Sunday, October 02, 2005

PITAC co-chair Lazowska on cybersecurity

For two years, University of Washington computer science professor Ed Lazowska served as co-chair of the Presidential Information Technology Advisory Committee. His two-year term ended in June 2005, and in a recent interview in CIO Magazine, he's got some things to say. There's so much juicy material in this interview that anyone even vaguely interested in national security or computer science should read it all, but some excerpts follow...

Lazowska doesn't pull any punches when discussing the Bush administration's approach to the issue. "In my opinion," he says, "this administration does not value science, engineering, advanced education and research as much as it should-as much as the future health of the nation requires."


We see some of the effects of cybervulnerabilities on a daily basis on the front page of our newspapers: phishing attacks, pharming attacks, denial-of-service attacks and large-scale disclosure of credit card information. Even phishing attacks, which seem easy to dismiss as a gullibility problem, arise from the basic design of the protocols we use today, which make it impossible to determine the source of a network communication with certainty.

The public, and most CIOs, do not see many activities that are even more threatening. The nation's IT infrastructure is now central to the life of all other elements of the nation's critical infrastructure: the electric power grid, the air traffic control network, the financial system and so on. If you wanted to go after the electric power grid-even the physical elements of the electric power grid-then a cyberattack would surely be the most effective method. It's also worth noting that the vast majority of the military's hardware and software comes from commercial vendors. PITAC was told that 85 percent of the computing equipment used in Iraq was straight commercial. So the military itself is arguably about as vulnerable to a cyberattack as the civilian sector.

Now, the problem is that you can't suddenly decide that you want something like security and expect to be able to buy it, because the technology doesn't necessarily exist. Almost no IT company looks ahead more than one or two product cycles. And historically in IT, those ideas comes from research programs that the federal government underwrites. Just think about e-commerce: You need the Internet, Web browsers, encryption for secure credit card transactions and a high-performance database for back-end systems. The ideas that underlie all of these can trace their roots to federally funded R&D programs.

That's how this relates to the R&D agenda. Long-range R&D has always been the role of the national government. And the trend, despite repeated denials from the White House to the Department of Defense, has decreased funding for R&D. And of the R&D that does get funded, more and more of it is on the development side as opposed to longer-range research, which is where the big payoffs are in the long term. That's a more fundamental problem that CIOs aren't responsible for.


PITAC found that the government is currently failing to fulfill this responsibility. (The word failing was edited out of our report, but it was the committee's finding.)

Of course, given the Bush administration's track record, it's hardly surprising that they're failing here, but it's yet another data point. I also find their editing of the PITAC report pretty shameful; but, again, s.o.p. for the Bush gang.

Incidentally, in September 2005, PITAC's functions were absorbed into PCAST. However, I don't have the inside baseball on whether this means that IT concerns will be taken more seriously (because PCAST is a more important council) or less seriously (because IT will get buried in the millions of other things on PCAST's plate). My guess is that much will depend on the dynamics of the PCAST committee and its leadership.

For more about the state of cybersecurity in general, you might want to see Lazowska's 12/02/04 lecture from Lazowska's course last year on public policy and IT (note that the slides alone won't give you the full impact; you really want slides and video together).

UPDATE 7 Oct.: Regarding the merger of PITAC and PCAST, the Computing Research Association blog, which is more clued in than I am, has similar questions. However, they think that, on balance, "the positives outweigh the negatives", so maybe things are looking up for IT policy in the US.

No comments:

Post a Comment