PITAC was a group comprising about equal numbers of academics and representatives of the technology industry, and the Cyber Security Subcommittee, which prepared the report, was chaired by Tom Leighton, MIT prof and Akamai cofounder. Originally appointed by Clinton, the gang was reupped by Bush early in his first term. After it delivered its report, its contract was not renewed. This is not surprising, as it had few encouraging words about the government’s current approach.
The executive branch specifically asked for comments on the state of research and development in Internet security, and PITAC responded with certainty that “the Federal government needs to fundamentally improve its approach to cyber security.” The current security problem, the report argues, derives from a “decades-long failure to develop the security protocols and practices…and to adequately train and grow the numbers of experts needed to employ these mechanisms effectively.”
Research and development funds, the report argues, are increasingly being funneled toward defense-related technology with short-term objectives. Worse, that technology is kept classified, a serious obstacle considering that the majority of the Internet’s infrastructure is in private hands. Nor is the private market picking up the slack, focusing instead on “the application of existing technologies to develop marketable products.”
This, the report points out, is in sad contrast to the larger federal research budgets of old, and the relatively open halls of the Advanced Research Projects Agency in the Department of Defense, which in retrospect comes off as something like Raphael’s School of Athens, and which gave us the Internet in the first place. The National Security Agency is funding such open research through its Information Assurance group, but only 20 percent of that money is headed toward fundamental research, and only $3 million of that toward academic research. In the world of Washington, that’s nothing.
The majority of federal funding for open civilian research is doled out through the National Science Foundation, DHS, the National Institute of Standards and Technology, and the Department of Justice, but the NSF grants the lion’s share of these funds. DHS is barely supporting long-term research, with a mere $1.5 million of its $1 billion science and technology budget. The report recommends an increase of $90 million in the NSF budget alone, noting that merely 8 percent of NSF grant applications for cybersecurity research were filled, or one-third of the agency’s average across disciplines.