[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY--GETTING IT RIGHT
=======================================================================
HEARING
of the
SUBCOMMITTEE ON CYBERSECURITY,
SCIENCE, AND RESEARCH, AND DEVELOPMENT
before the
SELECT COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
JULY 22, 2003
__________
Serial No. 108-18
__________
Printed for the use of the Select Committee on Homeland Security
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
98-150 PDF WASHINGTON : 2005
______________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
SELECT COMMITTEE ON HOMELAND SECURITY
CHRISTOPHER COX, California, Chairman
JENNIFER DUNN, Washington JIM TURNER, Texas, Ranking Member
C.W. BILL YOUNG, Florida BENNIE G. THOMPSON, Mississippi
DON YOUNG, Alaska LORETTA SANCHEZ, California
F. JAMES SENSENBRENNER, JR., EDWARD J. MARKEY, Massachusetts
Wisconsin NORMAN D. DICKS, Washington
W.J. (BILLY) TAUZIN, Louisiana BARNEY FRANK, Massachusetts
DAVID DREIER, California JANE HARMAN, California
DUNCAN HUNTER, California BENJAMIN L. CARDIN, Maryland
HAROLD ROGERS, Kentucky LOUISE McINTOSH SLAUGHTER,
SHERWOOD BOEHLERT, New York New York
LAMAR S. SMITH, Texas PETER A. DeFAZIO, Oregon
CURT WELDON, Pennsylvania NITA M. LOWEY, New York
CHRISTOPHER SHAYS, Connecticut ROBERT E. ANDREWS, New Jersey
PORTER J. GOSS, Florida ELEANOR HOLMES NORTON,
DAVE CAMP, Michigan District of Columbia
LINCOLN DIAZ-BALART, Florida ZOE LOFGREN, California
BOB GOODLATTE, Virginia KAREN McCARTHY, Missouri
ERNEST J. ISTOOK, JR., Oklahoma SHEILA JACKSON-LEE, Texas
PETER T. KING, New York BILL PASCRELL, JR., New Jersey
JOHN LINDER, Georgia DONNA M. CHRISTENSEN,
JOHN B. SHADEGG, Arizona U.S. Virgin Islands
MARK E. SOUDER, Indiana BOB ETHERIDGE, North Carolina
MAC THORNBERRY, Texas CHARLES GONZALEZ, Texas
JIM GIBBONS, Nevada KEN LUCAS, Kentucky
KAY GRANGER, Texas JAMES R. LANGEVIN, Rhode Island
PETE SESSIONS, Texas KENDRICK B. MEEK, Florida
JOHN E. SWEENEY, New York
JOHN GANNON, Chief of Staff
UTTAM DHILLON, Chief Counsel and Deputy Staff Director
DAVID H. SCHANZER, Democrat Staff Director
MICHAEL S. TWINCHEK, Chief Clerk
______
SUBCOMMITTEE ON CYBERSECURITY, SCIENCE, AND RESEARCH & DEVELOPMENT
MAC THORNBERRY, Texas, Chairman
PETE SESSIONS, Texas, Vice Chairman ZOE LOFGREN, California
SHERWOOD BOEHLERT, New York LORETTA SANCHEZ, California
LAMAR SMITH, Texas ROBERT E. ANDREWS, New Jersey
CURT WELDON, Pennsylvania SHEILA JACKSON-LEE, Texas
DAVE CAMP, Michigan DONNA M. CHRISTENSEN,
ROBERT W. GOODLATTE, Virginia U.S. Virgin Islands
PETER KING, New York BOB ETHERIDGE, North Carolina
JOHN LINDER, Georgia CHARLES GONZALEZ, Texas
MARK SOUDER, Indiana KEN LUCAS, Kentucky
JIM GIBBONS, Nevada JAMES R. LANGEVIN, Rhode Island
KAY GRANGER, Texas KENDRICK B. MEEK, Florida
CHRISTOPHER COX, CALIFORNIA, ex JIM TURNER, Texas, ex officio
officio
(ii)
C O N T E N T S
----------
Page
STATEMENTS
The Honorable Mac Thornberry, Chairman, Subcommittee on
Cybersecurity, Science, and Research and Development, and a
Representative in Congress From the State of Texas............. 1
The Honorable Christopher Cox, Chairman, Select Committee on
Homeland Security, and a Representative in Congress From the
State of California
Oral Statement................................................. 3
Prepared Statement............................................. 4
The Honorable Dave Camp, a Representative in Congress From the
State of Michigan
The Honorable Donna M. Christensen, a Delegate in Congress From
the U.S. Virgin Island......................................... 45
The Honorable Bob Etheridge, a Representative in Congress From
the State of North Carolina.................................... 43
The Honorable James R. Langevin, a Representative in Congress
From the State of Rhode Island................................. 37
The Honorable Sheila Jackson-Lee, a Representative in Congress
From the State of Texas
Oral Statement................................................. 48
Prepared Statement............................................. 5
The Honorable Zoe Lofgren, a Representative in Congress From the
State of California............................................ 1
The Honorable Ken Lucas, a Representative in Congress From the
State of Kentucky.............................................. 47
The Honorable Pete Sessions, a Representative in Congress From
the State of Texas............................................. 34
WITNESSES
Steven Bellovin, Ph.D., Technical Leader and Fellow, AT&T
Laboratory
Oral Statement................................................. 17
Prepared Statement............................................. 19
Shankar Sasry, Ph.D., Chairman, Department of Electric
Engineering and Computer Systems, University of California,
Berkeley
Oral Statement................................................. 6
Prepared Statement............................................. 8
Mr. Daniel G. Wolf, Information Assurance Director, National
Security
Agency
Oral Statement................................................. 21
Prepared Statement............................................. 24
CYBERSECURITY--GETTING IT RIGHT
----------
Tuesday, July 22, 2003
U.S. House of Representatives,
Subcommittee on Cybersecurity, Science,
and Research and Development,
Select Committee on Homeland Security,
Washington, D.C.
The subcommittee met, pursuant to call, at 10:05 a.m., in
Room 2118, Rayburn House Office Building, Hon. Mac Thornberry
[chairman of the committee] presiding.
Present: Representatives Thornberry, Sessions, Camp, Cox
[ex officio], Lofgren, Jackson-Lee, Christensen, Etheridge,
Lucas, and Langevin.
Mr. Thornberry. The hearing will come to order. This
oversight hearing of the Subcommittee on Cybersecurity,
Science, and Research and Development will hear today on the
topic of ``Cybersecurity--Getting It Right.'' This is the next
in a series of hearings that this subcommittee has had on
cybersecurity. We have had virtually unanimous recommendations
from previous witnesses that, among other things, research and
development is a key role for the Federal Government. And we
are here today to hear from some outstanding witnesses to help
guide us in that research and development for the future.
Before proceeding further, let me turn to the distinguished
Ranking Member of this subcommittee, the gentlelady from
California, for any opening comments she would like to make.
Ms. Lofgren. Thank you, Chairman Thornberry, for scheduling
this hearing today and for your wonderful leadership of this
subcommittee.
When the subcommittee was formed back in February, Chairman
Thornberry and I met to discuss our common agenda and
priorities. And at that meeting we both agreed that the
subcommittee should spend considerable time studying incredibly
complex sets of issues surrounding cybersecurity, and we
decided to embark on a mission to educate and inform the
members of the subcommittee. We felt the need to establish a
knowledge base before we attempted to tackle any possible
policy directives or legislative initiatives.
Soon after our initial meeting, we began this educational
process. At our first meeting, we heard from Dr. Charles
McCreary on the work being done within the Science and
Technology Directorate at the Department of Homeland Security.
Soon after that, we began a series of hearings on the
cybersecurity issue. First, we looked into threats,
vulnerabilities, and possible responses to cyber attacks. Last
week, we heard from industry leaders on their experiences.
In addition to these hearings, we have held several
briefings on cyber issues, including a classified briefing on
cyber threats. Chairman Thornberry and I have also had
individual meetings with academics, business leaders, and
public policy experts. All of these meetings and hearings have
been quite informative, and helped the members of this
committee to get a handle on the scope of the issues we face. I
believe that this subcommittee is beginning to have a solid
understanding of the cyber question, and I am sure we are going
to build on this foundation today.
Today, we will explore the research agenda that will help
us to better secure cyberspace. Our panelists represent
academia, the national security community, and industry, and
all are well-versed on cyber issues. Scientific research and
innovative technology may hold some of the most promising
solutions to our IT vulnerabilities, and I believe that we can
stay one step ahead of hackers and cyber terrorists if
government works in a coordinated way with the private sector.
I look forward to learning more about the advanced
technology programs that currently exist and the ones that need
to receive higher priority and funding. I want to hear about
the current efforts to share information between the private
sector, the government, and academia. Government, and this
subcommittee in particular, should play a role in helping these
diverse entities work together to reduce all our
vulnerabilities and better secure cyberspace.
I am looking forward to hearing from all of our witnesses
today, but I especially want to welcome and thank Dr. Shankar
Sastry, Chairman of the Electrical Engineering and Computer
Sciences Department at UC-Berkley. I have had the pleasure of
discussing these issues with Dr. Sastry before, and I
appreciate you coming all the way to be with us here today.
Finally, as I mentioned in my opening statement at last
week's hearing, I have great concerns about the Bush
administration's cybersecurity program. In the last 6 months,
the most senior Bush administration cyber officials have left
the government. These individuals include Richard Clark, the
Special Advisor to the President for Cybersecurity; Howard
Schmidt, the Vice Chair of the President's Critical
Infrastructure Board and Clark's replacement; Ron Dick, the
Chairman of the NIPC; and John Tritak, Director of CIAO. The
last two organizations are part of the National Cybersecurity
Division at DHS which was created on June 6th of this year. To
date, no director has been named for this division. The NCSD is
located within the DHS Information Analysis and Infrastructure
protection directorate, reporting to the Assistant Secretary
for Infrastructure Protection. Some cybersecurity-related R&D
activities, however, will take place within the DHS Science and
Technology Directorate.
I believe that this situation where it is buried within the
bureaucracy is questionable, and that once a person is finally
chosen to lead the division, he or she may not receive the
high-level access to Secretary Ridge and the White House that
is warranted.
The House is going to adjourn at the end of this week for
the summer district work period, and when we return in the
fall, I look forward to hearing directly from the Department of
Homeland Security on their cybersecurity agenda.
I thank Chairman Thornberry for scheduling this hearing,
and I thank him for his leadership and for working so well and
honestly with me. And I thank you, too, our witnesses, for
their testimony, and finally to the committee staff for their
outstanding work.
Mr. Thornberry. Let me thank the gentlelady, and express
agreement with the concerns that she has raised. We will be
hearing from the Department of Homeland Security when we
return, and this committee as well as the full committee, I
know, will be certainly engaged with them.
The Chair is going to yield his time for an opening
statement to the distinguished chairman of the full committee,
the gentleman from California, Mr. Cox.
Mr. Cox. I thank the Chairman and the Ranking Member. And I
will be brief, because we have an excellent panel of witnesses
today and I, like you, am anxious to hear from them. I want to
thank you both for organizing today's hearing and for your
continued diligence in examining the cyber threat, and for this
subcommittee's focus on the Department of Homeland Security's
mission to counter this new and worrisome threat. I would also
like formally to thank our witnesses for making the time to be
with us today.
Just as our focus on science, including notably the
Manhattan Project, contributed to our victories in World War II
and in the Cold War, a similar comprehensive commitment to
scientific inquiry, to basic research, and to the development
of innovative technologies is necessary if we are going to win
the current war on terrorism. For that reason alone, the cyber
challenge in particular requires a mobilization of the American
scientific community.
As recently reported by the National Research Council, the
United States information system vulnerabilities from the
standpoint of both operations and technology are growing faster
than the country's ability, if not willingness, to respond.
This is a critical fault that we have got to address, because
technology is at the center of our economy, our civilian and
defense critical infrastructure, our communications systems,
and indeed every aspect of our way of life.
Superior technology will, therefore, be at the heart of our
efforts to prevent and to deal with cyber attacks. We must
leverage our superior research community resources to address
risks and harden our critical physical and electronic
infrastructure.
Under Chairman Thornberry's leadership, this subcommittee
has held three hearings and a productive half-day workshop on
this issue. During these hearings, representatives from
industry, government, and academia have confirmed our
understanding the gravity of the cybersecurity threat and of
the importance of the Department of Homeland Security's role in
addressing it.
The workshop held yesterday morning, which was co-sponsored
by the Congressional Research Service staff, not only
accentuated the threat, but stressed the importance of the
public-private partnership in developing solutions. Today's
hearing will increase our appreciation for the research being
done to address the cyber threat. Each of our witnesses today
represents a different facet of the cyber research community.
The Department of Homeland Security, to be effective in its
analytic and policy mission, must have a clear understanding of
the best research being done and where it is going. In
exercising oversight, this committee will want to measure the
Department's progress over time in coordinating governmentwide
cyber programs, in advancing research and development efforts
to reduce cyber vulnerabilities, in improving our capabilities
to respond to attacks, and in accelerating our efforts to
promote computer security awareness training across the
country.
I look forward to hearing from our witnesses about research
priorities, both in the Federal Government and in the private
sector and in academia, and about ways that the Department of
Homeland Security can support and capitalize on your efforts.
Mr. Chairman, thank you again for your personal commitment,
and also our Ranking Member for your personal commitment and
for your exemplary performance and the performance of this
subcommittee on this issue. I yield back.
[The information follows:]
PREPARED OPENING STATEMENT OF THE HONORABLE CHRISTOPHER COX, CHAIRMAN,
SELECT COMMITTEE ON HOMELAND SECURITY
I would like to thank Chairman Thornberry and Ranking Member
Lofgren for organizing today's hearing, for their continued diligence
in examining the cyber threat, and for their focus on the Department of
Homeland Security's mission to counter this new and worrisome threat. I
would also like to thank the witnesses for making the time to share
their valuable insights with us today.
As many of you know, the Manhattan Project, launched in 1942,
marked the establishment of a sustained and successful U.S. nuclear
science program that grew stronger and stronger in subsequent years.
This focus on science contributed to our victory in World War II and in
the Cold War. The current War on Terrorism requires a similar
comprehensive commitment to scientific inquiry, to basic research, and
to the development of innovative technologies.
Today, the cyber challenge in particular requires a similar
mobilization of the American scientific community. Technology is at the
center of our economy, our critical infrastructure, our communication
systems, and our way of life. Superior technology will be at the heart
of our efforts to prevent a cyber attack. We must leverage our superior
research community resources to address risks, and harden our critical
physical and electronic infrastructure.
Under Chairman Thornberry's leadership, this Subcommittee has held
three subcommittee hearings and a productive half-day workshop on this
issue. During these hearings, representatives of the industry,
government and academia have confirmed our understanding of the gravity
of the cybersecurity threat and of the importance of the Department of
Homeland Security's role in assessing it. The workshop held yesterday
morning, which was cosponsored by the Congressional Research staff, not
only accentuated the threat, but stressed the importance of the public-
private partnership in developing the solution.
Today's hearing will increase our appreciation for the research
being done to address the cyber threat. Each of our witnesses today
represents a different facet of the cyber research community. The
Department of Homeland Security, to be effective in its analytic and
policy mission, must have a clear understanding of the best research
being done and where it is going. In exercising oversight, the Select
Committee will want to measure the Department's progress over time in
coordinating government-wide cyber programs, in advancing research and
development efforts to reduce cyber vulnerabilities, in improving our
capabilities to respond to attacks, and in accelerating our efforts to
promote computer security awareness training across the country.
I look forward to hearing from our witnesses about research
priorities, and about ways that the Department of Homeland Security can
support your efforts. Mr. Chairman, thank you again for your personal
commitment and for the exemplary performance of your subcommittee on
this issue.
THE PREPARED STATEMENT OF THE HONORABLE SHEILA JACKSON-LEE, A
REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS
Mr. Chairman and Mr. Ranking Member, I thank you for convening this
hearing today so that we can take another step toward securing our
homeland. Today's hearing, ``Cybersecurity: Getting It Right,'' gives
the Members of this Subcommittee another opportunity to explore the
difficult and ever-changing technology sector, and to hear more
invaluable testimony on protecting our information infrastructure.
A common question in our cybersecurity efforts is the issue of
information sharing. The technology industry is highly competitive and
also highly lucrative. Technology companies that develop innovative
ideas can earn millions, if not billions, of dollars. Therefore, there
is a substantial interest on the part of the corporation to keep the
innovation for themselves and reap all of the financial benefits. In
the general market for software and hardware development, research and
development secrecy is an expected part of our capitalist economy. In
the national cybersecurity arena, however, failure to share information
may result in our information infrastructure being more vulnerable to
cyber attacks. It is imperative to national security that the
technology sector shares the information that will protect our
information infrastructure. It is equally imperative that the Members
of Congress pass legislation that promotes information sharing while
protecting the intellectual property of our technology companies.
In order for innovations to be shared the innovations must be
developed. The research and development aspect of national
cybersecurity must be fostered to protect our homeland. As the
capabilities of the Internet and the remainder of our information
infrastructure expands, so too do the capabilities of cyber-terrorists.
The complexity of recent computer viruses and the speed with which they
spread across our information infrastructure illustrates the formidable
task our country faces combating cyber-terrorists. Developing the
technologies to counter cyber attacks will be an on-going endeavor.
Each advancement in computer technology will bring advancements in the
capabilities of cyber-terrorists. New technological defense methods
will be required through research and development in order to
adequately protect our information infrastructure.
Research and development will also be needed to detect and
apprehend those responsible for cyber-terrorist attacks. The nature of
the information infrastructure allows criminal actors to operate
anonymously. Often the perpetrators of cyber-crimes are not located and
are left free to attack our information infrastructure again in the
future. If America's cyberspace is to be protected we must be able to
locate the perpetrators of cyber-attacks and also develop intelligence
methods to detect attacks before they occur. Our national research and
development efforts will also be critical to stopping cyber-crimes
before they occur.
Mr. Chairman and Mr. Speaker, the task before this Subcommittee is
great. Achieving full cybersecurity for our Nation's critical
information infrastructure is important for the full operation of our
education system, federal, state, and local governments, our financial
system, our travel system and every other segment of our society. The
Internet has become an integral portion of the daily operation of all
of these segments. One successful cyber-attack could have devastating
consequences. I look forward to hearing the testimony of our witnesses
today, and I thank them for their attendance. I hope that their wisdom
will bring us closer to securing our information infrastructure.
