b"<html>\n<title> - CYBER SECURITY RESEARCH AND DEVELOPMENT</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n                             CYBER SECURITY\n                        RESEARCH AND DEVELOPMENT\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                          COMMITTEE ON SCIENCE\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 14, 2003\n\n                               __________\n\n                           Serial No. 108-17\n\n                               __________\n\n            Printed for the use of the Committee on Science\n\n\n     Available via the World Wide Web: http://www.house.gov/science\n\n\n\n86-992              U.S. GOVERNMENT PRINTING OFFICE\n                            WASHINGTON : 2003\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n                                 ______\n\n                          COMMITTEE ON SCIENCE\n\n             HON. SHERWOOD L. BOEHLERT, New York, Chairman\nLAMAR S. SMITH, Texas                RALPH M. HALL, Texas\nCURT WELDON, Pennsylvania            BART GORDON, Tennessee\nDANA ROHRABACHER, California         JERRY F. COSTELLO, Illinois\nJOE BARTON, Texas                    EDDIE BERNICE JOHNSON, Texas\nKEN CALVERT, California              LYNN C. WOOLSEY, California\nNICK SMITH, Michigan                 NICK LAMPSON, Texas\nROSCOE G. 
BARTLETT, Maryland         JOHN B. LARSON, Connecticut\nVERNON J. EHLERS, Michigan           MARK UDALL, Colorado\nGIL GUTKNECHT, Minnesota             DAVID WU, Oregon\nGEORGE R. NETHERCUTT, JR.,           MICHAEL M. HONDA, California\n    Washington                       CHRIS BELL, Texas\nFRANK D. LUCAS, Oklahoma             BRAD MILLER, North Carolina\nJUDY BIGGERT, Illinois               LINCOLN DAVIS, Tennessee\nWAYNE T. GILCHREST, Maryland         SHEILA JACKSON LEE, Texas\nW. TODD AKIN, Missouri               ZOE LOFGREN, California\nTIMOTHY V. JOHNSON, Illinois         BRAD SHERMAN, California\nMELISSA A. HART, Pennsylvania        BRIAN BAIRD, Washington\nJOHN SULLIVAN, Oklahoma              DENNIS MOORE, Kansas\nJ. RANDY FORBES, Virginia            ANTHONY D. WEINER, New York\nPHIL GINGREY, Georgia                JIM MATHESON, Utah\nROB BISHOP, Utah                     DENNIS A. CARDOZA, California\nMICHAEL C. BURGESS, Texas            VACANCY\nJO BONNER, Alabama\nTOM FEENEY, Florida\nVACANCY\n                            C O N T E N T S\n\n                              May 14, 2003\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative Sherwood L. Boehlert, Chairman, \n  Committee on Science, U.S. House of Representatives............     9\n    Written Statement............................................     9\n\nStatement by Representative Ralph M. Hall, Minority Ranking \n  Member, Committee on Science, U.S. House of Representatives....    10\n    Written Statement............................................    10\n\nPrepared Statement by Representative Nick Smith, Chairman, \n  Subcommittee on Research, Committee on Science, U.S. House of \n  Representatives................................................    
11\n\nPrepared Statement by Representative Jerry F. Costello, Member, \n  Committee on Science, U.S. House of Representatives............    12\n\nPrepared Statement by Representative Eddie Bernice Johnson, \n  Member, Committee on Science, U.S. House of Representatives....    12\n\nPrepared Statement by Representative Sheila Jackson Lee, Member, \n  Committee on Science, U.S. House of Representatives............    13\n\n                               Witnesses:\n\nDr. Charles E. McQueary, Under Secretary for Science and \n  Technology, Department of Homeland Security\n    Oral Statement...............................................    15\n    Written Statement............................................    18\n    Biography....................................................    21\n\nDr. Rita R. Colwell, Director, National Science Foundation\n    Oral Statement...............................................    21\n    Written Statement............................................    23\n    Biography....................................................    27\n\nDr. Arden L. Bement, Jr., Director, National Institute of \n  Standards and Technology, Technology Administration, U.S. \n  Department of Commerce\n    Oral Statement...............................................    27\n    Written Statement............................................    29\n    Biography....................................................    34\n\nDr. Anthony J. Tether, Director, Defense Advanced Research \n  Projects Agency\n    Oral Statement...............................................    35\n    Written Statement............................................    38\n    Biography....................................................    41\n\nDiscussion.......................................................    42\n\n             Appendix 1: Answers to Post-Hearing Questions\n\nDr. Charles E. 
McQueary, Under Secretary for Science and \n  Technology, Department of Homeland Security....................    72\n\nDr. Rita R. Colwell, Director, National Science Foundation.......    76\n\nDr. Arden L. Bement, Jr., Director, National Institute of \n  Standards and Technology, Technology Administration, U.S. \n  Department of Commerce.........................................    81\n\n             Appendix 2: Additional Material for the Record\n\nLetter from the Information Security and Privacy Advisory Board \n  to The Honorable Mitchell E. Daniels, Jr., Director, Office of \n  Management and Budget, dated April 8, 2003.....................    86\n\nCurrent Activities of the National Institute of Standards and \n  Technology in Cyber Security and Related Programs..............    89\n\nPublic Law 107-305--Nov. 27, 2002................................    97\n\n \n                CYBER SECURITY RESEARCH AND DEVELOPMENT\n\n                              ----------                              \n\n\n                        WEDNESDAY, MAY 14, 2003\n\n                  House of Representatives,\n                                      Committee on Science,\n                                                    Washington, DC.\n\n    The Committee met, pursuant to call, at 10 a.m., in Room \n2318 of the Rayburn House Office Building, Hon. Sherwood L. \nBoehlert (Chairman of the Committee) presiding.\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                            HEARING CHARTER\n\n                          COMMITTEE ON SCIENCE\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                             Cyber Security\n\n                        Research and Development\n\n                        WEDNESDAY, MAY 14, 2003\n                         10:00 A.M.-12:00 P.M.\n                   2318 RAYBURN HOUSE OFFICE BUILDING\n\n1. 
Purpose\n\n    On Wednesday, May 14, 2003, the House Science Committee will hold a \nhearing to examine federal cyber security research and development \n(R&D) activities and implementation of last year's Cyber Security \nResearch and Development Act (P.L. 107-305).\n\n2. Witnesses\n\nDr. Charles E. McQueary is the Under Secretary for Science and \nTechnology at the Department of Homeland Security. Prior to joining the \nDepartment, Dr. McQueary served as President of General Dynamics \nAdvanced Technology Systems, as President and Vice President of \nbusiness units for AT&T and Lucent Technologies, and as a Director for \nAT&T Bell Laboratories.\n\nDr. Rita R. Colwell is the Director of the National Science Foundation \n(NSF). Before joining the Foundation, Dr. Colwell served as President \nof the University of Maryland Biotechnology Institute and Professor of \nMicrobiology at the University of Maryland. She was also a member of the \nNational Science Board from 1984 to 1990.\n\nDr. Arden L. Bement, Jr. is the Director of the National Institute of \nStandards and Technology (NIST). Prior to his appointment as NIST \ndirector, Dr. Bement was professor and head of the School of Nuclear \nEngineering at Purdue University. Before Purdue, he served in a variety \nof positions, including Vice President of Technical Resources and of \nScience and Technology for TRW Inc. and Deputy Under Secretary of \nDefense for Research and Engineering. Dr. Bement has also served as a \nmember of the National Science Board and as chair of the NIST Visiting \nCommittee on Advanced Technology.\n\nDr. Anthony J. Tether is the Director of the Defense Advanced Research \nProjects Agency (DARPA). Until his appointment as Director of DARPA, \nDr. Tether held the position of Chief Executive Officer and President \nof The Sequoia Group. He has also been Chief Executive Officer for \nDynamics Technology Inc. 
and Vice President of Science Applications \nInternational Corporation's (SAIC) Advanced Technology Sector. Dr. \nTether has served on Army and Defense Science Boards.\n\n3. Overarching Questions\n\n    The hearing will address the following overarching questions:\n\n        1. What is the current status of federally-supported cyber \n        security research and development programs in the United \n        States? What level and types of effort are needed to meet \n        existing and emerging cyber terrorism threats?\n\n        2. How are cyber security research and development activities \n        coordinated among federal agencies? How are gaps in the \n        research portfolio identified and filled? How will the new \n        Department of Homeland Security affect the coordination \n        process? How will it change the overall portfolio of programs?\n\n        3. What efforts are being made to develop a strong cyber \n        security workforce and to establish and expand university \n        educational and research programs relevant to cyber security?\n\n        4. How do the federal agencies work with industry on cyber \n        security research and development efforts?\n\n4. Brief Overview\n\n        <bullet> Information technology systems underpin key \n        industries such as telecommunications and financial services, \n        and also play a vital role in the smooth functioning of \n        critical infrastructures and services, such as transportation \n        systems, the electric power grid, and emergency response \n        capabilities. As the number of ways in which our economy \n        depends on network and computer systems has grown, so has the \n        number of attacks on these information technology systems. 
For \n        example, the number of incidents reported to the computer \n        security incident response center at Carnegie Mellon University \n        increased 275% from 2000 to 2002, and over 42,000 incidents \n        have already been reported in 2003.\n\n        <bullet> Active research and development programs to produce \n        new cyber security tools and techniques are necessary to enable \n        us to maintain the performance of important networks and \n        systems and improve our ability to defend against cyber and \n        physical terrorism. Currently, cyber security research and \n        development is supported and performed at a variety of federal \n        agencies, including the National Science Foundation (NSF), the \n        National Institute of Standards and Technology (NIST), and the \n        Defense Advanced Research Projects Agency (DARPA). Within the \n        new Department of Homeland Security, the Science and Technology \n        Directorate will have responsibility for managing research and \n        development programs relevant to cyber security.\n\n        <bullet> In November of 2002, the President signed the Cyber \n        Security Research and Development Act (P.L. 107-305), which \n        authorized appropriations for the National Science Foundation \n        and the National Institute of Standards and Technology to \n        strengthen their programs in computer and network security \n        (CNS) research and development and to support CNS research \n        fellowships and training programs. However, FY 2003 \n        appropriations and FY 2004 proposed funding are significantly \n        below the authorized levels.\n\n        <bullet> New hardware and software technologies are rapidly \n        adopted in many industries and new ways of interfering with \n        computer systems develop just as fast. 
Multiple federal \n        agencies will need to coordinate their efforts to ensure that \n        new understanding of information and network security is \n        generated and that this knowledge is transitioned into useful \n        cyber security products. Institutions of higher education will \n        have to develop and expand degree programs to ensure that an \n        adequate workforce exists to put the new tools and techniques \n        into practice. The private sector has a critical role to play, \n        as it will contain the developers and suppliers as well as the \n        major purchasers of new cyber security technologies and \n        services.\n\n5. Background\n\nCyber Threats to Critical Infrastructures\n    Information technology systems underpin key industries such as \ntelecommunications and financial services, and also play a vital role \nin the smooth functioning of critical infrastructures and services, \nsuch as transportation systems, the electric power grid, and emergency \nresponse capabilities. Remote operation of chemical plant functions and \nmanagement of the aircraft control system also depend on software and \ncomputer networks. Thus vulnerabilities in various components of \nnetworks and computers could be exploited to disrupt and damage these \ncritical systems. For example, distributed denial of service attacks \ncould slow Internet traffic and bring down important web sites. Cyber \nattacks on supervisory control and data acquisition (SCADA) systems \ncould shut down power plants or disrupt processes at chemical \nmanufacturing facilities. Interference with emergency responder \ncommunications technology could amplify the effects of a physical \nterrorist attack.\n    The vulnerability of the Nation's information technology \ninfrastructure has been demonstrated many times in the past several \nyears. 
``Hackers'' are arrested for breaking into computer systems to \nsteal and corrupt data, or just to disrupt government or industry \nservices. Major ``infections'' of computer viruses and worms\\1\\ make \nthe news, and smaller ``outbreaks'' occur daily.\\2\\ While the impact on \nphysical systems has been minimal to date, the economic impact of \nsuccessful attacks can be significant. For example, in 2001, the Code \nRed and Nimda worms spread through e-mail, corporate networks, and Web \nbrowsers. Together, they are estimated to have produced $3 billion in \ncosts worldwide due to lost productivity and expenses related to \ntesting, cleaning, and deploying patches to computer systems. In \nJanuary of 2003, the Slammer (or Sapphire) Worm took advantage of \nvulnerabilities in server software to generate a damaging level of \nnetwork traffic, so Internet users experienced difficulty accessing web \nsites and sending e-mail. In addition, Bank of America automated teller \nmachines were taken off line, Continental Airlines reservation computer \nsystems experienced widespread problems, and an emergency call center \nin Seattle was essentially blacked out. Thus developing new defenses is \ncritical to ensure that small weaknesses are not exploited to produce \nmajor economic consequences.\n---------------------------------------------------------------------------\n    \\1\\ A computer virus is a program or piece of code that is loaded \nonto your computer without your knowledge and runs against your wishes. \nViruses can also replicate themselves. They are often capable of \nattaching themselves to other files or e-mail and transmitting \nthemselves across networks and bypassing security systems. Some of the \ndestructive things that viruses can do include deleting or corrupting \nfiles and using all the available memory on a system (thereby bringing \nthe system to a halt). 
A worm is a special type of virus that can \nreplicate itself and use memory, but cannot attach itself to other \nprograms.\n    \\2\\ In 2002, 82,094 incidents were reported to the CERT \nCoordination Center at Carnegie Mellon University, up 275% from 2000. \nAlso in 2002, the center published 41 security alerts and handled over \n200,000 mail messages and over 800 hotline calls.\n---------------------------------------------------------------------------\n    The above examples show how a terrorist could target computer \nsystems or networks and create a great deal of disruption and damage. \nHowever, terrorists could also use information technology systems to \namplify the effects of a physical attack on people or property. For \nexample, a terrorist planning to release a chemical or biological agent \ncould first send an e-mail that appears to be from a trustworthy source \n(a police department or a news agency) to order or urge evacuation of \nbuildings in order to increase the number of people out in the streets \nwhen he spreads his toxin. Cyber attacks could also be used to \ninterfere with first responder communication and coordination systems, \nhindering the ability to respond to a crisis. Thus protection of \ninformation systems is a critical part of homeland defense.\n    The National Strategy to Secure Cyberspace was released by the \nAdministration in February 2003. It includes a number of \nrecommendations to improve the Nation's cyber security now, both in \nfederal systems and in privately-owned infrastructures. Currently the \nFederal Government's efforts to deploy cyber security tools and \ntechniques (the ``operational'' cyber security programs) are scattered \nover many agencies. The National Institute of Standards and Technology \nprovides guidance and tools to federal agencies and to private industry \nthat enable them to evaluate their cyber security needs and the \nperformance of their security systems. 
