[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



                             CYBER SECURITY
                        RESEARCH AND DEVELOPMENT

=======================================================================

                                HEARING

                               BEFORE THE

                          COMMITTEE ON SCIENCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 14, 2003

                               __________

                           Serial No. 108-17

                               __________

            Printed for the use of the Committee on Science


     Available via the World Wide Web: http://www.house.gov/science



86-992              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                                 ______

                          COMMITTEE ON SCIENCE

             HON. SHERWOOD L. BOEHLERT, New York, Chairman
LAMAR S. SMITH, Texas                RALPH M. HALL, Texas
CURT WELDON, Pennsylvania            BART GORDON, Tennessee
DANA ROHRABACHER, California         JERRY F. COSTELLO, Illinois
JOE BARTON, Texas                    EDDIE BERNICE JOHNSON, Texas
KEN CALVERT, California              LYNN C. WOOLSEY, California
NICK SMITH, Michigan                 NICK LAMPSON, Texas
ROSCOE G. BARTLETT, Maryland         JOHN B. LARSON, Connecticut
VERNON J. EHLERS, Michigan           MARK UDALL, Colorado
GIL GUTKNECHT, Minnesota             DAVID WU, Oregon
GEORGE R. NETHERCUTT, JR.,           MICHAEL M. HONDA, California
    Washington                       CHRIS BELL, Texas
FRANK D. LUCAS, Oklahoma             BRAD MILLER, North Carolina
JUDY BIGGERT, Illinois               LINCOLN DAVIS, Tennessee
WAYNE T. GILCHREST, Maryland         SHEILA JACKSON LEE, Texas
W. TODD AKIN, Missouri               ZOE LOFGREN, California
TIMOTHY V. JOHNSON, Illinois         BRAD SHERMAN, California
MELISSA A. HART, Pennsylvania        BRIAN BAIRD, Washington
JOHN SULLIVAN, Oklahoma              DENNIS MOORE, Kansas
J. RANDY FORBES, Virginia            ANTHONY D. WEINER, New York
PHIL GINGREY, Georgia                JIM MATHESON, Utah
ROB BISHOP, Utah                     DENNIS A. CARDOZA, California
MICHAEL C. BURGESS, Texas            VACANCY
JO BONNER, Alabama
TOM FEENEY, Florida
VACANCY
                            C O N T E N T S

                              May 14, 2003

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Sherwood L. Boehlert, Chairman, 
  Committee on Science, U.S. House of Representatives............     9
    Written Statement............................................     9

Statement by Representative Ralph M. Hall, Minority Ranking 
  Member, Committee on Science, U.S. House of Representatives....    10
    Written Statement............................................    10

Prepared Statement by Representative Nick Smith, Chairman, 
  Subcommittee on Research, Committee on Science, U.S. House of 
  Representatives................................................    11

Prepared Statement by Representative Jerry F. Costello, Member, 
  Committee on Science, U.S. House of Representatives............    12

Prepared Statement by Representative Eddie Bernice Johnson, 
  Member, Committee on Science, U.S. House of Representatives....    12

Prepared Statement by Representative Sheila Jackson Lee, Member, 
  Committee on Science, U.S. House of Representatives............    13

                               Witnesses:

Dr. Charles E. McQueary, Under Secretary for Science and 
  Technology, Department of Homeland Security
    Oral Statement...............................................    15
    Written Statement............................................    18
    Biography....................................................    21

Dr. Rita R. Colwell, Director, National Science Foundation
    Oral Statement...............................................    21
    Written Statement............................................    23
    Biography....................................................    27

Dr. Arden L. Bement, Jr., Director, National Institute of 
  Standards and Technology, Technology Administration, U.S. 
  Department of Commerce
    Oral Statement...............................................    27
    Written Statement............................................    29
    Biography....................................................    34

Dr. Anthony J. Tether, Director, Defense Advanced Research 
  Projects Agency
    Oral Statement...............................................    35
    Written Statement............................................    38
    Biography....................................................    41

Discussion.......................................................    42

             Appendix 1: Answers to Post-Hearing Questions

Dr. Charles E. McQueary, Under Secretary for Science and 
  Technology, Department of Homeland Security....................    72

Dr. Rita R. Colwell, Director, National Science Foundation.......    76

Dr. Arden L. Bement, Jr., Director, National Institute of 
  Standards and Technology, Technology Administration, U.S. 
  Department of Commerce.........................................    81

             Appendix 2: Additional Material for the Record

Letter from the Information Security and Privacy Advisory Board 
  to The Honorable Mitchell E. Daniels, Jr., Director, Office of 
  Management and Budget, dated April 8, 2003.....................    86

Current Activities of the National Institute of Standards and 
  Technology in Cyber Security and Related Programs..............    89

Public Law 107-305--Nov. 27, 2002................................    97

 
                CYBER SECURITY RESEARCH AND DEVELOPMENT

                              ----------                              


                        WEDNESDAY, MAY 14, 2003

                  House of Representatives,
                                      Committee on Science,
                                                    Washington, DC.

    The Committee met, pursuant to call, at 10 a.m., in Room 
2318 of the Rayburn House Office Building, Hon. Sherwood L. 
Boehlert (Chairman of the Committee) presiding.



                            HEARING CHARTER

                          COMMITTEE ON SCIENCE

                     U.S. HOUSE OF REPRESENTATIVES

                             Cyber Security

                        Research and Development

                        WEDNESDAY, MAY 14, 2003
                         10:00 A.M.-12:00 P.M.
                   2318 RAYBURN HOUSE OFFICE BUILDING

1. Purpose

    On Wednesday, May 14, 2003, the House Science Committee will hold a 
hearing to examine federal cyber security research and development 
(R&D) activities and implementation of last year's Cyber Security 
Research and Development Act (P.L. 107-305).

2. Witnesses

Dr. Charles E. McQueary is the Under Secretary for Science and 
Technology at the Department of Homeland Security. Prior to joining the 
Department, Dr. McQueary served as President of General Dynamics 
Advanced Technology systems, and as President and Vice President of 
business units for AT&T, Lucent Technologies, and as a Director for 
AT&T Bell Laboratories.

Dr. Rita R. Colwell is the Director of the National Science Foundation 
(NSF). Before joining the Foundation, Dr. Colwell served as President 
of the University of Maryland Biotechnology Institute and Professor of 
Microbiology at the University Maryland. She was also a member of the 
National Science Board from 1984 to 1990.

Dr. Arden L. Bement, Jr. is the Director of the National Institute of 
Standards and Technology (NIST). Prior to his appointment as NIST 
director, Dr. Bement was professor and head at the School of Nuclear 
Engineering at Purdue University. Before Purdue, he served in a variety 
of positions, including Vice President of Technical Resources and of 
Science and Technology for TRW Inc. and Deputy Under Secretary of 
Defense for Research and Engineering. Dr. Bement has also served as a 
member of the National Science Board and as chair of the NIST Visiting 
Committee on Advanced Technology.

Dr. Anthony J. Tether is the Director of the Defense Advanced Research 
Projects Agency (DARPA). Until his appointment as Director of DARPA, 
Dr. Tether held the position of Chief Executive Officer and President 
of The Sequoia Group. He has also been Chief Executive Officer for 
Dynamics Technology Inc. and Vice President of Science Applications 
International Corporation's (SAIC) Advanced Technology Sector. Dr. 
Tether has served on Army and Defense Science Boards.

3. Overarching Questions

    The hearing will address the following overarching questions:

        1. What is the current status of federally-supported cyber 
        security research and development programs in the United 
        States? What level and types of effort are needed to meet 
        existing and emerging cyber terrorism threats?

        2. How are cyber security research and development activities 
        coordinated among federal agencies? How are gaps in the 
        research portfolio identified and filled? How will the new 
        Department of Homeland Security affect the coordination 
        process? How will it change the overall portfolio of programs?

        3. What efforts are being made to develop a strong cyber 
        security workforce and to establish and expand university 
        educational and research programs relevant to cyber security?

        4. How do the federal agencies work with industry on cyber 
        security research and development efforts?

4. Brief Overview

         Information technology systems underpin key 
        industries such as telecommunications and financial services, 
        and also play a vital role in the smooth functioning of 
        critical infrastructures and services, such as transportation 
        systems, the electric power grid, and emergency response 
        capabilities. As the number of ways in which our economy 
        depends on network and computer systems has grown, so has the 
        number of attacks on these information technology systems. For 
        example, the number of incidents reported to the computer 
        security incident response center at Carnegie Mellon University 
        increased 275% from 2000 to 2002, and over 42,000 incidents 
        have already been reported in 2003.

         Active research and development programs to produce 
        new cyber security tools and techniques are necessary to enable 
        us to maintain the performance of important networks and 
        systems and improve our ability to defend against cyber and 
        physical terrorism. Currently, cyber security research and 
        development is supported and performed at a variety of federal 
        agencies, including the National Science Foundation (NSF), the 
        National Institute of Standards and Technology (NIST), and the 
        Defense Advanced Research Projects Agency (DARPA). Within the 
        new Department of Homeland Security, the Science and Technology 
        Directorate will have responsibility for managing research and 
        development programs relevant to cyber security.

         In November of 2002, the President signed the Cyber 
        Security Research and Development Act (P.L. 107-305), which 
        authorized appropriations for the National Science Foundation 
        and the National Institute of Standards and Technology to 
        strengthen their programs in computer and network security 
        (CNS) research and development and to support CNS research 
        fellowships and training programs. However, FY 2003 
        appropriations and FY 2004 proposed funding are significantly 
        below the authorized levels.

         New hardware and software technologies are rapidly 
        adopted in many industries and new ways of interfering with 
        computer systems develop just as fast. Multiple federal 
        agencies will need to coordinate their efforts to ensure that 
        new understanding of information and network security is 
        generated and that this knowledge is transitioned into useful 
        cyber security products. Institutions of higher education will 
        have develop and expand degree programs to ensure that an 
        adequate workforce exists to put the new tools and techniques 
        into practice. The private sector has a critical role to play, 
        as it will contain the developers and suppliers as well as the 
        major purchasers of new cyber security technologies and 
        services.

5. Background

Cyber Threats to Critical Infrastructures
    Information technology systems underpin key industries such as 
telecommunications and financial services, and also play a vital role 
in the smooth functioning of critical infrastructures and services, 
such as transportation systems, the electric power grid, and emergency 
response capabilities. Remote operation of chemical plant functions and 
management of the aircraft control system also depend on software and 
computer networks. Thus vulnerabilities in various components of 
networks and computers could be exploited to disrupt and damage these 
critical systems. For example, distributed denial of service attacks 
could slow Internet traffic and bring down important web sites. Cyber 
attacks on supervisory control and data acquisition (SCADA) systems 
could shut down power plants or disrupt processes at chemical 
manufacturing facilities. Interference with emergency responder 
communications technology could amplify the effects of a physical 
terrorist attack.
    The vulnerability of the Nation's information technology 
infrastructure has been demonstrated many times in the past several 
years. ``Hackers'' are arrested for breaking into computer systems to 
steal and corrupt data, or just to disrupt government or industry 
services. Major ``infections'' of computer viruses and worms\1\ make 
the news, and smaller ``outbreaks'' occur daily.\2\ While the impact on 
physical systems has been minimal to date, the economic impact of 
successful attacks can be significant. For example, in 2001, the Code 
Red and Nimda worms spread through e-mail, corporate networks, and Web 
browsers. Together, they are estimated to have produced $3 billion in 
costs worldwide due to lost productivity and expenses related to 
testing, cleaning, and deploying patches to computer systems. In 
January of 2003, the Slammer (or Sapphire) Worm took advantage of 
vulnerabilities in server software to generate a damaging level of 
network traffic, so Internet users experienced difficulty accessing web 
sites and sending e-mail. In addition, Bank of America automated teller 
machines were taken off line, Continental Airlines reservation computer 
systems experienced widespread problems, and an emergency call center 
in Seattle was essentially blacked out. Thus developing new defenses is 
critical to ensure that small weaknesses are not exploited to produce 
major economic consequences.
---------------------------------------------------------------------------
    \1\ A computer virus is a program or piece of code that is loaded 
onto your computer without your knowledge and runs against your wishes. 
Viruses can also replicate themselves. They are often capable of 
attaching themselves to other files or e-mail and transmitting 
themselves across networks and bypassing security systems. Some of the 
destructive things that viruses can do include deleting or corrupting 
files and using all the available memory on a system (thereby bringing 
the system to a halt). A worm is a special type of virus that can 
replicate itself and use memory, but cannot attach itself to other 
programs.
    \2\ In 2002, 82,094 incidents were reported to the CERT 
Coordination Center at Carnegie Mellon University, up 275% from 2000. 
Also in 2002, the center published 41 security alerts and handled over 
200,000 mail messages and over 800 hotline calls.
---------------------------------------------------------------------------
    The above examples show how a terrorist could target computer 
systems or networks and create a great deal of disruption and damage. 
However, terrorists could also use information technology systems to 
amplify the effects of a physical attack on people or property. For 
example, a terrorist planning to release a chemical or biological agent 
could first send an e-mail that appears to be from a trustworthy source 
(a police department or a news agency) to order or urge evacuation of 
buildings in order to increase the number of people out in the streets 
when he spreads his toxin. Cyber attacks could also be used to 
interfere with first responder communication and coordination systems, 
hindering the ability to respond to a crisis. Thus protection of 
information systems is a critical part of homeland defense.
    The National Strategy to Secure Cyberspace was released by the 
Administration in February 2003. It includes a number of 
recommendations to improve the Nation's cyber security now, both in 
federal systems and in privately-owned infrastructures. Currently the 
Federal Government's effort to deploy cyber security tools and 
techniques (the ``operational'' cyber security programs) are scattered 
over many agencies. The National Institute of Standards and Technology 
provides guidance and tools to federal agencies and to private industry 
that enable them to evaluate their cyber security needs and the 
performance of their security systems. The National Security Agency has 
significant programs in encryption. The Department of Homeland Security 
will have significant responsibilities in this area, both in new 
programs in its Information Analysis and Infrastructure Protection 
directorate, and in programs that are being transferred in, like the 
Federal Computer Incident Response Center (FedCIRC), which provides 
civilian agencies and departments with offerings in computer security 
incident prevention, reporting, analysis, and recovery. There are also 
private organizations, such as the federally-funded CERT Coordination 
Center at Carnegie Mellon University,\3\ whose activities include 
providing technical advice about and coordinating responses to security 
incidents, publishing security alerts, and tracking information about 
vulnerabilities and intruder activities.
---------------------------------------------------------------------------
    \3\ While ``CERT'' originally stood for ``Computer Emergency 
Response Team,'' today the center's name is officially just ``CERT.''
---------------------------------------------------------------------------
The Need for Cyber Security Research and Development Programs
    In addition to discussing ways to reduce cyber infrastructure 
vulnerabilities now, The National Strategy to Secure Cyberspace also 
emphasizes the importance of developing and carrying out a cyber 
security research and development agenda for the Federal Government.
    Cyber security research and development programs focus on ways to 
prevent attacks, to detect them as they are occurring, to respond to 
them effectively, to mitigate the severity of their effects, to recover 
as quickly as possible from them, and to find the people responsible. 
In addition to enabling us to avoid damage from cyber terrorism, a 
greater understanding of the weaknesses in computer systems and 
networks and how to protect them will allow computer operators to 
deflect the actions of cyber criminals--out to steal credit card 
numbers and personal information--and hackers--out to disrupt and 
destroy for the fun of it.
    In March 2003, the National Academy of Science released Information 
Technology for Counterterrorism: Immediate Actions and Future 
Possibilities. This report outlines an extensive research agenda for 
information technology research in many areas. In the information and 
network security field, the areas of emphasis are: authentication 
(determining that a system's users are those with permission to use 
it), detection (being aware that an attack, or attempted attack, is 
occurring), containment (mitigating the effects of an attack), and 
recovery (getting the system back up and functioning after an attack). 
The report also lists a number of research areas in which advances will 
impact all facets of the effort to improve cyber security. These areas 
include reducing the ``bugginess'' of software, managing the trade-offs 
between security and functionality more successfully, and gathering 
information on new and emerging techniques for cyber attacks.
Existing Federal Cyber Security Research and Development Programs
    The National Science Foundation (NSF) and the National Institute of 
Standards and Technology (NIST) currently have active cyber security-
related programs. To support and expand these programs, the Cyber 
Security Research and Development Act was signed in November 2002. 
Under this Act, NSF was authorized to expand its computer and network 
security grants programs and establish new research centers in this 
area and to provide grants to institutes of higher education and 
provide fellowships to students to increase the number of people 
receiving degrees in this area. NIST was authorized to create new 
program grants for partnerships between academia and industry, new 
post-doctoral fellowships, and a new program to encourage senior 
researchers in other fields to work on computer security. The Act 
authorizes $903 million over five years for these new programs, to 
ensure that the U.S. is better prepared to prevent and combat terrorist 
attacks on private and government computers. Specifically, for FY 2004, 
$110.25 million was authorized for NSF, and $47.29 million for NIST, to 
enable them to carry out the above programs. However, actual 
appropriations in FY 2003 and the presidential proposals for FY 2004 
both fall far short of the authorized numbers.\4\ As a result, NIST 
will be entirely unable to establish the grants program for academic-
industrial research partnerships, and NSF's grants programs will be 
significantly smaller than those envisioned in the Act.
---------------------------------------------------------------------------
    \4\ For example, NSF cyber security research programs received $28 
million in FY 2003 (as compared to $47 million authorized in this 
area), and the FY 2004 proposal is for $35 million (authorization was 
$64 million).
---------------------------------------------------------------------------
    The Department of Homeland Security is currently setting up its 
organizational structure and defining its programmatic priorities for 
FY 2003 and FY 2004. In the department, responsibility for managing 
research and development efforts relevant to cyber security rests in 
the Science and Technology directorate, while operational 
responsibilities for implementing cyber security fall in the 
Information Analysis and Infrastructure Protection directorate. Public 
statements have been made indicating that there will be no ``box'' in 
the organization with specific responsibility for cyber security in 
either the operational or research arenas. Operationally, programs to 
secure the cyber infrastructure will be an element of the broader 
critical infrastructure protection efforts. In the Science and 
Technology directorate, cyber security research and development 
programs will be part of the Threat and Vulnerability, Testing and 
Assessment program, and will focus on meeting critical needs of other 
DHS units, such as the Information Analysis and Infrastructure 
Protection directorate and the U.S. Secret Service. Less than 1 percent 
of the Science and Technology directorate's $803 million budget will be 
directed toward cyber security research and development. The absence of 
a clear advocate for cyber security at the Department is of particular 
concern in light of the Administration's decision in February 2003 to 
eliminate the President's Critical Infrastructure Protection Board. The 
Board, which was established after the attacks of September 11, 2001, 
authored The National Strategy to Secure Cyberspace and the Board's 
director, Richard Clarke, did much to raise the level of awareness 
about the vulnerabilities of the Nation's cyber infrastructure and the 
need for improved cyber security.
    The Defense Advanced Research Projects Agency (DARPA) has played a 
critical role in information technology research, including cyber 
security programs. The first firewall,\5\ significant advances in 
intrusion detection systems, and important Internet security protocols 
were all developed through DARPA programs. In the late 1990's, the 
agency made a large investment in ``defensive'' information warfare, 
which included unclassified research on computer systems' security and 
survivability. However, DARPA does not have a history of sustained, 
stable support of cyber security research and development programs, 
and, since 2000, the size of this program has declined (from 
approximately $90 million in 2000 to $30 million in 2003). Part of this 
decline is due to the fact that DARPA's focus has shifted to classified 
research on ``offensive'' information warfare. Classified research on 
information security is also done by the National Security Agency 
(NSA). NSA's funding for information assurance work is estimated to be 
roughly $750 million, with roughly half spent on research, development, 
testing, and evaluation; a significant part of this effort focuses on 
cryptography. While defense-related work on cyber security is 
necessary, it is important to recognize that the impact such classified 
work has on the overall national cyber security is often limited 
because the research is mainly performed at government facilities and 
contractors, and the results are seldom shared publicly or transferred 
to the commercial sector.
---------------------------------------------------------------------------
    \5\ A firewall is a system designed to prevent unauthorized access 
to or from a private network. Firewalls are frequently used to prevent 
unauthorized people from accessing private networks (like those used at 
companies, universities, and government agencies) over the Internet. 
All messages (like e-mail) entering or leaving the private network pass 
through the firewall, which examines each message and blocks those that 
do not meet the specified security criteria.
---------------------------------------------------------------------------
    Overall, it is currently very difficult to determine the total 
spending on cyber security research and development programs across the 
Federal Government. Information is currently collected and reported on 
a variety of relevant areas (such as networking and information 
technology research and development), but the programs specifically 
devoted to cyber security research and development have not been pulled 
out. OSTP has indicated that agencies will be asked to quantify cyber 
security research and development funding within their FY 2005 request.
    Another factor to be considered in assessing the quality of cyber 
security operations and cyber security research in the United States is 
the critical role of the private sector in both areas. As new results 
emerge from cyber security research and development activities, 
information technology companies will have to turn new knowledge into 
new technologies and services, and industries from banking to electric 
power will have to choose to take advantage of these new capabilities. 
Therefore, federal cyber security research and development programs 
will have to consider ways to encourage technology transfer and 
facilitate technology uptake.

Workforce Issues
    Research and development goals and useful new cyber security tools 
are of no use if there are not people to carry out the research 
programs and put the new techniques into practice.\6\ The Cyber 
Security Research and Development Act, The National Strategy to Secure 
Cyberspace, and the National Academy of Sciences' report all emphasize 
the importance of expanding the relevant workforce. Recommended actions 
range from developing undergraduate and masters programs to train 
operational cyber security personnel to fellowships for post-doctoral 
and senior scientists and engineers to increase participation in 
information security research programs. Current programs in this area 
are quite small. The National Science Foundation has a Cyber Security 
Scholarship for Service program ($16 million requested for FY 2004). 
This program provides scholarships to students in the fields of 
information assurance and computer security in return for a commitment 
following graduation to work for a federal agency. The Department of 
Defense started a program\7\ in 2000 to provide re-training fellowships 
for researchers and recent Ph.D.s looking to transfer into the cyber 
security field, but this program is ending in 2003. The Cyber Security 
Research and Development Act authorizes NIST to establish a senior 
research fellowship program that will be open to established 
researchers who seek to change fields into cyber security research, but 
no funds were requested for that program in FY 2004.
---------------------------------------------------------------------------
    \6\ According to NSF, only approximately seven Ph.D.s in cyber 
security are awarded each year.
    \7\ The Critical Infrastructure Protection and Information 
Assurance Fellows (CIPIAF) Program provided funds to cyber security 
principal investigators to pay post-doctoral fellows coming from non-
cyber security backgrounds.
---------------------------------------------------------------------------

6. Current Issues

    The most pressing issue in cyber security research and development 
is the underfunding of relevant programs. The NSF and NIST programs are 
well under the authorized levels. DARPA is ramping down relevant 
unclassified programs. The proposed effort in DHS is small. Yet the 
cyber infrastructure of the United States penetrates all critical 
infrastructures and forms a fundamental base of the Nation's physical 
security and economic and social stability. Significant investment in 
research and development in computer and network security will be 
needed to maintain homeland security. Delaying this investment will not 
only increase current and future vulnerabilities, but will also raise 
future cyber security expenses, from the costs associated with damage 
done by cyber attacks to the expenses of retrofitting security systems 
onto existing hardware and software.
    Each federal agency has its own mission and thus each has its own 
special role to play in cyber security research and development. Multi-
agency collaboration and a coherent cross-agency strategy are needed to 
maximize the impact of federal investment and to ensure that gaps do 
not develop in the effort to develop the tools needed to build a multi-
layer defense of the cyber infrastructure. In addition, since many 
information technology products and their implementations in critical 
infrastructures are developed and owned by the private sector, close 
communication with industry will be required. Finally, growth is needed 
in educational programs to expand research and development programs and 
to train the workforce required to implement security techniques in 
critical computer and network systems.

7. Witness Questions

    The witnesses were asked to address the following questions in 
their testimony:

Questions for Dr. Charles McQueary

         How will the cyber security research and development 
        agenda at the Department of Homeland Security be defined? Will 
        the department's science and technology directorate develop in-
        house cyber security expertise and programs? How will it 
        coordinate with the department's operational cyber security 
        programs?

         What mechanisms will the Department of Homeland 
        Security use to coordinate its cyber security research and 
        development activities with other federal agencies, such as 
        NSF, NIST, and DARPA, with active programs in this area?

         How will the department interact with cyber security 
        research and development efforts underway in industry? How will 
        it interact with university-based cyber security programs?

Questions for Dr. Rita Colwell

         What actions has the National Science Foundation 
        (NSF) taken in response to the Cyber Security Research and 
        Development Act? In particular, how is NSF fulfilling its role 
        as the lead agency for cyber security research and development 
        as specified in Section 7 of the Act?

         What are NSF's priorities in cyber security research 
        and development? How are these priorities determined?

         How does NSF coordinate its cyber security research 
        and development activities with other federal agencies?

         To what extent is NSF identifying and working to fill 
        gaps in the federal cyber security research and development 
        portfolio?

Questions for Dr. Arden Bement

         What actions has NIST taken in response to the Cyber 
        Security Research and Development Act?

         How does NIST coordinate its cyber security research 
        and development activities with other federal agencies? How 
        does NIST interact with industry on cyber security research and 
        development activities?

         What are NIST's priorities in cyber security research 
        and development? How are these priorities determined?

Questions for Dr. Anthony Tether

         How have DARPA's information assurance research and 
        development programs evolved over the past few years? Is there 
        an increased emphasis on military or offensive applications? 
        How is the balance between classified and unclassified efforts 
        changing?

         How does DARPA coordinate its cyber security research 
        and development activities with other federal agencies?

         How is information about results or technologies that 
        are applicable to the protection of commercial networks and 
        privately-owned infrastructures provided to relevant research 
        and development communities in industry and academia?

         What are DARPA's priorities in cyber security 
        research and development? How are these priorities determined?

Appendix I

    Links to referenced documents on cyber security research and 
development:

Public Law 107-305: The Cyber Security Research and Development Act 
(November 2002):
    http://frwebgate.access.gpo.gov/cgi-bin/
getdoc.cgi?dbname=107-cong-public-laws&
docid=f:publ305.107.pdf

The National Strategy to Secure Cyberspace (February 2003)
    http://www.whitehouse.gov/pcipb/

Information Technology for Counterterrorism: Immediate Actions and 
Future Possibilities, National Academy of Sciences (March 2003):
    http://bob.nap.edu/html/IT-counterterror/
    Chairman Boehlert. The hearing will come to order. It is a 
pleasure to welcome everyone here this morning for a hearing on 
a subject that has consumed the Committee over the past couple 
of years: cyber security research and development. We have been 
focused on this topic for good reason. The Nation, quite 
simply, has been under-investigating--investing woefully in 
cyber security R&D and as a result, we lack both the experts 
and the expertise we ought to have in a world that relies so 
heavily on computers and networks for the necessities of 
everyday life.
    Last year, led by this committee, Congress passed, and the 
President signed into law, two landmark bills to try to remedy 
this problem: the Cyber Security Research and Development Act 
and the Homeland Security Act. Both established new programs 
and authorized new funds for cyber security R&D.
    Today is our first chance to see what has happened as a 
result. At first blush, the answer appears to be: not nearly 
enough. Agencies have neither sought nor set aside adequate 
funding to implement the Cyber Security R&D Act. We hear 
complaints from throughout the research community that the 
Department of Homeland Security is not focusing sufficiently on 
the problem and DARPA is actually reducing its investment in 
this area.
    I am sure our witnesses today will describe positive 
actions that have been taken, and there are some, but it is 
impossible not to conclude that far more needs to be done. I 
assure you that this committee, we will continue pressing for 
more action on cyber security R&D. This hearing is only the 
beginning. We need to work together now to prevent devastating 
attacks in the future.
    I look forward to hearing from all of our witnesses, and we 
are going to do just that. And we have a very distinguished 
panel, and I think all of my colleagues should be very 
impressed with the panel.
    With that, let me introduce the distinguished Ranking 
Member from Texas, not Oklahoma, Texas, Mr. Hall.
    [The prepared statement of Mr. Boehlert follows:]

            Prepared Statement of Chairman Sherwood Boehlert

    It's a pleasure to welcome everyone here this morning for a hearing 
on a subject that has consumed the Committee over the past couple of 
years cyber security R&D.
    We've been focused on this topic for good reason. The Nation quite 
simply has been under-investing woefully in cyber security R&D, and as 
a result we lack both the experts and the expertise we ought to have in 
a world that relies so heavily on computers and networks for the 
necessities of everyday life.
    Last year, led by this Committee, Congress passed, and the 
President signed into law, two landmark bills to try to remedy this 
problem. The ``Cyber Security Research and Development Act'' and the 
``Homeland Security Act'' both established new programs and authorized 
new funds for cyber security R&D. Today is our first chance to see 
what's happened as a result.
    At first blush, the answer appears to be ``not nearly enough.'' 
Agencies have neither sought nor set aside adequate funding to 
implement the Cyber Security R&D Act. We hear complaints from 
throughout the research community that the Department of Homeland 
Security is not focusing sufficiently on the problem. And DARPA is 
actually reducing its investment in this area.
    I'm sure our witnesses today will describe positive actions that 
have been taken and there are some--but still one can only conclude 
that far more needs to be done. I assure you that this committee will 
continue pressing for more action on cyber security R&D. This hearing 
is only the beginning.
    We need to work together now to prevent devastating attacks in the 
future. I look forward to working with all our witnesses to do just 
that.
    Mr. Hall.

    Mr. Hall. You know, all my exes are in Oklahoma this 
morning.
    I want to join Chairman Boehlert in welcoming everyone to 
this morning's hearing, because first, you are selected on the 
basis of your knowledge and your service. And I know it takes 
time to get ready. It takes time to come here. It takes time to 
testify. And we appreciate the gift that you give to this 
committee, and through us, to the rest of the Congress.
    Not a day--as Chairman Boehlert has very aptly set out, not 
a day goes by without some mention of information technology in 
the news and as this information technology has become a part 
of almost every aspect of our economy and of our society. As 
this has happened, we have become familiar with the negative 
aspects of the information revolution: cyber crime. The threats 
we fear range all the way from nuisance hackers, theft and 
fraud, to the breakdown of the information infrastructure and 
everything that depends on it.
    With the events of the last few years, the security of the 
information infrastructure has received even more public 
attention. In February, the President released The National 
Strategy to Secure Cyberspace. The President's strategy 
emphasizes the need for more research efforts, and what I hope 
to learn today is the context for these research efforts and 
the amount of coordination that occurs between agencies and 
with the private sector.
    In addressing any public policy question, the first thing 
to ask is: ``What problems need to be solved?'' As was pointed 
out in a recent article in Issues in Science and Technology, 
``Cyber Security: Who's Watching the Store?'', we still lack a 
solid assessment of this threat. Despite the attention that 
cyber attacks receive in the media, there is little real data 
for estimating the size of the cyber security threat. And 
although I like a good story as much as anyone, the plural of 
anecdote is not data. Without the research to define the 
problem, I think it is difficult to determine the amount of 
money and the effort required to develop a solution to it.
    So I hope today's witnesses can tell us what they are doing 
to define the scope and size of the problem with real data. We 
can't afford to have agencies going off on their own to develop 
a cyber security program and then hope the sum will be greater 
than the parts. Because their information infrastructure is 
largely in the hands of the private sector, any effective 
research agenda must be developed with input from the industry. 
A strategy that relies on simply training personnel and then 
hoping they find jobs is not sufficient. Research efforts need 
to be focused on the real problems, so I hope our witnesses 
will tell us about the interactions with industry and 
developing research agendas.
    And I want to thank the witnesses for appearing before the 
Committee, and I look forward to their input on this issue. And 
I yield back my time.
    [The prepared statement of Mr. Hall follows:]

           Prepared Statement of Representative Ralph M. Hall

    I want to join Chairman Boehlert in welcoming everyone to this 
morning's hearing.
    Not a day goes by without some mention of information technology in 
the news. As information technologies have become a part of every 
aspect of our economy and society, we have become familiar with the 
negative aspects of the information revolution--cyber crime. The 
threats we fear range from nuisance hackers, theft and fraud, to the 
breakdown of the information infrastructure and everything that depends 
upon it.
    With events of the few years, the security of the information 
infrastructure has received even more public attention. In February, 
the President released The National Strategy to Secure Cyberspace. The 
President's strategy emphasizes the need for more research efforts. 
What I hope to learn today, is the context for these research efforts 
and the amount of coordination that occurs between agencies and with 
the private sector.
    In addressing any public policy question, the first thing to ask is 
``What problem needs to be solved?'' As was pointed out in a recent 
article in Issues in Science and Technology, ``Cyber Security: Who's 
watching the Store?'', we still lack a solid assessment of the threat. 
Despite the attention that cyber attacks receive in the media there is 
little real data for estimating the size of the cyber security threat. 
And although I like a good story as much as anyone, the plural of 
anecdote is not data. Without the research to define the problem, I 
think it's difficult to determine the amount of money and effort 
required to develop a solution. So I hope today's witnesses can tell us 
what they are doing to define the scope and size of the problem with 
real data.
    I don't believe we can simply spend our way out of this problem. 
Therefore, I'm hoping that our witnesses can tell us how they 
coordinate the development of their research programs. We can't afford 
to have agencies going off on their own to develop a cyber security 
program and then hope the sum will be greater than the parts. Because 
our information infrastructure is largely in the hands of the private 
sector, any effective research agenda must be developed with input from 
the industry. A strategy that relies on simply training personnel and 
then hoping they find jobs is not sufficient. Research efforts need to 
be focused on the real problems. So, I hope our witnesses will tell us 
about their interactions with industry in developing the research 
agendas.
    I want to thank our witnesses for appearing before the Committee 
and I look forward to their insight on this issue.