Mr. Thornberry. The Chair thanks the gentleman, and would
also join in thanking the Congressional Research Service, Eric
Ficsher and his staff, and the folks who participated in
yesterday's workshop. It really was an outstanding group.
Now, again let me thank each of our witnesses for taking
time to be with us today. We will first hear from Dr. Shankar
Sastry, Chairman of the Department of Electrical Engineering
and Computer Science from the University of California at
Berkley. Thank you for being with us today, sir. And you are
recognized for 5 minutes.
STATEMENT OF S. SHANKAR SASRY, PH.D., CHAIRMAN, DEPARTMENT OF
ELECTRIC ENGINEERING AND COMPUTER SYSTEMS, UNIVERSITY OF
CALIFORNIA, BERKELEY
Mr. Sastry. Thank you very much, honorable Chairman
Thornberry, honorable Ranking Member Lofgren, and distinguished
members of the Subcommittee on Cybersecurity, Science, and
Research. Thank you very much for the opportunity to testify
today.
I would like to testify about areas for investment in
cybersecurity, science, research and development, some priority
areas for funding, and the role of university, industry, the
venture community, and government partnerships in bringing
secure and trusted systems to the marketplace.
By way of background, I should say that I served as
Director of the Information Technology Office at DARPA from
September 1999 to February 2001. My areas of research are in
embedded and autonomous software, complex infrastructure
systems, and secure network embedded systems.
Let me start with my perceptions of the current funding of
cybersecurity research. The most sustained funding for
cybersecurity research to date has been through the Department
of Defense. In DOD, the largest pool for funding for research
has been through DARPA, though there have been some important
research initiatives also through the National Security Agency.
The programs have been in three generations. The first
generation is to prevent intrusions, and there have been a
number of successes that have come out of this, including
several sets of cryptographic tools, access control, and
multiple levels of security.
In the second generation, if intrusions happen, how does
one detect them and how does one limit damage? Examples of
successful products that came out of this: firewalls, boundary
controllers, intrusion detection systems, virtual private
networks, and a public key infrastructure.
In the third generation, which we are now in the midst of,
the goal is to operate through attacks. And these goals are
intrusion tolerance and graceful degradation. In my opinion,
this is the space that we need to be in to be able to have
critical infrastructure systems that can weather attacks.
From its high watermark of close to $100 million of
research funding per year for information assurance and
survivability research, IA&S, in 2000 the funding for
unclassified IA&S research has decreased significantly in the
following years. While it is understandable that there are
important other priorities in DOD for more focused efforts on
command and control networks and other sensitive DOD networks,
I feel that, given the scope and magnitude of research that
remains to be done, it is critical that the burden of
supporting cybersecurity research be picked up by other
agencies.
Of course, I also feel that, given the newest generations
of manned and unmanned and autonomous systems in the DOD such
as the UCAV and in Future Combat Systems and so on, it would
also be in the interest of DOD not to scale back its
unclassified programs a great deal.
The National Science Foundation. I feel the NSF has been
proactive in taking steps to boost funding for cybersecurity
research by setting up new programs in trusted computing, and
in secure network embedded systems, which is under planning,
networking research, and more recently test beds for
cybersecurity.
Department of Homeland Security. It is our understanding
that the Science and Technology Directorate is planning an
initiative in cybersecurity and is organizing program
management structures for cybersecurity research centers. The
Congress and the administration should be lauded for having
taken the visionary step of having formed the Homeland Security
Advanced Research Projects Agency, HSARPA, along the DARPA
model. In addition, I feel that the idea of having HSARPA work
with procurement and operational branches of the DHS to
evangelize the adoption of new cyber secure software and
systems is a very attractive one. If such a model was
successful, it would be useful in reforming possible changes in
procurement and operational concept transformation in DOD as
well. The community has felt a great deal of enthusiasm about
this potential outcome. The outcome we feel would be best
achieved if the research centralized in the S&T Directorate at
HSARPA interacted directly with the procurement and operational
needs of the IAIP, Border and Transportation Security, and the
Emergency Preparedness Directorates.
However, a necessary condition for an outcome is an
adequate outlay of funds for research and development coupled
with acquisitions. In my opinion, the level of investment needs
to be somewhere in the range of 100 to $200 million per year,
and we base this number on a road map for research and
cybersecurity which we have developed and is present in the
full testimony. In the interest of time, I will just talk a
little bit about a few highlights of the funding gaps in
research priorities for cybersecurity.
The technology needs may be classed into the following
categories: unsolved difficult research problems and
information assurance and survivability--and a number of these
are taken from the so-called Infotech Research Council hard
problems list, and they are listed in my testimony.
The second one is about technologies for strong security
with strong privacy. The technology needs for strong privacy
are completely compatible with the technology needs for strong
security. So some examples are selective revelation, where the
goal is to minimize revelation of personal data while
facilitating analysis through the approach of partial
incremental revelation of data. Others include strong audit.
And also, rule processing technologies for checking compliance
with privacy rules.
In addition, I feel that the emerging infrastructure of the
future will be based on wired and wireless network devices
ubiquitously embedded in the environment to provide so-called
sensor webs of information for monitoring and controlling
infrastructure. We need to take steps today to start securing
them.
And, finally, the last set of problems comes in under the
title of validated modeling, simulation and visualization of
critical infrastructures and their interdependencies.
Mr. Chairman, am I out of time? Or--.
Mr. Thornberry. The gentleman's 5 minutes has expired. The
Chair is somewhat lenient with time, however. The gentleman may
proceed and conclude his remarks.
Mr. Sastry. Thank you very much, Mr. Chairman. Perhaps in
the interest of time, let me sort of say--to go to the last
part of my testimony and talk a little bit about a model for
public-private partnerships for rapid technology transfer in
cybersecurity.
I think there is clearly a need for cybersecurity research
and development, but even more immediate and pressing is the
need for transitioning this. The most common complaints that
one hears from vendors and service providers are as follows: No
one pays for security. Will the Federal Government play the
role of market maker in the early adoption of security
products? Is there sufficient demand to stimulate new companies
around new ideas in cybersecurity? Who will provide road maps
to help the investment by established companies and the venture
community in cybersecurity products?
So a fundamental organizational problem that exists today
is the lack of mechanisms for filling in the gap between the
end of successful Federal projects. And I feel that a lot of
the Federal investment to date has indeed been a success, but
there is a problem in transitioning from the end of a
successful Federal project to the venture community and
industry in the form of products.
Research prototypes need to be hardened, tested on large-
scale test beds, informed and customized by the customer base
before we get these into the marketplace. And I feel that the
role of public-private partnerships and perhaps the nonprofit
sector is in filling this gap between the end of a successful
research program and industry and venture update.
And let me just conclude by saying that there are exemplars
of successful such partnerships which have been formed by the
legislation of this Congress, and so those are in the
semiconductor industry. In the semiconductor industry, both the
SIA, the Semiconductor Industry Association, and the SRC, the
Semiconductor Research Consortium, have facilitated both the
funding of rapidly transitioned research to the semiconductor
industry and led the continual development of road maps for the
electronics industry. DOD funding, both from OSD and DARPA from
the earliest days of this research, has been instrumental in
maintaining a strategic national component both for
competitiveness as well as for maintaining U.S. superiority in
a vital sector.
My own sense is that nonprofits are the same ilk as the SIA
and SRC. With the same kind of partnership, DHS and DOD could
play an important role in developing a mechanism for rapid
transition of focused research and road mapping for industry in
the investment community.
Thank you very much, Mr. Chairman, for your indulgence.
Thank you very much for the opportunity to testify. We are
really delighted as a community to see your attention to all of
these important issues. Thank you very much.
[The statement of Dr. Sastry follows:]
PREPARED STATEMENT OF DR. SHANKAR SASTRY
Honorable Chairman Thornberry, Honorable Ranking Member Lofgren,
and members of the subcommittee on Cybersecurity, Science, and
Research, thank you for the opportunity to testify today, regarding
areas for investment in cybersecurity research and development,
priority areas for funding, and the role of university-industry-
venture-government partnerships in bringing secure and trusted systems
to the market place. By way of background, I should say that I am
currently the Chairman of Electrical Engineering and Computer Sciences
at the University of California, Berkeley where I have been a professor
for over 20 years. I have also served on the faculties of the
Massachusetts Institute of Technology (1980-1982), where I began my
academic career as an Assistant Professor, and Harvard University where
I was a Gordon Mc Kay chaired professor in 1993-1994. From November
1999 to March 2001, I served as the Director of the Information
Technology Office (ITO) of the Defense Advanced Research Projects
Agency (DARPA) in the DoD. The responsibilities of this office included
planning and managing the investment in all areas of information
technology, including the information assurance and survivability
portfolio of programs. My areas of research are embedded and autonomous
systems and software, complex infrastructure systems, secure networked
embedded systems, and high confidence systems and software. I have
recently led the organization of a collaborative multi-university
cybersecurity research consortium named, and a testbed for network
defense called the national cyber Defense Technology Experimental
Research network (DETER).
To answer the questions asked by you, I will divide my testimony into
the following areas:
1. Current Funding of Cybersecurity Research,
2. Research Gaps and Funding Priorities for Cybersecurity
Research,
3. A collaborative university research program in Ubiquitous
Secure Technologies led by Berkeley partnered with Stanford,
Cornell, Vanderbilt, Carnegie Mellon, and San Jose State
Universities, and Smith College,
4. Testbeds for Cybersecurity,.
5. A model for public-private partnerships for rapid technology
transfer in Cybersecurity
1 Current Funding of Cybersecurity Research
There has been Federal funding of Cybersecurity research thus far
primarily by the Department of Defense and the National Science
Foundation, though there has also been some research funded by NIST,
Department of Energy and NASA as well. The community has followed with
interest the testimony given by the DARPA Director, the NSF Director
and Undersecretary for Science and Technology at DHS to the House
Science Committee. The community feels grateful to the House Science
Committee, its staff and its Chairman, the Honorable Mr. Bohlert, as
well as this Subcommittee on Cybersecurity, Science and Research and
Development, its Chairman, the honorable Mr. Thornberry and ranking
member the Honorable Ms. Lofgren for their close attention to the needs
of cybersecurity research. I will limit my own remarks to the
perceptions of the community and also my own experience with helping to
manage the cybersecurity portfolio at DARPA.
Department of Defense. The most sustained funding for cybersecurity
research to date has been through DoD. In DoD, the largest pool of
funding for research has been through DARPA, though there have been
important research initiatives that have been managed by the National
Security Agency. Some very important University Research Initiatives in
Critical Infrastructure Protection (CIP-URI) were funded through DDR&E
as five-year programs primarily in 2001. Modest 6.1 core programs in
cybersecurity research at AFOSR, ARO and ONR also exist. The
Information Assurance and Survivability (IA&S) programs at DARPA are
the largest and most successful Federal investment to date. This suite
of programs has gone through three generations listed below with some
exemplars of successful outcomes:
1. 1st Generation (Prevent Intrusions): Trusted Computing Base,
Access Control, Cryptographic Tools, Multiple Levels of
Security
2. 2nd Generation (Detect Intrusions, Limit Damage): Firewalls,
Boundary Controllers, Intrusion Detection Systems, Virtual
Private Networks, Public Key Infrastructure
3. 3rd Generation (Operate Through Attacks) Goals are Intrusion
Tolerance, Graceful Degradation, Big Board View of Attacks,
Security Tradeoffs and Metrics, and hardening of the core
infrastructure.
The first generation was aimed at preventing intrusions as much as
possible, the second generation with detecting intrusions when they
occur and limiting the amount of damage that they cause. The third
generation of programs, which is most critical to critical
infrastructure protection, consists of developing the ability to
operate through attacks without failing catastrophically. A very large
number of existing security solutions were developed by companies
either as spin-offs of DARPA research or as an integral part of DARPA
research programs in Generations 1 and 2. We are currently in the 3rd
generation of programs and a research and development base has been
energized to address what remain as difficult technical problems in
IA&S. From its high watermark of close to $ 100M of funding for IA&S in
2000, the funding for unclassified IA&S research at DARPA has decreased
significantly in following years. The DARPA investment has also had the
extremely desirable effect of involving the Service Laboratories (such
as AFRL and Navy SPAWAR), and the services operational commands in
bringing their requirements to the community. While it is
understandable that there are other important priorities in the DoD for
more focused efforts in IA&S for command and control and other
sensitive DoD networks, given the scope and magnitude of research that
remains to be done in cybersecurity, it is critical that the burden of
supporting cybersecurity research be picked up by other agencies. In
addition, given the important strategic nature of IA&S research for new
and emerging DoD systems, including the newest generations of unmanned
and autonomous systems (such as the UCAV and in Future Combat Systems),
it would not be in the interests of DoD to scale back its unclassified
programs a great deal.
National Science Foundation NSF has been proactive in taking steps to
boost funding for cybersecurity research by setting up new programs in
Trusted Computing and in Secure Network Embedded Systems (under
planning), networking research, and testbeds for cybersecurity. These
investments, primarily in the Directorate of Computer and Information
Science and Engineering (CISE) have been timely and strategic.
Nonetheless it is the perception of the community that the level of
funding for cybersecurity and Critical Infrastructure Protection could
be greater. A point about the synergy between funding between DARPA and
NSF is in order here. From the early days of networking when NSF picked
up the ARPA net and helped fund it while it grew into the modern
Internet, and early DARPA funding on high performance computing was
sustained by NSF funding, there has been a rich legacy of cooperation
in funding information technology research between the two agencies on
Fairfax Avenue in Arlington, Virginia. It would be extremely desirable
to have this synergistic relation continue in the area of
cybersecurity.
Department of Homeland Security. It is our understanding that the
Science and Technology Directorate of DHS is planning its initiative in
cybersecurity and is organizing program management structures for
cybersecurity research centers. The Congress and the administration
should be lauded for having taken the visionary step of having formed
the Homeland Security Research Projects Agency along the DARPA model.
In addition, the idea of having HSARPA work along with procurement and
operational branches of the DHS to evangelize the adoption of new
cybersecure software and systems is a very attractive one. Such a
model, if successful, would be very useful in informing possible
changes in procurement and operational concept transformation at the
DoD as well. The community has felt a great deal of enthusiasm about
this potential outcome. The outcome would be best achieved if research
centralized in the Science and Technology Directorate, at HSARPA,
interacted directly with the procurement and the operational needs of
each of the Information Analysis and Infrastructure Protection (IAIP),
Border and Transportation Security, and the Emergency Preparedness
Directorates. There are some synergies to be gained for example by
engaging with the research needs of the National Communication Systems,
with road-mapping activities for cybersecurity, or by using secure
sensor webs for border patrol and monitoring programs
However, a necessary condition for such an outcome is an adequate
outlay of funds for basic research and development coupled with
acquisitions. In my opinion the level of investment needs to be
somewhere in the range of $100-200 M per year. I base this number on a
roadmap for research in cybersecurity, which we have developed (details
are included in the next section of this testimony). I feel that the
DARPA model is an especially appropriate model for funding research and
development in cybersecurity. Once again HSARPA may wish to involve
groups in the other directorates the way DARPA involves service
laboratories and commands as ``agents'' for contracting the work and
thereby helping the transition of research into products. Thus, one
could view customers in the IAIP Directorate helping program managers
in HSARPA shape the programs for their needs. While HSARPA will need to
have programs that have short term and intermediate term payoff, one
can visualize the role of the NSF in helping HSARPA as an executive
agent in its early years while it is being fully configured. In the
steady state a relationship between HSARPA and NSF along the lines of
the DARPA-NSF model would be highly desirable, with NSF providing
longer term sustained funding.
Other Agency Funding for Cybersecurity. Since the needs of different
mission agencies in cybersecurity are somewhat different it would be
important to have funding from NASA, DoE, and other mission agencies
for their own needs. Additionally the role of the National Institute of
Standards and Technology (NIST) could be an important one in managing
testbeds, whetting and developing cybersecurity standards and best
practices. NIST has also been an important executive agent for managing
DoD programs and could continue to do so for DHS.
2 Funding Gaps and Research Priorities for Cybersecurity
The technology recommendations for suggested areas of funding
given here were developed by a group of researchers, industry
participants and the venture community over the last two years
in a series of workshops, meeting and studies:
1. 25th June 2002, Meeting with a large sample of participants
from Venture firms, DoD; OSD, DARPA, ONR, NSA, the President's
Critical Infrastructure Protection Board, large industry
participants such as IBM, HP, Oracle, Symantec, Microsoft,
Intel, non profits such as SRI, I3P, hosted by me in Palo Alto
2. 18th September 2002, Meeting with industry leaders and Mr.
Richard Clarke Head of the President's Cyber Security
Protection Board on the details of the Presidential
Cybersecurity Plan held at Palo Alto.
3. 19-20 September 2002. Sztipanovits (Vanderbilt), Stankovic
(Virginia), and I ran the NSF/OSTP workshop on New Technologies
for Critical Infrastructure Protection and Cybersecurity in
Leesburg, Virginia with technology recommendations for the
White House Office of Science Technology and Policy. OSTP
report of this workshop will be released shortly.
4. October 7-8 Workshop on Testbeds for Security, Squires
(Chief Scientist of HP) led a meeting on networking research
testbeds.
5. August 2001, NSF Workshop on New Directions in Security,
Doug Tygar, Berkeley
6. August 2002, DARPA Information Sciences and Technology study
on Security with Privacy, Doug Tygar.
While the whole list of participants is too long to list, I would
especially like to acknowledge the help of former colleagues at DARPA,
Terry Benzel, Doug Tygar, and Ruzena Bajcsy of the University of
California Berkeley, Janos Sztipanovits of Vanderbilt University, Jack
Stankovic of the University of Virginia, Teresa Lunt of PARC (formerly
Xerox PARC), Pat Lincoln and Victoria Stavridou of SRI, Patrick Scaglia
and Steven Squires of HP, Robert Morris of IBM, David Tennenhouse of
Intel, Jerry Fiedler of Windriver Systems for their help in developing
these recommendations.