The National Security Agency has \nsignificant programs in encryption. The Department of Homeland Security \nwill have significant responsibilities in this area, both in new \nprograms in its Information Analysis and Infrastructure Protection \ndirectorate, and in programs that are being transferred in, like the \nFederal Computer Incident Response Center (FedCIRC), which provides \ncivilian agencies and departments with offerings in computer security \nincident prevention, reporting, analysis, and recovery. There are also \nprivate organizations, such as the federally-funded CERT Coordination \nCenter at Carnegie Mellon University,\\3\\ whose activities include \nproviding technical advice about and coordinating responses to security \nincidents, publishing security alerts, and tracking information about \nvulnerabilities and intruder activities.\n---------------------------------------------------------------------------\n    \\3\\ While ``CERT'' originally stood for ``Computer Emergency \nResponse Team,'' today the center's name is officially just ``CERT.''\n---------------------------------------------------------------------------\nThe Need for Cyber Security Research and Development Programs\n    In addition to discussing ways to reduce cyber infrastructure \nvulnerabilities now, The National Strategy to Secure Cyberspace also \nemphasizes the importance of developing and carrying out a cyber \nsecurity research and development agenda for the Federal Government.\n    Cyber security research and development programs focus on ways to \nprevent attacks, to detect them as they are occurring, to respond to \nthem effectively, to mitigate the severity of their effects, to recover \nas quickly as possible from them, and to find the people responsible. 
\nIn addition to enabling us to avoid damage from cyber terrorism, a \ngreater understanding of the weaknesses in computer systems and \nnetworks and how to protect them will allow computer operators to \ndeflect the actions of cyber criminals--out to steal credit card \nnumbers and personal information--and hackers--out to disrupt and \ndestroy for the fun of it.\n    In March 2003, the National Academy of Sciences released Information \nTechnology for Counterterrorism: Immediate Actions and Future \nPossibilities. This report outlines an extensive research agenda for \ninformation technology research in many areas. In the information and \nnetwork security field, the areas of emphasis are: authentication \n(determining that a system's users are those with permission to use \nit), detection (being aware that an attack, or attempted attack, is \noccurring), containment (mitigating the effects of an attack), and \nrecovery (getting the system back up and functioning after an attack). \nThe report also lists a number of research areas in which advances will \nimpact all facets of the effort to improve cyber security. These areas \ninclude reducing the ``bugginess'' of software, managing the trade-offs \nbetween security and functionality more successfully, and gathering \ninformation on new and emerging techniques for cyber attacks.\nExisting Federal Cyber Security Research and Development Programs\n    The National Science Foundation (NSF) and the National Institute of \nStandards and Technology (NIST) currently have active cyber security-\nrelated programs. To support and expand these programs, the Cyber \nSecurity Research and Development Act was signed in November 2002. 
\nUnder this Act, NSF was authorized to expand its computer and network \nsecurity grants programs and establish new research centers in this \narea and to provide grants to institutes of higher education and \nprovide fellowships to students to increase the number of people \nreceiving degrees in this area. NIST was authorized to create new \nprogram grants for partnerships between academia and industry, new \npost-doctoral fellowships, and a new program to encourage senior \nresearchers in other fields to work on computer security. The Act \nauthorizes $903 million over five years for these new programs, to \nensure that the U.S. is better prepared to prevent and combat terrorist \nattacks on private and government computers. Specifically, for FY 2004, \n$110.25 million was authorized for NSF, and $47.29 million for NIST, to \nenable them to carry out the above programs. However, actual \nappropriations in FY 2003 and the presidential proposals for FY 2004 \nboth fall far short of the authorized numbers.\\4\\ As a result, NIST \nwill be entirely unable to establish the grants program for academic-\nindustrial research partnerships, and NSF's grants programs will be \nsignificantly smaller than those envisioned in the Act.\n---------------------------------------------------------------------------\n    \\4\\ For example, NSF cyber security research programs received $28 \nmillion in FY 2003 (as compared to $47 million authorized in this \narea), and the FY 2004 proposal is for $35 million (authorization was \n$64 million).\n---------------------------------------------------------------------------\n    The Department of Homeland Security is currently setting up its \norganizational structure and defining its programmatic priorities for \nFY 2003 and FY 2004. 
In the department, responsibility for managing \nresearch and development efforts relevant to cyber security rests in \nthe Science and Technology directorate, while operational \nresponsibilities for implementing cyber security fall in the \nInformation Analysis and Infrastructure Protection directorate. Public \nstatements have been made indicating that there will be no ``box'' in \nthe organization with specific responsibility for cyber security in \neither the operational or research arenas. Operationally, programs to \nsecure the cyber infrastructure will be an element of the broader \ncritical infrastructure protection efforts. In the Science and \nTechnology directorate, cyber security research and development \nprograms will be part of the Threat and Vulnerability, Testing and \nAssessment program, and will focus on meeting critical needs of other \nDHS units, such as the Information Analysis and Infrastructure \nProtection directorate and the U.S. Secret Service. Less than 1 percent \nof the Science and Technology directorate's $803 million budget will be \ndirected toward cyber security research and development. The absence of \na clear advocate for cyber security at the Department is of particular \nconcern in light of the Administration's decision in February 2003 to \neliminate the President's Critical Infrastructure Protection Board. The \nBoard, which was established after the attacks of September 11, 2001, \nauthored The National Strategy to Secure Cyberspace and the Board's \ndirector, Richard Clarke, did much to raise the level of awareness \nabout the vulnerabilities of the Nation's cyber infrastructure and the \nneed for improved cyber security.\n    The Defense Advanced Research Projects Agency (DARPA) has played a \ncritical role in information technology research, including cyber \nsecurity programs. 
The first firewall,\\5\\ significant advances in \nintrusion detection systems, and important Internet security protocols \nwere all developed through DARPA programs. In the late 1990's, the \nagency made a large investment in ``defensive'' information warfare, \nwhich included unclassified research on computer systems' security and \nsurvivability. However, DARPA does not have a history of sustained, \nstable support of cyber security research and development programs, \nand, since 2000, the size of this program has declined (from \napproximately $90 million in 2000 to $30 million in 2003). Part of this \ndecline is due to the fact that DARPA's focus has shifted to classified \nresearch on ``offensive'' information warfare. Classified research on \ninformation security is also done by the National Security Agency \n(NSA). NSA's funding for information assurance work is estimated to be \nroughly $750 million, with roughly half spent on research, development, \ntesting, and evaluation; a significant part of this effort focuses on \ncryptography. While defense-related work on cyber security is \nnecessary, it is important to recognize that the impact such classified \nwork has on the overall national cyber security is often limited \nbecause the research is mainly performed at government facilities and \ncontractors, and the results are seldom shared publicly or transferred \nto the commercial sector.\n---------------------------------------------------------------------------\n    \\5\\ A firewall is a system designed to prevent unauthorized access \nto or from a private network. Firewalls are frequently used to prevent \nunauthorized people from accessing private networks (like those used at \ncompanies, universities, and government agencies) over the Internet. 
\nAll messages (like e-mail) entering or leaving the private network pass \nthrough the firewall, which examines each message and blocks those that \ndo not meet the specified security criteria.\n---------------------------------------------------------------------------\n    Overall, it is currently very difficult to determine the total \nspending on cyber security research and development programs across the \nFederal Government. Information is currently collected and reported on \na variety of relevant areas (such as networking and information \ntechnology research and development), but the programs specifically \ndevoted to cyber security research and development have not been pulled \nout. OSTP has indicated that agencies will be asked to quantify cyber \nsecurity research and development funding within their FY 2005 request.\n    Another factor to be considered in assessing the quality of cyber \nsecurity operations and cyber security research in the United States is \nthe critical role of the private sector in both areas. As new results \nemerge from cyber security research and development activities, \ninformation technology companies will have to turn new knowledge into \nnew technologies and services, and industries from banking to electric \npower will have to choose to take advantage of these new capabilities. \nTherefore, federal cyber security research and development programs \nwill have to consider ways to encourage technology transfer and \nfacilitate technology uptake.\n\nWorkforce Issues\n    Research and development goals and useful new cyber security tools \nare of no use if there are not people to carry out the research \nprograms and put the new techniques into practice.\\6\\ The Cyber \nSecurity Research and Development Act, The National Strategy to Secure \nCyberspace, and the National Academy of Sciences' report all emphasize \nthe importance of expanding the relevant workforce. 
Recommended actions \nrange from developing undergraduate and masters programs to train \noperational cyber security personnel to fellowships for post-doctoral \nand senior scientists and engineers to increase participation in \ninformation security research programs. Current programs in this area \nare quite small. The National Science Foundation has a Cyber Security \nScholarship for Service program ($16 million requested for FY 2004). \nThis program provides scholarships to students in the fields of \ninformation assurance and computer security in return for a commitment \nfollowing graduation to work for a federal agency. The Department of \nDefense started a program\\7\\ in 2000 to provide re-training fellowships \nfor researchers and recent Ph.D.s looking to transfer into the cyber \nsecurity field, but this program is ending in 2003. The Cyber Security \nResearch and Development Act authorizes NIST to establish a senior \nresearch fellowship program that will be open to established \nresearchers who seek to change fields into cyber security research, but \nno funds were requested for that program in FY 2004.\n---------------------------------------------------------------------------\n    \\6\\ According to NSF, only approximately seven Ph.D.s in cyber \nsecurity are awarded each year.\n    \\7\\ The Critical Infrastructure Protection and Information \nAssurance Fellows (CIPIAF) Program provided funds to cyber security \nprincipal investigators to pay post-doctoral fellows coming from non-\ncyber security backgrounds.\n---------------------------------------------------------------------------\n\n6. Current Issues\n\n    The most pressing issue in cyber security research and development \nis the underfunding of relevant programs. The NSF and NIST programs are \nwell under the authorized levels. DARPA is ramping down relevant \nunclassified programs. The proposed effort in DHS is small. 
Yet the \ncyber infrastructure of the United States penetrates all critical \ninfrastructures and forms a fundamental base of the Nation's physical \nsecurity and economic and social stability. Significant investment in \nresearch and development in computer and network security will be \nneeded to maintain homeland security. Delaying this investment will not \nonly increase current and future vulnerabilities, but will also raise \nfuture cyber security expenses, from the costs associated with damage \ndone by cyber attacks to the expenses of retrofitting security systems \nonto existing hardware and software.\n    Each federal agency has its own mission and thus each has its own \nspecial role to play in cyber security research and development. Multi-\nagency collaboration and a coherent cross-agency strategy are needed to \nmaximize the impact of federal investment and to ensure that gaps do \nnot develop in the effort to develop the tools needed to build a multi-\nlayer defense of the cyber infrastructure. In addition, since many \ninformation technology products and their implementations in critical \ninfrastructures are developed and owned by the private sector, close \ncommunication with industry will be required. Finally, growth is needed \nin educational programs to expand research and development programs and \nto train the workforce required to implement security techniques in \ncritical computer and network systems.\n\n7. Witness Questions\n\n    The witnesses were asked to address the following questions in \ntheir testimony:\n\nQuestions for Dr. Charles McQueary\n\n        <bullet> How will the cyber security research and development \n        agenda at the Department of Homeland Security be defined? Will \n        the department's science and technology directorate develop in-\n        house cyber security expertise and programs? 
How will it \n        coordinate with the department's operational cyber security \n        programs?\n\n        <bullet> What mechanisms will the Department of Homeland \n        Security use to coordinate its cyber security research and \n        development activities with other federal agencies, such as \n        NSF, NIST, and DARPA, with active programs in this area?\n\n        <bullet> How will the department interact with cyber security \n        research and development efforts underway in industry? How will \n        it interact with university-based cyber security programs?\n\nQuestions for Dr. Rita Colwell\n\n        <bullet> What actions has the National Science Foundation \n        (NSF) taken in response to the Cyber Security Research and \n        Development Act? In particular, how is NSF fulfilling its role \n        as the lead agency for cyber security research and development \n        as specified in Section 7 of the Act?\n\n        <bullet> What are NSF's priorities in cyber security research \n        and development? How are these priorities determined?\n\n        <bullet> How does NSF coordinate its cyber security research \n        and development activities with other federal agencies?\n\n        <bullet> To what extent is NSF identifying and working to fill \n        gaps in the federal cyber security research and development \n        portfolio?\n\nQuestions for Dr. Arden Bement\n\n        <bullet> What actions has NIST taken in response to the Cyber \n        Security Research and Development Act?\n\n        <bullet> How does NIST coordinate its cyber security research \n        and development activities with other federal agencies? How \n        does NIST interact with industry on cyber security research and \n        development activities?\n\n        <bullet> What are NIST's priorities in cyber security research \n        and development? How are these priorities determined?\n\nQuestions for Dr. 
Anthony Tether\n\n        <bullet> How have DARPA's information assurance research and \n        development programs evolved over the past few years? Is there \n        an increased emphasis on military or offensive applications? \n        How is the balance between classified and unclassified efforts \n        changing?\n\n        <bullet> How does DARPA coordinate its cyber security research \n        and development activities with other federal agencies?\n\n        <bullet> How is information about results or technologies that \n        are applicable to the protection of commercial networks and \n        privately-owned infrastructures provided to relevant research \n        and development communities in industry and academia?\n\n        <bullet> What are DARPA's priorities in cyber security \n        research and development? How are these priorities determined?\n\nAppendix I\n\n    Links to referenced documents on cyber security research and \ndevelopment:\n\nPublic Law 107-305: The Cyber Security Research and Development Act \n(November 2002):\n    http://frwebgate.access.gpo.gov/cgi-bin/\ngetdoc.cgi?dbname=107_cong_public_laws&\ndocid=f:publ305.107.pdf\n\nThe National Strategy to Secure Cyberspace (February 2003)\n    http://www.whitehouse.gov/pcipb/\n\nInformation Technology for Counterterrorism: Immediate Actions and \nFuture Possibilities, National Academy of Sciences (March 2003):\n    http://bob.nap.edu/html/IT_counterterror/\n\n    Chairman Boehlert. The hearing will come to order. It is a \npleasure to welcome everyone here this morning for a hearing on \na subject that has consumed the Committee over the past couple \nof years: cyber security research and development. We have been \nfocused on this topic for good reason. 
