The U.S. Department of Homeland Security issued a call for proposals this week in a $40m program to encourage research and development in a wide range of topics related to cyber security: from designing more resilient software, to alternatives to passwords and CAPTCHA technology to prevent automated attacks. DHS laid out its areas of interest in a Broad Agency Announcement (BAA) dated January 26. In it, the domestic security agency said it was soliciting papers and proposals centered on 14 different topic areas. At stake is $40m in federal funding for research and development, with individual grants ranging up to $3 million. DHS’s areas of interest include software assurance, enterprise security metrics, usable security, as well as the challenges posed by insider threats.
The proposal comes amid increasing concern that Uncle Sam has been unable to adequately defend government, military and defense-related networks from intruders. Recent headlines have revealed that administrator credentials to U.S. Government Web sites, including the U.S. military’s Communications-Electronics Command (CECOM), are being fenced online, while other government sites are serving up malicious links and redirects. The so-called Aurora attacks, believed to be backed by the Chinese government, targeted both public sector and defense-related firms, while the recent test flight of a Chinese stealth jet suggests that secrets stolen from the U.S. may have already been put into development by foreign governments.
The DHS announcement, made by the DHS Cyber Security Division, is aimed at a wide range of technologies – from early stage development, to prototyped technologies, to mature technologies. Grants for early stage development are larger, capping out at $3m, compared with just $750,000 for mature technologies, and are intended to encourage R&D related to cyber security or to help in the transition of technologies for use in national infrastructure, according to a copy of the announcement posted online.
In addition to providing funding for R&D, the announcement also provides for the use of the DHS’s Cyber Defense Technology Experimental Research (DETER) Network for testing and evaluation of different technologies. Proposals and white papers will be evaluated based on the potential of the technology to meet the goals of individual topic areas, soundness of the technology and proposed development, a qualitative assessment of the ability of the organization or individual proposing the idea to bring it to fruition and the proposer’s track record of success.
The Technical Topic Areas laid out by DHS read like a symptom list for the U.S. Government’s cyber insecurity complex. DHS is looking for ideas on software assurance – building less buggy, more reliable and secure software for use in critical infrastructure; on the threat posed by malicious insiders; for ideas about how to map networks and Internet-based attacks; for ways to measure security accurately within enterprise environments; and for so-called “Usable Security” – building security features that don’t hinder productivity or encourage users to become complacent or even hostile to the operation of security software.
The Federal government has moved in recent years to attract top security talent, while organizations like In-Q-Tel, the CIA’s venture firm, have funded new, innovative ideas. But, as in the private sector, an overabundance of security products hasn’t improved the security posture of government networks. At the same time, spending on IT security continues to come under fire for wasting resources and for a poor track record on learning from security incidents. The leak of hundreds of thousands of pages of confidential diplomatic cables to the whistleblower site Wikileaks highlighted a shocking lack of security around sensitive data. Threatpost noted that the Government Accountability Office had frequently warned that the Department of Defense wasn’t providing adequate oversight of classified information, and was failing to adequately investigate even the known breaches that its contractors reported. The new DHS proposal moves to address those issues as well, listing “incident response” as one of fourteen topic areas open to proposals from the private sector.