[Senate Hearing 107-1070]
[From the U.S. Government Publishing Office]

S. Hrg. 107-1070

S. 2037, S. 2182, HOMELAND SECURITY AND THE TECHNOLOGY SECTOR

=======================================================================

HEARING
before the
SUBCOMMITTEE ON SCIENCE, TECHNOLOGY, AND SPACE
OF THE
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION

APRIL 24, 2002

Printed for the use of the Committee on Commerce, Science, and Transportation

U.S. GOVERNMENT PRINTING OFFICE
90-267 WASHINGTON : DC

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION

ERNEST F. HOLLINGS, South Carolina, Chairman

DANIEL K. INOUYE, Hawaii
JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
JOHN B. BREAUX, Louisiana
BYRON L. DORGAN, North Dakota
RON WYDEN, Oregon
MAX CLELAND, Georgia
BARBARA BOXER, California
JOHN EDWARDS, North Carolina
JEAN CARNAHAN, Missouri
BILL NELSON, Florida

JOHN McCAIN, Arizona
TED STEVENS, Alaska
CONRAD BURNS, Montana
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
OLYMPIA J. SNOWE, Maine
SAM BROWNBACK, Kansas
GORDON SMITH, Oregon
PETER G. FITZGERALD, Illinois
JOHN ENSIGN, Nevada
GEORGE ALLEN, Virginia

Kevin D. Kayes, Democratic Staff Director
Moses Boyd, Democratic Chief Counsel
Jeanne Bumpus, Republican Staff Director and General Counsel

------

Subcommittee on Science, Technology, and Space

RON WYDEN, Oregon, Chairman

JOHN D. ROCKEFELLER IV, West Virginia
JOHN F. KERRY, Massachusetts
BYRON L. DORGAN, North Dakota
MAX CLELAND, Georgia
JOHN EDWARDS, North Carolina
JEAN CARNAHAN, Missouri
BILL NELSON, Florida

GEORGE ALLEN, Virginia
TED STEVENS, Alaska
CONRAD BURNS, Montana
TRENT LOTT, Mississippi
KAY BAILEY HUTCHISON, Texas
SAM BROWNBACK, Kansas
PETER G. FITZGERALD, Illinois

C O N T E N T S

----------

Hearing held April 24, 2002
Statement of Senator Allen
Statement of Senator Edwards
Statement of Senator Wyden

Witnesses

Boehlert, Hon. Sherwood, U.S. House of Representatives
Hira, Ronil, Institute of Electrical and Electronics Engineers (IEEE)-USA
    Prepared statement
Hoffman, Dr. Lance, Department of Computer Science, the George Washington University
    Prepared statement
Logan, Jeffrey, Business Development Manager, M/A-COM, Inc., Wireless Systems
    Prepared statement
Starnes, W. Wyatt, President and Chief Executive Officer, Tripwire, Inc.
    Prepared statement
Strawn, Dr. George, Assistant Director (Acting), Directorate for Computer Information Science & Engineering (CISE), National Science Foundation
    Prepared statement

Appendix

Response to written questions submitted by Hon. John McCain to:
    Dr. George Strawn
Graham, James W., Chief Operating Officer, Emergency Asset Management Systems, prepared statement
Vargo, Franklin J., Vice President, International Economic Policy, letter dated April 8, 2002, to Hon. Wyden and Hon. Allen
Vargo, Franklin J., Vice President, International Economic Policy, letter dated April 19, 2002, to Hon. Wyden

S. 2037, S. 2182, HOMELAND SECURITY AND THE TECHNOLOGY SECTOR

----------

WEDNESDAY, APRIL 24, 2002

U.S. Senate,
Subcommittee on Science, Technology, and Space,
Committee on Commerce, Science, and Transportation,
Washington, DC.

The Subcommittee met, pursuant to notice, at 2:30 p.m. in room SR-253, Russell Senate Office Building, Hon. Ron Wyden, Chairman of the Subcommittee, presiding.

OPENING STATEMENT OF HON. RON WYDEN, U.S. SENATOR FROM OREGON

Senator Wyden. The Subcommittee will come to order. Today, the Subcommittee on Science, Technology, and Space convenes the third in a series of hearings on improving America's homeland security through technology. We are also going to look in detail at two pieces of legislation, S. 2037 and S. 2182.

It is my intention, working closely with my friend and colleague, Senator Allen and, of course, the chairman of the full committee, Senator Hollings, and the Ranking Minority Member, Senator McCain--it is our intention to work very closely with the Administration so that it will be possible at the next mark-up of the full Commerce Committee on May 16 to process both pieces of legislation. I did have a very constructive conversation this morning with Mitch Daniels, the head of the Office of Management and Budget. He made it very clear that he wanted to work with our Committee on a bipartisan basis to address both of these important pieces of legislation, and I appreciate Director Daniels' constructive effort. We are going to work closely with the Administration so it will be possible to move these two important pieces of legislation, and I believe it will be possible to do that on May 16.
As this country mobilizes to protect itself from terrorism and other threats, a key weapon in our defensive arsenal is this country's great technological prowess. Many of the most promising technologies for improving security reside outside the government in the dynamic arena of private sector entrepreneurship, but the government can supply some key ingredients to make the technology sector's homeland security efforts more effective. Therefore, it is important to forge a strong partnership between the government and the technology sector in order to provide the best protection and response possible for the American public from high-tech cyber attacks to more conventional threats. Many of the solutions for reducing this country's vulnerabilities are rooted in technology. Sophisticated hacker attacks on crucial computer networks must be dealt with by developing technology that can detect and prevent intrusion. More conventional low-tech threats like airplane hijacking likewise demand new technological responses. Better security screening and biometric devices are key to keeping terrorists off our planes, but when disasters do happen, technology can make a huge difference by enabling the first responders to communicate, by coordinating relief efforts to send resources where they are needed most, and by helping families locate loved ones. Today we will look at two pieces of legislation, S. 2037, the Science and Technology Emergency Mobilization Act, which I am proud to have authored with Senator Allen, the Subcommittee's distinguished Ranking Member. This legislation seeks to provide an organizational structure to quickly locate and mobilize private sector scientific and technology expertise in times of crisis. One pillar of that structure has been dubbed the National Emergency Technology Guard, or NET Guard. It would be a central part of a strategic technology reserve, much like this country's strategic petroleum reserve. 
The difference is, instead of oil the strategic technology reserve would be a deep well of private sector expertise and technological equipment that could be available around this country at a moment's notice. The country's best scientific minds, technology experts, and technology companies would be invited to participate, and these companies, in my view, by helping to assist on a volunteer basis could make a significant difference. We envisage these volunteers becoming part of a NET Guard, and this country would have a central data base where we could catalogue the company's people and resources such as computers, software, wireless devices, and biohazard detection equipment, that would be available on a moment's notice. The legislation has other objectives. One is to speed the evaluation of new products from the technology sector so that they can be matched with particular needs of federal security and response agencies. This seems to me to be particularly important, because with the federal government having been flooded with proposals, or various kinds of technologies, it is important that the government not buy outdated and antiquated equipment. This part of the legislation would make that possible. The second bill the Subcommittee is going to consider focuses more on the direct threat to our technology infrastructures and the dangers posed by cyber terrorism. This is S. 2182, the Cyber Security Research and Development Act, which seeks to build a foundation of basic cyber security research, and grow the ranks of scholars who can devise innovative security defenses. Since basic research is the soil out of which future cyber security advances grow, the government ought to support it. This legislation does so with a series of grants through the National Institute of Standards and Technology and the National Science Foundation. 
The awards are designed to encourage cutting-edge research today and to call more of the nation's brightest scientific minds to study the problem down the road. We are happy to have the opportunity to follow up on our earlier work by examining and hearing testimony on legislative proposals with respect to both of these Senate bills. I would also like to thank all the companies, organizations, and individuals whose support and input has been so helpful in moving both pieces of legislation forward. I want to reiterate my interest in working closely with the Administration on a bipartisan basis. Senator Allen and I have done that consistently throughout our service on this Committee, and I want to welcome my colleague and invite him for any remarks he would like to make.

STATEMENT OF HON. GEORGE ALLEN, U.S. SENATOR FROM VIRGINIA

Senator Allen. Thank you, Mr. Chairman. I want to begin by thanking you so much for calling this hearing on this subject matter, but in particular the focus on these two bills, S. 2037, the Science and Technology Energy Mobilization Act, and S. 2182, the Cyber Security Research and Development Act. I appreciate both your leadership and your cooperative spirit on these issues, and I look forward to working with you on it, and we will work with our colleagues--this is a bipartisan effort--and certainly Chairman Hollings and Ranking Member Senator McCain, as well as the Bush Administration, in working together for all of our shared goals in these regards. I would like to thank all our witnesses for being here today, and in particular I do want to thank Mr. Jeff Logan from M/A-COM, Incorporated for testifying at today's hearing, and I look forward to reading your insights and all of your insights on both these bills.
Both these bills that will be the main focus of today's Subcommittee hearing highlight the vital role that technology plays in our nation, in our war to protect our homeland from terrorism, as we have highlighted, and I agree wholeheartedly with every remark that you made, Mr. Chairman. And Senator Wyden, it's exactly my sentiments and philosophy in not just this hearing but in so many we have heard, whether in this Subcommittee, or as chairman of the Republican Senators High Tech Task Force, that there are so many technologies that are being developed or are actually currently developed that could help us in so many ways to save the lives of fire fighters, rescue workers, police officers, first responders. There are technologies being developed, or are developed that can help us detect chemicals or radiological or biological agents. They also could improve and protect our communications systems from attack, and obviously the key from a lot of these is the interoperability of communications from all of these various federal, state, and local agencies prior to an attack, or during an attack, or if, sadly, it befalls us again, after an attack. Now, S. 2037, the NET Guard bill, can play in my view a major role in preventing many of the problems that occurred during the attacks in New York City and at the Pentagon. The September 11 attacks taught us two things, one, how many technological improvements there are to help our security that are really, truly needed by our state, local, and federal services, and the second thing we learned from September 11 is that there is a great depth and reservoir of American goodwill to provide solutions. I like the fact that this bill calls upon the ideas of the best and brightest minds of America's technology work force to act as an all-volunteer force to help restore communications and infrastructure operations after a major national disaster. 
Like all Americans, we had heard earlier in this Subcommittee and, indeed, the full Committee, of the heartening volunteer efforts of companies like Verizon, Intel, Accenture, Cingular, and others that volunteered both staff and equipment to restore communications in New York City and in the Washington, D.C. area, and this bill I think will be a way of helping facilitate their efforts without dampening any voluntary spirit. Now, as you said, Mr. Chairman, there are many enterprises and commercial applications that can be adapted to meet governmental security or safety, public safety needs. I, along with Members--and I know Senator Edwards and everyone else has heard all sorts of ideas about companies, about products, their ideas, and how they will be able to help us, and every single one of them seems like a really good idea. In fact, I was reading in the newspaper and found it interesting about ideas--this did not have to do with homeland security, but how to fight this war on terrorism, and there was one suggestion that the Bush Administration had received about how to get the Al Qaeda terrorists out of the caves, put in hives of killer bees, and I was thinking, you know, we have heard that is not a very high tech idea, but it gives you the idea of the breadth of ideas and at first you may laugh at that idea and say, you know, who knows, that might work. The key, though--and I'm not suggesting we need killer bees for communication. I'm just trying to show you the breadth of ideas that we get as Senators, and I am sure the Bush administration gets, on how we could help. Now, the key to all of this is to have a method of accurately testing and evaluating these ideas so that when procurement is going forward, or if somebody has an idea, there is a way to have that test bed, and that is something that I think is vitally important, and an important part of this bill, and I really look forward to making sure that gets achieved. 
Now, the other bill in the Subcommittee that we are examining today, S. 2182, will address the important issue of cyber security. I will say that there is another cyber security bill that is not in this Committee, it is in Senator Lieberman's committee that Senator Bennett and others are pushing to make sure that there is the communication as far as cyber security, and I hope they will have a hearing on it. If you were in charge of that, we would have a hearing, but nevertheless, there are many concerns about our critical infrastructure in our country and the Internet. We have seen it in the past. The survey just last year by the Computer Security Institute and the FBI found that 85 percent of 538 respondents experienced computer intrusions. According to the Computer Security Institute and FBI survey, the estimated economic loss in these attacks was $378 million, a 43 percent increase from the previous year. This Cyber Security Research and Development Act can, I believe, as you said, Mr. Chairman, play a major role in fostering greater research and methods to prevent future cyber attacks, and design more secure networks. The bill I think can very well harness and link the intellectual power of the National Science Foundation, NIST, our universities, and the private sector to develop new and improved computer cryptography and authentication, firewall operations and control systems management and computer forensics. I reviewed this bill, and the merits of it, and I would certainly be proud to join you as a cosponsor of the Cyber Security Research and Development Act. I think it is very much needed for our education and for our security, and again I look forward to hearing the testimony. I will say, Mr. Chairman, I am on the Foreign Relations Committee and we are having a Top Secret briefing at 3 p.m.
from Secretary Colin Powell on the Middle East situation, so I will have to read a lot of the testimony, but nevertheless we are going to work--although it will not be decided today. This is just one of those steps in the advancement of these good causes and good ideas. Thank you, Mr. Chairman.

Senator Wyden. I thank my colleague for an excellent statement, for working closely with us, and of course, we were talking about both these pieces of legislation as recently as 15 minutes ago, we are going to push very hard on a bipartisan basis with the Administration. I thank you for a fine statement and your leadership. Now, I want to recognize Senator Edwards, who has been very passionate about his interest in science policy. We are so pleased to have him on this Subcommittee. What is so striking between the three of us, our states 30 or 40 years ago would not have had a whole lot of technology. They were largely agricultural states, and all of them now, in addition to growing things, something we feel strongly about, have made a big push in technology. Senator Edwards brings great expertise to this field, and we are pleased to have you here, and make whatever statement you choose to.

STATEMENT OF HON. JOHN EDWARDS, U.S. SENATOR FROM NORTH CAROLINA

Senator Edwards. Thanks, Mr. Chairman. I will be very brief. I think we are all very proud of the leadership that our three states have shown in the area of technology, and I am also proud, Senator Wyden, of the leadership you have shown in this area. Thank you very much for the work you have done, and my colleague from Virginia, thank you for the work you have done. I think we all know that cyber terrorism and cyber crime rank among very serious threats to American security and safety. They are threats that ought to be addressed, need to be addressed. Last fall, I began working on some proposals to address these issues.
We collected a lot of very good ideas from leaders in government and academia and the private sector, and in January I introduced two bills, the Cyber Terrorism Preparedness Act, and the Cyber Security Research and Education Act, and my hope, Mr. Chairman, is that we will be able to work together to make sure that our legislation accomplishes all the things that we are interested in accomplishing, and I want to just briefly highlight three points that I think we need to make sure are included in any legislation.

One, that we promote cyber security best practices. If you left your house without locking the door, you would expect to be robbed. Right now, government systems and private systems basically have a lot of their doors open. We need to change passwords regularly, but we do not always do it. We need to turn off certain dangerous computer applications, but we do not do it. The legislation that I introduced would first encourage research and public education to develop and encourage best practices and, second, require government to adopt these best practices and move toward requiring them for government contractors and grantees. This should be a priority in any legislation that we move.