The Nation, quite \nsimply, has been under-investigating--investing woefully in \ncyber security R&D and as a result, we lack both the experts \nand the expertise we ought to have in a world that relies so \nheavily on computers and networks for the necessities of \neveryday life.\n    Last year, led by this committee, Congress passed, and the \nPresident signed into law, two landmark bills to try to remedy \nthis problem: the Cyber Security Research and Development Act \nand the Homeland Security Act. Both established new programs \nand authorized new funds for cyber security R&D.\n    Today is our first chance to see what has happened as a \nresult. At first blush, the answer appears to be: not nearly \nenough. Agencies have neither sought nor set aside adequate \nfunding to implement the Cyber Security R&D Act. We hear \ncomplaints from throughout the research community that the \nDepartment of Homeland Security is not focusing sufficiently on \nthe problem and DARPA is actually reducing its investment in \nthis area.\n    I am sure our witnesses today will describe positive \nactions that have been taken, and there are some, but it is \nimpossible not to conclude that far more needs to be done. I \nassure you that this committee, we will continue pressing for \nmore action on cyber security R&D. This hearing is only the \nbeginning. We need to work together now to prevent devastating \nattacks in the future.\n    I look forward to hearing from all of our witnesses, and we \nare going to do just that. And we have a very distinguished \npanel, and I think all of my colleagues should be very \nimpressed with the panel.\n    With that, let me introduce the distinguished Ranking \nMember from Texas, not Oklahoma, Texas, Mr. Hall.\n    [The prepared statement of Mr. 
Boehlert follows:]\n\n            Prepared Statement of Chairman Sherwood Boehlert\n\n    It's a pleasure to welcome everyone here this morning for a hearing \non a subject that has consumed the Committee over the past couple of \nyears: cyber security R&D.\n    We've been focused on this topic for good reason. The Nation quite \nsimply has been under-investing woefully in cyber security R&D, and as \na result we lack both the experts and the expertise we ought to have in \na world that relies so heavily on computers and networks for the \nnecessities of everyday life.\n    Last year, led by this Committee, Congress passed, and the \nPresident signed into law, two landmark bills to try to remedy this \nproblem. The ``Cyber Security Research and Development Act'' and the \n``Homeland Security Act'' both established new programs and authorized \nnew funds for cyber security R&D. Today is our first chance to see \nwhat's happened as a result.\n    At first blush, the answer appears to be ``not nearly enough.'' \nAgencies have neither sought nor set aside adequate funding to \nimplement the Cyber Security R&D Act. We hear complaints from \nthroughout the research community that the Department of Homeland \nSecurity is not focusing sufficiently on the problem. And DARPA is \nactually reducing its investment in this area.\n    I'm sure our witnesses today will describe positive actions that \nhave been taken and there are some--but still one can only conclude \nthat far more needs to be done. I assure you that this committee will \ncontinue pressing for more action on cyber security R&D. This hearing \nis only the beginning.\n    We need to work together now to prevent devastating attacks in the \nfuture. I look forward to working with all our witnesses to do just \nthat.\n    Mr. Hall.\n\n    Mr. Hall. 
You know, all my exes are in Oklahoma this \nmorning.\n    I want to join Chairman Boehlert in welcoming everyone to \nthis morning's hearing, because first, you are selected on the \nbasis of your knowledge and your service. And I know it takes \ntime to get ready. It takes time to come here. It takes time to \ntestify. And we appreciate the gift that you give to this \ncommittee, and through us, to the rest of the Congress.\n    Not a day--as Chairman Boehlert has very aptly set out, not \na day goes by without some mention of information technology in \nthe news and as this information technology has become a part \nof almost every aspect of our economy and of our society. As \nthis has happened, we have become familiar with the negative \naspects of the information revolution: cyber crime. The threats \nwe fear range all the way from nuisance hackers, theft and \nfraud, to the breakdown of the information infrastructure and \neverything that depends on it.\n    With the events of the last few years, the security of the \ninformation infrastructure has received even more public \nattention. In February, the President released The National \nStrategy to Secure Cyberspace. The President's strategy \nemphasizes the need for more research efforts, and what I hope \nto learn today is the context for these research efforts and \nthe amount of coordination that occurs between agencies and \nwith the private sector.\n    In addressing any public policy question, the first thing \nto ask is: ``What problems need to be solved?'' As was pointed \nout in a recent article in Issues in Science and Technology, \n``Cyber Security: Who's Watching the Store?'', we still lack a \nsolid assessment of this threat. Despite the attention that \ncyber attacks receive in the media, there is little real data \nfor estimating the size of the cyber security threat. And \nalthough I like a good story as much as anyone, the plural of \nanecdote is not data. 
Without the research to define the \nproblem, I think it is difficult to determine the amount of \nmoney and the effort required to develop a solution to it.\n    So I hope today's witnesses can tell us what they are doing \nto define the scope and size of the problem with real data. We \ncan't afford to have agencies going off on their own to develop \na cyber security program and then hope the sum will be greater \nthan the parts. Because their information infrastructure is \nlargely in the hands of the private sector, any effective \nresearch agenda must be developed with input from the industry. \nA strategy that relies on simply training personnel and then \nhoping they find jobs is not sufficient. Research efforts need \nto be focused on the real problems, so I hope our witnesses \nwill tell us about the interactions with industry and \ndeveloping research agendas.\n    And I want to thank the witnesses for appearing before the \nCommittee, and I look forward to their input on this issue. And \nI yield back my time.\n    [The prepared statement of Mr. Hall follows:]\n\n           Prepared Statement of Representative Ralph M. Hall\n\n    I want to join Chairman Boehlert in welcoming everyone to this \nmorning's hearing.\n    Not a day goes by without some mention of information technology in \nthe news. As information technologies have become a part of every \naspect of our economy and society, we have become familiar with the \nnegative aspects of the information revolution--cyber crime. The \nthreats we fear range from nuisance hackers, theft and fraud, to the \nbreakdown of the information infrastructure and everything that depends \nupon it.\n    With events of the last few years, the security of the information \ninfrastructure has received even more public attention. In February, \nthe President released The National Strategy to Secure Cyberspace. The \nPresident's strategy emphasizes the need for more research efforts. 
\nWhat I hope to learn today, is the context for these research efforts \nand the amount of coordination that occurs between agencies and with \nthe private sector.\n    In addressing any public policy question, the first thing to ask is \n``What problem needs to be solved?'' As was pointed out in a recent \narticle in Issues in Science and Technology, ``Cyber Security: Who's \nwatching the Store?'', we still lack a solid assessment of the threat. \nDespite the attention that cyber attacks receive in the media there is \nlittle real data for estimating the size of the cyber security threat. \nAnd although I like a good story as much as anyone, the plural of \nanecdote is not data. Without the research to define the problem, I \nthink it's difficult to determine the amount of money and effort \nrequired to develop a solution. So I hope today's witnesses can tell us \nwhat they are doing to define the scope and size of the problem with \nreal data.\n    I don't believe we can simply spend our way out of this problem. \nTherefore, I'm hoping that our witnesses can tell us how they \ncoordinate the development of their research programs. We can't afford \nto have agencies going off on their own to develop a cyber security \nprogram and then hope the sum will be greater than the parts. Because \nour information infrastructure is largely in the hands of the private \nsector, any effective research agenda must be developed with input from \nthe industry. A strategy that relies on simply training personnel and \nthen hoping they find jobs is not sufficient. Research efforts need to \nbe focused on the real problems. So, I hope our witnesses will tell us \nabout their interactions with industry in developing the research \nagendas.\n    I want to thank our witnesses for appearing before the Committee \nand I look forward to their insight on this issue.\n\n    [The prepared statement of Mr. 
Smith follows:]\n\n            Prepared Statement of Representative Nick Smith\n\n    Today we meet to examine federal efforts to address an extremely \nimportant--but often under-appreciated--threat to our country: the \npotentially devastating attacks on our nation's computer networks and \ninfrastructure.\n    Almost immediately after the September 11th attacks, the Science \nCommittee held multiple hearings to examine just how vulnerable we were \nto the threat of cyber attacks. These hearings revealed that the United \nStates uses more and has become more dependent on ``cyber'' than any \nother country. Technological advancements in computers, software, \nnetworks and information technology greatly improved our lives, but \nthey also made our society more vulnerable to disruption.\n    We also learned that the threat from other risks, such as computer \nviruses, hacking, and electronic identity theft, present significant \nhazards to general commerce, personal privacy, and our overall economic \nsystem. Finally, and in large part due to the interconnectedness of our \ntechnological age, we learned that physical security was permanently \nlinked to cyber security. As a result, we concluded that Congress \nneeded to address cyber security with the same vigilance with which we \nwere addressing our physical security at home and abroad.\n    So we responded to these realizations by drafting and passing into \nlaw the Cyber Security Research and Development Act of 2002. This \nlegislation provided a comprehensive, coordinated research framework to \naddress the threats to our computer systems.\n    I am interested today to learn not only how the Federal Government \nis implementing the research coordination provisions of the cyber \nsecurity bill, but also how they are working to ensure implementation \nof the technologies we now have readily available today. 
Although I am \npleased that the Department of Homeland Security has requested over \n$800 million for applied research and development in its Science and \nTechnology Directorate, it is not clear whether cyber security will \nreceive appropriate attention within the Directorate.\n    We have a very esteemed panel of agency witnesses with us here \ntoday, and I have many important issues to discuss with them. I look \nforward to their testimony and I am confident that Congress, the \nAdministration, the university community, and the private sector will \nbe able to work together to find solutions to the cyber security \nchallenges facing America.\n\n    [The prepared statement of Mr. Costello follows:]\n\n         Prepared Statement of Representative Jerry F. Costello\n\n    Good morning. I want to thank the witnesses for appearing before \nour committee to examine the federal cyber security research and \ndevelopment activities and implementation of the Cyber Security \nResearch and Development Act (P.L. 107-305).\n    The Cyber Security Research and Development Act authorized $903 \nmillion over five years for new federal programs to ensure that the \nU.S. is better prepared to prevent and combat terrorist attacks on \nprivate and government computers. The legislation was developed \nfollowing a series of post-September 11th Science Committee hearings on \nthe emerging cyber-terrorist threat and the lack of a coordinated U.S. \nresponse. Despite this new legislative and programmatic initiative, our \ncomputer and communications networks, upon which the country's economic \nand critical infrastructures for finance, transportation, energy and \nwater distribution, and health and emergency services depend, are still \namong the Nation's vulnerabilities. In addition, funding for FY 2003 \nand proposed funding for FY 2004 is significantly below the authorized \nlevels.\n    As a result, valid concerns remain that the U.S. 
is still not \nappropriately organized and prepared to counter and respond to cyber \nsecurity. Multiple federal agencies, as well as institutions of higher \neducation and the private sector, have critical roles to play; yet, no \nenactment of or planning for the National Strategy has occurred and \nthere is no evidence of coordination among agencies as they developed \ntheir research and development budget requests for FY 2004. The absence \nof a clear advocate for cyber security at the Department of Homeland \nSecurity, coupled with the Administration's decision in February 2003 \nto eliminate the President's Critical Infrastructure Protection Board, \nis of particular concern. Further, I am interested to know from our \nwitnesses how the Administration determines where the emphasis should \nbe in cyber security and how this is reflected in the agency's budget \nrequests.\n    I again thank the witnesses for being with us today and providing \ntestimony to our committee.\n\n    [The prepared statement of Ms. Johnson follows:]\n\n       Prepared Statement of Representative Eddie Bernice Johnson\n\n    Thank you, Chairman, for calling this important hearing to examine \nfederal cyber security research and development (R&D) activities and \nthe Cyber Security Research and Development Act (P.L. 107-305) and I \nalso want to thank our witnesses for agreeing to appear today.\n    Cyber security is an emerging concept that will redefine computer \nscience and engineering in our nation as we know it.\n    Last February, the Administration released its long-awaited \nNational Strategy to Secure Cyber Security. However, it seems that \ncyber security has slipped in importance for the Bush Administration. 
\nRather than target specific industry segments and require that they \nsecure themselves by recommending tough new laws and regulations, the \nAdministration's plan recommends that industry and individuals simply \ntake greater care.\n    Overall, the new DHS's $37.7 billion budget earmarks only $3 \nbillion for cyber security. So the Infrastructure Protection \ndirectorate, one of five directorates in the DHS, appears in line for \nless than 10 percent of funds.\n    To be fair, the DHS is an immense undertaking, the biggest \ngovernment reorganization effort since the Department of Defense was \ncreated after World War II. Such a reorganization will require time.\n    Unfortunately, the Administration does not address criticism that \nits lack of regulations renders it toothless. For example, previous, \nunpublished drafts had included measures that would have forced \nInternet service providers to offer firewalls to their users and would \nhave required wireless hardware makers to improve security.\n    It is very important that any plan from the Administration does an \neffective job at identifying threats. Regrettably, this plan does not \npropose to collect reliable data and perform the analysis necessary to \ndefine the threat. Without a reliable threat assessment, it is almost \nimpossible to tailor an R&D program to meet real needs, let alone \nallocate the appropriate amount of funding to develop solutions. \nHopefully, our witnesses today will be able to provide answers to our \nquestions that will shine light on some of the shortcomings of the \nAdministration's proposals.\n\n    [The prepared statement of Ms. Lee follows:]\n\n        Prepared Statement of Representative Sheila Jackson Lee\n\nMr. Chairman,\n\n    Thank you for calling this extremely timely and enlightening \nhearing. I also serve on the Select Committee on Homeland Security, \nwhich is now several months old. 
Despite the continuous pressure from \nRanking Member Turner and all of the other Democratic Members, that \nCommittee--charged with providing Congressional oversight to our \nnation's domestic efforts to protect the American people--has yet to \nhold a single substantive hearing. I am glad that as usual, the Science \nCommittee has risen to the challenge, to ask tough questions on \nsensitive issues.\n    National security is obviously foremost on everyone's minds these \ndays. As we work to improve our country's security, it is important \nthat we take inventory of all systems that are vital to the functioning \nof the Nation, and do all we can to protect them. This certainly \nincludes our computer network systems that can be attacked anonymously \nand from far away. These networks are the glue that holds our nation's \ninfrastructure together. An attack from cyberspace could jeopardize \nelectric power grids, railways, hospitals and financial services, to \nname a few.\n    We are all aware of the growing number of Internet security \nincidents. These incidents can come in many flavors: annoying attacks \nthrough e-mails, involving such things as computer viruses, denial of \nservice attacks, and defaced web sites; or cyber crime, such as \nidentity theft. Such events have disrupted business and government \nactivities, and have sometimes resulted in significant recovery costs.\n    Our hospitals and power grids, our communications, our \ntransportation systems, are all critically dependent on computers and \ninformation flow and the satellites above us. A terrorist or other \ncriminal tampering with those systems could devastate entire industries \nand potentially cost lives. 
