin said, acknowledging “there’s mounds” of “research challenges.” Specifically, “we'll really be pushing on the usability of tools” for designing and analyzing systems, he said.

The three older R&D themes are reflected in agency budgets for fiscal 2012, and “there is money coming … assuming Congress doesn’t kill us,” Maughan said. The themes are “tailored trustworthy spaces,” conforming security to what users are doing from where; “moving target,” making systems agile instead of the “sitting ducks” for attacks that they've been; and creating financial incentives for increasing protection, he said.

Two workshops are planned in mid-June at George Mason University about “why people invest where they do and why they don’t invest” in cybersecurity, Maughan said. And a workshop is set for July on smart grid security, he said. The plan also reflects discussion of the importance of mobile security, “security without borders,” “situational understanding,” and “nature-inspired solutions,” Maughan said.