Communications of the ACM

Government-funded initiatives, in cooperation with private-sector partners in key technology areas, are fundamental to cybersecurity technical transformation.

Nicolas Rouquette

Shifting the role of government-funded R&D from military defense to cyber-security represents for me a significant improvement towards stimulating economic activity on constructive and intellectually challenging endeavors. However, the roadmap for cyber-security raises a basic question: do education and public-private partnerships constitute a sufficient quorum of strategic partnerships?

The roadmap focuses on two extremes of an evolutionary scale of ideas from education (where we learn the basics of innovative thought) to public-private partnerships (where public funding fuels the transition from innovative ideas into leap-ahead technologies). In this context, where will the metrics mentioned in the roadmap for evaluating these ideas and new technologies come from? To define clear and robust metrics, we need good standards with solid foundations. Where do these high-quality standards come from?

Good standards are great but it is very difficult to obtain resources to fund the development and improvement of high-quality standards, even if they are very important in academia, industry and government. For example, the Unified Modeling Language (UML) is the poster child of a successful specification at the Object Management Group (OMG, http://www.omg.org) where it was developed and is currently maintained. Despite being implemented by dozens of commercial tool vendors, taught in hundreds of schools around the world and used by thousands of engineers around the world, it is nonetheless very difficult to secure enough resources to fix known technical issues with the UML specification. This resource limitation problem isnt unique to the UML at the OMG. If anything the same resource limitation issue affects the specifications from the W3C (http://www.w3c.org) even though W3C specifications are even more widely used than those of the OMG. At the other end of the scale, even if we come up with good technical standards and specifications to support a thriving cyber-security R&D program, who will incorporate these evolving standards and specifications into education curricula? Who will train students and professionals on using these specifications and standards properly for evaluating cyber-security ideas, technologies and products? If anything, the gap between high-tech industry and fresh-thinking academia partners is too wide to bridge with just a government-funded R&D program. Partnering with strategic standards organizations like the OMG and W3C can bridge this gap in a way that builds upon existing relationships that academia, industry and government have with standards organizations.