Washington Earmarks Megabucks for Cyber Security

Congress is poised to give computer security researchers nearly a billion dollars to make the Internet 'self-healing.' Skeptics warn it may cost more

Computer security specialists stand to get more than $800 million in new federal grants over the next five years if a bill passed last week by the House Science Committee becomes law.

The events of Sept. 11 have added new impetus to efforts to secure the Internet from attack, making new funding an easy sell, according to sources on the Hill. Less easy are the demands Congress is placing on researchers: This time lawmakers want a network that isn't just more secure, but one that can heal itself if it's damaged.

"Congress is usually busy with immediate fixes," one committee staffer said. "We had two hearings on cyber security, and what came out of them is this just doesn't receive enough attention from the federal government. There aren't enough researchers and there isn't enough money."

House members are counting on the National Science Foundation, the only federal agency to receive a passing grade for computer security from the General Accounting Office, to hand out much of the funding.

The NSF would distribute $568 million for basic research to independent researchers and universities from 2003 to 2007, under provisions of a bill sponsored by committee chair Sherwood Boehlert, R-NY. $144 million is earmarked for establishing new research facilities at colleges.

The National Institute of Standards and Technology (NIST) would hand out $310 million in new research money over the same period, chiefly to universities.

Attractive as the goal of a self-healing Net seems, even researchers who stand to gain from the program warn that the task is formidable.

"The little research that is being done is focused on answering the wrong question," National Academy of Engineering president William Wulf told the committee in hearings last fall. "When funds are scarce, researchers become very conservative, and bold challenges to the conventional wisdom are not likely to pass peer review ... In this context, the right answer to the wrong question is worse than useless."

The US Association for Computing Machinery has urged more funding for long-term research, too. Eugene Spafford, co-head of the USACM's advisory committee on security and a researcher at Purdue University, slammed federal programs for being too short-sighted.

"Several of my colleagues have reported that they have begun to gain understanding of a fundamental problem after several years of research, only to find that the program under which they did their work was discontinued and no further funding was available," he told the committee.

Though free-market advocates often liken research funding to "corporate welfare," criticism of the new security spending has been muted.

"I don't think these efforts will hurt, but the vast amount of effort is going to be carried by the private sector, no matter what the government does," said Solveig Singleton, a researcher at Competitive Enterprise Institute. "It's going to have to be a decentralized effort, not a centralized one. The net has so many points of vulnerability."

Spafford, for his part, disagreed. Industry has successfully lobbied for exemptions from liability for security flaws, he said, rendering the market incapable of solving cyber security problems. The Digital Millennium Copyright Act, which arguably bars some computer-security research in the name of keeping secret anti-copying protections, is one example, he said. The proposed Uniform Computer Information Transactions Act, which makes blanket exemptions for software flaws legally binding, is another.

"In the current market that does not offer consumers significant choices, and where there is no liability for faulty products, there is little likelihood that industry players will invest in fundamental research to improve products," Spafford told the committee.

By Will Rodger