Net security research languishing, Congress told

Net security research languishing, Congress told
WASHINGTON — U.S. cybersecurity research is woefully inadequate and should be bolstered in the aftermath of the terror attacks, an expert panel told Congress Wednesday (Oct. 10). The panel said the federal government should provide help by offering the sustained support needed to make computer networks less vulnerable to attack.

"Cybersecurity [should be] part of homeland security," Terry Benzel, vice president of security research for Network Associates Inc., told a House Science Committee hearing on computer security convened in response to the Sept. 11 terror attacks.

The Bush administration this week named Richard Clarke, its point man on cyberterrorism, special advisor to the president for cyberspace security. Clarke will report to both Condoleezza Rice, the president's national security advisor, and Tom Ridge, the new director of homeland security.

Clarke has pressed industry for closer government-industry ties on network security, including development of a separate government network that would handle critical applications like air traffic control. (See related story.)

"America has built cyberspace, and America must now defend its cyberspace," Clarke said this week. "But it can only do that in partnership with industry."

Lawmakers are meanwhile considering legislation in the aftermath of the Sept. 11 attacks that would boost research on computer and network security. The House science panel was told that the current research base, made up primarily of a handful of university research projects, is badly underfunded and focuses on treating symptoms rather than the disease.

"The problem is that our research base in computer security and network security is miniscule," said William Wulf, president of the National Academy of Engineering. It is carried out by a "tiny, very conservative group of [university] researchers."

One of them, Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University, said most government-funded research focused on short-term solutions.

"Instead of finding new ways for us to design systems that are resistant to attack or can recover from attack, we find most of our research being directed at how to apply new patches to the same, old buggy systems," Spafford told lawmakers.

Besides a lack of long-term government support for network security research, Spafford said there is a growing lack of experts in the field: Only 23 PhDs in computer security were awarded over the last three years, he said.

Legal impediments such as digital copyright laws and increased intellectual-property-rights protections have also prevented researchers from pursuing new approaches. The Digital Millennium Copyright Act has chilled information security research after several investigators were threatened with lawsuits, Spafford said.

Proposed legislation backed by Hollywood, the Security Systems Standards and Certification Act (see related story), could further restrict computer security research, he added.

There is growing concern in the government and industry about the vulnerability of public and private networks — concerns that were underscored by the terror attacks. "The threats are extensive and serious," Benzel testified. "These systems are extremely vulnerable."

What is needed, she added, are detailed vulnerability assessments and threat analyses by industry and the new government cyberterror office to identify gaps in current network security research. Then, said Wulf, "We need an agile [funding] mechanism" to support research in areas like distributed network security and active defenses against cyberattacks.

"We need more people to be doing more creative thinking about computer security. That's what our adversaries are doing," said Rep. Sherwood Boehlert, chairman of the House panel.

Boehlert said the committee plans a follow-up hearing next week and is drafting security legislation for computer networks.

Spafford said legislation should focus on illegal behavior, not technology. "Legislation against technology hurts us in other ways. This legislation should be against the behavior, particularly the infringing behavior."

Clarke, the presidential advisor on cyberterrorism, again this week asked the U.S. telecommunications industry to help build a separate, secure government network dubbed "Govnet." One goal would be to take critical government functions off the Internet as part of an effort to keep hackers and viruses from bringing down networks in emergencies.

A separate government network would be costly, given its projected size and security needs, experts said, with no assurance that it wouldn't eventually be breached by hackers.