Cornell expert tells Congress that more basic research in cybersecurity is critical


Federal expenditures on cybersecurity research are "tiny compared to the severity of the threat," says a Cornell expert in the field.

And most of the research up to now has focused on fixing vulnerabilities as they appear, said Fred B. Schneider, the Samuel B. Eckert Professor of Computer Science. "Our defenses improve only after they have been successfully penetrated," he said in testimony before the Research and Science Education Subcommittee of the House Committee on Science and Technology, June 10 in Washington, D.C.

Long-term, basic research should be aimed at developing a "science base" for computer trustworthiness, he said, to understand the basic principles of how attacks and defenses work. He drew an analogy with medical research: We can repair broken bones and develop vaccines for specific diseases, but advances in cancer treatment and prevention could only have grown out of basic research in how cells work and how cancers grow.

The congressional hearing comes on the heels of the announcement that President Barack Obama will appoint a governmentwide cybersecurity coordinator and seek to develop a new, comprehensive national cybersecurity strategy.

Schneider cited a report that $342.5 million is being requested for cybersecurity and information research in fiscal 2010. This is roughly 0.4 percent of the expenditures that might be leveraged by that research, he suggested, and only part of that is dedicated to academic research. Basic research will benefit both classified and unclassified systems, he added, noting that civilian systems handle most of the nation's critical infrastructure, and the government and the military largely rely on hardware and software produced in the private sector.

"Trustworthy" computer systems, Schneider noted, not only defend against malicious attacks but also perform correctly despite failures and design or implementation errors. The need for greater trustworthiness becomes even more critical as we expand the use of computers to maintain medical records and manage "smart grid" energy systems.

Currently, he said, attackers have the advantage because they have only to find one flaw in order to succeed, while defenders must be sure there are no flaws. "We cannot afford simply to develop technologies that plug holes faster, but we need to think of security research more holistically, determining how most efficiently to block, disrupt or disincentivize opponents," he said. Since there is no way to measure the inherent security of a system, he added, industry has little incentive to compete on that basis.

Expanding academic cybersecurity research will also help to prepare students to deal with security challenges as they move into industry, government and academia, Schneider pointed out. "We must give them the mental tools they need to make design decisions when they build a system," he said. However, he urged against Congress mandating the teaching of any particular subject matter in this rapidly evolving field.

Technology is not the sole solution, Schneider said. We must also invest in research that connects technology with policy and human behavior. For example, he said, Social Security numbers are so widely known that a regulation prohibiting their use as identifiers might do more to prevent identity theft than any technology we might develop and deploy.

Schneider is chief scientist of the National Science Foundation-funded TRUST Science and Technology Center, a collaboration involving researchers at five universities, including Cornell. He serves on the Department of Commerce Information Security and Privacy Advisory Board, as a member of the Computing Research Association's board of directors and as a council member of the Computing Community Consortium. He co-chairs Microsoft's external advisory board on trustworthy computing.
Media Contact

Blaine Friedlander