    [The prepared statement of Mr. Smith follows:]

            Prepared Statement of Representative Nick Smith

    Today we meet to examine federal efforts to address an extremely 
important--but often under-appreciated--threat to our country: the 
potentially devastating attacks on our nation's computer networks and 
infrastructure.
    Almost immediately after the September 11th attacks, the Science 
Committee held multiple hearings to examine just how vulnerable we were 
to the threat of cyber attacks. These hearings revealed that the United 
States uses more and has become more dependent on ``cyber'' than any 
other country. Technological advancements in computers, software, 
networks and information technology greatly improved our lives, but 
they also made our society more vulnerable to disruption.
    We also learned that the threat from other risks, such as computer 
viruses, hacking, and electronic identity theft, present significant 
hazards to general commerce, personal privacy, and our overall economic 
system. Finally, and in large part due to the interconnectedness of our 
technological age, we learned that physical security was permanently 
linked to cyber security. As a result, we concluded that Congress 
needed to address cyber security with the same vigilance with which we 
were addressing our physical security at home and abroad.
    So we responded to these realizations by drafting and passing into 
law the Cyber Security Research and Development Act of 2002. This 
legislation provided a comprehensive, coordinated research framework to 
address the threats to our computer systems.
    I am interested today to learn not only how the Federal Government 
is implementing the research coordination provisions of the cyber 
security bill, but also how they are working to ensure implementation 
of the technologies we now have readily available today. Although I am 
pleased that the Department of Homeland Security has requested over 
$800 million for applied research and development in its Science and 
Technology Directorate, it is not clear whether cyber security will 
receive appropriate attention within the Directorate.
    We have a very esteemed panel of agency witnesses with us here 
today, and I have many important issues to discuss with them. I look 
forward to their testimony and I am confident that Congress, the 
Administration, the university community, and the private sector will 
be able to work together to find solutions to the cyber security 
challenges facing America.

    [The prepared statement of Mr. Costello follows:]

         Prepared Statement of Representative Jerry F. Costello

    Good morning. I want to thank the witnesses for appearing before 
our committee to examine the federal cyber security research and 
development activities and implementation of the Cyber Security 
Research and Development Act (P.L. 107-305).
    The Cyber Security Research and Development Act authorized $903 
million over five years for new federal programs to ensure that the 
U.S. is better prepared to prevent and combat terrorist attacks on 
private and government computers. The legislation was developed 
following a series of post-September 11th Science Committee hearings on 
the emerging cyber-terrorist threat and the lack of a coordinated U.S. 
response. Despite this new legislative and programmatic initiative, our 
computer and communications networks, upon which the country's economic 
and critical infrastructures for finance, transportation, energy and 
water distribution, and health and emergency services depend, are still 
among the Nation's vulnerabilities. In addition, funding for FY 2003 
and proposed funding for FY 2004 is significantly below the authorized 
levels.
    As a result, valid concerns remain that the U.S. is still not 
appropriately organized and prepared to counter and respond to cyber 
security. Multiple federal agencies, as well as institutions of higher 
education and the private sector, have critical roles to play; yet, no 
enactment of or planning for the National Strategy has occurred and 
there is no evidence of coordination among agencies as they developed 
their research and development budget requests for FY 2004. The absence 
of a clear advocate for cyber security at the Department of Homeland 
Security, coupled with the Administration's decision in February 2003 
to eliminate the President's Critical Infrastructure Protection Board, 
is of particular concern. Further, I am interested to know from our 
witnesses how the Administration determines where the emphasis should 
be in cyber security and how this is reflected in the agency's budget 
requests.
    I again thank the witnesses for being with us today and providing 
testimony to our committee.

    [The prepared statement of Ms. Johnson follows:]

       Prepared Statement of Representative Eddie Bernice Johnson

    Thank you, Chairman, for calling this important hearing to examine 
federal cyber security research and development (R&D) activities and 
the Cyber Security Research and Development Act (P.L. 107-305) and I 
also want to thank our witnesses for agreeing to appear today.
    Cyber security is an emerging concept that will redefine computer 
science and engineering in our nation as we know it.
    Last February, the Administration released its long-awaited 
National Strategy to Secure Cyber Security. However, it seems that 
cyber security has slipped in importance for the Bush Administration. 
Rather than target specific industry segments and require that they 
secure themselves by recommending tough new laws and regulations, the 
Administration's plan recommends that industry and individuals simply 
take greater care.
    Overall, the new DHS's $37.7 billion budget earmarks only $3 
billion for cyber security. So the Infrastructure Protection 
directorate, one of five directorates in the DHS, appears in line for 
less than 10 percent of funds.
    To be fair, the DHS is an immense undertaking, the biggest 
government reorganization effort since the Department of Defense was 
created after World War II. Such a reorganization will require time.
    Unfortunately, the Administration does not address criticism that 
its lack of regulations render it toothless. For example, previous, 
unpublished drafts had included measures that would have forced 
Internet service providers to offer firewalls to their users and would 
have a required wireless hardware makers to improve security.
    It is very important that any plan from the Administration does an 
effective job at identifying threats. Regrettably, this plan does not 
propose to collect reliable data and perform the analysis necessary to 
define the threat. Without a reliable threat assessment, it is almost 
impossible to tailor an R&D program to meet real needs, let alone 
allocate the appropriate amount of funding to develop solutions. 
Hopefully, our witnesses today will be able to provide answers to our 
questions that will shine light on some of the short comings of the 
Administration's proposals.

    [The prepared statement of Ms. Lee follows:]

        Prepared Statement of Representative Sheila Jackson Lee

Mr. Chairman,

    Thank you for calling this extremely timely and enlightening 
hearing. I also serve on the Select Committee on Homeland Security, 
which is now several months old. Despite the continuous pressure from 
Ranking Member Turner and all of the other Democratic Members, that 
Committee--charged with providing Congressional oversight to our 
nation's domestic efforts to protect the American people--has yet to 
hold a single substantive hearing. I am glad that as usual, the Science 
Committee has risen to the challenge, to ask tough questions on 
sensitive issues.
    National security is obviously foremost on everyone's minds these 
days. As we work to improve our country's security, it is important 
that we take inventory of all systems that are vital to the functioning 
of the Nation, and do all we can to protect them. This certainly 
includes our computer networks systems that can be attacked anonymously 
and from far away. These networks are the glue that holds our nation's 
infrastructure together. An attack from cyberspace could jeopardize 
electric power grids, railways, hospitals and financial services, to 
name a few.
    We are all aware of the growing number of Internet security 
incidents. These incidents can come in many flavors: annoying attacks 
through e-mails, involving such things as computer viruses, denial of 
service attacks, and defaced web sites; or cyber crime, such as 
identity theft. Such events have disrupted business and government 
activities, and have sometimes resulted in significant recovery costs.
    Our hospitals and power grids, our communications, our 
transportation systems, are all critically dependent on computers and 
information flow and the satellites above us. A terrorist or other 
criminal tampering with those systems could devastate entire industries 
and potentially cost lives. While we have been fortunate so far in 
avoiding a catastrophic cyber attack, Richard Clarke, the President's 
cyber-terrorism czar from last year, I guess I should say ``two czars 
ago,'' said that the government must make cyber security a priority or 
face the possibility of a ``Digital Pearl Harbor.''
    This was truly a frightening prospect. It motivated me to get more 
knowledgeable and active in the area of cyber security. It motivated 
this committee, the Chairman and Ranking Member, to get busy on 
hearings and legislation. The Cyber Security Research and Development 
Act is the product of our work. Now I look forward to hearing how the 
Administration and the Agencies are stepping up the challenges that are 
before us.
    Of course here in the Science Committee, we tend to appreciate good 
Science--good data to guide smart policy. I am troubled by the fact 
that it seems we still do not have good data as to what is the scope of 
our cyber-vulnerability. We hear almost daily anecdotal reports of 
viruses, or worms, and crashes, but still do not know the true 
magnitude of the problem. We do not know how much is at risk, how much 
is being spent to protect ourselves, and what needs to spent in the 
future.
    That has led to a fairly arbitrary set of appropriations figures, 
probably considerably lower than what is needed, and probably not 
always targeted to the programs that are most likely to produce 
results. I am troubled by the Administration's FY04 budget request 
which under-funds cyber security priorities dictated by the Cyber 
Security Research and Development Act. I do not understand why NIST 
grant programs, which have been successful in the past, are being 
discarded for the near to distant future. I hear that we need to save 
money so that we can offset giant tax cuts for the rich that are 
supposed to grow our economy and create jobs.
    But what kind of economy will we have if our power grid is 
compromised, or if people are afraid to fly because the computers that 
run our air-traffic have been hacked, or if we lost the Internet 
shopping industry? We need to make smart investments now. We need to 
make sure our agencies are communicating well and covering all bases, 
and filling in security gaps.
    We are in a massive restructuring now of all of our nation's 
homeland security efforts. We cannot do this in the dark. We need 
congressional insight and oversight. We need public and private sector 
input. And we need guidance from the top, from the Administration.
    I look forward to the dialogue. Thank you.

    Chairman Boehlert. Thank you very much. For the purpose of 
an introduction, the Chair recognizes Mr. Miller of North 
Carolina.
    Mr. Miller. Thank you, Mr. Chairman. I am pleased to 
introduce Dr. Charles McQueary, who is here and I believe is a 
constituent, so--although I think as we were chatting just 
before the Committee began, have you now moved within 
Greensboro?
    Dr. McQueary. Yes, I have.
    Mr. Miller. And where do you now live?
    Dr. McQueary. I now live in the Grandover complex, which I 
believe is Congressman Coble--if I am not mistaken.
    Chairman Boehlert. The gentleman's time is expired.
    Mr. Miller. Well, I have this all prepared. I might as well 
go ahead.
    Chairman Boehlert. Please do.
    Dr. McQueary. But I still do--I do own a home in your 
district, though, as you point out, that I haven't sold it yet.
    Mr. Miller. And I will speak--I hope you will speak to 
whoever buys the home and mention my name to them. Well, my 
former constituent, Dr. McQueary, is well regarded in 
Greensboro in both the business community and in--for his civic 
work. In the private sector, he was the president of the 
General Dynamics Advanced Technology Systems. That company 
focused on electro-optic undersea systems, networking and 
decision support systems, active control systems, and signal 
processing solutions and software solutions. I am told that 
that was a good job for Dr. McQueary. He also was a respected 
member of the community for his civic leadership. He was a 
member of the Board of Trustees of North Carolina A&T, North 
Carolina State University. He was on the Guilford Technical 
Community College as President, CEO Advisory Board. He was 
chairman of Action Greensboro, a political--a public education 
initiative, and a member of the Board of Guilford County 
Education Network. He was also chairman of the Board and a 
campaign chair for the United Way of Greensboro and a member of 
the Board of the World Trade Center of North Carolina. So I am 
pleased to welcome my former constituent, Dr. McQueary.
    Dr. McQueary. Thank you.
    Chairman Boehlert. Mr. Hall was tempted to claim him for 
Texas. This is Dr. McQueary's first visit to the Committee, and 
we welcome him here. I gave you the privilege, Mr. Miller, of 
introducing----
    Mr. Hall. Mr. Chairman, we all own Dr. Colwell, though.
    Dr. Colwell. Thank you, sir.
    Chairman Boehlert. The other three witnesses are all good 
friends of long standing and have appeared many times and are 
valuable resources for the Committee, but this is your maiden 
voyage, Dr. McQueary, and we wish you smooth sailing. I avoided 
introducing you, because this committee created the position of 
Under Secretary for Science and Technology, because we thought 
it was so important. And I was so pleased that the 
Administration agreed with that and Governor Ridge did, also. 
But I wasn't sure if I was--I would be well-received in 
introducing you, because I am not sure if you want to thank me 
or shoot me right about now, because you have got a most 
demanding position. But we are glad to have you here.
    And we are always pleased to see Dr. Rita Colwell back. 
This Committee has worked long and well with you. And we are 
very proud of your outstanding accomplishments and the work of 
the National Science Foundation. And with NIST, Dr. Arden 
Bement, a good friend of long standing. We have a special 
relationship, too, and we are glad to welcome you back. And Dr. 
Tether, it is good to see you back.
    I think we should all appreciate the fact that we have four 
critically important people performing exceptional service for 
the Nation in their positions. And so we anxiously await your 
testimony. We will start with you, Dr. McQueary. You are first 
up.

   STATEMENT OF DR. CHARLES E. McQUEARY, UNDER SECRETARY FOR 
    SCIENCE AND TECHNOLOGY, DEPARTMENT OF HOMELAND SECURITY

    Dr. McQueary. Thank you. Good morning, Chairman Boehlert, 
Congressman Hall, and all Members of the Committee. It is a 
pleasure for me to accept the opportunity to be with you today 
and discuss the cyber security R&D from a Homeland Security 
perspective. It is an honor and a great responsibility to lead 
the Department of Homeland Security's scientific efforts to 
meet the challenges of securing the technology supporting our 
nation's infrastructures, loosely referred to as ``cyber''. And 
I do want to say thank you for having created this position, 
and it is an honor for me to be the first person to fill the 
position. And I do thank you for the work that this committee 
did in forming that group.
    An important mission of the Science and Technology 
Directorate is to develop and deploy leading technologies and 
capabilities so those who serve to secure the Homeland can 
perform effectively and efficiently. This Directorate will 
respond, then, to the needs and requirements in this area from 
within the Department.
    The threats to our Homeland are many. We must constantly 
monitor these threats and assess our vulnerabilities to them. 
We must develop new or improved capabilities to counter 
chemical, biological, radiological, nuclear, explosive, and 
cyber threats and mitigate the effects of terrorist attacks, 
should they occur.
    The Science and Technology Directorate's program must also 
enhance the conventional missions of the Department to protect 
and provide assistance to civilians in response to national 
disasters, law enforcement needs, and other activities. Thus, 
Science and Technology's key specific areas of emphasis are as 
follows: develop and deploy state-of-the-art, high-performance, 
low operating cost systems to prevent the illicit traffic of 
radiological and nuclear materials and weapons into and within 
the United States. The second item is to provide state-of-the-
art, high-performance, low operating cost systems to rapidly 
detect and mitigate the consequences of the release of 
biological and chemical agents. Third, provide state-of-the-
art, high-performance, low operating cost systems to detect and 
prevent illicit, high-explosive transit into and within the 
United States. Fourth, enhance the missions of all of the 
departmental operational units through targeted research, 
development, test and evaluation, and systems engineering and 
development. Fifth, develop and provide capabilities for 
protecting cyber and other critical infrastructures. The sixth 
item is to develop capabilities to prevent technology surprise 
by anticipating emerging threats. And last, develop, 
coordinate, and implement technical standards for chemical, 
biological, radiological, and nuclear countermeasures.
    This Directorate will implement its activities through 
focused portfolios that address biological, chemical, 
radiological, nuclear, and cyber threats; secondly, support the 
research and development needs of the operational units of the 
Department; and last, receive innovative input from private 
industry and academia as well as national and federal 
laboratories.
    Now allow me to specifically address the Science and 
Technology Directorate in response to cyber security concerns. 
The operational responsibility for this mission within Homeland 
Security resides with the Under Secretary for Information 
Analysis and Infrastructure Protection. The Under Secretary for 
Science and Technology carries the responsibility for ensuring 
that the necessary research, development, test and evaluation 
activities are carried out to support the IAIP mission in cyber 
security. In practice, the term ``cyber security'' is broadly 
defined within the community. S&T uses ``cyber security'' to 
mean ``securing the availability, integrity, and 
confidentiality of those services provided through technology, 
such as hardware and software systems connected to public and 
private networks that support the critical infrastructures''.
    Our approach to cyber security is essentially to apply the 
technology that supports the infrastructures. To address cyber 
security issues, we recognize that R&D efforts are one facet of 
a larger mosaic that includes elements, such as identification 
and mitigation of the threat, industry partnership and 
compliance, and physical security.
    Today, there are many cyber security R&D efforts underway 
and more yet to be established that address a range of cyber 
security issues. These represent opportunities for Science and 
Technology, our organization, to leverage existing work in 
order to address those needs and technology gaps that 
Department of Homeland Security identifies as important to 
securing the Homeland.
    We have started to work with familiarization and 
coordination across the federal sector. During the DHS 
transition and start-up period, members of the Transition Team 
began to participate in the INFOSEC Research Council. Members 
of this Council include DARPA, the NIST, and National Science 
Foundation, and it is our method of coordinating with the 
community on this topic.
    Additionally, within our staff for Homeland--for the 
Science and Technology Directorate, we have detailees from 
NIST, the Secret Service, National Science Foundation, and NSA 
to help craft a national strategy in cyber R&D that is required 
by the Homeland Security Act and to identify areas for 
investment that would be carried out by Science and Technology.
    One of the S&T's key areas of emphasis is our role in 
establishing DHS technical standards, which will establish DHS 
performance criteria for acceptable cyber security--cyber 
protection technologies. Currently, there is a Memorandum of 
Understanding nearing completion for signature between DHS and 
the technical administration of the Department of Commerce. 
This MOU is an agreement to work together to develop common 
standards to support U.S. industry and the Department of 
Homeland Security.
    As I noted earlier, it is this Directorate's role to 
support the needs and requirements of DHS and, in particular, 
those defined by the Information Analysis and Infrastructure 
Protection Directorate to provide an enduring resource and 
ensure the--to provide an enduring resource and assure that the 
necessary RDT&E activities are carried out.
    To support the IAIP mission in cyber security, we intend to 
create a DHS R&D cyber security center. The DHS R&D cyber 
security center will team with, through partnership and 
cooperation, with those representatives here at this table with 
me today. This center will provide DHS focus for R&D activities 
and leverage the many, many cyber security RDT&E efforts 
underway in the defense and intelligence, academic, and private 
laboratory communities. We see this as a critical--this is 
critical to coordinate the resources and efforts across the 
government R&D community to accelerate technical capabilities 
that address DHS priorities.
    The center will have five primary roles or functions as 
follows. The center will promote and coordinate cyber security 
research, innovation, invention, and evaluation in support of 
the DHS mission needs. It will develop strategic research and 
development programs and create testing and evaluation programs 
to address specific gaps in U.S. cyber security capabilities. 
For example, a unique feature of the center will be the 
utilization of existing or the development of new test beds 
where cyber security methods, tools, and approaches can be 
exercised in a controlled environment and evaluated against 
common, accepted standards.
    Developing the test beds and measurement performance 
standards will be an element of the center's program. It will 
provide communication and coordination among various public and 
private organizations dealing with the many diverse aspects of 
cyber security. The center will foster national and 
international cooperation in creating a robust and defensible 
cyber security infrastructure. It will support the operational 
needs of the IAIP Directorate relative to vulnerability 
assessments and new tools and methods for enhancing cyber 
security. In addition to responding to DHS research, 
development, test, and evaluation needs, the center will 
provide emergency response and reach-back capabilities to on-
call technical experts to support rapid vulnerability 
mitigation in response to cyber threats. It will cooperate with 
the National Science Foundation to foster educational programs 
and curriculum development to help ensure the Nation has the 
necessary human resources to present--who possess the requisite 
knowledge and skills to advance and secure the Nation's cyber 
infrastructure. This will be done in conjunction with 
participating universities, who will serve as a nucleus for 
creating the next generation of scientists and engineers.
    In closing, I would like to thank the Members of the 
Science Committee for the opportunity to speak with you today 
about the Science and Technology concept for addressing cyber 
security research and development. We will work hard to partner 
with the community to address the needs and requirements of DHS 
as well as those gaps that exist between the many significant 
projects already developed. S&T is determined to support the 
mission of DHS to protect the critical infrastructures of this 
nation by working to secure the technology that supports them.
    Mr. Chairman and Members of the Committee, this concludes 
my prepared remarks, and I would be happy to take any questions 
that you might have at this time.
    [The prepared statement of Dr. McQueary follows:]

               Prepared Statement of Charles E. McQueary

    Good morning Chairman Boehlert, Congressman Hall, Congressmen and 
Members of the Committee. It is a pleasure for me to accept your 
invitation to be with you today to discuss cyber security R&D. It is an 
honor and great responsibility to lead the Department of Homeland 
Security (DHS), Science and Technology Directorate's efforts to meet 
the challenges of securing the technology supporting our nation's 
information technology infrastructures, often termed ``cyber.'' An 
important mission of this Directorate is to develop and deploy leading 
technologies and capabilities so those who serve to secure the homeland 
can perform effectively and efficiently--they are my customers. This 
Directorate will respond then to the needs and requirements in this 
area from within the department.
    The threats to our homeland are many. We must constantly monitor 
these threats and assess our vulnerabilities to them; develop new or 
improved capabilities to counter chemical, biological, radiological, 
nuclear, explosive and cyber threats; and mitigate the effects of 
terrorists attacks should they occur. The Science and Technology (S&T) 
Directorate's program must also enhance all of the Department's 
missions, whether or not they are focused on the threat of terrorism.
    Throughout the initial planning process for the S&T Directorate we 
have been guided by current threat assessments, our understanding of 
capabilities that exist today or that can be expected to appear in the 
near-term, and, importantly, by the priorities spelled out in the 
President's National Strategies for Homeland Security, Physical 
Protection of Critical Infrastructures and Key Assets and to Secure 
Cyberspace.
    Thus Science and Technology's key specific areas of emphasis are 
to:

        1. Develop and deploy state-of-the-art, high-performance, low-
        operating-cost systems to prevent the illicit traffic of 
        radiological/nuclear materials and weapons into and within the 
        United States.

        2. Provide state-of-the-art, high-performance, low-operating-
        cost systems to rapidly detect and mitigate the consequences of 
        the release of biological and chemical agents.

        3. Provide state-of-the-art, high-performance, low-operating-
        cost systems to detect and prevent illicit high explosives 
        transit into and within the United States.

        4. Enhance missions of all Department operational units 
        through targeted research, development, test and evaluation, 
        and systems engineering and development.

        5. Develop and provide capabilities for protecting cyber and 
        other critical infrastructures.

        6. Develop capabilities to prevent technology-surprise by 
        anticipating emerging threats.

        7. Develop, coordinate and implement technical standards for 
        chemical, biological, radiological and nuclear countermeasures.

    We have requested $803M in FY04 to provide applied research, 
development, demonstrations, and testing of products and systems that 
address these key areas of emphasis. This directorate will implement 
its activities through focused portfolios that address biological, 
chemical, radiological and nuclear, and cyber threats; support the 
research and development needs of the operational units of the 
Department; and receive innovative input from private industry and 
academia as well as national and federal laboratories. In particular, 
the Homeland Security Advanced Research Projects Agency (HSARPA) will 
have an essential role in meeting the goals and objectives of the 
Department and the Directorate across the range of the portfolios.
    Allow me now to specifically address the Science and Technology 
Directorate (S&T) response to critical infrastructure protection 
concerns, including cyber security. Consistent with law and policy, the 
operational assistance and advisory role and responsibilities for 
certain elements of cyber security resides with the Under Secretary for 
Information Analysis and Infrastructure Protection (IAIP). The Under 
Secretary for S&T carries the responsibility for ensuring that the 
necessary research, development, test and evaluation (RDT&E) activities 
are carried out to support the IAIP mission in cyber security. In 
practice, the term ``cyber security'' is broadly defined within the 
community. S&T uses ``cyber security'' to mean securing the 
availability, integrity and confidentiality of those services provided 
through technology such as hardware and software systems, connected to 
public and private networks (i.e., voice, data and Internet Protocol 
networks) that support the critical infrastructures. Our concern with 
cyber security is essentially applied to the technology that supports 
the infrastructures. To address cyber security concerns, we recognize 
that R&D efforts are an element of a larger mosaic that includes 
elements such as identification and mitigation of the threat, industry 
partnership and compliance, and physical security.
    Today there are many cyber security R&D efforts already underway, 
and more yet to be established, that address a range of cyber security 
issues. These represent opportunities for S&T to leverage existing work 
in order to address both those needs and technology gaps for the 
Federal Government and industry as important to securing the Homeland. 
Federal gaps are identified through annual agency and Inspector General 
reports required under the Federal Information Security Management Act. 
Vulnerability assessments will also help identify federal gaps. There 
is a wide array of technologies that address many needs today not only 
in government laboratories, but also throughout the commercial sector. 
However, the existence of many hard and currently unsolved problems, 
and the changing nature of the threat, will require an ongoing research 
effort.
    We have started the work of familiarization and coordination across 
the federal sector. During the DHS transition and startup period, 
members of the transition team began to participate in the Infosec 
Research Council. Membership in this council includes DARPA, NIST and 
NSF; and it is our means of coordinating with the community on this 
topic. In addition, we have been in communication with the Office of 
Science and Technology Policy, and will be participating in the 
interagency R&D coordination activities of the National Science and 
Technology Council.
    One of S&T's key areas of emphasis is our role in establishing DHS 
technical standards, which will establish DHS performance criteria for 
acceptable cyber-protection technologies. Currently, there is a 
Memorandum of Understanding presented for signature between DHS and the 
Technology Administration at the Department of Commerce; this MOU is an 
agreement to work together to develop common standards to support U.S. 
Industry and DHS. We will work closely with NIST in this endeavor, and 
have a person on staff detailed from NIST to address cyber security 
programs and standards.
    As I noted earlier, it is this directorate's role to support the 
needs and requirements of DHS, in particular those defined by the IAIP 
Directorate. The Science and Technology directorate carries the 
responsibility for ensuring that the necessary RDT&E activities are 
carried out to support the IAIP mission in cyber security. To provide 
an enduring resource to help meet our mission and responsibilities, we 
intend to create a DHS R&D Cyber Security Center.
    The DHS Cyber Security R&D Center will team through partnership and 
cooperation with NSF and NIST. This center will provide a DHS focus for 
R&D activities and leverage the many cyber security RDT&E efforts 
underway in the defense and intelligence, academic and private 
laboratory communities. We see this as critical to coordinate the 
resources and efforts across the government R&D community to accelerate 
technical capabilities that address DHS priorities.
    The center will have five primary roles or functions, as follows:

         Promoting and coordinating cyber security research, 
        innovation, invention and evaluation in support of the DHS 
        mission needs. It will develop strategic research and 
        development programs, and create testing and evaluation 
        programs to address specific gaps in U.S. cyber security 
        capabilities. For example, a unique feature of the Center will 
        be the utilization of existing, or the development of new, test 
        beds where cyber security methods, tools, and approaches can be 
        exercised in a controlled environment and evaluated against 
        common, accepted standards. Developing the test beds and 
        measurement-performance standards will be an element of the 
        Center's program.

         Providing communication and coordination among 
        various public and private organizations dealing with the many 
        diverse aspects of cyber security. The Center will foster 
        national and international cooperation in creating a robust and 
        defensible cyber infrastructure.

         Supporting the operational needs of the IAIP 
        directorate relative to vulnerability assessments and new tools 
        and methods for enhancing cyber security.

         Cooperating with NSF to foster educational programs 
        and curriculum development to help ensure the Nation has the 
        necessary human resources who possess the requisite knowledge 
        and skills to advance and secure the Nation's cyber 
        infrastructure. This will be done in conjunction with 
        participating universities who will serve as a nucleus for 
        creating the next generation of scientists and engineers.

    Although much of the S&T portfolio will be focused on very 
difficult problems requiring extensive research, a portion of the 
program will be dedicated to addressing nearer-term problems in support 
of DHS mission requirements. In addition to establishing the center 
through FY03 funding, S&T will begin work on the following specific 
areas:

         Supporting the U.S. Secret Service National Threat 
        Assessment Center and CERT/Coordination Center at Carnegie 
        Mellon University on a comprehensive assessment of Insider 
        Threats and defense strategies.

                 The need to identify and mitigate the insider threat 
                is critical to the physical and cyber security plans of 
                the critical infrastructures of the United States.

                 Reducing the ability of inside actors to assist 
                outside threats will provide increased security to the 
                critical infrastructures of this country.

         Conducting a feasibility study for trace-back and 
        geo-location of source attack.

                 The watch and warning mission of the IAIP 
                directorate requires the ability to identify and track 
                the source location of cyber attackers.

                 This study will determine the status of currently 
                available trace-back and geographical location 
                technology, capability gaps, and potential policy 
                implications.

         Developing patch verification technology in support 
        of IAIP's patch management efforts to accelerate the speed with 
        which cyber-protection software updates are evaluated, 
        validated, and applied to civilian organizations.

                 Computer network attacks have historically exploited 
                known, published vulnerabilities. All of the infected 
                systems were without the appropriate patches in time to 
                close the vulnerabilities and ensure protection. As a 
                result, there was significant economic impact and 
                resource availability issues to the private businesses 
                that participate in the critical infrastructure of this 
                country.

                 Many times the failure to apply the patch was a 
                result of time required to test the patch against a 
                duplicate of a critical system to ensure there would be 
                no negative impact on business or government critical 
                services. The goal of this project is to provide an 
                efficient, low cost solution to this problem.

                 This study will determine the feasibility of this 
                technology and recommend potential solutions for 
                further RDT&E.

         Expanding development of technologies for detecting 
        covert threats that carry the risk of creating major disruption 
        to critical infrastructures such as financial systems before 
        they are discovered.

                 Existing intrusion and threat detection systems 
                utilizing signature based identification often provide 
                false positives or large amounts of log data so that 
                their effectiveness has diminished in the overall cyber 
                security architecture. The benefits of the next-
                generation intrusion detection system will identify and 
                categorize all intrusions regardless of the threat 
                signature.

                 This project will begin research, development, test 
                and evaluation on next generation detection systems.

         Conducting a feasibility study for the scalability 
        and technology application of Secure Border Gateway Protocol 
        and Secure Domain Name Services.

                 The Secure Border Gateway Protocol and Secure Domain 
                Name Services protocol seek to secure two vulnerable 
                protocols, on which the movement of network traffic is 
                depends.

                 This study will determine the feasibility and 
                scalability of these protocols on existing network 
                infrastructure; and make any recommendations on the 
                need for further RDT&E if required.

    We are therefore taking steps in S&T to establish key relationships 
with the major cyber security R&D organizations to provide a focus for 
DHS technology innovation and capability development in a new Center, 
and have defined initial projects in support of the Secret Service and 
IAIP near-term needs. As the IAIP Directorate begins to define its 
long-term goals and needs, we will leverage other federally funded 
activities, academia, and private industry to provide solutions.
    In closing, I would like to thank the Members of the Science 
Committee for the opportunity to speak with you today about the Science 
and Technology concept for addressing cyber security research and 
development. We will work with diligence to partner with the R&D 
community to address the needs and requirements of DHS, as well as 
those gaps that exist between the many productive projects already 
developed. S&T is determined to support the mission of DHS to protect 
the critical infrastructures of this nation by working to secure the 
technology that supports them.
    Mr. Chairman and Members of the Committee, this concludes my 
prepared statement. I would be pleased to address any questions you may 
have.

                   Biography for Charles E. McQueary

    On January 10 President Bush announced his intention to nominate 
Dr. Charles E. McQueary to be Under Secretary for Science and 
Technology.
    Most recently, Dr. McQueary served as President, General Dynamics 
Advanced Technology systems, in Greensboro, N.C., a company that 
focuses on electro-optic undersea systems, networking and decision 
support systems, active control systems, signal processing solutions 
and software solutions.
    Prior to General Dynamics, Dr. McQueary served as President and 
Vice President of business units for AT&T, Lucent Technologies, and as 
a Director for AT&T Bell Laboratories.
    In addition to his professional experience, Dr. McQueary has served 
his community in many leadership roles--as Chair of the Board, and 
Campaign Chair, of the United Way of Greensboro; Member of the Board of 
Trustees of North Carolina Agricultural and Technical (A&T) State 
University; Member of the Guilford Technical Community College (GTCC) 
President's CEO Advisory Committee; Member of Board of World Trade 
Center North Carolina; Chair for Action Greensboro Public Education 
Initiative; and as a Member of the Board of Guilford County Education 
Network.
    Dr. McQueary holds both a Ph.D. in Engineering Mechanics and an 
M.S. in Mechanical Engineering from the University of Texas, Austin. 
The University of Texas has named McQueary a Distinguished Engineering 
Graduate.

    Chairman Boehlert. Thank you very much. You are now a 
veteran testifying----
    Dr. McQueary. Thank you.
    Chairman Boehlert [continuing]. Before the Science 
Committee.
    Dr. McQueary. Thank you.
    Chairman Boehlert. Welcome back, Dr. Colwell. You are up 
next.

