Government devotes more brainpower and money to cybersecurity

Tuesday, June 22, 2010

Cybersecurity, fast becoming Washington's growth industry of choice, appears to be in line for a multibillion-dollar injection of federal research dollars, according to a senior intelligence official.

Delivering the keynote address at a recent cybersecurity summit sponsored by Defense Daily, Dawn Meyerriecks, deputy director of national intelligence for acquisition and technology, said that along with the White House Office of Science and Technology, her office is going to sponsor major research "where the government's about to spend multiple billions of dollars."

This newest element of the federal cybersecurity initiative will not be looking for what Meyerriecks called "classic Beltway . . . commercial answers" to be applied to today's hacker problems at federal agencies. "I think we need to be really innovative, because I think we're going to run out of runway on our current approach," she said.

Three themes are to be stressed in this upcoming cybersecurity research agenda, she said. The first is called "tailored trustworthy spaces," which means creating different security levels for different government and non-government Internet activities. Less security is needed for finding baseball scores than when banking or guarding secrets, she said.

The second is called "moving targets," in which the search is for security systems that change constantly to increase uncertainty for hackers, recognizing that all systems inevitably become vulnerable.

Finally, there will be research in "economic incentives," which, as it sounds, involves finding ways to motivate users to adopt cybersecurity defenses, recognizing that convenience has caused consumers to ignore security pop-ups.

Of course, hardly a week goes by without companies, think tanks or government agencies holding a session on the subject, and there have been multiple hearings on Capitol Hill.

On June 15, for example, Sen. Joseph I. Lieberman (I-Conn.) chaired a Senate Homeland Security and Governmental Affairs Committee hearing on the bipartisan legislation he introduced with Sens. Susan Collins (R-Maine) and Thomas R. Carper (D-Del.). One section of the bill created legal authority to protect the non-defense government and private-sector computer networks from attacks.

The next day, across the Capitol, the Government Accountability Office director of information security, Gregory C. Wilshusen, told the House Homeland Security Committee, "Cyber-based threats to federal systems and critical infrastructure are evolving and growing." Meanwhile, at a Brookings Institution session on the future of defense industry infrastructure, an industry expert described a two-tiered security net in which military contractors face different problems than banks and credit card companies. Those financial institutions are losing millions that are not reported publicly because the institutions involved did not want consumers to be aware of the problems.

"There is no silver bullet to cybersecurity; we must employ a defense-in-depth approach," Philip Reitinger, deputy undersecretary of homeland security for the national protection and programs directorate, said at the Lieberman hearing.

Robert D. Jamison, Reitinger's predecessor at the Department of Homeland Security, gave the same panel a quick tour of the federal government's "multiple agencies with different missions, networks, authorities and capabilities" when it comes to cyberspace. Homeland Security is primarily focused on operation security of the ".gov" networks, he said. The Defense Department and its National Security Agency "are focused on protecting our military networks, employing offensive measures and determining what constitutes an act of war in cyberspace and how our government responds."

The State Department "is focused on our international efforts"; the Commerce Department, on "issuing standards and guidelines" through the National Institute of Standards and Technology and "educational, research and governance" through the National Science Foundation and National Telecommunications and Information Administration.

All federal agencies, according to Jamison, "are responsible for protection of their respective networks" and all are on "different evolutionary paths of cyber readiness and defense."

This brings us back to Meyerriecks. She said that "tons of products" have been commercially developed to provide cybersecurity and that within the field "things have gotten better." But, she said, "there's not an answer Band-Aid that is going to come with this."

"We're starting to question whether or not the fundamental precepts are right, and that's really what, at least initially, this [new research] will be aimed at."

© 2010 The Washington Post Company