Presidential Committee Criticizes IT Infrastructure SecurityPresidential Committee Criticizes IT Infrastructure Security

The President's IT Advisory Committee on Friday released the results of a report criticizing the country's IT infrastructure as highly vulnerable to attack by terrorists and cybercriminals. The situation, however, can be remedied through an increased focus on cybersecurity research and development and a rapid transfer of new technologies to the private sector, according to the report, titled "Cyber Security: A Crisis Of Prioritization."

"The IT infrastructure is highly vulnerable to premeditated attacks with potentially catastrophic effects," committee chair Marc Benioff and co-chair Edward Lazowska wrote in a Feb. 28 letter to President Bush. This infrastructure includes the public Internet as well as power grids, air-traffic-control systems, financial systems, and military and intelligence systems, they add. Benioff is the CEO of Salesforce.com Inc., and Lazowska is chair of the University of Washington's computer-science and engineering department.

The report acknowledges that the proliferation of network-based communication, commerce, and physical infrastructure management has been a boon to productivity in recent years, but it also points to this reliance on networks as a major security liability. "Today, it is possible for a malicious agent to penetrate millions of computers around the world in a matter of minutes, exploiting those machines to attack the nation's critical infrastructure, penetrate sensitive systems, and steal valuable data," the report says.

All hope is not lost. The committee, appointed by the president and comprised of IT leaders and academia, makes four key recommendations to help curb security exposures and provide long-term IT infrastructure stability. The first is to increase federal support for fundamental research in civilian cybersecurity by $90 million annually at the National Science Foundation and by "substantial amounts" at agencies such as the Defense Advanced Research Projects Agency and Department of Homeland Security. This funding should specifically address the 10 high-priority areas identified by the committee, including authentication, protocols governing the Internet's operation, and cyberforensics.

The second recommendation is for the government to intensify federal efforts to promote recruitment and retention of cybersecurity researchers and students at research universities, with an aim of doubling this profession's numbers by the end of the decade. The committee estimates there are less than 250 cybersecurity or cyberassurance specialists working today at U.S. academic institutions.

The third recommendation is to provide increased support for the rapid transfer of federally developed, cutting-edge cybersecurity technologies to the private sector. The committee found that cybersecurity technology transfer efforts aren't adequate to successfully move the fruits of government research into private-sector practices and products.

The committee's final recommendation is that the government do a better job of coordinating cybersecurity R&D. This lets individual agencies work in a vacuum, without considering the bigger cybersecurity picture. The committee recommends that the Interagency Working Group on Critical Information Infrastructure Protection become the focal point for coordinating federal cybersecurity R&D efforts.