 STATEMENT OF DR. RITA R. COLWELL, DIRECTOR, NATIONAL SCIENCE 
                           FOUNDATION

    Dr. Colwell. Mr. Chairman and Members of the Committee, I 
appreciate the opportunity to appear before you today to 
discuss the importance of improving the security of our 
information infrastructure.
    Last November, as a result of your strong leadership, Mr. 
Chairman, Congress enacted and the President signed into law 
the Cyber Security Research and Development Act of 2002. This 
law authorizes important research and education activities to 
protect the Nation's critical information technology systems 
against failures from accident or attack. NSF is fully 
supportive of this action.
    NSF's attention to cyber security dates back to at least 
1978 with an investment in cryptography that led to the public 
key infrastructure that is widely used to secure cyber 
transactions today. In 2001, and I would point out September 6, 
2001, we established a trusted computing research program to 
focus attention on the continuing need for research in this 
area. In 2002, we saw a rapid rise in cyber security interest 
by the research community. And this year, I have to tell you, 
we are dealing with a flood of proposals as I previously shared 
with you. The Cyber Security Research and Development Act 
provides us with new authority and an additional sense of 
urgency to expand our capacity to guard against attacks on our 
nation's computer and network systems.
    Let me briefly share with you the current state of NSF 
funding for cyber security research, tell you where we are--
what we are doing, and then indicate where we are going. When 
the appropriation process was completed in February, our Cyber 
Directorate doubled its funding for research to $30 million. In 
addition, the NSF Federal Cyber Service--Scholarships for 
Service program provides $11 million to increase the production 
of information assurance and computer security professionals. A 
total of about $53 million is focused on cyber security, 
because NSF clearly understands the urgency of the need for 
cyber security. With these investments, NSF is focusing on 
discovery, learning, and innovation to secure today's systems, 
to embed contemporary security principles and practices in all 
aspects across the board of cyber systems design in many--in 
all disciplines, and to prepare a world-class workforce of 
information technology professionals with state-of-the-art 
security skills that span research all the way to operations.
    Beginning in 2004, the entire suite of cyber security 
activities will be managed under one integrated, crosscutting 
program called ``Cyber Trust.'' The Cyber Trust portfolio of 
awards will include a range of multidisciplinary, multi-
investigator awards, as well as the more focused single 
investigator awards. And we believe this will ensure the NSF's 
whole investment in cyber security research and education is 
greater than simply the sum of its parts.
    In order to generate innovative approaches to the complex 
computer and network security problems that our nation faces, 
NSF will fund projects of sufficient scope and scale to foster 
multidisciplinary collaboration between computer scientists, 
engineers, mathematicians, and social science researchers. We 
will make awards that range in size from single investigator 
grants to multi-investigator center-scale awards of up to $3 
million. Now this portfolio of Cyber Trust investments will 
ensure that a powerful mix of cutting-edge research is funded 
through a number of competitive awards.
    NSF will also inform the community of opportunities to 
compete for the center-scale awards in these, and other related 
areas, through programs like the STC's, the science and 
technology centers, the engineering research centers, and the 
Industry/University Cooperative Research Centers.
    Now I would like to point out that we changed the title 
``Cyber Trust,'' because our understanding is that the public 
not only wants their information systems to be secure, but they 
want to be able to trust them in all kinds of situations. As a 
simple example, they need to be able to trust the data, their 
data, will be kept private. NSF believes that a highly 
collaborative and inclusive coordinated effort is necessary to 
overcome the many technological challenges that are inherent in 
securing the Nation's cyber systems. Accordingly, NSF will seek 
to establish a multi-sector cyber security partnership, a 
public/private partnership that will allow NSF to develop 
strategic frameworks to guide future research and education 
investments in the field, investments that must be made by both 
the public and the private sectors.
    NSF will engage key federal agencies in the partnership 
endeavor, and we have already begun to do so in discussions 
with NIST. We will draw on the current interagency efforts in 
this area. The coordination has begun strongly with NIST, 
because NIST has the powerful connections to industry. In 
addition, NSF staff are very active in formal interagency 
activities that support cyber security collaborations, like the 
INFOSEC Research Council and the 12-agency Networking and 
Information Technology Research and Development Interagency 
Working Group. We refer to this as NITRD, which NSF chairs. The 
Working Group, we chair.
    NSF will convene a series of workshops this summer to 
engage researchers, educators, and practitioners in finding the 
most effective ways to build capacity and to build it quickly. 
The workshops will also examine implementation strategies to 
support faculty trainee-ships in cyber security. These are 
programs that will enable existing Ph.D.s to pursue academic 
careers in cyber security.
    And we scheduled the meeting for mid-August to facilitate 
multidisciplinary research and education activities by bringing 
together all of the principal investigators, the PIs, from the 
newly integrated Cyber Trust program. Now this group of PIs 
will form a research collaboration network, which will 
facilitate interaction between groups of investigators to 
communicate and coordinate research efforts across 
disciplinary, organizational, institutional, and geographical 
boundaries. And the network can then be coupled to the NIST 
activities to speed up the practical application of the 
research efforts.
    Mr. Chairman, the Cyber Security Research and Development 
Act addresses a very, very critical need for our nation. NSF is 
appreciative of the confidence you have expressed in us to lead 
this effort, and we intend to build on that confidence. And we 
will make sure that all of the funds we are allocated and 
appropriated will be very well used. We eagerly look forward to 
working with you and your staff to ensure that all of the goals 
of the Act are fulfilled.
    Thank you.
    [The prepared statement of Dr. Colwell follows:]

                 Prepared Statement of Rita R. Colwell

    Mr. Chairman and Members of the Committee, I appreciate the 
opportunity to appear before you today to discuss the importance of 
improving the security of our information infrastructure. Last 
November, as a result of the strong leadership that you provided, 
Congress enacted the Cyber Security Research and Development Act 
(Public Law 107-305) of 2002. This law authorizes important research 
and education activities to build our capacity to gird the Nation's 
critical information technology systems against failures from accident 
or attack.
    The Cyber Security Research and Development Act accurately focuses 
on the need for research, enhanced integration of activities from the 
diverse disciplines that impact our ability to secure our systems, and 
production of computer professionals with the requisite skills needed 
to implement the latest cyber security techniques.
    NSF agrees wholeheartedly with this focus and we are moving 
expeditiously to address these needs, both through focused investments 
with current year appropriations and by carefully fashioning plans for 
implementation in FY 2004 and beyond.

Persistent Challenges and Preceding Actions

    Computers and networked systems are ubiquitous in our society. Over 
the past decade, the Internet has grown tremendously, from its early 
state as a small network of academicians, into a full-fledged vital 
information infrastructure that Americans rely on as much as they rely 
on electricity, water, and roadway networks. Entire sectors of our 
economy run minute-to-minute mission critical operations over 
nationally and internationally networked systems. The increase in our 
reliance on these systems, combined with the increased threat of 
malicious attack, has shed new light on the importance of generating 
new knowledge to secure them. New knowledge workers are also needed to 
deploy and operate these systems safely and reliably.
    Today's computing and communications infrastructure does many 
things well, but suffers from a number of flaws and weaknesses that 
make it less than dependable, particularly in the case of attacks. 
These shortcomings include (1) latent flaws in widely distributed 
software, (2) decreasing diversity of software components, (3) poor 
technical means for managing security infrastructure, (4) inadequate 
technical controls for needed collaboration policies, (5) lack of 
convenient, scalable, strong authentication, and (6) inadequate 
security mechanisms for new technologies. Further, the infrastructure 
lacks effective means for detecting when these flaws and weaknesses are 
exploited, and for responding when such exploitations are detected.
    It is appropriate that government devote substantial public 
resources to develop knowledge and capabilities in the area of cyber 
security. Market pressures tend to emphasize time-to-market of software 
and systems. Often IT products are released with known flaws that 
weaken reliability of the system and may create severe vulnerabilities. 
Improving the quality and diminishing the costs associated with 
embedding security principles into all cyber systems design and 
development will be essential to our success.
    NSF has a longstanding commitment to creating new knowledge that 
will improve the security of our nation's computer and network 
infrastructure. NSF attention to cyber security dates back to a 1978 
investment in cryptography, which led to the public key infrastructure 
that is widely used for secure cyber transactions today. Our expanded 
FY 2003 investments in Trusted Computing, Data and Applications 
Security, Network Security and the Federal Cyber Service programs shows 
how our sense of urgency in this field has grown. With the passage of 
the Cyber Security Research and Development Act, Congress has allowed 
us to act on this sense of urgency and expand the Nation's capacity to 
guard against attacks on our computer and network systems.

Current Year Actions

    Mr. Chairman, you and this committee were an important part of the 
support for the appropriation increase that NSF received in February. 
Cyber security research funding has increased by $15 million over FY 
2002 to reach $30 million. With the Scholarships for Service program, 
this brings the agency's total FY 2003 investment in cyber security to 
$41 million.

A Strategic Approach

    In short NSF seeks to enable discovery, learning and innovation 
that will:

         Secure today's systems;

         Embed contemporary security principles and practices 
        in all aspects of cyber systems design and development of 
        tomorrow's systems; and

         Prepare a world-class workforce of information 
        technology professionals, with state-of-the-art security skills 
        spanning research to operations.

    NSF will do so, informed by the interests and efforts of its 
partners in the cyber security field, including those in academe, 
industry and other government agencies.
    Our investments are guided by three core strategies that have 
proven effective across all science and engineering domains.

1. Develop intellectual capital.

  LNSF invests in cyber security activities, including 
multidisciplinary projects, which enhance the individual and collective 
capacity to contribute cyber security solutions, thus building cyber 
security capacity for many years to come. The agency uses its 
competitive, merit-review process to ensure that only research and 
education projects of the highest quality are funded.

2. Integrate research and education.

  LNSF investments in cyber security integrate research and education, 
assuring that findings and methods of cyber security research are 
quickly and effectively communicated in a broader context, to a larger 
audience and are thus more effectively embedded in practice.

3. Promote Partnerships.

  Effective collaboration and partnerships between researchers, 
educators and practitioners in academe, industry and government will 
enable the timely transformation of research outcomes into 
technological innovation that will secure critical cyber systems 
resident in both the public and private sectors. NSF has a strong 
institutional tradition of enabling partnerships among the Nation's 
leading scientists, engineers and educators. In convening researchers, 
educators, and other stakeholders we draw on the expertise and 
deliberations of a vigorous and critical scientific community, exposing 
new ideas and building consensus for them.

    In FY 2003 and beyond, NSF will build on and increase coordination 
between the activities that we have supported for some years. Beginning 
in FY 2004, the entire suite of cyber security activities will be 
managed under one integrated, cross-cutting program called Cyber Trust.
    I would note that we chose the title ``Cyber Trust'' because our 
understanding is that the public not only wants their information 
systems to be secure, but that they want to trust them in all kinds of 
situations. As a simple example, they need to be able to trust that 
data will be kept private.
    The Cyber Trust portfolio of awards will include a range of 
multidisciplinary, multi-investigator awards, as well as more focused 
single investigator awards. This will ensure that NSF's whole 
investment in cyber security research and education is greater than the 
sum of its parts.
    In order to generate innovative approaches to the complex computer 
and network security problems that our nation faces, NSF will fund 
projects of sufficient scope and center-scale to foster 
multidisciplinary collaboration between computer scientists, engineers, 
mathematicians, and social science researchers. Awards will range from 
single investigator types to multi-investigator awards of up to 
$3,000,000. This portfolio of Cyber Trust investments will ensure that 
a rich mix of cutting-edge research is funded. NSF will also inform the 
community of opportunities to compete for center-scale awards in these 
and related areas through activities like the Science and Technology 
Center, Engineering Research Center, and Industry/University 
Cooperative Research Center programs.

Identification and Coordination of Cyber Security Priorities

    NSF, in its discussions with the scientific and engineering 
community, has identified five vital research areas at the frontier:

        1. Manageable security

        2. Empirical cyber security studies

        3. Cyber security foundations

        4. Cyber security for next generation technology

        5. Cyber security across disciplines

    These research areas include and are representative of the many 
research areas included in Section 4(a) of the Act.
    NSF believes that a highly collaborative and inclusive, coordinated 
effort is necessary to overcome the many technological challenges 
inherent in securing the Nation's cyber systems. Only by drawing upon 
the expertise resident in relevant stakeholder organizations, including 
industry, academia, and government, and by aligning the interests and 
investments of these broad stakeholder groups, can we ensure that the 
best solutions are identified and enacted to protect the Nation's vital 
information technology resources.
    Accordingly, NSF will seek to establish a multi-sector cyber 
security partnership. The partnership will allow NSF to develop a 
strategic framework to guide future research and education investments 
in the field; investments likely to be made by both the public and the 
private sectors.
    NSF will engage key federal agencies in the partnership endeavor, 
by drawing on current interagency efforts in this area. For example, 
NSF staff are very active in formal interagency activities that support 
cyber security collaborations, such as in the Networking and 
Information Technology Research and Development (NITRD) Interagency 
Working Group (IWG) that includes representatives from the Defense 
Advanced Research Projects Agency, the Department of Defense, the 
National Security Agency, and others.
    Dr. Peter Freeman, the NSF Assistant Director for Computer and 
Information Science and Engineering (CISE) has talked with Dr. Arden 
Bement to establish formal collaboration between NSF and NIST in the 
area of cyber security and program staff will carry the coordination 
forward. As chair of the NITRD IWG Dr. Freeman has also met with Dr. 
David Nelson, Director of the National Coordination Office for NITRD, 
to discuss ways to enhance the coordination activities of the IWG in 
the area of cyber security.
    Demonstrating further NSF leadership in cyber security, an NSF/CISE 
Program Officer co-chairs the High Confidence Software and Systems 
program coordination area of NITRD. This subgroup is working to define 
the federal portfolio of cyber security research and development, and 
will identify gaps. NSF will draw upon the work of this group to inform 
its future research investments.
    NSF also has a long tradition of working with industry partners in 
science and engineering. By encouraging strong industry participation 
in the development of a cyber security research and education 
framework, and in the subsequent funding of appropriate research and 
education activities, NSF hopes to improve both the transfer of new 
knowledge into the marketplace and the capacity of current and future 
generations of IT and information assurance professionals.

Capacity Building

    To establish the partnership, NSF will convene a series of 
workshops to begin in summer 2003. These workshops will engage 
researchers, educators and practitioners representing academic, 
industry, and government stakeholder organizations to develop community 
consensus on cyber security research and education needs and 
opportunities. In addition to refining research opportunities, the 
workshops will focus on integration, scale, and capacity building.
    The first workshops planned are described below.

1. Comprehensive Cyber Security Needs Assessment

    In August 2003, NSF will convene an invitational workshop of 
academic, industrial, and government leaders to help assess the needs 
and identify the strategies necessary to prepare a world-class cyber 
security workforce. In order to facilitate educational innovation in 
cyber security, design concepts for new cyber security-related 
curricula will be devised. Implementation strategies will be discussed 
to determine the best way to deliver cyber security education to a 
broad audience. Strategies will focus on curriculum for three levels of 
education:

         Bachelor's/Associate's degree programs to prepare systems 
        administration and IT security operations professionals.

         Bachelor's and Master's degree programs to prepare systems 
        design and development professionals with specified skills in 
        security.

         Ph.D. programs to prepare researchers and educators for 
        careers in information security.

    The workshop will also examine implementation strategies to support 
faculty traineeships in cyber security. These programs will enable 
recent Ph.D. graduates to pursue academic careers in cyber security.
    Following this workshop, NSF will assess the extent to which its 
current capacity-building programs address the needs defined by the 
workshop attendees. For example, the Advanced Technology Education 
(ATE) centers are comprehensive national or regional cooperative 
efforts involving two-year colleges, four-year colleges and 
universities, secondary schools, business, industry, and government. 
This program might serve as a valuable model for other such activities 
in the future. In the meantime it will provide a potential platform for 
cyber security activities at the Bachelor's and Associate's degree 
levels.
    I should also note that the Federal Cyber Service: Scholarships for 
Service (SFS) program ``seeks to increase the number of qualified 
students entering the fields of information assurance and computer 
security and to increase the capacity of the United States higher 
education enterprise to continue to produce professionals in these 
fields to meet the needs of our increasingly technological society.'' 
This program directly addresses the future needs of the Federal 
Government for access to skilled information security Bachelor's, 
Master's, and Ph.D. recipients. The program also provides funding to 
schools to ``improve the quality and increase the production of 
information assurance and computer security professionals through 
professional development of information assurance faculty and the 
development of academic programs.''

2. Cyber Security Community

    In order to facilitate multidisciplinary research and education 
activities, NSF will convene a meeting of all Principal Investigators 
(PIs) from the newly integrated Cyber Trust Program. This group of PIs 
will form a Research Collaboration Network. The RCN will facilitate 
interaction between groups of investigators, to communicate and 
coordinate research efforts across disciplinary, organizational, 
institutional, and geographical boundaries. It will lead to integration 
of the research activities of scientists working independently on cyber 
security topics of common interest, to nurture a sense of community 
among cyber security researchers, to attract new scientists to the 
field, and to minimize isolation and maximize cooperation in research, 
training, outreach and educational activities. Together, the members of 
this network will explore further means by which to address the complex 
issues faced by the cyber security community as a whole.
    The Cyber Security Research and Development Act addresses a 
critical weakness in the security of our nation. NSF is appreciative to 
the Committee for extending its confidence to us. We look forward to 
working with you to ensure that the goals of the Act are fulfilled.

                     Biography for Rita R. Colwell

    Dr. Rita R. Colwell became the 11th Director of the National 
Science Foundation on August 4, 1998.
    Since taking office, Dr. Colwell has spearheaded the agency's 
emphases in K-12 science and mathematics education, graduate science 
and engineering education/training and the increased participation of 
women and minorities in science and engineering.
    Her policy approach has enabled the agency to strengthen its core 
activities, as well as establish support for major initiatives, 
including Nanotechnology, Biocomplexity, Information Technology, 
Social, Behavioral and Economic Sciences and the 21st Century 
Workforce. In her capacity as NSF Director, she serves as Co-chair of 
the Committee on Science of the National Science and Technology 
Council.
    Under her leadership, the Foundation has received significant 
budget increases, and its funding recently reached a level of more than 
$4.8 billion.
    Before coming to NSF, Dr. Colwell was President of the University 
of Maryland Biotechnology Institute, 1991-1998, and she remains 
Professor of Microbiology and Biotechnology (on leave) at the 
University Maryland. She was also a member of the National Science 
Board from 1984 to 1990.
    Dr. Colwell has held many advisory positions in the U.S. 
Government, non-profit science policy organizations, and private 
foundations, as well as in the international scientific research 
community. She is a nationally respected scientist and educator, and 
has authored or co-authored 16 books and more than 600 scientific 
publications. She produced the award-winning film, Invisible Seas, and 
has served on editorial boards of numerous scientific journals.
    She is the recipient of numerous awards, including the Medal of 
Distinction from Columbia University, the Gold Medal of Charles 
University, Prague, and the University of California, Los Angeles, and 
the Alumna Summa Laude Dignata from the University of Washington, 
Seattle.
    Dr. Colwell has also been awarded 26 honorary degrees from 
institutions of higher education, including her Alma Mater, Purdue 
University. Dr. Colwell is an honorary member of the microbiological 
societies of the UK, France, Israel, Bangladesh, and the U.S. and has 
held several honorary professorships, including the University of 
Queensland, Australia. A geological site in Antarctica, Colwell Massif, 
has been named in recognition of her work in the polar regions.
    Dr. Colwell has previously served as Chairman of the Board of 
Governors of the American Academy of Microbiology and also as President 
of the American Association for the Advancement of Science, the 
Washington Academy of Sciences, the American Society for Microbiology, 
the Sigma Xi National Science Honorary Society, and the International 
Union of Microbiological Societies. Dr. Colwell is a member of the 
National Academy of Sciences.
    Born in Beverly, Massachusetts, Dr. Colwell holds a B.S. in 
Bacteriology and an M.S. in Genetics, from Purdue University, and a 
Ph.D. in Oceanography from the University of Washington.

    Chairman Boehlert. Thank you very much. And thank you very 
much for giving us some precise figures. And Dr. McQueary, when 
we get back to you, we would like some figures, if we may.
    Dr. Bement.

   STATEMENT OF DR. ARDEN L. BEMENT, JR., DIRECTOR, NATIONAL 
       INSTITUTE OF STANDARDS AND TECHNOLOGY, TECHNOLOGY 
          ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE

    Dr. Bement. Thank you, Chairman Boehlert. It is good to be 
back. I want to thank you, Mr. Hall, and Members of the 
Committee for allowing me to testify today about the 
contributions of NIST to strengthen the Nation's cyber 
security. Let me congratulate you for your tremendous 
leadership in advancing robust programs to protect our nation's 
information infrastructure from attack.
    We at NIST fully agree with the Committee that helping to 
ensure the confidentiality, integrity, trust, and availability 
of civilian information is essential to the functioning of our 
economy. The Cyber Security R&D Act and FISMA emphasize NIST's 
long-standing statutory responsibilities for developing federal 
cyber security standards and guidelines and conducting related 
research.
    Let me review just a few of NIST's activities and 
accomplishments. In 2001, Secretary Evans approved the Advanced 
Encryption Standard as a federal security standard. I am 
pleased to report that the AES is being actively adopted by 
voluntary standards bodies and implemented by vendors. In fact, 
over 70 commercial implementations of the AES have already been 
validated through our Cryptographic Module Validation Program. 
This program has also validated over 500 other modules and 
another 100 or more are expected within the next year.
    To give you a sense of the quality improvement that the 
program achieves, statistics from the testing laboratories show 
that 48 percent of the modules brought in for voluntary testing 
had security flaws that were corrected during testing. In other 
words, without our program, the Federal Government would have 
had only a 50/50 chance of buying correctly implemented 
cryptography.
    In support of our federal responsibilities, we have 
published security guidelines for e-mail, firewalls, 
telecommuting, and business systems contingency planning. We 
have also published guidelines on certification and 
accreditation, which are key components needed for successfully 
implementing E-government and the new FISMA mandates for 
federal agencies. Hundreds of thousands of copies of our 
guidelines have been downloaded from our computer security 
resource center website. For example, over 400,000 copies of 
our contingency planning guide for information technology have 
been downloaded since its publication less than one year ago.
    Our guidelines and standards provide leadership to industry 
as well, as much as our work is voluntarily adopted by 
industry. Our Smart Card Interoperatability Specification has 
been adopted by federal agencies and is now being considered as 
an ANSI standard and eventually as an international standard.
    The complexity of systems is growing as components become 
smaller. And some of the biggest challenges are in ensuring the 
integrity of information as it flows from component to 
component within a system. This is a major area of research on 
our horizon, so while we are moving ahead with critical tasks 
that are already on our agenda, we are giving new activities 
priority in our base program as resources become available.
    This is only a partial representation of our many cyber 
security-related projects and activities. Over the past three 
years, we have had appropriations of $26 million for grants, 
critical infrastructure protection, expert assist teams of 
which $5 million is recurring in NIST laboratory-based 
programs. And since 9/11, we have been leveraging another $12 
million in our Information Technology Research Program toward 
cyber security-related priorities.
    In summary, in fiscal year 2003, approximately $24 million 
is being directed toward cyber security research and related 
programs. And I can report to you, Mr. Chairman, we have 
already moved out on many of the requirements specified for 
NIST under the Cyber Security R&D Act.
    With your permission, I would like to--and also in the 
interest of time, submit a list of our current activities for 
the record.
    [NOTE: The information referred to appears in Appendix 2: 
Additional Material for the Record.]
    Chairman Boehlert. Without objection, so ordered. It will 
be included as part of your testimony.
    Dr. Bement. We accomplished our mission working side-by-
side with our federal partners. NIST understands the 
Committee's desire for greater interagency coordination and 
collaboration, and we have been reaching out to assist other 
federal agencies. As Dr. McQueary indicated, Under Secretary 
Bond will be meeting with him very soon, I think it is 
scheduled for May 19, to sign a Memorandum of Understanding. 
This MOU will establish a formal mechanism for NIST to 
cooperate with the Science and Technology Directorate of DHS. 
We continue to have regular interactions with NSF and OSTP, and 
we have had a long and successful relationship with both DARPA 
and NSA. We are moving forward with the NRC study called for in 
the Cyber Security R&D Act. We have already identified the 
Study Director and are ready to initiate this study, and I am 
pleased to say that DARPA will be joining with us in conducting 
this study.
    Not all of our work has been accomplished from within the 
Federal Government. NIST awarded $5 million to nine grant 
recipients in intrusion detection, telecommunications, wireless 
security, electric power infrastructure, and compiler security, 
and we are expecting important advances from this grant 
program.
    In conclusion, I continue to view cyber security research 
and development as having high priority for NIST and the 
Nation. NIST takes its role in cyber security seriously, and we 
will work with the Committee to ensure that we are able to 
carry out our mandate to work with industry, academia, and 
standards development organizations to assure the secure flow 
of vital and sensitive information throughout our society.
    Mr. Chairman, I am grateful to you and this committee for 
your support of NIST's programs, and this concludes my prepared 
remarks.
    [The prepared statement of Dr. Bement follows:]

               Prepared Statement of Arden L. Bement, Jr.

    Chairman Boehlert, Mr. Hall, and Members of the Committee, thank 
you for this opportunity to testify today about the contributions of 
the National Institute of Standards and Technology (NIST) to strengthen 
the Nation's cyber security. Let me congratulate you for your 
tremendous leadership in advancing robust programs to protect our 
nation's information infrastructure from attack. I know that Technology 
Administration Under Secretary Phil Bond and I look forward to working 
very closely with you to turn your visions into reality. I would like 
to address the questions you asked in your invitation to testify and 
tell you about the many important cyber security activities currently 
underway at NIST.
    Protecting our nation's critical infrastructure is of critical 
importance to our economy and our well-being. The terrorist attacks of 
September 11, 2001 brought to the forefront the Nation's physical and 
economic vulnerability to an attack within our borders. Among the 
Nation's vulnerabilities are the computer and communications networks 
on which the country's financial, transportation, energy, and water 
systems and health and emergency services depend. These critical are 
the underpinning of the Nation's infrastructure and commerce. The Los 
Angeles Times in a recent editorial emphasized the importance of 
meeting this challenge: ``A cyberterrorist attack would not carry the 
same shock and carnage of September 11. But in this information age. . 
.[a cyberterrorist attack] could be more widespread and just as 
economically destructive.'' We will not be able to address these 
vulnerabilities without applied research and development of enabling 
technologies in cyber security.
    The success of the Internet--connecting more than 100 million 
computers and growing--has far outstripped its designers' wildest 
expectations. Although the Internet was not originally designed to 
control power systems, connect massive databases of medical records or 
connect millions of homes, today it serves these functions. It was not 
designed to run critical safety systems but it now does that as well. 
We rely heavily on an open system of networks, so complex that no one 
person, group or entity can describe it, model its behavior or predict 
its reaction to adverse events. The porous nature of the U.S. network 
infrastructure leaves the Nation, including critical federal systems, 
open to the constant possibility of cyber attacks. Such attacks include 
the massive distributed denial of service attacks that overwhelm 
servers with access requests; defacement of web sites and the 
modification of electronically stored information to spread 
disinformation and propaganda; ``Zombies'' that use computers (located 
anywhere) as conduits for wide-scale distribution of destructive worms 
and viruses; and, unauthorized intrusions and sabotage of systems and 
networks, potentially resulting in critical infrastructure outages and 
corruption of vital data.\1\
---------------------------------------------------------------------------
    \1\ CNET News, ``Calculating the Cost of Slammer,'' Robert Lemos, 
February 3, 2003.
---------------------------------------------------------------------------
    Helping to ensure the confidentiality, integrity and availability 
of civilian information is essential to the functioning of our economy 
and indeed to our democracy. And, to this end, NIST has had a long-
standing and successful role in working with federal agencies and 
industry by ensuring the protection of non-national security related 
cyber and information systems through standards and guidelines 
development, testing methodologies, conformity assessment and 
complementary supporting research.
    In 2001, Secretary Evans approved the Advanced Encryption Standard 
(AES) as a federal security standard. I am pleased to report that the 
standard is being actively adopted by voluntary standards bodies and 
implemented by vendors. In fact, over 70 commercial implementations of 
the AES have already been validated through our Cryptographic Module 
Validation Program.
    Enactment of the Cyber Security Research and Development Act 
(CSRDA) of 2002 and the Federal Information Security Management Act 
(FISMA) of 2002 has reinforced our long-standing statutory 
responsibilities for developing federal cyber security standards and 
guidelines and conducting commensurate security research. We fully 
appreciate and are grateful for the trust and support provided by the 
House Science Committee to NIST in assigning us responsibility for 
these critical roles. We see both of these new important laws as a 
``vote of confidence'' in our past work and an expectation of 
continuing successful achievements in the future.
    Today I would like to review new statutory assignments to NIST, 
provide you an overview of NIST's cyber security activities, and 
discuss some of the challenges we continue to confront.

NIST Responsibilities Under the Cyber Security Research and Development 
                    Act of 2002

    Under the legislation, NIST is assigned responsibilities to

         Establish a program of assistance to institutions of 
        higher education that enter into partnerships with for-profit 
        entities;

         Institute a program to award post-doctoral research 
        fellowships to individuals seeking cyber security research 
        positions;

         Develop checklists that minimize security risks 
        associated with Federal Government computer hardware or 
        software systems;

         Ask the National Research Council of the National 
        Academy of Sciences to study the vulnerabilities of the 
        Nation's infrastructure and to make recommendations for 
        appropriate improvements;

         Support and consult with the Information System 
        Security and Privacy Advisory Board, which has the mission to 
        identify emerging issues related to computer security, privacy, 
        and cryptography;

         Conduct intramural cyber security security research; 
        and

         Coordinate with NSF and OSTP on cyber security 
        research.

NIST Responsibilities Under the Federal Information Security Management 
                    Act (FISMA) of 2002

    Responsibilities assigned to NIST under FISMA include:

         Developing IT standards for federal systems,

         Conducting research to identify information security 
        vulnerabilities and developing techniques to provide cost-
        effective security;

         Assessing private-sector policies, practices, and 
        commercially available technologies;

         Assisting the private sector, upon request; and

         Evaluating security policies and practices developed 
        for national security systems to assess potential application 
        for non-national security systems.

    FISMA also contained a number of specific assignments, including 
development of:

         Standards and guidelines to be used by federal 
        agencies to categorize levels of information security according 
        risk;

         Minimum information security requirements, such as 
        management, operational, and technical security controls;

         An Incident Handling Guideline and a Guideline to 
        Identifying a System as a National Security System;

         Security performance indicators; and

         An annual public report of our FISMA activities.

    With these broad legislative mandates in mind, let me review NIST's 
activities and accomplishments in the area of intramural research, 
security grants, and a planned National Research Council study.

Recent NIST Intramural Cyber Security Accomplishments

    In addition to the extraordinary success of the Advanced Encryption 
Standard, NIST has made a number of major contributions to cyber 
security standards and guidelines, research, and testing in order to 
thwart the kinds of economically disabling attacks noted previously. 
Here are but a sampling of numerous successes and ongoing activities:
Security Guidelines and Standards
    Our base program targets the development of standards and 
guidelines in support of our federal responsibilities. In 2002-2003, 
NIST published 12 security guidelines covering a wide variety of topics 
such as e-mail, firewalls, telecommuting and business systems 
contingency planning. We have also published 10 draft guidelines for 
review by federal departments and agencies as well as other interested 
organizations and individuals concerning such topics as certification 
and accreditation, awareness and training, and considerations in 
Federal Information technology procurements. The certification and 
accreditation guidelines are a key component needed for successful 
implementation of the e-government and FISMA mandates for federal 
agencies. Additionally, we have issued numerous NIST Information 
Technology Laboratory (ITL) Bulletins during the last year to provide 
guidance to agencies and others on a broad list of topics. Our 
guidelines and standards provide leadership to industry as much of our 
work is voluntarily adopted in industry. For example, our Smart Card 
Interoperability Specification has been adopted by federal agencies and 
is now being considered for adoption by an ANSI Standards committee and 
eventually as an international standard. All of our work is posted on 
our Computer Security Resource Center website. Hundreds of thousands of 
copies of our guidelines have been downloaded from this online site. 
For example, over 400,000 copies of our Contingency Planning Guide for 
Information Technology have been downloaded since its publication less 
than a year ago.
Security Testing
    I mentioned previously the Cryptographic Module Validation Program 
through which a number of new algorithms that use the Advanced 
Encryption Standard are being tested. The CMVP as it is known is 
operated in conjunction with the Government of Canada's Communication 
Security Establishment. The Cryptographic Module Validation Program has 
now validated over 500 modules with another 100 or more expected within 
the next year. This successful program utilizes private-sector 
accredited laboratories to conduct security conformance testing of 
cryptographic modules against the cryptographic federal standards NIST 
develops and maintains. To give you a sense of the quality improvement 
that the program achieves, consider that our statistics from the 
testing laboratories show that 48 percent of the modules brought in for 
voluntary testing had security flaws that were corrected during 
testing. In other words, without our program, the Federal Government 
would have had only a 50/50 chance of buying correctly implemented 
cryptography!
    In addition, in recent years we have worked to develop the ``Common 
Criteria'' which can be used to specify security requirements. These 
requirements are then used by private-sector laboratories, accredited 
by NIST, for the voluntary evaluation of commercial products needed for 
the protection of government systems and networks. This work is 
undertaken in cooperation with the Defense Department's National 
Security Agency in our National Information Assurance Partnership 
(NIAP). You may be aware that the National Strategy to Secure 
Cyberspace calls for a review of the NIAP. We have begun staff 
discussions with NSA to identify ways we might improve the process, 
through research, process changes, and to understand the resources 
needed for NIAP to fully succeed.
Access Control
    One of the basic tenets of IT security is controlling access to 
vital IT resources--answering the question, ``who is allowed to do 
what?'' A NIST research team created a new approach to controlling user 
access, called Role-Based Access Control (RBAC). What is most striking 
about RBAC is its rapid evolution from a theoretical model to 
commercial implementation and deployment. An independently conducted 
NIST-sponsored economic impact study, estimated that RBAC will soon be 
used by some 30 million users for access to sensitive information. 
Further, the study estimated that RBAC technology will save the U.S. 
software development industry $671 million, and that NIST was 
responsible for 44 percent of the savings.
    And, there are many, many other activities too numerous to describe 
here, including significant efforts in the critical areas of the 
security of systems controlling the U.S. Critical Infrastructure, 
mobile device security, network security, and security awareness. We 
also need to be aware of specific needs of our federal customers and 
work closely with them to achieve our mission. For example, OMB has 
asked us to assist in the preparation of E-Authentication technical 
guidelines in support of the E-Government initiatives. And, there are 
related areas of research, such as biometrics (under mandates from the 
USA Patriot Act) and computer forensics (used to build evidence for 
court cases against terrorists) in which NIST is making extraordinary 
contributions to the Nation's efforts to secure the critical 
infrastructure of the country. So, in addition to our $10M base funding 
for cyber security, we leverage another $14M to enable the use of 
technologies that support the Nation's cyber infrastructure.
    But, even with our very active program and considerable 
interactions with industry and federal agencies, the list of critical 
tools still to be developed is daunting. The need for trustworthy 
computing systems is a theme we hear from various economic sectors on a 
daily basis--from financial institutions, from health care 
professionals, from owners and operators of utility companies--all are 
in need of mechanisms by which they can be assured that the information 
they exchange is available, confidential and that its integrity is 
assured. And, the complexity of systems is growing as components become 
smaller, and systems on a chip become ubiquitous, some of the biggest 
challenges are in ensuring the integrity of information as it flows 
from component to component within a system. This is a major area of 
research on our horizon. So, while we move ahead with critical tasks 
that already are on our agenda, we will give new activities priority in 
our base program as resources are available.

Interaction with Other Federal Government Agencies

    We accomplish our mission working side by side with our federal 
partners. NIST understands the Committee's desire for greater 
interagency coordination and collaboration for successful science and 
technology initiatives and we have been reaching out to supplement and 
assist other federal agencies. Our Technology Administration is 
preparing a Memorandum of Understanding with the Science and Technology 
Directorate of the Department of Homeland Security (DHS) which will be 
signed by Under Secretary Bond and DHS Under Secretary McQueary. This 
MOU will establish a formal mechanism for NIST to cooperate with DHS in 
fulfilling their many homeland security responsibilities including 
cyber security R&D. The MOU is being prepared for signature by the two 
departmental bureaus on May 19. We have detailed one NIST senior 
scientist to the DHS S&T Directorate to assist with standards efforts 
and to avoid duplication of effort. Also, we have regular interactions 
with NSF and OSTP, for example in the INFOSEC Research Council (IRC). 
The IRC provides a community-wide forum to discuss critical information 
security issues, convey the research needs of their respective 
communities, and describe current research initiatives and proposed 
courses of action for future research investments. Additionally, we 
have also invited NSF representatives to meet with our Information 
System Security and Privacy Advisory Board at its June meeting. We have 
had a long and successful relationship with DARPA in a number of 
research areas, particularly in areas of networks, biometrics and 
language recognition technologies.

National Research Council Study of Network Vulnerabilities

    As mandated by CSRDA, we are also moving forward with a National 
Research Council study to review the vulnerabilities and inter-
dependencies in our critical infrastructure networks and identify 
appropriate research needs and associated resource requirements. 
Working with our NRC colleagues we have already identified a study 
director and are ready to initiate this study.