While we have been fortunate so far in \navoiding a catastrophic cyber attack, Richard Clarke, the President's \ncyber-terrorism czar from last year, I guess I should say ``two czars \nago,'' said that the government must make cyber security a priority or \nface the possibility of a ``Digital Pearl Harbor.''\n    This was truly a frightening prospect. It motivated me to get more \nknowledgeable and active in the area of cyber security. It motivated \nthis committee, the Chairman and Ranking Member, to get busy on \nhearings and legislation. The Cyber Security Research and Development \nAct is the product of our work. Now I look forward to hearing how the \nAdministration and the Agencies are stepping up to the challenges that \nare before us.\n    Of course here in the Science Committee, we tend to appreciate good \nScience--good data to guide smart policy. I am troubled by the fact \nthat it seems we still do not have good data as to what is the scope of \nour cyber-vulnerability. We hear almost daily anecdotal reports of \nviruses, or worms, and crashes, but still do not know the true \nmagnitude of the problem. We do not know how much is at risk, how much \nis being spent to protect ourselves, and what needs to be spent in the \nfuture.\n    That has led to a fairly arbitrary set of appropriations figures, \nprobably considerably lower than what is needed, and probably not \nalways targeted to the programs that are most likely to produce \nresults. I am troubled by the Administration's FY04 budget request \nwhich under-funds cyber security priorities dictated by the Cyber \nSecurity Research and Development Act. I do not understand why NIST \ngrant programs, which have been successful in the past, are being \ndiscarded for the near to distant future. 
I hear that we need to save \nmoney so that we can offset giant tax cuts for the rich that are \nsupposed to grow our economy and create jobs.\n    But what kind of economy will we have if our power grid is \ncompromised, or if people are afraid to fly because the computers that \nrun our air-traffic have been hacked, or if we lost the Internet \nshopping industry? We need to make smart investments now. We need to \nmake sure our agencies are communicating well and covering all bases, \nand filling in security gaps.\n    We are in a massive restructuring now of all of our nation's \nhomeland security efforts. We cannot do this in the dark. We need \ncongressional insight and oversight. We need public and private sector \ninput. And we need guidance from the top, from the Administration.\n    I look forward to the dialogue. Thank you.\n\n    Chairman Boehlert. Thank you very much. For the purpose of \nan introduction, the Chair recognizes Mr. Miller of North \nCarolina.\n    Mr. Miller. Thank you, Mr. Chairman. I am pleased to \nintroduce Dr. Charles McQueary, who is here and I believe is a \nconstituent, so--although I think as we were chatting just \nbefore the Committee began, have you now moved within \nGreensboro?\n    Dr. McQueary. Yes, I have.\n    Mr. Miller. And where do you now live?\n    Dr. McQueary. I now live in the Grandover complex, which I \nbelieve is Congressman Coble--if I am not mistaken.\n    Chairman Boehlert. The gentleman's time is expired.\n    Mr. Miller. Well, I have this all prepared. I might as well \ngo ahead.\n    Chairman Boehlert. Please do.\n    Dr. McQueary. But I still do--I do own a home in your \ndistrict, though, as you point out, that I haven't sold it yet.\n    Mr. Miller. And I will speak--I hope you will speak to \nwhoever buys the home and mention my name to them. Well, my \nformer constituent, Dr. McQueary, is well regarded in \nGreensboro in both the business community and in--for his civic \nwork. 
In the private sector, he was the president of the \nGeneral Dynamics Advanced Technology Systems. That company \nfocused on electro-optic undersea systems, networking and \ndecision support systems, active control systems, and signal \nprocessing solutions and software solutions. I am told that \nthat was a good job for Dr. McQueary. He also was a respected \nmember of the community for his civic leadership. He was a \nmember of the Board of Trustees of North Carolina A&T, North \nCarolina State University. He was on the Guilford Technical \nCommunity College as President, CEO Advisory Board. He was \nchairman of Action Greensboro, a political--a public education \ninitiative, and a member of the Board of Guilford County \nEducation Network. He was also chairman of the Board and a \ncampaign chair for the United Way of Greensboro and a member of \nthe Board of the World Trade Center of North Carolina. So I am \npleased to welcome my former constituent, Dr. McQueary.\n    Dr. McQueary. Thank you.\n    Chairman Boehlert. Mr. Hall was tempted to claim him for \nTexas. This is Dr. McQueary's first visit to the Committee, and \nwe welcome him here. I gave you the privilege, Mr. Miller, of \nintroducing----\n    Mr. Hall. Mr. Chairman, we all own Dr. Colwell, though.\n    Dr. Colwell. Thank you, sir.\n    Chairman Boehlert. The other three witnesses are all good \nfriends of long standing and have appeared many times and are \nvaluable resources for the Committee, but this is your maiden \nvoyage, Dr. McQueary, and we wish you smooth sailing. I avoided \nintroducing you, because this committee created the position of \nUnder Secretary for Science and Technology, because we thought \nit was so important. And I was so pleased that the \nAdministration agreed with that and Governor Ridge did, also. 
\nBut I wasn't sure if I was--I would be well-received in \nintroducing you, because I am not sure if you want to thank me \nor shoot me right about now, because you have got a most \ndemanding position. But we are glad to have you here.\n    And we are always pleased to see Dr. Rita Colwell back. \nThis Committee has worked long and well with you. And we are \nvery proud of your outstanding accomplishments and the work of \nthe National Science Foundation. And with NIST, Dr. Arden \nBement, a good friend of long standing. We have a special \nrelationship, too, and we are glad to welcome you back. And Dr. \nTether, it is good to see you back.\n    I think we should all appreciate the fact that we have four \ncritically important people performing exceptional service for \nthe Nation in their positions. And so we anxiously await your \ntestimony. We will start with you, Dr. McQueary. You are first \nup.\n\n   STATEMENT OF DR. CHARLES E. McQUEARY, UNDER SECRETARY FOR \n    SCIENCE AND TECHNOLOGY, DEPARTMENT OF HOMELAND SECURITY\n\n    Dr. McQueary. Thank you. Good morning, Chairman Boehlert, \nCongressman Hall, and all Members of the Committee. It is a \npleasure for me to accept the opportunity to be with you today \nand discuss the cyber security R&D from a Homeland Security \nperspective. It is an honor and a great responsibility to lead \nthe Department of Homeland Security's scientific efforts to \nmeet the challenges of securing the technology supporting our \nnation's infrastructures, loosely referred to as ``cyber''. And \nI do want to say thank you for having created this position, \nand it is an honor for me to be the first person to fill the \nposition. And I do thank you for the work that this committee \ndid in forming that group.\n    An important mission of the Science and Technology \nDirectorate is to develop and deploy leading technologies and \ncapabilities so those who serve to secure the Homeland can \nperform effectively and efficiently. 
This Directorate will \nrespond, then, to the needs and requirements in this area from \nwithin the Department.\n    The threats to our Homeland are many. We must constantly \nmonitor these threats and assess our vulnerabilities to them. \nWe must develop new or improved capabilities to counter \nchemical, biological, radiological, nuclear, explosive, and \ncyber threats and mitigate the effects of terrorist attacks, \nshould they occur.\n    The Science and Technology Directorate's program must also \nenhance the conventional missions of the Department to protect \nand provide assistance to civilians in response to national \ndisasters, law enforcement needs, and other activities. Thus, \nScience and Technology's key specific areas of emphasis are as \nfollows: develop and deploy state-of-the-art, high-performance, \nlow operating cost systems to prevent the illicit traffic of \nradiological and nuclear materials and weapons into and within \nthe United States. The second item is to provide state-of-the-\nart, high-performance, low operating cost systems to rapidly \ndetect and mitigate the consequences of the release of \nbiological and chemical agents. Third, provide state-of-the-\nart, high-performance, low operating cost systems to detect and \nprevent illicit, high-explosive transit into and within the \nUnited States. Fourth, enhance the missions of all of the \ndepartmental operational units through targeted research, \ndevelopment, test and evaluation, and systems engineering and \ndevelopment. Fifth, develop and provide capabilities for \nprotecting cyber and other critical infrastructures. The sixth \nitem is to develop capabilities to prevent technology surprise \nby anticipating emerging threats. 
And last, develop, \ncoordinate, and implement technical standards for chemical, \nbiological, radiological, and nuclear countermeasures.\n    This Directorate will implement its activities through \nfocused portfolios that address biological, chemical, \nradiological, nuclear, and cyber threats; secondly, support the \nresearch and development needs of the operational units of the \nDepartment; and last, receive innovative input from private \nindustry and academia as well as national and federal \nlaboratories.\n    Now allow me to specifically address the Science and \nTechnology Directorate in response to cyber security concerns. \nThe operational responsibility for this mission within Homeland \nSecurity resides with the Under Secretary for Information \nAnalysis and Infrastructure Protection. The Under Secretary for \nScience and Technology carries the responsibility for ensuring \nthat the necessary research, development, test and evaluation \nactivities are carried out to support the IAIP mission in cyber \nsecurity. In practice, the term ``cyber security'' is broadly \ndefined within the community. S&T uses ``cyber security'' to \nmean ``securing the availability, integrity, and \nconfidentiality of those services provided through technology, \nsuch as hardware and software systems connected to public and \nprivate networks that support the critical infrastructures''.\n    Our approach to cyber security is essentially to apply the \ntechnology that supports the infrastructures. To address cyber \nsecurity issues, we recognize that R&D efforts are one facet of \na larger mosaic that includes elements, such as identification \nand mitigation of the threat, industry partnership and \ncompliance, and physical security.\n    Today, there are many cyber security R&D efforts underway \nand more yet to be established that address a range of cyber \nsecurity issues. 
These represent opportunities for Science and \nTechnology, our organization, to leverage existing work in \norder to address those needs and technology gaps that \nDepartment of Homeland Security identifies as important to \nsecuring the Homeland.\n    We have started to work with familiarization and \ncoordination across the federal sector. During the DHS \ntransition and start-up period, members of the Transition Team \nbegan to participate in the INFOSEC Research Council. Members \nof this Council include DARPA, the NIST, and National Science \nFoundation, and it is our method of coordinating with the \ncommunity on this topic.\n    Additionally, within our staff for Homeland--for the \nScience and Technology Directorate, we have detailees from \nNIST, the Secret Service, National Science Foundation, and NSA \nto help craft a national strategy in cyber R&D that is required \nby the Homeland Security Act and to identify areas for \ninvestment that would be carried out by Science and Technology.\n    One of the S&T's key areas of emphasis is our role in \nestablishing DHS technical standards, which will establish DHS \nperformance criteria for acceptable cyber security--cyber \nprotection technologies. Currently, there is a Memorandum of \nUnderstanding nearing completion for signature between DHS and \nthe technical administration of the Department of Commerce. \nThis MOU is an agreement to work together to develop common \nstandards to support U.S. industry and the Department of \nHomeland Security.\n    As I noted earlier, it is this Directorate's role to \nsupport the needs and requirements of DHS and, in particular, \nthose defined by the Information Analysis and Infrastructure \nProtection Directorate to provide an enduring resource and \nensure the--to provide an enduring resource and assure that the \nnecessary RDT&E activities are carried out.\n    To support the IAIP mission in cyber security, we intend to \ncreate a DHS R&D cyber security center. 
The DHS R&D cyber \nsecurity center will team with, through partnership and \ncooperation, with those representatives here at this table with \nme today. This center will provide DHS focus for R&D activities \nand leverage the many, many cyber security RDT&E efforts \nunderway in the defense and intelligence, academic, and private \nlaboratory communities. We see this as a critical--this is \ncritical to coordinate the resources and efforts across the \ngovernment R&D community to accelerate technical capabilities \nthat address DHS priorities.\n    The center will have five primary roles or functions as \nfollows. The center will promote and coordinate cyber security \nresearch, innovation, invention, and evaluation in support of \nthe DHS mission needs. It will develop strategic research and \ndevelopment programs and create testing and evaluation programs \nto address specific gaps in U.S. cyber security capabilities. \nFor example, a unique feature of the center will be the \nutilization of existing or the development of new test beds \nwhere cyber security methods, tools, and approaches can be \nexercised in a controlled environment and evaluated against \ncommon, accepted standards.\n    Developing the test beds and measurement performance \nstandards will be an element of the center's program. It will \nprovide communication and coordination among various public and \nprivate organizations dealing with the many diverse aspects of \ncyber security. The center will foster national and \ninternational cooperation in creating a robust and defensible \ncyber security infrastructure. It will support the operational \nneeds of the IAIP Directorate relative to vulnerability \nassessments and new tools and methods for enhancing cyber \nsecurity. 
In addition to responding to DHS research, \ndevelopment, test, and evaluation needs, the center will \nprovide emergency response and reach-back capabilities to on-\ncall technical experts to support rapid vulnerability \nmitigation in response to cyber threats. It will cooperate with \nthe National Science Foundation to foster educational programs \nand curriculum development to help ensure the Nation has the \nnecessary human resources to present--who possess the requisite \nknowledge and skills to advance and secure the Nation's cyber \ninfrastructure. This will be done in conjunction with \nparticipating universities, who will serve as a nucleus for \ncreating the next generation of scientists and engineers.\n    In closing, I would like to thank the Members of the \nScience Committee for the opportunity to speak with you today \nabout the Science and Technology concept for addressing cyber \nsecurity research and development. We will work hard to partner \nwith the community to address the needs and requirements of DHS \nas well as those gaps that exist between the many significant \nprojects already developed. S&T is determined to support the \nmission of DHS to protect the critical infrastructures of this \nnation by working to secure the technology that supports them.\n    Mr. Chairman and Members of the Committee, this concludes \nmy prepared remarks, and I would be happy to take any questions \nthat you might have at this time.\n    [The prepared statement of Dr. McQueary follows:]\n\n               Prepared Statement of Charles E. McQueary\n\n    Good morning Chairman Boehlert, Congressman Hall, Congressmen and \nMembers of the Committee. It is a pleasure for me to accept your \ninvitation to be with you today to discuss cyber security R&D. 
It is an \nhonor and great responsibility to lead the Department of Homeland \nSecurity (DHS), Science and Technology Directorate's efforts to meet \nthe challenges of securing the technology supporting our nation's \ninformation technology infrastructures, often termed ``cyber.'' An \nimportant mission of this Directorate is to develop and deploy leading \ntechnologies and capabilities so those who serve to secure the homeland \ncan perform effectively and efficiently--they are my customers. This \nDirectorate will respond then to the needs and requirements in this \narea from within the department.\n    The threats to our homeland are many. We must constantly monitor \nthese threats and assess our vulnerabilities to them; develop new or \nimproved capabilities to counter chemical, biological, radiological, \nnuclear, explosive and cyber threats; and mitigate the effects of \nterrorist attacks should they occur. The Science and Technology (S&T) \nDirectorate's program must also enhance all of the Department's \nmissions, whether or not they are focused on the threat of terrorism.\n    Throughout the initial planning process for the S&T Directorate we \nhave been guided by current threat assessments, our understanding of \ncapabilities that exist today or that can be expected to appear in the \nnear-term, and, importantly, by the priorities spelled out in the \nPresident's National Strategies for Homeland Security, Physical \nProtection of Critical Infrastructures and Key Assets and to Secure \nCyberspace.\n    Thus Science and Technology's key specific areas of emphasis are \nto:\n\n        1. Develop and deploy state-of-the-art, high-performance, low-\n        operating-cost systems to prevent the illicit traffic of \n        radiological/nuclear materials and weapons into and within the \n        United States.\n\n        2. 
