United States
Facing Cyber Security Crisis, Experts Tell Capitol Hill Briefing, As IEEE-USA Prepares New Position Statement
by Barton Reppert
The nation’s information technology (IT) infrastructure is “highly vulnerable to terrorist and criminal attacks,” and a White House-appointed expert panel has concluded that “the federal government needs to fundamentally improve its approach to cyber security,” according to a senior member of the President’s Information Technology Advisory Committee (PITAC).

F. Thomson (Tom) Leighton, chair of PITAC’s Subcommittee on Cyber Security, told a Capitol Hill briefing on 26 July that the panel believes “federal support for fundamental research in civilian cyber security must be dramatically increased – or the nation’s security and technological edge will be seriously jeopardized.” He declared that cyber security research and development (R&D) in the United States “is currently suffering from a crisis in prioritization.”

Sponsored by IEEE-USA and the IEEE Computer Society Task Force on Information Assurance (TFIA), in conjunction with the bipartisan House Research and Development Caucus, the Forum on Cyber Security was held as IEEE-USA moves ahead with developing a new policy statement on cyber security issues.

Following the briefing, which was particularly intended to help raise the awareness of congressional staff members, Clifford Lau, chair of IEEE-USA's Research and Development Policy Committee, told IEEE-USA Today’s Engineer, “The country’s problem with cyber security is very serious, and it is going to get worse in the next five years before it gets any better. I would say the situation not only is alarming, but it is almost out of control.”
Lau, a research staff member with the Information Technology and Systems Division, Institute for Defense Analyses, Alexandria, Va., said on 27 July that his committee is coordinating with IEEE-USA's Committee on Communications and Information Policy to prepare the new IEEE-USA position statement on cyber security.

The 26 July session on cyber security – held at the Rayburn House Office Building and attended by about 25 congressional staff members, along with private sector computer experts, technology journalists and IEEE-USA officers and staffers – included opening remarks by Rep. Judy Biggert (R-Ill.), co-chair of the House R&D Caucus and chair of the House Science Committee’s energy subcommittee.

Biggert told the gathering that following the shock of 9/11 almost four years ago, “suddenly the likelihood increased significantly that cyber space could be used to launch an attack against the nation that created it and pioneered its use. And the scale and magnitude of the chaos and havoc that could be wreaked by cyber warfare or a cyber terrorist attack suddenly became almost immeasurable.”

Within six months of the September 2001 attacks, she noted, the House Science Committee reported out a bill that subsequently was enacted by Congress as the Cyber Security Research and Development Act of 2002. The five-year, $902.85 million measure was designed to help address the nation’s vulnerability to cyber attacks, in part by creating new research and education programs at the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST).

Also, Congress last year approved intelligence reform legislation establishing a new position of assistant secretary for cyber security at the Department of Homeland Security.
Despite these steps, however, Leighton emphasized the continuing seriousness and immediacy of threats to America’s IT infrastructure. His remarks at the Capitol Hill briefing included a summary of key findings presented by PITAC in a February 2005 report to President George W. Bush, entitled Cyber Security: A Crisis of Prioritization.

PITAC itself, a 24-member panel co-chaired by Marc R. Benioff, chairman and CEO of Salesforce.com Inc.; and Edward D. Lazowska, Bill & Melinda Gates Professor and chair of the Department of Computer Science and Engineering at the University of Washington, officially ceased functioning when the executive order which had chartered the presidential committee expired on 30 June.

Leighton, chief scientist at Akamai Technologies, Cambridge, Mass., and professor of applied mathematics at MIT, observed that “computing and data communications are integral to nearly every activity today in the United States. But the nation’s IT infrastructure is highly vulnerable to terrorist and criminal attacks.”

“The problems of vulnerable software and easy access from afar are compounded by the lack of security in basic network protocols,” he told the briefing. “Hostile activities, such as DDoS [distributed denial of service] attacks, cyber extortion and identity theft on a massive scale have become immensely damaging to personal and economic interests.”
Among facts and figures cited by Leighton were:
- More than 10 percent of PCs across the United States were infected by viruses each month in 2003
- 92 percent of organizations reported “virus disasters” in 2003
- The Computer Emergency Response Team Coordination Center (CERT/CC) published 3,780 new electronic vulnerabilities in 2004
- “Phishing” attacks victimized at least one percent of U.S. households and cost about $400 million in the first half of 2004

According to Leighton, “endless patching is not the answer – it doesn’t solve the underlying, fundamental problem of security. We need fundamentally new security models and methods.”
The private sector, he noted, has an important role in securing this country’s IT infrastructure by deploying sound security products and adopting good security practices. “But the federal government also has a key role to play by supporting the discovery and development of cyber security technologies that underpin these products and services,” Leighton said. In this regard, he told the 26 July briefing, “PITAC finds that the federal government needs to fundamentally improve its approach to cyber security to fulfill its responsibilities.”

