Making a Federal Case of IT Security
The federal government needs to play a greater role in protecting the IT infrastructure of the United States, according to two recent reports. The first report, from the President’s Information Technology Advisory Committee (PITAC), a group of independent experts appointed by the president to provide advice on IT issues, warns that the nation’s IT infrastructure “is highly vulnerable to attack.”
In its 58-page paper, PITAC provides four recommendations. It calls for “a significant investment” of federal funds (such as increasing the National Science Foundation’s budget in cybersecurity by $90 million annually), because “market forces direct private sector investment away from research” and toward the development of marketable products. PITAC notes that the number of “highly trained” security professionals is woefully small, and urges the government to “intensify its efforts to promote recruitment and retention of cyber security researchers and students.”
The government should “strengthen its cyber security technology transfer partnership with the private sector” so that federal research investments become “civilian sector best practices and products,” the report says.
Finally, PITAC lambastes federal research and development efforts as “unfocused and inefficient because of inadequate coordination and oversight,” a situation which could be improved by making the Interagency Working Group on Critical Information Infrastructure Protection (IWG/CIIP) the focal point of federal cybersecurity research and development. This working group is part of the National Science and Technology Council, a Cabinet-level group that works to establish national goals for federal science and technology investments.
There are two models the federal government could look to if it decided to play a greater role in developing a national cybersecurity framework, according to the second report, which comes from the Congressional Research Service (CRS).
One approach is to follow the model used in the response to the Y2K problem, in which, for example, the Securities and Exchange Commission promulgated rules to force companies to address the problem. The other is to follow the model of safety and environmental regulations, such as Food and Drug Administration rules for regulating food safety. The CRS report examines the issues in depth and discusses the pros and cons of each model.