The U.S. government must collaborate with public and private institutions to spearhead national cyber security research and development efforts, according to a report released by Dartmouth's Institute for Information Infrastructure Protection, or I3P, on Feb. 18.
"The new administration has a major opportunity to direct and coordinate cyber security research and development efforts in ways that could provide protection from threats in the near term," the report said.
The report, which was delivered to Sens. Joseph Lieberman, I-Conn., and Susan Collins, R-Maine, chair and ranking member, respectively, of the Senate Committee on Homeland Security and Governmental Affairs, stems from a series of I3P forums co-chaired by the senators in Washington last fall, Martha Austin, I3P's executive director, said.
The I3P report calls for better coordination among the government, corporations and individuals with respect to cyber research. In addition, it suggests that standards of measurement, or metrics, be created to assess the security of network systems.
The report also recommends that legal and policy frameworks for cyber security be established, and that human behavior and motivations be considered when creating security solutions.
"It is our opinion that if addressed by the government agencies overseeing the national agenda in cyber security, these priorities would lead to a more robust cyber security stance for the nation," the report states.
The four recommendations stem from concerns raised in every forum, Austin said. Each forum was devoted to the application of cyber security within a particular field, including business and economics.
"Those four common themes were very steady in the forums," she said. "They came up over and over and over again, particularly the issue of metrics and the differences between the generations of how people feel about cyber security."
The forums brought together 92 professionals from industry, government and academia, including representatives from the Department of Homeland Security, Staples and Dell Computers, as well as General Dynamics, a defense industry contractor, according to Eric Johnson, a Tuck School of Business professor who moderated a forum focused on business and economic security.
The proposed regulatory frameworks aim to resolve many conflicting guidelines currently in effect, according to the report. It recommends that regulations be outcome-based rather than prescriptive, meaning that they should focus on the results of any changes implemented and not the nature of the changes themselves.
"Prescriptive regulation may negatively affect a business's security choices, making it hard to keep up with rapidly evolving technologies and vulnerabilities," according to the report.
The way that individuals interface with cyber security systems must be taken into account when creating new security systems, the report states.
Citing adolescent use of social networking sites, including Facebook.com, Austin said students should be educated annually, from kindergarten through college, about Internet safety. Forum participants frequently returned to the subject of the importance of education, Austin said.
The report differs from those released by other institutions because of its narrow focus on research and development, Austin said.
"We have a very strong research and development focus," she said. "It's a very narrow slice, but it's an important slice."
Holding the forums in Washington, where many of the participants' companies are based, instead of Hanover, where I3P is located, made it easy to garner a variety of opinions, Austin said.
"It was a very cost-effective way to get most of these folks together," she said.
Lieberman said in a Feb. 18 Senate press release that implementing new, easy-to-use security systems to avoid cyber security breaches, which could compromise sensitive data, is crucial to weathering the current economic crisis.
"Cyber security has become an area of critical importance ... in this time of economic competitiveness and increased network intrusions," he said. "I3P has made a valuable contribution to the debate and identified a number of areas for improvement to which we must give serious consideration."
The report's recommendations will help industry professionals address pressing security issues, Johnson said.
"Now that we have a direction, both public and private resources must be applied to solve these shared problems," he said in an e-mail.
I3P was founded at Dartmouth in 2002 to coordinate and support multidisciplinary research and development for cyber security. I3P organized last fall's forums with a grant from the National Institute of Standards and Technology.
Representatives for Lieberman and Collins did not return requests for comment by press time.



