NCSC in particular. Now the research activities of the two are combined, owing to NCSC's recent reorganization, and the committee is not in a position to comment on the newly structured program. Although NSA supports active research at several private centers (e.g., SRI International and MITRE Corporation), its support for academic research in computer security appears to have been quite limited in scope and level. That support cannot be tracked straightforwardly, because some of it is passed through other agencies and some recipients have been asked not to divulge NSA's support. NSA has provided some funding for programs, such as the outside cryptographic research program (OCREAE) and DOD's University Research Initiative (URI), that seek to increase the pool of appropriately trained American graduates. In late August 1990, NSA announced a new Computer Security University Research Program, a modest effort aimed at supporting university summer study projects (which are inherently limited in scope and scale).
At the same time, the other agencies with significant agendas related to research in computer security, such as the Department of Energy (DOE), the Navy's Office of Naval Research (ONR), and the National Institute of Standards and Technology (NIST), have had limited programs in funded external research.¹ In the area of information integrity, NIST has attempted to establish a role for itself by holding a series of workshops, but no significant research funding has resulted.²
Not-for-profit and vendor laboratories are pursuing a variety of projects, many of which are discussed elsewhere in this report (e.g., see Chapter 4). However, support for these activities fluctuates with both government interest in security and short-term business needs. Although many of the topics proposed below are relevant to industrial research conducted independently or in collaboration with universities, the committee focused on the need to stimulate academic research.
University-based research in computer security is at a dangerously low level.³ Whereas considerable research is being done on theoretical issues related to security—for example, number theory, cryptology, and zero-knowledge proofs—few research projects directly address the problem of achieving system security. This lack of direct attention to system security is particularly serious given the ongoing dramatic changes in the technology of computing (e.g., the emergence of distributed systems and networks) that make it necessary to rethink some of the current approaches to security. High-risk and long-term research, a traditional strength of universities, is essential. Furthermore, the small number of academicians with research interests in the area of computer security makes it impossible to train a sufficient number of