Expressing strong concern over current “underinvestment” in civilian cyber security R&D, Leighton said that in recent years federal government efforts in this area have involved “a pronounced shift favoring classified military R&D, rendering it unavailable to the civilian sector,” and at the same time “an equally pronounced shift in all sectors favoring short-term research over long-term fundamental research.”

The February report by PITAC recommended increasing the NSF budget for fundamental research in civilian cyber security by $90 million annually. That would amount to a four-fold increase for the NSF’s Cyber Trust program, which in fiscal year 2004 made 32 research awards totaling $31 million. The presidential panel also urged substantial increases for civilian cyber security R&D funding through the Department of Homeland Security and the Defense Advanced Research Projects Agency (DARPA).

Other recommendations by PITAC included intensifying efforts to promote recruitment and retention of cyber security researchers and students at universities, with the goal of doubling their numbers in the next decade, and strengthening government-private sector technology transfer activities involving cyber security.

A fourth PITAC recommendation – the only one so far officially accepted by the Bush administration – called for making the Interagency Working Group on Critical Information Infrastructure Protection (CIIP), which is part of the National Science and Technology Council (NSTC), the focal point for federal cyber security R&D efforts. PITAC said this working group should be strengthened and integrated under the Networking and Information Technology Research and Development (NITRD) program.
Also speaking at the 26 July Capitol Hill briefing was Professor Eugene H. Spafford, a PITAC member who has served on the cyber security subcommittee. Spafford is executive director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, West Lafayette, Ind.

Summarizing the overall current situation with cyber security, Spafford declared: “It’s really awful.” He predicted that “it’s going to take a very large and significant failure” of critical computer systems across the country to galvanize public support for significantly bolstered security measures.

Spafford noted that more than 100,000 known viruses and worms exist, with about 200 new ones being reported per week. “Large-scale attacks” on various organizations are doubling per year, spam comprises up to 85 percent of e-mail in some places, and major end-users (including the U.S. Army) are throwing out infected systems rather than trying to fix them, he said.

The Purdue cyber security expert forecast that in the near future there will be a “growing threat from organized crime,” more incidents of identity theft, loss of public confidence, “national-level incidents,” and a “major drain on the economy.” To help deal with these challenges, Spafford said, the country needs “out-of-the-box” thinking on cyber security and stepped-up resources going to “risky but often high-payoff” research.
After the briefing, Lau commented that he believes the problems discussed at the session amounted to “only scratching the surface.” He indicated that he is particularly concerned over “our national defense and homeland security computer systems, which are presumably more secure, but which are highly dependent on the civil computer network infrastructures.”

“Some effective action can be taken within the next five years, but it is a ‘cat and mouse’ game – or measure and countermeasure and counter-countermeasure,” said Lau. “As soon as an effective measure is developed, another virus or spyware will be developed by the perpetrators. There is no end to it.”

Lau observed that the Internet has evolved over the past decade with open-system architecture. “There is no way to go back and redesign the Internet for it to be completely secured,” he said. “There is a tradeoff and balance between privacy and censorship. Sure, the government can step in and censor everything like the Chinese government is doing with the Internet, but that is not the American way.”

Lau contended that it is “critically important” for the federal government to provide adequate funding for cyber security R&D.

“I believe that if there is enough support from the public to demand secured network services, the federal government and Congress will act to provide sufficient cyber security R&D funding – but not until there is a public outcry for action. On the other hand, the private sector and industry must do their part to ensure that the public has the most secured network services, through secured browsers and encrypted communications and authentication.”
In another development in late July, the Cyber Security Industry Alliance (CSIA) – an advocacy group based in Arlington, Va., comprised of security software, hardware and service vendors – issued a white paper asserting that “the crisis in leadership in cyber security R&D will hold long-term implications for the United States if it is not arrested soon.”

The CSIA paper noted that in June, “PITAC was dissolved for reasons which remain unclear. The recent lapse of PITAC is yet another blow to the R&D community. The loss of this independent committee’s expertise and advice reduces the priority level of cyber security R&D, and it will continue to dissipate without an advisory body or another leader to oversee R&D.”

Looking ahead, the industry group said, “increasing cyber security R&D funding will foster a more secure, stable global information infrastructure, create a larger pool of experts in information assurance, and enable the full potential of the Internet.”

Read the PITAC report online at: www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.

Barton Reppert is a freelance science and technology writer specializing in S&T policy coverage. He previously worked for 18 years as a reporter and editor with The Associated Press in Washington, New York and Moscow. He can be contacted at barton.reppert@verizon.net.