The people behind the Cyber Security Research Alliance (CSRA) plan to unite public, private and academic partners in cyber security research efforts that will make the same information available to all parties. And last month, the group issued a press release disclosing their efforts.
Members are collaborating with the National Institute of Standards and Technology (NIST) to arrange a joint cybersecurity research symposium early next year to connect researchers from different sectors.
Ron Perez, CSRA treasurer and AMD security architect, answered five questions about the consortium and its upcoming activities.
How would the CSRA’s research differ from research that existing companies and government agencies are doing?
We struggled with these same questions because there are a number of institutes, universities, government labs, and of course, industry labs. Each of the stakeholders — government, industry and academia — have their own perspective and their own way of addressing cybersecurity research. From a government side, they’re interested in technologies and science that help secure the infrastructure of the nation. They’re not interested and can’t do much in terms of ensuring that research exactly results in something that’s commercially applicable, that it can be privatized. From an industry perspective, that’s what we specialize in, trying to make money. Our focus, even at the research labs, tends to be a little more on growing organically our own capabilities for our enterprises and how we can commercialize those. Although we interact a lot with academia and also with government, the industry focus on research tends to be a little shorter.
What about information sharing components? Your group has those?
We’re very much interested in not being a clearinghouse, but being aware of all the research that’s going on and ensuring that everybody gets a good picture of that research so we can look for commercialization and collaboration opportunities. From an information sharing standpoint, that’s the part that we’re interested in: cataloguing and being aware of the research that’s been done and is continuing, who’s actually funding it, and for what purpose.
What forces came into play for you to get this out now? Why not a year ago, or two years ago?
The U.S. government held this national cyber leap year in 2009. About six months after that was completed, mid-way through 2010, maybe 15 different companies actually got together in the Washington, D.C., area to talk about what we could do to answer these calls from our public-private partnership. But the time between mid-2010 until now was a long period of time where we struggled with issues. Where is the return on investment for each of our companies? Is it just amplifying the level of research that we do today? Are we going to get a better understanding of the economics of cyber security?
These are the types of problems that we struggled with, and it was kind of one of those on-again, off-again sets of discussions. I think for the last year or so it’s been pretty constant, with the set of companies we have now and maybe about 10 others who are kind of sitting on the sidelines saying, "Look, if you form this organization, we’ll be there, but we’re not going to lead the effort to form the organization."
How urgent or pressing is the cyber threat? Does government “get it”?
I think the government does get it. They’ve been doing a lot to promote the use of existing technologies, processes [and] procedures. Cloud computing, for example, is largely a lot of processes and procedures and technology in there as well. But NIST, for example, they have a lot of guidelines helping vendors look at how to properly configure their environment. The government has gotten this for a while, and it’s only gotten more so in the past couple of years. I think everybody understands kind of intuitively that cybersecurity is an issue. Everybody understands that more and more of our economy, of our way of life, is linked to technology.
What government agencies are you working on getting relationships with?
We definitely have to have agencies and departments and academic representation, right? For government and academia, their ability to actually be a member of a consortium like this is, they have legal restrictions, so we’re looking for the types of membership and creating structure that will allow as many of these folks to participate as possible. For industry, it’s pretty straightforward.
As far as the technical research that we pursue, and this will be largely the direction-setting part of our organization, we’ve been working very closely with a large number of agencies over the past two or three years. They don’t have an industry consensus of what the biggest issues are that need to be addressed, and what the priorities are and a plan for how to get there, so having a broader organization like us would be a great value to them. Government seeks that kind of input from industry on what are the problems that need to be addressed? How should they direct their funding, etc.? This will be the big payoff for them.