The days of the big-spending research lab trying to improvise the next big thing is no more, says Hugh Thompson, chief security strategist of Security Innovation (SI), a risk services, mitigation and education provider based in Boston.
"In security, it used to be this free-for-all — do something good and we'll check it out later — and companies had these huge labs," he says, adding that some firms now see the innovation they once asked from scientists coming from universities. "There are so many companies that have labs, like AT&T, Microsoft and Google. But if you look at where innovations have come from, the labs have dissipated into silos where we have to get a product out the door."
Growing market pressure to show near-immediate results from research and development funding has led to labs measuring themselves by a new standard. Instead of waiting years to create an industry-changing technology and push it out to market, firms now try to squeeze many smaller technologies into existing products or new versions, says Thompson.
"In a lab, one of the most interesting questions is, ‘How are you being measured?' If you're a developer, this translates into how much code you put out. But if you're a researcher, how do you measure if someone's doing a good job or not?" he asks. "The answer used to be to hire smart people and let them do what they want to do. But now, one of the big measurements of success is whether your idea has trickled out into the market."
The public sector is getting hit, too. With ongoing conflicts in Iraq and Afghanistan and the threat of domestic terrorism, security researchers are not seeing as much funding as they might like. For instance, only $15 million is scheduled to be distributed to cybersecurity research and development within the U.S. Department of Homeland Security (DHS) in fiscal year 2008, says Liz Gasster, acting executive director of the Cyber Security Industry Alliance.
That's not to say the feds are not spending on cybersecurity. A classified amount of funding goes to the Department of Defense's Defense Advanced Research Projects Agency, according to Gasster.
"A lot of it is push and pull with other projects. When you look at the breakdown for the DHS, just for the Directorate of Science and Technology, you see $562 million for the Domestic Nuclear Detection Office," she says. "There's still a lack of appreciation for a cyberattack or a blended attack that has cyber implications."
Overall, today's projects, private or public, are aimed at improving existing products, and in turn making the lives of end-users simpler. Ari Juels, chief scientist and director of RSA Laboratories, a division of EMC, says researchers at his company are focusing on practical research that will make an average employee's job easier through better password protection and anti-phishing technology.
"Our labs are a little peculiar in that the scientists have had an inclination to see ideas incorporated into products," he says. "There's an odd symmetry between the interests of the scientists and the interests of the business."
So why the switch from big-picture technologies to more easily marketable products? Experts have speculated that in the wake of the dot-com bust, public firms became less likely to spend profits on creating technology that may never see the light of day.
"I think that the dot-com bust was one big contributing factor," says SI's Thompson. "Research and development was on the decline, but I think the dot-com bust really made people focus on fundamentals. Back then, investors were betting on things that could happen in five years or 10 years, and now they want to see things in a much quicker timeframe," he says.
A lot of companies have taken a position of acquisitions over research, he adds. "Look at the number of acquisitions in the security space in the past year. The consolidation has been crazy. Look at Symantec. Look at how many companies they've acquired — they have a running list. Look at the acquisitions that others have made, like EMC and even Microsoft. And that's unusual because they haven't been a big ‘we're going to acquire a lot of companies' kind of company."
Of course, not all lab ideas pan out into marketable products. For some companies, funding a potential product from drawing board to production line to delivery is too much of a risk for a technology that isn't a sure thing, says Kerry Bailey, senior vice president of global services for Cybertrust, a Herndon, Va.-based company that secures critical data, protects identities and helps demonstrate ongoing compliance.
"Our view has been to either white label a technology to embed it with the rest of our program or to go out and acquire the technology. The value is adding it to our intel and our offerings," Bailey says. "With an acquisition we can acquire revenue. To say that we're going to go and start from scratch is just too much of a risk right now."
Federal R&D money
First charged with advising the president and Congress on federal technology in 1991, the President's Information Technology Advisory Committee (PITAC) advised policymakers on cybersecurity, networking, high assurance software and information security issues.
Its 2005 report to President Bush, "Cyber Security: A Crisis of Prioritization," is the foremost report on federal cybersecurity research and development spending, according to Liz Gasster, acting executive director of the Cyber Security Industry Association.
Highlighting the danger of a cyberattack, many of the report's recommendations "are significant, and many will take place over a long period of time," according to Gasster.
Asked to recommend how the federal government should stretch its cybersecurity research and development dollars, PITAC, which had its responsibilities absorbed by the President's Council of Advisors on Science and Technology by executive order in late 2005, urged Bush to direct funding in his second term in office to cybersecurity in the military and intelligence, civilian cybersecurity research and development, and the relationship between the military and intelligence communities and civilian programs.
— Frank Washkuch Jr.