Dollars, Sense and the Cyber Security Act
The recently passed Cyber Security Research and Development Act aims to provide nearly $1 billion for various forms of security research and scholarships. But it's no sure bet that Congress will vote to fund the legislation.
The CSRDA earmarks gobs of money for different areas of security research and education. Among them:
That's the high-level view, from where it is difficult to determine how the money will translate into improved security. In practice, it depends on where the money goes and how it is used.
Spafford testified before the House of Representatives when the CSRDA was first introduced, an indication of his status in the security field. Given that much of the money is earmarked for education, he seemed a logical choice to explain how it will help.
Let's start with that $275 million for fellowships. Generally, fellowships are merit-based monetary awards that go to students who show aptitude in a given area. Fellowships pay for tuition, fees, room, board and the like.
"They are often given to graduate students, to encourage them to do advanced study, when they might be tempted to leave with a lesser degree and get a job because they can't afford to continue studying," Spafford says.
Schools get the money by applying to whatever authority is charged with finding qualified applicants. In the case of the CSRDA, that responsibility lies with the National Science Foundation (NSF) and National Institute of Standards and Technology (NIST).
NSF and NIST will likewise dole out the $233 million in research grants. The usual scenario is that applicants submit proposals outlining what they propose to do and what effect it will have. Money is awarded to those proposals NSF and NIST deem most qualified, Spafford says, keeping in mind criteria such as the institutional resources behind the proposals, the experience of the submitting individuals and how they've handled such grants in the past.
CERIAS is one such institution that may apply for some of that grant money.
"We have several ideas in mind, having to do with advanced architectures and intelligent security systems," Spafford says.
CERIAS currently can't conduct all the research it would like to for lack of funds. Grant money would cover expenses, including some salary for faculty and assistants, perhaps a stipend for graduate students who are pursuing doctorate degrees, plus equipment, software, books and assorted other fees.
In general, Spafford expects the CSRDA will be helpful in improving cyber security, but he isn't at all confident that the act will be funded at its current level, given the current budget climate and competing interests on Capitol Hill.
The CSRDA is, in effect, a long-term investment. Part of the thinking behind the act is simply to expand the size and number of programs that educate security professionals.
Today, Spafford estimates there are maybe two dozen universities with graduate-level security programs. To create more requires more individuals with a broad base of security expertise and experience.
"That's a problem," Spafford says. "It doesn't mean paying teachers more, it means producing more of them to meet the need."
The thinking goes that if we educate more security professionals, some percentage of them will choose to remain in academia while others go to the private sector; both are positive developments.
But that won't happen anytime soon. Say a program starts today to educate graduate students for doctoral degrees so that they can then teach undergraduates. The first graduates of those undergrad programs would get their degrees eight to 10 years from now, Spafford notes.
"No amount of money is going to make an immediate difference, and that's a hard sell when you've got people worried right now about bioweapons, poverty, unemployment, pollution, Social Security and other things that are contending for funds," he says.
While it remains to be seen whether the feds will ultimately step to the plate and fund the CSRDA, Spafford notes that states can help, too. Many institutions that have better security programs are state schools, he notes.
Individual companies can likewise shoulder some of the burden. Symantec, for instance, in December announced it will provide $50,000 to fund a fellowship providing full tuition and a stipend for two years for a Purdue student working with CERIAS.
"That's one company," Spafford says. "If you look at all the companies in the security space, they could make a real big difference if they each funded one student."
Good point, but so could nearly $1 billion in federal money. Let's hope Congress isn't so shortsighted as to give the CSRDA short shrift.
Desmond is president of Paul Desmond Editorial Services, an IT publishing firm in Framingham, Mass. He serves as editor of eSecurityPlanet.com, a source of practical security information for IT managers, CIOs and business executives. Email him at firstname.lastname@example.org.
By Roy Mark
December 23, 2002
Bush's cybersecurity advisor Richard Clarke claims the proposed Internet monitoring system would be used only to track highly aggregated information on the overall health of the Internet.