Second, we need to move some of the grant-making authority for cyber security research outside of the government. Government is full of terrific public servants, but the reality is that too often in this area we do not have the flexibility or the trust from the private sector that we need to lead in this area, so in our bill we propose funding a nonprofit, non-government consortium to do a lot of grant-making. I think that is an important component of any legislation we move forward.

And third, we want to encourage the development of cyber security experts in academia. Right now, the prestige in computer science is too often in other fields than cyber security. We need to get our best minds doing work that can protect our country and our economy.
Our bill has a range of grants, fellowships, and sabbaticals for research in this field. I know that your legislation does the same thing. I think those are critical components of those bills. So with that, Mr. Chairman, I would yield back to you, and thank you for the work you are doing, and the leadership you and Senator Allen have shown.

Senator Wyden. Well, I thank my colleague, and we are going to work very closely with you. I think there are a lot of areas where there is common ground, and between now and May 16 we will work through the proposals you have, and the Administration's proposals, and we will move forward, and thank you very much for coming today. We are also pleased to have Sherry Boehlert, an individual who has been a friend of mine for 20 years now, and we especially like the chance to partner with him. Chairman Boehlert, you have done a terrific job on the cyber security effort in the House. We appreciate your willingness to work with Senator Allen and I on the bill to mobilize volunteers in the private sector and science and information technology, and we are going to get both of these bills on the President's desk by working together and with the Administration, so you proceed as you choose to, and know that you have our welcome as usual.

STATEMENT OF HON. SHERWOOD BOEHLERT, U.S. HOUSE OF REPRESENTATIVES

Mr. Boehlert. Thank you very much. It is good to be back with friends, Senator Allen and you and Senator Edwards. I greatly appreciate your inviting me to testify today on the vital issue of cyber security, and I am pleased that our Committees have been able to work so well together. It is a critical matter. We are taking a bicameral, bipartisan approach to cyber security, the only approach that makes sense in dealing with such a massive, growing, and largely unappreciated threat. Indeed, it would be hard to exaggerate our nation's vulnerability to cyber attacks.
We rely more every day on an open network of computer systems for the most basic activities of our daily lives, communications, business transactions, and utility transmissions, to name just a few, and even our more secure systems have turned out to be porous when tested. A computer attack by terrorists or common criminals or malicious teenagers, for that matter, could be monumentally disruptive and, indeed, life-threatening. So the obvious question is: What are we doing to prevent and prepare for such an attack? And, unfortunately the answer is just as obvious: Not enough. The Administration deserves enormous credit for the work Governor Tom Ridge and Dick Clarke are doing to address this threat, especially in the near term. That is a full-time job to put it mildly. I think that we in the Congress have to spend some of our time helping to take the somewhat longer-term steps to counter cyber terrorism--even though we are not usually accused around here of long-term thinking. Still, improving cyber security requires a long-term commitment. Our adversaries are going to get more and more skilled, and we must get smarter and smarter to counter them. Like the Cold War, the war against terrorism must be won in the laboratory as much as in the battlefield. With that in mind, I introduced H.R. 3394, the ``Cyber Security Research and Development Act,'' late last year, and the House in February passed it by an overwhelming vote of 400 to 12. I am honored, Mr. Chairman, that you have introduced our bill in the Senate as S. 2182, and we have had some very promising conversations with other Senators of both parties, but I especially appreciate your leadership. This bill directly attacks several problems that we have uncovered in testimony before the House Science Committee, and that I am sure you will hear about here today. First, the nation invests a pitifully small amount in cyber security research, and that is true of both government and industry. 
Government underinvests in part because no single agency has responsibility for the problem, and industry underinvests because the market has generally not put a high value on security compared with speed and price and other attributes of software. Second, as a result of the minimal investment, few top researchers are engaged in cyber security research, and few students are attracted to the field. Third, as a result of that minimal focus, our basic approach to cyber security has not changed in decades, even though it is known to be riddled with holes. Bill Wulf, the president of the National Academy of Engineering, and a leading computer scientist, calls this current cyber security paradigm a ``Maginot Line'' defense. That is not good enough. So what does H.R. 3394 offer in response? It sets up programs at both the National Science Foundation and the National Institutes of Standards and Technology, two premier science and technology agencies. These programs will bring industry and academic experts together, fund new, more daring research, attract top researchers to the field, and recruit new students to the field. The legislation also tells NSF that it has the lead responsibility for eliminating our deficiencies in cyber security research. It is nice to know someone is going to be in charge. In short, the new research grants, education grants, and fellowships created by H.R. 3394 directly address every problem we have identified that hampers our ability to develop a long- term strategy to counter cyber terrorism. As a result, the bill has been strongly endorsed by such groups as the Information Technology Association of America, and the National Association of Manufacturers and, indeed, by just about every leading high tech industry and academic organization. It has also been endorsed by the Administration, which I think is important to know. 
The bill is a targeted, thoughtful approach to solve a problem that endangers our nation, and it reflects the advice of a range of experts from government, industry, and academia. I commend it to your attention, and I look forward to working with you to enact it and get it funded. I also want to express my support for the thrust of your bill, Mr. Chairman, S. 2037, popularly known as ``NET Guard.'' We are working on introducing it in the House. The bill addresses another serious gap in our cyber security preparedness--ensuring that we have the ability to respond should an attack actually succeed. We saw after the World Trade Center attack just how important it was to get our communications and utilities up and running again, and Con Ed and Verizon and squadrons of volunteers did a magnificent job. It was little short of a miracle that the New York Stock Exchange was back in business so rapidly. We need to have a system in place to ensure that recovery can always proceed that quickly. That is the goal of NET Guard, and we have to find the right language to ensure that we have the pieces in place to allow rapid recovery. So Mr. Chairman, I look forward to continuing to work with you and with your colleagues to address this most difficult problem of cyber security. It is one that remains somewhat invisible to the public, just as the reliance on computer systems is somewhat invisible. If we do our jobs now, maybe the problem can remain invisible forever. A note was just given me. Senator Allen has announced that he will cosponsor our bill, and that is a wonderful addition to the squad.

Senator Wyden. Well, let me just say, Chairman Boehlert, you have given, as usual, just an excellent statement. I think you are absolutely right with respect to what you want to accomplish in S. 2182. I think, as you have stated, the Administration deserves substantial credit for their work on the legislation as well, and what it will do, what S. 2182 will do, is ensure that these two premier agencies, NSF and NIST, will have a permanent capability that will allow us to find those cutting edge strategies and technologies to fight terrorism, and I commend you for all your work. I thank you for agreeing to work with us on S. 2087, and since, Chairman Boehlert, you of course had the vote, let me just tell you a little bit of where we are and just sort of invite you to participate. I think it is our desire on May 16, Senator Allen and myself, working with Chairman Hollings and Senator McCain, to have, with your input and that of the Administration, the ability of the Senate to move forward on both of these bills at the May 16 mark-up. Obviously, there are issues that we need to work on to ensure that there is no duplication and that we maximize the efforts to coordinate what is going on in the private sector with what is going on in government, but I think the pieces are falling in place. Mitch Daniels, in my discussions with him this morning, was very positive in terms of working with us, and so we invite you and your staff to work with the Commerce Committee leadership on these issues. With a little luck, we will have both of these bills moving on May 16, and to a great extent that is possible, Sherry, because of all that you have done.

Mr. Boehlert. Thank you, Mr. Chairman. It is always a pleasure to work with you. We have a longstanding relationship. It is just nice, as the years pass, to get a little extra seniority and a little extra influence around this town, and we are putting it to good use.

Senator Wyden. Well, you are using your gavel well, and we will try to complement what you are doing on this side. Unless you have anything to add, we will excuse you, but know that we are very appreciative of all your leadership.

Mr. Boehlert. Thank you very much.

Senator Wyden. Our next panel is Mr. Ronil Hira, Institute of Electrical and Electronics Engineers; Dr. Lance Hoffman, Department of Computer Science, George Washington University; Mr. Jeffrey Logan, Business Development Manager, M/A-COM; and Mr. Wyatt Starnes, President and Chief Executive Officer of Tripwire in Portland, Oregon. Let me also apologize, Dr. Strawn, I was reading from the wrong column. I apologize. We are very glad that you are here. Please, all of you, sit down and be comfortable, and we will make up for the omissions in the introductions, Dr. Strawn, by starting with you, and we will make all of your prepared remarks a part of the hearing record in its entirety, and if you could take 5 minutes or so and summarize your principal concerns, that would be great. Dr. Strawn, welcome.

STATEMENT OF DR. GEORGE STRAWN, ASSISTANT DIRECTOR (ACTING), DIRECTORATE FOR COMPUTER INFORMATION SCIENCE & ENGINEERING (CISE), NATIONAL SCIENCE FOUNDATION

Dr. Strawn. Chairman Wyden, thank you for the opportunity to testify at this hearing on homeland security and the technology sector, and on the Cyber Security Research and Development Act. I am George Strawn, the Acting Assistant Director for Computer and Information Science and Engineering at the National Science Foundation. Prior to coming to NSF, I was a faculty member in the university computer science department and the director of an academic computation center. As such, I have been concerned with issues like cyber security for a long time. As you know, the Administration has yet to take a position on S. 2182, and so I will confine my remarks to the need for cyber security research and development and provide you with an overview of NSF's involvement in this important area. The Administration would appreciate an opportunity to analyze S. 2182 and submit written views on it prior to the Subcommittee's consideration of the bill. Cyber security is now understood to be a rather difficult problem.
This is true for many reasons, including the fact that cyber security is a property of the total system, not of the system components, and those components include human and management elements as well as technology elements. This means that individually secure components and procedures can be put together and still comprise a system that is not secure, unless the proper attention is given to system-level security considerations. Of course, the fact that the Internet makes one big system out of millions, soon to be billions, of IT components is a major source of complexity and insecurity.

As you know, NSF focuses on long-term fundamental research and education in all areas of science and engineering. Long-term fundamental research has as its goal increased understanding of the subjects under study, and it has been the experience of science and engineering research that increased understanding leads to technology developments that are then put to important uses by society. We believe there are important reasons to increase the emphasis on cyber security research and development, that is, seeking a better understanding of cyber security, as NSF has recently been doing.

A major problem in developing a robust cyber security research program is that the number of faculty members in academe doing research in cyber security has been quite small. This is perhaps the most important problem to be solved as we seek to increase the amount of long-term fundamental research in cyber security, and unless there is a sufficiently large community of cyber security researchers, there will never be a sufficient number of graduate students trained in this field. This translates into a shortage of next-generation cyber security workers and faculty. It also means we will continue to lack the courses and curricula needed to educate more students, undergraduates and graduates alike, for the cyber security work force.
Last September 5, NSF announced a new research program called Trusted Computing to focus our support for cyber security research. In addition to the estimated $20 million that we have been investing in cyber security-related research projects, we allocated $5 million for our Trusted Computing program. On December 5, we received about 120 proposals in response to that announcement, requesting over $80 million of support. Our expert panelists who reviewed those proposals rated almost half of them as worthy of funding. We believe that the Trusted Computing program and similar programs will motivate more faculty to turn their attention and expertise to cyber security, and that this will help create a vibrant research community that will attack and ultimately solve many of the difficult problems associated with cyber security.

NSF also has considerable experience in supporting curriculum and academic program development and in administering graduate and undergraduate trainee programs such as Scholarships for Service, the CyberCorps program. This program has been funded at approximately $11 million for the past 2 years, and the Administration is requesting $19.2 million in supplemental funding to enhance the program in fiscal year 2002. Such activities also help accelerate developments in cyber security, especially when coupled with vibrant research support to attract research faculty into the area, as mentioned above.

Thank you again for the opportunity to testify, and I would be happy to respond to any questions you may have.

[The prepared statement of Dr. Strawn follows:]

Prepared Statement of Dr. George Strawn, Assistant Director (Acting), Directorate for Computer Information Science & Engineering (CISE), National Science Foundation

Chairman Wyden, Senator Allen, Members of the Committee, thank you for the opportunity to testify at this hearing on Homeland Security and the Technology Sector and the Cyber Security Research and Development Act.
I am George Strawn, acting Assistant Director for Computer and Information Science and Engineering at the National Science Foundation. Prior to coming to NSF, I was a faculty member in a university computer science department and the director of an academic computation center. As such I have been concerned about issues such as cybersecurity for a long time. As you know, the Administration has yet to take a position on S. 2182, so I will confine my comments to the need for cybersecurity R&D and provide you with an overview of NSF involvement in this important area. The Administration would appreciate an opportunity to analyze S. 2182 and submit written views on it prior to the Subcommittee's consideration of the bill.

Although cybersecurity has always been an important part of information technology (IT), over the last decade its importance has been greatly magnified. This is so because IT systems and services now are pervasive throughout society and because the Internet now ties together so many of our IT systems. While this interconnectedness of IT systems is enabling great productivity gains for the U.S. economy, it has also enabled great gains for IT mischief-makers and outlaws. Clearly, there is much understanding yet to be gained if we are to avoid unpleasant surprises and to foil those who would attack the Internet or use it for illegal purposes.

Although the defense sector has always paid great attention to cybersecurity, the same cannot be said about many civilian applications of IT. Until recently, cybersecurity has been considered an "optional add-on" for many IT systems. As recently as two years ago, discussion at a President's IT Advisory Committee (PITAC) meeting indicated that the private sector "was not being rewarded" for cybersecurity products and services because they made IT systems more complicated and slower at a time when customers were wanting more simplicity and speed.
Although these circumstances have begun to change, there is much to do before we will be able to achieve desired levels of cybersecurity.

Cybersecurity is now understood to be a rather difficult problem. This is true for many reasons, including the fact that cybersecurity is a property of the "total system", not of the system components (and those components include human and management elements as well as technology). This means that individually secure components and/or procedures can be put together to comprise a system that is not secure--unless the proper attention is given to system-level security considerations. Of course, the fact that the Internet makes "one big system" out of millions (soon to be billions) of component IT systems is a major source of complexity and insecurity.

Early research and development work on the Internet, as with many IT developments of the past, focused on "making it work", not necessarily on making it secure. And because cybersecurity is a systems property, trying to add it on as an afterthought is very problematic. It would be much better to recreate IT systems with cybersecurity as a major design criterion than to attempt to patch it in after the fact.

Of course, we must and can attend to short-term needs and to long-term improvements simultaneously. Short-term cybersecurity patches are not only possible but are in progress throughout the IT world. In fact, a major challenge is to get cybersecurity services and procedures that have been developed over the last few years into wide use.

Although there may be useful tactical contributions to cybersecurity that NSF can make (such as cybersecurity emphases in our Digital Government program), I would like to focus on longer-term issues in cybersecurity because that is where NSF's contributions can be the greatest. As you know, NSF focuses on long-term fundamental research and education in all science and engineering disciplines.
This long-term fundamental research has as its goal increased understanding of the subjects under study. And it has been the experience of science and engineering research that increased understanding leads to technology developments that are then put to important uses by society. In many cases the societal uses that result from scientific understandings were not apparent at the time the scientific work was being done. For example, important applications to cybersecurity may arise out of scientific research in IT systems (or even in other sciences) that doesn't initially appear to be related to security. Nevertheless, there are important reasons to increase the emphasis on cybersecurity R&D, as NSF has recently been doing.