Computer trustworthiness continues to increase in importance as a
pressing scientific, economic, and social problem. The last decade has
seen a rapid increase in computer security attacks at all levels, as
more individuals connect to common networks and as motivations and
means to conduct sophisticated attacks increase. In today's environment
there is heightened awareness of the threat of well-funded professional
cyber hackers and the potential for nation-state sponsored cyber
warfare. Cyber attacks are increasingly motivated by the financial gain
and global politics. A parallel and accelerating trend of the last
decade has been the rapidly growing integration role of computing and
communication in critical infrastructure systems, such as financial,
energy distribution, telecommunication and transportation, which now
have complex interdependencies rooted in information technologies.
These overlapping and interacting trends force us to recognize that
trustworthiness of our computer systems is not an IT issue anymore; it
has a direct and immediate impact on our critical infrastructure.
Security is often a collective enterprise, with complicated
interdependencies and composition issues among a variety of
participants. This poses a challenge for traditional competitive
economic models. Clearly there is an acute need for developing much
deeper understanding of and scientific foundation for analyzing the
interaction between cyber security, critical infrastructure systems and
economic policy.
The fundamentals of reliable infrastructure have not been adequately
worked out for complex networks of highly interacting subsystems, such
as the power grid and the airspace-aircraft environment. These are
complex, often dynamically reconfigured, networks. The primary
challenge for future generations of these systems is to provide
increasingly higher efficiency, while assuring joint physical and
logical containment of adverse effects. Increasingly, autonomous but
cooperative action is demanded of constituent elements. Examples
include the technology needed to support aircraft in high-capacity
airspace, enabling the execution of parallel landing patterns under
terminal area control. A deregulated power grid draws new market
participants. These new players may produce highly variable efficiency,
potentially adverse environmental effects, and they may pose hazards to
system-wide stability. This trend towards autonomous, cooperative
action will continue, with the demands of current and next-generation
systems for open, interoperating, and cooperating systems. The
achievement of a satisfactory level of interoperable functionality is
both enabled by, and dependent upon, advances in information and
control infrastructure for coordinated operation. Furthermore, entirely
new capabilities, such as networks of devices for pervasive sensing and
actuation are becoming viable, and the control and communication
technologies for their effective use must be fully developed and
integrated into distributed infrastructure systems.
Although reference frequently is made to the next generation of
technologies as ``intelligent agent'' systems or self-healing or self-
reconfiguring or autonomic systems, this terminology conceals a complex
of carefully integrated systems and software concerns. There is no
panacea; services must be carefully engineered from the ground up in
order to safely support a facade of highly autonomous action. Advances
in software and information technology have improved the potential for
a better substrate for future, more reliable infrastructures. The
technology needs may be classed into the following categories:
1. Unsolved Difficult Research Problems in Information Assurance and
Survivability. The areas of research highlighted here are:
a. Intrusion and Misuse Detection: methods need to be
automatic, predictive, have a low false alarm rate, and
possibly identify the adversary.
b. Intrusion and Misuse Response: methods should provide a
shared situational awareness, automatic attack assessment, a
dynamic reconfiguration of the system and possibly an automated
counter attack.
c. Security of foreign and malicious code: desired attributes
for systems that protect against malicious mobile code include
confinement of access and capability and encapsulation of the
code.
d. Controlled sharing of information: the ability to
dynamically authorize the sharing of information and automated
data tagging.
e. Distributed Denial of Service (DDoS) and Worm Defense:
solutions are needed for modeling, measurement and analysis of
attacks, detection of the attacks, attribution, dissipation of
the attack, and possible retribution.
f. Secure Wireless Communications
g. New and Emerging Challenges
i. Peer to peer computing
ii. Security in ubiquitous and nomadic computers
iii. Human factors and ergonomics in security
iv. Networks surveillance and hygiene
v. Insider threat detection, monitoring and response
2. Technologies for Strong Security with Strong Privacy
a. Selective Revelation: the goal here is to minimize
revelation of personal data while facilitating analysis through
the approach of partial, incremental revelation of data.
b. Strong Audit: the goal here is to protect abuse by watching
the watchers: everyone is subject to audit, there is cross-
organizational audit, and usage records are tamper proof.
Possible new technologies include encrypted searches and
crypto-protocols.
c. Rule processing technologies: there is need for a formal
language for expressing privacy rules and tools for automated
checking of compliance, a privacy toolbar for helping users. A
related technology is the one needed for digital rights
management
3. Secure Network Embedded Systems. The emerging infrastructure of the
future will be based on wired and wireless networked devices
ubiquitously embedded in the environment to provide ``sensor-webs'' of
information for monitoring and controlling infrastructure networks. The
embedded software, which will be present in these complex systems,
needs to have the following attributes:
a. Automated Design, Verification and Correctness by
Construction. A large number of infrastructures suffer from
being difficult to configure correctly and the resulting
glitches are frequently as serious as cyber attacks. In
addition they need to be fault tolerant: such systems are
referred to as High Confidence Systems.
b. Layered Security for Embedded Systems: the defenses need to
be in depth to protect from attacks from the physical layer up
through the applications layer:
i. Physical Layer: protection from attacks like jamming
and tampering
ii. Link Layer: protection from unfairness and over
frequent collisions of packets
iii. Networks and Routing Layer: protects from attacks
due to greed, homing, misdirection and black holes.
iv. Transport Layer protection from attacks such as
flooding and desynchronization.
4. Validated Modeling, Simulation and Visualization of Critical
Infrastructures and their Interdependencies
a. Tools for the assessment of the level of risk
b. New modeling and simulation tools for complex systems
c. Development of simulation testbeds for teaming exercises,
response preparation and assessment.
3 A Collaborative University Research Program in Ubiquitous Secure
Technology
Here I describe a sample collaborative university research program that
is focused at research problems in many of the areas described above.
It is important to note that activities of this scale need to be
engaged in by the scientific community in groups rather than as
individual institutions. At Berkeley we have found it important to
build such partnerships and consortia for research and development. We
have put together a team of some of the strongest research universities
led by Berkeley and including Stanford University, Vanderbilt
University, Cornell University, Carnegie Mellon University, along with
San Jose State University, Smith College, Fiske University to develop a
Team for Research in Ubiquitous Secure Technology (TRUST) to radically
transform the ability of organizations (software vendors, operators,
local and federal agencies) to design, build, and operate trustworthy
information systems for our critical infrastructure. TRUST will bring
together a research team with proven track record in relevant areas of
computer security, systems modeling and analysis, software technology,
economics, and social sciences. The research team will be advised and
supported by vendors of information technology and critical
infrastructure (utility, telecommunication, finance, and
transportation) protection providers and stakeholders.
3.1 Technical Research Program
Our multidisciplinary approach allows solutions to emerge from an
integrated of view of computer security; software technology, analysis
of complex interacting systems, and economic policy in the following
areas:
Composition and computer security--Computer security attacks today
occur on a minute-by-minute basis. Organizations producing individual
components, such as routers or central office switches, have
increasingly devoted energy to protecting those components against
attack. However, protection of individual components does not always
result in protection of the entire systems: different machines and
different systems running on a single network often have complex
interdependencies--and a malicious attacker can exploit those
interdependencies for example in denial of service attacks, inter-
machine authentication failures, and routing disruptions. Attackers can
attack systems where different software programs must interact on a
single operating system (examples include e-mail with attachments
leading to e-mail worms, buffer-overflow problems caused by unexpected
use of software function libraries, and windowing systems displaying
bogus, malicious systems messages.) Modularization can increase the
problem: when common IT components are integrated with specialized
applications and embedded systems, deep knowledge of the underlying
computational model is needed to avoid vulnerability. TRUST will bring
together an integrated scientific approach to composition and computer
security.
Privacy--As a large amount of commercial and communication activity has
moved to the Internet and World Wide Web, privacy concerns have
increased both for individual users and organizations. Users perceive
they have little control over information, and often those perceptions
are correct--organizations are unable to accurately describe policy
procedures and privacy-information crimes such as identity theft have
increased sharply. Even disclosure of apparently innocuous information,
such as an e-mail address, leads to unsavory activities, such as spam,
which in turn can grow to a magnitude that can cause systemic problems.
Organizations also have a need for privacy--not only to protect their
customers, but also in cross-organizational exchanges including
auctions and communications. Privacy is a challenging problem because
when information is shared (laterally, between organization, or
vertically, between different subsystems) each of the individual
components involved in the sharing, the mechanism for sharing, and the
consequences of the sharing, all present opportunities for invading
privacy. Issues related to privacy emerge as a result of interaction
between technology and economic policy, such as in online bidding on
energy markets or dynamic allocation of the frequency spectrum. To
tackle privacy, TRUST will develop solutions to the complex tradeoff
between technology, economic policy and security. This will require a
new look at the fundamental underpinnings of information management,
storage, and retrieval.
Critical infrastructure protection--Critical infrastructure systems are
large networks that move energy, information and material. Information
technology is used to monitor, control and manage these systems by
means of vast networks of computing equipment. Faults caused by natural
disasters or malicious attacks can cause these networks to completely
fail, leading to widespread damage. Critical infrastructure protection
requires making systems that are highly robust and available in the
presence of hostile attacks. TRUST will approach computer security from
a holistic systems view, considering a union of concerns including
physical design, performance, power consumption, reliability and
others. For example, we don't just consider secure and highly available
communication between sensor devices and SCADA (Supervisory Control And
Data Acquisition) centers, TRUST will consider the potential impact of
feasible security attacks on the power distribution network, and the
impact of signal encryption on feedback control loops. Anecdotal
evidence and the findings of more systematic red team activities such
as the Joint Chiefs' Eligible Receiver program, strongly suggest that
the United States is highly vulnerable to attacks on its critical
infrastructure--including key utilities (gas, water, and energy),
communications services, finance, transportation, medical coordination,
government services, and emergency services. Even in a single
organization, such as a national telecom service provider, critical
infrastructure protection is difficult, because these systems are
highly complex and involve so many components that even their designers
cannot understand all the interactions. The interaction of different
critical infrastructure systems, and their interaction with public
(critical or non-critical) systems, creates complex dependencies and
control paths. Today, we have no good way of detecting these
interdependencies, although hackers have proven themselves highly
capable of finding attack opportunities and exploiting subtle
vulnerabilities.
TRUST will take a systems view which raises a broad set of trust
questions: they range from protecting individual privacy to protecting
large complex interacting critical infrastructure, from embedded
systems to networks, and they have a strong focus on security problems
arising from composition. Not only is a large effort necessary to take
the broad view--and to anchor this view in the context of large-scale
operational environments - but this work requires strength from a wide
variety of disciplines both inside computer science (cryptography,
programming languages, distributed systems, networking, human-computer
interfaces, logic and model checking, configuration, software
engineering, etc.) and outside computer science (economics, policy,
law, statistics).
3.2 Economics, Public Policy, Societal Challenges
Solutions to today's problems are an essential requirement to
fulfilling the vision of ubiquitous computing. Many of today's security
vulnerabilities in networked embedded systems and SCADA are very
specialized and hence visible to only a few. However, as society
increasingly employs the use of software agents to control and organize
multiple aspects of day-to-day life these security vulnerabilities will
become impediments to their widespread adoption. A vision for the
future of information technology in society, implies that the presence
of ubiquitous computing will bring with it access to interfaces that
will become part of every day interchange for a wide class of citizens.
Investigations need to be directed so as to lend maximum benefit to
social questions such as those in the area of economics and incentives.
These are particularly pressing as questions of liability and insurance
are moved up in the nations business and legislative agenda. Issues of
liability have become an important topic given the cost of security
incidents. Economic and legal analysis suggests that a due care
standard provides appropriate incentives, but how should the standard
be set in practice? Without a clear understanding of sufficient
standards or best practices, insurance companies do not have a clear
basis on which to offer insurance policies covering security incidents.
The interaction between liability, insurance, and care has been
examined extensively in the law and economics literature. However, new
questions that arise in the context of information security as
"accidents" are often deliberate attacks. Hence an analysis of the
incentive of attackers must be better understood and modeled. In
addition to these incentive problems, there are also a number of purely
economic issues that need to be better understood. How can one quantify
the benefits and costs from various security policies? How do public
and private security policies interact? What are the nature and size of
``transactions costs'' associated with security? TRUST will address
these questions in the course of our effort. It is anticipated that the
research results will provide a solid basis for the establishment of
policies, procedures and eventually case law for industry and
government in managing the risk of computer security incidents.
3.3 Education and Outreach
American prosperity in the new millennium and increasing national
security concerns make it important to increase the number of students
who will join the nation's technical enterprise as researchers. This is
crucial in the cyber security space as there is currently a severe
shortage of trained scientists (and almost no women and minorities) in
the information security field. Additional need arises from our
concerns about the ``weakest link'' of security. If even one user makes
a serious error, it can endanger all the systems connected to his or
her machines. We have a need to raise the level of security awareness
of all people who use computers and depend on their results--namely,
all citizens. TRUST brings a strong focus on educational outreach
activities through its members many activities. Educational activities
will be integrated with TRUST research, through graduate programs,
summer programs and directed research projects with under represented
educational institutions.
4 Testbed Research
As discussed earlier, over the past ten years,there has been an
increasing investment in research aimed at developing cyber security
technologies, by government agencies (NSF, DARPA, DoD) and by industry.
However, the Nation still lacks large-scale deployment of security
technology sufficient to protect our vital infrastructure. One
important reason is the lack of an experimental infrastructure for
developing and testing next-generation cyber security technology.
Neither existing research network infrastructures (Abilene, vBNS) nor
the operational Internet meet this need, due to the inherent risks of
testing malicious behavior in operational networks. New security
technologies have been tested and validated only in small- to medium-
scale private research laboratories, which are not representative of
large operational networks or of the portion of the Internet that might
be involved in a security attack.
To fill this critical gap, we will build an experimental infrastructure
network to support the development and demonstration of next-generation
information security technologies for cyber defense. This cyber Defense
Technology Experimental Research Network (DETER Network) funded jointly
by the National Science Foundation under its Networking Research
Program in Computer and Information Sciences and Engineering (CISE)
directorate and the DHS Science and Technology Office will provide the
necessary infrastructure networks, tools, methodologies and supporting
process--to support national-scale experimentation on emerging security
research and advanced development technologies. .
Once again, we at Berkeley have led in putting together a broad based
coalition of partners including the University of California Davis,
University of Southern California-Information Systems Institute,
Network Associates Laboratories, SRI, Menlo Park, the Pennsylvania
State University, Purdue University, Princeton University, University
of Utah, and industrial partners Juniper Networks, CISCO, Intel, IBM,
Microsoft, and HP. The DETER project will create, operate, and support
a researcher- and vendor-neutral experimental infrastructure that is
open to a wide community of users. Furthermore, the DETER project will
apply scientific benchmarks and measurements to both the creation of
the experimental infrastructure itself and to validation of the
experimental results. Two important defenses that we will develop on
this testbed are:
1. Distributed Denial of Service Attacks--One major objective of the
DETER network is to make scientific advancements in 1) understanding
the effects of sophisticated, large-scale DDoS attacks and 2) defending
against them. Techniques and software capable of disabling large
portions of the Internet for hours or days could be developed
relatively easily today by sophisticated hackers or nation states.
However, because such an attack has never been observed ``in the
wild'', the scientific and operational communities' understanding of
the underlying scientific phenomenon is at best fragmentary and
speculative. Internet infrastructure components that are pushed to
their limits by such attacks may exhibit non-linear or unstable
behaviors that diverge from predictions derived from models,
simulations, overlay networks, and scaled down demonstrations. As a
result, we cannot accurately predict the impact of a large-scale attack
on different points in the Internet topology. We plan to conduct
experiments to improve understanding of the scientific phenomenon of a
sophisticated large-scale DDoS attack. with special attention paid to
the following factors:
Detection--What kinds of DDoS attacks can the
mechanism detect, how accurately, and under what conditions?
Mitigation--What kinds of DDoS attacks can the
mechanism mitigate (via blocking or rate limiting), how
effectively, at which locations in the networks, and under what
conditions?
Autonomy vs. Coordination--To what extent does the
mechanism's effectiveness depend on deployment in multiple
locations with communication and coordination across locations,
and how effective can the mechanism be if such coordination is
not possible?
Collateral Damage--To what extent does the mechanism
impede benign traffic, and under what conditions, i.e., does it
do more harm than good?
2. Worm Defenses--Worms present a substantial and growing threat to the
Internet and to large government and commercial enterprise networks.
The recently released SQL Slammer (Sapphire) worm provided a stark
illustration of the dramatic speed and potential impact of a simple
worm, spreading to more than 75,000 hosts within ten minutes and
causing ATM failures, airline flight cancellations, and widespread
network outages. The DETER Network can play a crucial role in
supporting study of the behavior of these worms and evaluation of new
worm defense technologies. Worm behavior is currently only poorly
understood. Through testbed experimentation, researchers can study
different models of worm propagation (e.g., random scanning, target-
list, coordinated, hybrid) and their effects on propagation rates in a
realistic network environment. They can further study effects of the
network congestion caused by worm propagation through a large network,
determining how such congestion affects legitimate applications and the
worm itself as infection spreads.
5 A Model for Public-Private Partnerships for Rapid Technology Transfer
in Cybersecurity
The issues in transitioning cybersecurity research and development are
immediate and pressing. There has arguably been a market failure in
bringing cybersecurity technologies to the market. The most common
complaint that one hears from vendors and service providers run
something like: ``No one will pay for security.'' or ``Security is
every one's second most favorite priority'', or ``Security products
suffer from the paradox of the common good''. ``Will the Federal
government play the role of market maker in early adoption of secure
products?'' ``Is there sufficient demand to stimulate new companies
around new ideas in cyber-security'' ``Who will provide roadmaps to
help the investment by established companies and the venture community
in cyber-security products?'' However, there is reason to feel optimism
for change, provided that some steps are taken immediately. Experience
gained from the national response to the potential perils of the Y2K
conversion are worth revisiting in the context of cybersecurity, with
especial attention to the role of the mandatory SEC filings for
corporations to explain their Y2K strategy.
