Agencies spend more than $1 billion a year on non-classified cyber research and development. But up until last week, a governmentwide strategy to coordinate and oversee how agencies spend that money didn’t exist.
“When we look at the plan itself, it represents our visions for the research necessary to develop game-changing technologies that can help neutralize today’s cyber attacks and build an infrastructure to secure our systems from what may come in the future,” Schmidt said in an interview with Federal News Radio. “The intent here, particularly in the view we have budget issues we are looking at as a nation and in the government, how can we use this as a force multiplier? How can we make sure we are not having two or three people doing the same research because we are not doing a coordinated strategy like this?”
Schmidt said the goal is to reduce the budget and get more for the money they are spending.
“We will take a look and make sure we don’t have any redundancies out there … What is the low hanging fruit? What are the things we can do a small investment in but make a big impact in cybersecurity across the country overall?” he said.
The White House Office of Science and Technology Policy will lead the coordination effort. Schmidt said his National Security Council office and federal chief information officer Steven VanRoekel’s e-government office in the Office of Management and Budget all will play key roles in the implementation of the strategy.
OSTP will manage the effort
Now that the strategy is out, Schmidt said OSTP will ask industry, agencies, academia and others for input on the four main areas of the plan. He said agencies focusing on specific cyber R&D areas could issue requests for proposals or requests for information.
“We will ask which pieces of this can they work on? What resources do they need to do it? And then we will start laying out the plan,” Schmidt said. “Whether it’s the financial services sector or whether it’s the smart electric grid pieces of it, we want to identify not only who can do the research, but how quickly can we transition it from research to something we can implement.”
The strategy calls for the R&D to focus around four specific areas:
Inducing change to get to the root causes of existing cybersecurity deficiencies with the goal of disrupting the status quo;
Developing scientific foundations to minimize future cybersecurity problems by developing the science of security;
Maximizing research impact by catalyzing coordination, collaboration and integration of research activities across federal agencies; and
Accelerating transition to practice, where research on how to improve cybersecurity makes its way to the commercial sector through transition programs.
Schmidt said there also are three specific themes, including designing security into software from the beginning.
This is not a new problem, but Schmidt said that while software developers are getting better, they still can do more.
“We are using this research to leapfrog ahead so it’s not a matter of upgrading to this generation or that generation, but make it so you leap ahead and reduce the vulnerabilities in your system,” he said. “In many cases, we are finding they are still using old software and systems that are not designed to be resilient and, as a result, have to make critical upgrades in a short amount of time.”
No longer bolted on
Schmidt said the cyber R&D could help improve the tools software developers use to ensure security is part of the effort.
“The intent is to have software systems that will have resistance to cyber attacks built into their core DNA as well as a self-awareness to understand the level of their vulnerabilities and do, what we call, self-healing, self-repairing,” he said.
Another theme is developing trustworthy spaces, recognizing that users can’t treat all parts of the Internet the same. There are parts where more trust and more security are necessary.
A third piece is moving targets, which make systems less predictable and less static.
“This is exciting from a technology perspective,” Schmidt said. “The ability to find vulnerabilities isn’t that difficult. To exploit them is not that difficult. So we want to make it a little harder for [bad actors], to make sure even if the vulnerability exists and it’s exploited, it only works once so it doesn’t have the ability to be exploited months and years later.”
The final area is developing cyber economics.
“What are the ways we can show businesses that there are metrics for how a particular system can do better for them, reduce their costs and make it less likely they will be a victim,” he said.
Several of the cyber bills on Capitol Hill have a research and development component. For instance, the House Science, Space and Technology Committee approved in July H.R. 2096, the Cybersecurity Enhancement Act of 2011, which coordinates research and related activities conducted across agencies to better address evolving cyber threats.
The bill requires increased coordination and prioritization of federal cybersecurity R&D activities and the development and advancement of cybersecurity technical standards. It also strengthens cybersecurity education and talent development and industry partnership initiatives.
Schmidt said the administration has been meeting with lawmakers over the White House cyber proposal and other bills.
He said the R&D strategy will become a core part of the government’s cyber efforts.