Inside the Pentagon
Reposted With Permission
November 25, 2004

Report criticizes ‘trend’ toward classification

WHITE HOUSE PANEL BLASTS PENTAGON’S CYBERSECURITY R&D POLICIES

By John T. Bennett

Inside the Pentagon, Nov. 25, 2004 -- The Defense Department’s dominance of federal cybersecurity research and its practice of classifying information technology projects have hindered private-sector efforts to safeguard U.S. computer networks, a presidential advisory group says.

Last week, Thomson Leighton, chairman of the President’s Information Technology Advisory Committee’s cybersecurity subcommittee, called the federal government’s cybersecurity research and development efforts -- including those run by the military, intelligence community and civilian agencies -- “a failure.” Consequently, hordes of U.S. civilian- and government-run computer networks are vulnerable to attack, according to a new draft report compiled by the subcommittee.

Leighton’s comments came as part of a presentation summarizing the subcommittee’s draft report during a Nov. 19 PITAC session in Washington. PITAC officials expect to deliver the final report on the state of the nation’s cybersecurity efforts to President Bush early next year.

Over the past several years, an increasing number of cybersecurity efforts run by the Defense Advanced Research Projects Agency have been deemed classified, Leighton said during his presentation. That practice means companies and universities are unable to obtain lessons gleaned and technologies developed by many military R&D efforts, Leighton and other PITAC members said during the meeting.

“The current trend in cybersecurity is to go towards classification, towards being specifically dedicated towards the military and intelligence customer. . . . Clearly, the current director at DARPA feels his mission is short-term . . . military products that should be classified for his customers; that’s not a point of view that was held” by past DARPA leaders, Leighton told Inside the Pentagon during a brief interview following the meeting. However, “when they classify stuff, it doesn’t get out into the civilian sector very well.”

DARPA spokesman Jan Walker told ITP Nov. 22 that the Pentagon’s vision of creating a fully networked fighting force makes classifying cybersecurity programs an operational necessity.

“As DOD steadily increases its dependence on information systems to enable network-centric warfare, DARPA has taken on the task of ensuring that those networks perform reliably and that they remain secure,” Walker said. “Because of the military’s increasing dependence on networks, their vulnerabilities and techniques for protecting them become more and more sensitive. Accordingly, DARPA’s R&D efforts have become classified.”

The agency expects “that in the long term, our research will have a broad, beneficial impact on the commercial world, as well,” the spokeswoman said. DARPA has “broad interactions with the civilian and commercial information assurance research communities,” Walker noted, pointing to a list of partnerships the agency has with a number of other entities.

The PITAC subcommittee’s draft report also calls for Congress to create a greater balance in the federally appropriated dollars that each year are directed to cybersecurity efforts by the Pentagon, intel community and civilian outfits. The majority of that funding currently flows to DOD and intelligence agency programs, which combined receive roughly $220 million annually. In contrast, private-sector and university programs receive approximately $70 million each year.

“It seems the two sides should be in better balance, when you consider the military is critically reliant on the civilian sector and the civilian sector gets very little benefit today from the military-intel side” because many efforts are classified, Leighton told ITP. “That’s not always been the case.”

Leighton stopped short of directly suggesting Congress shift funds from defense and intel cybersecurity R&D accounts to programs run by academics and the private sector. He did, however, hint such a move may be necessary when he reiterated the subcommittee’s call for increased civilian IT protection efforts and quipped: “That money’s got to come from somewhere.”

The subcommittee’s draft report endorses creation of “a single authoritative source that could itemize spending categories and provide basic budget information,” according to briefing slides summarizing the study and obtained by ITP.

The subcommittee chairman’s summary described a government-funded three-ring cybersecurity R&D circus. The problem, according to the briefing slides, stems from the amount of dollars provided to each ring, the performers being largely blind to what is happening in the other rings and the lack of a ringmaster to coordinate the federally funded show.

There is “no entity with the federal government charged with awareness of security needs, funding, and setting standards and direction for agencies,” the briefing slides state. Further, there is “no overall oversight to ensure that the most critical research topics receive funding [and] no systematic effort [exists] to operationalize the results of R&D” performed by the various agencies, it adds.

The panel’s draft report calls for creation of a “high-level” administration post that would “coordinate” all government cybersecurity research efforts -- including those run by DOD -- and report directly to the president, according to Leighton’s presentation.

A single coordinator could help agencies leverage each other’s R&D efforts and encourage “technology transfer” among them, two things largely not happening in today’s construct, Leighton said.

One possibility, which the draft study endorses, could be creation of an entity within the National Science and Technology Council that would provide greater coordination and monitoring of all federally funded R&D efforts.

During the meeting, PITAC members Judith Klavans and Jonathan Javitt broached whether the panel should recommend in its final report resurrecting the national “cybersecurity czar post” -- a position that has been filled on two occasions, with little measurable success both times.

Leighton told ITP arming a government-wide cybersecurity executive with authority to control the budgets of all federally funded R&D work -- including those administered by the Pentagon and intelligence communities -- would be a tough sell in Washington, where agency leaders fight tooth and nail for power to dictate funding for their department’s programs. -- John T. Bennett

Copyright 2004 Inside Washington Publishers