If you think the term IT security crisis has been over used, think again.

While enterprises across Australia and globally become weary of persistent hype about digital Pearl Harbours, imminent cataclysm, and cyber terrorism, in the US some of the biggest brains in the information technology world are warning about a different problem.

They claim the IT industry has missed the boat on security research, leading to massive and chronic under-funding of civilian IT security research and development.

Such warnings are easy enough to dismiss if they come from security vendors intent on pushing their own agenda and more product.

However, this time the wake-up call comes from the President's Information Technology Advisory Committee (Pitac) a heavyweight assembly of IT and engineering researchers, capital funds, analysts and vendors and a 58-page tome entitled, Cybersecurity: A Crisis of Prioritization.

The committee includes heads of computing faculties from Washington, California, Maryland, North Carolina, Columbia and Purdue universities along with the Massachusetts Institute of Technology.

On the vendor side, AT&T, Microsoft, Global Systems Consulting, Dell, SalesForce, TruSecure (now CyberTrust) and Advanced Scientific Research have all put their names to the report.

In turn they are backed by backed by the likes of Gartner, Riggs Capital Partners, RedPoint Venture and the Potomac Institute for Policy studies.

Research battlelines

One of the most revealing aspects of the Pitac report is how the landscape of IT security funding has changed since September 11. With the US on a war footing ever since the 2001 terrorist attacks on the US, the report points to the undeniable fact that funds and energies have been devoted to developing military IT systems and capability to ensure national security.

While not disputing the essential investment in military computer technologies, the report points out some fundamental home truths about the way the nature of technology irrevocably changed both civilian and military economies.

Central to this theme is that the military is now reliant on many civilian technological infrastructures such as the Internet, communications channels, operating systems and applications.

However, while funding for military improvements - such as new intelligence collection systems, better networking and data fusion technologies abounds, little is being done to secure the essentially civilian underlying architecture of such developments.

"Federal funding for cyber security research has shifted from long-term, fundamental research toward shorter-term research and development, and from civilian research toward military and intelligence applications. Research in these domains is often classified and the results are thus unavailable for use in securing civilian IT infrastructure and commercial off-the-shelf (COTS) products in widespread use by both government and the civilian sector.

"These changes have been particularly dramatic at the Defense Advanced Research Projects Agency (Darpa) and the National Security Agency (NSA); other agencies, such as the National Science Foundation (NSF) and the Department of Homeland Security (DHS), have not stepped in to fill the gaps that have been created. As a result, investment in fundamental research in civilian cyber security is decreasing at the time when it is most desperately needed," the report states.

Yet it is the report's conclusion that is the most damning:

"The information technology infrastructure of the US, which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks."

It's not just about the money

One of the more careful observations the report makes is that when it comes to R&D priorities, the focus of research is equally if not more important than the amount of money sunk into it.

Rather than attribute a cash cost to fixing the current architectural dilemma, the report finds that current technological research must start to practice what IT security experts have been preaching since the dawn of the first network vulnerability.

Security must be built into emerging and existing architectures, at a holistic level, from the ground up. This literally means a shift in thought and IT design philosophy rather than spending trillions of dollars on recurrent fixes without tackling the issue at hand.

To this end the report finds that the US government must take a leading role rehabilitating the IT industry because core security competencies are now being lost.

"An expanded portfolio of US federal cyber security R&D efforts is required because today we simply do not know how to model, design, and build systems incorporating integral security attributes."

Local change agents

While the Pitac report is still sinking into the minds of many in Australian government circles, local security experts tend to agree with its findings. As a man who counts the daily cost of cyber attacks on the public and business, AusCert director Grahame Ingram agrees that research and development always benefits from a boost, but points out that "coordination at the coal face" is never as simple as it looks.

"There is significant research and development in Australia, and we know most of it is world-class. But whether those solutions will really make a difference is a matter of whether [research achievements] can be commercialized and taken to the market," Ingram said.

Ingram is also positive that vendors are now starting to respond to various security threats by putting more effort into the way they build software and hardware.

"Over the last two years there we have seen some dramatic changes with vendors making security part of their product [rather than leaving it to the perimeter]. They are responding to market requirements, it's a real issue for them," he said.

Others say the Pitac report has to be taken seriously at a local level. Queensland University of Technology's head of software engineering and data communications Professor Bill Caelli said the contents of the report were "disturbing" adding a top level rethink on building security into IT is necessary.

While the Pitac report is still sinking into the minds of many in Australian government circles, local security experts tend to agree with its findings. As a man who counts the daily cost of cyber attacks on the public and business, AusCert director Grahame Ingram agrees that research and development always benefits from a boost, but points out that "coordination at the coalface" is never as simple as it looks.

"There is significant research and development in Australia, and we know most of it is world-class. But whether those solutions will really make a difference is a matter of whether [research achievements] can be commercialized and taken to the market," Ingram said.

Ingram is also positive that vendors are now starting to respond to various security threats by putting more effort into the way they build software and hardware.

"Over the last two years we have seen some dramatic changes with vendors making security part of their product [rather than leaving it to the perimeter]. They are responding to market requirements; it's a real issue for them," he said.

Others say the Pitac report has to be taken seriously at a local level. Queensland University of Technology's head of software engineering and data communications, Professor Bill Caelli, said the contents of the report were "disturbing", adding that a top level rethink on building security into IT - and the commensurate investment required - is also necessary.

Those charged with Australia's cyber security are also aware of the Pitac report. Computerworld understands the report's findings are currently being assessed by the Critical Infrastructure Protection team at the Federal Attorney General's department.

While declining to comment on specifics of the report, the spokesman for the Attorney General said the government remained aware of the need to "assist owners and operators of critical infrastructure to protect critical IT systems from harm".

To this degree the spokesman said the government had created its own IT Security Expert Advisory Group "to examine threats and vulnerabilities to [Australian] IT brought to them by the owners and operators of critical infrastructure.

"The group is currently engaged in raising awareness about potential risks and vulnerabilities in Supervisory Control and Data Acquisition (SCADA) systems," the spokesman said.

The Pitac report is available at: http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf