Experts See Shortfall in Cybersecurity Research

Cybersecurity experts warned a Senate panel today that the nation is ill-prepared to deal with emerging threats to its digital infrastructure, advising Congress to elevate information security to the highest priority and promote education in the field.

“The simplest way to state this is the nation is under attack,” said Eugene Spafford, a professor and security researcher at Purdue University. “It is a hostile attack, it is a continuing attack, and it has been going on for years, and we have been ignoring it.”

The witnesses told the Senate Commerce Committee that cyber attacks against government and financial systems are pervasive, and ultimately threaten to hobble the nation’s economic infrastructure.

“We’re not talking about explosions or mad hackers or bringing the U.S. to its knees in a few hours,” said James Lewis, director of the Center for Strategic and International Studies. “The real risk lies in the long-term damage to our economic competitiveness and our technological leadership.”

In December, Lewis’ group released an influential report outlining several recommendations for the new administration in combating cyber threats. Chief among them were the consolidation of the federal agencies dealing with cybersecurity and a greater investment in research in the field.

President Obama, who in his campaign pledged to create the position of cyber adviser to oversee and coordinate government information security, recently commissioned a sweeping review of the various agencies’ efforts to fend off digital attacks.

Committee Chairman John Rockefeller, D-W.V., said he was encouraged by the president’s focus on cybersecurity, but cautioned that time is of the essence as computers are increasingly used to manage the nation’s infrastructure.

“We cannot do this soon enough,” Rockefeller said. “We need a coordinated public-private response. Currently this does not exist.”

Rockefeller said he was deeply concerned with the potential for terrorists to “get into the mind” of Americans through attacks on systems like the electrical grid and online medical records, both areas where the government is investing billions of dollars in economic stimulus money.

One of the key challenges lies in law enforcement, as cyber threats defy traditional jurisdictional boundaries. The government faces what Lewis described as “the daunting task of modernizing legal authorities, many of which were written decades ago.”

The witnesses called on the committee to do more to promote fundamental research in information security, particularly at the National Institute of Standards and Technology, a division of the Commerce Department.

A critical flaw in the nation’s defenses is a shortage of highly trained security experts. Spafford estimated that each year universities only graduate between 50 and 60 PhDs in fields relating to computer security.

“Of those perhaps 10 to 15 are going to return to their home countries to start businesses to compete against the U.S. because our visa policies won’t let them stay,” he said. Assuming that private industry siphons off about half of the remainder, Spafford said that leaves only around 20 new PhDs entering the university or government system to teach and conduct research in cybersecurity.

“The numbers are way too small,” he said. “We are not portraying an image that this is an exciting career path, or one that they can make a living at.”

Rockefeller said he is planning to introduce a bill to promote education in cybersecurity at the university level, and promised that today’s session would be “the first of several hearings” on the subject.
