You feel strongly that the government’s treatment of cybersecurity R&D has been particularly neglectful.

PITAC found that the government is currently failing to fulfill this responsibility. (The word failing was edited out of our report, but it was the committee’s finding.) Let me talk very quickly about three federal agencies that you might think are focusing on this but are not:

¿ Most egregiously, the Department of Homeland Security simply doesn’t get cybersecurity. DHS has a science and technology (S&T) budget of more than a billion dollars annually. Of this, [only] $18 million is devoted to cybersecurity. For FY06, DHS’s S&T budget is slated to go up by more than $200 million, but the allocation to cybersecurity will decrease to $17 million! It’s also worth noting that across DHS’s entire S&T budget, only about 10 percent is allocated to anything that might reasonably be called "research" rather than "deployment."

¿ Defense Advanced Research Projects Agency (DARPA) is investing in cybersecurity, but has classified all of its recent new program starts in this field. It’s fine to do classified research, but we must also recognize the negative consequences, and we should (but don’t) fund nonclassified research to make up for it. One negative consequence is that classified research is very slow to impact commercial IT systems, on which the entire nation, and even much of the Department of Defense, relies. Another negative consequence is that the nation’s university-based researchers cannot participate, because universities do not perform classified research. This eliminates many of the nation’s best cybersecurity researchers. It also means that students are not trained in cybersecurity—the training of students is an important byproduct of research.

¿ The National Science Foundation (NSF), in FY04, mounted a new cybersecurity research program, which was able to fund only 8 percent of the proposals it received. PITAC recommended immediately adding $90 million annually to the NSF Cyber Trust program, as a start. Thus far, there is no sign of any action on this recommendation.

Where would this $90 million come from?
The federal budget is trillions of dollars, and we waste billions every month. This nation makes all kinds of large-scale spending decisions, and $90 million is one umpteenth of one umpteenth of 1 percent. And the question is, is cybersecurity worth it to this nation?

What are some of the things that more research might yield?
Cybersecurity, today, is all about securing the perimeter, but there is really no "inside" and "outside" anymore. This is not an argument against firewalls, intrusion detection systems and the like. Rather, it is a very strong argument against placing complete faith in them. Today, in cybersecurity, we are applying Band-Aids, and we are developing the next generation of Band-Aids, but we are not investing in research programs that will yield fundamentally new system architectures that will meet the challenges we face today and will face in the future. We need to develop both static and dynamic analysis tools that detect vulnerabilities. We need programming languages that include fundamental security features. We need techniques for assembling trusted software systems out of multiple components.