Tuesday, May 01, 2007

The gutting of cybersecurity

Congressman James R. Langevin, Chairman of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Committee on Homeland Security, had some fairly trenchant words to introduce a hearing on "Addressing the Nation's Cybersecurity Challenges," April 25, 2007. I am moved to quote at length:
Last week was an eye-opening experience for many of us up here. We learned that our federal systems and privately owned critical infrastructure are all extremely vulnerable to hacking. These vulnerabilities have significant and dangerous consequences. We learned that the federal government has little situational awareness of what is going on inside our systems. We cannot be sure how much information has been lost from our federal systems, and we have no idea if hackers are still inside our systems...

In the last seven years, more than 20 reports from such entities as the INFOSEC Research Council, the National Science Foundation, the National Institute of Justice, the National Security Telecommunications Advisory Committee, the National Research Council and the President's Commission on Critical Infrastructure Protection have all urged the government to do more to drive, discover and deliver new solutions to address cyber vulnerabilities.

But look at what this Administration has done to cybersecurity and the research budget at the Department of Homeland Security. Though this program was slated to receive $22.7 million dollars in FY 2007, the actual numbers I've received from S&T show that we are only funding this program at $13 million dollars. For FY 2008, the President slashed the budget again, requesting $14.8 million dollars. This is an $8 million cut from the previous year.

Just listen to some of the important programs that are being cut or reduced in FY 2007:
  • The budget for the DNSSEC program -- which adds security to the Domain Name System -- was reduced $670,000 dollars.
  • The budget for the Secure Protocols for the Routing Infrastructure was zeroed out from its original amount of $2.4 million dollars.
  • The budget for the Next Generation Cyber Security Technologies program, which addresses a variety of topic areas aimed at preventing, protecting against, detecting, responding to, and recovering from large-scale, high-impact cyber attacks was reduced $1.625 million dollars.
Now I don't know who is responsible for these cuts -- Under Secretary Cohen, or Secretary Chertoff, or the White House -- but reducing this funding is a serious strategic error by this Administration.

Just to understand how little we're spending for the sake of comparison, the FBI estimated in 2004 that cybercrime cost companies worldwide around $400 billion dollars. In 2005, the agency estimated that U.S. businesses lost $67 billion dollars. Of course, neither of these figures can measure the loss of federal information off of our networks, which may one day cost us our technological advantage over other nations. And those figures also don't count the potential environmental losses if a successful attack on our control systems is carried out.

I am deeply troubled by the lack of foresight that this Administration has demonstrated. These efforts are simply too important to be cut...

The tools that will improve or revolutionize our security will not just appear overnight. Investment today plants seeds for the future, but it is incumbent upon the Federal government to take the leadership role in this effort.

Edited 5/2/07 to add: Doug Maughan's testimony summarizes where DHS stands; its Appendix provides links to the "20 studies."

Daniel Geer's testimony is pertinent, pithy, easy to read, and mostly on-target.