NSF has supported cybersecurity research for a number of years, recently at a level of approximately $20 million. A major problem in developing a robust cybersecurity research program is that the number of faculty members doing research in cybersecurity has been quite small. This is perhaps the most important problem to be solved as we seek to increase the amount of long-term fundamental research in cybersecurity. Unless there is a sufficiently large community of cybersecurity researchers, there will never be a sufficient number of positions for graduate students to assist in the conduct of that research. This translates into a shortage of next-generation cybersecurity workers and faculty. It also means we will lack the courses and curricula needed to educate more students--undergraduates as well as graduates--ready to go into the cybersecurity workforce.

NSF's Scholarships for Service/CyberCorps program is one way we are trying to address this issue. This program makes awards to qualified institutions to provide scholarships to undergraduate and graduate students studying computer security. In exchange, the recipients must serve in the federal government for at least two years.
The program also provides capacity-building grants to improve the quality and increase the production of computer security professionals. The program has been funded at approximately $11 million the past two years, and the Administration is requesting $19.3 million in supplemental funding to enhance this program in FY 2002.

Last September 5th, NSF announced a new research program, Trusted Computing, to focus our support for cybersecurity research. In addition to the estimated $20 million that we anticipate as our ongoing investment in distributed cybersecurity research projects, we allocated an additional $5 million for the Trusted Computing program. On December 5th, we received about 120 proposals in response to that announcement, requesting over $80 million of support. Our expert panelists who reviewed those proposals rated about 10 percent of them as "highly competitive" (high praise from the ever-critical research community) and rated almost half of them as worthy of funding. We will award funding to the highly competitive proposals.

We believe that this program will motivate more faculty to turn their attention and expertise to cybersecurity. It will be necessary to focus attention on programs like Trusted Computing over the next several years if we are to help create a vibrant research community that will attack, and ultimately solve, many of the difficult problems associated with cybersecurity.

In addition to individual research awards, NSF has recently increased the number of large, interdisciplinary project awards it has made in areas of IT research. Under the Information Technology Research (ITR) priority area initiated in 2000, NSF began a major invigoration of its IT research activities, including a focus on large, interdisciplinary research projects.
We believe that this focus has already begun to show extremely valuable results by enabling computer scientists and engineers to work collaboratively on problems that require expertise from many areas to solve. I believe that many cybersecurity problems will also benefit from interdisciplinary groups or centers working collaboratively on their solutions.

One important goal of fundamental long-term research in cybersecurity will be to produce agreement on what, in fact, constitutes a secure system. When such an agreement is in hand, it will be possible to formulate important cybersecurity standards that, like all important standards, will facilitate their realization.

NSF also has considerable experience in supporting curriculum and academic program development and in administering graduate traineeship programs. Such activities could also help accelerate academic developments in cybersecurity as long as they are coupled with vibrant research support to attract the research faculty into the area, as mentioned above.

NSF focuses on people, ideas, and tools as it pursues its goals of helping to keep the U.S. in a world-leadership position in science and engineering research and education. Increasingly, IT tools and services are required by all academic disciplines to achieve these goals. Therefore our efforts to contribute to cybersecurity research and development are increasingly required by our science and engineering community as well as by society at large. As IT continues to transform society, cybersecurity continues to increase in importance and is of increasing priority on our list of important scientific and engineering activities.

Thank you again for the opportunity to testify, and I would be happy to respond to any questions you may have.

Senator Wyden. Very good. Let us move on now to Dr. Hoffman.

STATEMENT OF DR. LANCE HOFFMAN, DEPARTMENT OF COMPUTER SCIENCE, THE GEORGE WASHINGTON UNIVERSITY

Dr. Hoffman. Thank you, Chairman Wyden.
It is an honor to have this opportunity to appear before you today to comment on S. 2037, the Science and Technology Emergency Mobilization Act, and S. 2182, the Cyber Security Research and Development Act. My name is Lance Hoffman. I am professor of computer science at the George Washington University here in Washington, D.C., where I lead the computer security graduate program in computer science. I am a fellow of the Association for Computing Machinery, the ACM, an organization of 75,000 computer professionals with active professional and student chapters in Oregon, Virginia, and most states throughout the nation. This statement today has been endorsed by the ACM's Committee on Computer Security and Privacy and the U.S. Public Policy Committee of the ACM, the USACM. I will summarize it in the interest of time. My entire statement has been submitted for the record.

First, let me address S. 2182. This bill takes important steps to develop the cadre of scientists, engineers, and computer specialists who understand current information assurance problems and can ameliorate them while also developing long-term solutions based on improved, smarter technologies. It does this by new research and education programs at the National Science Foundation and the National Institute of Standards and Technology.

Computer security and information assurance have had trouble in the past competing with more established disciplines. Students and faculty have been driven by available funding opportunities to work on problems that are better known and whose solutions are in some cases more developed, but less important and critical to the nation than the security of its infrastructure. This bill will help remedy that situation.

I especially like the inclusion of privacy and vulnerability assessments, also known as risk analysis, as important areas of study, since innovative technical solutions will fail if they do not take into consideration the surrounding constraints.
These constraints include politics, cost, legal liability, and other technologies like battery life. I very much support the bill.

The Committee may wish to consider a few minor improvements. First of all, there is an intense nation-wide competition for the current small number of recent Ph.D. graduates interested in a faculty position in computer security and information assurance. Explicitly allowing funds for faculty recruitment from outside, for example, from retirees, might provide another source of qualified people to build up the training cadre more rapidly.

Second, program managers at NIST and NSF should be allowed a bit more discretion in funding extraordinary projects with high risk and high potential. Setting aside a small percentage of the funds of this bill for innovative projects that address evolving and emergency research issues will allow researchers to fund a planning workshop or encourage an add-on specialty day at an existing conference in a hurry, without encountering a lot of red tape.

Finally, I respectfully suggest that universities be allowed to concentrate first on curriculum development and student recruitment. Later, universities could be required to collect appropriate placement data from students as they exit the program. The bill as written, I believe, currently requires placement data up front, and I think this competes with getting these new programs off to a good start.

Let me now turn to S. 2037. S. 2037 establishes pilot programs aimed at achieving the interoperability of communications systems used by emergency response agencies. It is good as far as it goes, but it is incomplete. It is also necessary to improve the integrity, assurance, and security of these systems. Standards bodies, including NIST, should work to develop better wireless standards to ensure security and utility of such systems.
Also, while this legislation takes necessary steps to require expertise checks, it lacks similar safeguards requiring background checks, potentially allowing the introduction of technically competent, malevolent individuals into the nation's infrastructure defense. We must verify both the technical credibility and the personal background of individuals selected for the National Emergency Technology Guard that is envisioned in this bill.

A final point. If and when utilized, the virtual technology reserve database should only be used, and not misused, by those responsible. The database must be designed and tested properly and vetted by experts in databases, privacy, and security.

A final word on the chilling effects of the Digital Millennium Copyright Act. I would be remiss if I did not mention these. The DMCA's restrictions have the potential to cripple the very security advancements that S. 2037 and S. 2182 are intended to generate, and its limited exemptions have not provided a safe harbor for researchers. I urge you to reexamine it and similar laws.

Thank you, Mr. Chairman, for the opportunity to appear before you today. I would be pleased to answer any questions you might have.

[The prepared statement of Dr. Hoffman follows:]

Prepared Statement of Dr. Lance Hoffman, Department of Computer Science, the George Washington University

Thank you, Chairman Wyden, Senator Allen, and other distinguished members of the Science, Technology, and Space Subcommittee. It is an honor to have this opportunity to appear before you today and to assist in your efforts to strengthen our nation's information infrastructure and improve our capability to respond to and recover from terrorist attacks and other emergencies.

I am Lance J. Hoffman, Professor of Computer Science at the George Washington University here in Washington, D.C. I lead the computer security graduate program in computer science and the Computer Security and Information Assurance Graduate Certificate Program.
This academic year, I taught information policy and information warfare courses to students of computer science, international affairs, political science, and other fields. In 1993, I founded the School of Engineering's Cyberspace Policy Institute to examine the relationship between the technical and other factors that affect security, privacy, and related aspects of computer and information systems.

I am a Fellow of the Association for Computing Machinery (ACM), the nation's oldest and largest professional society of computer scientists, educators and other computer professionals committed to the open interchange of information concerning computing and related disciplines. The ACM has 75,000 individual members, including active professional and student chapters in Oregon, Virginia, and most states throughout the nation. To underscore the importance of today's hearing, this statement has been endorsed by the ACM's Committee on Computer Security and Privacy and the U.S. Public Policy Committee of the ACM (USACM).

I appreciate this opportunity to comment on S. 2037, the Science and Technology Emergency Mobilization Act, and S. 2182, the Cyber Security Research and Development Act, two significant pieces of legislation designed to address our nation's information assurance needs.

S. 2182

First, let me address S. 2182. This bill takes important steps to develop the cadre of scientists, engineers, and computer specialists who understand current information assurance problems and can ameliorate them while also developing long-term solutions based on improved, smarter technologies. To date, despite the fact that an increasing amount of daily life involves reliance on computer systems and networks, there is a remarkably small amount of long-term, ongoing funding available for computer security and information assurance research and development designed to solve these problems.
This bill may remedy these concerns by providing the incentives and human resources necessary to meet some of today's security challenges and to take on tomorrow's. It does this in several ways, notably by the new research and education programs it calls for at the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST). These programs will promote more innovative research in information assurance by attracting technically competent researchers into this field of national need. The bill is written in such a way that everyone from a senior faculty member wishing to focus his or her attention on computer security to a bright undergraduate student will be encouraged to work in this field. It will help to address the critical shortage of Ph.D.s and graduates in the security field that limits opportunities for research and solving the critical challenges we face.

Computer security and information assurance have had trouble in the past competing with more established disciplines. Students and faculty have been driven by available funding opportunities to work on problems that are better known and whose solutions are in some cases more developed, but less important and critical to the nation than the security of its infrastructure. This bill will help to remedy that situation.

I especially like the inclusion of privacy and risk analysis as important areas of study, in addition to what some might consider more purely technical areas. Since innovative technical solutions developed in a vacuum without taking into consideration the surrounding constraints related to politics, cost, and legal liability will fail, the inclusion of these areas will guarantee that the pure technological solutions that come out of the programs that this bill funds will actually have a good chance of being implemented, working, and ultimately improving the security of the nation's infrastructure.
I also appreciate the foresight of the bill in recognizing and supporting not only traditional undergraduate and graduate fields of study, but also certificate programs in the area. I direct a certification program where working professionals come in after a full day at work, and devote an additional five hours toward a certification in security and information assurance. In the program we have just started, more than a quarter of the students have been motivated to go back to school and pursue more advanced master's and doctoral studies in this area, and to apply the graduate credits earned with their certificate to those higher degrees.

The bill is excellent as written, but the Committee may wish to consider a couple of minor changes that would improve it even further. For instance, it currently provides funds for faculty retraining in this area. But in many cases, this may not be a viable option since many universities are stretched thin in trying to properly cover the currently recognized core areas of computer science. It is hard enough to get established faculty members in one field to change specialties, and recruiting across departments is almost impossible. There are only a limited number of faculty members in the U.S. who have significant background in security research. As my colleague Professor Eugene Spafford of Purdue University pointed out in his testimony last fall to the House Committee on Science, an informal survey of 23 preeminent U.S. universities with information security programs found that they graduated a combined total of 20 Ph.D.s in security over the last three years. As you can imagine, there is an intense competition for the even smaller number of graduates interested in a faculty position.
Explicitly allowing funds for faculty recruitment from outside (for example, from retiring federal government and contractor security experts who have appropriate credentials, teaching skills, and the motivation to work as part-time or full-time faculty but would not otherwise have the opportunity) might provide another solution to this problem of building up the training cadre more rapidly.

While I am very encouraged by the funds authorized by this legislation, I would also suggest that program managers at NIST and NSF be allowed a bit more discretion in funding extraordinary projects with high risk and high potential. Setting aside a small percentage of the funds of this bill for small, innovative projects that address evolving and emerging research issues will allow researchers to, for example, fund a planning workshop or to encourage an add-on specialty day at an existing conference without a lot of red tape. These opportunities for research and information dissemination may lead to new innovative solutions and other advances in information security.

My final remark on S. 2182 relates to the requirement for placement data in fields related to computer and network security. A study of potential enrollment and placement for students enrolled in a proposed computer and network security program may be hard for many universities to generate at the same time they are starting these programs and assimilating the additional students generated by this and other programs. As a result, the development and growth of these programs could be unnecessarily impeded. I respectfully suggest that universities be allowed to concentrate on curriculum development and student recruitment up front. If you wish, universities could be required to collect appropriate placement data from students as they go through and exit the program. But requiring this up front is counterproductive.

S. 2037

Turning my attention to S. 2037, the Science and Technology Emergency Mobilization Act, I wish to commend the members of this Subcommittee for their noble attempt to harness the outstanding capabilities of our nation's science and technology community, especially in times of national crisis. Faced with the realities of September 11, many members of the computing community wished to provide their technical assistance towards safeguarding our nation's infrastructure and in recovering from the attacks. S. 2037 would provide opportunities to match security experts to where their services are most needed.

I wish to offer the following recommendations to build upon the many fine provisions of S. 2037. First, in establishing pilot programs aimed at achieving the interoperability of communications systems used by emergency response agencies, it is also necessary to achieve the integrity, assurance, and security of the communications. In attempting to improve emergency communications, it would be shortsighted to sacrifice security to achieve utility, particularly if it leads to vulnerable emergency communication systems. Wireless standards, where they exist, are known to be weak. Standards bodies, including NIST, should work to develop better wireless standards to ensure security and utility of such systems.

While the legislation takes necessary steps to require expertise checks, it lacks similar safeguards requiring background checks. This vulnerability might allow the introduction of technically competent, malevolent individuals into the risk equation. If we don't verify both the technical credibility and the personal background of individuals, we risk doing more harm than good.
Authentication precautions and other security mechanisms, combined with privacy policy guidelines, will be necessary so that, if and when utilized, the "virtual technology reserve" database is only used by those responsible and is not misused (e.g., by an enemy attacking using a form of information warfare and polluting the database, or identifying and harassing or impeding the responders identified therein). The database will need to be designed and tested properly, possibly using competing designs with rapid prototyping. Both database and security experts should work on system design to ensure appropriate access and security balances, speed of responsiveness, updatability, and accuracy.

While S. 2037 will help our nation respond to acts of terror and other emergencies, we must simultaneously engage in a more proactive approach that focuses on prevention. "Emergency prevention and response" is stated as an objective, but it is much easier to demonstrate response than prevention [it's hard to have a demonstration if nothing is happening].