Provide state-of-the-art, high-performance, low-operating-\n        cost systems to rapidly detect and mitigate the consequences of \n        the release of biological and chemical agents.\n\n        3. Provide state-of-the-art, high-performance, low-operating-\n        cost systems to detect and prevent illicit high explosives \n        transit into and within the United States.\n\n        4. Enhance missions of all Department operational units \n        through targeted research, development, test and evaluation, \n        and systems engineering and development.\n\n        5. Develop and provide capabilities for protecting cyber and \n        other critical infrastructures.\n\n        6. Develop capabilities to prevent technology-surprise by \n        anticipating emerging threats.\n\n        7. Develop, coordinate and implement technical standards for \n        chemical, biological, radiological and nuclear countermeasures.\n\n    We have requested $803M in FY04 to provide applied research, \ndevelopment, demonstrations, and testing of products and systems that \naddress these key areas of emphasis. This directorate will implement \nits activities through focused portfolios that address biological, \nchemical, radiological and nuclear, and cyber threats; support the \nresearch and development needs of the operational units of the \nDepartment; and receive innovative input from private industry and \nacademia as well as national and federal laboratories. In particular, \nthe Homeland Security Advanced Research Projects Agency (HSARPA) will \nhave an essential role in meeting the goals and objectives of the \nDepartment and the Directorate across the range of the portfolios.\n    Allow me now to specifically address the Science and Technology \nDirectorate (S&T) response to critical infrastructure protection \nconcerns, including cyber security. 
Consistent with law and policy, the \noperational assistance and advisory role and responsibilities for \ncertain elements of cyber security reside with the Under Secretary for \nInformation Analysis and Infrastructure Protection (IAIP). The Under \nSecretary for S&T carries the responsibility for ensuring that the \nnecessary research, development, test and evaluation (RDT&E) activities \nare carried out to support the IAIP mission in cyber security. In \npractice, the term ``cyber security'' is broadly defined within the \ncommunity. S&T uses ``cyber security'' to mean securing the \navailability, integrity and confidentiality of those services provided \nthrough technology such as hardware and software systems, connected to \npublic and private networks (i.e., voice, data and Internet Protocol \nnetworks) that support the critical infrastructures. Our concern with \ncyber security is essentially applied to the technology that supports \nthe infrastructures. To address cyber security concerns, we recognize \nthat R&D efforts are an element of a larger mosaic that includes \nelements such as identification and mitigation of the threat, industry \npartnership and compliance, and physical security.\n    Today there are many cyber security R&D efforts already underway, \nand more yet to be established, that address a range of cyber security \nissues. These represent opportunities for S&T to leverage existing work \nin order to address both those needs and technology gaps for the \nFederal Government and industry as important to securing the Homeland. \nFederal gaps are identified through annual agency and Inspector General \nreports required under the Federal Information Security Management Act. \nVulnerability assessments will also help identify federal gaps. There \nis a wide array of technologies that address many needs today not only \nin government laboratories, but also throughout the commercial sector. 
\nHowever, the existence of many hard and currently unsolved problems, \nand the changing nature of the threat, will require an ongoing research \neffort.\n    We have started the work of familiarization and coordination across \nthe federal sector. During the DHS transition and startup period, \nmembers of the transition team began to participate in the Infosec \nResearch Council. Membership in this council includes DARPA, NIST and \nNSF; and it is our means of coordinating with the community on this \ntopic. In addition, we have been in communication with the Office of \nScience and Technology Policy, and will be participating in the \ninteragency R&D coordination activities of the National Science and \nTechnology Council.\n    One of S&T's key areas of emphasis is our role in establishing DHS \ntechnical standards, which will establish DHS performance criteria for \nacceptable cyber-protection technologies. Currently, there is a \nMemorandum of Understanding presented for signature between DHS and the \nTechnology Administration at the Department of Commerce; this MOU is an \nagreement to work together to develop common standards to support U.S. \nIndustry and DHS. We will work closely with NIST in this endeavor, and \nhave a person on staff detailed from NIST to address cyber security \nprograms and standards.\n    As I noted earlier, it is this directorate's role to support the \nneeds and requirements of DHS, in particular those defined by the IAIP \nDirectorate. The Science and Technology directorate carries the \nresponsibility for ensuring that the necessary RDT&E activities are \ncarried out to support the IAIP mission in cyber security. To provide \nan enduring resource to help meet our mission and responsibilities, we \nintend to create a DHS R&D Cyber Security Center.\n    The DHS Cyber Security R&D Center will team through partnership and \ncooperation with NSF and NIST. 
This center will provide a DHS focus for \nR&D activities and leverage the many cyber security RDT&E efforts \nunderway in the defense and intelligence, academic and private \nlaboratory communities. We see this as critical to coordinate the \nresources and efforts across the government R&D community to accelerate \ntechnical capabilities that address DHS priorities.\n    The center will have five primary roles or functions, as follows:\n\n        <bullet> Promoting and coordinating cyber security research, \n        innovation, invention and evaluation in support of the DHS \n        mission needs. It will develop strategic research and \n        development programs, and create testing and evaluation \n        programs to address specific gaps in U.S. cyber security \n        capabilities. For example, a unique feature of the Center will \n        be the utilization of existing, or the development of new, test \n        beds where cyber security methods, tools, and approaches can be \n        exercised in a controlled environment and evaluated against \n        common, accepted standards. Developing the test beds and \n        measurement-performance standards will be an element of the \n        Center's program.\n\n        <bullet> Providing communication and coordination among \n        various public and private organizations dealing with the many \n        diverse aspects of cyber security. 
The Center will foster \n        national and international cooperation in creating a robust and \n        defensible cyber infrastructure.\n\n        <bullet> Supporting the operational needs of the IAIP \n        directorate relative to vulnerability assessments and new tools \n        and methods for enhancing cyber security.\n\n        <bullet> Cooperating with NSF to foster educational programs \n        and curriculum development to help ensure the Nation has the \n        necessary human resources who possess the requisite knowledge \n        and skills to advance and secure the Nation's cyber \n        infrastructure. This will be done in conjunction with \n        participating universities who will serve as a nucleus for \n        creating the next generation of scientists and engineers.\n\n    Although much of the S&T portfolio will be focused on very \ndifficult problems requiring extensive research, a portion of the \nprogram will be dedicated to addressing nearer-term problems in support \nof DHS mission requirements. In addition to establishing the center \nthrough FY03 funding, S&T will begin work on the following specific \nareas:\n\n        <bullet> Supporting the U.S. 
Secret Service National Threat \n        Assessment Center and CERT/Coordination Center at Carnegie \n        Mellon University on a comprehensive assessment of Insider \n        Threats and defense strategies.\n\n                - The need to identify and mitigate the insider threat \n                is critical to the physical and cyber security plans of \n                the critical infrastructures of the United States.\n\n                - Reducing the ability of inside actors to assist \n                outside threats will provide increased security to the \n                critical infrastructures of this country.\n\n        <bullet> Conducting a feasibility study for trace-back and \n        geo-location of source attack.\n\n                - The watch and warning mission of the IAIP \n                directorate requires the ability to identify and track \n                the source location of cyber attackers.\n\n                - This study will determine the status of currently \n                available trace-back and geographical location \n                technology, capability gaps, and potential policy \n                implications.\n\n        <bullet> Developing patch verification technology in support \n        of IAIP's patch management efforts to accelerate the speed with \n        which cyber-protection software updates are evaluated, \n        validated, and applied to civilian organizations.\n\n                - Computer network attacks have historically exploited \n                known, published vulnerabilities. All of the infected \n                systems were without the appropriate patches in time to \n                close the vulnerabilities and ensure protection. 
As a \n                result, there was significant economic impact and \n                resource availability issues to the private businesses \n                that participate in the critical infrastructure of this \n                country.\n\n                - Many times the failure to apply the patch was a \n                result of time required to test the patch against a \n                duplicate of a critical system to ensure there would be \n                no negative impact on business or government critical \n                services. The goal of this project is to provide an \n                efficient, low cost solution to this problem.\n\n                - This study will determine the feasibility of this \n                technology and recommend potential solutions for \n                further RDT&E.\n\n        <bullet> Expanding development of technologies for detecting \n        covert threats that carry the risk of creating major disruption \n        to critical infrastructures such as financial systems before \n        they are discovered.\n\n                - Existing intrusion and threat detection systems \n                utilizing signature based identification often provide \n                false positives or large amounts of log data so that \n                their effectiveness has diminished in the overall cyber \n                security architecture. 
The benefits of the next-\n                generation intrusion detection system will identify and \n                categorize all intrusions regardless of the threat \n                signature.\n\n                - This project will begin research, development, test \n                and evaluation on next generation detection systems.\n\n        <bullet> Conducting a feasibility study for the scalability \n        and technology application of Secure Border Gateway Protocol \n        and Secure Domain Name Services.\n\n                - The Secure Border Gateway Protocol and Secure Domain \n                Name Services protocol seek to secure two vulnerable \n                protocols, on which the movement of network traffic \n                depends.\n\n                - This study will determine the feasibility and \n                scalability of these protocols on existing network \n                infrastructure; and make any recommendations on the \n                need for further RDT&E if required.\n\n    We are therefore taking steps in S&T to establish key relationships \nwith the major cyber security R&D organizations to provide a focus for \nDHS technology innovation and capability development in a new Center, \nand have defined initial projects in support of the Secret Service and \nIAIP near-term needs. As the IAIP Directorate begins to define its \nlong-term goals and needs, we will leverage other federally funded \nactivities, academia, and private industry to provide solutions.\n    In closing, I would like to thank the Members of the Science \nCommittee for the opportunity to speak with you today about the Science \nand Technology concept for addressing cyber security research and \ndevelopment. We will work with diligence to partner with the R&D \ncommunity to address the needs and requirements of DHS, as well as \nthose gaps that exist between the many productive projects already \ndeveloped. 
S&T is determined to support the mission of DHS to protect \nthe critical infrastructures of this nation by working to secure the \ntechnology that supports them.\n    Mr. Chairman and Members of the Committee, this concludes my \nprepared statement. I would be pleased to address any questions you may \nhave.\n\n                   Biography for Charles E. McQueary\n\n    On January 10 President Bush announced his intention to nominate \nDr. Charles E. McQueary to be Under Secretary for Science and \nTechnology.\n    Most recently, Dr. McQueary served as President, General Dynamics \nAdvanced Technology Systems, in Greensboro, N.C., a company that \nfocuses on electro-optic undersea systems, networking and decision \nsupport systems, active control systems, signal processing solutions \nand software solutions.\n    Prior to General Dynamics, Dr. McQueary served as President and \nVice President of business units for AT&T, Lucent Technologies, and as \na Director for AT&T Bell Laboratories.\n    In addition to his professional experience, Dr. McQueary has served \nhis community in many leadership roles--as Chair of the Board, and \nCampaign Chair, of the United Way of Greensboro; Member of the Board of \nTrustees of North Carolina Agricultural and Technical (A&T) State \nUniversity; Member of the Guilford Technical Community College (GTCC) \nPresident's CEO Advisory Committee; Member of Board of World Trade \nCenter North Carolina; Chair for Action Greensboro Public Education \nInitiative; and as a Member of the Board of Guilford County Education \nNetwork.\n    Dr. McQueary holds both a Ph.D. in Engineering Mechanics and an \nM.S. in Mechanical Engineering from the University of Texas, Austin. \nThe University of Texas has named McQueary a Distinguished Engineering \nGraduate.\n\n    Chairman Boehlert. Thank you very much. You are now a \nveteran testifying----\n    Dr. McQueary. Thank you.\n    Chairman Boehlert [continuing]. 
Before the Science \nCommittee.\n    Dr. McQueary. Thank you.\n    Chairman Boehlert. Welcome back, Dr. Colwell. You are up \nnext.\n\n STATEMENT OF DR. RITA R. COLWELL, DIRECTOR, NATIONAL SCIENCE \n                           FOUNDATION\n\n    Dr. Colwell. Mr. Chairman and Members of the Committee, I \nappreciate the opportunity to appear before you today to \ndiscuss the importance of improving the security of our \ninformation infrastructure.\n    Last November, as a result of your strong leadership, Mr. \nChairman, Congress enacted and the President signed into law \nthe Cyber Security Research and Development Act of 2002. This \nlaw authorizes important research and education activities to \nprotect the Nation's critical information technology systems \nagainst failures from accident or attack. NSF is fully \nsupportive of this action.\n    NSF's attention to cyber security dates back to at least \n1978 with an investment in cryptography that led to the public \nkey infrastructure that is widely used to secure cyber \ntransactions today. In 2001, and I would point out September 6, \n2001, we established a trusted computing research program to \nfocus attention on the continuing need for research in this \narea. In 2002, we saw a rapid rise in cyber security interest \nby the research community. And this year, I have to tell you, \nwe are dealing with a flood of proposals as I previously shared \nwith you. The Cyber Security Research and Development Act \nprovides us with new authority and an additional sense of \nurgency to expand our capacity to guard against attacks on our \nnation's computer and network systems.\n    Let me briefly share with you the current state of NSF \nfunding for cyber security research, tell you where we are--\nwhat we are doing, and then indicate where we are going. When \nthe appropriation process was completed in February, our Cyber \nDirectorate doubled its funding for research to $30 million. 
In \naddition, the NSF Federal Cyber Service--Scholarships for \nService program provides $11 million to increase the production \nof information assurance and computer security professionals. A \ntotal of about $53 million is focused on cyber security, \nbecause NSF clearly understands the urgency of the need for \ncyber security. With these investments, NSF is focusing on \ndiscovery, learning, and innovation to secure today's systems, \nto embed contemporary security principles and practices in all \naspects across the board of cyber systems design in many--in \nall disciplines, and to prepare a world-class workforce of \ninformation technology professionals with state-of-the-art \nsecurity skills that span research all the way to operations.\n    Beginning in 2004, the entire suite of cyber security \nactivities will be managed under one integrated, crosscutting \nprogram called ``Cyber Trust.'' The Cyber Trust portfolio of \nawards will include a range of multidisciplinary, multi-\ninvestigator awards, as well as the more focused single \ninvestigator awards. And we believe this will ensure the NSF's \nwhole investment in cyber security research and education is \ngreater than simply the sum of its parts.\n    In order to generate innovative approaches to the complex \ncomputer and network security problems that our nation faces, \nNSF will fund projects of sufficient scope and scale to foster \nmultidisciplinary collaboration between computer scientists, \nengineers, mathematicians, and social science researchers. We \nwill make awards that range in size from single investigator \ngrants to multi-investigator center-scale awards of up to $3 \nmillion. 
