More cybersecurity study 'crucial'

Too few researchers are focusing on cybersecurity, putting the U.S. at risk, experts say

New research funds—and possibly a new way of thinking—are necessary to meet an urgent need to secure computer networks supporting the nation's critical infrastructure, said academic, industry and government panelists at a congressional hearing Oct. 10.

The number of academic researchers examining computer security is dangerously low, and the federal government needs to provide more money and focused support to change that, panelists told members of the House Science Committee.

William Wulf, president of the National Academy of Engineering and a professor at the University of Virginia, said he "was simply appalled" at the state of security research since he returned to academia after 15 years in the commercial world. Only 100 to 200 people are pursuing serious security research, he said. "Well-funded, long-term basic research on computer security is crucial to our national security," Wulf said.

No federal funding agency, such as the National Science Foundation or the Defense Advanced Research Projects Agency, has taken responsibility for basic computer security research, he said. Because no agency feels it "owns" the problem, the government has funded only sporadic research projects, he said.

"No one has questioned the underlying assumptions on cybersecurity that were established in the 1960s mainframe environment," he said. One of those assumptions he calls the "Maginot Line" model, after France's famed defense that failed to stop Germany from making "an end run around them" in World War II, he said.

Similarly, cyberspace attackers can bypass firewalls, and "once inside, the entire system is compromised," he said.

Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security, said that after a quick survey of 24 universities, he found that only 23 students involved in cybersecurity research have earned doctorate degrees in the past three years.

"We cannot hope to protect our information infrastructure without a sustained commitment to the conduct of research—both basic and applied —and the development of new experts," Spafford said.

Terry Vickers Benzel, vice president of advanced security research at Network Associates Inc., said a cyberattack combined with another kind of terrorist attack, such as on a water-treatment facility, could result in a scenario that's "beyond frightening," she said. Research and development money needs to increase "dramatically," she said.

"The threats are extreme and serious," Benzel said. And with limited research being conducted, "we don't really know how vulnerable we are."

NEXT STORY: Energy may lead cyber info sharing