Top computer security experts told a congressional committee yesterday that the US isn't producing the talent or the funding needed to confront the information warfare threats the country now faces.
"Our research base in computer security and network security is minuscule," William Wulf, president of the Washington-based National Academy of Engineering and a computer security expert, told the House Science Committee. "I think we desperately need to do something," he said.
Eugene Spafford, a computer science professor who heads West Lafayette, Indiana-based Purdue University's information assurance centre, surveyed 23 leading universities that grant PhDs in computer security and found that only 20 PhDs were granted in the past three years, "and only a fraction of those have decided to go into academic positions to help increase the supply" of researchers, he said.
Research funding is also inadequate, said Spafford. The National Institute of Standards and Technology, a federal agency that funds critical infrastructure protection research, awarded $US5 million in research grants this year -- enough for just nine of 133 projects submitted, said Spafford.
Industry funds some research, but that money is "usually tied to short-termed deliverables" and includes restrictions on publication of the results, said Spafford.
The Science Committee hearing was one of a number held in recent weeks on information security issues by committees in the US House and Senate. At these hearings, lawmakers have been repeatedly warned that threats to the Internet and critical systems have increased since the terrorist attacks on the US on September 11. That warning was repeated today.
"The threats are extensive and serious," said Terry Benzel, vice president of advanced security research at Santa Clara, California-based Network Associates. "A cyberthreat taken in conjunction with a physical threat of terrorism as we witnessed is beyond frightening," she said.
One scenario she outlined was an attack on water-quality systems that would be simultaneous with a bioterrorist attack. "We don't really know how vulnerable we are," said Benzel.
Wulf said new approaches to software development are also needed. While systems administrators can continue to patch systems, this perimeter-focused, or Maginot Line, system of protection is flawed, he said. "It hasn't worked in the past, and it won't work in the future," he said.
One potential security solution is based on a distributed concept. "Instead of having this perimeter defence, you have lots of agents running around seeing if something bad is happening and attacking when it does," said Wulf.