Computer security specialists stand to get more than $800 million in new
federal grants over the next five years if a bill passed last week by the
House Science Committee becomes law.
The events of Sept. 11 have added new impetus to efforts to secure the
Internet from attack, making new funding an easy sell, according to sources
on the Hill. Less easy are the demands Congress is placing on researchers:
This time lawmakers want a network that isn't just more secure, but one
that can heal itself if it's damaged.
"Congress is usually busy with immediate fixes," one committee staffer said.
"We had two hearings on cyber security, and what came out of them is this
just doesn't receive enough attention from the federal government. There
aren't enough researchers and there isn't enough money."
House members are counting on the National Science Foundation, the only
federal agency to receive a passing grade for computer security from the
General Accounting Office, to hand out much of the funding.
The NSF would distribute $568 million for basic research to independent
researchers and universities from 2003 to 2007, under provisions of a bill
sponsored by committee chair Sherwood Boehlert, R-NY. $144 million is
earmarked for establishing new research facilities at colleges.
The National Institute of Standards and Technology (NIST) would hand out $310
million in new research money over the same period, chiefly to universities.
Attractive as the goal of a self-healing Net seems, even researchers who
stand to gain from the program warn that the task is formidable.
"The little research that is being done is focused on answering the wrong
question," National Academy of Engineering president William Wulf told the
committee in hearings last fall. "When funds are scarce, researchers become
very conservative, and bold challenges to the conventional wisdom are not
likely to pass peer review ... In this context, the right answer to the
wrong question is worse than useless."
The US Association for Computing Machinery has urged more funding for
long-term research, too. Eugene Spafford, co-head of the USACM's advisory
committee on security and a researcher at Purdue University, slammed federal
programs for being too short-sighted.
"Several of my colleagues have reported that they have begun to gain
understanding of a fundamental problem after several years of research, only
to find that the program under which they did their work was discontinued
and no further funding was available," he told the committee.
Though free-market advocates often liken research funding to "corporate
welfare," criticism of the new security spending has been muted.
"I don't think these efforts will hurt, but the vast amount of effort is
going to be carried by the private sector, no matter what the government
does," said Solveig Singleton, a researcher at Competitive Enterprise
Institute. "It's going to have to be a decentralized effort, not a centralized
one. The net has so many points of vulnerability."
Spafford, for his part, disagreed. Industry has successfully lobbied for
exemptions from liability for security flaws, he said, rendering the market
incapable of solving cyber security problems. The Digital Millennium
Copyright Act, which arguably bars some computer-security research in the
name of keeping secret anti-copying protections, is one example, he said.
The proposed Uniform Computer Information Transactions Act, which makes
blanket exemptions for software flaws legally binding, is another.
"In the current market that does not offer consumers significant choices,
and where there is no liability for faulty products, there is little
likelihood that industry players will invest in fundamental research to
improve products," Spafford told the committee.

By Will Rodger