A critical issue for cybersecurity is the ability to quickly transition
products from the laboratory and the research community to industry. A
fundamental organizational problem that exists today is the lack of
mechanisms for filling in the gap between the end of a successful
Federal research program and the investment by the venture community
and industry in products. Research prototypes need to be hardened,
tested on large scale test beds, informed, customized and modified in
response to the needs of a diverse set of customers before they can
attract capital to allow them to be integrated into products. In
addition industry, especially systems integrators and the larger IT
companies would benefit from roadmaps informed by this technology
transition. The term public-private partnerships is used to describe
the need for cooperative arrangements among academia, industry, venture
capital, and government with individual stake holders in the
infrastructures to bring the newest products to the market place and
then to the infrastructure stake holders. It is important for the
research and development community to play a role in developing the
relevant non-profits and trade groups to pursue transfer of ubiquitous
secure technology. It is important for us to continue to hold focused
workshops and seminars on particular topics relating to infrastructure
protection and cyber-security. Research and Development will need to
learn and evolve with results, using an iterative investigate-develop-
educate-apply cycle. It is critical to develop science, technology and
proof of concept prototypes that will be tested through models that
emerge from a series of analytical and case studies, experimentation
and simulations. For example, through participation with the Secret
Service's New York City and San Francisco Electronic Crimes Task Force
it has been possible for the cybersecurity research community to
develop an understanding of the needs of cybersecurity for the
financial community.
A success story in public private partnerships, which has all the
hallmarks that would be desirable for cybersecurity, is in the area of
semiconductor manufacturing. The Semiconductor Industry Association
(SIA) and Semiconductor Research Consortium (SRC) are fine examples of
non-profit organizations, which have facilitated both the funding of
rapidly, transitioned research to the semi-conductor industry and led
the continual development of roadmaps for the electronics industry. DoD
funding, both from the OSD and DARPA, from the earliest days of this
research has been instrumental in maintaining a strategic national
component both for competitiveness and also for maintaining US
superiority in a vital industry sector. My own sense is that non-
profits of the same ilk as the SIA and SRC, with the same kind of
partnership with DHS and DoD, could play an important role for
developing both a mechanism for rapid transition of focused research
and road mapping for industry and the investment community. Once again,
I feel here that for strategic national security reasons that DoD
partner with DHS in co-funding such ventures.
6 Concluding Remarks
Thank you Mr. Chairman and Committee members for the opportunity to
provide this testimony to the House Subcommittee on Cybersecurity,
Science, Research and Development, of the Committee on Homeland
Security. We laud you for holding this very important set of hearings
and for engaging in a matter of deep national and homeland security.
The research community offers the Subcommittee our full support and
cooperation, and every success in your deliberations.
Mr. Thornberry. I thank the gentleman. And I neglected to
say at the outset that each of your full statements will be
made part of the record. And also, let me compliment each of
you on your full written statements, because they did a very
good job of directly addressing the questions in which this
subcommittee is interested, and I appreciate that very much.
Let me now turn to our next witness. Dr. Steve Bellovin is
a member of the National Academy of Engineering at the National
Research Council. He is also a technical leader and fellow from
AT&T Laboratory. Dr. Bellovin, thank you for being with us. And
you are now recognized for 5 minutes.
STATEMENT OF STEVEN BELLOVIN, PH.D., TECHNICAL LEADER AND
FELLOW, AT&T LABORATORY
Mr. Bellovin. Thank you, Mr. Chairman, Ms. Lofgren, and
members of the committee. I am delighted to come to help you.
I should add, one of my other roles, I am Security Area
Director for the Internet Engineering Task Force, which is the
group responsible for most of the standards used on the
Internet today.
We face a very serious cybersecurity problem. Usually we
can protect an individual high-value system, though it is hard.
I run my own personal computers as tightly as I know how to; in
the last 2 years, probably there were a dozen different ways
that, if someone sent me the right message at the right time,
they could have taken over this system. And this is run about
as tightly as anything can be and still be connected to public
networks.
We cannot protect all of the machines, and we simply don't
know how to. We don't even know what the magnitude of the
threat is even from ordinary hackers, let alone nation states
and possible cyber terrorists. The available data on what kinds
of attacks, on the number of attacks, is simply lacking. We
need more research to help us understand what is going on,
because you need different defenses against cyber terrorists
than you do against ordinary hackers.
Most of the security problems we see today are caused by
buggy software. Buggy software is probably the oldest unsolved
problem in computer science. I have no reason to think it is
going to be solved in my professional lifetime. If we design a
software correctly, though, we can restrict our attention to
the crucial pieces for security and probably get those rights.
Software reliability has improved. It is no longer unusual to
see a server that has been up for a year or more. But we have
to design software with that sort of division in mind. We know
somewhat of how to do that, but not nearly enough.
We need new mathematical formal frameworks for assessing
and measuring the security of a system. A locksmith can tell
you how long a safe can resist an attack with certain kinds of
tools. A computer scientist can't do the same.
Pure research on cryptography, basic research on
cryptography is probably not a priority. It is not that
cryptography is not important--I have done a lot of
cryptographic research myself--but we have far more science
there than we have currently applied. We need a great deal of
effort on technology transfer from the theoreticians to the
practitioners; and on engineering, taking the cryptographic
mechanisms and actually engineering them to be used on deployed
systems.
I would note that open standards are better for this
because they promote diversity. The lack of cyberdiversity,
like the lack of biodiversity, leaves us very vulnerable to a
single infection vector, a single attack vector. This is a very
serious issue in the computer industry today, because many
other trends push towards one source rather than many.
If we have all the security technologies, it is often too
hard to use. We need to do a lot of work on the human factors
of computer security. Most people don't configure the systems
securely because, frankly, it is too hard to do so. I find it
hard sometimes myself, and I am a professional in this field,
trying to understand some of the messages and prompts that I
get.
We need incentives for vendors to develop more secure
systems. That is, both security features and more reliable,
less buggy software. And we need incentives for end users to
use these secure systems and these secure features.
We need to improve systems administration. This isn't a
sexy area, but most actual penetrations are caused by failure
to apply available patches to correct known vulnerabilities. It
is once the patch comes out that most of the activity takes
place. Not always, but that is the large, vast majority of
system penetrations. But no responsible system administrator
will patch a production system without testing it. System
administration is not a prime area for research; it seems too
mundane. Nevertheless, if we can have better tools for
automating the administration, for testing systems, and, by the
way, for improving the resources available to system
administrators both in government and in industry, this has got
the potential for a very large payoff. This is some low-hanging
fruit.
Security also depends on authentication. Authentication is
a subtle business. It is hard to get right. If you get it
wrong, you may have a system failure, you also violate
individual privacy. It is important to pay attention to both of
these factors when designing systems.
There are no simple answers to the cybersecurity problem.
There is no one technology that is going to solve it for us.
There are a number of areas, however, that if we put in the
appropriate resources, I think we can make a lot of progress
and get systems not absolutely secure--there is no such thing--
but markedly more secure than they are today.
Thank you, Mr. Chairman, Ms. Lofgren, members of the
committee.
Mr. Thornberry. Thank you, Doctor.
[The statement of Mr. Bellovin follows:]
PREPARED STATEMENT OF MR. STEVEN M. BELLOVIN
Cybersecurity Research Needs
1. Introduction
It is quite clear that cybersecurity is vital to our nation's
safety. A wide variety of National Research Council reports, summarized
in Cybersecurity Today and Tomorrow--Pay Now or Pay Later [1], have
illustrated the threat in no uncertain terms.
Although there are things that the information technology
profession--software vendors, network operators, and end user sites--
can and should do today to improve computer security, the simple fact
is that there are limits on how good a job it can do. Even with
unlimited financial resources, and the best will, we could not do an
adequate job. Quite simply, we do not know how to mount an adequate
defense. It is usually possible to protect an arbitrary resource; it is
not currently possible to protect all critical resources.
2. Threats
The types of defenses that are necessary depend on the nature of
the likely attacker. Schemes that will keep out the stereotypical
``hacker''-- i.e., the bored teenager with too much time and too few
morals--are not very effective against a nation-state. The former
typically use tools downloaded from someone more competent; the latter
could develop its own custom tools, and combine them with physical
world techniques such as ``the three B--bribery, blackmail, and
burglary''--or terrorist attacks.
We do not have an adequate categorization of the threat model. Too
little research has been done on who launches what kind of attacks. It
isn't an easy thing to do; apart from the fact that most attacks are
never detected, many organizations are reluctant to disclose their
vulnerabilities. But we need to know the attackers' capabilities if we
are to devise adequate defenses.
3. Basic Research Questions
Most computer security problems are caused by buggy software [3].
It would be naive to assume that the problem was solvable now, when it
hasn't been solved despite efforts stretching for more than 50 years.
Nevertheless, we must continue to focus effort on it. If nothing else,
the need now is to solve a subtly different problem: making a small
subset of software correct, rather than software as a whole. We may be
able to achieve it; today's operating systems are far more reliable
than those used a generation ago.
However, if we are to focus our efforts on the critical software,
we must learn how to divide up systems appropriately. We have long
known how to do that for operating systems, but many of today's
problems come from faulty applications. More generally, we must learn
how to build secure systems from insecure components, just as we can
produce highly reliable computer systems from unreliable electronic
parts.
We need new formal frameworks for analyzing the security of a
system, and for specifying its security behavior. We do not have
adequate tools for understanding how ``strong'' a computer system is;
at best, we can say that some system can more or less Do certain things
reliably. By contrast, civil engineers can tell you how much weight a
bridge can hold, while locksmiths can tell you how long it will take to
break into a safe using a specified set of tools.
Formal, mathematical statements have proved to be powerful tools in
some areas of computer science. We need to be able to apply them to
computer security issues.
Although basic cryptographic research is important and should be
continued, it is not a high priority. As noted, most penetrations
cannot be prevented by cryptographic means. It is more important to do
a better job using the cryptographic science we have. Note that I say
this as one who has published more than a dozen cryptographic research
papers.
Most basic research work is done at universities. But it is not
possible to scale up the amount of basic security research very
quickly. There are not that many professors who are capable of doing
such work; there is a limit to how much money each one can profitably
use.
4. The Need for Engineering
Although, as noted, there is a need for more basic research, a
great deal of prior research has not yet been translated into practice.
For example, we have far more cryptographic science than we have
network protocols that use this science. We need to support technology
transfer to industry groups and standards organizations; we cannot
protect our infrastructure with theoretical constructs. (I note that
open standards are better; apart from the ``many eyes'' notion, with
open standards there can be multiple independent implementations of the
same function. The National Research Council noted that the lack of
diversity in platforms was a major risk factor [3].)
More subtly, much security technology is not employed because it's
too hard to use. We need research in the human factors of security
technology.
Assuming that industry does the necessary cryptographic and human
factors engineering, the results must be translated into practice. This
may require incentives for software vendors to develop the code, and
for end users to employ it.
As noted earlier, most security holes are due to buggy code. That
is bad enough; what is worse is that most penetrations exploit bugs for
which patches are available but have not yet been applied. The cause is
not laziness or incompetence by systems administrators; rather, it's
reflective of the immense difficulty of the systems administration
task. Patches have a higher bug rate than base code, and may thus be
more likely to create new security holes; beyond that, a remarkable
amount of code functions because of an implicit reliance on some
underlying bug that was present on the development systems. Fixing a
bug may, as a side-effect, disable essential applications. No
responsible systems administrator will install a patch on a production
system without extensive testing, but this behavior leaves the machine
vulnerable. We need research to solve this dilemma. Systems
administration is not a typical research topic; nevertheless, it is the
area with the biggest potential payoff for a relatively modest
investment.
It is worth noting that systems administration is often a high
stress, low status job. Administrators often struggle to perform basic
tasks because of inadequate resources. Measures to improve systems
administration, in industry and government, would likely have a
significant effect on practical computer security.
5. Privacy
Often, computer security depends on proper authentication of
authorized users. Authentication technologies, ranging from passwords
to biometrics, are subtle and difficult to use properly. Beyond simple
issues of correctness, any authentication technology can be used in
ways that violate personal privacy [2]. Both research on cybersecurity
and deployment of technology should protect privacy to the extent
feasible.
6. Conclusions
There are no simple answers to the problem of cybersecurity. What
is needed is a combination of basic research, technology transfer, and
applications of new and previously known techniques. We, as a nation,
cannot afford to neglect the issue.
References
[1] Computer Science and Telecommunication Board, editor. Cybersecurity
Today and Tomorrow--Pay Now or Pay Later. National Academies Press,
2002.
[2] Stephen T. Kent and Lynette I. Millett, editors. Who Goes There?:
Authentication Through the Lens of Privacy. National Academies Press,
2003.
[3] Fred B. Schneider, editor. Trust in Cyberspace. National Academies
Press, 1999.
Mr. Thornberry. There are several areas that you mentioned
we will certainly come back to in questions.
Finally, we have Mr. Dan Wolf, Director of Information
Assurance at the National Security Agency. Members will
remember that Mr. Wolf has helped us before. Really, the first
activity of this subcommittee was kind of a Members-only
workshop on cybersecurity which Mr. Wolf put on for us.
Welcome back, and we appreciate your being here. You are
now recognized for 5 minutes.
STATEMENT OF MR. DANIEL G. WOLF, INFORMATION ASSURANCE
DIRECTOR, NATIONAL SECURITY AGENCY
Mr. Wolf. Thank you, Chairman Thornberry, and members of
the subcommittee. My name is Daniel Wolf, and I am NSA's
Information assurance director.
NSA's Information Assurance Director is responsible for
providing information assurance technologies, services,
processes, and policies to protect national security
information systems. We are also responsible for conducting
research and development.
In regards to your theme for this hearing, Cybersecurity--
Getting It Right--
Mr. Thornberry. Excuse me, Mr. Wolf. Would you pull that
microphone just a little closer to you? Some of us are having
trouble hearing, including me. There you go. Thank you.
Mr. Wolf. In regards to your theme for this hearing,
``Cybersecurity--Getting It Right,'' I am not sure that NSA has
all the answers or we have always got it right, but I am quite
confident during our 50 years of deploying communications, and
now cybersecurity products, we have learned quite a few
lessons. Some people want to keep NSA in a box labeled ``for
classified information only.'' They say that NSA's perspective
is too narrowly focused on national security systems. However,
I believe quite to the contrary. It has been my experience that
there is little difference between the cybersecurity that is
required for a system processing top secret military
information and one that controls a segment of the Nation's
critical infrastructure.
The information management principle within the national
security community has always been the concept of need to know,
but the fundamental information principle for homeland security
is need to share. Because the threat always rolls downhill;
that is, our adversaries will always attack the weakest link.
Information must be protected across the entire system. A
three-sided castle is not very safe. The entire community must
share the same standards if we are to protect everyone on all
four sides of the castle.
Your invitation to this committee outlined a number of
areas where you wanted some specific comments and answers. The
first was in technical approaches to optimize cybersecurity. I
believe that the highest payoff for optimizing cybersecurity
would be creation of an interoperable authentication system
deployed widely throughout the Federal, national security,
first responder, and critical infrastructure community. This
authentication system also forms the basis for all of the other
cybersecurity services.
It is also important to note here that the most critical
infrastructures like this PKI should be built using U.S.
technology. I have concerns with foreign software, unknown
trust and quality, being integrated into critical U.S. systems.
My next priority to cybersecurity is effective border
protection. Just like our national borders or the perimeters of
our buildings, we need to protect our cyber borders. Effective
border protection includes many different technologies,
including firewalls, virtual private networks, high-assurance
guards, and of course intrusion detection.
It has also been estimated that over 90 percent of all
successful attacks on DOD systems are against known
vulnerabilities. System operators struggle to keep up with all
the patches that are issued each month. A system left unpatched
soon becomes a target like an unlocked sports car with the keys
in the ignition. Therefore, we need an automated patch
management system.
Your second question dealt with advanced technologies and
should they be pursued to outpace attacks. Today, most of the
information coordination during a cyber attack occurs at the
speed of humans. Code Red infected 50,000 machines in an hour.
We need the ability for networks to work together automatically
to weather such an attack.
Another significant research topic is attack attribution,
the capability to geolocate and identify the source of attacks.
Without confident knowledge of who and where an attack was
mounted, it is impossible to decide on the appropriate
response. A rapid and reliable capability that separates
nuisance hackers from more serious threats could increase the
overall effectiveness of every cybersecurity practitioner in
both the government and the private sector.
Areas needing higher priority and funding. There is little
coordinated effort today to develop tools and techniques to
effectively and efficiently examine either source or executable
software in large applications. We need a national software
assurance center to pull together representatives from
academia, industry, Federal Government, national labs, the
national security community, sharing techniques to solve this
growing threat. It could liken us to the Manhattan Project that
was mentioned earlier. This is a significant problem, I
believe.
In today's environment, the need is particularly acute for
ways to counter security vulnerabilities found in popular
commercial operating systems. While many of these
vulnerabilities can be fixed by properly configuring the
system, the goal is to configure these systems to be as secure
as possible right out of the box. I am happy to learn from your
last hearing that some equipment vendors are now offering the
security standards as the default configurations.
NSA, working with DISA, NIST, the NIPC, the former NIPC,
the FedCert, SANS, CIS, developed a set of consensus benchmark
security standards. These standards provide a sort of, if you
want to call it, preflight checklist of security settings. The
benchmark standards represent an effective model based on
agreement between and among security experts. NSA is proud to
be part of this project and will continue to support the
community in establishing security standards.
The fourth area was in the role of transfer among
government, academia, and industry. NSA requirements for
cybersecurity products for national security uses are identical
to the requirements found in other mission-critical systems;
for example, homeland security and a critical infrastructure
protection. We have developed a number of programs leveraging
commercial information technology. My written statement
provides the details, but let me just highlight a few of these
programs.
The National Information Assurance Partnership, or NIAP, is
a U.S. Government initiative designed to meet security testing,
evaluation, and assessment needs of both information technology
producers and consumers.
Another is the NSTISSP 11. This is a national security
community policy requiring the acquisition of information
assurance products that have been validated in accordance with
either common criteria or other approved methods.
Another is the Centers of Academic Excellence in
Information Assurance Education. This program promotes higher
education and information assurance, and produces a growing
number of professionals with IA expertise in various
disciplines. Fifteen universities have been designated as
centers of academic excellence to date. We need this type of
program for our workforce development. We must invest in our
future, our people's future.
