[ISN] Rx for IT security: RFP?

From: InfoSec News (alerts@private)
Date: Mon Jul 09 2007 - 23:15:47 PDT


http://www.gcn.com/online/vol1_no1/44627-1.html

By William Jackson
Cybereye
07/09/07

The head of the Homeland Security Department’s research and development 
activities was chastised by a House subcommittee last month for not 
bringing better organization to the department’s Science and Technology 
Directorate.

Yes, things have improved from the “chaos” that characterized the 
directorate when Undersecretary Jay M. Cohen arrived, conceded Rep. 
James R. Langevin (D-R.I.), chairman of the House Homeland Security 
Subcommittee on Emerging Threats, Cybersecurity and Science and 
Technology. But Langevin also said that Cohen has not done enough to 
establish a strategic direction for his R&D efforts or metrics for 
measuring performance.

Cohen said in his defense that, upon assuming the position last August, 
“my first focus was getting my own house in order.”

Part of that house is the Homeland Security Advanced Research Projects 
Agency, charged with promoting commercial development of the information 
technology security tools needed by the department. HSARPA focuses on 
what it calls “high-risk, high-payoff” projects that will produce new 
systems rather than advancements in current technology — revolutionary 
rather than evolutionary improvements. Because the projects are seen as 
high-risk, the government lends a hand in funding and directing them.

But it seems that the private sector is relying a little too much on 
government assistance to meet the basic goals of HSARPA’s IT security 
initiatives. I am not suggesting that government should not cooperate 
with industry to help define the technology it needs. But there already 
is a ready market for the types of products HSARPA is promoting.

HSARPA shares similarities, in both name and mission, with DARPA, its 
Defense Department counterpart. Both solicit partnerships with industry 
to produce new technologies or products that might not be feasible or 
attractive for industry to develop on its own.

But, “HSARPA is different from DARPA,” Cohen told the subcommittee. 
DARPA focuses on long-range basic research projects whose payoff may 
come well down the road, if at all. The Internet was one of those 
projects, developed long before there was any demand for an Internet. 
“DARPA does what they do independent of their customers,” Cohen said. “I 
don’t have that luxury.”

HSARPA focuses on applied research to fill the “capability gaps” of its 
customers, primarily Gregory Garcia, DHS assistant secretary for 
cybersecurity and telecommunications. In other words, it encourages 
development of the tools needed now to support government missions and 
protect the nation’s critical infrastructure. These tools include 
document validation systems for a wide range of paper and electronic 
credentials, improved biometrics, and systems for detecting and 
responding to cyberthreats in real time.

These are the types of products industry should be producing. The need 
for them already exists, both in the government and private sectors. 
Missions differ from one sector to the other, but the equipment, 
protocols and technologies being used to execute those missions are 
essentially the same. They share common vulnerabilities and need the 
same tools to protect themselves.

It would be nice to have the out-of-the-box thinking and revolutionary 
approaches HSARPA is supposed to encourage. But with the need for these 
tools already clear, this seems to be the kind of applied research 
companies ought to be involved in anyway.

The IT industry has shown itself perfectly capable of thinking outside 
the box. It continuously comes up with new products and functionalities 
we don’t know we need but which quickly become incorporated into our 
business lives. Things like BlackBerrys, peer-to-peer networking and 
instant messaging come to mind. The industry is spending something like 
$70 billion a year to extend its wireline and wireless broadband 
networks to enable these new functionalities. It ought to be investing 
in equally innovative tools for securing these networks, devices and 
applications.

HSARPA’s job should be to help identify the needs of its customers and 
make them known to industry. Industry’s job is to build products that 
meet those needs, and then sell them at a reasonable profit. There is no 
reason government can’t help direct the process, but a ready market for 
these tools should be all the incentive industry needs to develop them.