Cyber Security Research Grants

    Now, not all of our work has been accomplished from within the 
Federal Government. NIST has provided twelve cyber security research 
grants in the past: one to the Critical Infrastructure Protection 
Project; nine under the NIST 2001 Critical Infrastructure Protection 
Grants Program, and two to the Institute for Information Infrastructure 
Protection (I3P) at Dartmouth College's Institute for Security and 
Technology Studies.
NIST Critical Infrastructure Protection Grants Program
    In September 2001, NIST awarded $5M to nine grant recipients under 
the FY 2001 Critical Infrastructure Protection Grants Program (CIPGP) 
to improve the robustness, resilience, and security information in all 
the critical infrastructures. Under the competitive grant application 
process, we received 133 proposals requesting roughly $73M from 
applicants in both industry and academia. We selected proposals in 
intrusion detection, telecommunications, wireless security, electric 
power infrastructure, and compiler security.
    Funded research addresses a variety of topics to include tools and 
methods for analyzing security and detecting attacks due to 
vulnerabilities introduced by merging of data networks (i.e., the 
Internet) and voice networks (i.e., the public switched telephone 
network). Other topics addressed are attack detection for wireless and 
converged networks, the development of security controls for protecting 
the North American power grid, and methods for evaluating intrusion 
detection systems.
    While results are still preliminary from the Grants program and 
some projects will not be completed due to a discontinuation of program 
funding in FY 2002, we will still produce important results especially 
in the wireless area, converged data/IP networks and security of the 
electric power infrastructure.

Cyber Security Funding Increases

    NIST takes its cyber security responsibilities very seriously and 
we appreciate your confidence in our abilities as witnessed by passage 
of the Cyber Security Research and Development Act and the Federal 
Information Security Management Act (FISMA). We also appreciate that in 
FY 2003 Congress provided $1M in funding for operation of our Computer 
Security Expert Assist Team capability, and approximately $2M for 
wireless security and networks via our Program to Accelerate Critical 
Information Technologies initiative.
    The President's FY 2004 budget request includes increased funding 
for two existing NIST program areas related to cyber security research:
Biometrics Standards
    The FY 2004 request includes $1M specifically for standards for 
biometric identification in continuing support of the USA PATRIOT Act 
to develop a national biometric identification system, using unique 
physical characteristics such as fingerprints, facial features, and eye 
patterns, to accurately identify people entering the United States or 
applying for visas. With the funding requested, NIST will help to 
develop effective, efficient, and interoperable biometric identifier 
standards, certification tests, guidelines, and techniques for 
fingerprint and face recognition and verification.
Quantum Information Systems
    The FY 2004 $3M requested for work in quantum information science 
will also have significant cyber security benefits. Quantum mechanics, 
the strange behavior of matter on the atomic scale, provides an 
entirely new and uniquely powerful way for computing and 
communications, potentially replacing the current binary computing and 
digital communications based on ones and zeros, and could have enormous 
impacts in homeland security. Quantum computers could perform 
processing tasks that are currently impossible. They also could solve 
problems that conventional computers could not manage given realistic 
amounts of time, memory, and processing power.
    This enormous computational power would be particularly valuable in 
cryptography, making codes that would be unbreakable by the best 
supercomputers of tomorrow, or breaking codes in seconds that could not 
be cracked in years by the most powerful binary computers. Quantum 
information also can be used for remarkably secure communications. In 
this particular area, we are partnering closely with DARPA.
    With the requested funding, NIST will work to develop the 
measurements and standards infrastructure (hardware and software) 
critical to the development of a quantum communications system. This 
includes methods to test and verify the actual performance 
characteristics of these systems, to determine their security 
properties, and to enable integration of such systems into the existing 
communications infrastructure.
    In conclusion, NIST takes its role in cyber security seriously and 
will work with the Committee to ensure that we are able to carry out 
our mandate to work with industry, academia, and standards development 
organizations to assure the secure flow of vital and sensitive 
information throughout our society. These examples of our work and 
accomplishments demonstrate NIST's commitment to cyber security, across 
the government and the Nation. They also demonstrate the base upon 
which NIST hopes to build our efforts. It is an absolutely critical 
national need, and it is fundamental to providing the technical 
testing, standards and guidelines needed to protect our information 
infrastructure.
    I am grateful to Chairman Boehlert for holding this hearing, and 
for his support of NIST's programs.
    This concludes my prepared remarks.
    I will be pleased to answer your questions.

                   Biography for Arden L. Bement, Jr.

    Arden L. Bement, Jr., was sworn in as the 12th Director of NIST on 
Dec. 7, 2001. Bement oversees an agency with an annual budget of about 
$812 million and an on-site research and administrative staff of about 
3,000, complemented by a NIST-sponsored network of 2,000 locally 
managed manufacturing and business specialists serving smaller 
manufacturers across the United States. Prior to his appointment as 
NIST director, Bement served as the David A. Ross Distinguished 
Professor of Nuclear Engineering and head of the School of Nuclear 
Engineering at Purdue University. He has held appointments at Purdue 
University in the schools of Nuclear Engineering, Materials 
Engineering, and Electrical and Computer Engineering, as well as a 
courtesy appointment in the Krannert School of Management. He was 
director of the Midwest Superconductivity Consortium and the Consortium 
for the Intelligent Management of the Electrical Power Grid.
    Bement came to his position as NIST director well versed in the 
workings of the agency, having previously served as head of the 
Visiting Committee on Advanced Technology, the agency's primary 
private-sector policy adviser; as head of the advisory committee for 
NIST's Advanced Technology Program; and on the Board of Overseers for 
the Malcolm Baldrige National Quality Award.
    Bement joined the Purdue faculty in 1992 after a 39-year career in 
industry, government, and academia. These positions included: Vice 
President of Technical Resources and of Science and Technology for TRW 
Inc. (1980-1992); Deputy Under Secretary of Defense for Research and 
Engineering (1979-1980); Director, Office of Materials Science, DARPA 
(1976-1979); Professor of Nuclear Materials, MIT (1970-1976); Manager, 
Fuels and Materials Department and the Metallurgy Research Department, 
Battelle Northwest Laboratories (1965-1970); and Senior Research 
Associate, General Electric Co. (1954-1965).
    Along with his NIST advisory roles, Bement served as a member of 
the U.S. National Science Board, the governing board for the National 
Science Foundation, from 1989 to 1995. He also chaired the Commission 
for Engineering and Technical Studies and the National Materials 
Advisory Board of the National Research Council; was a member of the 
Space Station Utilization Advisory Subcommittee and the 
Commercialization and Technology Advisory Committee for NASA; and 
consulted for the Department of Energy's Argonne National Laboratory 
and Idaho Nuclear Energy and Environmental Laboratory.
    He has been a director of Keithley Instruments Inc. and the Lord 
Corp. and was a member of the Science and Technology Advisory Committee 
for the Howmet Corp. (a division of ALCOA).
    Bement holds an engineer of metallurgy degree from the Colorado 
School of Mines, a Master's degree in metallurgical engineering from 
the University of Idaho, a doctorate degree in metallurgical 
engineering from the University of Michigan, and a honorary doctorate 
degree in engineering from Cleveland State University. He is a member 
of the U.S. National Academy of Engineering.

    Chairman Boehlert. Thank you very much. And thank you for 
the kind words about the Committee's leadership in this area. I 
guess the question we have is is there a follower-ship, and we 
will address that in the questions.
    Dr. Tether, welcome back. And I hope in your testimony you 
will enlighten us as to why we are moving in the wrong 
direction with respect to funding in DARPA for cyber security 
or Cyber Trust, as we now occasionally refer to it.
    Dr. Tether. Thank you very much, Chairman Boehlert, Members 
of the Committee. I am pleased to be here to discuss our work 
in cyber security, which we really refer to as ``information 
assurance.'' If you would, please, accept my written testimony 
for the record.
    Chairman Boehlert. Without objection, the entire written 
statements will appear in the record in their entirety, and we 
appreciate the others summarizing, and we would welcome your 
summary, but we are not being arbitrary with the five minutes, 
so don't get nervous about the green light, red light. It is 
just to see if we are colorblind.

STATEMENT OF DR. ANTHONY J. TETHER, DIRECTOR, DEFENSE ADVANCED 
                    RESEARCH PROJECTS AGENCY

    Dr. Tether. As you know, DARPA's mission is to maintain the 
technological superiority of the U.S. military by sponsoring 
high payoff research that basically bridges the gap between 
fundamental discoveries and the--their military use. The 
testimony goes into a little bit more detail of how we go about 
doing that, so I won't bother to go into that.
    However, all of--DARPA is a very low-overhead organization. 
I would say about 98 percent of the money that is appropriated 
to us literally goes out to performers, and only about $100 
million, or I will say three billion is really for security, 
operating the building, operating DARPA, paying for salaries. 
All the rest goes out to performers. These performers are 
mostly industry, but there are universities and also government 
labs involved. Now in doing that, we really--we partner with 
the services quite heavily. In fact, we contract to these 
performers through service organizations.
    A major service organization in this area, information 
assurance, is AFRL in Rome, New York, as you know. They are a 
great partner with us, and probably--and really carry the 
longevity of the projects.
    Basically, we mine the talents and discoveries that are 
created by organizations, such as NSF. We collaborate with NSF 
at the Program Manager level primarily to make sure that we are 
aware of what new is happening. And what we try to do is we try 
to find when an idea is ripe to be taken from an idea to an 
application, to a product in itself. And that is what we do and 
that is what DARPA has done very successfully for nearly 45 
years now.
    The military, however, is moving to what they are calling 
``network centric warfare.'' And this requires--and this will 
require that we seamlessly network the organizations, weapon 
platforms, people, immediately upon entry into a theater. Now 
this allows us to plan and execute operations more quickly and 
effectively than opponents. We are able to be very agile with 
this network centric warfare. And the recent conflicts in 
Afghanistan and Iraq really have given you only a hint of the 
power of the network centric techniques that are coming to our 
military.
    However, while moving to a network centric warfare has 
created for us an enormous capability in--capability to 
handle--be very agile, it has also created a tremendous 
vulnerability. Basically, the network now must achieve the same 
availability, reliability, et cetera, that we used to enforce 
on our platforms, our weapon platforms itself. The network 
itself now has become the weapon.
    Our enemies are watching this, and our enemies know this. 
So our enemies are clearly going to go and attack the network 
in the future as they have attacked our platforms and so in the 
past. Because of this, we are working hard on techniques and 
all to make sure that these networks can not be attacked 
because of the--if they are attacked, the whole--our whole 
capability goes down. Because of that, this is one of the 
reasons why our work is becoming more classified now than it 
has been in the past, because this--the network itself is 
becoming a capability and if the vulnerabilities of those 
networks were known, obviously it would be easy for an enemy to 
attack them. And if the techniques that we were developing to 
prevent from attacking them were known, then that is valuable 
information as well to an aggressor. So that is one of the 
reasons why you will find that in the future more and more of 
our work in this area will, by definition, have to become 
classified.
    Because we are idea or project-oriented in the sense that 
we don't work in general, we take ideas and we create a 
project, it sometimes appears that we don't have a consistent 
thrust. But what you see--what I believe you are seeing are 
just the natural variations as projects are started and as 
projects are finished. It is true that from 2002 to 2004 it 
looks like our--at least our unclassified budget is decreasing 
in this area. What you don't have is the classified budget, and 
I would be happy to give that to you in a closed session. And 
if you saw that, you would see it probably wasn't decreasing 
that----
    Chairman Boehlert. I would be a little more comfortable.
    Dr. Tether. Yeah. And most of that, by the way, once again 
goes through AFRL in Rome, New York. But for example, as these 
projects variations, in the early '90's, somebody got an idea, 
``Well, let us not let the attackers in.'' And the result of 
that research were firewalls. And all of the--most of the 
firewalls that you have now being used by people came from a 
DARPA program back in the early '90's on the techniques to 
keep--just keep the attackers from ever getting in. However, it 
turns out that firewalls have flaws, and these flaws aren't 
necessarily the firewalls, the people that implement them.
    So next we moved to detecting that an attack was going on 
and trying to limit the damage. However, in order to do this, 
we end up with high false alarm rates or false positives where 
we say an attack is going on and an attack really is not going 
on. So we developed technology to greatly reduce that false 
alarm rate so that when an attack--we said an attack was going 
on, it truly was.
    Third, we finally--somebody had an idea that said, ``Look, 
we can't keep them out. We are getting pretty good at detecting 
these attacks, but what we really have to do now, because the 
networks are becoming, really, the weapon system, is learn how 
to operate through the attack.'' In other words while the 
attack is ongoing to be able to still have the network operate, 
perhaps at a reduced capability, but degrade more gracefully 
than just falling off the cliff because there was an attack 
going on. So we have technology developments going on there.
    Some of the projects we have were listed in the testimony: 
Cyber Panel, Fault Tolerant Networks, Dynamic Coalitions, 
OASIS. And what we are doing is we are taking all of this 
technology and we are building a prototype system where we are 
going to be able to take our technology and implement it in a 
prototype network, a very large network, 400 nodes or so, 
typical of a military network, and then attack it and really be 
able to test our technology. Unfortunately, that will be, 
obviously, for obvious reasons, classified.
    So the last question is: Where are we going and what are 
our priorities? I believe that you asked that. As I said, we 
are focused on the problems that DOD must solve for network 
centric warfare. And these include problems not currently faced 
by the commercial world. DOD networks are--can be characterized 
as large, distributed, mobile networks of networks becoming 
increasingly wireless. We are facing very sophisticated 
attackers. I mean, these aren't just hackers going and erasing 
for mischief but really attackers whose life depends upon 
taking the network down. These networks have to assemble and 
reassemble on-the-fly, and they have to do this without any 
fixed infrastructure. In other words, we can't go in and put 
towers up and then have the networks arrive. These networks 
have to basically be what is known as a peer-to-peer network 
where each node in itself becomes the relay for communicating 
with other people.
    We are really far ahead of the commercial world in this 
regard, but there is great commercial interest in these DOD 
networks, especially those that do not require a fixed 
infrastructure, and the reasons for that are obvious: cost. If 
we could have a cellular network that didn't require the towers 
where each cell phone itself was a relay, you obviously have 
saved a lot of money on building the towers and also saved a 
lot of money in trying to get the towers put up.
    Now I know that--again, and I will close with that--you 
have been concerned about our level of funding, but let me 
assure you that we have, and will continue to have, a very 
robust program in information assurance, because we have to. 
The whole structure of the DOD depends upon that. And while we 
are putting more emphasis on the military's specific problems, 
the work we are doing will have a long-term beneficial impact 
on the commercial world, mainly because we are developing all 
of the capability in industry, and industry will undoubtedly 
take that capability and go two ways with it: one for the 
military and also one for the commercial world.
    And with that, I will be glad to answer any questions you 
might have.
    [The prepared statement of Dr. Tether follows:]

                Prepared Statement of Anthony A. Tether

    Mr. Chairman, Committee Members, and staff: I am Tony Tether, 
Director of the Defense Advanced Research Projects Agency (DARPA). I am 
pleased to appear before you today to talk about DARPA's work to 
develop secure Defense networks and how that work relates to the 
subject of cyber security, or what we call information assurance.
    Some of you may not be familiar with DARPA, so let me begin by 
saying a few words about who we are and what we do.
    Since the time of Sputnik, DARPA has had a special mission within 
the Department of Defense (DOD): maintain the technological superiority 
of the U.S. military and prevent technological surprise from harming 
our national security. DARPA does this by sponsoring revolutionary, 
high-payoff research that bridges the gap between fundamental 
discoveries and their military uses.
    Let me tell you a little bit about how DARPA works.
    Imagine a science and technology (S&T) investment time-line that 
runs from ``Near'' to ``Far,'' indicative of how long it takes for an 
S&T investment to be incorporated into an acquisition program. On the 
``Near side'' of this timeline we have a lot of investment that 
represents most of the work of the Service S&T organizations. This S&T 
tends to gravitate towards the Near side because the Services emphasize 
providing technical capabilities critical to the mission requirements 
of today's warfighter. This excellent work continuously hones U.S. 
military capabilities. However, it is typically focused on known 
systems and problems.
    In contrast, out at the other end of the investment timeline--we'll 
call this the ``Far side''--there is a much smaller investment that 
represents funding fundamental discoveries, where new science, new 
ideas, and radical new concepts typically first surface. People working 
on the Far side have ideas for entirely new types of devices, or new 
ways to put together capabilities from different Services in a 
revolutionary manner. But, the people on the Far side have a difficult, 
and sometimes impossible time obtaining funding from the larger, near 
side investors because of the near side's focus on current, known, and 
pressing problems.
    DARPA was created to span the gap between these two groups. DARPA's 
mission is to find the promising ideas (and people) out on the Far side 
and accelerate those ideas to the Near side as quickly as possible. 
DARPA emphasizes what future commanders might want and pursues 
opportunities for bringing entirely new core capabilities into the 
Department.
    Hence, DARPA mines fundamental discoveries--the Far side--and 
accelerates their development and lowers their risks until they prove 
their promise and can be adopted by the Services. DARPA's work is high-
payoff precisely because it fills the gap between fundamental 
discoveries and their military use.
    What is surprising to many people, but entirely in-line with 
DARPA's mission, is that only about five percent of DARPA's research is 
basic research. Basic research, much of that ``Far side'' investment, 
is primarily supported by organizations like the Office of Naval 
Research (ONR), the National Science Foundation (NSF), the National 
Institutes of Health (NIH), and the Department of Energy (DOE).
    Basic research creates new knowledge and technical capacity, 
whereas DARPA creates new capabilities for national security by 
accelerating that knowledge and capacity into use. So we count on 
institutions like ONR, NSF, NIH, and DOE to provide us with a feedstock 
of revolutionary technical concepts that we, at DARPA, can then develop 
and turn into revolutionary Defense capabilities.
    Through the years, DARPA has refocused its work in response to 
evolving national security threats and technological opportunities, and 
DARPA's Strategic Plan describes how we are pursuing our mission today. 
One of our eight strategic thrusts is Robust, Self-Forming Networks, 
which contains our work in information assurance.
    Let me briefly describe it to you:

DARPA's Strategic Thrust in Robust, Self-Forming Networks

    The Department of Defense is in the middle of a transformation to 
what is often termed ``network centric warfare.'' In simplest terms, 
network centric warfare is when military organizations and systems are 
seamlessly networked to change the terms of any conflict to favor U.S. 
and coalition forces. It will allow the United States and our allies to 
go beyond a simple correlation of local forces by providing them better 
information and letting them plan and coordinate attacks far more 
quickly and effectively than our adversaries can.
    However, at the heart of this concept are survivable, assured, 
spectrum-agile communications at both the strategic and tactical 
levels. The goal of this work is a high capacity network that degrades 
softly under attack, while always providing a critical level of 
service.
    To support this vision, DARPA is conducting research in areas that 
include: (1) self-forming ad hoc networks; (2) high capacity, 
multiband, multimode communications systems; (3) ultra-wideband 
communications; (4) spectrum sharing; (5) low probability of detection/
intercept/exploitation communications; and, (6) information assurance 
or cyber security.
    I could spend pages describing our efforts in the first five areas. 
However, our focus today is cyber security, so let me turn to what we 
are doing to ensure that those military networks are secure and 
reliable.

DARPA's Information Assurance Research

    What we at DARPA call ``information assurance'' (often referred to 
as ``cyber security'') is crucial to having the robust, self-forming 
networks required to successfully conduct network centric warfare. One 
must look no further than the ongoing Iraq War to see that the United 
States has been moving toward network-centric warfare.
    While people can debate the extent to which we have achieved 
network centric warfare, today's U.S. military forces are unmistakably 
network-dependent. Therefore, the very first thing that a sensible 
adversary would do to asymmetrically negate the U.S. force is take down 
our military networks. For quite some time, we have faced the very 
difficult problem of figuring out how to protect our military networks.
    DARPA has had information assurance work going on in some form and 
by some name for decades. But, in the early 1990s we started to 
concentrate in earnest on the problem of information assurance, with 
the usual DARPA focus on solving extremely hard problems. Initially, 
our emphasis was to secure hardwired computer networks. DARPA's 
approach to solving the problem of information assurance evolved, over 
time, to a layered approach.
    The first layer that we worked on in the early 1990's was 
preventing, or ``locking out'' cyber attacks. This resulted in the 
``firewalls'' that are commonly available in the commercial world 
today.
    In fact, today's commonly available commercial firewalls started 
with a DARPA project to protect the World Wide Web at the White House. 
The DARPA contractor that did this work published the firewall source 
code in the open literature, and from that work grew over a hundred 
firewall companies and an entire market for firewall products.
    The second layer in DARPA's approach to information assurance has 
been detecting attacks and limiting their damage. In addition to 
intrusion detection, DARPA has more recently demonstrated both hundred-
fold reduction in the false alarm rates that plague current intrusion 
detection systems, and the ability to detect new and novel forms of 
attack through anomaly based detection. Over the last two years, DARPA 
has demonstrated such detection capabilities in the field in major 
exercises such as the Navy Fleet Battle Experiment series.
    A third pursuit, and one that DARPA has been increasingly 
emphasizing, is developing the ability to operate through cyber 
attacks. The simple logic here is that we simply cannot block all 
attacks, nor can we completely limit the damage from attacks. So we 
have to be able to continue operating while an attack is underway, in 
spite of the damage that the attack may inflict.
    Let me give you a flavor of where we are today in some of the 
information assurance programs that we are working on at DARPA right 
now:

         The Cyber Panel program is working on ways to detect 
        new attacks in real-time, including previously unknown attacks, 
        predict what damage the attacks will inflict, and implement 
        effective defenses.

         The Fault Tolerant Networks program is working on 
        ways to ensure that a network remains available, even during an 
        attack, while restricting the network resources available to 
        the attacker. In fact, this program has resulted in a 
        commercial product, PeakflowTM, that is being used to protect 
        against Distributed Denial of Service attacks.

         The Dynamic Coalitions program is working on methods 
        to quickly set up secure networks--a critical problem for 
        today's U.S. fighting forces. Some of this technology is being 
        used in the joint DARPA-Army Future Combat Systems program, a 
        program that has network centric warfare as a starting 
        assumption.

         The Organically Assured and Survivable Information 
        Systems (OASIS) program is working to provide a ``last line of 
        defense'' by developing ways to enable critical DOD computers 
        (as distinct from the network level) to operate through a cyber 
        attack, degrade gracefully if necessary, and allow real-time, 
        controlled trade-offs between system performance and system 
        security through such techniques as redundancy and diversity of 
        operating systems.

    A prototype military system to produce Air Tasking Orders for the 
U.S. Air Force is also being developed. The system, and the underlying 
information assurance technology, will be tested in 2004 by subjecting 
it to a sustained cyber attack from a ``red team.''
    Much of what we have done, particularly for wired systems, has 
proved useful in both commercial and military systems. But, our focus 
is the specific problems DOD needs solved for network centric warfare.
    The military-specific problems that we are working on go beyond 
those faced by the commercial world today. Military networks, more than 
commercial networks, involve large-scale, highly distributed, mobile 
networks-of-networks that are increasingly wireless, deal with time-
critical problems, and face potential attackers who are extremely 
dedicated and sophisticated. Failure in military networks has extreme 
consequences.
    Moreover, network centric warfare involves networks that must 
assemble and reassemble on-the-fly on an ad hoc basis without having a 
fixed or set infrastructure in-place. In effect, we must achieve what 
has been called, ``critical infrastructure protection'' without 
infrastructure.
    In the most advanced cases, these are peer-to-peer or 
``infrastructure less'' networks. There is no fixed, in-place network 
equipment--the whole network architecture is fluid and reassembles 
dynamically. It could be that, in the long-term, commercial networks 
will acquire some of these features, but, for now the Department of 
Defense is in the lead in facing these problems.
    DARPA is taking a broad-based view of information assurance. When 
we think about information assurance, we include technology such as 
communications security and encryption as part of our solution. The 
threat to military networks is not simply hackers, but organized and 
well resourced nation states that want to eavesdrop on military network 
traffic, or interfere with it at precisely the wrong time.
    In fact, information assurance in a world of growing network 
centric warfare must become a regular feature of most military 
programs--in the same sense that everyone building an airplane must 
consider materials, not only material scientists.
    A significant and growing element of DARPA's work in information 
assurance is classified, and cannot be discussed in this forum. The 
future thrust is for more of these efforts to become classified. Why? 
Because of our increasing dependence on networks, their vulnerabilities 
and techniques for protecting them become more and more sensitive. 
Accordingly, our efforts have become classified.
    In the longer-term, I expect that DARPA's strategic thrust in 
Cognitive Computing could also lead to important contributions to 
information assurance. While I cannot discuss it at length today, our 
Cognitive Computing thrust aimed at developing computers and networks 
that are ``self-aware''--that is, computers that actually know what 
they're doing and know what is happening to them.
    Future network-centric warfare systems will be able to leverage 
``self-aware'' capabilities to determine when they are under attack and 
autonomically respond, and reconfigure themselves in much the same way 
as the human body reacts to an infection. If such systems could be 
built, they should be able to do a much better job of protecting 
themselves because they will understand that they're being attacked.
    I realize that there has been some concern about DARPA's level of 
funding in the area of information assurance. For example, some have 
expressed the opinion that our budget for this effort is dropping 
drastically.
    Let me reassure you that we have a robust program in information 
assurance, and we plan to continue this robust program in the coming 
years. There are natural variations in our budget, and they are due to 
several factors such as when large programs like Fault Tolerant 
Networks and OASIS come to an end.
    The budget structure does not always capture the great variety of 
information assurance work going on, particularly when it is an 
integral part of another program, as it is in Future Combat Systems. 
And, there are the aforementioned classified programs that obscure the 
budget picture.
    Thus, while we are putting more emphasis on military-specific 
problems, we will continue to have a robust program that will, in the 
long-term, have a broad, beneficial impact on the commercial world.
    Finally, I understand that a particular interest of the Committee 
is how we coordinate and disseminate the results of our research to 
other federal agencies and to the commercial world.
    Much of our interaction with industry stems from using companies as 
performers of our research, and the strong desire of smaller commercial 
firms to commercialize their technology. For instance, in 1999 DARPA 
foresaw the threat of Distributed Denial of Service that hit Yahoo and 
e-Bay a few years later, and invested accordingly to create the Fault 
Tolerant Networks program. Today, the nascent market for solutions 
against this threat consists primarily of technologies that have their 
roots in DARPA research, technology that can protect the military, like 
the example I mentioned earlier.
    DARPA also makes efforts to broadly communicate our results in a 
more structured way by sponsoring the DARPA Information Survivability 
Conference and Exposition (DISCEX) conferences. The audience at DISCEX 
is very broad, and it includes the extended research community, the 
operational military, developers of military systems, and the 
commercial industry that generates the ``off the shelf'' systems that 
comprise most military information systems.
    Our goal in these meetings is to stimulate scientists, developers, 
and joint operational customers with research products, experimental 
results, and capabilities emerging from DARPA research to better 
address the military's needs for information security. The most recent 
conference included over 250 attendees with 60 researchers giving 
technology demonstrations and produced two volumes of technical 
proceedings.
    In addition, while many ideas on information assurance are being 
exchanged informally through the professional relationships between 
researchers and the U.S. Government officials who sponsor their work, 
DARPA is the primary sponsor of the Infosec Research Council (IRC), an 
informal coordinating body begun in 1996 that is comprised of U.S. 
Government members concerned with funding and conducting research in 
information security/information assurance/cyber security. The IRC 
members include DARPA, the National Security Agency, the National 
Science Foundation, the National Institute of Standards and Technology, 
the Department of Energy, and the Federal Aviation Administration.
    I should also mention the collaborations and consultations between 
NSF and DARPA personnel. This interaction goes beyond the simple 
exchange of technical information that typically characterizes 
interagency information exchange programs.
    DARPA and NSF personnel for example co-fund particular projects 
where a true synergistic opportunity exists. NSF's program, ``Ultra-
High-Capacity Optical Communications: Challenges in Broadband Optical 
Access, Materials Processing, and Manufacturing'' has direct 
participation by DARPA personnel and a modest level of DARPA funding. 
NSF personnel likewise take part in DARPA source selection panels where 
similar technical interests can be found.
    NSF's ``Networking Research Testbeds Program'' is of special 
interest to DARPA in that it offers the possibility of making available 
world-class network testbeds to DOD contractors and personnel. Network 
testbed collaboration meetings are now routinely held by DARPA and NSF 
program managers, and I expect that these testbeds will be very useful 
as we explore alternative architectures, systems and protocols for 
future optical networks; wireless networks based on spectrum sharing; 
distributed sensor networks; and networking in highly dynamic and/or 
harsh environments. We have also been having discussions with NSF 
personnel about our thrust in Cognitive Computing.
    The Department of Defense is steadily increasing its dependence on 
information systems that are crucial to our future vision of network 
centric warfare. I hope my remarks today have given you a sense of what 
DARPA is doing to ensure that those networks perform reliably and that 
they remain secure.
    I would be happy to answer your questions.

                    Biography for Anthony J. Tether
    Dr. Anthony J. Tether was appointed as Director of the Defense 
Advanced Research Projects Agency (DARPA) on June 18, 2001. DARPA is 
the principal Agency within the Department of Defense for research, 
development, and demonstration of concepts, devices, and systems that 
provide highly advanced military capabilities. As Director, Dr. Tether 
is responsible for management of the Agency's projects for high-payoff, 
innovative research and development.
    Until his appointment as Director, DARPA, Dr. Tether held the 
position of Chief Executive Officer and President of The Sequoia Group, 
which he founded in 1996. The Sequoia Group provided program management 
and strategy development services to government and industry. From 1994 
to 1996, Dr. Tether served as Chief Executive Officer for Dynamics 
Technology Inc. From 1992 to 1994, he was Vice President of Science 
Applications International Corporation's (SAIC) Advanced Technology 
Sector, and then Vice President and General Manager for Range Systems 
at SAIC. Prior to this, he spent six years as Vice President for 
Technology and Advanced Development at Ford Aerospace Corp., which was 
acquired by Loral Corporation during that period. He has also held 
positions in the Department of Defense, serving as Director of DARPA's 
Strategic Technology Office in 1982 through 1986, and as Director of 
the National Intelligence Office in the Office of the Secretary of 
Defense from 1978 to 1982. Prior to entering government service, he 
served as Executive Vice President of Systems Control Inc. from 1969 to 
1978, where he applied estimation and control theory to military and 
commercial problems with particular concentration on development and 
specification of algorithms to perform real-time resource allocation 
and control.
    Dr. Tether has served on Army and Defense Science Boards and on the 
Office of National Drug Control Policy Research and Development 
Committee. He is a member of the Institute of Electrical and 
Electronics Engineers (IEEE) and is listed in several Who's Who 
publications. In 1986, he was honored with both the National 
Intelligence Medal and the Department of Defense Civilian Meritorious 
Service Medal.
    Dr. Tether received his Bachelor's of Electrical Engineering from 
Rensselaer Polytechnic Institute in 1964, and his Master of Science 
(1965) and Ph.D. (1969) in Electrical Engineering from Stanford 
University.

