Council releases blueprint for federal cybersecurity research

Plan calls for establishment of cybersecurity metrics.

President Bush's science and technology council has released a blueprint for coordinating federal interagency cybersecurity research and development.

The Federal Plan for Cyber Security and Information Assurance Research and Development, released last week by the National Science and Technology Council, was prepared by representatives of more than 20 federal organizations. Among wide-ranging recommendations, it calls for the establishment of standard cybersecurity metrics.

The document is meant to "help guide the research community on where the government's priorities are and to help [government officials] know where to prioritize their investments," said Simon Szykman, director of the National Coordination Office for Networking and Information Technology Research and Development.

The blueprint was developed exclusively by government officials, Szykman said. But a continuing effort to plan in more detail will incorporate information gathered from private sector researchers through public comments and workshops, he said.

"Certainly having a plan is one thing and executing it is another," Szykman said. "It wasn't the charter to develop investment policy or to develop [a] funding basis for carrying out the plan. This group of people was focused on the [research and development] issues and understanding the existing issues and the priorities."

Alan Paller, research director of the SANS Institute, a Bethesda, Md.-based nonprofit cybersecurity research group, said the document is extraordinary because of three areas it addresses: the development of new metrics for assessing cybersecurity, evaluation of the security implications of emerging technologies and the integration of security at the beginning of a technological development.

But the document does not address how recipients of federal funding are to be kept accountable in their research, Paller said.

"Researchers are going to look at this as justification for anything they want to do," Paller said. "And once you put accountability into the research, researchers will have to do what they say they will do."

The document is too broad to have a significant impact on cybersecurity research and development, said John Pescatore, vice president for internet security at Gartner Inc., an information technology research and advisory company.

The document should have named a couple of areas where the government could exercise influence, Pescatore said. Private sector companies such as Microsoft Corp. and Cisco Systems are investing significantly greater amounts in cybersecurity research and development, he said.

"Federal money should be where the marketplace isn't working," Pescatore said.

Greg Garcia, vice president of the Information Technology Association of America cybersecurity program, said the document creates a sense of urgency for fundamental long-term research and development in the cybersecurity field.

"There is a lack of information security curricula in higher education," Garcia said. "That results in a lag in our progress in dealing with the information security challenges of today."