The National Academy of Sciences (NAS) released a prepublication issue of a new report entitled "Cybersecurity Today and Tomorrow: Pay Now or Pay Later." The report is a collection of excerpts from prior reports published between 1990 and 2000, all of which relate to cyberspace security.

According to NAS, the academy is publishing the report because the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) examined aspects of computer security since the September 11 attack and decided that previously published reports remain relevant.

The NAS said, "...not much has changed \[over the last decade\] with respect to security as it is practiced. The unfortunate reality is that relative to the magnitude of the threat, our ability and willingness to deal with threats has, on balance, changed for the worse, making many of the analyses, findings, and recommendations of these reports all the more relevant, timely, and applicable today."

The CSTB maintains security studies as an important part of its portfolio, and the board has held workshops about security over the last 2 years that have also produced published reports (e.g., "Cyber-Security and the Insider Threat to Security" and "Critical Infrastructure Protection").

In the new NAS report about cybersecurity, NAS quotes the CSTB as saying, "Policy makers should consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge. Possible options include steps that would increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions." The quote comes from a CSTB report entitled "Computers at Risk: Safe Computing in the Information Age," and even though the CSTB originally published the report in 1991 the statements strike an even greater relevance now because of the threat of cyberwar and the large number of security risks users have reported in widely-used products and the recent efforts to change the way users report security risks.

The CSTB maintains a number of published reports at its Web site, and you can find the new report preview at NAS' respective Web site as a Web document, a searchable OpenBook, and a PDF. You can also order a hardcopy of the new NAS report.