PITAC report misses the point entirely

The President's Information Technology Advisory Committee has just released their report on Federal support of basic computer/network security research in this country. As you can probably guess from the title, Cyber Security: A Crisis of Prioritization, the report concludes that the government needs to invest in more support for basic security research if it wants to get the technology and the trained professionals it needs to implement a long-term strategy for securing its information assets.

The report is well worth reading, but by focusing on the research angle, it misses a much more important point for the short- and medium-term security of government systems: The US government often does not provide civilian agencies with adequate funding, personnel or training to carry out appropriate security plans. The entire system is predicated upon the assumption that if a mandate comes down, it will be implemented regardless of operational issues such as cost, suitability to the existing computing environment or available manpower.

Until the government stops trying to simply decree security and starts to really get serious about providing agencies with the ability to implement the decrees, we're not going to see much overall improvement in security posture no matter how much research we do.