Now this portfolio of Cyber Trust investments will \nensure that a powerful mix of cutting-edge research is funded \nthrough a number of competitive awards.\n    NSF will also inform the community of opportunities to \ncompete for the center-scale awards in these, and other related \nareas, through programs like the STC's, the science and \ntechnology centers, the engineering research centers, and the \nIndustry/University Cooperative Research Centers.\n    Now I would like to point out that we changed the title \n``Cyber Trust,'' because our understanding is that the public \nnot only wants their information systems to be secure, but they \nwant to be able to trust them in all kinds of situations. As a \nsimple example, they need to be able to trust the data, their \ndata, will be kept private. NSF believes that a highly \ncollaborative and inclusive coordinated effort is necessary to \novercome the many technological challenges that are inherent in \nsecuring the Nation's cyber systems. Accordingly, NSF will seek \nto establish a multi-sector cyber security partnership, a \npublic/private partnership that will allow NSF to develop \nstrategic frameworks to guide future research and education \ninvestments in the field, investments that must be made by both \nthe public and the private sectors.\n    NSF will engage key federal agencies in the partnership \nendeavor, and we have already begun to do so in discussions \nwith NIST. We will draw on the current interagency efforts in \nthis area. The coordination has begun strongly with NIST, \nbecause NIST has the powerful connections to industry. In \naddition, NSF staff are very active in formal interagency \nactivities that support cyber security collaborations, like the \nINFOSEC Research Council and the 12-agency Networking and \nInformation Technology Research and Development Interagency \nWorking Group. We refer to this as NITRD, which NSF chairs. 
The \nWorking Group, we chair.\n    NSF will convene a series of workshops this summer to \nengage researchers, educators, and practitioners in finding the \nmost effective ways to build capacity and to build it quickly. \nThe workshops will also examine implementation strategies to \nsupport faculty traineeships in cyber security. These are \nprograms that will enable existing Ph.D.s to pursue academic \ncareers in cyber security.\n    And we scheduled the meeting for mid-August to facilitate \nmultidisciplinary research and education activities by bringing \ntogether all of the principal investigators, the PIs, from the \nnewly integrated Cyber Trust program. Now this group of PIs \nwill form a research collaboration network, which will \nfacilitate interaction between groups of investigators to \ncommunicate and coordinate research efforts across \ndisciplinary, organizational, institutional, and geographical \nboundaries. And the network can then be coupled to the NIST \nactivities to speed up the practical application of the \nresearch efforts.\n    Mr. Chairman, the Cyber Security Research and Development \nAct addresses a very, very critical need for our nation. NSF is \nappreciative of the confidence you have expressed in us to lead \nthis effort, and we intend to build on that confidence. And we \nwill make sure that all of the funds we are allocated and \nappropriated will be very well used. We eagerly look forward to \nworking with you and your staff to ensure that all of the goals \nof the Act are fulfilled.\n    Thank you.\n    [The prepared statement of Dr. Colwell follows:]\n\n                 Prepared Statement of Rita R. Colwell\n\n    Mr. Chairman and Members of the Committee, I appreciate the \nopportunity to appear before you today to discuss the importance of \nimproving the security of our information infrastructure. 
Last \nNovember, as a result of the strong leadership that you provided, \nCongress enacted the Cyber Security Research and Development Act \n(Public Law 107-305) of 2002. This law authorizes important research \nand education activities to build our capacity to gird the Nation's \ncritical information technology systems against failures from accident \nor attack.\n    The Cyber Security Research and Development Act accurately focuses \non the need for research, enhanced integration of activities from the \ndiverse disciplines that impact our ability to secure our systems, and \nproduction of computer professionals with the requisite skills needed \nto implement the latest cyber security techniques.\n    NSF agrees wholeheartedly with this focus and we are moving \nexpeditiously to address these needs, both through focused investments \nwith current year appropriations and by carefully fashioning plans for \nimplementation in FY 2004 and beyond.\n\nPersistent Challenges and Preceding Actions\n\n    Computers and networked systems are ubiquitous in our society. Over \nthe past decade, the Internet has grown tremendously, from its early \nstate as a small network of academicians, into a full-fledged vital \ninformation infrastructure that Americans rely on as much as they rely \non electricity, water, and roadway networks. Entire sectors of our \neconomy run minute-to-minute mission critical operations over \nnationally and internationally networked systems. The increase in our \nreliance on these systems, combined with the increased threat of \nmalicious attack, has shed new light on the importance of generating \nnew knowledge to secure them. New knowledge workers are also needed to \ndeploy and operate these systems safely and reliably.\n    Today's computing and communications infrastructure does many \nthings well, but suffers from a number of flaws and weaknesses that \nmake it less than dependable, particularly in the case of attacks. 
\nThese shortcomings include (1) latent flaws in widely distributed \nsoftware, (2) decreasing diversity of software components, (3) poor \ntechnical means for managing security infrastructure, (4) inadequate \ntechnical controls for needed collaboration policies, (5) lack of \nconvenient, scalable, strong authentication, and (6) inadequate \nsecurity mechanisms for new technologies. Further, the infrastructure \nlacks effective means for detecting when these flaws and weaknesses are \nexploited, and for responding when such exploitations are detected.\n    It is appropriate that government devote substantial public \nresources to develop knowledge and capabilities in the area of cyber \nsecurity. Market pressures tend to emphasize time-to-market of software \nand systems. Often IT products are released with known flaws that \nweaken reliability of the system and may create severe vulnerabilities. \nImproving the quality and diminishing the costs associated with \nembedding security principles into all cyber systems design and \ndevelopment will be essential to our success.\n    NSF has a longstanding commitment to creating new knowledge that \nwill improve the security of our nation's computer and network \ninfrastructure. NSF attention to cyber security dates back to a 1978 \ninvestment in cryptography, which led to the public key infrastructure \nthat is widely used for secure cyber transactions today. Our expanded \nFY 2003 investments in Trusted Computing, Data and Applications \nSecurity, Network Security and the Federal Cyber Service programs shows \nhow our sense of urgency in this field has grown. With the passage of \nthe Cyber Security Research and Development Act, Congress has allowed \nus to act on this sense of urgency and expand the Nation's capacity to \nguard against attacks on our computer and network systems.\n\nCurrent Year Actions\n\n    Mr. 
Chairman, you and this committee were an important part of the \nsupport for the appropriation increase that NSF received in February. \nCyber security research funding has increased by $15 million over FY \n2002 to reach $30 million. With the Scholarships for Service program, \nthis brings the agency's total FY 2003 investment in cyber security to \n$41 million.\n\nA Strategic Approach\n\n    In short, NSF seeks to enable discovery, learning and innovation \nthat will:\n\n        <bullet> Secure today's systems;\n\n        <bullet> Embed contemporary security principles and practices \n        in all aspects of cyber systems design and development of \n        tomorrow's systems; and\n\n        <bullet> Prepare a world-class workforce of information \n        technology professionals, with state-of-the-art security skills \n        spanning research to operations.\n\n    NSF will do so, informed by the interests and efforts of its \npartners in the cyber security field, including those in academe, \nindustry and other government agencies.\n    Our investments are guided by three core strategies that have \nproven effective across all science and engineering domains.\n\n1. Develop intellectual capital.\n\n  NSF invests in cyber security activities, including \nmultidisciplinary projects, which enhance the individual and collective \ncapacity to contribute cyber security solutions, thus building cyber \nsecurity capacity for many years to come. The agency uses its \ncompetitive, merit-review process to ensure that only research and \neducation projects of the highest quality are funded.\n\n2. Integrate research and education.\n\n  NSF investments in cyber security integrate research and education, \nassuring that findings and methods of cyber security research are \nquickly and effectively communicated in a broader context, to a larger \naudience and are thus more effectively embedded in practice.\n\n3. 
Promote Partnerships.\n\n  Effective collaboration and partnerships between researchers, \neducators and practitioners in academe, industry and government will \nenable the timely transformation of research outcomes into \ntechnological innovation that will secure critical cyber systems \nresident in both the public and private sectors. NSF has a strong \ninstitutional tradition of enabling partnerships among the Nation's \nleading scientists, engineers and educators. In convening researchers, \neducators, and other stakeholders we draw on the expertise and \ndeliberations of a vigorous and critical scientific community, exposing \nnew ideas and building consensus for them.\n\n    In FY 2003 and beyond, NSF will build on and increase coordination \nbetween the activities that we have supported for some years. Beginning \nin FY 2004, the entire suite of cyber security activities will be \nmanaged under one integrated, cross-cutting program called Cyber Trust.\n    I would note that we chose the title ``Cyber Trust'' because our \nunderstanding is that the public not only wants their information \nsystems to be secure, but that they want to trust them in all kinds of \nsituations. As a simple example, they need to be able to trust that \ndata will be kept private.\n    The Cyber Trust portfolio of awards will include a range of \nmultidisciplinary, multi-investigator awards, as well as more focused \nsingle investigator awards. This will ensure that NSF's whole \ninvestment in cyber security research and education is greater than the \nsum of its parts.\n    In order to generate innovative approaches to the complex computer \nand network security problems that our nation faces, NSF will fund \nprojects of sufficient scope and center-scale to foster \nmultidisciplinary collaboration between computer scientists, engineers, \nmathematicians, and social science researchers. 
Awards will range from \nsingle investigator types to multi-investigator awards of up to \n$3,000,000. This portfolio of Cyber Trust investments will ensure that \na rich mix of cutting-edge research is funded. NSF will also inform the \ncommunity of opportunities to compete for center-scale awards in these \nand related areas through activities like the Science and Technology \nCenter, Engineering Research Center, and Industry/University \nCooperative Research Center programs.\n\nIdentification and Coordination of Cyber Security Priorities\n\n    NSF, in its discussions with the scientific and engineering \ncommunity, has identified five vital research areas at the frontier:\n\n        1. Manageable security\n\n        2. Empirical cyber security studies\n\n        3. Cyber security foundations\n\n        4. Cyber security for next generation technology\n\n        5. Cyber security across disciplines\n\n    These research areas include and are representative of the many \nresearch areas included in Section 4(a) of the Act.\n    NSF believes that a highly collaborative and inclusive, coordinated \neffort is necessary to overcome the many technological challenges \ninherent in securing the Nation's cyber systems. Only by drawing upon \nthe expertise resident in relevant stakeholder organizations, including \nindustry, academia, and government, and by aligning the interests and \ninvestments of these broad stakeholder groups, can we ensure that the \nbest solutions are identified and enacted to protect the Nation's vital \ninformation technology resources.\n    Accordingly, NSF will seek to establish a multi-sector cyber \nsecurity partnership. 
The partnership will allow NSF to develop a \nstrategic framework to guide future research and education investments \nin the field; investments likely to be made by both the public and the \nprivate sectors.\n    NSF will engage key federal agencies in the partnership endeavor, \nby drawing on current interagency efforts in this area. For example, \nNSF staff are very active in formal interagency activities that support \ncyber security collaborations, such as in the Networking and \nInformation Technology Research and Development (NITRD) Interagency \nWorking Group (IWG) that includes representatives from the Defense \nAdvanced Research Projects Agency, the Department of Defense, the \nNational Security Agency, and others.\n    Dr. Peter Freeman, the NSF Assistant Director for Computer and \nInformation Science and Engineering (CISE) has talked with Dr. Arden \nBement to establish formal collaboration between NSF and NIST in the \narea of cyber security and program staff will carry the coordination \nforward. As chair of the NITRD IWG Dr. Freeman has also met with Dr. \nDavid Nelson, Director of the National Coordination Office for NITRD, \nto discuss ways to enhance the coordination activities of the IWG in \nthe area of cyber security.\n    Demonstrating further NSF leadership in cyber security, an NSF/CISE \nProgram Officer co-chairs the High Confidence Software and Systems \nprogram coordination area of NITRD. This subgroup is working to define \nthe federal portfolio of cyber security research and development, and \nwill identify gaps. NSF will draw upon the work of this group to inform \nits future research investments.\n    NSF also has a long tradition of working with industry partners in \nscience and engineering. 
By encouraging strong industry participation \nin the development of a cyber security research and education \nframework, and in the subsequent funding of appropriate research and \neducation activities, NSF hopes to improve both the transfer of new \nknowledge into the marketplace and the capacity of current and future \ngenerations of IT and information assurance professionals.\n\nCapacity Building\n\n    To establish the partnership, NSF will convene a series of \nworkshops to begin in summer 2003. These workshops will engage \nresearchers, educators and practitioners representing academic, \nindustry, and government stakeholder organizations to develop community \nconsensus on cyber security research and education needs and \nopportunities. In addition to refining research opportunities, the \nworkshops will focus on integration, scale, and capacity building.\n    The first workshops planned are described below.\n\n1. Comprehensive Cyber Security Needs Assessment\n\n    In August 2003, NSF will convene an invitational workshop of \nacademic, industrial, and government leaders to help assess the needs \nand identify the strategies necessary to prepare a world-class cyber \nsecurity workforce. In order to facilitate educational innovation in \ncyber security, design concepts for new cyber security-related \ncurricula will be devised. Implementation strategies will be discussed \nto determine the best way to deliver cyber security education to a \nbroad audience. Strategies will focus on curriculum for three levels of \neducation:\n\n        <bullet> Bachelor's/Associate's degree programs to prepare systems \n        administration and IT security operations professionals.\n\n        <bullet> Bachelor's and Master's degree programs to prepare systems \n        design and development professionals with specified skills in \n        security.\n\n        <bullet> Ph.D. 
programs to prepare researchers and educators for \n        careers in information security.\n\n    The workshop will also examine implementation strategies to support \nfaculty traineeships in cyber security. These programs will enable \nrecent Ph.D. graduates to pursue academic careers in cyber security.\n    Following this workshop, NSF will assess the extent to which its \ncurrent capacity-building programs address the needs defined by the \nworkshop attendees. For example, the Advanced Technology Education \n(ATE) centers are comprehensive national or regional cooperative \nefforts involving two-year colleges, four-year colleges and \nuniversities, secondary schools, business, industry, and government. \nThis program might serve as a valuable model for other such activities \nin the future. In the meantime it will provide a potential platform for \ncyber security activities at the Bachelor's and Associate's degree \nlevels.\n    I should also note that the Federal Cyber Service: Scholarships for \nService (SFS) program ``seeks to increase the number of qualified \nstudents entering the fields of information assurance and computer \nsecurity and to increase the capacity of the United States higher \neducation enterprise to continue to produce professionals in these \nfields to meet the needs of our increasingly technological society.'' \nThis program directly addresses the future needs of the Federal \nGovernment for access to skilled information security Bachelor's, \nMaster's, and Ph.D. recipients. The program also provides funding to \nschools to ``improve the quality and increase the production of \ninformation assurance and computer security professionals through \nprofessional development of information assurance faculty and the \ndevelopment of academic programs.''\n\n2. 
