Everybody complains about lack of information security research, but nobody does anything about it
For some years, I’ve been following the world of academic and industrial research on information security, especially interdisciplinary research. There is wide-spread agreement on what needs to be done:
- A Roadmap for Cybersecurity Research, by DHS
- National Cyber Security Research and Development Challenges [link to http://www.thei3p.org/docs/publications/i3pnationalcybersecurity.pdf no longer works], by the I3P
- Toward a Safer and More Secure Cyberspace, National Academies
- Report to the President on Cyber Security: A Crisis of Prioritization [link to http://www.itrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf no longer works] , by PITAC
- Ensuring (and Insuring?) Critical Information Infrastructure Protection [link to http://www.rueschlikon-conference.org/pressdocs/56_R_05_Report_Online.pdf no longer works], 2005 Rueschlikon Conference on Information Policy
- Four Grand Challenges in Trustworthy Computing [link to http://www.cra.org/reports/trustworthy.computing.pdf no longer works] , Computing Research Association Conference, 2003
But no one seems to be able to mobilize any signficant research into solutions. It’s been very frustrating to see so much talk and so little action.
This reminds me of the quote by Mark Twain, shown at left, which is the inspiration for the title of this post.
The latest iteration of this was a panel at RSA: “The role of research in industry and government“. SC Magazine summarized the discussion this way:
A disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals.
(read on for a diagnosis and two proposed solutions…)
Part of the problem is the the incentives to focus research on problems and not solutions. I run into this a lot at academic and other “thought leadership” conferences. Here’s how it was explained to me: It’s much easier to do a modest-sized research project that shows yet another failure in the economics of security than it is to do the complex, large-scale research that would be necessary to develop both theory and empirical support for solutions.
The bias toward complaining and against doing research work is even stronger at industry conferences. I don’t blame any individuals. Simply put, everyone has a day job that pays them to solve near-term problems and deliver immediate payoffs. High-risk, fundamental research does not fit that template.
There was one recent attempt to mobilize breakthrough research — the “National Cyber Leap Year Summit” last August, sponsored by NITRD. As I’ve previously written, that effort was largely a waste of time and money because you can’t brainstorm your way through hard problems like this.
Gene Spafford (a.k.a. “Spaf”) is one person who has thought long and hard about how to effectively mobilize and support interdisciplinary information security research. In the second half of this blog post, he mentions a white paper [link to http://transfer.spaf.us/is-prop.pdf no longer works] that he has been circulating in DC for feedback. The white paper advocates “changing the way we fund some of the research and education in the US in cybersecurity” and makes specific recommendations. It’s a good read and very thoughtful suggestions. The second of his two suggestions can be summarized:
I suggest a program similar in nature to the MacArthur “Genius Grants” program: the ISPEG, or Information Security and Privacy Extended Grant. Some agency or agencies would provide ISPEG funding to a small number of researchers in multi-year fashion, to “do good things” in cybersecurity and privacy. The intent would be to fund these individuals without requiring specific proposals or highly structured budgets, and with minimal requirements for deliverables and constraints. The researchers would be encouraged to exercise vision and leadership to the betterment of the country and the field of cybersecurity. If they are carefully selected, this will naturally follow.
A small set of ISPEG awardees [should be] chosen annually. These individuals will be senior academic, tenured faculty, chosen on the basis of past accomplishments specifically in the fields of information security and privacy, and because of a commitment to service and education. [emphasis added]
I think this is a keen idea overall. Several formal studies of scientific performance have shown that the most productive method for acheiving major research innovations is through senior, experienced researchers who have both freedom and adequate support over an extended period of time. However, Spaf’s model is aimed at supporting only academic researchers and only those researchers who have been blessed by the academic system (“tenured”). Yes, they merit this sort of support, but they aren’t the only people who can or should play in the advanced research arena. Therefore I want to propose another idea that could work in parallel with ISPEG.
Proposal: Information Security Pioneers Fellowship Program (ISPFP)
Here’s how it might work. A non-profit organization would administer the program and would be the “home” for a number of individuals (the “Pioneer Fellows”) who would have financial and institutional support for a period of time. In return for this support, they would serve as catalysts, leaders, orchestrators, and even program managers for innovative interdisciplinary research projects, esp. those that involve industry, academic, and government partners. They could also work on projects and activities that enable advanced research or help bring advanced research results to the masses: in education, industry, or government policy. For example, here are some specific project ideas that would be well suited for Pioneer Fellows:
- Organizing and leading multi-organization proposal teams for advanced interdisciplinary InfoSec research projects (“Broad Agency Announcments” from DARPA, DHS, NSF, NIST, others).
- Leading the specification and field testing of security metrics, e.g. Center for Internet Security’s consensus metrics , and also pilot implementations.
- Leading the design and implementation of a statistically robust survey of information security practices, metric results, and costs, to displace the current “Computer Crime and Security Survey” [link to http://gocsi.com/survey no longer works] (CSI/FBI). (“Statistically robust” would include random sampling of organization populations, for example.)
- Design and help implement a “Cyber CDC” for advanced vulnerability and threat research and intelligence.
- Organize, lead, and/or collaborate in international research projects.
- Help integrate economics, organization science, and behavioral science into education, training, and certification programs for security managers and executives.
Being a non-profit (preferably 501c3), they could accept and administer donations from many sources — corporations, foundations, and government. This would open the door to funding from many sources, including organizations that don’t usually provide funding, including VCs, industry associations, privacy advocates, IT vendors and consultants of all stripes, etc.
The fellowship period and applicant qualifications are open to consideration. Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners. One thing for sure — we shouldn’t focus this program only on people who have been “officially” annointed by some hierarchy, some certification program, or by credentials alone.
OK… now for all of you who might be frustrated with lack of action, this message is for you: THIS IDEA COULD BE IMPLEMENTED IMMEDIATELY!
Sorry to shout, but I want that message to hit you between the eyes.
First, there are several candidates for host institution:
- Center for Internet Security
- Security Innovation Network (SINET)
- European Network and information Security Agency (ENISA)
Second, there are a good list of possible projects, not only the list above but also ideas from any of the reports listed at the top of this post.
Third, there are plenty of good candidates for Pioneer Fellows. Just look for the people who are already doing pioneer work on their own dime or in their “spare time”.
Fourth, the funding would probably start flowing if the right executives were in the same room at the same time, and someone with sufficient “gravitas” asked for the order. $35K to $50K per major sponsor is reasonable and comparable to other sponsorship arrangements. Ten major sponsors would fund 8 to 10 Fellows, assuming they paid full salaries. Once this is all in place, we could probably solicit a “foundational grant” from a major government agency to ramp up recruitment and other administrative parts of the process.
That’s a sketch of the idea. What do you think?