Chilling Effects of the Digital Millennium Copyright Act

One last but critical point that I wish to leave you with is that laws like the Digital Millennium Copyright Act (DMCA) inhibit the ability of individuals to engage in critical research in computer security and related fields. Unfortunately, this has certain implications for national security. For instance, researchers who study or teach encryption, computer security, or otherwise reverse engineer technical measures and who report the results of their research in this area face new risks of legal liability under the DMCA. As University of California at Berkeley Law Professor Pamela Samuelson has noted, the limited exemptions carved out in the DMCA have been found to be of little value to the research community. I encourage you to re-examine laws that prohibit or restrict computing technology instead of undesirable behavior.
DMCA-like restrictions have the potential to cripple the very security advancements S. 2037 and S. 2182 are intended to advance.

In summary, I commend the members of the Subcommittee for their legislative efforts to enhance the security of our nation's infrastructure and our ability to respond to national emergencies. Thank you for the opportunity to appear before you today. I would be pleased to answer any questions you might have.

Senator Wyden. Dr. Hoffman, thank you. I think the DMCA proposal may be a little much for us to get into in legislation that we would like to have moving in a month or so, but I think you know we very much value the work you are doing, and your organization. We will have some questions in a moment. We would welcome Mr. Starnes, and we are glad once again Oregon is pioneering in this area, and we welcome you, Wyatt, and you may proceed.

STATEMENT OF W. WYATT STARNES, PRESIDENT AND CHIEF EXECUTIVE OFFICER, TRIPWIRE, INC.

Mr. Starnes. Thank you, Mr. Chairman. My name is Wyatt Starnes, founder and CEO and president of Tripwire, Incorporated. I would like to start by commending this Subcommittee, led by Senator Wyden, Senator Allen, and their staff, in directing focus on critical issues of cyber security. I appreciate the opportunity to testify orally before the Committee today. I have also submitted expanded written comments for the record.

For the past decade, the technology that is Tripwire has focused on data integrity assurance as a means to achieve higher levels of security, control, availability, and reliability of computing systems. Our focus has been on protecting critical computing infrastructure within the commercial and government sectors. Tripwire software has been deployed on hundreds of thousands of critical systems worldwide, including many in this building.
It is as an information security professional and a business leader, as well as a citizen, that I am here before you today to discuss the security and control of our nation's cyber infrastructure, and why I've concluded that both Senate Bill 2182, the Cyber Security Research and Development Act, as well as Senate Bill 2037, the Science and Technology Emergency Mobilization Act, represent very positive steps forward to safeguard our nation's somewhat fragile digital infrastructure.

The development of Tripwire's technology was supported entirely with commercial funding as a part of Purdue's center-based long-term research efforts, which have no federal support. They are almost entirely funded by corporate contributions. Recently, market pressures, including the economic downturn, have put a damper on commercial funding, reducing the capacity of many academic programs. It may even threaten the existence of a few at a time when they are just beginning to realize their full value.

We support Senate Bill 2182 as it provides a means to address these issues by creating and funding programs to stimulate new cyber research and development. They should help to prime the pump, enhancing our ability to stay ahead in the development of critical cyber protection technologies.

The problem, however, extends beyond federal funding issues. We must enhance the coordination among the state-federal government as well as the academic community and private industry. As a CEO of a commercial company, I routinely see the desire and need for government and commercial entities to enhance their security procedures, in many cases especially within the government sector. These requirements come months, or even years before the funding becomes available. It is in these critical gaps that our cyber vulnerability as a nation is the greatest.
Somehow we need to find ways for the government to operate in Internet time when faced with bridging these gaps, and expedite approvals of funding to address them.

Turning my attention to Senate Bill 2037, the Science and Technology Emergency Mobilization Act, I believe this legislation can help by establishing a structure within the national Netguard framework to enable public and private sectors to work together more effectively when cyber events threaten our country's electronic infrastructure. This act intends to create an organized process and control structure to allow the private sector to provide the appropriate assistance in times of need, as well as a mechanism for the government to quickly locate and request assistance from qualified individuals within the private sector. These capabilities are useful to enable the country to react quickly and appropriately to cyber security issues, particularly when they impact our national infrastructure.

While I am supportive of the concept reflected in Senate bill 2037, I urge the Committee to think and act carefully in defining who and how the Netguard members are qualified and enlisted. We must be certain that the mechanism created to assist does not introduce new vulnerabilities, competitions or confusion. The urgency to get this infrastructure in place must be tempered with the need to get it right.

Within the great State of Oregon, industry and government are working together to create a consortium called Oregon RAINS, which stands for the Regional Alliance for Information and Network Security. I believe this effort could serve as a model for other states to organize their cyber resources. Oregon RAINS will be hosting Richard Clarke and other officials for a review of this important program in Oregon in early June.

In summary, I am in strong support of both these important acts as they enhance the underpinnings required to address many of these obstacles and challenges.
They will enable us to work together more effectively to improve our cyber security capabilities, as well as to ensure we continue to advance the state-of-the-art development of our cyber capability.

Thank you, Mr. Chairman, and I would welcome any questions.

[The prepared statement of Mr. Starnes follows:]

Prepared Statement of W. Wyatt Starnes, President and Chief Executive Officer, Tripwire, Inc.

Good afternoon Mr. Chairman and Members of the Committee. My name is Wyatt Starnes, a founder, CEO and president of Tripwire, Inc. I have followed with great interest the activities of the federal government at this very critical time in our nation's history. I would like to commend this Subcommittee, led by Senator Wyden and Senator Allen, and their staff, in directing focus on the critical issues of Cyber-risk and Cyber-security. I appreciate the opportunity to present before this Committee today.

For the past decade, the technology that is Tripwire has focused on data integrity assurance as a means to achieve higher levels of security, control, availability, and reliability of computing systems. Our focus has been on protecting critical computing infrastructure within the commercial and government sectors. Tripwire software has been deployed on hundreds of thousands of systems worldwide, including many inside of this building.

At Tripwire, we understand the importance of being able to rapidly detect, assess, and appropriately respond to threats, risks and even accidental changes to critical systems. Intrusions, computer viruses, logic bombs, hackers, ``worm'' programs, and badly written software can all lead to compromise, alteration and destruction of crucial information. Assuring the integrity and control of the ever-expanding digital infrastructure is crucial to our nation's financial viability as well as its safety and security.
We understand that to fully manage the risks associated with maintaining information resources requires exerting positive control: our products enable that level of control.

It is as an information security professional and business leader--as well as a citizen--that I am here before you today to discuss the security and control of our nation's cyber-infrastructure, and why I have concluded that both Senate bill 2182, the ``Cyber Security Research and Development Act'' and Senate bill 2037, the ``Science and Technology Emergency Mobilization Act'' represent positive steps forward to safeguard our nation's somewhat fragile digital infrastructure.

Relative to Senate bill 2182, our company understands the importance of supporting and funding research within the university system. After all, our core technology was initially developed at Purdue University almost ten years ago under the direction of Professor Eugene Spafford. We later obtained the commercial rights to the technology and have built upon the Purdue work to create high-quality, commercial data integrity assurance solutions that are in wide use around the world, including prominent usage within most branches of the U.S. Government. Other fundamental information security technology, including security scanners, firewalls, VPNs, and intrusion detection systems all have roots in academic research at Purdue and elsewhere.

It is important to note that a considerable amount of this technology was developed without federal support, and often without any external support at all. Research efforts over the last decade conducted at leading universities such as Purdue have been supported almost entirely by small corporate contributions. Unfortunately, there has been no federal support for the kind of long-term and center-based research that is being conducted. We can only speculate at the solutions we might have in hand for today's problems had these researchers been supported at a more appropriate level.
Because of market pressures, including the recent economic downturn, industry support for leading academic programs with long-term vision has suffered. This scarcity of dollars has reduced the capacity of most academic programs, and may even threaten the existence of a few at a time when we are beginning to realize their importance. The small quantity of funds available, and their dominance by industry, tends to cause researchers to focus on ``quick fix'' patches instead of more fundamental solutions to society's cyber-weaknesses.

Consider:

There are too few students studying cyber-security needs and issues;

Too little is being spent to drive the technological research required to fight a war on the cyber-battle ground;

There are too few researchers advancing the state of technology within the university system.

There are not enough trained professors to develop and teach the courses to train a new generation of information security professionals.

Unless something significant changes, these problems may continue or worsen despite the best efforts of those of us working in cyber-security.

It is also necessary to provide mechanisms to allow public universities to accept equity from private industry in order to effectively capitalize on technology developed with public funding. Some states, including Oregon, currently limit or prohibit these transactions. Oregon is moving aggressively to remove these restrictions with a ballot initiative to change the state's constitution. This effort has been largely driven by the private sector. We urge other states to begin the important processes to reverse restrictive provisions relating to technology transfer by and between public Universities and the private sector.

We support Senate bill 2182 as it provides a means to address these issues by creating and funding programs to stimulate new cyber-research and development.
This should help to ``prime the pump'' enhancing our ability as a nation to stay ahead in the development of critical cyber-protection technologies. There is no doubt that leading firms such as Tripwire will respond to immediate security needs by government and society at large. But we also believe it is vital that government take a role in ensuring that the creative minds in leading universities such as Purdue have the resources to work on the solutions we will need decades from now, too.

Does this solve all our problems? No. The problem extends beyond university funding. We must enhance the coordination among state and federal government, the academic community, and private industry. From my perspective as the CEO of a commercial company, we routinely see the desire and need for government and commercial entities to enhance their security processes. In many cases, especially within the government sector, the requirements to `upgrade' critical systems come months or even years before the funding becomes available. It is in these critical gaps that our cyber-vulnerability as a nation is the greatest. I urge the Congress to be aware of these gaps. Somehow, we need to find ways for government to operate in ``Internet Time'' when faced with bridging these gaps and expedite approvals and funding to address them.

Another area I would like to comment on is the issue of National and local coordination and cooperation. During the aftermath of the events of September 11, we've all heard stories of companies and organizations with the desire and expertise to help government agencies. However, they found there were limited cross-agency mechanisms to coordinate this interest and well-intended response. I am convinced we should learn from these experiences as the same sorts of challenges exist when dealing with threats and incidents of a ``cyber'' nature. This leads me to offer my comments on Senate bill 2037, the ``Science and Technology Emergency Mobilization Act''.
I believe that this legislation can help by establishing a structure within the ``National NetGuard'' framework to enable the public and private sectors to work together more effectively when cyber-events threaten our country's electronic infrastructure. This act intends to create an organized process and control structure to allow the private sector to provide the appropriate assistance in times of need, as well as a mechanism for the government to quickly locate and request assistance from qualified individuals within the private sector. These capabilities are useful to enable the country to react quickly and appropriately to cyber-security issues, particularly when they impact our national infrastructure.

While I am supportive of the concept reflected in Senate bill 2037 I urge the Committee to think and act carefully in defining who and how the NetGuard members are qualified and enlisted. We must be certain that the mechanism created to assist does not introduce new vulnerabilities, competitions, or confusion. The urgency to get this infrastructure in place must be tempered by the need to `get it right'.

Within our great state of Oregon the Private Sector is marshaling its resources to address these gaps at a local level. The Oregon Regional Alliance for Information and Network Security, or RAINS, is a consortium of private and public sector organizations and individuals forming around the following mission:

To contribute to U.S. defense and Homeland Security by providing solutions to critical cyber-security problems, and

To expand Oregon's cyber-security cluster, creating jobs, cultivating technical innovation and education, and improving the state's economy.

I believe that this model can be extended nationally and dovetail with the initiatives proposed in Senate bill 2037. The Oregon RAINS project will be hosting Richard Clarke and other federal officials in Oregon to present this project on June 5-6, 2002.
Comments on Homeland Security

What the Committee is addressing today could be included under the rubric `Homeland Security'. I think it important to remember that many of the weaknesses in our infrastructures that we are concerned about today were identified by experts in academia, industry and government decades ago. Those warnings were not heeded because they involved additional appropriations and regulation that were not seen as having an immediate effect. Thus, we are now faced with an urgent need and much larger economic and social cost to retrofit solutions--including some of dubious effectiveness--into everything from communication to transportation to power distribution. Experts have likewise been warning for years that our information infrastructure is at risk and that insufficient investment is being made in research, education, and deployment of safeguards. I believe that proactively allocating and expediting significant funding to enhance our National digital infrastructure before there is a major breach would be very prudent.

Summary

In summary, I am in strong support of this important legislation as it enhances the underpinnings required to address many of these obstacles and challenges. It will enable us to work together more effectively to improve our cyber-security capabilities, as well as ensure that we continue to advance the state-of-the-art with regard to protecting our cyber-infrastructure. Thank you and I welcome any questions from the Committee.

Senator Wyden. Wyatt, thank you. That is very helpful. I commend you for all of the innovative work you all have done, and of course, Oregon RAINS really is a pioneering effort. As you know, we have worked very closely with them in our efforts to try to move the legislation we are considering today. We are glad you are here. We will have some questions.

Mr. Hira, welcome.

STATEMENT OF RONIL HIRA, INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE)-USA

Mr. Hira. Thank you, Mr. Chairman.
Good afternoon. I wanted to thank you, the Ranking Member, and distinguished Subcommittee Members for inviting me here today. My name is Ronil Hira, and I am here on behalf of the 235,000 U.S. members of the Institute of Electrical and Electronics Engineers. I am the chair of the IEEE-USA, which is our acronym here, the IEEE-USA's Research and Development Policy Committee. Our members are electrical, electronics, computer and software engineers who work in government, industry, as private consultants, as well as professors and students in universities.

We at IEEE-USA applaud the Subcommittee's efforts to address shortfalls in two critical areas related to homeland security today, disaster response and mobilization, and cyber security research and development. I think it is pretty axiomatic that technology is driving society, but it is also becoming pervasive within society in making things more and more complex. At the same time, we have an increase in terms of the threats and vulnerabilities to outside threats.

Fortunately, the United States has the largest and best-qualified pool of technological experts and the most sophisticated technology and communications equipment in the world. The challenge, however, is in coordinating the response, finding the necessary experts and supplies, and getting them into play as quickly as possible. For this reason, IEEE-USA strongly endorses the objectives of S. 2037, the Science and Technology Emergency Mobilization Act. Technology evaluation and standards are important elements in any implementation, but they are really critical elements in any disaster recovery program, and I am glad to see that is being addressed here. In addition, interoperability is obviously critical in those disaster recovery programs. I do not think you have to be an American politics scholar of Alexis de Tocqueville to know and recognize the degree to which volunteerism and voluntary organizations are important in the U.S., so I am glad that S. 2037 does address that.

In regard to S. 2182, the Cyber Security Research and Development Act, we were supporters of the legislation when it was introduced in the House, H.R. 3394. A couple of points on that. It is not the case that cyber security and computer security has not been going on. Really, the issue is the scale in which it has been going on. There are clients such as military, financial services, who are very concerned about it and have addressed computer security to whatever degrees. The real issue becomes, to what degree is computer security impacting all of technology development, software development, and so on and so forth, and we believe that this bill will help to address that. The point is not just to advance the state-of-the-art, but is to advance the state of the market and the state of the practice that is out there, and we believe S. 2182 is comprehensive enough to get us in the right direction moving toward that. It includes industry, government, and universities working together. You are going to get incremental gains, but you are also going to push the frontiers of cyber security.

For those reasons, we are pleased to support S. 2182, and I look forward to any questions you might have.

