With the Department of Homeland Security (DHS) operating under a temporary continuing resolution (CR) that expires next March, it means delays in contracting actions in cyber security research, according to Douglas Maughan, director of the Cyber Security Division (CSD) at the DHS Science and Technology Directorate (S&T).
“If I have 20 percent of my budget instead of 100 percent, it forces us to slow down in some of the research performers, so that they don’t spend all their money before they get the next year’s increment,” Maughan said in an interview.
As long as the budget is eventually approved the research work can still be done, but “it just impacts the speed at which the research can be accomplished.”
The kind of research CSD is prioritizing, evidenced at last Tuesday’s 2014 Cyber Security Division R&D Showcase and Technical Workshop, includes critical infrastructure like internet protocol and DNS security, research infrastructure, internet measurement to support the community, network and systems security (including biologically-based ideas), and malware analysis.
CSD is also supporting research into cyber forensics, physical systems with the internet of things, cyber security education, and mobile security, Maughan noted.
CSD is particularly focused on international cooperation, education, and large apex projects.
Eleven countries were represented at the showcase because “cybersecurity is a global sport and we don’t have all the answers in the U.S.,” Maughan said.
The technology piece is especially a focus for Maughan. “How do we get the next generation? They’re using this technology all day long and none of them are thinking of it as a career. So how do we get them interested in and aware of it and in the pipeline?”
The Apex project is “large scale technology integration and demonstration.” For example, CSD is trying to work with the finance sector to not only use S&T cybersecurity technologies but commercially-funded technologies as well as other government technologies.
The agreements that CSD has in place with the finance sector “becomes a really good public-private partnership. We help them improve their systems,” Maughan noted.
Maughan also explained who S&T’s customers are for cyber security. Within the department, S&T is working with the National Protection and Programs Directorate (NPPD), Secret Service, Immigration and Customs Enforcement (ICE), Homeland Security investigations, Customs and Border Protection (CBP), the Transportation Security Administration, the Coast Guard, FEMA, and the Office of the CIO.
However, he said that “we might be doing as much outside the department as inside the department.” This is important because if the research CSD funds makes it to the commercial marketplace, it can re-enter the acquisition pipeline as a product that can be certified and accredited.
“You can certify and accredit a commercial product. It’s harder to certify and accredit a research product. That’s why we’re focused on some transition activities–to get them out of the labs, out of the research pipeline and into the marketplace.”
Maughan also highlighted what is wrong with cyber security today in light of the recent private sector hacks. In addition to problems with software quality, usability, and measurement of security, he mentioned the economics of cyber security. The large business hacks companies have been choosing to not spend money on cyber security in the hope that they do not get hacked.
“And if you look at some of the companies, that’s exactly what happened. Certain decisions were made and certain things weren’t done and then next thing you know they’re in the news. It comes down to a risk decision.”