                               Discussion

    Chairman Boehlert. Thank you very much. Thank all of you. 
Which one of you is the lead agency in cyber security? Tell me 
what that means being the lead agency.
    Dr. Colwell. As the lead agency in cyber security, we, 
particularly in the area of research, work together with the 
other agencies to coordinate the focus of the research and to 
ensure that there is integration of the research effort, non-
duplication, and there is enhancement in access, particularly 
the role of NSF, access to outstanding science to the other 
agencies. And we----
    Chairman Boehlert. So that is sort of an interagency 
coordinating committee? Is that----
    Dr. Colwell. Yes, we have a working group, the NITRD 
Working Group, the Networking and Information Working Group 
that is chaired by Peter Freeman. We also have another--we have 
other information technology coordinating groups, and we work 
together in ensuring that we know what the other is doing, 
particularly strong with NIST, because NIST acts as the 
standards----
    Chairman Boehlert. But am I--are we to assume that your 
coordinating group, for example, as Dr. Tether pointed out to 
us that increasingly a higher percentage of their work is in a 
classified arena, do we assume that all of the members of the 
coordinating group or Working Group have the necessary security 
clearance in order to deal in the responsible way that that 
work that DARPA is doing and--in the black area and that you 
can factor that in as you determine the direction you are 
going----
    Dr. Colwell. Yes.
    Chairman Boehlert [continuing]. For the government?
    Dr. Colwell. Yes, as a matter of fact, that is the case. 
And we have detailed to Dr. McQueary's--an NSF individual, who 
has been cleared and who is working to connect to agencies and 
to provide, initially, the capability for cyber security within 
Homeland Security.
    Chairman Boehlert. Well, I hope you all can comfort me and 
the Members of the Committee, so if you know the answer, I 
would like, but I am not sure it is the answer that you can 
feel comfortable in giving me. But are each of you convinced 
that in your agency and within the government we are giving 
sufficient priority to the needs of cyber security? We will 
start with you, Dr. McQueary.
    Dr. McQueary. If you ask are we giving sufficient priority, 
today the answer is probably no, but I do believe that we have 
a plan in place to be implemented quickly that will put the 
proper emphasis on it. And that major emphasis from a 
Department of Homeland Security standpoint, will come from the 
Information Analysis and Infrastructure Protection Directorate, 
and the Science and Technology Directorate will be actively 
working with them to--from the scientific and technological 
aspect of it.
    Chairman Boehlert. Dr. Colwell, I think you have already 
really answered that question.
    Dr. Colwell. Yes. I would say that I agree with Dr. 
McQueary. We--as a Nation, we are not focusing sufficiently on 
this very real threat. I have just come back last night from a 
meeting in London of the science--my counterparts in the 
science agencies. It is an international problem. And we also 
need to understand that we are increasingly being cyber 
security attacked from outside the country as well as hackers 
within. And I think we are beginning to understand how serious 
this problem is that we haven't really gotten to where we 
should be, in my opinion.
    Chairman Boehlert. Dr. Bement.
    Dr. Bement. This requires a very comprehensive approach. 
Through our work, we have worked not only with industry but 
academia and also international bodies and also all of the 
federal interagency coordinating boards and councils to improve 
the information technology R&D working group, which up until 
recently was chaired by a person from NIST, Cita Furlani, who 
is now our CIO. We have a pretty good fix on where the 
vulnerabilities are. I think we have done enough workshops with 
industry and different industrial sectors that we know where 
many of the vulnerabilities are in some of their control 
networks and in information systems. And you are right. This is 
going to require a much higher level of effort than we have 
currently engaged in, and it is going to have to come fairly 
soon if we are going to meet some of the vulnerabilities that 
currently exist.
    Chairman Boehlert. Dr. Tether.
    Dr. Tether. Given that we are idea oriented and project 
oriented, I--we are not lacking for funds. We are, perhaps, 
lacking for ideas. And what you see happening right now is--and 
one of the reasons why the budget is coming down is that 
current programs are ending very successfully. But on the other 
hand, we don't really have the number of ideas in this area to 
solve the problem that the DOD faces. I have funded every idea 
that has come forth in this area over the last year, including 
building the infrastructure to allow people to have a test bed 
and a lot of other things. So we are more idea limited right 
now than we are funding limited. Now that is why we spent a lot 
of time dealing--collaborating with organizations like NIST and 
NSF, and we will with Chuck as soon as we figure out where--
what his address is.
    Chairman Boehlert. Well, in all fairness to DHS, I mean, 
they just stood up, what, 1 March, and they have got a 
monumental task, but----
    Dr. Tether. But we will do that, and in fact, in this case, 
he has got quite a few DARPA people there, so the--you know, 
the relationship between the two organizations is very good 
from the start. But we are constantly searching for ideas. And 
right now, this is a very tough problem. And from the DOD 
viewpoint, we can't fail. I--see, we are not as concerned--we 
are not concerning ourselves, and that may be discomforting to 
you, on the commercial networks. Hopefully somebody is doing 
that. We believe our technology will apply, but if we don't 
solve this problem of making these networks reliable and 
available through attacks, the whole military structure that we 
are building in the future is at stake. And so we really can't 
fail in this area. And I hope that answers your question.
    Chairman Boehlert. Yeah, it does. And if I were to 
summarize, I would think I would summarize in this way, that 
you all feel that we are not giving sufficient priority now, 
but we are moving in that direction. And we need to give it the 
highest of priority.
    Dr. Tether. Oh, it has to be the highest priority.
    Chairman Boehlert. And I see all heads nodding yes, for the 
record. Thank you very much. My time is expired. Mr. Miller.
    Mr. Miller. Thank you. Dr. McQueary, the realization that 
you were no longer my constituent diminishes only slightly the 
pride that I feel that you were in--being in the position that 
you are in. And I know that the people in Greensboro feel a 
great deal of pride as well.
    Dr. McQueary. Thank you.
    Mr. Miller. And your resume does seem to be exactly what we 
need for your position. You have the technical expertise, and 
you supervise people with similar expertise. But I am wondering 
to whom you speak within the Executive Branch. When you are 
preparing a budget, who do you present it to at OMB? What is 
their background? What is their level of expertise? What is the 
highest level person in OMB who really deals only with cyber 
security?
    Dr. McQueary. I don't know--personally know the answer to 
that question because I haven't engaged anyone in a discussion 
directly in that area. I am sure I have got someone behind me 
who can answer the questions. If you would like me to ask them, 
I would be happy to do so.
    Mr. Miller. Okay.
    Dr. McQueary. I am told Steve McMillin is the name of the 
individual that we deal with, and he, of course, works for Mark 
Forman in OMB.
    Mr. Miller. And do you know what Mr. McMillin's title is?
    Dr. McQueary. No, I don't. He has the homeland security 
responsibility and R&D, I am told.
    Mr. Miller. Okay. I think it was just in April that Richard 
Clarke, who had been at the White House and involved in cyber 
security, said that the answer to the question who is the 
highest ranking person at OMB who works just on cyber security 
was pretty frightening. Is that still the case? Is it still a 
fairly low-level person or is it something that does get 
attention at what appears to be the appropriate levels of OMB 
with someone with that expertise?
    Dr. McQueary. I do not know the answer to the question, 
sir.
    Mr. Miller. Okay. A second question, it certainly appears 
that if--in--within the private sector that if one industry's, 
one company's cyber security was insufficient, if it suffered 
an attack, there would likely be a ripple of economic loss, a 
disruption to others that that business deals with. Is that 
generally correct?
    Dr. McQueary. I would say that would certainly gain a lot 
of attention. And I think--if I could just inject, I think it 
is very important that private industry play a key role in this 
whole issue of cyber security, because it would be--since some 
85 percent of the industry is privately--what we have in this 
infrastructure in the country is privately held and therefore 
private industry has to have a strong interest in helping 
determine what kind of cyber security protection we must have. 
In fact, any CEO of a company has a responsibility to his or 
her shareholders to be concerned about such an issue would be 
my view.
    Mr. Miller. Okay. Or a little concerned not just about 
their--maybe to their shareholders, because their duty to their 
shareholders is just to be profitable, but the duty to the 
people with whom they do business. I know that the 
Administration's--or I understand the Administration's approach 
has been not to require by regulation cyber security standards 
but that the Department promulgates best practices and 
methodologies----
    Dr. McQueary. Um-hum.
    Mr. Miller [continuing]. And that that would be advice--
encouragement to the private sector to adopt the appropriate 
level of precautions. Is that generally the approach, not 
require by regulation but promulgate best practices and 
methodologies?
    Dr. McQueary. If you would let me defer that question to 
one of my peers, who are more knowledgeable about it, I would 
certainly appreciate it, because I simply have not engaged 
myself in the short time I have been in this job and the 
subject to be able to speak adequately to it.
    Mr. Miller. Does anyone on the panel--yes, sir.
    Dr. Bement. We regularly hold workshops with industry to 
try to understand their vulnerabilities. In fact, it has been 
major activities of ours over the last two or three years since 
9/11. And in addressing that, we had been working with the 
standard development organizations to not only develop 
standards but also we have been working to develop prototypes 
to understand better what those vulnerabilities are along with 
test beds. In order to accelerate standards developments, we 
are working with the Department of Homeland Security. We have 
detailed one of our senior scientists, who heads up the 
standards activities within Dr. McQueary's organization. And we 
have also detailed another person, who is an expert in cyber 
security. And in addition to that, we have one of our senior 
people working with ANSI in what is now called the Homeland 
Security Standards Panel, which is working with the standard 
development organizations to try and fast track new standards 
to bring new products in the marketplace that will meet the 
reliability and the security requirements that will meet the 
needs of industry in this area. So it is almost a full court 
press at the present time.
    Chairman Boehlert. All right. The gentleman's time has 
expired. I know he has, as we all do, more questions. So we 
will have a second round of questioning. We will go now to the 
distinguished Chairman of the Subcommittee on Research, Mr. 
Smith of Michigan.
    Mr. Smith of Michigan. Thanks for an exceptional, qualified 
panel to help us decide where we should go on encouraging the 
directions that we think we should go to protect ourselves. It 
seems to me--help me understand a little bit in terms of the 
technology. It would seem like it is almost a weapon system. If 
you develop a better weapon system and then the other side 
develops a better weapon system, and it keeps building up from 
firewalls to mitigating attacks to how to operate even if the 
attacks are there, like you suggested, Dr. Tether. But 
following up a little bit on Mr. Bell's comment and Dr. 
McQueary's suggestion that, look, the private sector on how we 
use computers and software to decide how our food is going to 
be shipped where so it gets where it belongs to how we transmit 
electricity to how we run our airlines, how do you decide the 
balance, Dr. Tether, in protecting the kind of classified 
research that is going to enable our Defense Department to 
communicate and do things without intervention with the need to 
use some of that research in the private sector?
    Dr. Tether. Well, we have a--logistics is a good example of 
what you are talking about, which is very close to--you know, 
most of the Department of Defense is moving supplies. And there 
is a logistics organization called Transcom, which happens to 
be located in Illinois. We are developing for them a technique 
which will allow them to basically be able to go into the 
distributed databases to find out where supplies are and then 
create all of the transportation required to get those supplies 
to the place they are needed. And we are concerned about, once 
you have distributed databases, of somebody getting into that 
distributed database and not--either not allowing you to do it 
or changing the data. So it is a very crucial thing for the 
Department of Defense to have this be secure and assured.
    Mr. Smith of Michigan. But still, my--both my points, the 
more that you accommodate the need to protect in the private 
sector, the more vulnerable you are to discovering some of the 
vulnerabilities of that system after you--because it is more 
available.
    Dr. Tether. That is correct. And in this particular case, 
the technology that is being used is what we happen to call 
``intelligent agents''. These are little software modules that 
effectively--think of it as a--really as an agent that goes out 
and looks for you and brings you back answers.
    Now this is working very well. We have made it very secure. 
We have shown that--doing it this way, that we can, with high 
confidence, know that the data is not being corrupted, and that 
the system can operate through an attack. The details of how we 
do it, in the military, are classified. However, the technology 
of intelligent agents, distributed intelligent agents working 
together to do this, is unclassified. And again, we are 
developing this technology with a company. And this company 
sees a business in it, not only for supplying the military with 
this capability, but also supplying private industry. Ford 
Motor Company has the same problem. I mean, they buy parts all 
around the world, and they basically have a logistics problem. 
How do they get parts here and there? And they are very 
interested in making sure that their databases are secure and 
that somebody doesn't get in.
    So here is a company that will take the technology that was 
developed by the military, which will remain classified in the 
terms--in the context of the details, but is able to use that 
technology for a commercial application. I hope I am answering 
your question.
    Mr. Smith of Michigan. Yeah, you are, certainly.
    Dr. Tether. Okay.
    Mr. Smith of Michigan. My next question, Dr. Colwell. 
Anyway, good to see you. In terms of virtual centers compared 
to bricks and mortar centers, in our--in this Act, in our Cyber 
Security Research and Development Act, we put in language that 
would be directing the National Science Foundation to develop 
physical centers. And we put in similar language, so it is a 
two-fold question in the area of interest that I have expressed 
many times, is the biological centers that we asked for in our 
NSF authorization bill. And it seems in both cases you have 
tended to lean toward virtual centers rather than following 
what I consider the intent of both bills in terms of developing 
real centers.
    Dr. Colwell. Actually, we have physical sites that are 
connected. The approach that we take, and we feel is very 
powerful, is to bring the versatility and the diversity of 
capability that is located in different parts of a given region 
and to link them, even though they represent physical sites, to 
link them by the capacity of a cyber infrastructure. That means 
that you have, for example, the--at--in Missouri, Indiana, 
Illinois, and Washington State, you have different 
capabilities, but when brought together, it becomes a very 
powerful approach to addressing sequencing and getting it done 
rapidly and effectively. And I think similarly, what we are 
trying to do here, and actually it is in response, I think, to 
an interest of the Chairman, is to bring together, as fast as 
we can, the capability that is there, strengthen it, and at the 
same time, determine how we build further capacity through 
specific programs.
    And I would like to address the comment about ideas. NSF is 
focusing research on embedded systems, like those that are used 
to control the Nation's power grids. And we are also looking at 
the interplay between the human and the computer to better 
understand human behavior and the use of computers and then 
future generations of systems that would be beyond the 
currently used systems. And I must tell you that there is an 
enormous interest in the community, because we have many, many 
more proposals than we can possibly fund. And these are good 
ideas. These are very good ideas, and they need to be pursued.
    And then one very brief sideline, Congressman Smith, 
because I know of your interest in this, the British are very--
how should I say? They are understanding that they have got to 
get beyond this genetically modified food situation, and they 
are pushing really hard to get the acceptance----
    Mr. Smith of Michigan. I think you might be talking to the 
scientists rather than the traders.
    Dr. Colwell. These were folks that----
    Mr. Smith of Michigan. Oh, these are policy issues.
    Dr. Colwell [continuing]. Are policy folks. These are 
policy folks.
    Mr. Smith of Michigan. Mr. Chairman, thank you. But you 
know, both in the centers that we call for and the computer 
network security research centers in this cyber security bill, 
the advantages of the interdisciplinary individuals being able 
to talk to each other and feel each other out seems to me that 
it has a great advantage over virtual centers where you are 
simply putting out grants. And I yield back my time.
    Chairman Boehlert. The gentleman's time is expired. Mr. 
Davis.
    Mr. Davis. I yield two minutes of my time to Mr. Miller.
    Chairman Boehlert. Mr. Miller is recognized for two 
minutes.
    Mr. Miller. Thank you, Mr. Davis. Dr. Bement, just a couple 
more questions. Essentially, the same question I asked of Dr. 
McQueary, has there been an assessment within the private 
sector of whether vulnerability to one entity within the 
private sector does have ripple effects if it causes--obviously 
it can cause, as Dr. McQueary points out, huge economic 
disruption and vulnerability to that entity. But does----
    Dr. Bement. Yes.
    Mr. Miller [continuing]. It have a ripple effect? Does it 
cause--is there--would there be an expectation when this 
assessment of what effect it may have on others and--in--within 
the private sector?
    Dr. Bement. Yes, there have been those vulnerability 
assessments, and let me just cite three examples. All of you 
know what the impact was of the strike out on the West Coast 
and how that tied up supply chains throughout the country and 
how that rippled through our economy. So our transportation 
systems are all interconnected and all--interconnected in terms 
of their vulnerabilities, and that would be a major backup. 
Also, with regard to our manufacturing enterprises because 
there is a supply chain linkage. And many of these enterprises 
are global in nature and depend on, again, the global supply of 
parts and so forth. Any disruption, especially across our 
borders, and especially in the Great Lakes Area with Canada and 
south with Mexico, that would also have a ripple effect as far 
as our whole logistics trains throughout the supply chain.
    The other part that I would also cite is the vulnerability 
of our electric power grid. I might mention parenthetically 
that before I came to NIST, I was at Purdue University and 
using intelligent agents in a project co-sponsored by the 
Department of Defense to use intelligent agents to come up with 
more robust control systems to deal with upset conditions in 
our electric power grid. But that would also have a ripple 
effect, because the loss of a shunt or the loss of a major 
element, critical element in the electric power grid could, of 
course, be propagated across the country. So that would have 
major implications. And one of the vulnerable components there 
is the Supervisory Control and Data Acquisition System, or the 
SCADA control system, which do have to be made secure. And NIST 
has been working with the industry. We have been giving grants 
in this area to figure out how we can deal with the security 
aspects of information flows that control these SCADA control 
networks, some of which now operate on the Internet. So you 
know, this is a new development in recent years using the 
Internet to control operations across the country.
    Chairman Boehlert. The gentleman's time has expired. Mr. 
Davis, you can reclaim your time, but just let me observe that 
what George Carlin might refer to as the stuff of comic book 
lore is now a reality. I mean, we have to redefine what war is. 
It is very possible that the next war would not be fought with 
guns and bullets but with computers and--from afar. They don't 
even have to leave their point of origin. A nation could 
effectively wage war on another nation. That might not be as 
devastating in terms of loss of life, obviously, but the losses 
would be just monumental. And it is the--that is why, I mean, 
this committee is so concerned about cyber security and we are 
so avid in our pursuit of attention for this subject and trying 
to get people to realize what you have all acknowledged. But 
too many people are much too casual about it.
    Mr. Davis.
    Mr. Davis. Mr. Chairman, thank you. And I do reclaim the 
remainder of my time. I have basically one question. It will 
have a two-part to it. Many of the questions I have would have 
been asked and perhaps would have been asked by many, such as 
Mr. Miller and others, but the President, our Administration 
basically has described our national strategy for--to secure 
cyberspace is through the Office of Science and Technology 
Policy, which is referred to as OSTP, which basically will be 
coordinating, supposedly, and every year will be--each of your 
entities will be coordinating, bringing together information 
starting with fiscal year 2004. As I hear each of you giving 
testimony, Dr. McQueary and Dr. Tether basically mentioned the 
INFOSEC Research Council. Dr. Colwell, you made reference to 
the network and--Networking and Information Technology Research 
Development Interagency Working Groups. Now as I listened to 
each of those, I assume that perhaps each one that is providing 
research development is somewhere assimilating the information 
and then you get together with someone as you discuss what you 
are doing, what your research and development is providing. Are 
you finding working with the Office of Science and Technology 
Policy is--are you able to effectively work there? Are you 
coordinating your information together or do you find that you 
are basically out on your own on an island?
    Dr. Colwell. No, we are coordinating. In fact, we have had 
discussions, particularly on computing research, and especially 
effective is the--putting together the budget requests, making 
sure that it is coordinated, because the--I mean, I can not 
speak for the Science--the Director of OSTP except for my 
interactions and say that this is a major interest and concern 
of OSTP and making sure that all of the agencies are doing a 
coordinated effort toward solving the problem. Yes, I see that 
happening.
    Mr. Davis. And that is happening, and you are happy with 
the coordination of it and with getting results?
    Dr. Colwell. Well, I have to, again, just as we all four of 
us have said, that even though we had a Cyber Trust program 
started September 6, before 9/11, and have gone--our work goes 
back to 1978, it is only in the last--I would say the last year 
or so that this intensive understanding of the disasters that 
hacking into systems creates that we now are putting a very 
strong attention to this.
    Mr. Davis. Is there a plan in place, step-by-step how this 
is going to happen? And are you also working with private 
industry to gather information?
    Dr. Colwell. Yeah, the--we are developing a plan, and I 
think probably Dr. Bement can speak more conversantly with 
private industry, but we, too, work with industry in our 
centers, our science and technology centers, our engineering 
research centers, and certainly in developing a center approach 
for cyber security.
    Mr. Davis. So there is not a plan currently step-by-step 
that is being developed?
    Dr. Colwell. Being developed.
    Mr. Davis. I certainly hope it occurs pretty quickly. Dr. 
Bement.
    Dr. Bement. Of course, one of NIST's responsibilities is 
look--is to look after the security of our federal agencies as 
far as sensitive information flows. And that work is 
coordinated through any number of councils: the CIO Council, 
the PITAC, the PCAST, the INFOSEC Research Council that has 
been mentioned. There is a federal security program managers' 
forum. And we take that information and we pull it together to 
develop our program and to establish our priorities. But within 
each one of these bodies, there are plans that, in many cases, 
tie back to the Office of Management and Budget, which links to 
the President's cyber security plan, so that--there has been a 
lot of planning being done. We are doing a lot within NIST. We 
are doing a lot of it interactively with the organizations that 
are represented here along with NSA and other agencies. And we 
look pretty much to OSTP for the coordination of the research 
and development program within the federal agencies through 
their information technology R&D working group.
    Dr. Colwell. I would like to, if I may, provide a 
reassurance in the fact that what you don't see, what isn't 
obvious, is that there is strong collaboration and cooperation. 
As I have said earlier, we have detailed one of our very good 
people to Homeland Security to help get that started up. We 
have been working with the intelligence agencies, the Defense 
agency and DARPA and with our scientist panels inviting 
scientists from those agencies to sit in on the NSF panels. And 
then where there is interest in the research that is being 
proposed and discussed, they can add funds to it and make sure 
that it gets enhanced. So we are doing quite a lot of what 
would be not openly and clearly visible. But there is a great 
deal of interaction.
    Mr. Davis. What my hope would be, obviously, is that each 
different entity that is doing research and development would 
be able to follow a plan that would provide the information. 
And I am not sure that--I don't sense that that is happening 
today, so my hopes are that from this hearing that there will 
be efforts to encourage such action to be taken.
    Chairman Boehlert. The gentleman's time is expired. The 
Chair recognizes the distinguished Chairman of the Subcommittee 
on Environment, Technology and Standards, Dr. Ehlers.
    Mr. Ehlers. Thank you. Mr. Chairman. First of all, I have 
been struck with all of the work that is going on in cyber 
security, and it sounds like very good work, what we may call 
``cyber defense against enemies foreign and domestic.'' Dr. 
Tether, what do you have going on in the what you might call 
``cyber offense,'' in other words cyber warfare? What--do you 
have programs within Defense dealing with how you would attack 
enemies----
    Dr. Tether. Yes, we do. And unfortunately, I probably can't 
say much more than yes we do.
    Mr. Ehlers. All right.
    Dr. Tether. But I would be happy to come and tell you about 
it, I just----
    Mr. Ehlers. Yeah. I----
    Dr. Tether [continuing]. Can't here. It is----
    Mr. Ehlers. There may be several of us who would like to do 
that at some point.
    Dr. Tether. Okay. That would be fine.
    Mr. Ehlers. I also was struck by, and I am paraphrasing 
what you said, I hope correctly, that Dr. Tether, that you said 
you are looking for a lot of good ideas that you can try and 
implement. Dr. Colwell, you were saying you have a lot of ideas 
but no money to do it. I would suggest the two of you get 
together afterwards.
    Dr. Tether. Well, we do. In fact, as Dr. Colwell said, 
there is an enormous amount of collaboration going on----
    Mr. Ehlers. Right.
    Dr. Tether [continuing]. At the--what I would--we would 
call at DARPA the Program Manager level. In fact, when this 
hearing was called, I asked, I said, ``How much''--``What is 
going on between us and NSF?'' And I was amazed at how much was 
going on that I didn't know about.
    Mr. Ehlers. I realize that. Dr. Bement.
    Dr. Bement. Yes.
    Mr. Ehlers. First of all, I commend you for your efforts to 
try to speed up the standards process for the----
    Dr. Bement. Thank you, sir.
    Mr. Ehlers [continuing]. Information technology. That is 
absolutely essential, because they are very frustrated and 
ready to set up their own informal standards organization. So I 
encourage you to pursue that diligently. I appreciate----
    Dr. Bement. I will.
    Mr. Ehlers [continuing]. What you have done. First question 
is on a type of cyber security we haven't discussed here at all 
and that is voting security.
    Dr. Bement. Yes.
    Mr. Ehlers. I am very, very concerned about that, because I 
think that is essential to the proper functioning of a 
democracy. And we passed a bill last year, which provided money 
for local governments to buy new equipment. At my insistence, 
responsibility was given for you to establish standards for 
these. And I am very concerned. States and localities are 
already going out and buying equipment and--without an 
assurance of security. And I just covered in my conversations 
with elected--pardon me, election officials, who are very, very 
knowledgeable about the process, but many are not knowledgeable 
about cyber security. They just don't realize the pitfalls, and 
it is possible for a good hacker to basically steal an election 
without anyone even knowing about it the way some of the voting 
machines are constructed. So what is the progress on setting up 
the commission, setting up the standards, and so forth?
    Dr. Bement. First of all, I agree, entirely, with your 
assessment. We have looked into this matter. We have research 
going on, and we have dealt with many vendors in trying to 
understand their systems. Unfortunately, much of the 
information is proprietary, and we almost have to reverse 
engineer to understand them completely. But with regard to 
electronic voting machines, the interface between the software 
and the hardware leaves plenty of room for cyber attack, for 
fraud, for lack of trust. We talked about trust earlier. And 
this is an area where we have to be very active in standards, 
and we feel this needs to be attended to, and we need to put 
much more effort behind it.
    Mr. Ehlers. I urge you to pursue that very, very 
aggressively, because it is a major problem, and the public is 
simply not aware of it.
    Dr. Bement. It has high priority, as far as I am concerned.
    Mr. Ehlers. And if you need greater legislative authority 
to obtain proprietary information, that is something we should 
talk about as well, because I----
    Dr. Bement. Well, I think we have the authority. I think we 
have some understanding, not complete understanding of what 
needs to be done. We just have to go out and get it done.
    Mr. Ehlers. I appreciate that. The--also, another area 
within NIST, you have talked a lot about your activities of 
various sorts, but to what extent are you involving the higher 
education community? And I am talking about two ways: one is 
through supporting research there, but secondly through 
training of students. And I was astounded to discover recently 
that the number of math and science--pardon me, math and 
computer science majors graduating from undergraduate 
institutions today is less than it was approximately 15 years 
ago. And in fact, there was--it has dropped. It is starting to 
come back, but we are still not up where we were. Clearly, 
there is a real need for training of these people, and I am 
amazed. I just met someone in the airport the other day from my 
home state at a higher educational institution, a very 
prominent person in information technology, who was--degree was 
in master of divinity, and that shows maybe you need that to 
operate a computer properly. I have always wondered if there 
are any strange spirits inside of my computer. But it shows the 
extent to which we are recruiting from people who have not been 
trained----
    Dr. Bement. Yes.
    Mr. Ehlers [continuing]. In this field.
    Dr. Bement. Clearly, the Committee has recognized one of 
the key issues, and that is a need for more education and 
training. And that is one of our biggest vulnerabilities. It is 
not just that we don't have the policies and the procedures and 
the specifications; we don't have the trained personnel to 
manage the systems. And it is in this regard that we look to 
the National Science Foundation to do the manpower training, 
which we, of course, want to work with them on. But beyond 
that, in our post-doctorate program at NIST, which is managed 
through the National Research Council, we are trying to pull in 
more expertise at the post-doctorate level working at NIST in 
cyber security so that we can leverage some of our ongoing 
activities and so we can identify some of the new talent coming 
out of the universities who eventually, hopefully, will join 
our research staff.
    Also, in linking up with the research community, I did 
mention that we did have $5 million that did go out in research 
grants to universities. We follow that quite actively. We have 
worked with Dartmouth in their program and helping them roadmap 
or at least reviewing their road map for cyber security 
research and development. We have similar interactions with 
other universities, but I think the most exciting opportunity 
is in the Cyber Research and Development Act. By coupling 
industry with academia and bringing an understanding of the 
needs and the technical insights, which industry can bring with 
the scientific insights, which academic researchers can bring 
to the table, and then finding ways to developing prototypes, 
standards, and test beds to try and reduce the lead time of 
getting new technologies and new approaches to cyber security 
into the marketplace in the earliest time possible.
    Chairman Boehlert. The gentleman's time is expired. Ms. 
Woolsey.
    Ms. Woolsey. Thank you, Mr. Chairman. Dr. Colwell, it is 
nice to see you, gentlemen. Thank you for knowing so much. Mr. 
Chairman, I have a letter here from the Information Security 
and Privacy Advisory Board, which is a board established and 
funded by the Science Committee, the Computer Security Act of 
1987. And it is responding to the President's report, which is 
huge, that was dated February 2003. And the very final 
statement, I am not--of course I want to enter this into the 
record and ask unanimous consent to do that, but----
    Chairman Boehlert. Without objection.
    [NOTE:The information referred to appears in Appendix 2: 
Additional Material for the Record.]
    Ms. Woolsey [continuing]. The last statement in the letter 
regarding the reports, ``Additionally, the strategy minimally 
acknowledges the critical issues of information and citizen 
privacy and fails to provide specific actions or 
recommendation. The Board believes this must be addressed as 
well.'' And so my question to you is are we addressing--I know 
nothing will be perfect, but are we addressing the tradeoff 
between privacy and confidentiality and the need for security?
    Dr. Bement. Well, let me respond to that. That particular 
board is funded by DARPA and is advisory to me--I am sorry, by 
NIST and is advisory to me as the Director of NIST. So we 
support the board and its activities. And of course, we do take 
their recommendations very seriously, and those eventually 
become priorities in our program. Recently, we have, through 
our interactions with the National Science Foundation and with 
the Department of Homeland Security, invited them to become 
much more active in the workings of the board. And the board 
will be meeting, I think, in June. The board will be meeting in 
June, and we will certainly be discussing their recommendations 
again at that time.
    Dr. Colwell. But I would also like to add that we plan to 
provide more funding to make sure we understand the interplay 
between policy and technology and human behavior and technology 
and the need for privacy in developing a cyber secure system. 
So we intend to do a lot more research in that area as well.
    Ms. Woolsey. And balancing the privacy piece with the 
security piece.
    Dr. Colwell. Yeah.
    Ms. Woolsey. I am sure that this has been answered, but for 
some reason I can't wrap my mind around--my intellect around 
some of the technical conversation we have had here, so what I 
would like to do is ask you in down-to-earth questions--words a 
couple of things. Do we have adequate tools to--in place? Are 
we putting--getting ready with--for that, and if not, why not? 
What is holding us up? And is there a way to spread the costs 
of these developments among other--many agencies or private 
industry as well? Rita.
    Dr. Colwell. The answer is yes in that we are beginning to 
put together what really is needed, and that is a concerted, 
coordinated, and as a result of the Act that was passed, a 
focus on the need for cyber security. We do have components of 
it in place, and we are coordinating it. But we believe, at 
NSF, that there is a lot more research to be done, and what we 
are trying to do is balance the research that is needed to 
advance computer architecture and software development, et 
cetera, with this very pressing need for the security of the 
systems. So you can't really pull money out of the research to 
make better systems, because that is part of the problem, but 
at the same time, you can't neglect the security aspects of it. 
So this is a real--at this particular transition stage, this is 
a very difficult push and pull.
    Dr. Bement. I would answer slightly differently. Clearly, 
there is a research agenda, and there is a technology agenda, 
but in our assessments, we find that the greatest 
vulnerabilities are not necessarily technical vulnerabilities. 
They are primarily an ill-educated user population, lack of 
adequate cyber security research expertise, poorly designed 
systems and software, specific vulnerabilities in commercial IT 
products, and new technologies that are coming into the 
marketplace with inadequate testing at the design and 
manufacturing stages. So a lot of what is missing is knowledge, 
education, and discipline in the system.
    Dr. Colwell. Could I add another comment, please, and that 
is to point out that what we are finding in our discussions 
with the community is that we really have to include in all of 
the information technology and computer science training an 
understanding of cyber security and understanding of the need 
for secure systems and that just having an undergraduate and 
graduate program on security isn't enough. It has got to go 
across all of the training, just as Dr. Bement has pointed out, 
in order for people to understand what it entails and how to 
address it.
    Ms. Woolsey. I will----
    Chairman Boehlert. The gentlelady's time--well, all right, 
one more.
    Ms. Woolsey. Dr. Bement, you did say, though, we know what 
needs to be done, I am paraphrasing you, it's just doing it. 
What is stopping us?
    Dr. Bement. Nothing is stopping us. Of course----
    Ms. Woolsey. Is it time?
    Dr. Bement [continuing]. Resources--we could accelerate if 
we had more resources, but a lot of it----
    Ms. Woolsey. Resources. Well, that is stopping. That is an 
answer.
    Dr. Bement. A lot of it is in the private sector. A lot of 
it requires better protocols, better metrics, better standards. 
We are working with the standard development organizations in 
this area. It will take time. It is comprehensive. Resources 
will help.
    Chairman Boehlert. You know--thank you. The gentlelady's 
time is expired. Dr. Tether pointed out a, I think, very 
appropriate observation that DARPA is sort of idea limited. And 
that is one of the reasons why, in the cyber bill, we put in 
all of those programs for students and to get researchers to 
change fields. Shouldn't funding for those programs be a top 
priority? And will NSF and NIST ask for funding for those 
programs in '05?
    Dr. Colwell. I can respond, sir, and say that we are going 
to be very aggressive in our request for the area of research 
in '05.
    Chairman Boehlert. Dr. Bement.
    Dr. Bement. I would respond likewise. We are taking it 
seriously. We have discussed it with the Technology 
Administration. We are still early in our '05 planning, but we 
are giving this very high priority.
    Chairman Boehlert. Thank you very much. The Chair now 
recognizes Mr. Smith of Texas.
    Mr. Smith of Texas. Thank you, Mr. Chairman. First of all, 
Mr. Chairman, let me say to you that I am sorry that I missed 
most of the hearing today. Unfortunately, I am a Member of the 
Judiciary Committee, which has been marking up some legislation 
downstairs, and so I have had to be there for recorded votes. 
In fact, there is one going on now, so I will have to be brief 
in my questions.
    Nonetheless, I did want to ask Dr. Colwell and Dr. McQueary 
to respond to a question that I have. And this question 
basically comes from a book that I read this last weekend, and 
I don't know if you all are familiar with it or not. It is 
called ``Tangled Web.'' And this is a book that makes a 
compelling case that both the private sector and the Federal 
Government are not prepared to deal with the cyber attack 
today. And furthermore, Mr. Chairman, just because I am a 
Member of a relevant Subcommittee, and in the briefings that we 
have had, we had been told that there is at least a 50/50 
chance that any kind of terrorist attack that might occur in 
the future will involve some aspect of cyberterrorism, either 
wholly or in part. Given the nature of that present and future 
threat, my question, really for the two witnesses, is do you 
feel that the Federal Government today is able to adequately 
respond to a cyber attack? It is my impression from, as I say, 
reading this book ``Tangled Web'' that we are, today, not 
capable of responding to a terrorist attack and stopping it 
from costing American lives or perhaps disrupting the economy. 
But I would be interested in your perspectives.
    Dr. Colwell. Do you care to start and then I will add?
    Dr. McQueary. Certainly. We do have the NTAC [National 
Threat Assessment Center] and the Carnegie Mellon--the 
capability to respond if we do see a cyber attack. If--one 
could postulate attacks that we could not respond to, I 
suppose, effectively, but certainly there is a wide variety I 
think have been demonstrated in the past of capability to 
respond to any----
    Mr. Smith of Texas. You feel comfortable with our ability 
today to not be the victim of a cyber attack?
    Dr. McQueary. I did not attempt to say that. What I was 
trying to say was that there are many kinds of attacks that we 
could respond to. In order to say that we couldn't respond to 
it, one would have to know what kind of attack----
    Mr. Smith of Texas. What kind of attacks are we not able to 
respond to?
    Dr. McQueary. I don't know the answer to that, sir, off the 
top of my head.
    Mr. Smith of Texas. How can you know what we can respond to 
if----
    Dr. McQueary. Well, because we have done this in the past 
through this--the NTAC and the--at the Carnegie Mellon Group, 
because we have demonstrated----
    Mr. Smith of Texas. Right.
    Dr. McQueary [continuing]. That in the past, and therefore 
by definition, we see that we have been able to respond to 
things that we have seen in the past.
    Mr. Smith of Texas. Dr. Colwell, do you agree with that?
    Dr. Colwell. I think that we have done research that has 
allowed us to build firewalls. And I think for the most part, 
the firewalls that protect sets of data and sets of operations 
are, on a daily basis, effective. Obviously, there are 
opportunities for attack that could be devastating. And it is 
hard to predict exactly what they would be, but I do feel 
somewhat assured by the--yesterday, the Seattle, I think it was 
in Seattle, there was a mock attack, which included cyber, as 
well, as the direct attack with chemical and biological 
weaponry. But I think that is important, because it shows that 
this is a multi-dimensional----
    Mr. Smith of Texas. Right.
    Dr. Colwell [continuing]. Terrorist--potential terrorist 
problem. And cyber security is a component of it. And I think 
we are well aware of that now. And awareness is the beginning 
of protection.
    Mr. Smith of Texas. And certainly awareness is the first 
step. You have both said that you feel that we have protected 
ourselves against cyber attacks that have already occurred, but 
not necessarily--we are not necessarily able to protect 
ourselves against all conceivable cyber attacks, is that a fair 
statement?
    Dr. Colwell. Well, I--yeah.
    Mr. Smith of Texas. And I see Dr. Bement is shaking his 
head yes as well.
    Dr. Bement. Firewalls tend to be pretty ubiquitous, but, in 
many cases, they don't contain all of the ``four R's''. And 
what I mean by the ``four R's'', first of all, you have to 
recognize an attack. In many cases, you don't recognize an 
attack through a firewall. Second, you have to resist it once 
you recognize it. Then you have to respond to it, and then you 
have to recover from it. And those are the four R's. And----
    Mr. Smith of Texas. That is exactly the point of this book 
that I referred to----
    Dr. Bement. Right.
    Mr. Smith of Texas [continuing]. That firewalls are not 
sufficient, which is what you just said.
    Dr. Bement. And so I would say we have a long way to go, 
and with a determined cyber attacker, with the right kind of 
training, they would be able to defeat many of the systems we 
currently have.
    Mr. Smith of Texas. Okay. Thank you, Dr. Bement, for your--
thank you, Mr. Chairman. I am finished.
    Chairman Boehlert. Mr. Smith, just let me tell you, you are 
right on in terms of focusing on an area we all have to focus 
on. And it was--our vulnerability. I recognize vulnerability 
that prompted this committee to try to provide some leadership, 
and that resulted in this Cyber Security Research and 
Development Act. And now what we are trying to do is make 
certain that all of the agencies for whom we have earmarked a 
lot of resources, insufficient I might add, but we are trying 
our best, are working together, are coordinating their 
activities, and are taking the pledge here and now that this is 
a matter of high priority. And you have got to give this 
increasing attention. And that--you were not here earlier, they 
have assured us of that. Department of Homeland Security has 
just been up since--essentially since 1 March. Dr. McQueary is 
the new guy on the block, and it is just a mind-boggling 
challenge. I think he is up to the challenge, and I think we, 
collectively, are up to the challenge. But we better damn well 
get serious about this and not just talk but act. So thank you 
very much for those observations.
    Mr. Smith of Texas. Thank you, Mr. Chairman. Mr. Chairman, 
I might add, I think one of the reasons that Dr. McQueary is up 
to the challenge is because he has two degrees from the 
University of Texas.
    Dr. McQueary. You are very kind, sir. Thank you.
    Chairman Boehlert. The Chair now recognizes Mr. Bell.
    Mr. Bell. Thank you, Mr. Chairman. I apologize for missing 
your testimony. There is cyber security and there is 
Congressional District security, and since my district is 
currently under attack in the state of Texas, we decided we 
would go pay homage to our friends holed in Ardmore, Oklahoma. 
So that is why I wasn't present, and I hope you understand.
    Dr. Tether, I wanted to visit with you for just a moment, 
because I found your remarks to be refreshing. I have only been 
here for four months, and I have had a bunch of people come and 
tell me that they have ideas but they don't have money. You are 
the first I have heard that has plenty of money but a shortage 
of ideas. So it is a nice turnaround. But I wanted to--you--I 
understand your reluctance to talk about cyber warfare and what 
is being planned in that regard, but several months ago, there 
was a rather extensive article in the Washington Post about 
some of the plans that were being undertaken by the Department 
of Defense, some of the studies that were being conducted. And 
I sort of subscribe to the theory if it has been in the 
Washington Post, it is going to be hard to keep it secret after 
that. And they talked about looking at ways to, perhaps, wipe 
out the entire electrical grid in the wake of war or while 
involved in war, looking at maybe shutting down hospitals that 
use cyber technology. My question is, knowing that those 
efforts are going forward, what is the collaboration between 
those who are looking at ways to attack and using it in an 
offensive position and those looking to defend, because it 
would seem to me that there should be a great deal of 
collaboration in those areas?
    Dr. Tether. Well, it--even though it appeared in the 
Washington Post, I still have a hard time confirming or denying 
the Washington Post. But let me tell you, one of the--there is 
a great collaboration that goes on between those who look at 
offensive things versus those who look at defensive things, 
because they are really two sides of the same coin. So the 
people who are doing the offensive parts, when they develop 
techniques, we then obviously build a defense against that 
technique. So the people--and vice versa. When people build a 
defensive technique, then the offensive people need to know 
about it in order to try to penetrate that technique. So there 
is a great amount of collaboration that goes on between those 
two communities. Let me say, at least within DARPA, some of the 
operational people would not have a collaboration because it is 
very, very sensitive, but in our research, there is a great 
collaboration between the two communities: those who are coming 
up with techniques to penetrate and those who are coming up 
with techniques to prevent people from penetrating. I really 
can't give you any--I would be happy to give you all of the 
details, quite frankly, but I just can't here.
    Mr. Bell. No, I understand.
    Dr. Tether. Yeah.
    Mr. Bell. And I don't expect you to, and that wasn't the 
point of the question. I am more interested in what kind of 
collaboration is taking place.
    Dr. Tether. There is a lot of collaboration in--between 
those two communities for those--for the reasons I gave.
    Mr. Bell. What is the general feeling as to where the 
United States stands right now in terms of cyber warfare? Are 
we behind in that area or are we ahead?
    Dr. Tether. I almost would have to go country by country, 
and I would rather not, for--again, for classification reasons. 
I----
    Mr. Bell. But we are certainly not alone?
    Dr. Tether. Oh, no. No, we are most certainly not alone. We 
are most certainly not alone. And I think you can obviously--
the obvious large players like the--like Russia, China, you 
know, these are people who are taking this very seriously, very 
smart people. We are not alone.
    Mr. Bell. Thank you.
    Chairman Boehlert. Excuse me, if I may interrupt here. Some 
would argue they are taking it more seriously than we have been 
in the past, but now we have a new focus.
    Mr. Bell. Well, taking this whole question of collaboration 
a step further, because, and I am--and I don't want to put 
words in your mouth, but you were saying--I don't know if you 
said you heard about some things today or recently that you 
didn't know that were going on. And I would expect that. But 
this is an area where I would think that it is really incumbent 
upon those who are involved to be talking to each other. And 
are there steps that need to be taken to make that easier?
    Dr. Tether. Well, you know, when I said that, I was 
referring to the activity between DARPA and NSF. And what you 
learn, DARPA is really a Program Manager place, and there are 
160 Program Managers. I don't know how many Dr. Colwell has, 
but she has a few.
    And you would be amazed what goes on that the Directors 
don't know of, each agency doesn't know what is going on. So 
what I had--when this hearing came up, I put out a call to all 
my offices saying, ``Why don't you guys tell me what you are 
doing with NSF?'' You know. ``Go and find out what the 
program''--and I got a lot of activity. I mean, I have got an 
enormous amount of activity that I did not know about. And--but 
it is our Program Managers farming the ideas coming out of NSF 
so that they could bring them back and say, ``Hey, look. Here 
is a great idea.'' And this is--I am talking about cyber 
security type of activity now, not just in general. In general, 
there is a real large amount of activity, but--so they can come 
back with an idea, which what DARPA does is takes that idea. 
And we basically take it to the next step of applying it, you 
know, taking that idea into a technology that can be used.
    But there is a great deal of activity that has--that was 
going on that I--quite honestly, I was not really aware of. I 
kind of figured it was going on, but I didn't know the 
specifics. And I was impressed.
    Chairman Boehlert. The gentleman's time is expired. I am 
sort of surprised by that answer, a veteran like you. With Dr. 
McQueary, he is just in, the new guy on the block, and he knows 
what every one of those 180,000 people are doing within in the 
new Department of Homeland Security.
    Mr. Bell. But Dr. McQueary went to UT.
    Chairman Boehlert. Oh, boy. With that, Mr. Udall.
    Mr. Udall. Thank you, Mr. Chairman. I, too, want to thank 
the Chairman for calling this important oversight hearing today 
and thank him for his leadership on this whole area of cyber 
security. It is also--it is inspiring to see the all-stars out 
here on this panel, and thank you for your service to the 
country and for your great help and assistance you provide to 
the Committee.
    I want to ask two general questions, and Dr. McQueary, I 
will give you a heads-up on the second question, which I am 
going to ask you first. And your Directorate has requested 
about $800 million in this fiscal year of 2004. And I am just 
curious how that money would be allocated, particularly to 
cyber security. If you would, set that question aside and 
hopefully we will get to it.
    The second one--question was to yourself and Dr. Bement. 
And it is always great to see the NIST Director here.
    Dr. Bement. Thank you.
    Mr. Udall. I know you have under--you have signed an MOU 
between DHS and NIST.
    Dr. Bement. Pending.
    Mr. Udall. Yeah, pending. Thanks for that correction. Can 
you provide me, the two of you, with your understanding of the 
activities that would be carried out under the MOU and the 
respective roles of NIST and DHS? And I think most importantly 
for most--for all of us is will NIST have the resources to 
carry out the activities envisioned in the MOU?
    Dr. Bement. The answer to the second question is yes; we 
will have the resources. The answer to the first question is 
that the MOU is very comprehensive. It includes technical 
support, research and development support, and standards 
support across the whole mission spectrum of the Science and 
Technology Directorate. Cyber security is clearly one of the 
keystone elements of that MOU, and it is one that we have 
already anticipated by putting one of our research staff with 
DHS in cyber security to begin coordinating that activity.
    Mr. Udall. Dr. McQueary, would you like to----
    Dr. McQueary. I would be happy to. The--in the--as you 
correctly point out, the fiscal year 2004 budget request is 
$803 million for the Science and Technology Directorate. Within 
that budget, we have $7 million that are specifically allocated 
toward cyber security-related activities. And I would like for 
you to keep in mind that the basis for that is that our role is 
one of supporting the Information Analysis and Infrastructure 
Protection Directorate within Homeland Security and providing 
Science and Technology support to them in that. We are just 
barely operational. And of course the Critical Infrastructure 
Protection Board was in existence at a time when we actually 
constructed that budget. And therefore, if we were to find that 
the money we have, we conclude, is not adequate, I have no 
problem whatsoever in revisiting what the budget allocation is 
and looking for support from people like yourself for making 
such an evaluation.
    Mr. Udall. Mr. Chairman, if I might, I would like to yield 
to my colleague, Ms. Jackson Lee, for 30 seconds. She has to 
leave, but she wanted to make a brief statement.
    Ms. Jackson Lee. First of all, let me thank the Chairman 
for this very important hearing. I was in a markup in 
Judiciary, and now I have been called off to another meeting. 
Gentlemen, I would ask the Chairman to have permission to 
unanimously put into the record my statement, and I will----
    Chairman Boehlert. Without objection.
    Ms. Jackson Lee [continuing]. Proceed with the individuals 
on this important issue as a Member of the Homeland Security 
Committee. I thank you. This is a major question for our 
community cyber security.
    Thank you, Mr. Chairman. Thank you, Mr. Udall.
    Chairman Boehlert. Thank you very much. Mr. Udall, you have 
two minutes remaining.
    Mr. Udall. Thank you, Mr. Chairman. It might be, I think, 
of some interest to the Committee that when the MOU is signed, 
perhaps there is a way to get a further update as to how that 
might unfold and I don't know whether we would need to do that 
formally or informally, but I would make that request to the 
two of you today and----
    Dr. McQueary. I would be happy to do that.
    Mr. Udall [continuing]. The Chairman as well. Do you have--
when we talk about the funding, Dr. McQueary, you mentioned 
some of the criteria you used. Did you cover all of the 
criteria that had been involved in determining how this cyber 
security money will be directed and where you will focus those 
initial efforts?
    Dr. McQueary. Well, initially, when we--when our budget was 
constructed, our intent was to focus on the forensics aspect of 
cyber security and also attribution, those being two areas that 
appeared as though we could make a contribution in that area. I 
think that we will be continually examining what our role is, 
because, as you know, the IAIP organization did not have--in 
fact, it does not today, have an Under Secretary that leads 
that effort yet, although a nomination has gone forth for that, 
and we are hopeful that that will be approved expeditiously. 
And so we will be working very, very closely with the IAIP 
people to make sure that we do have the proper amount of budget 
and the right scientific areas being focused in support of 
their conclusions on what we need to be doing.
    Mr. Udall. The--your presence today and the Chairman's 
commitment to this whole area underlines the crucial nature of 
it. I do think--if I could just make a general comment, we all 
have work to do to educate the American public as to the threat 
we face. Like so many other areas in this modern society in 
which we live, we take for granted a lot of the conveniences, a 
lot of the systems that make our lives easier than they might 
have been 100 years ago. And I think anything you can do to 
help us, we can help--do to help you in that mission, I think, 
would be time well spent. I think--I am reminded of the movie 
``Catch Me If You Can''. I don't know if you have all seen 
that, maybe that has been mentioned today, but in a way, we 
want to recruit some of those people that fit the model of that 
young man in that movie who would be inclined to, because they 
want the adventure, I think, of breaking these systems and 
getting into places where other people haven't been and see if 
we can bring them to the side of us and create a socially 
productive avenue, so we say, for those young hackers out 
there. We ought to be looking at that. That is an opportunity, 
I think, as well as a threat.
    Thank you, Mr. Chairman, and again, I want to thank the 
panel.
    Chairman Boehlert. Thank you very much. Dr. McQueary, where 
is the research going to be focused in DHS? Who is going to be 
doing it?
    Dr. McQueary. For cyber security specifically?
    Chairman Boehlert. Right.
    Dr. McQueary. It will be conducted by the Science and 
Technology Directorate, yes, sir.
    Chairman Boehlert. All right.
    Dr. McQueary. And that is the role that we----
    Chairman Boehlert. Have you earmarked where within your 
operation?
    Dr. McQueary. Where specifically within----
    Chairman Boehlert. Right.
    Dr. McQueary [continuing]. My organization?
    Chairman Boehlert. Have you identified people and----
    Dr. McQueary. Yes, we have. In fact, we have
    people----
    Chairman Boehlert. People and dollars?
    Dr. McQueary. People and dollars, yes. Yes.
    Chairman Boehlert. That is good. Could you provide that for 
the record----\1\
---------------------------------------------------------------------------
    \1\ This information is provided in Dr. McQueary's answers to post-
hearing questions, located in Appendix 1.
---------------------------------------------------------------------------
    Dr. McQueary. That was a--yes, sir.
    Chairman Boehlert [continuing]. At your convenience? All 
right. The Chair recognizes Ms. Lofgren.
    Ms. Lofgren. Thank you, Mr. Chairman. I would also like to 
offer my apologies, as several other Members have. I am also a 
Member of the Judiciary Committee, and I also was tied down in 
a markup all morning, so I missed your testimony, although I 
have read it. And I appreciate the Chairman's calling this 
hearing. I would note, I am a Member of the Homeland Security 
Committee and ranking on the Cyber Security Subcommittee, and 
we have beaten Homeland Security to the punch on this hearing. 
And so I will see you, I guess, next week as well on some of 
these issues.
    Chairman Boehlert. As we all will--several of us will.
    Ms. Lofgren. Right. I do want to just briefly return to one 
issue and explore another, and then I know the lunch hour is 
here. As I am sure you recall, Dr. Bement, there was concern 
last Congress about the proposal to shift some NIST activities 
to DHS. And the concern really--and this committee, on a 
bipartisan basis, objected to that, and in the end, Congress 
did not approve that shift. I am sure you are aware that there 
is anxiety in the country about the detailing of staff by NIST 
to DHS and whether that has the effect of accomplishing 
administratively what the Congress did not approve last 
Congress. I am not suggesting that is the case. I would like to 
explore that with you.
    Dr. Bement. I would say that--I am sorry.
    Ms. Lofgren. The question really has to do is what are they 
doing specifically? I know you say there is a detailed MOU, but 
specifically, I would like to know the nature of that--their 
activities relative to encryption. Can you address that?
    Dr. Bement. To my knowledge, there is no work going on in 
encryption at the present time. We have two people detailed to 
the Department of Homeland Security. One is providing a 
coordination role between DHS and NIST in terms of acquainting 
DHS with our cyber security efforts. Now the other person is 
working with Science and Technology Directorate in, working 
with Dr. Albright in back of me, as a matter of fact, in 
developing a national strategy for DHS and standards 
development. And of course, that is our area of expertise----
    Ms. Lofgren. Right.
    Dr. Bement [continuing]. So we are willing to assist--I 
mean, we are happy and anxious to assist DHS in that area. And 
as far as the issue that you brought up, we are very grateful 
to the Committee for recognizing the importance of the 
independent role that NIST plays with the private sector in 
developing guidelines and in developing specifications and 
standards in the area of cyber security. And anything that we 
do with other agencies, we preserve that independence and that 
integrity, so I wanted to assure you of that.
    Ms. Lofgren. I wonder if I could--I know you are going to 
provide the draft MOU to the full Committee. I--as a Member of 
the Homeland Security Committee, it would be especially helpful 
to me if I could get a copy of that prior to our hearings next 
week, if I could ask that favor.
    Dr. Bement. We--I think the signing will be taking place on 
Monday.
    Dr. McQueary. I believe the 19th is the day that we did 
have that set up.
    Dr. Bement. The 19th of May, and we will provide a copy to 
you as soon after it is signed as we can.
    Ms. Lofgren. Let me ask another question relative--it is 
actually to funding, and I know that probably people who head 
bureaus and directorates and departments or--and are probably 
discouraged from complaining about their funding to 
Congressional Committees. But I am concerned about whether 
there is sufficient funding to do some of the things that I 
think are essential to the national security. One of the issues 
that has been discussed informally at the Homeland Security 
Committee is the lack of--or at least apparent lack of rigorous 
analysis of biometric standards. And what are we looking for in 
terms of ease of use, reliability, scalability, et cetera, et 
cetera?
    And I am wondering--it seems to me that the absolute best 
home for that kind of analysis is NIST, because it is a 
standards issue. It is not a policy issue. It is not a 
political--it is a standards issue. And I know last year, I 
asked NIST to provide me with information about biometrics. You 
very kindly responded, but it was not original research. It was 
sort of a compilation of what is out there, and I will say it 
was rather thin. Is NIST sufficiently funded to accomplish that 
kind of biometrics analysis and standard setting if the 
Department of Homeland Security were to ask you to do so?
    Dr. Bement. We certainly have the competence to do that and 
until now, most of the resource that has been going into that 
area has partly come out of our base program. Part of it has 
been provided by DARPA.
    Ms. Lofgren. So we would need to provide----
    Dr. Bement. Part of it has come from----
    Ms. Lofgren [continuing]. Additional funding?
    Dr. Bement [continuing]. Department of State, Department of 
Justice. And in our '04 budget request, we have requested that 
$1 million of additional funding in order to beef up our effort 
in this area. So it is in our '04 budget request.
    Ms. Lofgren. Is $1 million enough to actually accomplish 
that?
    Dr. Bement. No, but it is all we could work in.
    Ms. Lofgren. All right. I--how much would you need if the 
DHS were to ask you to accomplish that function quickly and 
reliably? What would the tag be, do you think?
    Dr. Bement. We feel it would be $3 million.
    Ms. Lofgren. All right. Thank you very much, and I see my 
time is expired.
    Mr. Ehlers. [Presiding.] We will proceed with a brief 
second round of questions. I will kick off a few. First of all, 
Dr. McQueary, you have got a blank piece of paper in front of 
you for what you are going to do. And my question is--I have 
several questions related to that. Who is going to perform the 
cyber security research for you? Are you planning to hire staff 
members? Do you plan to have--use grants to universities or 
contracts or grants with the private sector companies or other 
federal agencies? What do you see as developing here?
    Dr. McQueary. I see it as being a combination of all of the 
things that you just talked about. The construct of the Science 
and Technology Directorate is such that we will largely be in 
the role of managing the programs that will be executed, both 
the federal and national labs, private sector, as well as 
university academia, if you will. And so we will have the 
leadership role. In fact, we have about four people already in 
roles, which I touched upon earlier, that are detailed to us 
with--and have experience in the cyber security area. So we 
will provide the leadership, oversight, program management 
responsibility, if you will, and contract that work out into 
the various sectors you talked about, always looking for where 
the top quality work is being done to capitalize upon that.
    Mr. Ehlers. Okay. And do you think cyber security will get 
the attention it needs? Are you going to have sufficient funds 
to do all of the things you are supposed to do in your area? 
And given all of the different competing needs that you will 
have to deal with, is cyber security going to get the attention 
it needs?
    Dr. McQueary. Well, it certainly has the attention--has my 
attention, and I have the responsibility for constructing the--
a budget and making the proposal to Secretary Ridge as to what 
we should do there, so if we do not get the sufficient 
attention, then I am the first person that one should come to 
to say why not, because I have that responsibility in Science 
and Technology.
    Mr. Ehlers. Okay. Our concern would be that it would just 
be considered just one more aspect of infrastructure protection 
in the overall scheme of things in DHS.
    Dr. McQueary. I am sorry, I missed the question.
    Mr. Ehlers. I am just worried that this may just be 
considered one other aspect of infrastructure protection within 
DHS and actually be competing with all of the different----
    Dr. McQueary. I believe that we will see some 
organizational restructuring very shortly within DHS that will, 
I hope, illustrate to you that we do take this issue very, very 
seriously.
    Mr. Ehlers. Okay. And something else. I don't know if--I 
would be interested in what all of you have to say, but perhaps 
you don't have the figures with you and want to respond in 
writing, which would be fine. I am curious what is being spent 
on cyber security R&D by the Federal Government in total and 
how much by the private sector. Do you have an idea of this or 
would it be better to just ask you to send in the information?
    Dr. McQueary. I do not have the information, sir.
    Mr. Ehlers. All right. Dr. Colwell, if you have----
    Dr. Colwell. Right now, we have about $53 million, but that 
can go up to as high as $75 or $76 million, depending on the 
outcome of some competitions that are in play at the moment for 
the potential for a center award and a potential for 
scholarships and so forth. But we see, pretty much, coming 
close to the authorized number.
    Mr. Ehlers. Okay. Dr. Bement.
    Dr. Bement. Well, I can only speak for NIST. As I indicated 
in my testimony, we currently have $24 million of appropriated 
and base funding going into cyber security. We also have 
additional funding coming from other agencies: the National 
Security Agency and DARPA.
    Mr. Ehlers. Um-hum.
    Dr. Bement. I think our DARPA account is around $5.2 
million, so adding that all together, it would still be less 
than $50 million in NIST. As far as the Federal Government at 
large or the Nation at large, I don't really have those 
numbers.
    Mr. Ehlers. Okay. And Dr. Tether.
    Dr. Tether. I also don't really know what the Federal 
Government is spending, but at DARPA, we are spending--in '04, 
we will be spending around $50 million in cyber--in information 
awareness. But there is more that we are spending that I 
actually will give you for the record, because we are doing 
cyber security with other programs. For example, we are 
building networks. And then there are activities within the 
building of a network, which is also to make the network 
secure, so it is embedded. I will try to pull that out for you. 
But it might be another $50 million, so it might be a total of 
100. And then we have the classified work, which I will tell 
you separately.
    Mr. Ehlers. All right. And are you also including in your 
work efforts to prevent damage from electromagnetic pulses, or 
is that----
    Dr. Tether. No.
    Mr. Ehlers [continuing]. Considered totally separately?
    Dr. Tether. That is considered totally separate, yeah.
    Mr. Ehlers. Okay. But by and large, Defense Department 
facilities are hardened against that?
    Dr. Tether. They are hardened against that.
    Mr. Ehlers. Yeah.
    Dr. Tether. There are requirements for them to be hardened 
against that.
    Mr. Ehlers. Do you have any idea to what extent the private 
sector or--is hardened against EMP?
    Dr. Tether. I would be surprised--well, first of all, 
they--all--everybody has, usually, a surge suppresser----
    Mr. Ehlers. Right.
    Dr. Tether [continuing]. You know, which gives them some 
hardening, but that would be, probably, the limit. I don't know 
of anything else.
    Mr. Ehlers. I would think banks, at least, would want that.
    Dr. Tether. You would think so.
    Dr. Bement. I think they would still be vulnerable against 
pulse power attack. I mean, if----
    Mr. Ehlers. Yes.
    Dr. Bement. If an attacker had the capability----
    Mr. Ehlers. Yeah, a surge protector won't do too much.
    Dr. Bement. No, it won't do you very much.
    Dr. Tether. No. No.
    Mr. Ehlers. No. Okay. My time is expired. Anyone else wish 
to--Mr. Miller, you are recognized for five minutes.
    Mr. Miller. One last set of questions. Is it Dr. Bement?
    Dr. Bement. Bement.
    Mr. Miller. Bement. Okay. What you said in response to Ms. 
Woolsey's questions were very reassuring to me that what we 
need is knowledge, education, and discipline. The security is 
now available, I think you said, through protocols, metrics, 
and standards, that we have very smart people working on this, 
and that there is nothing stopping us from doing it, from being 
secure. And I--and that is greatly reassuring to me. And Dr. 
McQueary pointed out correctly, of course, that anyone in the 
private sector is going to know the risk to their business of 
not being secure, of suffering an attack.
    Dr. Bement. Yes.
    Mr. Miller. What I am concerned about, somewhat, is that 
there is--there will always be people who do things on the 
cheap, who don't--do not show knowledge, education, and 
discipline. And what are we doing to make sure that when people 
in the private sector do their kind of assessment of what it 
costs to adopt the security measures they should adopt versus 
the risk that they face if they don't, that they take into 
account not just the risk to them, to their business, but the 
risk to others that they deal with--the ripple effect that we 
talked about earlier? The loss of the power grid, obviously, 
would have a massive effect. I think you mentioned, or Dr. 
Tether mentioned, the possibility that--or it may have been 
you, that hospitals could be shut down. Obviously there is risk 
to others and not just the direct loss and disruption to the 
victim of an attack, but of all those deal with. Are we doing 
anything for requiring anyone in the private sector to adopt 
security measures? Have we thought through whether the 
standards that we are developing, the protocols, form the basis 
of a standard of care for civil liability? What are we doing to 
make sure that people in the private sector think through the 
risk, not just to them, but on down the line?
    Dr. Bement. I can tell you this much that many of the 
professional societies who have begun to pay attention to these 
risks, which are really the product of the probability of the 
event plus the consequence--times the consequence of the event, 
have begin--have begun to develop risk models with their 
constituents so that industry is better informed about what the 
consequence of a cyber attack might be, or any other 
vulnerability might be. I have to say that, as a Nation, our 
greatest vulnerability is indifference.
    I think it was Dr. McQueary that pointed out that 85 
percent of our industry and productive capacity is owned by the 
private sector. And yet, all of the surveys that I have looked 
at recently in surveying the private sector on what they are 
doing in terms of either vulnerability assessment or dealing 
with risks, terrorist risks, indicate that they don't really 
see themselves as a target, which is sort of indifference. And 
in some respects, I think it may, in order to bring it home to 
them, require some of the kind of exercises or demonstrations 
that took place this last weekend to actually demonstrate what 
the consequence might be of these attacks so that CEOs and 
other leaders in industry will have it brought home to them, 
what it could, in fact, mean to their manufacturing operation, 
their logistics train, their supply train, all of their other 
elements that they have to deal with on a day-to-day basis. And 
I feel that that is our biggest vulnerability right now is they 
just haven't quite stepped up to the plate.
    Mr. Miller. Do you know if the insurance industry has 
looked at cyber security as a liability issue?
    Dr. Bement. I am sure they have. Yes, indeed, they have. 
The insurance rates have gone up dramatically since 9/11, so 
there clearly is a payback in being able to demonstrate that 
you are much better protected against these types of attacks.
    Mr. Miller. Well, is it the only----
    Dr. Bement. It is not only insurance; it is the reinsurance 
rate as well.
    Mr. Miller. Right. Well, yes, the--I imagine the potential 
liability is massive. It would require going to the reinsurance 
markets. Is it being excluded for policies? Is it being 
included in policies? Are insurance companies--liability 
insurers having a word of prayer with their insureds about what 
they are doing?
    Dr. Bement. Well, I must confess this is getting a little 
bit beyond my ken or my area of expertise, so I really can't--
--
    Mr. Miller. But it is a strong economic incentive----
    Dr. Bement. Yes.
    Mr. Miller [continuing]. To do the right thing?
    Dr. Bement. I would think so, yes.
    Mr. Ehlers. The gentleman's time has expired. Mr. Udall, do 
you have any questions?
    Mr. Udall. Mr. Chairman, I had a last question, hopefully, 
thankfully, although this is a topic, which we will revisit. 
Dr. Tether, I was just curious in looking over your material 
you compiled for the Committee and the good work you did here 
in describing network centric warfare and suggesting we maybe 
aren't quite there yet, but we are certainly network-dependent. 
Have you gotten any indication out of the recent conflict in 
Iraq that the Iraqis had any kind of cyber security tools that 
we hadn't anticipated or that there were, perhaps, other 
countries or other individuals developing those for the Iraqis 
or for future opponents?
    Dr. Tether. The--I don't know of anything. That doesn't 
mean that there wasn't something. GPS jamming was the only 
thing that I know about.
    Mr. Udall. I am sure you are going to take a look at that, 
and I would bet that some of this may well be classified, but 
we always have, when we have these encounters, have a chance to 
then review our mistakes as well as our successes.
    Dr. Tether. Yes, and that is all being done.
    Mr. Udall. I hope we will--I know we will do that.
    Dr. Tether. Yeah.
    Mr. Udall. And it strikes me that the military, once again, 
is on the cutting edge of some of these technologies and we 
look at the history of the Armed Services, and much of what was 
generated in the Second World War is now used in civilian 
activities. One of my real interests, and I share with our 
Chairman of the Committee is energy, and the military is 
leading the way in certain new technologies: fuel cell 
technology, photovoltaic uses and others because of the 
transformation we are trying to put underway in our military. 
So I think you all have a very--I just wanted to conclude by 
saying you, of course, have a very important role to play in 
this. And we look forward to this all-star team working 
together seamlessly to help lead us to a more cyber secure 
future.
    Dr. Tether. Well, it is clear with the--private industry 
really has not been able to do the tradeoff of what does it 
cost them to not have it. It is very clear for the military, 
when we are becoming really dependent upon that network being 
there, what happens if that network is not there. So the 
tradeoff is, you know, very clear. There is no--we have to make 
those networks secure, otherwise everything we are building for 
the future will not work, and that would be a disaster, I mean, 
to the national security.
    Mr. Udall. Mr. Chairman, I have many more questions, but I 
think the lunch hour does beckon. I would yield back my 
remaining time. I thank, again, the panel.
    Mr. Ehlers. The gentleman yields back his time, and I am 
sure the panel appreciates it, and the audience. I just wanted 
to pick up on the last two comments. First of all, perhaps it 
is only through higher insurance rates that people will become 
aware of the need for protecting their equipment. And that goes 
to your last point, too, Dr. Tether, that most people and most 
businesses don't realize the risk and therefore they don't take 
the trouble to protect against it.
    But it is a bit ironic, Dr. Bement, that you mentioned the 
electric power industry, because I, for roughly five years now, 
I have been telling my constituents in town meetings, and I had 
to, because I voted against the Defense appropriations for 
three years, because I thought they were funding the wrong 
things. And of course, all of the veterans show up at my town 
meetings and castigate me for not supporting Defense. But I 
simply pointed out that what we are doing is pouring a lot more 
money into the same old systems, and the real danger is not a 
major nation attacking us, it is terrorists attacking us. 
Unfortunately, I was correct, and so we are all now alerted to 
that.
    But the other example I give my constituents now, because 
they are all terrified about aviation, and I simply say, ``The 
problem is we always fight the last war.'' And we are now 
making our airlines super safe, and we have to worry about port 
security and then the power industry. I have said, for a number 
of times, ``Give me 20 knowledgeable people about computers and 
explosives--and a little explosives, and I could bring down the 
power grid in one night.'' And of course, we could get it up 
again in probably four or five days, but can you imagine what 
the cost is of four or five days' productivity to our nation, 
particularly if this can happen repetitively?
    So it is--the best way, of course, is to stop terrorism at 
its source. It is impossible to really totally defend against 
it here, but we can certainly do much more in defending against 
terrorism within our borders than we are currently doing. And 
we tend not to wake up. As you say, they are--it is 
indifference. The indifference goes away with each specific 
attack, but then we tend to prevent to guard against that 
attack again. And there is a plethora of possibilities for 
terrorist activity.
    I want to thank the panel very much. It is been an 
outstanding panel. You have each represented very well the 
expertise available within your agencies or departments. And I 
certainly appreciate your attendance here. The information you 
have given will be, indeed, very valuable to us as we continue 
our deliberations. Thank you very much for being here. With 
that, the hearing is adjourned.
    [Whereupon, at 12:20 p.m., the Committee was adjourned.]
                              Appendix 1:

