Guess how much the federal government spends annually on unclassified cybersecurity research?
How about $5 billion? That's a little more than 1 percent of the amount spent on defense. Nope, guess again.
OK, how about $189 million? That's the amount of tax breaks given to General Motors dealers who sold the now-discontinued Oldsmobile line. Ah, no, keep guessing.
Maybe $92 million? That's how much NASCAR is pocketing thanks to federal economic incentives. Now you're getting warmer.
The actual amount is $74 million, according to a report by the President's Information Technology Advisory Committee (PITAC).
That may seem like a lot of money, but $74 million is ridiculously low compared to the size and scope of the need. To understand why this is so, you first need to navigate the muddy waters of applied vs. basic research and classified vs. unclassified civilian funding.
Applied research attempts to solve short-term, finger-in-the-dike-type problems. Basic research, on the other hand, examines big-picture challenges without a predetermined outcome. Where applied research tries to create things like new patching algorithms, basic research investigates systems that never require patching.
In all, the federal government spends about $300 million a year on applied and basic cybersecurity research. The problem is twofold.
First, the lion's share of the funding--roughly $225 million--is devoted to classified R&D. Some of this funding is focused on national security, and therefore should be classified. But a lot of research is classified to avoid public attention.
Some research is eventually declassified, but breakthrough insights are either kept secret or made public too late to have much practical impact. The point is that classified research will never be used to improve commercial products or enhance our understanding of pressing security issues. The findings can't be used to train the people running the power grid and banking systems. And they can't be used to train the next generation of security professionals.
The second problem is the imbalance between applied and basic research. Only one-tenth of the classified R&D funding ($27 million) is specifically earmarked for long-term, basic research. The bulk of the money is for firefighting activities, plugging holes and duct-taping insecure systems.
More troubling is the fact that only $31 million of the $74 million in unclassified cybersecurity funding is spent on basic research. The amount is so low that the National Science Foundation, which administers these funds, only approves 8 percent of grant proposals and 6 percent of requested funds--four times lower than the NSF average. One consequence of scarce research money is that researchers and proposals tend to become very conservative. So even the basic research that's being conducted is less likely to shed light on the really big problems: the need to eliminate epidemic-style viral attacks, develop practical risk metrics, create attack-resistant distributed systems, etc.
Security research is suffering "death by incrementalism." Without a significant increase in civilian basic research funding--PITAC recommends an additional $90 million per year--we're headed for a crisis. Everyone wonders why the big security problems never seem to get any better. Now you know.
I guess we can all take solace in the fact that the Feds are funding more important projects than cybersecurity--like the $50 million spent last year on an indoor rain forest in Coralville, Iowa.