And the next area is perspective on leveraging national
security standards for homeland security. The key to success
for protecting the homeland is secure interoperability. NSA has
created a number of secure interoperability standards for
national security use that are directly applicable for homeland
security and public safety. Some sectors are already adopting
these standards. If we are going to share information, these
things are extremely important.
In conclusion, it has been my pleasure to share the work of
my agency with the committee today. I believe that much of the
research and development initiated by NSA for use in the
national security community is directly transferrable to the
needs of homeland security. We must change our fundamental
assumptions from ``need to know'' to ``need to share.'' We must
share policies and processes across the community.
Cybersecurity products and technologies have been the focus of
my remarks today, but technology alone will never be good
enough to protect us. It is ultimately getting cybersecurity
right is more about what you do than what you buy.
Thank you for the opportunity to speak to you today.
[The statement of Mr. Wolf follows:]
PREPARED STATEMENT OF MR. DANIEL G. WOLF
Thank you Chairman Thornberry and the members of the Subcommittee.
I am honored to be here and pleased to have the opportunity to speak
with your committee to discuss cybersecurity research from the point of
view of the National Security Agency as we conduct our mission to
address threats to the security of critical U.S. Government information
systems.
I also would like to thank the Chairman and other members of the
Subcommittee for their strong interest and attention to this vital
area. In my opinion, your leadership is important for raising awareness
of the serious security challenges we all face in our age of
interconnected, inter-dependent digital information networks.
My Name is Daniel Wolf and I am NSA's Information Assurance
Director. NSA's Information Assurance Directorate is responsible for
providing information assurance technologies, services, processes and
policies that protect national security information systems. We are
also responsible for conducting the research and development of
information assurance technologies and systems.
I would like to note that NSA's Information Assurance Directorate
and its predecessor organizations have had technical and policymaking
responsibility regarding the protection of national security
telecommunications and information processing systems across the
Executive Branch since 1953.
In regards to your theme for this hearing: ``Cybersecurity--Getting
It Right.'' I am not sure that NSA has all of the answers or that we
always have gotten it right--but I am quite confident that during our
50 years of deploying communications and now cyber security products we
have learned quite a few lessons. We have had tremendous successes and
our share of failures. We also have gained a deep understanding and
respect for the challenges the nation must overcome to begin to tame
cyberspace.
Some in government and industry want to keep NSA in a box labeled
``for classified information only.'' They suggest that NSA's
perspective is much too narrow due to our focus on the stringent
requirements of national security systems. However, I believe quite the
contrary. It has been my experience--and my testimony will soon
address--that there is little difference between the cybersecurity that
is required for a system processing top-secret military information and
one that controls a segment of the nation's critical infrastructure.
Both systems require the element of assurance or trust. Trust that
the system was designed properly. Trust that it was independently
evaluated against a prescribed set of explicit security standards.
Trust that it will maintain proper operation during its lifetime, even
in the face of malicious attacks and human error. It has been my
experience that effective cybersecurity must be baked into information
systems starting at the R & D phase. Trust cannot be sprinkled over a
system after it is fielded.
Homeland security presents another reason to suggest that
cybersecurity requirements must converge. The information management
principle within the national security community has always been the
concept of need-to-know. But the fundamental information principle for
homeland security is need-to-share. With need-to-share we must develop
technical solutions for secure interoperability that may be called on
to tie top-secret intelligence systems to a local first responder
system.
Because the threat always rolls downhill, that is to say,
adversaries always attack the weakest link. Information must be
protected across the entire system. A three-sided castle is not very
safe. Therefore, I contend that in almost all cases the cybersecurity
requirements found in national security systems are identical to those
found in e-commerce systems or critical infrastructures. It follows
then that the research challenges, security features and development
models are also quite similar.
With these similarities in mind, NSA has been working hard to
converge these cybersecurity markets through a series of programs and
research initiatives. Our goal is to leverage our deep understanding of
cyber threat and vulnerability in a way that lets us harness the power
and innovation provided by the information technology industry. We
believe that the resulting cybersecurity solutions will protect all
critical cyber systems, regardless of the information they process.
I think it will be useful for me to provide a brief description of
NSA's cybersecurity responsibilities and authorities. I will then turn
to the specific questions you asked me to answer in your invitation.
NSA Information Assurance Background
When I began working at NSA some 36 years ago, the ``security''
business we were in was called Communications Security, or COMSEC. It
dealt almost exclusively with providing protection for classified
information against disclosure to unauthorized parties when that
information was being transmitted or broadcasted from point to point.
We accomplished this by building the most secure ``black boxes'' that
could be made, employing high-grade encryption to protect the
information. In the late 1970s, a new discipline we called Computer
Security, or COMPUSEC, developed. It was still focused on protecting
information from unauthorized disclosure, but it brought with it some
additional challenges and threats, e.g., the injection of malicious
code, or the theft of large amounts of data on magnetic media.
With the rapid convergence of communications and computing
technologies in the early 1980s and especially with the explosion of
the personal computer, we soon realized that dealing separately with
COMSEC on the one hand, and COMPUSEC on the other, was no longer
feasible, and so the business we were in became a blend of the two,
which we called Information Systems Security, or INFOSEC. The
fundamental thrust of INFOSEC continued to be providing protection
against unauthorized disclosure, or confidentiality, but it was no
longer the exclusive point of interest.
The biggest change came about when these computer systems started
to be interconnected into local and wide area networks, and eventually
to Internet Protocol Networks, both classified and unclassified. We
soon realized that in addition to confidentiality, we needed to provide
protection against unauthorized modification of information, or data
integrity. We also needed to protect against denial-of-service attacks
and to ensure data availability. Positive identification, or
authentication, of parties to an electronic transaction had been an
important security feature since the earliest days of COMSEC, but with
the emergence of large computer networks, data and transaction
authenticity became an even more important and challenging requirement.
Finally, in many types of network transactions it becomes very
important that parties to a transaction cannot deny their
participation, so that data or transaction non-repudiation joined the
growing list of security services often needed on networks.
Because the term ``security'' had been so closely associated, for
so long, with providing confidentiality to information, we adopted the
term Information Assurance, or IA, within the Department of Defense to
encompass the five security services of confidentiality, integrity,
availability, authenticity and non-repudiation. I should emphasize here
that not every IA application requires all five security services,
although most IA applications for national security systems--and all
applications involving classified information--continue to require high
levels of confidentiality.
Another point worth noting is that there is an important dimension
of Information Assurance that is operational in nature and often time-
sensitive. Much of our work in IA is found in providing an appropriate
mix of security services that are not operational or time-sensitive,
e.g., education and training, threat and vulnerability analysis,
research and development, assessments and evaluations, and tool
development. However, in an age of constant probes and attacks of
networks, an increasingly important element of protection deals with
operational responsiveness in terms of detecting and reacting to these
time-sensitive events. This defensive operational capability is closely
allied with and synergistic with traditional IA activities, but in
recognition of its operational nature is generally described as
Defensive Information Operations, or DIO. NSA's responsibilities in
this area have grown considerably since the late 1990's.
To meet this DIO challenge, NSA's National Security Incident
Response Center (NSIRC) provides real-time reporting of cyber attack
incidents, forensic cyber attack analysis, and threat reporting
relevant to information systems. Through round-the-clock, seven-days-a-
week operations, the NSIRC provides the Departments of Defense, the
Intelligence Community, Federal Law Enforcement, Department of Homeland
Security and other Government organizations with information valuable
in assessing current threats or defining recent cyber intrusions.
NSA's responsibilities and authorities in the area of information
assurance are specified in, or derived from, a variety of Public Laws,
Executive Orders, Presidential Directives, and Department of Defense
Instructions and Directives. The Secretary of Defense is the Executive
Agent for National Security Telecommunications and Information Systems
Security. The Director of NSA has broad responsibilities in providing
for the security of national security \1\ telecommunications and
information systems processing national security information,
including:
---------------------------------------------------------------------------
\1\ The Computer Security Act of 1987 defines national security
systems as telecommunications and information systems operated by the
US Government, its contractors, or agents, that contain classified
information or, as set forth in 10 USC Section 2315, that involves
intelligence activities, involves cryptologic activities related to
national security, involves command and control of military forces,
involves equipment that is an integral part of a weapon or weapon
system, or involves equipment that is critical to the direct
fulfillment of military or intelligence missions.
Evaluating systems vulnerabilities
Acting as the focal point for cryptography and
Information Systems Security
Conducting Research and Development
Reviewing and approving security standards and
policies
Conducting foreign liaison
Assessing overall security posture
Prescribing minimum security standards
Contracting for information security products provided
to other Departments and Agencies
Coordinating with the National Institute of Standards
and Technology (NIST); providing NIST with technical advice and
assistance
While protecting the confidentiality of classified information via
extremely strong cryptographic systems was a major part of NSA's
mission in the past, our mission has changed emphasis considerably over
the last ten years. We now spend the bulk of our time and resources
engaged in research, development and deployment of a full spectrum of
IA technologies for systems processing all types of information. NSA's
days of just building ``crypto for classified'' are long gone.
Specific Issues Related to Cybersecurity R&D
Your invitation outlined a number of areas where you wanted
specific comments and answers.
1. Technical approaches to optimize cybersecurity.
I believe that the highest payoff for optimizing cybersecurity is
the creation of an interoperable authentication system deployed widely
throughout the federal, national security, first responder and critical
infrastructure community. The typical approach used is a public-key-
infrastructure (PKI) system with a smart card that contains your cyber
credentials. This is the type of system that NSA and DISA have built
for DoD. A national PKI system is required that allows for strong
authentication in cyberspace for homeland security.
If we have this national system in the future--then when a first
responder connects to a DHS website to access information or upload a
report--we will know exactly who they are. We can then assign various
privileges according to the role that the person is assuming for that
specific information transaction. This authentication system also forms
the basis for all of the other cybersecurity services from protecting
the control of Supervisory Control and Data Acquisition (SCADA) systems
to encrypting your email and passwords.
It is also important to note here that the most critical
infrastructures, like a PKI, should be built using U.S. technology. I
have concerns with foreign software of unknown trust and quality being
integrated into critical U.S. systems.
My next priority for cybersecurity is effective border protection.
Just like our national borders or the perimeters of our buildings, we
need to protect our cyber borders. Effective border protection includes
many different technologies.
The most important technology is a firewall. Firewalls
help networks resist attacks by establishing a strong but
resilient border between our protected network and the external
Internet.
We also need encrypted tunnels, also called virtual
private networks or VPN's. These devices sit between critical
networks to protect the information as it moves between secure
networks over unprotected pipes.
Another necessary border security technology is called
a ``guard''. A guard is used when we need to share information
between security domains. Consider the case of an intelligence
report that is created on a top-secret network. It must be
sanitized to unclassified and then sent to a local police
department. It would be dangerous to allow this information to
move between security domains without review. High assurance
``guards'' are designed to automatically and safely allow
certain information packets to flow between systems but stops
all others.
Finally, effective borders require the ability to
detect and respond to intrusions. Just like a security camera
on a bank, cyber intrusion detection systems monitor the flow
of information around your border and detect suspicious
activity.
The best way to protect a system from attack is to eliminate its
vulnerabilities. The best way to eliminate vulnerabilities is to
improve the way we write software. High on my research priority list is
the need for assured software design tools and development techniques.
We also need to improve computer operating systems by including
functionality to enhance their ability to defend themselves from
attack.
The elimination of vulnerabilities is the goal but the reality is
that we are a long way from achieving this goal. Attacks are common and
vulnerabilities are discovered daily. It has been estimated that over
90 percent of all successful attacks on DoD systems are based on
vulnerabilities that are already known and that have an updated
software fix or ``patch'' available. The rare system operator can keep
up with all of the ``patches'' that are issued each month. A system
left un-patched soon becomes a target like an unlocked sports car with
the keys in the ignition. Therefore, another way to optimize
cybersecurity is with an automated patch management system.
This system would also use strong authentication as provided by a
PKI but the software producer would sign the new application instead of
a person. The patch would be automatically and safely sent to your
system. The PKI guarantees that it is comes from an authentic source
and has not been corrupted.
2. What areas of advanced technology should be pursued to outpace
attacks?
Research is required to improve a cybersecurity system's ability to
modify itself on-the-fly. New attacks are constantly emerging and new
vulnerabilities are discovered even in the most carefully designed
systems. The ability to update must be safely executed and as
transparent to the user as possible.
NSA is working on a multi-year, nearly $3B development program
called Cryptographic Modernization (CM) that has some of these
features. There are over 1.3 million cryptographic devices in the U.S.
inventory. Over 75% of these systems will be replaced during the next
decade. Future security systems are being designed to use the network
to safely program and reprogram their operating characteristics
automatically and transparently to the user.
Research is also needed to learn how to build cybersecurity systems
that can continue to operate even while under attack. Resilient
systems, like those being investigated by DARPA and others will be
needed in the future. The goal is to have a system that degrades
gracefully instead of causing a cascade of insecurity.
I would also suggest that considerable research is needed to
effectively coordinate information during a cyberattack. Today, most of
this coordination occurs at the speed of humans. But attacks are
carried out in seconds and are often carried out automatically.
The CODE RED attack in 2001 infected 50,000 machines per hour,
ultimately causing billions of dollars in damage. We need a capability
for our networks to work together automatically to weather an attack.
Incident information formats, automatic remediation algorithms, the
ability to learn attack specifics from intrusion detection devices and
other network sensors and then share this info with other networks
without human intervention are high priority requirements.
Another significant research topic is the ability to enhance attack
identification methods. Most intrusion detection or system misuse
systems today rely on patterns or signatures to identify the bad
behavior. This works well for known attacks but is useless against
novel attacks. The ability to detect attacks and misuse from anomalous
behavior is needed.
The ability to detect suspicious or anomalous behavior is also
useful to identify insider attacks. Studies have estimated that 50
percent of the most damaging attacks come from insiders. An insider is
unlikely to use sophisticated attacks because they already have an
account on the system--but the ability to monitor system use during off
hours or track users accessing unusual accounts provides vital clues
for detecting insiders.
Continuing with the cyber attack theme--I believe that one of the
hardest problems we must solve in cybersecurity is attack attribution.
That is the capability to geolocate and positively identify the source
of attacks on the Internet. Without confident knowledge of who and
where an attack was mounted, it is impossible to decide on the
appropriate response. A rapid and reliable capability that separates
nuisance hackers from more serious threats would increase the overall
effectiveness of every cybersecurity practitioner in both government
and the private sector. Effective attribution by law enforcement
leading would also deter the casual hacker and allow resources to spent
on more serious cases.
3. Suggest advanced technology programs needing higher priority &
funding.
A significant cybersecurity improvement over the next decade will
be found in enhancing our ability to find and eliminate malicious code
in large software applications. Beyond the matter of simply eliminating
coding errors, this capability must find malicious software routines
that are designed to morph and burrow into critical applications in an
attempt to hide. There is little coordinated effort today to develop
tools and techniques to examine effectively and efficiently either
source or executable software. I believe that this problem is
significant enough to warrant a considerable effort coordinated by a
truly National Software Assurance Center. This center should have
representatives from academia, industry, federal government, national
laboratories and the national security community all working together
and sharing techniques to solve this growing threat.
We also need the ability to trust the hardware platforms we use for
critical applications. Most microelectronics fabrication in the USA is
rapidly moving offshore. NSA is working on a Trusted Microelectronics
Capability to ensure that state-of-the-art hardware devices will always
be available for our most critical systems.
The DoD is currently undertaking a major program called
transformational communications. This program is developing the
military communications infrastructure of the future and it will be
delivering high-bandwidth, secure, multi-faceted digital capabilities
across the defense enterprise and down to the individual warfighter.
Many new cybersecurity requirements are being generated by this
initiative and they will require significant R&D resources. For
example, additional key management infrastructure capabilities,
techniques for multi-level security networks, and ultra-high bandwidth
encryption are a few of the new technologies being driven by this
requirement. It is important to note that the results of this program
will be dual-use. The technology being developed will have application
for solving many of the same challenges that are found in homeland
security systems.
In today's Information Technology environment, the need is
particularly acute for ways to counter security vulnerabilities found
in popular commercial operating systems and applications. While many of
these vulnerabilities can be fixed by properly configuring the system,
the goal is to configure these systems to be as secure as possible
``right out of box.'' Building on the hugely popular security
configuration guides for Windows 2000, NSA, working with Defense
Information Systems Agency, the National Institute of Standards and
Technology, the FBI's National Infrastructure Protection Center (now at
DHS), the General Services Administration's FedCert, the SANS
Institute, the Center for Internet Security and vendors--developed a
set of consensus benchmark security standards. These standards provide
a sort of "preflight checklist" of security settings.
The benchmark standards represent an effective model based on
agreement between security experts, system operators and software
vendors. A number of standards for the most popular technologies are
being adopted by many government and private sector CIOs.
I am happy to learn from your last hearing that some equipment
vendors are now offering the security standards as the default
configuration. I also understand from your hearing last week that
industry gave high marks to the great work being done by the Center for
Internet Security. NSA is proud to be a part of this project and will
continue to support the community in establishing security standards.
This consensus approach may not eliminate every vulnerability, but by
working together, we can harden our systems against common attacks.
4. Role of technology transfer among government, academia, and
industry?
NSA is motivated by a sincere belief that the requirements for
cybersecurity products and services for national security uses are
identical to the requirements found in other mission critical systems
e.g., homeland security and critical infrastructure protection. We have
developed a number of programs and policies targeted leveraging the
commercial information technology.
The National Information Assurance Partnership (NIAP)
is a U.S. Government initiative designed to meet the security
testing, evaluation, and assessment needs of both information
technology producers and consumers. NIAP is collaboration
between the National Institute of Standards and Technology and
the NSA in fulfilling their respective responsibilities under
the Computer Security Act of 1987. The partnership, originated
in 1997, combines the extensive security experience of both
agencies to promote the development of technically sound
security requirements for IT products and systems and
appropriate metrics for evaluating those products and systems.
The long-term goal of NIAP is to increase the level of trust
consumers have in their information systems and networks
through the use of cost-effective security testing, evaluation,
and assessment programs. NIAP continues to build important
relationships with government agencies and industry in a
variety of areas to help meet current and future IT security
challenges affecting the nation's critical information
infrastructure.
