US Advisory panel recommends more federal R&D spending

Filed under: Security

The Presidential IT Advisory Committee (PITAC) has recommended the federal government sharply increase its spending on cybersecurity R&D and shift the focus to fundamental, long-term solutions to security challenges.

"The IT infrastructure is highly vulnerable to premeditated attacks with potentially catastrophic effects," PITAC warned in a letter submitting the report, titled Cyber Security: A Crisis in Prioritization, to the president. "These vulnerabilities put the nation's entire critical infrastructure at risk."

Current practices of patching vulnerabilities as they are found address immediate needs, but the committee concluded that "fundamentally different architectures and technologies are needed so that the IT infrastructure as a whole can become secure."

The government has a vital role to play in supplying the intellectual capital to improve IT security, PITAC said, but in recent years its focus increasingly has been on short-term problems addressing the needs of the military and intelligence communities. The results too often are classified, and more effort is needed to transfer them into the mainstream market.

The advisory committee examined funding for basic research by the National Science Foundation, the Defense Advanced Research Projects Agency, the Homeland Security Department, the National Security Agency, and the National Institute of Standards and Technology.

NSF, with its $30 million Cyber Trust program, is the primary source of funds for civilian security research. PITAC recommended that the program be expanded by at least $90 million annually.

The $5.47 billion NSF appropriation for fiscal 2005, approved by Congress in November 2004, is more than $60 million less than fiscal 2004 funding, and $227 million less than requested by the president.

PITAC recommended that:

  • NSF R&D funding be increased by at least $90 million a year, while also substantially increasing funding for DARPA and DHS.
  • Government increase efforts to expand the number of cybersecurity experts in the academic community, doubling the number by the end of the decade. The committee estimates there are fewer than 250 cybersecurity specialists working now.
  • Security technology transfer programs be strengthened to speed the introduction of needed off-the-shelf tools and technologies into the marketplace. The government should sponsor an annual interagency conference to showcase the results of cybersecurity R&D.
  • The Interagency Working Group on Critical Information Infrastructure Protection should coordinate federal R&D efforts and be integrated under the Networking and Information Technology Research and Development Program.

The committee identified 10 critical areas for future research:

  • Computer authentication methodologies, so sources of packets can be traced in large-scale networks
  • Secure fundamental networking protocols
  • Secure software engineering
  • End-to-end system security, rather than merely secure components
  • Monitoring and detection to quickly identify problems
  • Mitigation and recovery methodologies to avoid catastrophic failure when problems occur
  • Cyberforensics tools for aid in criminal prosecutions
  • Modeling and test beds for new technologies
  • Metrics, benchmarks and best practices for evaluating the security of security products and implementing them
  • Nontechnical societal and government issues.

Article on gcn.com.

More in Tux Machines

Mozilla News and Development

  • Firefox Performance Update #6
    These updates are going to shift format slightly. I’m going to start by highlighting the status of some of the projects the Firefox Performance Team (the front-end team working to make Firefox snappy AF), and then go into the grab-bag list of improvements that we’ve seen landing in the tree.
  • Announcing cargo src (beta)
    cargo src is a new tool for exploring your Rust code. It is a cargo plugin which runs locally and lets you navigate your project in a web browser. It has syntax highlighting, jump to definition, type on hover, semantic search, find uses, find impls, and more.
  • Things Gateway - Series 2, Episode 1
  • Firefox Data engineering newsletter Q1 / 2018
    As the Firefox data engineering teams we provide core tools for using data to other teams. This spans from collection through Firefox Telemetry, storage & processing in our Data Platform to making data available in Data Tools. [...] Most centrally, the Telemetry portal is now the main entry point to our tools, documentation and other resources. When working with Firefox data you will find all the important tools linked from there.
  • Working for Good: Metalwood Salvage of Portland
    The web should be open to everyone, a place for unbridled innovation, education, and creative expression. That’s why Firefox fights for Net Neutrality, promotes online privacy rights, and supports open-source tech around the globe. We strive to make the online community a better place. We also know people everywhere work tirelessly to improve their own communities. In this series, we’re profiling businesses that work to make the world better—and use Firefox to support a healthy, open, and safe internet.
  • It’s time to give Firefox a fresh chance
    After spending some quality time comparing the actual experience of using Chrome, Safari, and Firefox across a variety of websites, I’m confident in saying browser benchmarks are profoundly uninformative. The truth is that performance differences are not substantial enough to be noticed. If anything, you’re most likely to clash with “only works in Chrome” incompatibilities, but that’s kind of the whole reason for me to avoid Chrome: someone has to keep using the alternatives so as to give them a reason to exist.