Cyber Security Community\n\n    In order to facilitate multidisciplinary research and education \nactivities, NSF will convene a meeting of all Principal Investigators \n(PIs) from the newly integrated Cyber Trust Program. This group of PIs \nwill form a Research Collaboration Network. The RCN will facilitate \ninteraction between groups of investigators, to communicate and \ncoordinate research efforts across disciplinary, organizational, \ninstitutional, and geographical boundaries. It will lead to integration \nof the research activities of scientists working independently on cyber \nsecurity topics of common interest, to nurture a sense of community \namong cyber security researchers, to attract new scientists to the \nfield, and to minimize isolation and maximize cooperation in research, \ntraining, outreach and educational activities. Together, the members of \nthis network will explore further means by which to address the complex \nissues faced by the cyber security community as a whole.\n    The Cyber Security Research and Development Act addresses a \ncritical weakness in the security of our nation. NSF is appreciative to \nthe Committee for extending its confidence to us. We look forward to \nworking with you to ensure that the goals of the Act are fulfilled.\n\n                     Biography for Rita R. Colwell\n\n    Dr. Rita R. Colwell became the 11th Director of the National \nScience Foundation on August 4, 1998.\n    Since taking office, Dr. Colwell has spearheaded the agency's \nemphases in K-12 science and mathematics education, graduate science \nand engineering education/training and the increased participation of \nwomen and minorities in science and engineering.\n    Her policy approach has enabled the agency to strengthen its core \nactivities, as well as establish support for major initiatives, \nincluding Nanotechnology, Biocomplexity, Information Technology, \nSocial, Behavioral and Economic Sciences and the 21st Century \nWorkforce. 
In her capacity as NSF Director, she serves as Co-chair of \nthe Committee on Science of the National Science and Technology \nCouncil.\n    Under her leadership, the Foundation has received significant \nbudget increases, and its funding recently reached a level of more than \n$4.8 billion.\n    Before coming to NSF, Dr. Colwell was President of the University \nof Maryland Biotechnology Institute, 1991-1998, and she remains \nProfessor of Microbiology and Biotechnology (on leave) at the \nUniversity of Maryland. She was also a member of the National Science \nBoard from 1984 to 1990.\n    Dr. Colwell has held many advisory positions in the U.S. \nGovernment, non-profit science policy organizations, and private \nfoundations, as well as in the international scientific research \ncommunity. She is a nationally respected scientist and educator, and \nhas authored or co-authored 16 books and more than 600 scientific \npublications. She produced the award-winning film, Invisible Seas, and \nhas served on editorial boards of numerous scientific journals.\n    She is the recipient of numerous awards, including the Medal of \nDistinction from Columbia University, the Gold Medal of Charles \nUniversity, Prague, and the University of California, Los Angeles, and \nthe Alumna Summa Laude Dignata from the University of Washington, \nSeattle.\n    Dr. Colwell has also been awarded 26 honorary degrees from \ninstitutions of higher education, including her Alma Mater, Purdue \nUniversity. Dr. Colwell is an honorary member of the microbiological \nsocieties of the UK, France, Israel, Bangladesh, and the U.S. and has \nheld several honorary professorships, including the University of \nQueensland, Australia. A geological site in Antarctica, Colwell Massif, \nhas been named in recognition of her work in the polar regions.\n    Dr. 
Colwell has previously served as Chairman of the Board of \nGovernors of the American Academy of Microbiology and also as President \nof the American Association for the Advancement of Science, the \nWashington Academy of Sciences, the American Society for Microbiology, \nthe Sigma Xi National Science Honorary Society, and the International \nUnion of Microbiological Societies. Dr. Colwell is a member of the \nNational Academy of Sciences.\n    Born in Beverly, Massachusetts, Dr. Colwell holds a B.S. in \nBacteriology and an M.S. in Genetics, from Purdue University, and a \nPh.D. in Oceanography from the University of Washington.\n\n    Chairman Boehlert. Thank you very much. And thank you very \nmuch for giving us some precise figures. And Dr. McQueary, when \nwe get back to you, we would like some figures, if we may.\n    Dr. Bement.\n\n   STATEMENT OF DR. ARDEN L. BEMENT, JR., DIRECTOR, NATIONAL \n       INSTITUTE OF STANDARDS AND TECHNOLOGY, TECHNOLOGY \n          ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE\n\n    Dr. Bement. Thank you, Chairman Boehlert. It is good to be \nback. I want to thank you, Mr. Hall, and Members of the \nCommittee for allowing me to testify today about the \ncontributions of NIST to strengthen the Nation's cyber \nsecurity. Let me congratulate you for your tremendous \nleadership in advancing robust programs to protect our nation's \ninformation infrastructure from attack.\n    We at NIST fully agree with the Committee that helping to \nensure the confidentiality, integrity, trust, and availability \nof civilian information is essential to the functioning of our \neconomy. The Cyber Security R&D Act and FISMA emphasize NIST's \nlong-standing statutory responsibilities for developing federal \ncyber security standards and guidelines and conducting related \nresearch.\n    Let me review just a few of NIST's activities and \naccomplishments. 
In 2001, Secretary Evans approved the Advanced \nEncryption Standard as a federal security standard. I am \npleased to report that the AES is being actively adopted by \nvoluntary standards bodies and implemented by vendors. In fact, \nover 70 commercial implementations of the AES have already been \nvalidated through our Cryptographic Module Validation Program. \nThis program has also validated over 500 other modules and \nanother 100 or more are expected within the next year.\n    To give you a sense of the quality improvement that the \nprogram achieves, statistics from the testing laboratories show \nthat 48 percent of the modules brought in for voluntary testing \nhad security flaws that were corrected during testing. In other \nwords, without our program, the Federal Government would have \nhad only a 50/50 chance of buying correctly implemented \ncryptography.\n    In support of our federal responsibilities, we have \npublished security guidelines for e-mail, firewalls, \ntelecommuting, and business systems contingency planning. We \nhave also published guidelines on certification and \naccreditation, which are key components needed for successfully \nimplementing E-government and the new FISMA mandates for \nfederal agencies. Hundreds of thousands of copies of our \nguidelines have been downloaded from our computer security \nresource center website. For example, over 400,000 copies of \nour contingency planning guide for information technology have \nbeen downloaded since its publication less than one year ago.\n    Our guidelines and standards provide leadership to industry \nas well, as much as our work is voluntarily adopted by \nindustry. Our Smart Card Interoperability Specification has \nbeen adopted by federal agencies and is now being considered as \nan ANSI standard and eventually as an international standard.\n    The complexity of systems is growing as components become \nsmaller. 
And some of the biggest challenges are in ensuring the \nintegrity of information as it flows from component to \ncomponent within a system. This is a major area of research on \nour horizon, so while we are moving ahead with critical tasks \nthat are already on our agenda, we are giving new activities \npriority in our base program as resources become available.\n    This is only a partial representation of our many cyber \nsecurity-related projects and activities. Over the past three \nyears, we have had appropriations of $26 million for grants, \ncritical infrastructure protection, expert assist teams of \nwhich $5 million is recurring in NIST laboratory-based \nprograms. And since 9/11, we have been leveraging another $12 \nmillion in our Information Technology Research Program toward \ncyber security-related priorities.\n    In summary, in fiscal year 2003, approximately $24 million \nis being directed toward cyber security research and related \nprograms. And I can report to you, Mr. Chairman, we have \nalready moved out on many of the requirements specified for \nNIST under the Cyber Security R&D Act.\n    With your permission, I would like to--and also in the \ninterest of time, submit a list of our current activities for \nthe record.\n    [NOTE: The information referred to appears in Appendix 2: \nAdditional Material for the Record.]\n    Chairman Boehlert. Without objection, so ordered. It will \nbe included as part of your testimony.\n    Dr. Bement. We accomplished our mission working side-by-\nside with our federal partners. NIST understands the \nCommittee's desire for greater interagency coordination and \ncollaboration, and we have been reaching out to assist other \nfederal agencies. As Dr. McQueary indicated, Under Secretary \nBond will be meeting with him very soon, I think it is \nscheduled for May 19, to sign a Memorandum of Understanding. 
\nThis MOU will establish a formal mechanism for NIST to \ncooperate with the Science and Technology Directorate of DHS. \nWe continue to have regular interactions with NSF and OSTP, and \nwe have had a long and successful relationship with both DARPA \nand NSA. We are moving forward with the NRC study called for in \nthe Cyber Security R&D Act. We have already identified the \nStudy Director and are ready to initiate this study, and I am \npleased to say that DARPA will be joining with us in conducting \nthis study.\n    Not all of our work has been accomplished from within the \nFederal Government. NIST awarded $5 million to nine grant \nrecipients in intrusion detection, telecommunications, wireless \nsecurity, electric power infrastructure, and compiler security, \nand we are expecting important advances from this grant \nprogram.\n    In conclusion, I continue to view cyber security research \nand development as having high priority for NIST and the \nNation. NIST takes its role in cyber security seriously, and we \nwill work with the Committee to ensure that we are able to \ncarry out our mandate to work with industry, academia, and \nstandards development organizations to assure the secure flow \nof vital and sensitive information throughout our society.\n    Mr. Chairman, I am grateful to you and this committee for \nyour support of NIST's programs, and this concludes my prepared \nremarks.\n    [The prepared statement of Dr. Bement follows:]\n\n               Prepared Statement of Arden L. Bement, Jr.\n\n    Chairman Boehlert, Mr. Hall, and Members of the Committee, thank \nyou for this opportunity to testify today about the contributions of \nthe National Institute of Standards and Technology (NIST) to strengthen \nthe Nation's cyber security. Let me congratulate you for your \ntremendous leadership in advancing robust programs to protect our \nnation's information infrastructure from attack. 
I know that Technology \nAdministration Under Secretary Phil Bond and I look forward to working \nvery closely with you to turn your visions into reality. I would like \nto address the questions you asked in your invitation to testify and \ntell you about the many important cyber security activities currently \nunderway at NIST.\n    Protecting our nation's critical infrastructure is of critical \nimportance to our economy and our well-being. The terrorist attacks of \nSeptember 11, 2001 brought to the forefront the Nation's physical and \neconomic vulnerability to an attack within our borders. Among the \nNation's vulnerabilities are the computer and communications networks \non which the country's financial, transportation, energy, and water \nsystems and health and emergency services depend. These critical systems are \nthe underpinning of the Nation's infrastructure and commerce. The Los \nAngeles Times in a recent editorial emphasized the importance of \nmeeting this challenge: ``A cyberterrorist attack would not carry the \nsame shock and carnage of September 11. But in this information age. . \n.[a cyberterrorist attack] could be more widespread and just as \neconomically destructive.'' We will not be able to address these \nvulnerabilities without applied research and development of enabling \ntechnologies in cyber security.\n    The success of the Internet--connecting more than 100 million \ncomputers and growing--has far outstripped its designers' wildest \nexpectations. Although the Internet was not originally designed to \ncontrol power systems, connect massive databases of medical records or \nconnect millions of homes, today it serves these functions. It was not \ndesigned to run critical safety systems but it now does that as well. \nWe rely heavily on an open system of networks, so complex that no one \nperson, group or entity can describe it, model its behavior or predict \nits reaction to adverse events. The porous nature of the U.S. 
network \ninfrastructure leaves the Nation, including critical federal systems, \nopen to the constant possibility of cyber attacks. Such attacks include \nthe massive distributed denial of service attacks that overwhelm \nservers with access requests; defacement of web sites and the \nmodification of electronically stored information to spread \ndisinformation and propaganda; ``Zombies'' that use computers (located \nanywhere) as conduits for wide-scale distribution of destructive worms \nand viruses; and, unauthorized intrusions and sabotage of systems and \nnetworks, potentially resulting in critical infrastructure outages and \ncorruption of vital data.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ CNET News, ``Calculating the Cost of Slammer,'' Robert Lemos, \nFebruary 3, 2003.\n---------------------------------------------------------------------------\n    Helping to ensure the confidentiality, integrity and availability \nof civilian information is essential to the functioning of our economy \nand indeed to our democracy. And, to this end, NIST has had a long-\nstanding and successful role in working with federal agencies and \nindustry by ensuring the protection of non-national security related \ncyber and information systems through standards and guidelines \ndevelopment, testing methodologies, conformity assessment and \ncomplementary supporting research.\n    In 2001, Secretary Evans approved the Advanced Encryption Standard \n(AES) as a federal security standard. I am pleased to report that the \nstandard is being actively adopted by voluntary standards bodies and \nimplemented by vendors. 