                              ----------                              


                   Answers to Post-Hearing Questions




                   Answers to Post-Hearing Questions
Responses by Dr. Charles E. McQueary, Under Secretary for Science and 
        Technology, Department of Homeland Security

Questions submitted by Chairman Sherwood Boehlert

Q1. You stated at the hearing that you would provide for the record 
information on the people and dollars that the Department of Homeland 
Security (DHS) Science and Technology directorate plans to devote to 
cyber security research and development activities in fiscal years 2003 
and 2004. Please do so. In addition, to what extent do you expect your 
fiscal year 2003 funding for cyber security research and development to 
be spent for support of DHS personnel? For support of programs at other 
federal agencies and national laboratories? For grants and contracts to 
universities and companies? (When providing the information requested 
in this question, please distinguish between research and development 
programs and education and workforce training programs.)

A1. The Science and Technology Directorate's current plans for people 
and funding devoted to cyber security research and development in FY 
2003 and FY 2004 are as follows:

FY 2003: L2 staff members within the DHS Science and Technology 
Directorate and funding of approximately $5 million.

FY 2004: L2 staff members within the DHS Science and Technology 
Directorate and funding of approximately $7 million.

    For FY 2003: The DHS Science and Technology Directorate plans to 
fund about $1 million per year at universities through the National 
Science Foundation (NSF). A contract with a private firm for about $1 
million has been awarded to continue work addressing insider threats. 
In addition, proposals with a total value of about $3 million over 
three years are pending from the National institute of Standards and 
Technology (NIST), a nonprofit research institute and another federal 
agency for additional cyber security research and development; until 
these are actual awards, it is not appropriate to estimate the actual 
amounts to these entities. We would be pleased to provide this 
information after actual awards are made if this is desired. Each of 
these existing and pending efforts are research and development 
activities; none are education/workforce training efforts.

Q2. At the hearing, you said that if the funding you have proposed for 
cyber security research and development for fiscal year 2004 ``is not 
adequate,'' you would ``have no problem whatsoever in revisiting what 
the budget allocation is.'' When will you begin reviewing the factors 
that determine what level of spending is needed? How will you decide if 
the level is ``not adequate''? When will you let us know whether you 
believe the allocation should be changed?

A2. The Science and Technology Directorate has reviewed its proposed FY 
2004 funding and currently believes the proposed amount for cyber 
security research and development (R&D) is adequate. However, we 
continue to assess our research and development plans in the context of 
the national effort in cyber security. If we determine that the 
proposed amount of our funding is not adequate, we would first evaluate 
the impact of reprioritization and re-allocation of existing budgets. 
If believed necessary, we would bring a request for additional funding 
forward for consideration through the appropriate mechanisms. 
Additionally, in order to accurately determine what level of funding is 
needed for cyber security research and development, we will continue to 
work with other agencies with R&D responsibilities, such as NIST and 
NSF, to identify requirements and gaps in funding. This coordinated 
approach will assist in making the right investments in this area while 
preventing unnecessary and wasteful duplication.