Malware in Microsoft, Bugs in Android Apps

Spyder – The Scientific Python IDE for Data Science

I don’t know how many of our readers are research scientists, data analysts, etc. but today, we introduce an IDE that is ideal for Python development and it goes by the name of Spyder. Spyder is an Open Source IDE written in Python for Python development with a focus on research, data analysis, and scientific package creation. It boasts a well-planned User Interface with interactive options, customizable layouts, and toggle-able sections. Its features include a multi-language editor with automatic code completion, real-time code analysis, go-to definitions, etc. It also contains a history log, developer tools, a documentation viewer, a variable explorer, and an interactive console, among other perks. Read more

LWN on Linux: 'Secure' Boot, AF_XDP Patch, 4.17 Release and 'Beep'

  • Kernel lockdown locked out — for now
    As the 4.17 merge window opened, it seemed possible that the kernel lockdown patch set could be merged at last. That was before the linux-kernel mailing list got its hands on the issue. What resulted was not one of the kernel community's finest moments. But it did result in a couple of evident conclusions: kernel lockdown will almost certainly not be merged for 4.17, but something that looks very much like it is highly likely to be accepted in a subsequent merge window. As a reminder: the purpose of the lockdown patches is to enforce a distinction between running as root and the ability to run code in kernel mode. Proponents of UEFI secure boot maintain that this separation is necessary; otherwise the promise of secure boot (that the system will only run trusted code in kernel mode) cannot be kept. Closing off the paths by which a privileged attacker could run arbitrary code in kernel mode requires disabling a number of features in the kernel; see the above-linked article for the details. Most users will never miss the disabled features, but there are always exceptions. [...] One other aspect of this issue that came up briefly is the fear that, if Linux looks like a tool that can be used to compromise secure-boot systems running Windows, that Microsoft might blacklist the signing key and render Linux unbootable on most x86 hardware. David Howells expressed this worry, for example. Greg Kroah-Hartman said, though, that he has researched this claim numerous times and it has turned out to be an "urban myth".
  • Accelerating networking with AF_XDP
    The Linux network stack does not lack for features; it also performs well enough for most uses. At the highest network speeds, though, any overhead at all is too much; that has driven the most demanding users toward specialized, user-space networking implementations that can outperform the kernel for highly constrained tasks. The express data path (XDP) development effort is an attempt to win those users back, with some apparent success so far. With the posting of the AF_XDP patch set by Björn Töpel, another piece of the XDP puzzle is coming into focus.
  • The first half of the 4.17 merge window
    As of this writing, 5,392 non-merge changesets have been pulled into the mainline repository for the 4.17 release. The 4.17 merge window is thus off to a good start, but it is far from complete. The changes pulled thus far cover a wide part of the core kernel as well as the networking, driver, and filesystem subsystems.
  • What the beep?
    A "simple" utility to make a system beep is hardly the first place one would check for security flaws, but the strange case of the "Holey Beep" should perhaps lead to some rethinking. A Debian advisory for the beep utility, which was followed by another for Debian LTS, led to a seemingly satirical site publicizing the bug (and giving it the "Holey Beep" name). But that site also exploits a new flaw in the GNU patch program—and the increased scrutiny on beep has led to more problems being found.