NIAP also produces cybersecurity specifications,
called protection profiles that have already been developed for
low and medium assurance applications and are periodically
updated. The profiles are available on the NIAP website for
anyone to use to describe the features needed for cybersecurity
applications.
NSTISSP #11 (National Security Telecommunications and
Information Systems Security Policy #11) is a national security
community policy governing the acquisition of information
assurance products. The policy mandates, effective 1 July 2002,
that departments and agencies within the Executive Branch shall
acquire, for use on national security systems, only those
products that have been validated in accordance with the either
the Common Criteria, or other approved methods. Additionally,
NSTISSP #11 notes that departments and agencies may wish to
consider the acquisition of validated COTS products for use in
information systems that may be associated with the operation
of critical infrastructures as defined in the Presidential
Decision Directive on Critical Infrastructure Protection Number
63.
The Information Assurance Technical Framework Forum
(IATFF) is a NSA sponsored outreach activity created to foster
dialog between U.S. government agencies, industry, and academia
seeking to provide their customers solutions for information
assurance problems. The ultimate objective of the IATFF is to
agree on a framework for information assurance solutions that
meet customers' needs and foster the development and use of
solutions that are compatible with the framework. The forum
serves to increase awareness of available security solutions
and allows attendees to establish contacts with other
individuals and organizations dealing with similar problems.
The Information Assurance Technical Framework document,
currently in its third revision that provides over 500 pages of
technical guidance for protecting information and information
systems.
The Centers of Academic Excellence in Information
Assurance Education Program is an outreach effort designed and
operated by NSA in the spirit of Presidential Decision
Directive 63. The program goal is to reduce vulnerability in
our National Information Infrastructure by promoting higher
education in information assurance, and producing a growing
number of professionals with IA expertise in various
disciplines. Fifty universities have been designated as Centers
of Academic Excellence to date. NSA has also been using the
skills found at the service academies in a number of
interesting ways. One exciting program is the service academies
competition for attacking and defending networks. We also
sponsor visiting professors in IA. We need this type of program
for our workforce development - we must invest in our future.
NSA is also working to transfer techniques to
cybersecurity service providers. One of the services that NSA
offers under this authority is system security assessment.
Since NSA has limited resources to meet the ever-growing demand
for INFOSEC Assessments, a training and certification program
was developed as a partnership between NSA and private INFOSEC
Assessment providers.
NSA also created the INFOSEC OUTREACH Program to
combine the substantial Information Systems Security talents of
government and industry partners. The program provides insight
into secure design, security evaluation, and the security
considerations of system certification. Working together, the
partnership of government and industry can meet the increasing
demands for state-of-the-art secure telecommunications and
information systems.
NSA and the International Information Systems Security
Consortium (ISC)2 developed a new Information Systems Security
Engineering Professional credential for information security
professionals who want to work on national security systems.
The new certification will serve as an extension of the
Certified Information Systems Security Professional, offered by
(ISC)2 for information security.
5. How are research priorities and programs determined in the national
security area?
We base our priority decisions on a number of factors. The first
factor is determined by the technologies and systems most used by our
customers. For example, we recently started a comprehensive R&D program
to enhance the security of PDA's and wireless 802.11 networks over the
last two years because of the explosion of the use of these systems by
our DoD customers.
We also maintain a large number of cooperative research agreements
with many of the most important technology vendors to help us keep
ahead of their development cycles. We also work with small firms
ensuring that their innovative technologies are fully informed by our
cybersecurity expertise. This insight allows us to program for
anticipated cybersecurity enhancements of our systems, or in the best
case, influence our industrial partners, large and small, to add
additional IA features during development.
Our researchers also participate in R&D agenda setting panels and
boards with the NSF, DARPA, National Laboratories, and industry
associations. We collaborate with the R&D functions in our customer's
organizations. All of this information is used in making an R&D
priority and programming decision.
NSA is also unique in that we have considerable insight into the
threat presented by various adversaries from our intelligence
activities. Threat profiles are developed and these, in part, drive our
research agendas.
6. Share your perspectives on leveraging national security standards
for homeland security needs?
National security standards are developed for--and are intended to
be leveraged for all critical cybersecurity requirements.
In order to promote secure interoperability between
wired and wireless systems NSA initiated an industry and
government consortium to agree on a common signaling plan
called the future narrowband digital terminal (FNBDT). Although
in reality it is not just narrow band anymore but a broad
specification, FNBDT includes a common voice processing
capability, a common signaling protocol, a common crypto-
algorithm base, and a common key management process. FNBDT has
become the primary security standard for cell phones, military
radios and many emerging public safety communications devices
intended to serve homeland security missions and first
responders all around the world.
We also created the High Assurance IP Interoperability
Specification (HAIPIS), which will ensure interoperability with
all future generations of IP network encryptors. The IP, or
Internet protocol, is the backbone of the worldwide Internet.
This new cybersecurity specification has become extremely
popular and new products, based on this specification are being
released regularly.
Many of the technologies that we are suggesting for
homeland security requirements were developed to support
coalition military warfare. These systems were designed to
cost-effectively support a highly mobile and constantly
changing set of information sharing partners. We are confident
that they are exactly what many homeland security applications
require.
Conclusion
It has been my pleasure to share the work of my agency with the
committee today. I believe that much of the research and development
initiated by NSA for use in the national security community is directly
transferable to the needs of homeland security. We all need to work
together to shape the demand side of the market. Everyone needs
trustworthy technology. We cannot afford to cut corners.
We must change our fundamental assumption from need-to-know to
need-to-share. We must share policies and processes across the
community. Cybersecurity products and technologies have been the focus
of my remarks today but the technology alone will never be good enough
to protect us because--ultimately--getting cybersecurity right is more
about what you do than what you buy.
Thank you for the opportunity to speak before the subcommittee today.
Mr. Thornberry. I thank the gentleman, and all the
witnesses, for their testimony. It is rather remarkable to me
how much consistency there is really between among all three of
you.
At this time, I would yield to the gentlelady from
California for questions.
Ms. Lofgren. Thank you, Mr. Chairman. And as I have in past
hearings, I am really struck by how fortunate we are in this
subcommittee to be able to really call on some of the smartest
people in the whole country, and then they come and share with
us. So it is a delight to listen to each of you.
I have many questions, but let me just start in with Dr.
Sastry, because one of the concerns I have, you mentioned
HSARPA as an encouraging element of the new Department and one
with great promise. Before you were leading the Department at
Berkeley, you ran the technology, the cyber part for DARPA. And
I am wondering if you can reach back to that part of your
experience and give us some advice on what we might do to
actually get HSARPA up and running.
Right now there is, I believe, a recently hired deputy
director, and that is it. I mean, it was last month you
couldn't even call the division because there wasn't a phone
number or an office. And there is no director, there is no
employees. If you were the czar, what would you do to jump-
start that effort so it could be as productive for the country
as DARPA was?
Mr. Sastry. Thank you very much, the Honorable Ms. Lofgren.
I had the good fortune to serve under the deputy directorship
of Jane Alexander, who is now the Deputy Director of HSARPA;
she was the Deputy Director of DARPA. So I think we are
fortunate to have some leadership with experience in the DARPA
model.
The way I would configure HSARPA is perhaps quite
substantially along the lines of the DARPA model with a few
differences. The way DARPA programs are organized are they are
mission-oriented in the sense that they are 3-to 5-year
programs with very definite outcomes. And so even in the
information assurance and survivability suite of programs, we
had one on secure systems, we had one on fault tolerant
networks, we had one on coalitions. And each one of those was
separately organized, bite-sized pieces of research. And in
addition, the way those were informed by the needs of the
services and the needs of the service labs was to have the
service labs be the individual CTARs of the technical
contractors for executing the contracts.
So I feel that the IAIP Directorate, the Board of Security
Directorate, and the Emergency preparedness directorate could
provide staff to be the executors of the contracts that come
out of HSARPA, very much in that model.
Now, the questions about how one ramps up quickly to this
is a very important one, and I think it will take some time to
hire the right program managers and to have adequate turnover,
the way DARPA does, so as to keep new ideas coming into the
agency. One suggestion is to actually use existing mechanisms
of partnership with NSF the way DARPA does, or with DARPA
itself in the short run, to be able to ramp up to such a state
where it has its own program managers.
The one thing I do differently from DARPA is, because there
are sort of short-and intermediate-term needs which have to be
met in the other directorates, I think I would really have a
separate office which concentrates on the technology transition
issue. And the technology transition issue would be about
setting up the correct structures to make sure that, as the
programs mature, those get taken up. And I alluded to some
mechanisms that I thought were useful.
Ms. Lofgren. Mr. Wolf expressed concern about foreign
software or software developed offshore and its reliability. Do
you, Dr. Bellovin and Dr. Sastry, share that concern?
Mr. Bellovin. I am concerned about all software's
reliability and correctness. I am not in the position to
understand how much greater the threat is when it is coming
from elsewhere, but we are dealing with a screen door, not a
vault door in a lot of the software.
Patching systems--I was asked this question leading up to
Y2K. A lot of the Y2K intermediation work was done offshore. I
was asked if I was concerned about that, and my answer was, I
am concerned about anybody patching systems regardless of who
they are, because patches have a much higher bug rate, hence,
vulnerability rate, than base code.
So I think if we had the technology to examine any code, no
matter where it was, for security and assurance, or vendor back
doors which sometimes are put in for maintenance purposes, we
would be in a lot better shape. And I would leave to
professionals to understand how much greater the threat is from
overseas.
Mr. Sastry. If I could amplify on that, I fully agree with
Dr. Bellovin. I think that one has to be worried about all
software. And one of the problems about these complex systems
has been that even though one can trust individual pieces, when
you put them together, the overall systems tend to suffer from
all kinds of problems. So I think that there are some glints of
hope. But I think that the technologies for guaranteeing that
software, whether it is written overseas or in the United
States, is in fact more or less correct by construction, are in
their infancy.
One specific one that has come out of Carnegie-Mellon is
called proof-carrying code. And this is the notion of providing
code which comes with its own certificate so one can
independently prove to one's self that it works the right way.
The drawback has been that it is not scalable to large systems.
Now, I think that there is an area of research about how
you compose and put together large systems. And this is perhaps
what we have to do on the fly today to reduce vulnerabilities.
And so I guess there are no easy answers.
Mr. Wolf. If I could add a comment to that. Really, there
are two pieces to that. One is certainly the quality of the
code. And as was referenced earlier, certainly there is a lot
of buggy code out there. But the other is the trust factor. And
when you think about the globalization of IT and the people
that are writing code offshore now, there is a wide variety,
many of whom you can say that we trust, and there are others
that you might not have so much trust in.
And frequently my organization is asked, for example, by
law enforcement to look at code and say, is there a back door
in this? Is there something malicious in it? That is a very
difficult problem, and the tools aren't necessarily there to do
that right now. And so that is the reason that we have talked a
lot about the idea of a national lab that looks at software.
Certainly, you know, the goal would be that you write codes so
that up front the code is good and you have trusted code
trusted modules. But in many cases we don't have that luxury.
And if you think about the critical infrastructure of Wall
Street or the power grid in the east coast, and you look at who
wrote some of that code, you might be a little concerned.
Ms. Lofgren. I am intrigued by this, and I don't know if we
will have time for a second round. But I am wondering whether
some of the research--I don't think that is a function you
would want the Federal Government to provide, and yet it might
work nicely with the research that is being discussed, maybe
the test bed research that was referenced in the testimony, so
that you might have--I mean, the last thing you want is the
heavy hand of the Federal Government on the creative element,
and yet we might want some way to examine and have a test bed
research component for critical elements of the infrastructure.
Is that sort of what the two doctors are proposing?
Mr. Sastry. So, I think test bed research is really a lot
of what is needed to take ideas from the research stage into
systems that work. So, the specific kinds of test beds that I
alluded to certainly for network defense, distributed denial of
service and worm attacks, are coming in with an increased
frequency. There are a lot of different solutions that the
research community is putting out, but very few service
providers have faith in them simply because they haven't been
tried out on systems of adequate magnitude. So also in this
software verification the questions of how much faith you can
put in proof-carrying code, which is a piece of code that you
add to a piece of software to check whether it is actually
meeting the functions that it was supposed to and whether or
not it has back doors.
So I think that a test bed activity is one of the things
that is needed to fill the chasm between research and what
comes out of a university or what comes out of other research
agencies, research groups, and products.
And then the questions about the regulations. I think that
while it is true that it is not completely clear whether one
ought to be heavy-handed in the regulation, I do think that as
in the Y2K case, the Federal Government had a very, very
important role in 1997 by the SEC asking for companies to file
their plans for what they were doing with Y2K.
Ms. Lofgren. If I may. I don't disagree that the Federal
Government must play some role. The question is, what is that
role? And I think we have discussed many times, and I think
there seems to be consensus among most of the members of the
subcommittee, that a heavy-handed regulatory role is probably
not the optimal role for the government to play, but there is a
role for the government to play.
Mr. Bellovin. There is a need for test beds. The
fundamental problem of software is scale. We can do small
things well, both developing and testing; we can't do large
things well. That is where a test bed, an opportunity to try
certain things at scale in an experimental setting would be
very, very useful. And there are some things where it is easier
than others. Network technology, it works better.
Software. Most of the large software systems are developed
by industry. A mass--a software project by definition is very
many people over many years with real users and real changes
over the life span. That is hard to put into a test bed.
Nevertheless, an industry/government/academia cooperation is
useful, because industry has the software that everybody is
relying on, including the Defense Department. We are all
running commercial off-the-shelf software for the most part,
and we have to get this right to secure the critical
infrastructure.
Ms. Lofgren. I think I have more than used up my time, and
I would like to thank the Chairman for his courtesy and yield
back.
Mr. Thornberry. The gentlelady is asking some very good
questions.
The Vice Chair of the subcommittee, the gentleman from
Texas.
Mr. Sessions. Thank you, Mr. Chairman.
On behalf of this committee, as you have heard us say, we
appreciate all three of you being before us today. I think this
is an important exercise for this subcommittee and for our own
knowledge.
Mr. Wolf, I think I would like to direct my question to
you, but I am not sure it would be limited to you. You speak
very forthrightly and clearly about effective border
protection. And, quite honestly, that makes my mind race. I am
a free trader. I believe in goods and services and information
flowing back and forth between countries. And I believe one of
the most powerful parts about the World Wide Web is its
availability to people for commerce and other activities.
However, the need of this great Nation to protect itself and
its intellectual property, its secrets, and other things that
emanate from that is important also. And in my mind, I
understand--I think I understand border, but I am not sure that
I do, and it is because I really don't have a concept of where
all these nodes are that bring traffic into this country to
where they share our information.
And standards body. When I was at Bell Labs, we were a part
of a standards body organization for switch manufacturers.
I would like for you, if you could, to perhaps go through
in a detailed way about what you see as this border or cyber
border. And are there things that we as this country should be
doing, just like trade agreements, to say--or just like Customs
would be at an airport in a foreign country or visitors coming
to this country. Should we place a burden upon knowing who is
coming here and where they came from? And I know this is hard
on a real-time basis. Or even if just information that would
travel with that packet that would comment about where someone
originated. I think you see where I am coming from. Can you
address that?
Mr. Wolf. Okay. And I guess let me start by saying when
they talk about border protection, you are really talking about
protecting--if I can start, say, with your computer at home, in
terms of having a firewall such that you can control in terms
of who comes into your computer, who has access to the
computer, the kinds of things that come in and go out of your
computer. So that is not restricting you from going to anywhere
in the world, okay, to look at something on the Internet. But
it is meant to stop a hacker, for example, from coming into
your computer and stealing your tax information. So we talk
about firewalls. And firewalls have a set of privileges that
you can identify with them in terms of how strict and how high
up you want to put the wall, if I can say it that way.
We also talk about intrusion detection systems. So now if
you go a little further out from, say, your home computer and
you want to develop a profile of what kind of activities are
coming across that boundary, looking for hackers, for example,
that is kind of what we would call border protection. In terms
of looking for malicious activity, threats, hackers, whether
that is a terrorist, a nation state, state, whatever. So you
are, if you will, protecting your computer environment,
protecting cyberspace.
Now, if you take that a little further to the borders of
the United States, that would be a very difficult task to put
up, if you will, some kind of protection around the United
States, and probably not necessarily a good investment. But you
certainly would want to put sensors maybe on the periphery of
the U.S. again to look at hackers, to look at people trying to
come in to do malicious things to you, and to look also at
maybe data that is leaving the U.S. the idea of--and I talk
sometimes, and I think in my testimony talk a little bit about
the insider. You know, is there information leaving a facility
that you wouldn't want to leave? Is somebody on the inside
pushing information out to another entity?
So when we talk about border protection, we are really
talking about how do you protect your enterprise, what kind of
protections do you put around it so that somebody can't come in
and do something malicious to your enterprise? So, not really
restricting in terms of, you know, the Internet as a whole, but
it is more the protections that you want to put in to make sure
that somebody isn't doing something malicious to you.
Mr. Sessions. So the border could mean any individual
computer as opposed to in the border I was describing as the
United States of America?
Mr. Wolf. Yes. So we are not necessarily talking
geographic. In DOD, we have something called ``defense in
depth,'' and we talk about the enterprise level, the
information backbone. There are several levels that we talk
about in terms of doing protections. So it is not necessarily a
physical boundary in terms of around the United States.
Although there may be something in terms of implementing a
network of sensors to look for hackers, to look for kinds of
activities, malicious activity. That may be something that we
want to do.
Mr. Sessions. Okay. Any of the other gentlemen choose to
speak?
Mr. Bellovin. Yeah. I am in favor of border protection to
the extent it is possible; I was the author of the first book
on firewalls in 1994. But it is a much more challenging problem
today than it was in 1994, because the amount of
interconnection has increased tremendously. A modern
corporation will have hundreds to thousands of external links
that penetrate its firewall to its outsource functions, to its
joint venture partners, to its customers, to its suppliers. All
of this is done electronically, and all of this is done by
means of mechanisms that bypass the firewall, go through the
border.
