When President Kennedy said the United States was going to put a man on the moon, nothing was impossible. He was able to state that because the R&D community in the 1960s—government, academia and industry— was a tenacious bunch, dedicated to problem solving, unafraid of the risks they faced in figuring out how to make things work. They understood that experimentation does not have a guaranteed outcome and that the risk of a failed experiment was not a bad outcome, but an indicator of a new direction for the next round of experimentation.
Before President Kennedy raised the space flag, our research and scientific community had endured a myriad of failures. Rockets detonated on launch pads or shortly after liftoff. These failures were not seen as such. They were seen as one more step toward a solution because, back then, the scientific community was driven by a shared vision of science and research in the national interest.
In my opinion, the nation needs to apply this can-do spirit to the major challenge of our day–protecting critical infrastructure and computer networks from cyber attack.
Today’s R&D Environment
It used to be that government, academia and industry were driven by a common goal—the protection and betterment of the American people. Go back and look at what came out of the space and DoD programs that are incorporated into our everyday lives. I don’t think anyone would argue that anti-lock brakes, as an example, have not positively affected all of our lives. That’s just one of the many benefits the United States, as well as the rest of the world, has gained from government, academia and industry working together. In today’s R&D environment, government is expected to absorb all of the risk but doesn’t have the budget to allow for it. Academia is now driven by grant money, which in a number of cases comes from industry and individual companies. And, what’s driving industry? Profits and losses. The common goal has taken a back seat to individual goals, and therefore, the advancement of science and research in many areas, including cybersecurity, has been hampered by this shift in the R&D community.
R&D and Cybersecurity
Cybersecurity cannot be achieved without research. Its very existence is predicated on a strong, thriving R&D environment. However, the R&D flux that is currently taking place is certainly taking its toll on advancements in cybersecurity. For example, there are a couple of issues affecting today’s cybersecurity conversations.
- Constant attack equals some level of constant penetration. The application of physical security models to a virtual environment is inadequate to the threat. Thus, the approach needs to be one of environmental—or personal—behavior. However, the complexity of this environment is viewed as too risky. Although, academia thrives on answering these challenges, they need funding. Industry asks, “Where’s the profit?” And both academia and industry ask, “What is the government willing to provide?”
- Our nation’s infrastructure is mostly in private hands. Security is a consideration, but the broadband carriers know all too well that most of its customers have little if any application of the most basic security principles. Dot org, .net and .com give adversaries the advantage they desire without the risk of a full-frontal assault on a government site.
If government cuts or, in some cases, kills R&D funding because of the risk involved, then it is in the position of relying on the marketplace to solve inherently governmental issues. This, as we all know, will conflict with the desires of the electronics-driven customers who don’t seem to worry about security features.
The Common Good
The previously cited examples speak to the current fragmentation of the academic, industrial and governmental roles in regard to this country’s cybersecurity dialogue. However, all we have to do is look at the space program as a shining example of how government, industry and academia can work together for the common good of this country. As we understood back then, this common good falls on the back of this R&D triumvirate. And, yet, the three are separated by an arm’s length today. If everyone works together toward a shared vision of the national interest, and realizes that risk is unavoidable, then we’ll be headed back in the right direction.
Keith Rhodes is a partner at IST, LLC and a research scientist with more than 30 years of experience both in and out of government.