Academic tenure stifles cybersecurity innovation, academic and entrepreneur warns

Barford, who founded the intrusion detection company Nemean Networks, which Qualys later acquired, lamented that the tenure system rewards researchers who make limited, clearly defined contributions to science. But today’s cyber threats require big ideas to counter them.

“We need to change the processes to foster innovation at academic institutions”, Barford told the SINET audience. “In the tenure process, you have to publish. And getting published is best accomplished by adding another brick to the foundation of science in whatever domain you happen to be in. Those little bricks tend to be very narrow ideas, not the big jump innovations that we want to solve security problems”, he observed.

Barford stressed that the cybersecurity threat landscape has become increasingly complex, diverse, and dynamic. Significant innovation is required to defend against these increasingly potent threats.

“We are going to continue to see the ‘next big thing’ in the threat space. It has been that way since the worm era began in 2001, and it is likely to continue to be that way as long as there are significant financial rewards for the bad guys”, Barford observed. “The question is, ‘Can we expect the next big thing in terms of countermeasures?’”, he added.

The Qualys chief scientist said that the “next big thing” is not likely to come from large companies. “Established companies are very good at developing incremental technology”, he noted. Rather, entrepreneurs will be the source of the “next big thing” to counter the black hat innovators, he opined.

The challenges in identifying high-impact cybersecurity innovations and bridging the gap between research and deployment remain significant, particularly in the academic realm. “There is a huge gap between developing a security idea and publishing a paper and actually moving it into practice”, Barford said.

Barford called for new processes for facilitating academic technology transfer to the private sector, such as increasing use of public-private partnerships. He warned against a heavy hand on the part of government. Regulation in particular is a “rat hole” that can siphon off innovative energy, he said.

Jerry Archer, chief security officer at educational loan provider Sallie Mae, agreed with Barford’s negative assessment of regulation.

Archer, who was the summit’s master of ceremonies, related that Sallie Mae has to comply with 162 different laws and regulations in the information security area. He said that 40% of Sallie Mae’s information security budget goes toward compliance efforts. In 2010 alone, Sallie Mae had to go through 28 audits related to access control regulatory compliance.