In other words, we have many more border crossings than we
do today. The virtual private network technology that lets me
work from my hotel room exactly as if I was inside my office at
AT&T works very well; but if the same employee who is
telecommuting via VAN is using that same computer to surf the
Internet individually, we have a problem because we don't have
an effective border. We are moving more towards a motel rather
than a hotel model. In the hotel, there are one or two
entrances and everyone is walking past the front desk. In the
motel, every room has got its own door to the outside. It is a
lot harder to secure that, and we are moving more towards that
ladder. We have to find a scalable solution to let us protect
all of these doors.
I would note that tracing things, where they are coming
from outside the country, is a lot harder. The hackers don't
use their own computers for the most part. They use their own
computers to hack an easy target, maybe in a university
someplace or a small company, and use those to hack a few more.
Five levels away, that is where they will launch the attack
from. The attack may be coming from inside or the outside, but
you don't know where the controlling messages came from. And
that is what makes it so hard to trace back these things.
Authentication credentials, they are stealing the credentials
identity today. It would be very hard to fundamentally
reengineer things to get around that.
Mr. Sastry. I share you sentiments about being open enough
to, A, have IT products come into the country, and also for us
to be able to sell IT products in other parts of the world. And
so I think that open standards, which I think is one of your
concerns, are in fact better than standards where one erects
barriers.
But having said that, I think that one does need to have
the sense of being able to dial up and down security so that
even if you did have this motel model and sometimes--and
physical security with different threat levels and being able
to dial up and down security depending on your perception of
how threatening the environment around you is, the questions of
how to do this are I think are open research issues.
Also, I think that the questions about being able to trust
software, I think it is easy to trust individual pieces of
software and to be able to test individual pieces of software
regardless of where they are written.
On the other hand, the problems are about what happens when
you try to compose them. And the biggest single problem is when
you put together complex systems--and people inevitably build
complicated systems for reasons of functionality--that is when
we really don't have guarantees both in security and also in
privacy because of the kinds of data sharing that occurs across
large systems.
So coming back, I think in the earlier parts of our
testimony both Steve and I, Steve Bellovin and I, agreed that
really sort of the bottleneck problem is to be able to compose
secure systems so as to guarantee that the overall system
works. And I think that the way to do that is not actually to
stop people from sending software in or for us to be able to
sell overseas.
Mr. Wolf. And if I could add one more comment. We talk
about border protection and firewalls. You also need to think
about what functions you want somebody to be allowed to do on
your computer. So it is not just put a border up and protecting
it, but it is what do you want them to do. Do you want them to
be allowed to look at Web pages? Do you want them to be able to
move files around? So there is a whole set of things to go
along with that. So it is sort of the motel model in terms of
defining what you can do in the motel.
Mr. Sessions. I appreciate that, gentleman. That obviously
led me right to what Mr. Wolf was talking about, and that is
our own systems is our border. And I appreciate the discussion.
I yield back.
Mr. Thornberry. I thank the gentleman.
The gentleman from Rhode Island, Mr. Langevin, is
recognized.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank
members of the panel for being here, and your testimony, and
really some of the questions I have prepared you have
addressed. But I would like to give the opportunity to expand
on them a little more. And I will start with asking if you can
discuss whether there is sufficient information sharing taking
place between researchers who discover most vulnerabilities and
the companies who created the products and the DHS. And also,
how could the government help to foster an environment where
researchers and companies could better work together?
Mr. Langevin. And then, expanding on that point, what do
you see as government's role in terms of increasing security
and standards setting? Should it be fostered through
partnerships and purchasing criteria, or should we take a more
active role? I know you discussed this a bit already, but if
you can expand upon that. And basically would government-
mandated standards, such as the common criteria, be a baseline
or hindrance for future innovations? If you could take a crack
at those, I would appreciate it.
Mr. Bellovin. When it comes to vulnerability reporting,
there is pretty good cooperation between the people who find
the holes and the vendors. There is sometimes an unrealistic
expectation of how soon a problem can be resolved. More
responsiveness, at least acknowledgment, would certainly help.
I think it is cases of people getting frustrated at reports
being ignored. In general that is a path that works well.
Sometimes people have unrealistic expectations about what
can be done. You know, the problems are generally subtle, or
they wouldn't be there in the first place.
For standard setting, I would suggest the procurement model
is much better. We don't know exactly what we are doing. There
is a saying, if we know what we were doing, it wouldn't be
called research. And to try to mandate certain things is
probably premature given the state of the art. The Common
Criteria is a useful step forward. As an NRC report a few years
ago pointed out, it doesn't really address a lot of the
software models we are dealing with today. It is also extremely
expensive to produce software that meets these criteria and can
continue to meet these criteria over the life cycle of the
hardware and software platform.
This has tended to make such systems slower, much less
modern, and much more expensive than the commercial off-the-
shelf alternatives, which has generally led people to buy the
commercial off-the-shelf alternatives, because they don't
perceive the threat, there is no particular push back, no
incentives, as I said earlier, for people to install the more
secure software in most situations.
Mr. Langevin. Okay.
Mr. Sastry. I share a lot of the comments made by Dr.
Bellovin.
Let me talk a little bit about the information-sharing,
which is one of your questions. I think that information-
sharing is an important step. The ISACs are certainly an
attempt to try to get information-sharing across industry
sectors.
My perception is that there is a lot of concern in industry
about sharing this information, partly because there isn't a
lot of sensitivity about how this information would be
protected by FOIA requests. Of course, there are ways, there
are other transactions, authorities and other procurement
mechanisms by which this information could be protected. I
think industry needs to be sensitized to the fact that they
can, in fact, share this information without its being open to
public scrutiny.
My sense also is that there is a certain amount of funding,
and I think the Federal role in being able to smooth this
information-sharing is not to be underestimated. I think that
there is a sense that a lot of especially small companies feel
that they are sort of doing that on their own dime. So I think
that if they had a greater sense of feeling protected when they
shared the information, and also they were given some help,
some financial help, for sharing this, I think this would go a
long ways to where it is helping the ISACs.
Mr. Langevin. Could you expand on that. How we do that? How
we foster that?
Mr. Sastry. I think there are mechanisms inside DHS, and I
think there are questions of appropriation of a certain amount
of resources simply for the ISACs. And the other transaction
authority is simply the contractual mechanism that can be--that
can be chosen to be exercised by the Department of Homeland
Security to actually protect the information from FOIA
requests.
I think they have the--I do think that they have the OTA
authority to do so. The telecom--and the telecom folks that we
talked to at BellSouth and others were really quite concerned
about being sort of reassured about this, partly because this
OTA is not a well-known contracting instrument, and people
don't know all of its possibilities, I guess.
Mr. Langevin. Thank you.
Mr. Wolf. A major part of my mission, if you look at my
mission statement, is to discover vulnerabilities, because my
job is to provide secure systems for the national security
sector. So we put a lot of effort into discovering
vulnerabilities. And we work very closely with industry. We
work very closely with academics in terms of how we do that.
We have various reach agreements such that--with various
companies, they are called CRADAs, cooperative research
agreements, so that we get access, for example, to source code,
and again, with the idea of how do you improve the source code
to improve the security. When we find a problem, we go back to
the company, we explain what the problem is, and in many cases
provide them some of the technology to help improve their
product, because, again, we are trying to build product.
That is my main goal is to get product out there for the
national security sector. Of course, the byproduct of that is
it is dual-use technology. So anything I provide to national
security in many cases can be applied other places.
So I would say there is a very close relationship in terms
of working with industry on that. I can probably go through
many, many examples of successes that we have had in that area.
You mentioned about security settings and benchmarking. I
think that is a very, very important thing. I mentioned that in
my testimony in terms of how do you configure things out of the
box so that they are very secure. And we are very active in
that particular area. Common criteria is something that we
strongly support. We put a lot of effort into common criteria.
Common criteria, what it does is it is really, I will say,
raising the bar, if you will, in terms of information
assurance. It is not the ultimate answer, it doesn't make it
perfect, but what it does is it does put products through a
fairly rigorous testing for certification, so that given a set
of functions that the product is supposed to do, that you have
demonstrated that it does do those functions under certain
conditions.
Now, again, it doesn't solve all of problems, but it does
raise the bar. And common criteria probably needs common
criteria 2, some additional things to common criteria. And I
share the comments and agree that common criteria can be a
little expensive for companies, and that is something we are
also trying to work in terms of how we can improve either the
timeliness of things getting through the process, or how we can
do something in terms of helping in terms of financially. But
that is a difficult problem to resolve.
We have reached out to homeland security, in particular Bob
Liscouski in the IP, and have talked to him about working with
us in NIAP and how we can leverage the kinds of things that he
needs to do with the national security sector. So together what
we do is we come to the table with a larger, if you will,
market share. If we just looked at the national security
sector, that is not a big sector in terms of many of these
products. So in terms of getting the things through common
criteria through NIAP, if there is homeland security and
national security, that makes it a much larger market, and
makes it more cost-effective in terms of a company going
through that and getting that process done.
I guess the other question was about mandated standards. I
don't believe we should mandate standards. We should establish
standards. We should sort of recommend standards. But I think,
you know, one of the problems with standards, and I certainly
see it in my sector, we have everything from a small military
installation with a small requirement to some large network
like the SIPRNET, and to try to mandate one standard in those
two extremes is very, very difficult for anybody to meet.
So I think you want to establish a set of standards,
recommended standards, and do it that way rather than make it
mandatory, because one size does not fit all.
Mr. Bellovin. Let me echo that. It if was that simple to
ship a secure system, Microsoft and Sun Microsystems and
everyone else would have done it years ago. How you use, how
you configure a network or system depends on its purpose. A
laptop that is used for text editing and e-mails has very
different configuration requirements than a software
development machine, which is very different than a Web server,
which is very different than a database server and so on.
There are about as many different uses of computers and
configurations as there are computers, and one size does not
fit all.
Mr. Sastry. If I may just respond to your question of
partnerships. And now I will sort of take the academic. I think
the problems, the research problems and the development
problems, are really too large for just about any group in this
Nation. So I think it is especially important for research
groups to work in teams. And at Berkeley we have really found
it very, very important to collaborate with large numbers of
research groups across the length and breadth of the Nation.
The questions are then about what facilitates this
collaboration is really at the academic, at the research level,
that we have open standards where we don't use IP protections
inside universities for protecting the kinds of software and
systems research that we do, but at the same time we allow for
industry partners to be able to uptake that information and
take it out of the open source development, and then take it
and encapsulate it into their products. And so, for instance,
in sort of a research center and trust, which we are doing with
Stanford, Carnegie Mellon, Cornell and Vanderbilt, we have
found it very important that we voluntarily have adopted an
open source IP policy amongst ourselves, while making sure that
the companies, the industrial partners, can actually take the
open source materials that are created, the secure trusted
systems that are created, and then go take it into their
proprietary products. That is sort of something that I think
that the research sector can do in this particular space.
Mr. Wolf. One of the exciting things that is happening in
NSA right now is that--.
Mr. Thornberry. The gentleman from Rhode Island elicited a
host of interesting responses, which we certainly may want to
pursue, but in the interests of time, let me turn to other
Members, because we have gone well over double the 5 minutes.
Mr. Langevin. I thank the Chairman for his latitude in
allowing the panel to answer.
Mr. Thornberry. I appreciate the gentleman's questions.
Excellent questions.
Does Chairman Cox wish to ask questions at this time?
Mr. Cox. I do. Thank you, Mr. Chairman. I wonder if I could
ask Dr. Sastry and Mr. Wolf whether you agree with the
statement made by Dr. Bellovin in his testimony that when it
comes to cyber, most basic research is being done in our
universities. Is that your opinion as well?
Mr. Wolf. I would--
Mr. Sastry. I am sorry?
Mr. Cox. If you could not hear the question, I am asking
whether you agree with Dr. Bellovin's assessment that when it
comes to cyber, most basic research is being done in our
Nation's universities?
Mr. Sastry. I would say so, even though there are pockets
of excellence in industrial research labs as well, such as Dr.
Bellovin's group itself.
Mr. Wolf. I would disagree. I would say it is done in many
places. Cybersecurity covers--there are many facets to that. I
would point to DARPA, I would point to NSF, I would point to
some of the things that NSA is doing. I would point to the
national labs. There is some very interesting work being done
in the national labs in cybersecurity. Again, some of that is
classified research, so everybody doesn't necessarily get to
view that.
Certainly in the academic areas, there is lots of work
being done, and we partner with the academics, so it is being
done in many places. I don't think there is one area that--one
organization that you can point to, one entity, and say that
they are doing most of it.
Mr. Cox. Well, I ask the question not because I think that
Dr. Bellovin would disagree with anything that you just said,
but because I think, Dr. Bellovin, one of the points that you
are making is that it is--that we know essentially where the
researchers are, and that it is difficult to scale up; that we
can throw a lot of money at this, but we also have to spend
just as much time thinking about which direction we are going,
because we can't make it up on volume. We are not going to be
able to reproduce all of this. Is that a fair statement of your
point, Dr. Bellovin?
Mr. Bellovin. Yes, that is it basically. I am not saying
there is no basic research. There is certainly a very large
need for applied research which does go on very many places.
But university research can't be scaled up, basic research
can't be scaled up by too much, because there aren't the people
to do it yet.
Of course, these are the people who are training the future
generations of researchers. So it is very important that we
encourage this, because it is not a problem that is going to go
away any time soon.
Mr. Cox. Well, taking that point, as supplemented and
augmented by Mr. Wolf's comments, and we are well aware that we
have the Federal piece, some of it is not public, so maybe our
estimates of whether majorities here or there might even be a
little soft, we are going to--I am going to infer from this,
and this is the premise of my next question, that we are going
to need to rely on our Nation's universities for some of the
big objectives that we are attempting to tackle here, that this
is going to be a partnership, and the Federal Government is
going to partner with our universities.
And then that takes me to, Mr. Wolf, your next point, and
our Ranking Member Ms. Lofgren also questioned you about this a
little bit, and that is our need to focus on U.S. technology,
and whether this is possible if we have open standards, if we
have a lot of people participating, if we are using the private
sector as well as universities, it is not all in a black
program in the Federal Government; is it realistic to assume
that this is possible?
Mr. Wolf. Well, I think it would be difficult to say that
we would use all U.S. That wasn't my point. My point was really
that there are certainly critical areas where you want to have
a good control of, you know, your hardware and your software,
maybe in a critical infrastructure, certainly in the national
security sector.
So if you have a system, you may want to look at certain
areas and put better controls over the--I will say both the
quality and the trustworthiness of the software. My comment
about, you know, national software assurance laboratory, that
may be a way of taking software, wherever it is written, and be
able to validate it and say, yes, this is trusted software. The
world right now, we are--IT is globalizing. Lots of work is
going offshore. The U.S. cannot do everything. As I say, it is
globalizing.
So it is a matter of how do you look at software code. How
do you validate it? How do you say you trust it? So whether it
is U.S. or foreign written, it is really a question of trust.
How do you establish trust in the software to make sure that it
really does what it says it does? So it is not only the
quality, but also the trusthworthiness.
Mr. Cox. To the extent that our focus is on firewalls, or
at least on that genre of technology that is meant to help
networks resist attacks, an additional reason besides our own
homeland security that we need to be concerned about theft,
about penetration of these programs is that other nation states
who are wary of the Internet, don't want their citizens using
it, and who are using black boxes and firewalls to prevent
their citizens form having access to the outside world would be
thrilled to lay their hands on the most sophisticated
technology that we have developed at taxpayer expense in order
either to prevent their citizens from having access to the Web,
or to trace the behavior of their citizens so that when they
are doing things on the Internet that the government doesn't
approve of, they can land them in jail.
What can we do, therefore, to focus on security of the
tough measures that we are trying to develop in our own
country? And for this purpose I include both cybersecurity and
physical security. And I address that to all three members. My
time has expired. I thank the Chairman.
Mr. Sastry. So your question is really quite interesting.
Let me first talk about security and privacy. So the questions
about building in privacy with--strong privacy with strong
security, my own sense is that the kinds of technology
solutions that help foster strong privacy include things like
audit, include things like watching the watchers to try to
determine who is watching what; also, these questions of
selective revelations, which means that queries are answered
narrowly so as to selectively reveal information little by
little rather than have access to a lot more than is asked for;
and then finally the questions about being able to understand
if certain privacy standards are being met, and there are a
host of new technologies, such as encrypted queries, crypto
protocols is what they are called, for being able to enforce
that.
So I think that in terms of taking worldwide leadership, I
think we can really build in strong privacy into our strong
security solutions. And then, of course, the questions of how
this may be used overseas, of course those are much more
complicated ones, but nonetheless we will have products which
have strong privacy safeguards build into it. So, I think that
this is one thing that we can do to sort of foster our ideals,
while providing strong security.
And I think that this message is somehow a little different
from a message which says that you have to give up privacy in
order to get security, because the technology indicators are
all that--in fact, they are mutually reinforcing, rather than
one at the expense of the other.
Mr. Wolf. Not necessarily a complete answer to your
question, but certainly one of the things is--at the national
security sector is that we do have levels of protection that
you put into various systems. So, for example, levels of
encryption, where you have the--I will say the high-grade
encryption, which is for the most significant and the most
sensitive communications, where you may have over levels of
encryption that aren't quite as good, but are still adequate to
protect the information.
So you can think of that in terms of the products that we
are putting out. You may have a higher level of protection in
terms of protecting the power grid in a product than maybe the
general product that would be available that would be sold
overseas. So there are ways that you can do them.
Mr. Bellovin. The firewall technology, one of the
criticisms of firewalls is that they assume that everyone on
the inside is a good guy, is following the rules. This is a
problem in industry as well. But in terms of the model you
speak of, with repressive governments trying to isolate their
citizens from the Internet, in that case it is the people on
the inside who are actively trying to get around the firewall
technology. And firewalls are not very good at that. There are
some that do better than others.
We are better off with strong firewall technology to
protect ourselves with multiple overlapping layers of defense
in depth to prevent people from the outside getting in, using
overt mechanisms to provide insider behavior, ones that don't
scale to a whole country, whereas outbound traffic is
relatively unrestricted, and you rely on internal auditing.
That, I think, would not pose nearly as much of a threat of
being used by repressive governments to keep their own citizens
from accessing the Internet. So I don't think there is any
particular conflict there.
Mr. Cox. Well, I am happy to hear that.
Thank you, Mr. Chairman.
Mr. Thornberry. Thank the Chairman.
