With some amount of fanfare, Congress late last year passed and President Bush signed the Cyber Security Research and Development Act (CSRDA), which provides nearly $1 billion for various forms of security research and scholarships. Soon we'll find out whether Congress will ultimately appropriate the money to fund the Act -- no sure bet by any stretch.

The CSRDA earmarks gobs of money for different areas of security research and education. Among them:

  • $275 million for security related post-doctoral and senior research fellowships over five years.
  • $233 million for research grants in nine security disciplines.
  • $144 million to promote security research by creating Computer and Network Security Research Centers.
  • $95 million in college grants for undergraduate and graduate security programs.
  • $32 million to pay for "long-term, high risk" research aimed at improving computer security.
That's the high-level view, from which it is difficult to determine how the money will translate into improved security. In practice, it depends on where the money goes and how it is used.

To find out how the money will wind up in the hands of folks who can do some good with it, I talked to Dr. Eugene Spafford, a professor at Purdue University and director of Purdue's Center for Education and Research in Information Assurance and Security (CERIAS).

Spafford testified before the House of Representatives when the CSRDA was first introduced, an indication of his status in the security field. Given that much of the money is earmarked for education, he seemed a logical choice to explain how it will help.

Let's start with that $275 million for fellowships. Generally, fellowships are merit-based monetary awards that go to students who show aptitude in a given area. Fellowships pay for tuition, fees, room, board and the like.

"They are often given to graduate students, to encourage them to do advanced study, when they might be tempted to leave with a lesser degree and get a job because they can't afford to continue studying," Spafford says.

Schools get the money by applying to whatever authority is charged with finding qualified applicants. In the case of the CSRDA, that responsibility lies with the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST).

NSF and NIST will likewise dole out the $233 million in research grants. The usual scenario is that applicants submit proposals outlining what they propose to do and what effect it will have. Money is awarded to the proposals NSF and NIST deem most qualified, Spafford says, keeping in mind criteria such as the institutional resources behind the proposals, the experience of the submitting individuals and how they've handled such grants in the past.

CERIAS is one institution that may apply for some of that grant money.

"We have several ideas in mind, having to do with advanced architectures and intelligent security systems," Spafford says.

CERIAS currently can't conduct all the research it would like to for lack of funds. Grant money would cover expenses, including some salary for faculty and assistants, perhaps a stipend for graduate students who are pursuing doctorate degrees, plus equipment, software, books and assorted other fees.


In general, Spafford expects the CSRDA will be helpful in improving cyber security, but he isn't at all confident that the act will be funded at its current level, given the current budget climate and competing interests on Capitol Hill.

The CSRDA is, in effect, a long-term investment. Part of the thinking behind the act is simply to expand the size and number of programs that educate security professionals.

Today, Spafford estimates there are maybe two dozen universities with graduate-level security programs. To create more requires more individuals with a broad base of security expertise and experience.

"That's a problem," Spafford says. "It doesn't mean paying teachers more, it means producing more of them to meet the need."

The thinking goes that if we educate more security professionals, some percentage of them will choose to remain in academia while others go to the private sector; both are positive developments.

But that won't happen anytime soon. Say a program starts today to educate graduate students for doctoral degrees so that they can then teach undergraduates. The first graduates of those undergrad programs would get their degrees eight to 10 years from now, Spafford notes.

"No amount of money is going to make an immediate difference, and that's a hard sell when you've got people worried right now about bioweapons, poverty, unemployment, pollution, Social Security and other things that are contending for funds," he says.

While it remains to be seen whether the feds will ultimately step up to the plate and fund the CSRDA, Spafford notes that states can help, too. Many of the institutions with better security programs are state schools, he notes.

Individual companies can likewise shoulder some of the burden. Symantec, for instance, announced in December that it will provide $50,000 to fund a fellowship providing full tuition and a stipend for two years for a Purdue student working with CERIAS.

"That's one company," Spafford says. "If you look at all the companies in the security space, they could make a real big difference if they each funded one student."

Good point, but so could nearly $1 billion in federal money. Let's hope Congress isn't so shortsighted as to give the CSRDA short shrift.

Desmond is president of Paul Desmond Editorial Services, an IT publishing firm in Framingham, Mass. He serves as editor of eSecurityPlanet.com, a source of practical security information for IT managers, CIOs and business executives. Email him at paul@pdedit.com.