[The prepared statement of Mr. Hira follows:]

Prepared Statement of Ronil Hira, Institute of Electrical and Electronics Engineers (IEEE)-USA

I would like to thank the Chairman, Ranking Member and distinguished Subcommittee Members for inviting me here today. My name is Ronil Hira, I am here on behalf of the more than 235,000 U.S. members of The Institute of Electrical and Electronics Engineers. I am the chair of IEEE-USA's Research and Development Policy Committee. Our members are electrical, electronics, computer and software engineers who work in government and industry, as private consultants and are professors and students in our universities.
We at IEEE-USA applaud the Subcommittee's efforts to address shortfalls in two critical areas related to homeland security: disaster response and mobilization, and cyber security research and development. As the nation becomes more dependent upon technology in nearly every aspect of our lives, the level of vulnerability to technological disruption rises accordingly, as does the potential impact that disruption has on our lives. As we saw with the problems that became apparent following the attacks of September 11, the promptness and quality of the technological response to terrorist attacks or natural disasters could mean the difference between life and death.

Fortunately, the United States has the largest and best-qualified pool of technological experts and the most sophisticated technology and communications equipment in the world. The challenge, however, is in coordinating the response, finding the necessary experts and supplies and getting them into place as quickly as possible. For this reason, IEEE-USA strongly endorses the objectives of S. 2037, the Science and Technology Mobilization Act. The concept of organizing to focus the nation's technology resources to address the response to terrorist attacks and other emergencies is an important ingredient in a robust homeland defense.

As a result of the attacks, local governments are renewing their efforts to design disaster-recovery plans. Many entities have put in place emergency communication plans and have taken steps to ensure optimal use of other technologies. For example, uninterruptible power supplies are now coming into common usage. We strongly concur with Office of Science and Technology Policy Director, Dr. John Marburger's recommendation encouraging voluntary preparedness among organizations, including implementing IT disaster-recovery procedures as well as promoting standards for coordinating disaster-recovery responses.
This may well fit into the charter of the National Institute of Standards and Technology; however, IEEE-USA does not take a position on which governmental agency should be charged with overseeing the overall program envisioned by the legislation. We do feel that NIST, if designated, and industry can work within the framework of a center for civilian homeland security technology evaluation as envisioned by the legislation to develop standards and protocols to serve as models for local disaster-recovery programs. The standards can not only enable optimal use of technology within a local environment, but can allow for sharing of resources to respond to a regional disaster.

The infrastructure reliability advisory board as described in the legislation can work with the center to define best practices on how to make technology and communications infrastructure less vulnerable. This will enable the board to make recommendations on all aspects of deployment of emergency response and recovery of technological and communications systems.

We urge caution in proceeding to establish the National Emergency Technology Response Teams. It is important to recognize that communication and other technological systems can be extremely complicated, requiring not only general knowledge of the technical factors but also specific knowledge of the system under stress. This may only be available in the company and its vendors that installed the system originally. Furthermore, if a local government has a sound disaster-recovery program, it may not be feasible, and could be counter-productive, to attempt to bring in teams that have not been integrated into the established program.

One valuable service that the U.S. government can perform is to evaluate and critique local disaster-recovery programs. This could consist of plan review and test observation. The government has many agencies with expertise in this kind of service.

In regard to S. 2182, the Cyber Security Research and Development Act, IEEE-USA has been a strong supporter of this legislation since the companion bill was introduced in the House of Representatives. There are many excellent provisions in this bill. I would like to highlight one in particular. The Chairman, and author of the legislation, has done a remarkable job in understanding the richness of our research enterprise and symbiotic relationships. Specifically, the bill includes research that will be conducted in universities, government and industry. Each of these institutions brings something important to the table when it comes to research. In addition, the bill recognizes the importance of training future professionals. While some of these folks will become cyber security researchers and professors, many will become cyber security practitioners. The purpose of research is not only to advance the state of the art, but also to ultimately advance its application in the marketplace. Only through all of the mechanisms in this bill will we be able to achieve both.

In order to advance the state of the art and the state of the market, we need to advance the state of the science in cyber security. Systematic research is the way in which the cyber security profession can codify its lessons learned, develop its common language, and most importantly, advance the practice of cyber security. IEEE-USA is pleased to support S. 2182, which will pay dividends not only for protection against cyber terrorism, but also for commerce and personal privacy.

Thank you very much.

Senator Wyden. Mr. Logan.

STATEMENT OF JEFFREY LOGAN, BUSINESS DEVELOPMENT MANAGER, M/A-COM, INC., WIRELESS SYSTEMS

Mr. Logan. Thank you, Chairman Wyden, Senator Allen, and other distinguished members of the Science, Technology, & Space Subcommittee.
It is an honor to have this opportunity to appear before you today and assist your efforts in strengthening our nation's information infrastructure and improve our capability to respond and recover from terrorist attacks and other emergencies. I am Jeffrey Logan, business development manager for M/A-COM Wireless, Incorporated. M/A-COM Wireless Systems is currently deploying fully interoperable statewide public safety radio systems in Pennsylvania and Florida. We have recently been selected to provide county communications systems in the Oakland County, Michigan, and city communications for San Antonio and Oklahoma City. Our company is a world leader in the development and global manufacture of radio components and network solutions for the wireless telecommunications industry.

I appreciate this opportunity to comment on S. 2037, the Science and Technology Emergency Mobilization Act, regarding recommendations for ensuring that emergency officials and first responders have access to effective and reliable wireless communications capability, and the establishment of state pilot projects aimed at achieving interoperability for emergency preparedness.

One of the key concerns for first responders is interoperability. Lack of interoperability occurs when public safety personnel respond to the same emergency but cannot communicate with each other because they have an incompatible radio system, or they are on different frequencies. Lack of interoperability wastes time, wastes effort, and it can risk lives. Safety of life and property can only be assured when public safety agencies can easily communicate with each other. All too often the different systems they use would preclude them from communicating at all. Agencies must have high-quality communications at their disposal to ensure effective and timely coordination during a disaster. Recent high profile incidents, coupled with the events of September 11, have drawn into sharp focus the need for voice radio interoperability.
Interoperability is both a technology and management challenge. S. 2037 should include consideration of training, organization, coverage, funding, frequency availability, and incident coordination. It is our recommendation that state pilot projects should include both technical and nontechnical considerations, as well as new approaches to policy in the development of interoperable solutions. A number of states have already made significant headway toward interoperability. The establishment of state pilot programs should build on many of the innovative communication technology advances already achieved in states such as Pennsylvania, Maryland, and Florida.

What is the best way to achieve interoperability for our nation's first responders? One solution would be to require state and local government to replace today's fully functioning radios and infrastructure with new equipment that would be based on a single standard. FEMA has estimated the cost to pursue this course to replace all our nation's public safety radios to be in excess of $40 billion. Creating a single radio system standard does not necessarily solve interoperability. Several operational issues, including sufficient communications spectrum and channel management, would still need to be resolved. We do agree, Dr. Hoffman, however, that standards should be encouraged, particularly in the area of networking standards, such as established Ethernet and TCP/IP protocols.

An alternate approach, we feel the best approach to our interoperability is to connect existing systems into regional, statewide, and national systems which would provide multiagency interoperability without requiring different agencies to purchase new radio equipment. This could be done for a fraction of the cost. Interconnecting or networking existing systems is the quickest and most cost-effective way to deploy.
This is because the network supports all existing radio infrastructure, allowing agencies to use radios, repeaters, and frequencies already in place. We think this makes sense in order to optimize the President's $1.3 billion first responder interoperability budget, leveraging this money to as many communities as possible.

A good example of pioneering interoperability is underway right now in a statewide system in Pennsylvania. In 1995, Governor Tom Ridge and Lieutenant Governor Mark Schweiker came into office. They inherited an antiquated radio system. The existing network was more than 20 years old, and becoming impossible to maintain. In fact, it really was a patchwork of several incompatible systems. As a result, Governor Ridge has replaced this with a fully interoperable statewide communications system.

In conclusion, I would like to commend the Members of the Subcommittee for their legislative efforts to enhance the security of the nation's infrastructure and our ability to respond to national emergencies. Lack of communications interoperability is not a new condition. We have two ways to address interoperability. One solution would be to replace today's fully functional radios and infrastructure with a cost-prohibitive solution. A second and alternate approach would be to connect existing systems in a way that we could leverage fully functional systems to our benefit.

Thank you for the opportunity to appear before you today. I would be pleased to answer any questions you may have.

[The prepared statement of Mr. Logan follows:]

Prepared Statement of Jeffrey Logan, Business Development Manager, M/A-COM, Inc., Wireless Systems

Thank you, Chairman Wyden, Senator Allen, and other distinguished Members of the Science, Technology, and Space Subcommittee.
It is an honor to have this opportunity to appear before you today and to assist in your efforts to strengthen our nation's information infrastructure and improve our capability to respond and recover from terrorist attacks and other emergencies. I am Jeffrey M. Logan, Business Development Manager for M/A-COM Wireless Systems Inc. M/A-COM Wireless Systems is currently deploying fully interoperable statewide public safety radio systems in Pennsylvania and Florida. We have also recently been selected to provide county communications systems for Oakland County Michigan, and city communications for San Antonio and Oklahoma City. Our company is a world leader in the development and global manufacture of radio components and network solutions for the wireless telecommunications industry. Additionally, M/A-COM Wireless Systems is supported as a wholly owned unit of Tyco International, the world's largest manufacturer and servicer of electrical and electronic components.

I appreciate this opportunity to comment on S. 2037, the Science and Technology Emergency Mobilization Act, regarding recommendations for ensuring that emergency officials and first responders have access to effective and reliable wireless communications capabilities and the establishment of state pilot projects aimed at achieving interoperability for emergency preparedness agencies.

The Pursuit of Interoperability

One of the key concerns for the first responders (police, fire, EMS) is interoperability. Lack of interoperability occurs when public safety personnel respond to the same emergency but cannot communicate with each other because they operate on incompatible radio systems or on different frequency bands. Lack of interoperability wastes time, wastes effort, and can risk lives. Safety of life and property can only be assured when public safety agencies can easily communicate with one another. All too often, the different systems they use preclude them from communicating at all.
Agencies must have high-quality, interoperable communications at their disposal to ensure effective and timely coordination of disaster responses. Recent high-profile incidents, coupled with the events of September 11, have drawn into sharp focus the need for voice radio interoperability both for routine day-to-day use and during emergencies.

``So poor were communications that on one side of the trade center complex, in the city's emergency management headquarters, a city engineer warned officials that the towers were at risk of ``near imminent collapse,'' but those he told could not reach the highest-ranking fire chief by radio. Instead, a messenger was sent across acres, dodging flaming debris and falling bodies, to deliver this assessment in person. He arrived with the news less than a minute before the first tower fell.'' \1\
---------------------------------------------------------------------------
\1\ Jim Dwyer and Kevin Flynn, ``Before the Towers Fell, Fire Dept. Fought Chaos,'' The New York Times, January 30, 2002, p. 1.
---------------------------------------------------------------------------

Achieving Interoperability

Interoperability is both a technology and a management challenge. Consideration should include training, organization, coverage, funding, frequency availability and incident coordination. It is our recommendation that state pilot projects should include both technical and non-technical considerations, as well as new approaches to policy, in the development of interoperability solutions. A number of states have already made significant headway toward interoperability. The establishment of state pilot programs should build on many of the innovative communication technology advances already achieved in states such as Pennsylvania, Maryland and Florida. What is the best way to achieve interoperability for our nation's First Responders?
One solution would be to require state and local governments to replace today's fully functional radios and infrastructure with new equipment that would be based on a single radio system standard. FEMA has estimated the cost to pursue this course to replace all our nation's public safety radio systems to be in excess of $40 billion. Creating a single radio system standard does not necessarily solve interoperability. Several operational issues including sufficient communications spectrum and channel management would still need to be resolved. However, networking standards such as established Ethernet and TCP/IP protocols should be leveraged to enable network-to-network communications and voice over IP applications. An alternate approach to interoperability is to interconnect existing systems into regional, statewide or national systems, which would provide multi-agency interoperability without requiring different agencies to purchase new radio equipment--for a fraction of the cost to replace all in-service radio systems. Interconnecting or networking existing systems is the quickest and most cost-effective approach to deploy. This is because the network supports all existing radio infrastructure, allowing agencies to use radios, repeaters and frequency allocations that are already in place. We think this makes sense in order to optimize the President's proposed $1.3 billion first responder interoperability budget to as many communities as possible.

Best Practices

A good example of pioneering interoperability is underway right now on a statewide system in Pennsylvania. Back in 1995, when Governor Tom Ridge and Lt. Governor Mark Schweiker came to office, they inherited an antiquated radio system. The existing radio network was more than 20 years old and was becoming impossible to maintain. In fact, it really was a patchwork of several incompatible networks serving 23 state agencies.
Former Governor Ridge recognized that the outmoded, stand-alone radio systems limited communications between state agencies and local government, particularly during emergencies. It also squandered opportunities for cost savings through shared equipment purchases and mutual aid agreements. As a result, in 1996, Governor Ridge launched a multi-year project to modernize and unify state agencies' two-way radio systems. M/A-COM was selected to provide the radio equipment for the project utilizing IP network technology. This year, when the new system is fully deployed, it will tie Commonwealth agencies and participating local governments into a single, more reliable, high-capacity radio network. A key advantage of the new radio network is that state and local government will be able to communicate with each other through voice over IP networking technology. Additionally, system elements, such as radio towers and transmitters, will be shared across state agencies, thereby holding down costs. Most importantly, the new system will greatly enhance first responders' ability to respond to emergencies quickly and in a coordinated manner. In fact, Pennsylvania's new radio network, completed under Governor Mark Schweiker, will be the first truly interoperable statewide voice and data public safety radio system in the entire country.

Conclusion

In summary, I commend the Members of the Subcommittee for their legislative efforts to enhance the security of our nation's infrastructure and our ability to respond to national emergencies. Lack of communications interoperability is not a new condition. We have two ways to address lack of interoperability. One solution would be to replace today's fully functional radios and infrastructure with new equipment at a prohibitive cost and years of deployment. An alternate approach is to connect existing systems together using voice over IP networking technology, immediately and affordably. M/A-COM Wireless Systems, Inc.
stands ready to support government research and development in this area. Thank you for the opportunity to appear before you today. I would be pleased to answer any questions you might have. Senator Wyden. Thank you, Mr. Logan. Let me start with you, if I could, Dr. Strawn. Some of the information security experts today are painting a bleak picture. They paint a dire picture of the current state of the discipline. They say there are only about 100 professors. There are only a few centers. There are only a handful of Ph.D.s in information sciences, and suffice it to say, this is what the Congress is seeking to address. Now, you discuss the need for more researchers in the area of course in your testimony. S. 2182 addresses the problem by increasing the investments in research and training generally. This relates to information security. In your view, how long would it take, with this legislation, to start seeing some tangible improvements in these numbers? Dr. Strawn. I think several years would show some pretty good progress. We have the experience of this first year of our Trusted Computer program, small as it is, which did show that the professoriate in computer science responded to turn its attention increasingly to this area, and so I think additional support and focus can be a very valuable way of building up the size of the professoriate and the size of the student body that will attack these problems. Senator Wyden. And how long do you think it will take before our country sees tangible improvements in the research that is undertaken in the information security field? There are two things we have to do here. We have to deal with the shortage of professors, and we have to beef up the research that is undertaken in the field. Tell me about tangible improvements. Dr. Strawn. I think there are opportunities both for short-term research benefits and for the long-term research benefits.
As the words express, of course, it will take longer for the long-term understanding to filter into technologies and services that I think will ultimately provide the best solutions, but I think we have observed that already there are developments in the private sector and by the professoriate some very good steps, intermediate steps, let us say, to improve our security; and solutions range all the way from broader education to train new work force members to putting into place services and security products and processes that we already know about but have not had as much success getting into broad use as we would like. In a certain sense, that requires a certain amount of social science research as well to understand better how we can put what we know into practice more quickly. Senator Wyden. Tell me what you believe to be the most important areas that warrant further research and examination, and why. Take two or three, for example, of the areas that you think are the most important from the standpoint of research and information security, tell me what those areas are, and why. Dr. Strawn. I will do that with the caveat that NSF's approach usually is to ask the research professors who we work with what are the most promising areas they find, and then when their peers are able to look at those proposals and tell us that these are the really promising areas, then we feel very comfortable that, having the smartest friends in the world, we know what we are talking about. Some of the things we have already been told and that I certainly agree with is the importance of looking at the whole picture. As I said before, secure components do not a secure system make; and science has very frequently progressed in great ways by dividing and conquering, looking at small portions of a subject and knowing more and more about it. Security is really a different sort of a beast, in that we must keep a system focus. 
We must develop the science of the whole system in order to make sure that secure systems will result from secure components, and so I think that is probably one of the most important technical areas. I think a second is the interdisciplinary problem of finding how we can more rapidly introduce advances once we have made them: enabling our organizations to accept beneficial changes more rapidly. We have been working with our social scientists quite a bit in the last several years looking at these types of interdisciplinary problems. I think in the short term that could be a very valuable step. Senator Wyden. Any other areas? Dr. Strawn. Those are the first two that come to mind. Senator Wyden. Dr. Hoffman, do you want to try that one, too? What are the most important areas, in your view, for information security research? Give me, if you would, two or three, and tell me why you think that is the case. Dr. Hoffman. Well, you are asking a tough question when you say limit it to two or three, but I will attempt to limit it to two or three. I would agree that absolutely the most important is to have a big picture, and to look at interdisciplinary research, because when you are dealing with computer security you are tying together disciplines of computer science, electrical engineering, management, forensics, law, and various practices, and all sorts of other things, so it is not only a technological solution. Computer security involves a lot of areas, and they are not only technological, so the interdisciplinary part, including public acceptance, including market acceptance, is very important, so that is one, okay. You said two or three. I will give you two others. Architecture. I think we have been using the same computer architecture effectively linked together in networks, for about 50 or 60 years. 
There may be other architectures that could be looked at that could help protect--separate data from programs in a way that would very much enhance security, so computer architecture is another area. Finally, as I mentioned in my testimony, wireless. In the not-too-distant future we are going to have very many more wireless devices than we do now, and, as usual, utility is going to trump security the way we are going now. Unfortunately, this is going to lead to some security problems, unless we really get a handle on the existing wireless situation and deal with it whether it is in the wireless devices or in network protocols, or whatever. Senator Wyden. So what do you think the wireless issues are? Dr. Hoffman. What do I think the wireless issues are? There are a bunch of them. For one thing, the existing protocols have been shown to be not sufficient for security. In addition, when they are connected together you have all sorts of applications that are going to be developed using wireless. Take one example, intelligent vehicle systems. If people are driving along or being transported along in squadrons of intelligent vehicles, and the vehicles are communicating with each other, they have to be authenticated, authorized, and at the same time there are privacy issues involved as well. That is just one example. Senator Wyden. Let us return, then, to you Dr. Strawn, and compare, if you would, the cyber security program that you have now against S. 2182. The program that you have now, research includes a scholarship for service program that provides scholarships to undergraduates and graduate students that study computer security. Then they have to serve the federal government, obviously, for a couple of years. What do you see as the big differences between your current program, the scholarship for service program, and what is envisaged in the Senate and House bills? Dr. Strawn. 
I would say that what we are doing now has some great similarities to what is proposed in the bills, and the major difference is scope and size. The work that we are doing, as I mentioned in my testimony, is on the order of $10 million a year investment, and I observe that the bills propose roughly an order of magnitude increase. Senator Wyden. Tell me what you think the lessons are with respect to what science and technology can do in emergency response and homeland security after September 11. I mean, my sense, and what has really drawn me into this cause, is that there is a chance to mobilize a generation, a generation that was raised on digital technologies that wants to contribute, wants to help. We have been struck by how many companies and individuals are willing to come forward and say, as long as the government does not waste my time, I am going to pitch in. People from Intel, for example, do not want to spend a lot of time standing around, and unfortunately, in the effort to respond on September 11, some of those private sector efforts were wasted. So, one of the lessons I have learned from September 11 is that I think there is a chance to mobilize a huge number of people with expertise in IT and expertise in various scientific areas, and harness that energy and talent and bring it to bear. But, I would like to have you tell me what you think the lessons are with respect to the role government can play now in science and technology policy to both prevent and respond to the kinds of problems we faced on September 11. Dr. Strawn. First of all, I agree with everything you have said in terms of some lessons to be taken away from it, that we have had a terrible wake-up call, and it focused the energies of the nation in a way that we now must turn to positive results. One of the areas, as I mentioned previously, that we are concerned about is that not enough faculty have been specializing in security research.
I think this situation has produced in students and faculty alike more of a focus on the importance of cyber security, and if we can respond properly to that increased interest, it will be much to our benefit to do so. I would also mention in support of Professor Hoffman's comment about computer architecture, and as mentioned in my written testimony, computer security was an add-on to the original design of information processing systems. We weren't thinking as much about that in the early fifties as we are now, 50 years later, and many of our researchers have suggested that a great, fundamental research opportunity would be to go back and rethink the fundamental design of information processing systems with security as a design criterion and requirement, rather than a later add-on to be patched on the side. Senator Wyden. That is what you would call a big lesson. That will be a big exercise, but I think you are right. I think that is really something that the government ought to be researching, and I think that is a thoughtful answer. Why do we not just go down the panel at this point, and I would be interested--we can start with you, Dr. Hoffman, then go to Wyatt, but tell us, if you would, what you think the experience of September 11 says in terms of lessons for science and technology policy as we try to both respond and prevent these terrorism problems. Dr. Hoffman. Well, one thing it indicated to me was the importance of thinking ahead, and the importance of then acting on the lessons. To give you one example, we routinely teach exercises, and the George Washington University has about seven courses in the Computer Science Department, and another seven or eight in the Engineering Management and Systems Engineering department dealing with computer security information assurance, and related topics. Many of these courses deal with vulnerability assessment, and we do scenarios. 
We actually run--one of my favorites is one developed by the Rand Corporation called The Day After, where you basically set up a situation, say, 2 years hence, in 2004. You say, here is the situation on the ground. One bad thing happens, another bad thing happens, and you expose students to this, and in essence they cannot deal with it. It is sort of a classic in-box exercise, although worse, and then they go back to 2002, to today, and say, okay, what should we do now, and that is in essence what you are doing. I think the most important thing learned is, if we had been able to put into effect more of those actions which we had dealt with in the classroom in real life on September 11, then September 12 we would have been much better off, so just getting people to think that way is the first step, and then getting action plans developed is the next one. Senator Wyden. Mr. Starnes. Mr. Starnes. Yes, Mr. Chairman. I think there are a number of issues that came as a result of learning from September 11. Speaking to the positive side of technology for a moment, there were many systems, Internet systems, wireless systems that were still operable and played a very important role throughout the unfolding of September 11, even with that as a factor. Senator Wyden. I think it is striking none of the satellite systems had problems. All of the satellite systems worked. Mr. Starnes. And a fair amount of interconnect was still in place, and for a while the only communication some people had was via the electronic non-analog infrastructure, which I think is striking. There were also major vulnerability points, major hubs of connectivity that even though we thought they were redundant hubs, we did not plan for the magnitude of the damage that was done. But speaking to the broader issue of the short-term issues, long-term issues, I am coming at this from a commercial angle, which is a slightly different angle than my colleagues on the academic side.
The way we see spending in cyber security, it is sort of the spray paint, the moving car problem. In other words, we are trying to get to a destination, and we are trying to get there fast, but we have got to get paint on the car along the way. In other words, we have to protect ourselves while we are getting there, so we really need to divide our thinking into two areas. We have some short-term issues we need to deal with, and there are evolving technologies in the form of data integrity assurance and intrusion detection and other technologies that play a valuable role. At the same time, we need to develop a longer-term view of how technology should be constructed in a world where we have the bigger security issues now than we anticipated when the original designs were done, as Dr. Strawn said, many years ago. So I think we have to move in parallel. We have to give money to government, to commercial industry to protect themselves now. At the same time, we feed money to universities to begin to reverse the course of the attrition we have seen in the cyber research and cyber security arena, and I think both of those paths have to be moved on in parallel. Senator Wyden. Mr. Hira. Mr. Hira. Mr. Chairman, I think the major thing that came to my mind was really the vulnerability, but also the human dimensions that are involved in technology and how dependent that we have, really the average person has become on technology, and the fact that we open the cell phone and we expect it to work, and so I really think that the major lesson there was that the systems were not designed for this kind of event in mind, and we have to rethink the way we design these products so that we accommodate new criteria. It has really changed the criteria to which we have to design these products. Senator Wyden. Mr. Logan. Mr. Logan. Mr. Chairman, I believe--three major areas of lessons learned with regard to wireless.
We are also a private company, and certainly recognize the President's budget that is being proposed for first responders, as many private companies do, but we also recognize there is a lot of competition for that money, and we have to be very smart in how we apply those funds to curing the problems. With regard to interoperability, we could certainly apply money in a way that would maybe have new equipment, but the equipment in the end still could not talk to each other. We need to consider how we can interconnect our existing infrastructures in a way that people can communicate. We have to look very hard at training and invest in training, because when these events happen, as all the first responders' reports have said, training, and preparation upfront, the technology alone will not provide the answer. It has to work in concert with the technology. I guess the third item would be where we have various first responders showing up to an event, trying to communicate with each other, not having the ability to have coverage, so I think as we look at this bill, as we can apply moneys to providing mobile coverage, bringing communication to the site and the scene of an incident would go a long way in solving future problems. Senator Wyden. Very good points, and we are struck by what both you and Mr. Hira have talked about, the human dimension of all of this. I think our hearing where we heard from the head of the fire fighting effort at the Pentagon, and we had people hand-carrying messages in to firemen, little snippets of paper, hand-carrying them in. I am glad you two brought it back to people, because it is important, and wireless can make a real difference in that area. Let me, if I might, turn to this question of how we are going to mobilize the volunteers, and Dr. Strawn, you are welcome to participate in this as well. You have heard me comment on this, that the Administration is being very helpful in terms of working with us. 
It has not fully developed a position, but you are welcome nonetheless to offer your ideas and thoughts here on the strategic technology reserve. I will initially direct this to Dr. Hoffman and Mr. Starnes. What we want to do is say, ``Look, in this country we have got a strategic petroleum reserve, so that when there is a crunch with respect to energy, we are in a position to address that.'' What I envisage is something along the lines of a strategic technology reserve, so all across this country, when faced with bioterrorism efforts or other sorts of dire kinds of threats and problems, it is possible to mobilize people and equipment fairly readily, and some of this does not strike me as particularly hard and cumbersome to do. For example, we were struck how in most communities, for example, there is not even a list of people who would have some expertise in these various health agencies. Say that a community, say Portland, or another community, was hit by a bioterrorism agent. It ought to be possible to fairly quickly turn to a list of medical experts and others that you could call on for help. What we would like to do is develop that kind of data base of volunteers and experts, and virtually everyone we have talked to in terms of municipalities, first responders and others, said absolutely we think it would be very useful to have that on hand, and this would involve a pretty modest role for government. This is essentially making sure that you have this group available when you face these kinds of calamities. I think the points that you are making with respect to authentication and security mechanisms and making sure the data base is not misused or, as you said, Mr. Starnes, taken over by people with malevolent intentions--I want to make it clear, I think that is significant. I think it is important, but I assume, just so we are clear for the record, you two do not think those kinds of issues are insurmountable. 
What you think is they are issues that Congress has got to get right. Congress has got to work with the private sector in order to get them right, but you certainly do not see this as creating some kind of insurmountable burden that would keep us from having a data base of technology and expertise and equipment around the country, do you? Mr. Starnes. Mr. Chairman, I will take that first. Absolutely not. One of the things we definitely were struck with post 9/11 is the amazing spirit and patriotism of the American people, as well as their just creativity and drive, and really that is the response that motivated both private and local government sectors within our State of Oregon to get together and see if we could organize better and prepare better in advance, and it was striking to us on the organizing Committee how poorly prepared we really are in terms of, as you point out, even knowing who to go to in the case of a potential cyber terrorism issue, and what the resources are. So the first set of procedures we are going through is essentially inventorying our intellectual skills within the state, and the next part of that exercise will be determining how we catalyze those and how we interconnect those in a useful and effective fashion. Absolutely these problems can be taken care of over the long haul. I do believe that private industry needs to be heavily involved in that process. We need to think about issues of data base redundancy and network vulnerabilities and so on to make sure that we plan and build the network that has to support the people involved in advance, and contemplating a number of the different threats that might be present. Senator Wyden. Dr. Hoffman. Dr. Hoffman. Mr. Chairman, I agree with everything Mr. Starnes has said. I agree that it is not an insurmountable problem. 
I also want to point out that we will never solve the problem perfectly, but if we can get a solution that is 90 percent further along than where we are today, I think we would have made obviously great progress. One thing that is important to realize--I take some of this from my experience serving in my local town where I reside, in Chevy Chase, Maryland, yet we had a committee for Y2K, which I served on, and just knowing the local resources and going up to the county level and so forth on up is very important. So I think rather than having one grand system defined, this might be an excellent opportunity to have a number of local systems deployed, tried out, tried out in the laboratory of the states or even at a lower level of government, and keep the communication system flowing between all the levels of government and the private sector, that would be, I think, a better way to architect it than put all of your eggs in one basket. Senator Wyden. I think those are thoughtful points. We are going to work with you, because I think you are right. You cannot come up with any ideal kind of approach that ensures that you never have a bug anywhere at any time, but I really do see a strategic technology reserve as an insurance policy for this country. Given how many people have said they would help, major companies in this country have said, ``Look, we will get people and equipment when the country's national security interest and well-being are affected by these terrorist attacks.'' It just seems a shame to not try to address some of these issues in advance and not just have all these well-meaning people basically in a position of heading to some disaster site and kind of standing around. That is what some have told us happened in New York, and it is not because New York did a crummy job. Quite the opposite. New York City did a terrific job. How they accomplished so much so quickly is an extraordinary success story.
What else could have been done is what I think we want to look at, and of course, most communities are not in a position to have the resources you had in New York City. We are going to work very closely with you to iron out these questions of authentication and privacy and making sure you do not have a system that gets hijacked by the very people you are trying to deal with in terms of the overall effort. It was interesting you mentioned Y2K, Dr. Hoffman, because that was an area we wanted to look at, and maybe we can bring you back into this. Dr. Strawn, I was very involved in the Y2K efforts that this Committee tackled under the leadership of Chairman Hollings and Senator McCain, and obviously, a lot of those paid off. That concerted effort to have people working together and preparing for a wide variety of potential threats to this country paid big dividends. I would be curious if this panel thinks there were any parallels to be drawn or any lessons between the Y2K effort and what we are doing now to try to improve cyber security. Dr. Strawn. I would be happy to take a crack at that. I had the good fortune of also being involved in the Y2K efforts at NSF. I had an interesting assignment. NSF undertook, as part of its public knowledge and public education of science tasks, to run a series of surveys, polls of the public to find out what their knowledge was and what their concerns were about the Y2K issue as it went forward; I had the good fortune of serving as NSF's spokesperson during that time on that subject. We observed that, number one, as Y2K approached, it focused the attention and the efforts of the country very greatly toward solving the problem. Number two, the more information that was made available to the public and the more they understood what was going on, the less concern they had, and the more they understood what was happening, and that was a general, very good benefit of education. 
If I may add one other subject relating to a government analog of the volunteerism that you were discussing a moment ago. I observed that since September 11, there has been a very vital and vigorous interaction between the defense community and the civilian research community, we are working together to make sure that research results that have been developed in universities and the civilian sector are available to the defense and security activities that need advanced research and development. That is not quite volunteerism, but it has the same very beneficial effects of propelling these advances forward. Senator Wyden. Other panel members, parallels between Y2K and what we are trying to do here? Mr. Starnes. I think that is a very interesting and relevant question. One of the advantages of the Y2K issue is that we had a specific and imminent date to work toward, and in the few years ahead of Y2K--the industry estimates range a bit on this, but the upward estimates are that there was almost $300 billion spent on Y2K preparedness. I think it is very interesting to sort of compare that with the industry spending for security technologies in the last 3 years, the composite industry spending, which has been about, somewhat under $20 billion, so on a single incident, that was a very known and measured incident as an industry, as a country we spent almost $300 billion, and cumulatively over the last 3 years we have spent about $20 billion, so I think that really points to a gap, still, in the way we need to look at funding these really important vulnerabilities that we have. Senator Wyden. Okay. Let's move back to the topic, if we could, of the strategic technology reserve. Mr. Hira, I would like to ask you a question, because, of course, your organization represents a large number of technology experts, and I think it would be helpful to get your sense of whether there would be a lot of those individuals and companies that would be willing to volunteer. 
My sense is that they are looking for a chance to help and participate, and in a situation like this say, if there is a problem in my area, or a problem in my region of the country, we are anxious to be there. We will volunteer; we are sending our name and saying we want to participate in something like the strategic technology reserve. What is your sense about whether the people you work with would say if their expertise is needed emergency officials could know where to find them?

