"This challenge requires a thorough and comprehensive effort in both the public and private sectors," said Rep. Lamar Smith (R-Texas), the chairman of the full House science committee. "Private companies are increasing their investment in cybersecurity. Congress should support those efforts. Only Congress can provide the incentives and protections that would permit necessary information sharing among companies and more importantly between private companies and the federal government."
Of course, at a time of contracting agency budgets, finding new federal funding for cybersecurity research and development is a tall order. Cybersecurity writ large has never been a significant line item in the federal budget, amounting to just a fraction of a percentage point of government spending.
But it might be time to make cybersecurity a bigger piece of the pie, Chang suggested, particularly given the increasing reliance on digital systems across virtually every sector of the economy.
"If you think about the priorities that the nation is now placing on cybersecurity, the fact that it's something less than 1 percent seems to be a small number. It's not for me to determine what the priorities are, but that just strikes me as sort of a low number," Chang said.
The debate over cybersecurity often gives air to dire warnings and dramatic rhetoric, with officials warning of an event like a "cyber Pearl Harbor" or "cyber 9-11". Michael Barrett, the chief information security officer at PayPal, pointed out that the true extent of hacking and other criminal activity is shrouded by a shortage of information about attacks, and called for the government to undertake new research aiming to illuminate the scale of the problem.
"What we have found from our years of combating cybercrime is that quantifying the full cost is difficult, if not impossible, because many incidents aren't reported," Barrett said. "Estimates of the magnitude and scope of cybercrime vary widely, making it difficult for policymakers and industry to fully understand the problem and the level of effort needed to combat it. We recommend that policymakers fund some research that helps fill some of the information gaps that currently exist as it relates to cybercrime. We believe that this research will be a critical tool in arming policymakers, law enforcement and industry against the growing threat of cybercrime."
Terry Benzel, deputy director for cyber networks and cybersecurity at the University of Southern California's Information Sciences Institute, urged a broader rethinking of the traditional approach to cybersecurity. Instead of a piecemeal focus on specific attacks and vulnerabilities, she suggested a more holistic view of the threat landscape that would ingrain security across the enterprise.
"All too often our research is narrowly focused on single topics. For example, we have many people conducting excellent research in distributed denial-of-service, worms, botnets and Internet routing, each studied individually and deeply," Benzel said.