Q3. In other forums, you have stated that most of the focus of the DHS 
Science and Technology Directorate at first will be on shorter-term 
technology development. How will you balance technology development and 
basic research in cyber security? Do you expect that balance to change 
over time?

A3. The Science and Technology Directorate recognizes there are some 
technology needs that require immediate attention; some of these needs 
were identified in the National Strategy to Secure Cyberspace, while 
others have been identified by the critical infrastructure protection 
community. The Science and Technology Directorate believes that those 
cyber security issues which require basic research to solve are more 
within the scope of the National Science Foundation than our 
Directorate. Our long-term portfolio plan may address basic research to 
some degree through programs directed out of the cyber security 
research and development center.

Q4. At the hearing, you testified that the Committee will ``see some 
organizational restructuring very shortly within DHS that will. . 
.illustrate to [the Committee] that we [at DHS] do take [cyber 
security] very, very seriously.'' Since the hearing, there have been 
press reports that DHS will establish an office to execute the 
President's National Strategy to Secure Cyberspace. Please tell us for 
the record what restructuring is intended and when it will occur. What 
will the responsibilities and size of the new office be?

A4. The reference to the DHS restructuring around cyber security 
referred to the subsequent announcement of the creation of the National 
Cyber Security Division (NCSD) within the Information Analysis and 
Infrastructure Protection (IAIP) Directorate. The NCSD incorporates 
some of the operational capabilities of the Federal Computer Incident 
Response Center (FedCIRC), the National Communications System, and the 
National Infrastructure Protection Center (NIPC), along with new 
streamlined and consolidated outreach and awareness capabilities 
recently formed in the Directorate. The NCSD is adding new capabilities 
for vulnerability assessments, risk reduction methodologies, threat 
analysis, and enhancing training and workforce development activities 
in the public and private sectors. At present, it is expected that the 
NCSD will have about 40 FTEs total and a budget of about $86 million, 
including the funding for civilian salaries and operating expenses.
    The Science and Technology Directorate has also organized its cyber 
security research and development with the intent of making it a 
visible and important component of its total research and development 
effort.

Q5. DHS, through its planned work with critical infrastructure 
suppliers, has an opportunity to connect researchers with companies 
that have real, unsolved cyber security problems. How will DHS make 
these connections? How will the issue of sensitive critical 
infrastructure information be handled in these situations?

A5. The Science and Technology Directorate is establishing a cyber 
security research and development center that will enable partnerships 
with academia, private industry and national laboratories. A principal 
purpose of this center is to engage the researchers with the product 
developers and accomplish technology transfer to the companies with 
specific needs. This center will engage the critical infrastructure 
companies through mechanisms such as industry associations and 
consortia, bridging the gap and connecting companies with researchers 
and developers as required. In addition, the IAIP Directorate will be 
the chief customer to the center and will deliver needs and 
requirements based on their interaction with the critical 
infrastructure sectors.
    The protection of sensitive critical infrastructure information is 
recognized as an overarching issue of high importance, not only within 
the context of cyber security R&D but across the Department. In 
accordance with the authorities provided in the Homeland Security Act 
of 2002, the IAIP Directorate developed proposed procedures for 
handling Critical Infrastructure Information. The procedures detail the 
receipt, care, storage and marking of the submitted data. These 
proposed procedures were released for public comment and are now 
undergoing final refinement. Once these procedures are finalized, the 
Science and Technology Directorate will adhere to those policies to 
ensure that critical infrastructure information voluntarily submitted 
by the private sector is handled appropriately and protected 
accordingly.

Q6. How will DHS work cooperatively with other agencies on cyber 
security research and development? Specifically,

Q6a. You testified that a Memorandum of Understanding between National 
Institute of Standards and Technology (NIST) and DHS will be signed 
shortly. Will DHS provide funding to NIST for specific projects? Are 
there particular areas in cyber security that you are planning to work 
together on?

Q6b. Will DHS provide funding to support existing or new cyber 
security grant programs at the National Science Foundation and the 
Defense Advanced Research Projects Agency?

Q6c. Is DHS drawing on the expertise in the Infosec Research Council 
(IRC) and the High Confidence Software and Systems group within the 
Networking and Information Technology Research and Development 
Interagency Working Group? How will DHS be interacting with these 
interagency groups?

A6a,b,c. The Science and Technology Directorate's cyber security 
portfolio manager has been, and continues to be, in dialogue with the 
National Science Foundation and NIST, both individually and 
cooperatively. NSF, NIST and DHS (S&T) recently agreed to formally 
organize their efforts and work collaboratively to identify the R&D 
agenda appropriate to each agency. As stated previously, proposals are 
pending from NIST and others; until these are actual awards, it is not 
appropriate to estimate the amount that will be awarded to NIST. The 
Science and Technology Directorate will provide co-funding to NSF and 
NIST on those programs determined to meet requirements of our 
customers. At present, there are no plans to fund new or existing cyber 
security grant programs at the Defense Advanced Research Projects 
Agency (DARPA).
    The Science and Technology Directorate is also participating with 
the Infosec Research Council (IRC) where interaction across the 
government cyber security R&D stakeholders is accomplished. In 
addition, we participate in the newly established National Science and 
Technology Council (NSTC) Interagency Working Group on Critical 
Infrastructure Information Protection, created as an interagency R&D 
coordination working group. The Department of Homeland Security is not 
formally part of the Networking and Information Technology Research and 
Development Interagency Working Group but does interact with the 
relevant programs through the Infosec Research Council and the 
Interagency Working Group on Critical Infrastructure Information 
Protection.

Q7. The Cyber Security Research and Development Act makes the National 
Science Foundation (NSF) the lead agency for cyber security research 
and development, as Dr. Colwell testified at the hearing. In what ways 
are you interacting with NSF as it acts as the lead agency in this 
area? Does NSF review your budget proposal for programs in this area? 
Does NSF lead the agencies in a group effort to determine overall cyber 
security research and development priorities, and if so, how?

A7. As mentioned previously, the Science and Technology Directorate 
coordinates regularly with NSF to understand the existing cyber 
security R&D programs, the agenda and requirements not currently 
addressed, and identify the gaps. These interactions take place via the 
coordination groups mentioned in the response to the previous question, 
as well as on an individual basis. The Science and Technology 
Directorate has not relied on the NSF to directly set the agenda for 
DHS's cyber security research and development. Rather, DHS's cyber 
security R&D agenda is being driven by R&D priority areas as determined 
by the Department's mission and scope, e.g., those areas related to the 
needs and requirements that support the technology necessary for the 
Nation's critical infrastructures to operate and provide services.

Q8. The Committee believes that it is important to train skilled 
professionals to execute information technology security in the private 
sector and at government agencies, as well as scientists and engineers 
to perform cyber security research and development. What do you see as 
particular workforce needs in cyber security? What actions is DHS 
taking or planning to take to provide education and training in the 
cyber security area?

A8. The Science and Technology Directorate recognizes the need for 
cyber security experts that are well trained in technology, science, 
policy and privacy concerns in order to perform the advanced research 
and development of effective tools to protect our information systems 
and networks. Particular workforce needs are wide and varied in this 
area, ranging from programmers and developers that understand and 
respect cyber security concerns, to network administrators with an 
understanding of risk and appropriate security posture. While the 
mission of university education and curriculum development at the 
university level is something that falls more within the scope of NSF 
than DHS, we hope to play a role in providing information about 
industry educational needs to NSF. In addition, the S&T Directorate has 
a Homeland Security Fellowships/University Program that is specifically 
focused on encouraging and supporting U.S. students to study and enter 
fields relevant to homeland security; the field of cyber security is 
certainly one of those fields we will support. The Science and 
Technology Directorate will cooperate with IAIP, NSF, and the Office of 
Personnel Management to encourage and facilitate the expansion and 
interest in the CyberCorps program, the Cyber Defender program, and 
others that may be identified, to address the Nation's needs for a work 
force trained adequately to implement effective cyber security programs 
in both public and private sectors. By executing its mission well, the 
Department's cyber security research and development center will 
attract some of the best and the brightest to this field.

Questions submitted by Representative Ralph M. Hall, Minority Ranking 
                    Member

Q1. The Department of Homeland Security (DHS) will establish 
performance criteria for acceptable cyber-protection technologies. What 
exactly will this entail and who will be responsible for certifying 
that these technologies meet DHS performance criteria? Also, will 
government procurement be limited to technologies that meet these DHS 
standards?

A1. The Science and Technology Directorate will work with the existing 
processes, and particularly with NIST, for the development, review, and 
establishment of appropriate performance criteria. The Department of 
Homeland Security supports certification by private sector bodies/
programs that technologies meet established performance criteria; this 
position is consistent with existing ``standards/certification'' 
processes in other areas. At present, government procurement of cyber-
protection technologies is not limited to products that meet specific 
criteria.

Q2. DHS intends to establish a DHS R&D Cyber Security Center in 
cooperation with NSF and NIST. How much funding will DHS allocate to 
this Center? What will be the role of NSF and NIST in the Center's 
establishment?

A2. DHS's Science and Technology Directorate will establish a cyber 
security research center as an organizational entity. Once the center 
is established, we anticipate that a significant portion of the cyber 
security R&D funding will flow through this center. NSF and NIST have 
provided valuable input in the establishment of the center. The DHS 
Science and Technology Directorate expects to allocate funding of $1 
million to the Center in FY 2003 and $2 million in FY 2004 (these 
amounts are approximates until contracting is finalized).

Q3. In establishing the near-term research agenda for DHS, which 
industry sectors did you consult with in developing this agenda, and 
what role did industry play in formulating your near-term research 
agenda?

A3. The Science and Technology Directorate developed its near-term 
cyber security research agenda using the areas identified in the 
National Strategy to Secure Cyberspace and from our chief customer, the 
Information Analysis and Infrastructure Protection Directorate. The 
National Strategy to Secure Cyberspace was developed based on extensive 
interactions with and input from the private sector, including sector-
specific industry groups, public town hall meetings, and extensive 
input received in response to a public draft of the document. 
Additional input came from interactions with other agencies (such as 
those through the Infosec Research Council). Subsequent private sector 
input to cyber security research and development needs and requirements 
will be sought through the cyber security research and development 
center.

Q4. You mentioned in your testimony that your directorate is taking 
steps to establish key relationships with the major cyber security R&D 
organizations. What are these organizations; are they both governmental 
and in the private sector?

A4. The Science and Technology Directorate interacts regularly with the 
government cyber security R&D organizations both directly and through 
groups such as the Infosec Research Council and the newly-established 
National Science and Technology Council (NSTC) Interagency Working 
Group on Critical Infrastructure Information Protection (IWG on CIIP), 
created under the NSTC as an interagency R&D coordination mechanism. 
Although DHS is not formally part of the Networking and Information 
Technology Research and Development (NITRD) Interagency Working Group 
Program crosscut, DHS does interact with the relevant programs in the 
NITRD through the IRC and the IWG on CIIP. Government agencies that we 
have interacted with include NSF, NIST, Defense Advance Research 
Projects Agency (DARPA), National Security Agency (NSA), Department of 
Energy (DOE), Department of Defense (DOD), Office of Science and 
Technology Policy (OSTP), Advanced Research and Development Activity 
(ARDA), as well as Canada, the United Kingdom, and Australia. We have 
not yet initiated formal relationships with the private sector; 
however, we are planning a workshop to include private companies in 
mid-summer to start this process.
                   Answers to Post-Hearing Questions
Responses by Rita R. Colwell, Director, National Science Foundation

Questions submitted by Chairman Sherwood Boehlert

Q1. In your testimony to the Committee, you said that cyber security 
researchers will be told about National Science Foundation (NSF) 
funding opportunities for centers, like the competitions for Science 
and Technology Center grants. However, the Cyber Security Research and 
Development Act authorizes a program specifically for Computer and 
Network Security Research Centers. Will NSF run competitions 
specifically targeted at ``Cyber Security Centers,'' as required by the 
Act?

A1. NSF is currently preparing a program solicitation entitled Cyber 
Trust; we expect that it will be released toward the end of summer, 
2003. The Cyber Trust announcement will solicit proposals describing a 
range of types, including individual investigator, small group and 
center-scale projects. Thus, cyber security centers will be targeted in 
this competition. It is NSF's intent to continue integrating center-
scale projects into its existing research and education portfolio of 
activities at a rate that will nurture and sustain the emerging cyber 
security community in academe.
    Awards made in FY 2004 as a result of the Cyber Trust competition 
will complement awards in the agency's current cyber security 
portfolio. As the Committee may be aware, NSF is already funding 
center-scale cyber security projects. For example:

    An Industry/University Cooperative Research Center (I/UCRC) on 
Cyber Protection is currently being supported by an NSF planning grant. 
Building on a strong partnership between Iowa State University, 
Mississippi State University and the University of Kansas, as well as 
key industry partners including EDS, MPI Software Technology, and 
Amerlnd, this Center is planning to provide one of the first facilities 
dedicated to creating a simulated Internet for the purpose of 
researching, designing, and testing cyber defense mechanisms. By 
recreating critical components of the infrastructure, end-users and 
developers will be able to test security configurations and help 
researchers from a broad range of disciplines examine the policy, 
business, systems, and economic implications of cyber security 
innovations.
    The Georgia Institute of Technology's Center for Experimental 
Research on Computer Systems has two primary intellectual thrusts that 
examine systems survivability and security issues. The first deals with 
the development of a secure distributed software infrastructure. The 
second thrust deals with adaptive management in distributed systems 
with a goal of tolerating failures, attacks, or performance overloads 
while maximizing system performance. This center works closely with the 
Georgia Tech Information Security Center (GTISC), supporting many of 
the faculty in GTISC.
    Although the merit review process is not yet complete for the FY 
2003 ITR competition, it is increasingly likely that several center-
scale awards will be made in the area of cyber security. If interested, 
we would be pleased to share these awards with the Committee after they 
are completed.
    We plan to bring the leaders of these and future center-scale 
operations in the cyber security area together on a regular basis and 
to publicize them as a group. NSF's Cyber Trust portfolio will include 
both the centers of excellence, as authorized by the Act, and smaller-
scale projects, including single investigator projects. At NSF we have 
learned that a variety of coordinated funding approaches is most 
effective in building a strong, coherent research and education 
community.

Q2. The Cyber Security Research and Development Act authorizes NSF to 
run a broad, cyber security grants program for individual investigators 
and small groups of investigators. You testified about ongoing work in 
this area and about how cyber security research funding at NSF has 
increased from $15 million in fiscal year 2002 to $30 million in fiscal 
year 2003. What is the schedule for awarding the new grants to be made 
from the fiscal year 2003 funding and how will proposals be solicited? 
Will there be a competition run specifically in cyber security, or will 
the cyber security proposals be solicited and evaluated as part of a 
more general Information Technology Research or Cyber Infrastructure 
solicitation?

A2. NSF's FY 2003 competitions are drawing to a close at this time. 
Consequently, the agency expects to make many new awards between now 
and the end of the fiscal year.
    During FY 2003, the agency ran several competitions that 
specifically targeted cyber security; these included the Trusted 
Computing program and the Data and Applications Security program. These 
two competitions yielded over 100 proposals. The proposals received 
have now completed the merit review process and NSF expects to make 
between 30 and 40 new awards before the end of this fiscal year.
    In addition, the agency also emphasized the growing importance of 
cyber security in a number of other FY 2003 solicitations and program 
announcements, including the Information Technology Research (ITR) 
solicitation, the Embedded and Hybrid Systems (EHS) program 
announcement, the Networking Research Testbeds (NRT) program 
announcement and the NSF Middleware Initiative. Response to these 
solicitations has been strong in the area of cyber security. If 
interested, we would be pleased to share these awards with the 
Committee after they are completed.

Q3. The Cyber Security Research and Development Act emphasizes the 
importance of workforce development, and the Committee believes that it 
is important to train skilled professionals to execute information 
technology security in the private sector and at government agencies, 
as well as scientists and engineers to perform cyber security research 
and development. What do you see as particular workforce needs in cyber 
security?

A3. In order to determine the workforce needs to meet the cyber 
security demands of government and industry, NSF has held and will 
continue to hold discussions with the higher education establishment, 
and government and industry IT leaders.
    In June 2002 the American Association of Community Colleges (AACC) 
hosted an NSF supported workshop on cyber security education. This 
workshop examined the role of the community colleges in the preparation 
of cyber security professionals. As a result of this workshop, NSF has 
included cyber security education as a main component of the Advanced 
Technology Education (ATE) program. Through this program, NSF will be 
funding two projects related to cyber security, one Center of 
Excellence in Cyber Security Education as well as providing planning 
grants for two more Centers.
    NSF and NIST are planning an invitational workshop of academic, 
industry, and government leaders to help assess the needs and identify 
the strategies necessary to prepare a world-class cyber security 
workforce. In order to facilitate educational innovation in cyber 
security, design concepts for new cyber security-related curricula will 
be devised. Implementation strategies will be discussed to determine 
the best way to deliver cyber security education to a broad audience.
    The workshop will focus its efforts on strategies for workforce 
investments in cyber security at the undergraduate and doctoral levels. 
It will also examine implementation strategies to support faculty 
traineeships in cyber security enabling recent Ph.D. graduates and 
current IT faculty to pursue academic careers in cyber security.

Q4. The Cyber Security Research and Development Act authorizes NSF to 
provide funding for several activities designed to build this nation's 
capacity for cyber security education, both of operational cyber 
security professionals and of future cyber security researchers. What 
steps has NSF taken to execute these programs, specifically:

Q4a. Have programs been started to provide grants to institutions of 
higher education to establish or improve undergraduate and Master's 
degree programs in computer and network security and to increase the 
number of students in these programs?

A4a. NSF has several programs that seek to establish or improve 
undergraduate degree programs in computer and network security, and to 
increase the number of students in these programs.
    Based on the recommendations of the AACC workshop, NSF has included 
security education as a major component of the Advanced Technology 
Education (ATE) program. Through this program, NSF is funding two cyber 
security projects and a Center of Excellence in Cyber Security 
Education as well as providing planning grants for two Centers.
    The Center of Excellence in Cyber Security NSF expects to fund in 
the next two months is a consortium of eight institutions of higher 
learning (two universities, five community colleges and one technical 
college) based in the Midwest. The Center will be funded to develop and 
implement degree programs in IT Security and Data Assurance 
technologies at the certificate, Associate's and Bachelor's level. The 
Center will also undertake a comprehensive outreach and support program 
to increase the number of students from under-represented groups in IT 
professions. In addition, Train-the-Trainer summer workshops will be 
developed for faculty from both two- and four-year institutions 
throughout the region. This project has been approved for funding but 
has not yet been announced to the winners.
    The NSF-CompTIA Cyber Security Fast Track Training and 
Certification Program was a initiated this year as a supplemental award 
to an existing grant. This supplemental award extends the mission of 
the National Workforce Center for Emerging Technologies (NWCET) to 
include the Computing Technology Industry Association's (CompTIA) 
Security+ certification program for cyber security instructors. The 
supplemental training program will train and certify 80 faculty from 60 
community colleges in a four month period. Participating faculty will 
produce best practices documentation once they have begun instructing 
students. This documentation will be disseminated to other faculty via 
the web.
    The Federal Cyber Service: Scholarships for Service (SFS) program 
is specifically designed to address cyber security education issues. 
Though it preceded the Act, it does address the law's intentions for 
capacity building and increased student involvement in cyber security 
through awards to some of the country's leading academic institutions. 
Since the inception of the program in mid-2001, SFS has made 19 
scholarship awards and 35 capacity building awards for a total of about 
$52.9 million. As a result of this investment, the Federal Government 
will have recruitment access to the pool of 200 students currently 
supported at the 19 scholarship institutions. By the end of FY 2004, 
NSF expects the pool of students to grow to 350. These individuals will 
all have degrees, BS, MS, or Ph.D.s in cyber security-related fields. 
All participating institutions have been designated as Centers of 
Academic Excellence in Information Assurance Education (CAE/IAE) by the 
National Security Agency or equivalent. Four new schools have just been 
accorded Center status and their students will enter the program 
starting this fall.

Q4b. Have programs been started to provide grants to institutions of 
higher education to establish traineeship programs for graduate 
students in computer and network security research and to enable these 
students to pursue academic careers in cyber security after they 
graduate?

A4b. NSF's primary support of graduate students in the cyber security 
arena is through research assistantship support in cyber security 
research and education grants. The increasing number of awards made in 
this area will support as many as several hundred graduate students in 
computer and network security in FY'03. It is expected that a 
significant percentage of these students will pursue academic careers 
upon graduation with the doctoral degree.
    In addition to support through research assistantships, graduate 
students can also be supported through traineeships and fellowships 
awards via programs such as the Integrative Graduate Education and 
Research Training (IGERT) and the Graduate Research Fellowships 
programs. NSF will continue to encourage the submission of cyber 
security traineeship and fellowship proposals through these programs, 
and will fund leading projects as they emerge. However the agency 
anticipates that as for other fields of science, graduate student 
support will mainly be provided through research assistantships.
    SFS institutions are supporting graduate students who are uniquely 
qualified to enter academia as the next generation of cyber security 
faculty members. The program has recently been expanded to include 
active Ph.D. students. Plans are under development to increase both the 
number of yearly graduates and the overall capacity of the national 
higher education enterprise to produce the most qualified graduates and 
potential new faculty members in the field of cyber security. At the 
same time, the capacity building awards under SFS include activities 
that support the development of faculty members with expertise in the 
area of Information Assurance.

Q5. How does NSF work with other agencies that have cyber security 
research and development programs?

Q5a. Do you coordinate overall federal goals with the other agencies, 
and if so, can you describe some of the technical milestones or goals 
in workforce development?

A5a. NSF coordinates its investments in cyber security workforce 
development with other agencies in the following ways:

    The NSF Scholarships for Service program has helped the Federal 
Government achieve several milestones that are key to cyber security. 
Through the Federal Cyberservice Initiative, the Federal Government has 
increased access to talented cyber security students prior to 
graduation. NSF has coordinated with the National Security Agency (NSA) 
to make capacity building awards to qualified institutions that wish to 
achieve certification as NSA Cyber Security Centers of Excellence.
    Awardees funded by NSF, NSA and the Department of Defense will come 
together at the 2003 Cyber Service/Cyber Corps Student Symposium. The 
Symposium, to be held at Carnegie Mellon University's Center for 
Computer and Communications Security, will allow students to network 
across programs, as well as with their faculty mentors and senior 
Government officials. This coordinated symposium in which the students 
take center-stage is an example of the success that federal workforce 
development programs in cyber security are enjoying.
    NSF is sponsoring a conference focused on cyber security education 
to be held on June 26-28, 2003. The third annual World Conference on 
Information Security Education (WISE3) will be held at the Naval Post 
Graduate School. The conference brings together leaders in computer 
security education from around the globe. The theme for the conference 
is ``Teaching the Role of Information Assurance in Critical 
Infrastructure Protection.''
    In conjunction with WISE3, the Workshop on Education in Computer 
Security (WECS) will be held in the three days prior (also at the Naval 
Postgraduate School). WECS is an opportunity for educators to learn 
about fundamentals and recent advances in information assurance and 
computer security, and to improve their instructional capabilities in 
these areas. This annual forum allows instructors to share best 
practices and is a significant achievement in building the capacity of 
the Nation's cyber security education enterprise.

Q5b. Two interagency groups were discussed at the hearing: the Infosec 
Research Council (IRC) and the High Confidence Software and Systems 
group within the Networking and Information Technology Research and 
Development Interagency Working Group. How are these two groups 
related?

A5b. The Infosec Research Council (IRC) is an effective knowledge 
sharing body. Though it has no formal charter, the group has served as 
an important technical coordinating organization. Agency 
representatives use this as a forum to discuss security implementations 
and development activities that they are pursuing, which may have 
synergies with other agencies. This kind of informal coordination leads 
to joint-funded projects and helps to avoid duplication of effort in 
security development and implementation programs.
    The High Confidence Software & Systems (HCSS) Program Component 
Area (PCA) of the NITRD-IWG concentrates on Research and Development of 
critical technologies that are needed to enable computer systems to 
achieve high levels of availability, reliability, safety, security, 
survivability, protection and restorability of information services. 
The members of this subgroup take a long-term view. Integrating the 
high-confidence attributes that are essential to secure software and 
systems requires formal scientific design principles, large-scale 
testing and new diagnostic and forensic tools. The HCSS informs 
development of the Administration's budget in this PCA.
    Though the two groups have a different mandates, NSF staff are 
active in both and are working to find synergies along the path from 
research to implementation.

Q5c. Do the groups divide up tasks among various agencies? Do they 
monitor progress in cyber security research and development at the 
agencies?

A5c. Interagency collaboration is well established in the area of cyber 
security. Program Officers involved in these interagency working groups 
share programmatic information and cooperate in jointly funded 
projects.
    In addition to the committees that regularly meet to exchange 
information and coordinate efforts discussed above, the federal cyber 
security enterprise sponsors workshops and meetings with the research 
and education community. One example of the cooperative effort in place 
is the NSF PI meeting to be held in August 2003. This meeting, held in 
cooperation with the Department of Homeland Security (DHS) and the 
National Institute of Standards and Technology (NIST), will be open to 
all federal personnel with an interest in cyber security. This kind of 
interagency information sharing is common and ensures that Program 
Officers are cognizant of the full federal portfolio of cyber security 
activity. It allows them to monitor progress made by other federal 
agencies and leverage it to their specific needs.

Q5d. You testified that the High Confidence Software and Systems group 
is working to define the federal portfolio of cyber security research 
and development and will identify gaps. When will that effort be 
complete? What follow-up actions will NSF and the other agencies in the 
group take?

A5d. The HCSS group, which is co-chaired by an NSF Program Officer, is 
approaching cyber security in the federal portfolio as an ongoing 
program. This work has already begun, and though the work will never be 
complete (cyber security will be a dynamic, changing research subject 
for the foreseeable future) that organization will have a consolidated 
portfolio statement that includes new programs to fill gaps in the 
current portfolio by the end of the fiscal year.
    The agenda will be organized around three interdependent topic 
areas: near-term reduced vulnerability, next-generation embedded 
security, and interoperable migration strategies. NSF will seek to 
increase funding, basing our priorities on the portfolio items that the 
group identifies. NSF will then look for opportunities to share funding 
with the other agencies involved in HCSS, CIIP, and IRC.

                   Answers to Post-Hearing Questions

Responses by Arden L. Bement, Jr., Director, National Institute of 
        Standards and Technology, Technology Administration, U.S. 
        Department of Commerce

Questions submitted by Chairman Sherwood Boehlert

Q1. The National Institute of Standards and Technology (NIST) has not 
yet begun the grants to institutions of higher education that are 
partnering with companies on cyber security research and development or 
the re-training fellowships to increase the cyber security workforce, 
both of which are authorized by the Cyber Security Research and 
Development Act. How much funding would NIST need to implement these 
programs? Will NIST request these funds for fiscal year 2005?

A1. NIST has provided twelve cyber security research grants in the past 
two years: one to the Critical Infrastructure Protection Project; nine 
to various recipients under the NIST 2001 Critical Infrastructure 
Protection Grants Program; and two to the Institute for Information 
Infrastructure Protection (I3P) at Dartmouth College's Institute for 
Security and Technology Studies, as described below. Note that, in 
addition, related awards have been made under the NIST Advanced 
Technology Program and Small Business Innovative Research program.
Critical Infrastructure Protection Project (CIP Project)
    The CIP Project is a joint effort of George Mason University and 
James Madison University to develop a nationally recognized program 
that fully integrates the disciplines of law, policy, and technology 
for enhancing the security of cyber networks and supporting the 
Nation's critical infrastructures. The consideration of all three 
disciplines--law, policy, and technology--is what makes the CIP Project 
unique. The CEP Project is funded by a NIST FY 2002 grant of $6.5 
million. We expect to provide another $6.5 million in FY03 to fund this 
activity.
    The CIP Project's research uniquely and innovatively aligns 
scholarly research with national goals and objectives. Current projects 
include the following:

    Economic Incentives for Cyber Security: Working closely with Nobel 
Laureate Vernon Smith, the CEP Project is developing software to 
conduct replicable human use experiments to study how individuals 
create markets to share risk through self-insuring cyber networks, 
secondary insurance markets, contracting, and standards development. 
There are no similar products available for our nation's critical 
infrastructure owners.
    Securing the Internet Infrastructure: The CIP Project is developing 
a comprehensive ``map'' of our nation's telecommunications 
infrastructure and examining how connectivity and performance are 
affected by removal of critical cities (nodes) resulting from physical 
attacks on key infrastructure facilities. Presently, critical 
infrastructures owners do not have access to such a map for security 
planning or disaster mitigation.
    Cyber Attacker Digital Fingerprinting: The CIP Project is 
developing methods to identify cyber attackers based on characteristics 
discovered during and after their attacks using data mining tools and 
techniques. Additional research will examine the complex intellectual 
property and privacy implications of this developing technology.
    Network Security Risk Assessment Model (NSRAM): The CIP Project is 
creating a tool (the NSRAMT) that will model, detect, and assess 
network vulnerabilities to facilitate enhanced risk quantification, 
intrusion detection, and network security. The NSRAMT improves upon 
existing tools by incorporating the time dimension into the assessment 
of cyber vulnerabilities.

NIST Critical Infrastructure Protection Grants Program
    In September 2001, NIST awarded $5M to nine grant recipients under 
the FY 2001 Critical Infrastructure Protection Grants Program (CIPGP) 
to improve the robustness, resilience, and security information in all 
the critical infrastructures. Under the competitive grant application 
process, we received 133 proposals requesting roughly $73M from 
applicants in both industry and academia. We selected proposals in 
intrusion detection, telecommunications, wireless security, electric 
power infrastructure, and compiler security.
    Funded research addresses a variety of topics to include tools and 
methods for analyzing security and detecting attacks due to 
vulnerabilities introduced by merging of data networks (i.e., the 
Internet) and voice networks (i.e., the public switched telephone 
network). Other topics addressed are attack detection for wireless and 
converged networks, security controls for protecting the North American 
power grid, and methods for evaluating intrusion detection systems.
    While results are still preliminary from the Grants program and 
some projects will not be completed due to a discontinuation of program 
funding, important developments were made in wireless security, 
converged data/IP networks, and electric power infrastructure security. 
Additional information is available via http://csrc.nist.gov/grants/
index.html

Institute for Information Infrastructure Protection (I3P)
    The Institute for Information Infrastructure Protection (I3P) at 
Dartmouth College's Institute for Security and Technology Studies is a 
consortium of twenty-three academic and not-for-profit research 
organizations focused on cyber security and information infrastructure 
protection research and development (R&D). The I3P helps protect the 
information infrastructure of the United States by developing a 
comprehensive, prioritized R&D Agenda for cyber security and promoting 
collaboration and information sharing among academia, industry, and 
government. NIST participated in providing input to the I3P's Cyber 
Security Research and Development Agenda (January 2003) that identified 
the following as priority research areas:

         Enterprise Security Management;

         Trust Among Distributed Autonomous Parties;

         Discovery and Analysis of Security Properties and 
        Vulnerabilities;

         Secure System and Network Response and Recovery;

         Traceback, Identification, and Forensics;

         Wireless Security;

         Metrics and Models; and

         Law, Policy, and Economic Issues.

    Discussion of the I3P's research methodology and details on each of 
these topics is available in the I3P's R&D Agenda at http://
www.thei3p.org/documents/2003 Cyber Security RD Agenda.pdf
    The activities of the I3P are supported by NIST grants of $3 
million in FY 2001 and $3 million in FY 2002.
    While these activities are not specifically identified in the Cyber 
Security Research and Development Act, they demonstrate NIST's 
commitment to cyber security research. NIST will do its best to fulfill 
the specific requirements of the Cyber Security Research and 
Development Act of 2002 within present resources and through future 
budget cycles.

Q2. At the hearing, you described the importance of standards for 
information security. What are some examples of these standards? How 
will NIST and the Department of Homeland Security (DHS) be working 
together on such standards? Will NIST and DHS be working together on 
communications for first responders?

A2. Examples of standards that are important for information security 
include cryptographic-based standards used for encryption (e.g., 
Advanced Encryption Standard) and for digital signatures. Although not 
formal standards, other security specifications are also important, 
such as recommendations for security settings for specific products and 
for security features for procured information technology products.
    When appropriate, NIST and DHS will be working together on these 
standards and other cyber security standards and specifications through 
collaborative research and planning, formal exchange of personal, 
sharing of information, and joint private sector outreach. All of these 
activities will be facilitated by the recently signed Memorandum of 
Understanding between DHS and the Technology Administration (TA) of the 
Department of Commerce. NIST and DHS will also be working together on 
cyber security standards and biometrics through the American National 
Standards Institute--Homeland Security Standards Panel (ANSI-HSSP). The 
Chief of NIST's Standards Services Division co-chairs the ANSI-HSSP.
    NIST will work with DHS to ensure that our work is complementary, 
while maintaining our necessary independence. Of course, DHS, like all 
other federal agencies, can take advantage of NIST cyber security 
guidelines and standards to protect its sensitive information and 
systems. Additionally, like other federal organizations, NIST will 
invite DHS to comment and review NIST's draft security standards and 
guidelines. Our collaboration is furthered by having DHS membership on 
our Information Security and Privacy Advisory Board.
    With regard to first responders communications, NIST and the 
Department of Homeland Security have already begun to coordinate 
efforts aimed at improving the communications capabilities of first 
responders. NIST's Office of Law Enforcement Standards, in partnership 
with DHS' Science and Technology Directorate and the National Institute 
of Justice, will be hosting a Summit on Interoperable Communications 
for Public Safety at the end of June. The goal of the Summit will be to 
gather all of the federal and national programs together that are in 
some way addressing public safety communications and provide an 
understanding on how the various programs inter-relate, thus 
facilitating improved information sharing, coordination, and focus in 
this important area. In addition, NIST has been, and will continue to 
work closely with DHS' SAFECOM program, to provide scientific, 
engineering, and standards expertise to the public safety community.

Q3. The Cyber Security Research and Development Act emphasizes the 
importance of workforce development, and the Committee believes that it 
is important to train skilled professionals to execute information 
technology security in the private sector and at government agencies, 
as well as scientists and engineers to perform cyber security research 
and development. What do you see as particular workforce needs in cyber 
security? What actions is your agency taking or planning to take to 
provide education and training in the cyber security area?

