Government Relations Update

The July cyber attacks against Web sites at the U.S. Treasury Department, Secret Service, Federal Trade Commission and Department of Transportation were not that surprising to some psychologists. In fact, for years a handful of them have been using their behavioral expertise to help the nation prepare for such strikes.

One such APA member is human factors psychologist Anita D'Amico, PhD, of Applied Visions Inc., a company that enhances the "situational awareness" of agencies that defend the nation's computing infrastructure. D'Amico testified about the role psychologists play in preventing cyber attacks at a June 10 hearing on cyber security research and development held by the U.S. House Science and Technology Subcommittee on Research and Education. The hearing, the first of three scheduled on cyber security, followed on the heels of an Obama administration review of cyberspace policy and President Obama's announcement that he would implement one of the review's recommendations by naming a cyber security czar.

Subcommittee Chairman Daniel Lipinski (D-Ill.) opened the hearing by reeling off frightening statistics, among them that there have been 360 million attempts to break into Department of Defense computer systems, according to the Pentagon. The Federal Trade Commission estimates consumer identity theft costs the nation $50 billion annually.

Speaking to those issues, D'Amico—who was recommended to testify by APA's Science Directorate Government Relations staff—underscored that psychology must play a key role in the evolution of cyber security. She told the committee that while the current emphasis in cyber security research and development has been technological—creating or improving tools to enforce security—there is a significant human element to the problem that cannot be ignored.

"As researchers and educators, we must address all the many different roles that we humans play in cyber security, beyond just the security practitioner who administers firewalls, tunes intrusion detection systems and monitors networks," she said. "We must also educate the software developer, lawyer, policymaker and all of us users who are unwitting accomplices of the attacker."

Specifically, D'Amico called for:

• Gaining a deeper understanding of how people use technology. Bringing together computer science and the behavioral sciences can make our technological breakthroughs actually useful and relevant to society, she said.

• Educating cyber policymakers and legal professionals about confidentiality, integrity and availability of information as it pertains to the nation's computing systems so that they understand the context in which to regulate and prosecute.

• Educating the general public—those who actually use the nation's software and cyber infrastructure—on how to better understand the risks associated with computer use, and how to make better decisions.

The need for such multidisciplinary education includes a large role for the social sciences in developing the next generation of cyber security professionals, she said. She also pointed to the need for training in high-fidelity simulations to provide a safe but realistic learning environment as well as a test-bed for new technologies.

As for enabling useful and usable improvements in cyber security, D'Amico lamented that few results of federally funded cyber research and development make it into the real world. One area of federal funding—the Small Business Innovation Research program—is an exception to that rule. It offers grants that hold recipients accountable for—and reward—prototype development and technology transition.

D'Amico also expressed concern about the lack of private sector input on the federal cyber security research and development portfolio. That, however, may be changing. In July, the National Academy of Sciences held a workshop to examine collaborative research opportunities and potential roles for the federal government, academia and industry to embed usability considerations in research, design, and development related to security and privacy.

D'Amico concluded her testimony by saying that, as one of just a few psychologists engaged in cyber security research and development, surrounded by computer scientists and engineers, "I hope, with this committee's support, that in the future, my position as a psychologist in cyber security will be a bit less lonely."

With sustained effort, cross-fertilization opportunities such as those at the NAS should provide D'Amico with many more psychologist friends.

D'Amico's written testimony as well as the archived webcast of the hearing are available on the House Science Committee Web site.

More about the National Academy of Sciences workshop can be found online.

More about the Obama administration Cyberspace Policy Review can be found online.

Geoff Mumford, PhD, directs APA's Science Government Relations Office.