The gentleman from North Carolina.
Mr. Etheridge. Thank you, Mr. Chairman. And let me thank
you and the Ranking Member for this meeting, and for our
distinguished guests for being here today. It has been very
interesting thus far, and I appreciate that.
Gartner, Incorporated, a respected IT consulting
organization, has estimated that about 90 percent of the cyber
intrusions could be avoided if individuals and companies
consistently maintained the security of their computer systems
by monitoring use and installing software patches to identify
security flaws.
Number one, do you agree with that? And, number two, do you
believe that software vendors could make security maintenance a
little more user-friendly? If each one of you would just touch
on that.
Mr. Bellovin. I would guess that it is more like 95 to 98
percent than 90 percent. I very much agree with that statement.
But, as I indicated in my written testimony, patching systems,
especially production systems, is a much more challenging thing
than it should be. I will not update my PC after about April
1st until I have filed my taxes, because I can't take the risk
of some unrelated change disabling the tax preparation software
I use. And you have got that problem in spades if you are
running a corporate Web server, a major corporate or government
database and so on.
As Dr. Sastry has indicated, the composition of systems,
the components of complex systems working together properly is
a very, very difficult and unsolved problem. We don't know how
to do this. This is why patching is so hard. It is not that the
administrators are irresponsible, or that the vendors haven't
supplied good tools, it is that we don't know how to do it
easily, reliably and without breaking something else.
Mr. Sastry. Mr. Etheridge, if you were like me, when you
are installing a computer and you have all of these queries
which say, will you do this, will you do this? I think
everybody's tendency is just to press, yes, yes, yes, or no,
no, no randomly. So I think what you are alluding to is a big,
big hot-button item.
So people talking about human computer interaction. So I
think the notion of human computer interaction for security to
make it easier for people to actually understand what they are
doing and be able to configure their systems is--I think is a
vast and rather untapped area of research in cybersecurity. If
anything is needed right away, it is one of those for the--and
I agree with your statistics, too.
Mr. Wolf. Operationally my organization does red-teaming,
which is an organization that tries to penetrate networks. So
we have customers in DOD that ask us to go look at their
networks and to see if we can get into them. And I can verify
that your 90 percent is probably correct. It is the networks
that haven't been properly patched, configured properly. We
look for those kinds of things. That is usually the door that
we get in.
If I look at the statistics that come out of the defense--
of the DOD networks, that come out of the JTF-CNO, I think
their statement is it is about 90 some percent of the attempts
to hacks are really trying to get at things that haven't been
patched properly.
In my testimony I talked about automatic patching and how
that is a significant research agenda item. I believe that
needs to be done. How do you make patching much easier for the
system administrators? They are overwhelmed with the number of
patches and problems and configuration settings that they have
to do every day. And the idea of having preconfigured systems
coming out of the box that are security-conscious in terms of
here are the right settings, I think, is also another step
forward.
Mr. Etheridge. As you have noted before, and others before
us, that the government, universities and the industry need to
encourage more students to get into math, science and all of
the science areas of technology in order to produce more
graduates who can deal not only with cybersecurity, but with
this whole issue of technology that we are dealing with.
And let me go to each one of you on this one, starting with
you, Dr. Sastry. Is the academic community acting in a way in
retaining the number of scientists needed in the research area
as it relates to cybersecurity as we look down the road, and,
more specifically, making these systems more user-friendly?
Because I think that is the key to getting the security.
Mr. Sastry. Sir, it has been recognized that human computer
interactions for cybersecurity is something that we need to
focus on. The realization has kind of surprisingly recently. So
in some ways the work is only now beginning.
The questions about training the workforce, I think these
are very, very--this is a really a very important item for us,
because security, of course, depends on making sure that the
entire populace is educated about all the needs of
cybersecurity, because, of course, it is only as strong as the
weakest link. I think that there has been in the last 2 years a
shift in enrollments. I am in an electrical engineering
computer science department. So there has been a shift away
from computer science towards computer engineering, which in
some ways is encouraging, because it does encourage people to
now start thinking about information technology as a technology
that is woven into the fiber of our everyday life and into our
societal scale systems.
But other disturbing trends are that the percentage of
women that are coming into electrical and computer engineering,
we have actually given up the advances that we made in the mid-
1990s in the last 4 or 5 years. That indeed is subject for
concern; so also with other segments of the population. So at
Berkeley, we have actually started going out and visiting high
schools to try to get them thinking about cybersecurity already
in high school, and certainly in Oakland and San Jose and all
of the neighboring schools. So your remarks are really on
target for our priorities.
Mr. Etheridge. Thank you, sir. I see that I am out of time.
But I would be intrigued, because I think it is important in
every area of industry as well.
Mr. Bellovin. I don't have anything to add on that.
Mr. Wolf. I was just going to comment on our outreach
program to educational institutions. We have the Centers of
Excellence. We have 15 universities have an IA curriculum. We
work with the service academies. We are currently starting to
do some things at the community college level, sort of what you
were saying in terms of kind of moving up through the lower
levels up through the universities. We clearly need to make
more people aware of IA in terms of things that need to be
done.
Mr. Etheridge. Thank you.
Mr. Thornberry. Thank the gentleman.
The gentlelady from the Virgin Islands, Dr. Christensen.
Mrs. Christensen. Thank you, Mr. Chairman. I don't expect
that--I want to thank you for this hearing as well. I am
becoming better informed on the area of cybersecurity, although
I am still far from being an expert. My questions are going to
be a little different.
Dr. Sastry, in your testimony, you talked about whether the
Federal Government would play the role of market maker and
asked was there sufficient demand to stimulate new companies
around ideas. It would seem to me that a fairly sizable demand
would be in the private sector, and incorporations for security
and for cybersecurity.
We recently did Bioshield to encourage and expedite the
development of countermeasures for bioterrorism agents, which
will involve a significant expenditure on the Federal
Government's part. Do you foresee in the area of cybersecurity
that the Federal Government would have to provide most of the
funding, or do you see that there is really a sufficient demand
in the private sector that there would be more cost-sharing on
the private side, and there would seem more diverse use, other
than for homeland security, for government use in these kind of
products?
Mr. Sastry. Thank you very much for your question. I think
that the big market, of course, is in the private sector. And
the big market is in the infrastructures which are certainly
not owned by the Federal Government, which are privately owned.
The question, of course, has been about jump-starting this
market. So, just to give you an example, there has been a big
buzz in the venture community about investing in security for
the last 2 years. But, on the other hand, a number of the
portfolio companies that come out of the venture community
actually have not had a stream of revenue in secure products.
So our sense is that since the Department of Homeland Security
itself is committed to, in its Border and Security
Directorates, IAIP Directorates and the Emergency Protection
Directorates, to buy secure products, our sense is that having
this--having this sort of as a badge to distinguish these
products will actually jump-start the market in the private
sector.
I think my own expectation is that that would not--it is
not something that one ought to or perhaps could subsidize. On
the other hand, I think that if one--when I said a market
maker, it was just a question of jump-starting the market by
adopting certain sets of secure products in the beginning.
I think the same--and the model, again, is a little bit
like the DOD model. So the Internet actually grew from the
ARPANET being used for certain DOD applications, and then sort
of everybody else sort of jumped onto it, and so also for high-
performance computing, which resulted in PCs. So that is sort
of the market-maker analogy that I was using.
Mr. Bellovin. I would agree that much of the funding and
energy has to come from industry. The Government's role is to
create the appropriate incentives. If you look at the history
of, say, cryptography, there is 100 to 150 years' worth of
experience of people saying, I have got a really cryptographic
solution and then going bankrupt because nobody wanted to buy
it, because they didn't appreciate that they actually needed
this technology.
We are sometimes seeing the same thing in the computer
security community today. There are solutions that have not
been adopted by corporations that don't perceive the threat. It
is only in the last few years that more than, say, the
financial community and the military have really begun to
realize that there is a real threat out there, and a real
market.
I note in the last year or so Microsoft has finally gotten
religion about security and started to take some very admirable
projects and efforts, from what I have heard, internally, doing
a very nice job. But it is going to take years for this to have
an effect. But the real question, and this is the role for
government, is to create incentives for corporations and
government agencies to start thinking about security when they
design systems and when they procure systems, creating the
incentives for them to do so. That is a difficult problem, but
that is a role for government.
Mr. Wolf. I would agree with some of the things that have
been said so far, but I would sort of focus a little bit on the
global IT, the amount that is being spent in the U.S.
Government on IT, the amount that is being spent on information
assurance kinds of products.
Mrs. Christensen. Can I just interrupt your answer to just
add, that I understand that less than 1 percent of the science
and the technology budget, or about $80 million, is being
directed to cybersecurity and R&D. Is that adequate? Could you
also--.
Mr. Wolf. I am sorry. Say that again.
Mrs. Christensen. I understand that about $80 million is
directed to cybersecurity R&D in the Science and Technology
Directorate budget. It seems like you were going to talk about
the amount of government spending. This is in the Department of
Homeland Security.
Mr. Wolf. Okay. I am not--
Mrs. Christensen. Could you also respond to whether that is
adequate?
Mr. Wolf. I think we need to be spending more money in
research really and in cybersecurity. I think there is a lot
more things. I think we are underfunded in many areas.
The comment that I was going to make is that, you know, we
have tried to move from a demand--or a supply side to a demand;
that customers are educated in terms of information assurance,
in terms of cybersecurity, and they are looking for products
and demanding products, that they actually need them.
That is one piece. The other piece is the idea of maybe
looking at insurance. If you look at a facility in terms of you
evaluated it, is it certified, and then there is an insurance
break that goes along with the corporation that, quote, has
good system administrators, they have gone through some
certification process, you have a reasonable architecture, that
is a way in terms of--rather than overregulating or enforcing
standards--that you indirectly, okay--you can create more of a
demand for the products.
Mrs. Christensen. Thank you.
Thank you, Mr. Chairman.
Mr. Thornberry. Thank the gentlelady.
The gentleman from Kentucky Mr. Lucas.
Mr. Lucas. Thank you, Mr. Chairman.
This is a hypothetical, sort of a holistic, big picture
question. I would ask each of you to comment on this. Let's
assume for the moment that you have been put in charge of
cybersecurity for the Federal Government, Homeland Security,
and have you been asked to prepare a budget for that job, to do
an adequate job, and that you submit this budget, and you get a
third of that budget, one-third of the money that you think you
need. I would ask you how would you prioritize what you would
spend that money on, if you only got a third of the resources
that you felt you needed to do the job. I would like for each
of you to answer that.
Mr. Bellovin. Well, if you are talking about operational
networks, I would first put money into systems administration,
because, as we said, 90 percent of the attacks are from known
holes that haven't been patched. That would be my first
priority, to improve the resources for system administration
and what they need to do the job. Past that, for research
funding, I would start to focus on composition of secure system
development.
Mr. Sastry. I understood your question to be about research
money. Of course, for the operational aspects, I would fully
agree with getting systems administration to the fore and
empowering systems administrators to be more involved in
decision-making.
For the research money, the way I see it, it is sort of a
world of networks and systems. One has got to protect the
systems of the computers, the networks on top of it, and then
finally coalitions of systems on top of it. So I think that if
the research money was cut in a third, I would make sure that
there was coverage at every one of those levels, at the level
of individual systems, at the level of networks, and then, of
course, at coalitions, of groups of users.
Having said that, I think then the question about a few
areas to invest in, I think there the notion of how you build
complicated systems which are trustable from pieces that can be
trusted, which is the composition that we keep coming back to,
needs to cut across all of these layers. Then I think the human
computer interaction question that Mr. Ethridge raised, I think
that is equally important to me.
And finally, the third thing I would do would be the test
beds to make sure that the research got out to companies that
could then sort of produce product.
So those are sort of a matrix. I would make sure that the
network systems are all populated, and then the three areas--
those would be my three pet areas.
Mr. Wolf. I would start, I agree with the operational
aspects, to make sure that your operational pieces were secure.
So it is the system administrators, it is the patches, it is
the kinds of things that we have talked about so far.
The second area that I think I would look at would be sort
of my--I will call it my infrastructure. Given that I only have
a third of the budget that I need, I would look at my
infrastructure and try to build an infrastructure that I could
then build on in the future, so--as you get your funding for
the following years. So, if you want to call it--maybe it is
the--I won't say the key management infrastructure, but it is
the PKI, it is the kind of things that you could then build
tools and techniques and products and services on in future
years. That would be my second area.
And the third, I think that I would take a step back, and I
would look at all of my systems, my networks, my--whatever my
operation is, and I would try to identify what are the most--I
will call them the critical areas and apply the dollars to
those as maybe the third venture there.
And, of course, I would also put a piece to research,
because I think a lot of times we are very short-sighted when
funds are cut--I worked for the government for many years--that
we tend to cut the research piece. If you tend to favor the
operational piece, but the research piece is your investment in
the future. If you don't put dollars towards that, then 5 years
from now you will be dead in the water.
Mr. Lucas. Thank you very much, Mr. Chairman. We have got a
vote coming up, so I will stop there.
Mr. Thornberry. The Chair appreciates the gentleman.
Does the gentlelady from Texas have questions she would
like to ask?
Ms. Jackson-Lee. Thank you very much to the Chairman and
the Ranking Member for holding this hearing.
Mr. Chairman, I ask unanimous consent that my statement be
submitted into the record.
Mr. Thornberry. Without objection.
Ms. Jackson-Lee. I appreciate the testimony of the
witnesses and their indulgence. I am in a Science Committee
mark-up that is going on simultaneously, and so I thank you
very much for your patience.
I just want to focus in one area very quickly. We do have
votes on. That is the need for the prominence of cybersecurity
issues under the Department of Homeland Security. And what we
have noted is that the funding has not been where we would like
it to be. A Director has not yet been appointed. It all
suggests that we need to refocus our attention on this area.
So if you would answer these questions quickly, I would
appreciate it. One, my understanding is, or my sense, that as
we are going into the 21st century, Y2K we were all focused on
what technology, Internet, could do to this Nation. Literally
we were in a panic about it being able to stop us in our
tracks. After 9/11 we began to focus on some very real concerns
about security.
I don't know where we placed the need and the focus of
security in this instance, cybersecurity, inasmuch as we are
still in the same boat, that the--the attack on our security
infrastructure, our technology infrastructure could bring this
Nation to its knees. So my question to you is have we focused
enough?
The second part of it, with respect to research, have we
expanded it enough? I believe we should start expanding our
reach to universities around the Nation, research entities
around the Nation, and as well make sure we include Hispanic-
serving institutions, historically black institutions, Native
American-focused institutions, and others in areas that can
address the questions of urban and rural security as relates to
technology.
And if you would answer those questions, I would appreciate
it very much. And I thank the gentlemen for their testimony.
Mr. Sastry. You have certainly hit the issues that are most
important to the research community. Our sense, too, is that it
would be useful to have a focused Federal effort in
cybersecurity research, and a focused effort which, in fact,
involves groups of institutions across the length and breadth
of the Nation.
There is a very, very substantial educational agenda, and
the educational agenda does indeed need to reach out to every
corner, as you have correctly pointed out. I am in complete
agreement.
Now, the questions about--I do believe that DHS and HSARPA
could be the place where cybersecurity research could be given
marquis status and then be adequately funded and adequately
managed. And I felt that the DARPA model was actually a pretty
effective model for doing this. The Defense Advance Research
Projects Agency, the DARPA model, was an executive model for
managing--this is HSARPA.
Ms. Jackson-Lee. You would encourage the creations of
consortiums with joint working relationships with universities
around the Nation?
Mr. Sastry. Right. The coalitions, of course, could be
created by the institutions themselves, or in the form of
research programs in the DARPA model where you actually bring
institutions together, and a program manager, a Federal program
manager then sort of builds the bridges between those
institutions.
Ms. Jackson-Lee. Do you see the need also for enhancing
experts within the minority communities, because we are
certainly limited in the Ph.D. candidates and Ph.D. graduates
from those communities?
Mr. Sastry. That is absolutely true. And that is true all
the way from the high school level up all of the way through
the graduate programs and the faculty as well.
Ms. Jackson-Lee. Anyone else?
Mr. Bellovin. A national research counsel panel I was on
noted that--concluded that today there probably could not be a
massive disaster caused by a pure cyberattack, something close
to the scale of 9/11. It doesn't mean it can't happen in the
future. As we become more networked, as industrial processes,
so-called SCADA systems, controlled power lines and industrial
processes and so on, as things become more networked, the
danger will increase. We have a few years before we are there.
We need to take precautions right now.
And I would note that everybody's computers can be
leveraged for launching attacks. There has been reports in the
papers in the last few weeks about personal computers being
hacked to serve spammers and pornographers and so on, which
means that anybody's computer in every sector of the society,
we need to learn how to secure these. And individuals need to
learn how to protect things, too.
Ms. Jackson-Lee. Thank you.
Mr. Wolf. There is a long list of research topics that need
to be done, and clearly we need to leverage everybody in terms
of working on those topics. So the idea of having some sort of
coordinated effort in terms of where research--who is doing
what I think is needed. We have done a lot of outreach recently
with DARPA, NSF, academics, et cetera, to try to understand
where research is being done to leverage all of that.
Second, we are going out to the academic institutions with
our list to try to get some help in terms of doing the
research, and that is all universities that are out there.
And your other comment about the--sort of the threat. I am
not sure we really understand the threat in terms of how
serious an attack on the infrastructure of the U.S. could be. I
think there needs to be some focus on that.
Ms. Jackson-Lee. Thank you.
Thank you, Mr. Chairman.
Mr. Thornberry. I thank the gentlelady.
As the witnesses know, we do have votes on. I am not going
to ask you to stay during these votes. So, with each of your
permission, what I would like to do is submit some additional
questions in writing to you. I think there are a number of
areas that you have touched on that I want to follow up,
including this whole software verification issue, this issue of
translating research into the real world, which I think is a
major, important issue. The whole human factors things that you
all have talked about, about government research and how it
affects the private market, you don't have to write those down,
we will send those to you in writing.
Mr. Thornberry. But needless to say, you all have touched
on a number of things that have been very helpful to us. I want
to thank each of you for taking the time to be here and to be
with us today, and with that, this hearing stands adjourned.
[Whereupon, at 11:45 a.m., the subcommittee was adjourned.]