A3. Workforce needs in cyber security include skilled researchers in 
the areas of system vulnerabilities and in security technology, 
metrology, and testing. A larger and more-skilled workforce in the area 
of systems operations, specifically experts that can use today's tools 
and techniques to better secure existing critical systems, is also 
needed. The range of skills required is discussed in NIST Special 
Publication 800-16. (See http://csrc.nist.gov/publications/nistpubs/
index.html) NIST has a role in providing guidance on training; a draft 
NIST guideline is currently out for public review. We work with 
universities (contributor/evaluator for the NSA Centers of Excellence 
program), with industry certification groups, such as International 
Information Systems Security Certification Consortia, CompTIA, and 
SANS, and with the Federal Information Systems Security Educators 
Association to develop training guidelines.
    NIST provides education and training by hosting various security 
workshops and conferences in the area of cyber security and related 
fields. For example, we hosted a workshop on advanced public key 
infrastructure research in April. We are also hosting a workshop on IT 
security and capital planning in June.

Q4. How does NIST work with other agencies that have cyber security 
research and development programs?

        a. Do you coordinate overall federal goals with the other 
        agencies, and if so, can you describe some of the technical 
        milestones or goals in workforce development?

        b. Two interagency groups were discussed at the hearing: the 
        Infosec Research Council (IRC) and the High Confidence Software 
        and Systems group within the Networking and Information 
        Technology Research and Development Interagency Working Group. 
        How are these two groups related? Does NIST participate in both 
        groups?

        c. Do the groups divide up tasks among various agencies? Do 
        they monitor progress in cyber security research and 
        development at the agencies?

A4. NIST works with DARPA, NSF, OSTP, OMB, NSA, and a range of other 
federal and private sector organizations involved in cyber security 
research. In the specific area of workforce development, NIST 
participates in the Service for Scholarship program by hiring students 
and interns. We assist NSA in reviewing their annual applications for 
their centers of excellence designation. NIST also has been assigned 
new responsibilities under the Cyber Security R&D Act for awarding 
cyber security fellowships. In addition, our current CIO recently 
served a two-year tour as Director of the National Coordination Office 
(NCO) for Information Technology Research and Development, reporting to 
OSTP. The NCO's work involves twelve federal agencies. The High 
Confidence Software and Systems (HCSS) Working Group is the most 
focused on cyber security issues.
    NIST participates in both the Infosec Research Council (IRC) and 
the High Confidence Software and Systems group within the Networking 
and Information Technology Research and Development Interagency Working 
Group. The IRC serves to share research priorities and activities, 
specifically in the area of cyber security. As its charter describes:

        ``The INFOSEC Research Council (IRC) consists of U.S. 
        Government sponsors of information security research from the 
        Department of Defense, the Intelligence Community, and Federal 
        Civil Agencies. The IRC provides its membership with a 
        community-wide forum to discuss critical information security 
        issues, convey the research needs of their respective 
        communities, and describe current research initiatives and 
        proposed courses of action for future research investments. By 
        participating in the IRC, sponsors obtain and share valuable 
        information that will help focus their information security 
        research programs, identify high-leverage, high-value research 
        targets of opportunity, and minimize duplication of research. 
        The IRC will be a collective effort for the mutual benefit and 
        collaboration of the participating organizations and is 
        intended to promote intelligent information security research 
        investments. While it is understood that each participating 
        agency will have its own research priorities, it is anticipated 
        that the IRC will be able to identify high priority areas of 
        research to develop a common, shared appreciation of the 
        important and challenging information security problems of the 
        day.'' (www.infosec-research.org)

    The NCO's HCSS Working Group is more broadly focused than just 
cyber security: (www.itrd.gov)

        LThe National Coordination Office (NCO) for Information 
        Technology Research and Development (IT R&D) coordinates 
        planning, budget, and assessment activities for the Federal 
        Networking and IT R&D Program. This 12-agency collaborative 
        effort pioneers fundamental advances in the critical 
        technologies of the Nation's information infrastructure, 
        including high performance computing, large-scale networking, 
        and high assurance software and systems design.
    The NCO reports to the White House Office of Science and Technology 
Policy and the National Science and Technology Council (NSTC). The NCO 
works with the participating federal agencies through the NSTC's 
Interagency Working Group (IWG) on IT R&D and six IWG Coordinating 
Groups to prepare and implement the $2 billion Federal IT R&D budget 
crosscut. Since no one federal agency cites IT R&D as its primary 
mission, it is vital for agencies to coordinate, collaborate, and 
cooperate to help increase the overall effectiveness and productivity 
of Federal IT R&D. The major research emphases of the IT R&D effort are 
called Program Component Areas (PCAs).
    The High Confidence Software and Systems (HCSS) Program Component 
Area (PCA) concentrates on Research and Development into critical 
technologies that are needed to enable computer systems to achieve high 
levels of availability, reliability, safety, security, survivability, 
protection and restorability of information services.

Q5. The Cyber Security Research and Development Act makes the National 
Science Foundation (NSF) the lead agency for cyber security research 
and development, as Dr. Colwell testified at the hearing. In what ways 
are you interacting with NSF as it acts as the lead agency in this 
area? Does NSF review your budget proposal for programs in this area? 
Does NSF lead the agencies in a group effort to determine overall cyber 
security research and development priorities, and if so, how?

A5. We meet regularly with NSF personnel via the IRC, as described 
above. NSF does not review NIST budget proposals. In addition, as 
discussed earlier, NIST's current CIO recently served a two-year tour 
as Director of the National Coordination Office (NCO) for Information 
Technology Research and Development, reporting to OSTP. The NCO's work 
involves twelve federal agencies, including NSF.


                              Appendix 2:

                              ----------                              


                   Additional Material for the Record










                              July 8, 2003
     Current Activities of the National Institute of Standards and 
           Technology in Cyber Security and Related Programs

1. Cyber Security Research Grants

    NIST has provided twelve cyber security research grants in the past 
two years: one to the Critical Infrastructure Protection Project; nine 
under the NIST 2001 Critical Infrastructure Protection Grants Program 
and two to the Institute for Information Infrastructure Protection 
(I3P) at Dartmouth College's Institute for Security and Technology 
Studies. Each will be briefly described. Note that, in addition, 
related awards have been made under the NIST Advanced Technology 
Program and Small Business Innovative Research program, but for the 
sake of brevity, they will not be included at this time.
Critical Infrastructure Protection Project (CIP Project)
    The CIP Project is a joint effort of George Mason University and 
James Madison University to develop a nationally recognized program 
that fully integrates the disciplines of law, policy, and technology 
for enhancing the security of cyber networks and economic processes 
supporting the Nation's critical infrastructures. The consideration of 
all three disciplines--law, policy, and technology--is what makes the 
CIP Project unique. The CIP Project is funded by a NIST FY 2002 grant 
of $6.5 million. NIST expects to provide another $6.5 million in FY03 
to fund this activity.
    The CIP Project's research agenda serves as a unique and innovative 
approach to aligning scholarly research with national goals and 
objectives. Current projects include the following:

    Economic Incentives for Cyber Security: Working closely with Nobel 
Laureate Vernon Smith, the CIP Project is developing software to 
conduct replicable human use experiments to study how individuals 
create markets to share risk through self-insuring cyber networks, 
secondary insurance markets, contracting, and standards development. 
There are no similar products available for our nation's critical 
infrastructure owners.
    Securing the Internet Infrastructure: The CIP Project is developing 
a comprehensive ``map'' of our nation's telecommunications 
infrastructure and examining how connectivity and performance are 
affected by removal of critical cities (nodes) resulting from physical 
attacks on key infrastructure facilities. Presently, critical 
infrastructures owners do not have access to such a map for security 
planning or disaster mitigation purposes.
    Cyber Attacker Digital Fingerprinting: The CIP Project is 
developing technological methods to identify cyber attackers based on 
characteristics discovered during and after their attacks using data 
mining tools and techniques. Additional research will examine the 
complex intellectual property and privacy implications of this 
developing technology.
    Network Security Risk Assessment Model (NSRAM): The CIP Project is 
creating a tool (the NSRAMT) that will model, detect, and assess 
network vulnerabilities in order to facilitate enhanced risk 
quantification, intrusion detection, and network security. The NSRAMT 
improves upon existing tools by incorporating the time dimension into 
the assessment of cyber vulnerabilities.
NIST Critical Infrastructure Protection Grants Program
    In September 2001, NIST awarded $5M to nine grant recipients under 
the FY 2001 Critical Infrastructure Protection Grants Program (CIPGP) 
to improve the robustness, resilience, and security information in all 
the critical infrastructures. Under the competitive grant application 
process, NIST received 133 proposals requesting roughly $73M from 
applicants in both industry and academia. Proposals selected were in 
intrusion detection, telecommunications, wireless security, electric 
power infrastructure, and compiler security.
    Funded research addresses a variety of topics to include tools and 
methods for analyzing security and detecting attacks due to 
vulnerabilities introduced by merging of data networks (i.e., the 
Internet) and voice networks (i.e., the public switched telephone 
network). Other topics addressed are attack detection for wireless and 
converged networks, the development of security controls for protecting 
the North American power grid, and methods for evaluating intrusion 
detection systems.
    While results are still preliminary from the Grants program and 
some projects will not be completed due to a discontinuation of program 
funding, NIST will still produce important results especially in the 
wireless area, converged data/IP networks and security of the electric 
power infrastructure. Additional information is available via http://
csrc.nist.gov/grants/index.html
Institute for Information Infrastructure Protection (I3P)
    The Institute for Information Infrastructure Protection (I3P) at 
Dartmouth College's Institute for Security and Technology Studies is a 
consortium of twenty-three academic and not-for-profit research 
organizations focused on cyber security and information infrastructure 
protection research and development (R&D). The UP helps protect the 
information infrastructure of the United States by developing a 
comprehensive, prioritized R&D Agenda for cyber security and promoting 
collaboration and information sharing among academia, industry, and 
government. NIST participated in providing input to the I3P's Cyber 
Security Research and Development Agenda (January 2003) that identified 
the following as priority research areas:

         Enterprise Security Management;

         Trust Among Distributed Autonomous Parties;

         Discovery and Analysis of Security Properties and 
        Vulnerabilities;

         Secure System and Network Response and Recovery;

         Traceback, Identification, and Forensics;

         Wireless Security;

         Metrics and Models; and

         Law, Policy, and Economic Issues.

    A substantial discussion about the I3P's research methodology and 
details on each of these topics is available in the I3P's R&D Agenda at 
http://www.thei3p.org/documents/2003 Cyber Security RD Agenda.pdf
    The activities of the I3P are supported by NIST grants of $3M in FY 
2001 and a second $3M in FY 2002. NIST expects to provide a third $3M 
grant in FY 2003 to I3P.

2. National Research Council Study of Network Vulnerabilities

    As called for by CSRDA, NIST is also moving forward with steps to 
fund, in collaboration with DARPA, a National Research Council study to 
review the vulnerabilities and inter-dependencies in NIST's critical 
infrastructure networks and identify appropriate research needs and 
associated resource requirements. NRC colleagues have already 
identified a study director and are ready to initiate this study.

3. Security of Supervisory Control and Data Acquisition Systems 
                    (SCADA)

    SCADA computerized systems play a key role in controlling 
industrial processes in the food, pharmaceutical, chemical, and oil and 
gas industries, and other critical sectors of the economy. These 
systems, typically designed as stand-alone systems, are now often 
networked and managed via the Internet. This means that they are now 
vulnerable to the same panoply of security vulnerabilities that 
confront all other Internet-connected systems. NIST's work in this area 
is aimed at building more secure industrial control systems to protect 
against threats by terrorists, hackers, disgruntled employees or anyone 
else intent on these vitally important elements of the Nation's 
infrastructure.
    For example, in the area of SCADA systems used in electrical power 
generation and distribution, legacy systems must be retrofitted with 
security hardware and software. NIST is working with EPRI, the electric 
power industry's research arm, to identify precisely where weaknesses 
exist and to develop security requirements for the real-time systems 
that control the power grid and other critical industrial processes.
    In the area of automated building control systems, work is 
addressing the hardening of a host of complex systems that control 
lighting, ventilation, fire alarm and other critical systems. NIST is 
working with industry to develop security enhancements for building 
control systems and also with the General Services Administration to 
implement security features in government buildings.

4. Biometrics

    The United States visa issuance and border entry-exit systems are 
required to use biometrics to prevent unauthorized persons from 
entering the U.S. through nearly 400 air, sea, and land ports of entry. 
Biometrics are automated methods of recognizing a person based on 
physical or behavioral characteristics.
    In response to mandates in the USA PATRIOT Act and the Enhanced 
Border Security and Visa Entry Reform Act, NIST helped develop a report 
to Congress, submitted jointly by the Departments of Justice and State 
and NIST, on February 4, 2003, in which NIST recommended that at least 
two fingerprints and a face image be used as the required biometrics. 
This recommendation was made as a result of biometric tests that used 
hundreds of thousands of samples of real-world data obtained from the 
State Department, the Immigration and Naturalization Service (INS), the 
Texas Department of Public Safety, and the Federal Bureau of 
Investigation (FBI).
    NIST has also obtained a system that models the FBI's Integrated 
Automated Fingerprint Identification System (IAFIS) and has tested this 
system. The results provide accuracy measurements of the FBI 
fingerprint matching system, which is also mandated in the PATRIOT Act. 
These measurements are crucial for determining how to best perform 
background checks of foreign nationals applying for visas.
    NIST has also been working on standards development for biometrics 
to provide inter-operability among different biometric vendors. NIST 
developed and spearheaded the adoption of a standard for inter-
operability and exchange of fingerprint and facial image information. 
This standard is mandatory for data exchange between the FBI and state 
law enforcement organizations. Working through biometrics standards 
committees, NIST is developing image-based standards for face, finger, 
and iris that will lead to inter-operability. NIST is also submitting 
its biometric evaluation methodology as a testing standard to the 
International Committee for Information Technology Standards. Finally, 
NIST's testing results are being used to formulate the U.S. position on 
biometrics with the International Civil Aviation Organization (ICAO), 
which establishes international passport standards.

5. Forensics

    Law enforcement officials and cyber security experts need to sort 
through the reams of files on computers in a timely manner to find 
evidence of terrorist and other criminal activities and to find 
evidence of cyber security events. Moreover, once digital evidence is 
uncovered, it is in danger of not being accepted in the U.S. court 
system. In order to enable the investigation and the subsequent 
prosecution in court, computer forensics must be based on sound, 
scientific practices that are produced and validated by neutral third 
parties.
    In response to this need, NIST, working in partnership with the 
National Institute of Justice, the FBI, the U.S. Secret Service, the 
U.S. Customs Service, the DOD, and many State and local agencies, has 
developed two computer forensics products: the National Software 
Reference Library (NSRL) and the Computer Forensics Tool Testing (CFTT) 
Program. These products are used daily to help solve thousands of 
cases, including terrorism investigations.
    Besides helping solve crimes, the products also help defend digital 
evidence that is introduced in court by prosecutors. The first high 
profile case to address this is the case of alleged terrorist Zacarias 
Moussaoui. As summarized by CNN, ``The (prosecutor's) highly technical 
report on the computers and e-mail search followed a request by court-
appointed defense attorneys assisting Moussaoui that computer evidence 
be authenticated.'' The ``highly technical report,'' filed by the 
Government, relies heavily on NIST and specifically references the CFTT 
project.
    Cyber security experts outside of law enforcement are also using 
these tools. The MIT computer security researchers who set out to prove 
that significant confidential information can be found on discarded 
computers used the NSRL as part of their process. They found over 5000 
credit card numbers, medical records and a year of ATM transactions. 
See http://www.msnbc.com/news/859843.asp?cpl=l

6. Network Security

    NIST's efforts in Internet security research are focused on both 
near-term objectives of expediting significant improvements to the 
security and integrity of today's Internet technologies, and longer-
term objectives such as exploring the use of quantum information theory 
to develop ultra-secure networking technologies of the future.
    Our near-term research is directed at working with industry and 
other government agencies to improve the inter-operability, scalability 
and performance of new Internet security systems and to expedite the 
development of Internet infrastructure protection technologies. NIST 
staff is actively working with the Internet Engineering Task Force 
(IETF) to design, develop, standardize and test new protocols that will 
make authentication, confidentiality and integrity services inherent 
capabilities of all networks based upon Internet technologies. NIST has 
taken leadership roles within the IETF in the specification of public 
key infrastructure, network layer security and key management 
technologies. Working shoulder to shoulder with industry, NIST is 
contributing technical specifications, modeling and analysis results, 
research prototypes and test and measurement tools to the IETF 
community to expedite the standardization of ubiquitous Internet 
security services and to foster the rapid development of commercial 
products.
    Another area of focus for the near-term efforts is the research and 
development of technologies to protect the core infrastructure of 
Internet. NIST is working with the IETF and other government agencies 
to devise means to protect the control protocols and infrastructure 
services that underlie the operation of today's Internet. NIST's 
research and standardization efforts in this area include: extensions 
to the Domain Name System (DNS) to add cryptographic authentication to 
this most basic Internet service, and the design and analysis of 
protection and restoration mechanisms to improve failure resilience of 
core switching and routing infrastructures. NIST's future work in this 
area will focus on improving security and resilience of core Internet 
routing protocols.
    Looking further into the future, NIST sees the potential for new 
computational paradigms to threaten the mathematical underpinnings of 
today's cryptographic systems. In response, NIST is conducting research 
in the use of quantum information theory to devise ultra-secure network 
technologies that are not dependent upon today's cryptographic 
techniques. NIST is collaborating with other government agencies in the 
design and evaluation of quantum information network technologies, 
ranging from physical devices capable of operating on single photons of 
a high speed optical link, to next generation quantum key distribution 
protocols capable of exploiting these physical links to devise provably 
secure cryptographic techniques.

7. Public Key Infrastructure (PKI)

    In the past NIST has done research on PKI, primarily on effective 
revocation strategies and strategies for building large heterogeneous 
PKIs; however, today efforts are primarily focused on devising 
effective assurance tests for PKI components and clients. Assurance 
testing is an important research topic because assurance tests that are 
repeatable and meaningful provide a means for vendors to improve the 
security quality of their products. NIST is attempting to develop 
specific pass/fail tests and techniques for PKI assurance testing based 
on specific test requirements, and thus streamlining PKI security 
testing as compared to ad hoc conventional security assurance 
evaluation testing that requires a great deal of product-specific 
design analysis. There has been some success with this in Certificate 
Issuing and Management Components (CIMC) protection profile, for 
testing certification authorities, which breaks new ground in several 
areas. Work is now extending into client testing, which is more 
challenging and technically complex.
    NIST also hosts and cosponsors, along with Internet2, an annual PKI 
research conference. Recently, informal collaborations were begun with 
investigators at the Korean Information Security Agency (KISA). We are 
seeking to invent a secure authenticator for sensitive personal 
information in PKI certificates to enable the subject to authenticate 
personal information if he or she chooses to divulge it.

8. Quantum Information Systems and Quantum Cryptography

    NIST is working on a scalable quantum information network test-bed 
for research in quantum computing and cryptography. While current 
cryptosystems are extremely hard to break, quantum cryptography has the 
potential to provide truly unbreakable codes. A quantum information 
network is built to exploit the laws of quantum mechanics. Present day 
engineering of computational systems (e.g., clock speed for a 
processor, maximum size of memory) and implementation of algorithms 
(including cryptographic algorithms) are limited by the laws of 
classical mechanics. The results provided by quantum mechanics point 
out the potential for capabilities for computing and communication 
beyond that theoretically possible with the known laws of classical 
mechanics. This is the reason that quantum computation and quantum 
communication have become prime areas of research for applications for 
quantum mechanics.
    NIST seeks to develop an extensible quantum information testbed and 
the scalable component technology essential to the practical 
realization of a quantum communication network. Quantum cryptographic 
systems are the first products of quantum computing research to advance 
to the commercial stage, with two products currently on the market. 
This market is expected to continue to grow, producing products for 
both government and commercial use. The testbed will demonstrate 
quantum communication and quantum cryptographic key distribution with 
high data rate. This testbed, once developed, will provide a 
measurement and standards infrastructure that will be open to the 
scientific community and will enable wide-ranging experiments on both 
the physical- and network-layer aspects of a quantum communication 
system. The infrastructure will be used to provide calibration, 
testing, and development facilities.
    Quantum cryptography offers several advantages over traditional 
methods, including stronger security, eavesdropping detection, and the 
ability to generate and distribute large amounts of keying material 
more efficiently than conventional key distribution infrastructures. 
NIST has developed a hybrid authentication protocol for quantum 
networks, combining conventional and quantum methods. Authentication is 
critical for commercially viable quantum key distribution. In addition, 
this research has led to the discovery of serious vulnerabilities in 
many proposed quantum cryptographic protocols. Lessons learned from 
this research will assist quantum protocol developers in improving 
security, and provide the basis for incorporating quantum cryptographic 
module testing into the NIST Cryptographic Module Validation Program 
for the FIPS 140-2 standard.

9. Wireless Mobile Device Security

    With the trend toward a highly mobile workforce, the acquisition of 
handheld devices such as Personal Digital Assistants (PDAs) is growing 
at an ever-increasing rate. These devices are relatively inexpensive 
productivity tools and are quickly becoming a necessity in today's 
business environment. Most handheld devices can be configured to send 
and receive electronic mail and browse the Internet. However, as 
handheld devices increasingly retain sensitive information or provide 
the means to obtain such information wirelessly, they must be 
protected.
    NIST's efforts to date have focused on improving several aspects of 
security: user authentication, policy enforcement, and wireless 
communications. For user authentication NIST has developed a framework 
for multi-mode authentication that allows more than one authentication 
mechanism to contribute to the verification of a user's identity. For 
example, a biometric, such as voice input, may be required in 
combination with a security token, such as a smart card, before a user 
is permitted to access the contents of a device. In addition, NIST has 
invented a visual means of authentication that not only is easier than 
passwords for users to authenticate, but also significantly more 
powerful, and has contributed updates to an open source code initiative 
that allow smart cards to be used on certain handheld devices.
    For policy enforcement, NIST has developed a system that requires 
users to present a policy certificate to a device, as a means of moving 
from a restricted processing environment to one in which the privileges 
accorded a user via the policy certificate are enabled. Policy rules 
govern such things as application usage, file access, and 
communications interfaces, including wireless communications. This 
mechanism allows organization policy controls to be asserted on 
handheld devices, which typically are at the fringes of an 
organization's influence, and was designed to tie in with emerging 
Public Key Infrastructures.
    For wireless communications, NIST has developed a highly-regarded 
publication on Wireless Network Security, aimed at reducing the risks 
associated with 802.11 wireless local area networks and Bluetooth 
wireless networks that are commonly used with handheld devices. In the 
six months since its publication, the guideline has been downloaded 
over 120,000 times by users in over 50 countries.
    Additionally, NIST is actively supporting the standards community 
in moving towards stronger, more robust security by integrating 
stronger, more secure cryptographic algorithms and their associated 
modes of operation into the next generation of the relevant standards. 
Two of the NIST 2001 Critical Information Protection Grants were 
awarded in the wireless security area to the University of Pittsburgh 
and the University of Maryland.
    The University of Pittsburgh's research is studying interaction 
between the survivability and security of wireless information 
architectures. As part of this research, techniques for evaluating the 
survivability of wireless networks were developed, secure wireless 
architectures were designed, and strategies for meeting survivability 
and security requirements were examined. The impact of security 
services on performance, energy consumption, speed, and bandwidth were 
also simulated. The researchers demonstrated the interaction of 
survivability and security and proposed methods for measuring and 
optimizing both of these requirements. These results are expected to 
ultimately be applied to the design of critical wireless 
infrastructures.
    The University of Maryland research is focused on a secure wireless 
testbed. There are several goals of the Secure Wireless LAN/MAN 
Infrastructure testbed. First, the testbed is testing the secure inter-
operation between a multitude of different wireless equipment--both 
commercial and developmental. Second, the testbed supports research 
designed to address integration issues arising from the new draft 
security architecture for IEEE 802.11 (Enhanced Security Network), as 
well as security and management issues surrounding scalability, naming, 
and fraud control in wireless metropolitan networks. Finally, the 
testbed serves as a wireless security training apparatus for students, 
faculty, and other collaborators

10. Access Control

    One of the basic tenets of IT security is controlling access to 
vital IT resources. NIST has been actively researching for many years 
more cost-effective and efficient ways to administer access to critical 
system resources. In effect, NIST is answering the question ``who is 
allowed to do what?'' Access control mechanisms can take on many forms. 
Recognizing the inadequacies of traditional, labor-intensive, and 
error-prone approaches to controlling user access to sensitive 
information and the security benefits that could be gained via 
breakthroughs in access control technology, a NIST research team 
created a new approach to controlling user access, called Role-Based 
Access Control (RBAC). What is most striking about RBAC is its rapid 
evolution from a theoretical model to commercial implementation and 
deployment. An independently conducted NIST-sponsored economic impact 
study, conducted by RTI, estimated that the team's work will soon be 
used by some 30 millions users for access to sensitive information 
controlled using this technology. RBAC's productivity advantages alone 
are often sufficient to justify its deployment. An outside study by RTI 
estimated that RBAC technology saved U.S. industry $671 million, and 
that NIST was responsible for 44 percent of the savings giving the 
taxpayer a 10,900 percent return on investment.

11. Security Guidelines and Standards

    NIST continues to develop standards and guidelines in support of 
its federal responsibilities. Many of these are also used, on a 
voluntary basis, by organizations in the private sector. Hundreds of 
thousands of copies of NIST guidelines have been downloaded from the 
NIST Computer Security Resource Center. For example, over 400,000 
copies of NIST's Contingency Planning Guide for Information Technology 
have been downloaded since its publication less than a year ago. In 
2002-2003, NIST published the following security guidelines:

         Use of the Common Vulnerabilities and Exposures (CVE) 
        Vulnerability Naming Scheme;

         Federal S/MIME V3 Client Profile;

         Wireless Network Security: 802.11, Bluetooth, and 
        Handheld Devices;

         Security Guide for Interconnecting Information 
        Technology Systems;

         Security for Telecommuting and Broadband 
        Communications;

         Guidelines on Electronic Mail Security;

         Guidelines on Securing Public Web Servers;

         Systems Administration Guidance for Windows 2000 
        Professional;

         Guidelines on Firewalls and Firewall Policy;

         Procedures for Handling Security Patches;

         Contingency Planning Guide for Information Technology 
        Systems; and

         Risk Management Guide for Information Technology 
        Systems.

    See http://csrc.nist.gov/publications/nistpubs/index.html

    NIST has also published the following draft guidelines for review 
by federal departments and agencies as well as other interested 
organizations and individuals concerning:

         Guidelines for the Security Certification and 
        Accreditation of Federal Information Technology Systems;

         Building an Information Technology Security Awareness 
        and Training Program;

         Recommendation on Key Establishment Schemes;

         Recommendation on Key Management;

         Security Metrics Guide for Information Technology 
        Systems;

         Recommendation for Block Cipher Modes of Operation: 
        the RMAC Authentication Mode;

         Guide to Selecting IT Security Products;

         Guide to IT Security Services;

         Security Considerations in Federal Information 
        Technology Procurements; and

         Guideline on Network Security Testing.

    See http://csrc.nist.gov/publications/drafts.html

    In addition, numerous NIST Information Technology Laboratory (ITL) 
Bulletins have been issued during the last year to provide guidance to 
agencies and others on a broad list of topics.

    See http://www.itl.nist.gov/lab/bulletns/cslbull1.htm

    NIST has also completed the Keyed-Hash Message Authentication Code 
as Federal Information Processing Standard (FIPS) 198 and provided 
three new secure hashing codes in the enhanced FIPS 180-2. These new 
enhanced secure hashing codes are used to help users create more secure 
digital signatures. While on the subject of cryptography, late in 2001, 
Secretary Evans approved the Advanced Encryption Standard (or AES) as a 
federal security standard and it is being actively adopted by voluntary 
standards bodies and implemented by vendors. In fact, over 70 
commercial implementations of the AES have already been validated 
though NIST's Cryptographic Module Validation Program. See http://
csrc.nist.gov/publications/fips/index.html and http://csrc.nist.gov/
cryptval/aes/aesval.html

12. Reducing Vulnerabilities Through Security Testing

    Both research and security testing can help reduce vulnerabilities 
in the commercial IT products used to support the Nation's critical 
infrastructures.
    Research on identifying and correcting information technology 
vulnerabilities is urgently needed. When new technologies are 
identified that could potentially influence customers' security 
practices, NIST researches the technologies, their potential 
vulnerabilities and also work to find ways to apply new technologies in 
a secure manner. The solutions that NIST develops are made available to 
both public and private users. Some examples are methods for 
authorization management and policy management, ways to compensate for 
deficiencies in current wireless security standards, and ways to 
implement cryptography. Research helps us find more cost-effective ways 
to implement and address security requirements.
    Security testing complements security standards by providing 
consumers with confidence that security standards and specifications 
are correctly implemented in the products that they buy. Implementing 
cryptography correctly and securely can be complicated. However, unless 
it is correctly implemented, it may provide no protection. Therefore, 
in conjunction with the Government of Canada's Communication Security 
Establishment, NIST operates the Cryptographic Module Validation 
Program, which helps ensure correct and secure implementation of NIST's 
cryptographic standards. The Cryptographic Module Validation Program 
has now validated over 500 modules with another 100 or more expected 
within the next year. This successful program utilizes private-sector 
accredited laboratories to conduct security conformance testing of 
cryptographic modules against the cryptographic federal standards NIST 
develops and maintains. The testing by the laboratories and NIST's work 
with Canada involves access to unclassified public algorithms and test 
suites, and not to any Federal Government operational cryptographic 
keys or classified information. Besides many organizations in the 
financial sector, two major U.S. corporations, Boeing and VISA, see 
such value to the benefits of the testing program that they now require 
CMVP-validated cryptographic modules to protect their sensitive 
information. The Government of the United Kingdom has also officially 
recognized CMVP-validated modules for use in their agencies.
    To give a sense of the quality improvement that the program 
achieves, consider that statistics from NIST's testing laboratories 
show that 48 percent of the modules brought in for voluntary testing 
had security flaws that were corrected during testing. In other words, 
without NIST's program, the Federal Government would have had only a 
50/50 chance of buying correctly implemented cryptography!
    In addition, in recent years NIST has worked to develop the 
``Common Criteria'' (ISO/IEC 15408), which can be used to specify 
security requirements. These requirements are then used by private-
sector laboratories, accredited by NIST, for the voluntary evaluation 
of commercial products needed for the protection of government systems 
and networks. This work is undertaken in cooperation with the Defense 
Department's National Security Agency in our National Information 
Assurance Partnership (NIAP). You may be aware that the National 
Strategy to Secure Cyberspace calls for a review of the NIAP. Staff 
discussions have begun with NSA to identify ways that might improve the 
process, through research, process changes, and to understand the 
resources needed for NIAP to fully succeed.

13. Security Awareness and Outreach

    Timely, relevant, and easily accessible information to raise 
awareness about the risks, vulnerabilities and requirements for 
protection of information systems is urgently needed. This is 
particularly true for new and rapidly emerging technologies, which are 
being delivered with such alacrity by industry. NIST also hosts and 
sponsors information sharing among security educators, the Federal 
Computer Security Program Managers' Forum, and industry. NIST actively 
supports information sharing through conferences, workshops, web pages, 
publications, and bulletins. Finally, NIST also has a guideline 
available to assist agencies with their training activities and is an 
active supporter of the Federal Information Systems Security Educators' 
Association.
    NIST sponsors the web-based Computer Security Resource Center 
(CSRC) to provide a wide-range of security materials and information to 
the community and link to the Federal Computer Incident Response Center 
at DHS and other emergency response centers. CSRC now has over 20 
million ``hits'' annually. On CSRC, one of the most popular resources 
is the NIST-developed web-based tool known as ICAT that allows users to 
identify (and then fix) known vulnerabilities for their specific 
software. ICAT provides links to vendor sites at which the users can 
obtain patches to fix these vulnerabilities. This is important because 
many computer break-ins exploit well known vulnerabilities. Over 5500 
vulnerabilities are now catalogued in this NIST on-line database that 
receives over 200,000 hits per month. See http://icat.nist.gov/icat.cfm

14. Security Assessment Guideline and Automated Security Self-
                    Evaluation Tool (ASSET)

    The Chief Information Officers Council and NIST developed a 
security assessment Framework to assist agencies with a very high level 
review of their security status. The Framework established the 
groundwork for standardizing on five levels of security and defined 
criteria agencies could use to determine if the levels were adequately 
implemented. By using the Framework levels, an agency can prioritize 
agency efforts as well as evaluate progress. Subsequently, NIST issued 
a more detailed security questionnaire that most agencies used in 2001 
to conduct their program and system reviews. Last year, in cooperation 
with OMB, a PC-based automated version of the security questionnaire 
was developed and made available for use by agencies in 2002 to collect 
this information for annual agency security reporting to OMB.

15. Federal Agency Security Practices Website

    NIST recently inaugurated the Federal Agency Security Practices 
(FASP) website (http://csrc.nist.gov/fasp/), building upon past 
successful work of the Federal CIO Council's Best Security Practices 
pilot effort to identify, evaluate, and disseminate best practices for 
CIP and security. NIST was asked to undertake the transition of this 
pilot effort to an operational program. As a result, NIST developed the 
FASP site, which contains agency policies, procedures and practices; 
the CIO pilot best practices; and, a Frequently-Asked-Questions 
section. Agencies are encouraged to share their IT security information 
and IT security practices and submit them for posting on the FASP site. 
Over 80 practices are now available via the site. Some practices have 
been modified so as not to identify the specific submitting agencies.
    In accordance with tasking to NIST under FISMA, discussions are now 
underway to develop a similar web-based service to share security 
practices from private-sector organizations.

16. IT Product Security Configuration Checklists

    The CSRDA tasked NIST with developing IT product security 
checklists that provide settings and option selections that minimize 
the security risks associated with each computer hardware or software 
system that is, or is likely to become, widely used within the Federal 
Government. In response, there are plans to hold a public workshop to 
focus on developing a standardized checklist template to structure 
configuration and related information. Vendors, agencies, and other 
reputable sources can use the template to construct and submit 
checklists that will populate a NIST public web-based repository. It 
should be noted that because of vendors' unique expertise, experience, 
and understanding of the security of their products, voluntary 
participation by vendors in this effort will be particularly sought and 
valued. The workshop will also serve to publicize NIST's plans to 
obtain checklists and make them available via the CSRC website. NIST 
will also be crafting ground rules for the selection and rejection of 
submitted checklists. Discussions have already taken place with 
representatives of DISA, NSA, NASA, and GAO regarding initial plans and 
to gain their valuable feedback. NIST hopes to hold the next checklists 
public workshop later this summer and unveil this new service by the 
end of the year.

































