House bill slashes research critical to cybersecurity

A U.S. House bill that will set the nation's basic research agenda for the next two years increases funding for computer science, but at the expense of other areas important to cybersecurity.

A U.S. House bill that will set the nation's basic research agenda for the next two years increases funding for computer science, but at the expense of other areas important to cybersecurity.

The funding bill, sponsored by Rep. Lamar Smith (R-Texas), the chair of the Science, Space and Technology Committee, hikes funding for computer science, but cuts - almost by half - social sciences funding, which includes the study of human behavior. Cybersecurity uses human behavior research because humans are often the weakest security link.

The bill, known as the Competes Act, sets National Science Foundation (NSF) funding for the 2016 and 2017 fiscal years, and divides it up by research disciplines. The way it works is this: In the computer and information sciences and engineering area, for instance, the bill increases funding from $922 million to $1.050 billion in 2016, a nearly 14% increase. It stays at that funding level in 2017.

But some of the increase in computer science funding is coming at the expense of social, behavioral and economic sciences. Research funding there will fall from $272 million to $150 million, a 45% decrease. The bill also takes a big cut out of geosciences research, which includes climate change study, from $1.3 billion to $1.2 billion, an 8% decrease.

Smith has been a critical of social science funding, and last year termed a $1 million project at Indiana University dubbed "Truthy" as a misuse of public funds. The research analyzed meme behavior on Twitter, but was characterized by critics as an effort to suppress speech. The researchers denied this and said their work was being politicized.

The funding bill was strongly criticized Tuesday by the Computing Research Association (CRA).

The measure raises NSF funding over two years by 3.4% to $7.6 billion, an amount that "fails to provide for steady and real growth in the federal investment in research," said the CRA, in a letter to lawmakers.

The House committee is working on an authorization, not an appropriation, which means the money isn't assured regardless of the funding level set. All this legislation does is set the ceiling for the appropriations.

The CRA also faulted, specifically, the cutbacks in social, behavioral and economic science research, as well as geosciences.

The insight into human behaviors that comes from the social science research, "is critical to understanding how best to design and implement hardware and software systems that are more secure and easier to use," wrote J. Strother Moore, the CRA chair and a professor of computer science at the University of Texas.

This is true at Carnegie Mellon University, where computer and social scientists have been working as a team on cybersecurity issues, said Lorrie Faith Cranor, a professor of computer science and of engineering and public policy at CMU.

In security and privacy, "there are a lot of important human factor questions," said Cranor. For instance, in trying to prevent phishing attacks -- the term used for messages that appear to be coming from a trusted source -- researchers can write software "to try to detect those emails and delete them automatically. But that's not 100% effective. We also need look at why people are falling for these and what educational mechanism that we can deploy to try to prevent that," she said.

Human failure is a leading reason for all types of problems in technology, and understanding human behavior is very important to improving computer security, said Cranor.

Computer security is a system, and not just any one algorithm, and it involves a lot of components that "are totally dependent on human users doing the right thing," said Cranor.

Join the Computerworld newsletter!

Error: Please check your email address.

Tags National Science FoundationintrusionCompetesecurityIndiana UniversityCybercrime & Hacking

More about CRAMellonTechnology

Show Comments