Mr. Hira. I am glad you asked that question, actually, because we are a volunteer-driven organization. We do not have industrial membership. Our membership is as individuals. We are structured along a couple of different dimensions, but the two important dimensions that are relevant to this are, one, based on your technical expertise, or your subdiscipline. So, for example, my area is control systems. Somebody else's is antennas and propagation, and so on and so forth, and so there is a technology and technical dimension, but we are also organized geographically via regions and sections. I do not see any reason why something like this could not or should not appeal to many of our members that are out there.

Senator Wyden. Let me turn now to the part of our legislation that calls for setting up a clearinghouse or test bed, and maybe we can hear from Mr. Starnes and Mr. Logan; I think both would be good for this question. What we are dealing with here is this: the federal government has received thousands and thousands of ideas and proposals to fund various technologies and products. In effect, it is a new deluge. Thousands of them have come from across the country, and what Senator Allen and I are trying to do is to make sure that we can perform a service for agencies, help them to identify new technologies, figure out if the proposed technologies can meet the specifications needed by the agencies.
We do not want new mandates, picking winners and losers and all of this sort of thing, but I think we can begin this round, Mr. Starnes and Mr. Logan, with whether you think the current emergency response agencies are doing enough to harness the potential of new technological developments, and whether we need to do a better job of trying to be open to new technologies so that we can use all of this talent.

Mr. Starnes. Mr. Chairman, I will take that one first. Clearly, I think we can be doing a better job. I think there are some wonderful agencies, certainly in the area of security awareness. CERT has done an admirable job for the amount of funding and support that they have received, but we are dealing with a really big issue here, and we really have not, as a nation, been under a coordinated attack. The attacks that we have seen that get headlines every other day are often 15-year-olds in their basement, so it sort of creates a concern in our minds that we have a pretty big gap here, so certainly at Tripwire we have talked about this at a strategic level, and we are very supportive of, in fact pretty involved already with a number of governmental agencies in several different areas, certainly from more of a tactical standpoint in terms of providing them products and capabilities and services and so on, but also from a strategic standpoint there is some extremely good work going on between private industry and government around digital fingerprinting and understanding the security and stability of computer systems at a very fundamental level, and the National Drug Intelligence Agency and many other agencies have been positively involved in that. So we are starting to see the kind of activity that is moving, I think, the nation to a higher level of overall security, but it worries us that it is not moving as quickly as it probably could or should, and so we certainly welcome additional leadership from you and your bills in those areas.

Senator Wyden. Mr. Logan, let us have you comment on this as well. You have got an innovative technology, a product out there that you are excited about, that you think makes sense. You have spent a lot of time toiling away on it, but you are not exactly sure where in government to bring it. What Senator Allen and I have said is, you could bring it to a clearinghouse within NIST. That would be where you would go, and the clearinghouse would basically share that information with an agency that expresses a need. Now, that is our sort of bipartisan thinking about how you could streamline this and build on something that we think would not involve a lot of red tape and bureaucracy. Do you by and large feel that is heading in the right direction?

Mr. Logan. Yes, I do. In fact, our current process of trying to evaluate new technology standards, the mechanics of that would be a federal government, state government, local government. It can be very cumbersome and time-consuming only to, at the end, make a decision or arrive at a certain standards level, and now the technology has passed us by. I believe that through a clearinghouse as you have suggested, that would give companies a chance to bring to the table innovative products, see how they meet the needs of the users, today's needs of the users, in a way that could help through enabling grantees to look to these various test beds, to say, well, it works for them, this is our need, our needs are aligned with the test beds, and to make that a part, to enable these grants--I mean, the big concern, obviously, with the user groups is, what are the mechanics associated with the grants that will be coming out, and so to the degree that we can show and demonstrate products and technologies that will enable first responders to better do their job, I think that is absolutely the way to go.

Senator Wyden. Well, our hope is that taken together the test bed and the clearinghouse would really accelerate the adoption of new technology by government emergency and security agencies. Again, we would welcome your ideas on some of the specifics about how to address this, but I would hope that we could get agreement on those two areas, because I am struck by how many times private sector companies say, ``Look, I do not know where to turn.'' Clearly there is a governmental interest at a minimum in not buying outdated stuff, and making sure that when you are making these purchases, that you are buying in a cost-effective way for citizens and taxpayers.

Just a couple of other areas, one for you, Mr. Logan, with respect to the wireless area, which we do think is especially important. Our hope is that the pilot program that we envisage would be a helpful start. Clearly, this is going to require some very significant expenditures. There are some exciting things going on around the country, as Mr. Starnes noted, where he is involved in some of them in the State of Oregon, in my home state, but our theory is that we could provide grants to states to at least pioneer some innovative efforts in communications interoperability, and these could be shared around the country. We see that as one way to at least make a start and jump-start the effort to come up with some good models. Are you comfortable that is headed in the right direction?

Mr. Logan. Yes. I think that is a very good idea, especially working with States that may have already made significant advances in the area of interoperable technology, communications improvements. In fact, a thought we had was in working with these test beds, maybe creating a solution whereby we can not only demonstrate the technologies at that location, but put those technologies on the road in a mobile setting much like FEMA and others, first responders.
Usually the event is not going to happen, maybe, right next door or where they think it is going to happen, but if we can develop through those test beds the ability to have those solutions mobile so we can bring them to various communities in other states, I think that could be very beneficial.

Senator Wyden. Another area, last area that we were interested in that goes back to S. 2182, and maybe we can start with you, Dr. Strawn, is, I think the theory of this bill is to build up what has been certainly heretofore an underdeveloped intellectual infrastructure in the cyber security field. Take your academic hat off for a moment, and give me your thoughts on what you think the practical effects of underinvestment, what is happening now, the current underinvestment in cyber security research and personnel would be.

Dr. Strawn. I think underinvestment has put us in somewhat of a pickle already, and that the citizens of our country are right not to have trust in their computing and information technology systems. We do not have a high enough level of assurance that our systems are safe from being hijacked, are safe from being abused; and now computer hardware and computer software are going into almost all products and services that society uses these days. We just have to have a higher level of security and a higher level of reliability in these systems, and the public will have to remain doubtful until we take it to a higher level.

Senator Wyden. Gentlemen, anybody else, practical effects of underinvestment?

Dr. Hoffman. Following up on those earlier comments, I would only add that we have a system where the critical infrastructures are all connected, so in fact what affects computing does not only affect computing. Computing drives energy and water and a number of other infrastructures more and more, so if we do not have secure computing systems, we really do not have a secure infrastructure at all, and it just gets worse as a practical effect.
Also, I would like to follow up on one comment made a minute ago. When you talk about a test bed, I think it is important to realize--and I agree with the observation that these things can more and more be taken on the road, so you do not need a big lab with lots of rooms out at NIST or somewhere else. The people nowadays come and ask at the university, they say, let us see your lab, and I say, well, where do you want me to bring it, because often for many systems three laptops and a good mobile wireless network is all you need to demonstrate something, and you have much more of an effect when it is there in the right place.

Senator Wyden. I think that is a very good point. I was concerned initially when we started talking about the strategic technology reserve people would think about some gigantic building, and there you would store all of these laptops, and they would just be getting dusty and the like, and then you would have your test bed, which would be a similar sort of building hooked up to all kinds of jumper cables and contraptions, and that would be supposed to be in charge of testing. I think you are absolutely right. What we are looking at is trying to use existing laboratories and others to the greatest extent possible, and we are going to take that counsel to heart. I am glad you made that point, because I think people are already starting to envisage how this would work, and it is helpful to have this kind of testimony on the record. Others on that, underinvestment?

Mr. Starnes. I cannot resist that one. I think we are actually seeing first-hand the practical effect of underinvestment right now.
Customers have been taught to buy based on features, and the number of colors on their screen and other issues, and have not really been taught to understand the issues of security and interconnectedness and various other important areas for infrastructure, so the commercial instincts kick in, which is a part of our democratic process, so somehow we have to find a balance, and sort of back to the issue of test bed clearinghouse again, which is a concept we certainly endorse. The key issue, a couple of the key issues that distinguish the commercial sector from the government sector is speed, so not only does the funding have to be allocated both in terms of internal budgets for agencies, but it has to be made available, and it has to be made available, as I said in my oral testimony, on a faster basis than we currently have the ability to do. That certainly does impact commercial entities, because commercial entities are forced to go out to the venture capital market, and when the venture capital market is strong, as it has been over the last few years, that was a viable option. The fact of the matter is now that the venture capital markets for the most part are weak, and so you are actually seeing a decline of commercial innovation, and government really has not stepped forward in our view to really deal with that yet.

Senator Wyden. Well, I really do not have any questions in addition. You all have been excellent, and my hope is that these two bills can, in effect, provide a very solid response to what happened on September 11, and really constitute a new and more targeted effort by government to deal with cyber security issues and the threats that were presented on September 11. It seems to me with the cyber security legislation that passed the House, we have got a chance to make a very effective and well-targeted investment in NIST and the National Science Foundation, and ensuring that we are training tomorrow's leaders.
That is essentially what that legislation is all about. I support it strongly, and the Administration's efforts in that area with respect to S. 2037. I think what we would like to say is that while government clearly can make a very significant difference, it would just be a tragedy not to harness and mobilize all of this energy and talent in the private sector that wants to help and pitch in and make a difference. I am convinced that over the next month, working closely with the Administration, and with all of you in the private sector, we can move this forward. There are not many months left in this session of Congress, and I think it would be a real shame to go home without passing these two bills, bills that are going to allow us to maximize an effective role of tax dollars, particularly in education and research, and a small amount of additional government money basically to ensure that the volunteers and people in science and IT who want to help can have a chance to do so and make a difference. So, if there is nothing that any of you would like to add further, we will adjourn, but I can give each of you the last crack. Anything that our panel would like to add?

[No response.]

Senator Wyden. All right. We are adjourned.

[Whereupon, at 4:15 p.m., the Subcommittee adjourned.]

APPENDIX

Prepared Statement of James W. Graham, Chief Operating Officer, Emergency Asset Management Systems

Mr. Chairman, Members of the Committee, thank you for this opportunity to submit testimony in support of S. 2037, the Science and Technology Emergency Mobilization Act. My name is James W. Graham, Chief Operating Officer of Emergency Asset Management System, a division of GBUCS, LLC. GBUCS is a Chicago-based developer of web-based software solutions for private industry and government, specializing in asset management systems. I am here today to express our strong support for S. 2037.
Overseas, our Armed Forces are unbeatable not only because of their training, patriotism and bravery, but also because they are equipped with unsurpassed technological superiority. Here on the home front--where terrorism must be fought and the safety of our communities and workplaces ensured--we too must equip ourselves with unsurpassed homeland security technology.

In recent months, our company has dedicated itself to learning about the technology needs of emergency managers nationwide. Based on our experience I must report to you that there are serious and substantial shortcomings in the technologies now utilized by emergency management agencies. Much has been said about the need to make communications systems between emergency response agencies interoperable. Technology needs on the home front do not stop there.

Emergency managers at every level of government in this country are certified and dedicated professionals who typically graduate to their important positions after gaining experience in the military, on police forces and as firefighters. These federal, state and local agencies play a critical role in responding to terrorist attacks. They coordinate and mobilize all available regional, state and federal assets in times of disaster. These include police, fire, National Guard, hazardous materials units, public health and infectious disease professionals, volunteers, donors and many others. Little noticed when there is no emergency, these emergency response professionals took on critical importance when terrorists struck Oklahoma City, New York, Washington and elsewhere. They will play such roles again, and we must equip them with the best tools and technologies available. Seven months after September 11, 2001, many of these emergency managers remain underfunded, understaffed and unequipped with the technology they need.
State government budgets took a direct hit when the economy crashed, and as much as state legislators and governors wish to invest in homeland security, they often lack the means to do so.

