President's Information Technology Advisory Committee (PITAC), Cyber Security: A Crisis of Prioritization (Feb. 2005).
In this Report to the President, the independent presidential advisory panel warns that the U.S.'s IT infrastructure is highly vulnerable to attacks that could damage not only the economy but national defense and national security systems as well. Noting that "market forces direct private-sector investment away from research and toward the application of existing technologies to develop marketable products," the report calls on the Federal government to fundamentally improve its approach to cyber security R&D by increasing investments in unclassified cyber security R&D; intensifying its efforts to expand the size of today's small cyber security research community; improving technology transfer to the private sector; and increasing the focus and efficiency of Federal R&D through better coordination and oversight.
The Report noted:
“The Nation's information technology (IT) infrastructure, still evolving from U.S. technological innovations such as the personal computer and the Internet, today is a vast fabric of computers — from supercomputers to handheld devices — and interconnected networks enabling high-speed communications, information access, advanced computation, transactions, and automated processes relied upon in every sector of society. Because much of this infrastructure connects one way or another to the Internet, it embodies the Internet's original structural attributes of openness, inventiveness, and the assumption of good will. . . .
“These signature attributes have made the U.S. IT infrastructure an irresistible target for vandals and criminals worldwide. The PITAC believes that terrorists will inevitably follow suit, taking advantage of vulnerabilities including some that the Nation has not yet clearly recognized or addressed. The computers that manage critical U.S. facilities, infrastructures, and essential services can be targeted to set off system-wide failures, and these computers frequently are accessible from virtually anywhere in the world via the Internet.”
The Report listed 10 areas as R&D priorities, based on a PITAC analysis of more than 30 documents and reports on cyber security R&D. The report concludes that the U.S. will not be able to secure its IT infrastructure without significant advances in the following areas:
- Authentication technologies
- Secure fundamental protocols
- Secure software engineering and software assurance
- Holistic system security
- Monitoring and detection
- Mitigation and recovery methodologies
- Cyber forensics
- Modeling and testbeds for new technologies
- Metrics, benchmarks, and best practices
- Non-technology issues that can compromise cyber security