To illustrate one of the gaps we discovered, consider that emergency management agencies make little or no use of Internet technologies even though their central function is to gather critical information in emergencies and communicate instructions to needed emergency responders. In other words, although information management and communications is central to their role, they make almost no use of the Internet, the greatest information and communications invention of the past century. In several disasters of the past decade, people by the thousands who wanted to volunteer had to try to get through on the phone; there were no web sites to visit with instructions and information gathering capabilities. On September 11th, 15,000 unsolicited volunteers showed up in Manhattan, forcing authorities to help feed and shelter them. In other disasters, people who wanted to donate filled truckloads and even jumbo jets with unneeded goods, leaving emergency responders with the added burden of sorting through or disposing of inappropriate donations. No web site told donors what was needed nor was the web used to facilitate the logistics of moving and warehousing donations. Public confidence in the official disaster response was thus undermined. No private business facing similar logistical challenges would think of doing so without Internet tools of some kind.

A National Emergency Technology Guard would be an important and useful added force in guarding against terrorist attacks here at home. Technology professionals across the country will be willing to volunteer in an emergency. We ourselves volunteered and donated our own donations management software to the Manhattan Chamber of Commerce for use after September 11th.
They have found it useful as they help businesses recover from that disaster. A Center for Civilian Homeland Security Technology Evaluation would help identify needs and solutions such as those I have pointed out here today.

But state and local emergency managers need help now. If the federal government is to lend that helping hand, let there be money in the palm of that hand. Volunteer programs like a NET Guard and Citizen Corps can do great good, but they must be managed at the local and state level. That costs money and it requires logistical management tools they do not now have. In times like these, the states lack the financial might of the federal government. But the strength of our defense against domestic terrorism depends upon the might of state and local emergency managers. They need new technology to be effective, and they need financial backing to acquire those technologies. We support S. 2037, but we also call upon you to do more for those who are at the front line of terrorism defense at the state and local level. Thank you.

______

April 8, 2002

Hon. Ron Wyden, Chairman,
Hon. George Allen, Ranking Minority Member,
Senate Committee on Commerce, Science, and Transportation,
Subcommittee on Science, Technology, and Space,
Washington, DC.

Dear Chairman Wyden and Senator Allen:

The National Association of Manufacturers (NAM) writes to support your new legislation, S. 2037, the Science and Technology Emergency Mobilization Act (or NETGuard bill). The NAM is the nation's largest industrial trade association and represents 14,000 members (including 10,000 small and mid-sized companies) and 350 member associations serving manufacturers and employees in every industrial sector and all 50 states. Homeland security is an area of significant new endeavor for the NAM in 2002. Governor Ridge, General Magaw and Representative Chambliss have addressed NAM audiences, including the NAM Board of Directors.
Furthermore, the NAM has dedicated a major new segment of its Web site to the issue. Your legislation would afford an organized way for industry to express its support, and to channel its involvement, in the homeland security effort. Even without such legislation, many U.S. firms, including many NAM-member companies, rushed to offer assistance in numerous ways following the terrorist attacks of September 11th. As encouraging as that response was, a greater degree of organization in the future can be expected to make industry contributions even more effective.

Among other provisions, the bill also would create a new unit at the National Institute of Standards and Technology to evaluate new technologies for their applications to homeland security and to serve as a clearinghouse. The NAM recently wrote to the director of NIST to call attention to a NIST project that we believe has higher homeland security-relevance than was previously appreciated. Our experience suggests, again, that a formal structure for such evaluations is a worthwhile idea. David Peyton would be pleased to provide further information at (202) 637-3147.

Sincerely,
Franklin J. Vargo,
Vice President, International Economic Policy.

______

April 19, 2002

Hon. Ron Wyden, Chairman,
Senate Commerce, Science, and Transportation Committee,
Science, Technology and Space Subcommittee,
Washington, DC.

Dear Mr. Chairman:

The National Association of Manufacturers wishes to express its support for S. 2182, your cyber security research legislation. We strongly supported the counterpart legislation, H.R. 3394, as passed by the House of Representatives with 400 votes. The National Association of Manufacturers (NAM) is the nation's largest industrial trade association. The NAM represents 14,000 members (including 10,000 small and mid-sized companies) and 350 member associations serving manufacturers and employees in every industrial sector and all 50 states.
Since 1998, the NAM has led the effort to increase industry support for science funding generally, given the need to maintain the flow of new discoveries upon which industry can carry out product and process development, the need to produce more U.S. graduates in technical fields, and the need to defend the country against attack, including cyber attack. The NAM supported the broad research authorization bills issuing from this subcommittee (S. 2217, S. 296, S. 2046) that the Senate passed three times by unanimous consent starting in 1998. Today, the NAM is pleased to support the new specific bill, S. 2182, which addresses the most important topic not included in previous legislation: computer security.

The sobering hearing held by the House Science Committee last October 10, to be supplemented by your hearing on April 24, afforded evidence for the need for the legislation. Too little money is going into computer security research, too few graduates are being produced, and too little progress is being made. Computer users remain almost totally reliant on passive defenses such as virus filters and firewalls that afford no meaningful defense against distributed denial of service (DDOS) attacks. At Carnegie-Mellon University, the Computer Emergency Response Team's statistics on reported attacks show that malicious attacks are doubling annually, to a rate of over 50,000. Even the NAM itself, as a small business, receives about ten attempts at penetration each day.

The NAM views S. 2182 as one important piece of an evolving strategy to bring together the joint strengths of government, industry, and academe to meet the undeniable shared threat of cyber attack, along with the pending Critical Infrastructure Information Security Act, S. 1456. S. 2182 will have our support as it moves forward.

Sincerely,
Franklin J. Vargo,
Vice President, International Economic Policy.

______

Response to Written Questions Submitted by Hon. John McCain to Dr. George Strawn

Question 1. One concern that has been raised about S. 2182 is that many of the grants established by this program will be used to develop evolutionary technologies, such as a next generation firewall. How does NSF plan to ensure that it funds research programs that are truly revolutionary?

Answer. ``Evolutionary'' and ``revolutionary'' are terms often associated with research proposals. They can be thought of as the ends of a spectrum of research contributions ranging from ``pure'' evolutionary (only a modest or incremental increase in understanding is likely to occur from undertaking the proposed research) through various blends of ``part evolutionary, part revolutionary'', to ``pure revolutionary'' (a very large increase in understanding, often in unexpected directions, is proposed). The other side of the same coin is proposal risk. If only incremental understanding is sought, reviewers can be relatively sure that the proposer will be successful (i.e., the proposal is of lower risk). On the other hand, if large increases in understanding are sought, the reviewers will be less sure that the proposer will succeed (i.e., the proposal is of higher risk). When scientists speak of ``the quality'' of a proposed research project, part of the determination of quality is how revolutionary the proposed project appears to be.

NSF selects proposals for funding by merit review. Usually this merit review includes proposal review by scientific experts familiar with the subject material of the proposal. The review focuses on two questions: what is the scientific merit of the proposed research? And what are the broader implications of the proposed research? The NSF program officer in charge of the review then makes awards as possible, utilizing the advice of the expert reviewers. At all stages of the NSF proposal process, revolutionary research is sought.
Proposers are told that NSF is interested in funding revolutionary research; reviewers are encouraged by NSF to regard revolutionary proposals highly during the peer review; and program officers are encouraged by NSF to ``take the chance'' on higher risk, revolutionary proposals while making their funding decisions. All of these steps are intended to counter tendencies along the process to lower risks by settling for more evolutionary proposals with higher probabilities of success. One implication of this is that if some proposals funded by NSF don't fail, we aren't taking big enough risks.

Question 2. A number of different federal agencies, including the NSF, NIST, and DoD, all fund cyber security projects. Is there a guiding organization or established working group that shares information about federal cyber security research and will ensure that the grant and research programs established by this bill will not fund duplicative research?

Answer. There is an interagency organization, the Networking and Information Technology Research and Development working group (NITRD), which includes the federal agencies supporting IT research. This working group has been in existence for more than ten years and has a history of providing excellent coordination among the various federal IT research programs. NITRD is under the auspices of OSTP and OMB.

Question 3. You have testified that ``the most important problem'' in cyber security research is that there is such a small number of faculty doing research in this field.
a) What created this shortage?
b) Do you believe S. 2182 will reduce this shortage and increase the number of faculty involved in this field?
c) Is the shortage of Ph.D.'s and graduates in the cyber security research area any worse than in other engineering and science fields?

Answer. It is a matter of speculation as to why the cohort of researchers working in the cybersecurity area is so small.
One clear cause is that until very recently (coinciding with the rise in the use of the Internet) very few organizations worried about cybersecurity. In the absence of identification of serious, challenging problems, hardly any faculty chose to work in the area, meaning that almost no new researchers were produced. Researchers choose their areas of study based on personal interest, funding availability, and various other reasons. Perhaps the academic values that include ``free and open access to information'' have been at odds with the ``secure and controlled access to information'' requirements of cybersecurity research. Perhaps there just hasn't been enough funding available. For example, NSF funding levels in various areas are often determined in a bottom-up fashion (by so-called ``proposal pressure''). In any event, increasing the amount of research funding is an important and usually successful way of increasing the number of researchers working in an area.

Additional disincentives to working in security include the fact that until recently the only employer was the Department of Defense, so it is likely that many academic advisors did not encourage their students to go into this area. In the private sector, employers are interested in program features, not security. In FY02, NSF initiated a program in cybersecurity (called ``Trusted Computing'') and one result has been an increase in the number of cybersecurity proposals received by NSF.

The shortage of computer scientists working and trained in high-demand areas such as cybersecurity and networking is greater than in some traditional areas such as programming languages and operating systems. Other areas of science and engineering exhibit a similar variation between high-demand and lower-demand sub areas.

Question 4. You stated that cyber security is a property of the ``total system,'' not of the system components, which includes human and management elements. Do you believe that the bill, S. 2182, as introduced, does an adequate job of providing funding for this ``total system'' approach? Is there a need for additional multi-disciplinary research in this area?

Answer. Cybersecurity is a system characteristic, not a component characteristic. This means that researchers have to study the interrelationships among system components as well as the components themselves. Since, broadly speaking, some of the system components are humans and organizations, interdisciplinary research arises naturally in this area. S. 2182 addresses these needs because the researchers (and NSF and other federal agencies) are well aware of these characteristics. NSF strives to be as general as possible in its program announcements and solicitations because many of the best proposal ideas ``bubble up'' from the research community itself as opposed to being specified in the announcement. Once an area such as cybersecurity is marked for additional support, over specification can deter, rather than enhance, community proposal response.

Question 5. You mentioned the research and other education programs that NSF is currently conducting. Can NSF conduct the type of research and education activities called for in the Cyber Security Research and Development Act within their existing statutory authority?

Answer. We believe that the research and education called for in S. 2182 can be supported (and indeed is already being supported) within NSF's current statutory authority.

Question 6. Your written testimony highlighted the NSF's Cybercorps program, which provides scholarships to undergraduate and graduate students studying computer security and in return the students will serve in the federal government for at least two years. Have you had any problems placing students of the Cybercorps program into summer internship positions within the federal government?

Answer.
The Federal Cyber Service: Scholarship for Service (SFS) program has placed more than 24 students in internships in various federal agencies this past summer--the first such opportunity provided for students within the program. As in any new undertaking, there have been challenges associated with (a) moving awareness that SFS students are available for internships beyond agency personnel offices to various agencies, (b) achieving understanding that though these students are available for less than 640 hours of employment in a summer, they may be still be incorporated within existing agency provisions for Federal Student Career Experience Program, and (c) overcoming agency concerns that though they may go through a very expensive clearance process, students are not committed to service only within the federal agency within which they have served their internship. The Office of Personnel Management is the lead agency addressing these issues and is working with the hiring agencies, and the grantees institutions to resolve these issues. Question 7. On April 22, Matt Bishop, a computer science professor at the University of California--Davis, and Blaine Burnham, founding director of the Nebraska University Consortium on Information Assurance, detailed concerns about the Cybercorps program at the Infotec 2002 Conference. One criticism raised by these speakers is that government salaries are so low that students prefer to apply for student loans and repay them with private industry jobs instead of joining the Cybercorps program. Another critique of other science-targeted scholarship programs is that students with federal scholarships are able to get out of service requirements, because private companies will re-pay the scholarship as part of their employment package. What has NSF done with the Cybercorps program to attract students to the program and ensure that students that receive scholarships under the program will actually perform the required government service? 
Another criticism that was raised by the speakers is that graduates of the Cybercorps program are required to only work for civilian agencies. The speakers recommended that graduates of the program be allowed to work for the Department of Defense and its research agencies. What is NSF's position on this recommendation? Answer. Working through its grantees, NSF has been very active in increasing awareness of the program and its requirements. We have been gratified by the level of press attention devoted to the program and the student interest as demonstrated by direct inquiries to NSF. The program's requirements are explicitly communicated to our grantee institutions and, through them, to participating students. Although the criticisms about low government salaries and private industry options may be valid, they are not widespread. In fact, we have noted an enthusiastic response on the part of participating students. The main deterrence here is in the recruitment of students with the proper mindset and attitude about federal service. The vast majority of students currently enrolled in SFS are not planning to make a lot of money in private industry job by abusing a government scholarship program. On the contrary, they are in SFS because they sincerely want to give back to America and contribute to the ongoing war on terrorism. They are motivated by patriotism and a desire to serve in much the same way that young people volunteer for military service. This is the attitude frequently expressed by the student participants, drawn from among all grantee institutions, at the recent Cybercorps Symposium held July 20-24, 2002 at the University of Tulsa. In order to avoid unnecessary duplication with a similar program being run by the National Security Agency (NSA) which provides placement in Department of Defense agencies, NSF would like to see its SFS graduates be placed at federal civilian agencies. 
However, we do currently permit SFS graduates to be placed at DoD agencies and have done so. NSA and the U.S. Air Force--Rome Laboratory already have SFS graduates placed there and the Defense Computer Forensic Laboratory is scheduled to receive an intern. Question 8. In your written testimony, you stated that ``one important goal of fundamental long term research in cyber security will be to produce an agreement on what . . . constitutes a secure system.'' Could you please discuss why it so hard to reach an agreement on this issue, and what factors are involved in determining a ``secure system'' Answer. The definition of a ``secure system'' depends on ``how big'' a system is being considered (see answer to question 4). That is, if the personnel who operate the computers and networks are thought of as part of the system, then cybersecurity melds with physical security, and issues of insider crime, etc, must be considered. And as with any discussion of security, perfection is not available and we must come to terms with levels of risk. Measuring risk in the computers and networks of a big system is a newer challenge, and less well understood than risk in pre-cyber systems. Question 9. In your view, how vulnerable is the United States to the threat of cyber attack? Do we currently have the resources to prevent and respond to a cyber attack? Answer. Research organizations such as NSF may not be in the best position to evaluate the current threat levels or response and prevention capabilities of the U.S. to cyber attack. Nevertheless, it can be said that today's cybersystems are poorly understood and poorly constructed relative to desired scientific and engineering standards. It is the goal of research to achieve better understanding of cybersystems and to create better engineering approaches for constructing such systems Question 10. Would you consider America as a leader in cyber security research? If not, which countries are? Answer. The U.S. 
remains the world leader in IT research and development, including cybersecurity. In cybersecurity, however, there is much to be learned and to be applied to a society increasingly dependent on computer technology. In some areas of cybersecurity, Israel is very advanced and may actually lead the U.S., due, perhaps, to their long-time need for security.