In fact, over 70 commercial implementations of \nthe AES have already been validated through our Cryptographic Module \nValidation Program.\n    Enactment of the Cyber Security Research and Development Act \n(CSRDA) of 2002 and the Federal Information Security Management Act \n(FISMA) of 2002 has reinforced our long-standing statutory \nresponsibilities for developing federal cyber security standards and \nguidelines and conducting commensurate security research. We fully \nappreciate and are grateful for the trust and support provided by the \nHouse Science Committee to NIST in assigning us responsibility for \nthese critical roles. We see both of these new important laws as a \n``vote of confidence'' in our past work and an expectation of \ncontinuing successful achievements in the future.\n    Today I would like to review new statutory assignments to NIST, \nprovide you an overview of NIST's cyber security activities, and \ndiscuss some of the challenges we continue to confront.\n\nNIST Responsibilities Under the Cyber Security Research and Development \n                    Act of 2002\n\n    Under the legislation, NIST is assigned responsibilities to\n\n        <bullet> Establish a program of assistance to institutions of \n        higher education that enter into partnerships with for-profit \n        entities;\n\n        <bullet> Institute a program to award post-doctoral research \n        fellowships to individuals seeking cyber security research \n        positions;\n\n        <bullet> Develop checklists that minimize security risks \n        associated with Federal Government computer hardware or \n        software systems;\n\n        <bullet> Ask the National Research Council of the National \n        Academy of Sciences to study the vulnerabilities of the \n        Nation's infrastructure and to make recommendations for \n        appropriate improvements;\n\n        <bullet> Support and consult with the Information System \n        Security and Privacy 
Advisory Board, which has the mission to \n        identify emerging issues related to computer security, privacy, \n        and cryptography;\n\n        <bullet> Conduct intramural cyber security research; \n        and\n\n        <bullet> Coordinate with NSF and OSTP on cyber security \n        research.\n\nNIST Responsibilities Under the Federal Information Security Management \n                    Act (FISMA) of 2002\n\n    Responsibilities assigned to NIST under FISMA include:\n\n        <bullet> Developing IT standards for federal systems;\n\n        <bullet> Conducting research to identify information security \nvulnerabilities and developing techniques to provide cost-\n        effective security;\n\n        <bullet> Assessing private-sector policies, practices, and \n        commercially available technologies;\n\n        <bullet> Assisting the private sector, upon request; and\n\n        <bullet> Evaluating security policies and practices developed \n        for national security systems to assess potential application \n        for non-national security systems.\n\n    FISMA also contained a number of specific assignments, including \ndevelopment of:\n\n        <bullet> Standards and guidelines to be used by federal \n        agencies to categorize levels of information security according \n        to risk;\n\n        <bullet> Minimum information security requirements, such as \n        management, operational, and technical security controls;\n\n        <bullet> An Incident Handling Guideline and a Guideline to \n        Identifying a System as a National Security System;\n\n        <bullet> Security performance indicators; and\n\n        <bullet> An annual public report of our FISMA activities.\n\n    With these broad legislative mandates in mind, let me review NIST's \nactivities and accomplishments in the area of intramural research, \nsecurity grants, and a planned National Research Council study.\n\nRecent NIST Intramural Cyber 
Security Accomplishments\n\n    In addition to the extraordinary success of the Advanced Encryption \nStandard, NIST has made a number of major contributions to cyber \nsecurity standards and guidelines, research, and testing in order to \nthwart the kinds of economically disabling attacks noted previously. \nHere is but a sampling of numerous successes and ongoing activities:\nSecurity Guidelines and Standards\n    Our base program targets the development of standards and \nguidelines in support of our federal responsibilities. In 2002-2003, \nNIST published 12 security guidelines covering a wide variety of topics \nsuch as e-mail, firewalls, telecommuting and business systems \ncontingency planning. We have also published 10 draft guidelines for \nreview by federal departments and agencies as well as other interested \norganizations and individuals concerning such topics as certification \nand accreditation, awareness and training, and considerations in \nFederal Information technology procurements. The certification and \naccreditation guidelines are a key component needed for successful \nimplementation of the e-government and FISMA mandates for federal \nagencies. Additionally, we have issued numerous NIST Information \nTechnology Laboratory (ITL) Bulletins during the last year to provide \nguidance to agencies and others on a broad list of topics. Our \nguidelines and standards provide leadership to industry as much of our \nwork is voluntarily adopted in industry. For example, our Smart Card \nInteroperability Specification has been adopted by federal agencies and \nis now being considered for adoption by an ANSI Standards committee and \neventually as an international standard. All of our work is posted on \nour Computer Security Resource Center website. Hundreds of thousands of \ncopies of our guidelines have been downloaded from this online site. 
\nFor example, over 400,000 copies of our Contingency Planning Guide for \nInformation Technology have been downloaded since its publication less \nthan a year ago.\nSecurity Testing\n    I mentioned previously the Cryptographic Module Validation Program \nthrough which a number of new algorithms that use the Advanced \nEncryption Standard are being tested. The CMVP, as it is known, is \noperated in conjunction with the Government of Canada's Communication \nSecurity Establishment. The Cryptographic Module Validation Program has \nnow validated over 500 modules with another 100 or more expected within \nthe next year. This successful program utilizes private-sector \naccredited laboratories to conduct security conformance testing of \ncryptographic modules against the cryptographic federal standards NIST \ndevelops and maintains. To give you a sense of the quality improvement \nthat the program achieves, consider that our statistics from the \ntesting laboratories show that 48 percent of the modules brought in for \nvoluntary testing had security flaws that were corrected during \ntesting. In other words, without our program, the Federal Government \nwould have had only a 50/50 chance of buying correctly implemented \ncryptography!\n    In addition, in recent years we have worked to develop the ``Common \nCriteria,'' which can be used to specify security requirements. These \nrequirements are then used by private-sector laboratories, accredited \nby NIST, for the voluntary evaluation of commercial products needed for \nthe protection of government systems and networks. This work is \nundertaken in cooperation with the Defense Department's National \nSecurity Agency in our National Information Assurance Partnership \n(NIAP). You may be aware that the National Strategy to Secure \nCyberspace calls for a review of the NIAP. 
We have begun staff \ndiscussions with NSA to identify ways we might improve the process, \nthrough research, process changes, and to understand the resources \nneeded for NIAP to fully succeed.\nAccess Control\n    One of the basic tenets of IT security is controlling access to \nvital IT resources--answering the question, ``who is allowed to do \nwhat?'' A NIST research team created a new approach to controlling user \naccess, called Role-Based Access Control (RBAC). What is most striking \nabout RBAC is its rapid evolution from a theoretical model to \ncommercial implementation and deployment. An independently conducted \nNIST-sponsored economic impact study estimated that RBAC will soon be \nused by some 30 million users for access to sensitive information. \nFurther, the study estimated that RBAC technology will save the U.S. \nsoftware development industry $671 million, and that NIST was \nresponsible for 44 percent of the savings.\n    And, there are many, many other activities too numerous to describe \nhere, including significant efforts in the critical areas of the \nsecurity of systems controlling the U.S. Critical Infrastructure, \nmobile device security, network security, and security awareness. We \nalso need to be aware of specific needs of our federal customers and \nwork closely with them to achieve our mission. For example, OMB has \nasked us to assist in the preparation of E-Authentication technical \nguidelines in support of the E-Government initiatives. And, there are \nrelated areas of research, such as biometrics (under mandates from the \nUSA Patriot Act) and computer forensics (used to build evidence for \ncourt cases against terrorists) in which NIST is making extraordinary \ncontributions to the Nation's efforts to secure the critical \ninfrastructure of the country. 
So, in addition to our $10M base funding \nfor cyber security, we leverage another $14M to enable the use of \ntechnologies that support the Nation's cyber infrastructure.\n    But, even with our very active program and considerable \ninteractions with industry and federal agencies, the list of critical \ntools still to be developed is daunting. The need for trustworthy \ncomputing systems is a theme we hear from various economic sectors on a \ndaily basis--from financial institutions, from health care \nprofessionals, from owners and operators of utility companies--all are \nin need of mechanisms by which they can be assured that the information \nthey exchange is available, confidential and that its integrity is \nassured. And, as the complexity of systems grows, as components become \nsmaller, and as systems on a chip become ubiquitous, some of the biggest \nchallenges are in ensuring the integrity of information as it flows \nfrom component to component within a system. This is a major area of \nresearch on our horizon. So, while we move ahead with critical tasks \nthat already are on our agenda, we will give new activities priority in \nour base program as resources are available.\n\nInteraction with Other Federal Government Agencies\n\n    We accomplish our mission working side by side with our federal \npartners. NIST understands the Committee's desire for greater \ninteragency coordination and collaboration for successful science and \ntechnology initiatives and we have been reaching out to supplement and \nassist other federal agencies. Our Technology Administration is \npreparing a Memorandum of Understanding with the Science and Technology \nDirectorate of the Department of Homeland Security (DHS) which will be \nsigned by Under Secretary Bond and DHS Under Secretary McQueary. This \nMOU will establish a formal mechanism for NIST to cooperate with DHS in \nfulfilling their many homeland security responsibilities including \ncyber security R&D. 
The MOU is being prepared for signature by the two \ndepartmental bureaus on May 19. We have detailed one NIST senior \nscientist to the DHS S&T Directorate to assist with standards efforts \nand to avoid duplication of effort. Also, we have regular interactions \nwith NSF and OSTP, for example in the INFOSEC Research Council (IRC). \nThe IRC provides a community-wide forum to discuss critical information \nsecurity issues, convey the research needs of their respective \ncommunities, and describe current research initiatives and proposed \ncourses of action for future research investments. Additionally, we \nhave also invited NSF representatives to meet with our Information \nSystem Security and Privacy Advisory Board at its June meeting. We have \nhad a long and successful relationship with DARPA in a number of \nresearch areas, particularly in areas of networks, biometrics and \nlanguage recognition technologies.\n\nNational Research Council Study of Network Vulnerabilities\n\n    As mandated by CSRDA, we are also moving forward with a National \nResearch Council study to review the vulnerabilities and inter-\ndependencies in our critical infrastructure networks and identify \nappropriate research needs and associated resource requirements. \nWorking with our NRC colleagues we have already identified a study \ndirector and are ready to initiate this study.\n\nCyber Security Research Grants\n\n    Now, not all of our work has been accomplished from within the \nFederal Government. 
NIST has provided twelve cyber security research \ngrants in the past: one to the Critical Infrastructure Protection \nProject; nine under the NIST 2001 Critical Infrastructure Protection \nGrants Program; and two to the Institute for Information Infrastructure \nProtection (I3P) at Dartmouth College's Institute for Security and \nTechnology Studies.\nNIST Critical Infrastructure Protection Grants Program\n    In September 2001, NIST awarded $5M to nine grant recipients under \nthe FY 2001 Critical Infrastructure Protection Grants Program (CIPGP) \nto improve the robustness, resilience, and security of information in all \nthe critical infrastructures. Under the competitive grant application \nprocess, we received 133 proposals requesting roughly $73M from \napplicants in both industry and academia. We selected proposals in \nintrusion detection, telecommunications, wireless security, electric \npower infrastructure, and compiler security.\n    Funded research addresses a variety of topics to include tools and \nmethods for analyzing security and detecting attacks due to \nvulnerabilities introduced by merging of data networks (i.e., the \nInternet) and voice networks (i.e., the public switched telephone \nnetwork). 
Other topics addressed are attack detection for wireless and \nconverged networks, the development of security controls for protecting \nthe North American power grid, and methods for evaluating intrusion \ndetection systems.\n    While results are still preliminary from the Grants program and \nsome projects will not be completed due to a discontinuation of program \nfunding in FY 2002, we will still produce important results especially \nin the wireless area, converged data/IP networks and security of the \nelectric power infrastructure.\n\nCyber Security Funding Increases\n\n    NIST takes its cyber security responsibilities very seriously and \nwe appreciate your confidence in our abilities as witnessed by passage \nof the Cyber Security Research and Development Act and the Federal \nInformation Security Management Act (FISMA). We also appreciate that in \nFY 2003 Congress provided $1M in funding for operation of our Computer \nSecurity Expert Assist Team capability, and approximately $2M for \nwireless security and networks via our Program to Accelerate Critical \nInformation Technologies initiative.\n    The President's FY 2004 budget request includes increased funding \nfor two existing NIST program areas related to cyber security research:\nBiometrics Standards\n    The FY 2004 request includes $1M specifically for standards for \nbiometric identification in continuing support of the USA PATRIOT Act \nto develop a national biometric identification system, using unique \nphysical characteristics such as fingerprints, facial features, and eye \npatterns, to accurately identify people entering the United States or \napplying for visas. 
With the funding requested, NIST will help to \ndevelop effective, efficient, and interoperable biometric identifier \nstandards, certification tests, guidelines, and techniques for \nfingerprint and face recognition and verification.\nQuantum Information Systems\n    The FY 2004 $3M requested for work in quantum information science \nwill also have significant cyber security benefits. Quantum mechanics, \nthe strange behavior of matter on the atomic scale, provides an \nentirely new and uniquely powerful way for computing and \ncommunications, potentially replacing the current binary computing and \ndigital communications based on ones and zeros, and could have enormous \nimpacts in homeland security. Quantum computers could perform \nprocessing tasks that are currently impossible. They also could solve \nproblems that conventional computers could not manage given realistic \namounts of time, memory, and processing power.\n    This enormous computational power would be particularly valuable in \ncryptography, making codes that would be unbreakable by the best \nsupercomputers of tomorrow, or breaking codes in seconds that could not \nbe cracked in years by the most powerful binary computers. Quantum \ninformation also can be used for remarkably secure communications. In \nthis particular area, we are partnering closely with DARPA.\n    With the requested funding, NIST will work to develop the \nmeasurements and standards infrastructure (hardware and software) \ncritical to the development of a quantum communications system. 
This \nincludes methods to test and verify the actual performance \ncharacteristics of these systems, to determine their security \nproperties, and to enable integration of such systems into the existing \ncommunications infrastructure.\n    In conclusion, NIST takes its role in cyber security seriously and \nwill work with the Committee to ensure that we are able to carry out \nour mandate to work with industry, academia, and standards development \norganizations to assure the secure flow of vital and sensitive \ninformation throughout our society. These examples of our work and \naccomplishments demonstrate NIST's commitment to cyber security, across \nthe government and the Nation. They also demonstrate the base upon \nwhich NIST hopes to build our efforts. It is an absolutely critical \nnational need, and it is fundamental to providing the technical \ntesting, standards and guidelines needed to protect our information \ninfrastructure.\n    I am grateful to Chairman Boehlert for holding this hearing, and \nfor his support of NIST's programs.\n    This concludes my prepared remarks.\n    I will be pleased to answer your questions.\n\n                   Biography for Arden L. Bement, Jr.\n\n    Arden L. Bement, Jr., was sworn in as the 12th Director of NIST on \nDec. 7, 2001. Bement oversees an agency with an annual budget of about \n$812 million and an on-site research and administrative staff of about \n3,000, complemented by a NIST-sponsored network of 2,000 locally \nmanaged manufacturing and business specialists serving smaller \nmanufacturers across the United States. Prior to his appointment as \nNIST director, Bement served as the David A. Ross Distinguished \nProfessor of Nuclear Engineering and head of the School of Nuclear \nEngineering at Purdue University. 
He has held appointments at Purdue \nUniversity in the schools of Nuclear Engineering, Materials \nEngineering, and Electrical and Computer Engineering, as well as a \ncourtesy appointment in the Krannert School of Management. He was \ndirector of the Midwest Superconductivity Consortium and the Consortium \nfor the Intelligent Management of the Electrical Power Grid.\n    Bement came to his position as NIST director well versed in the \nworkings of the agency, having previously served as head of the \nVisiting Committee on Advanced Technology, the agency's primary \nprivate-sector policy adviser; as head of the advisory committee for \nNIST's Advanced Technology Program; and on the Board of Overseers for \nthe Malcolm Baldrige National Quality Award.\n    Bement joined the Purdue faculty in 1992 after a 39-year career in \nindustry, government, and academia. These positions included: Vice \nPresident of Technical Resources and of Science and Technology for TRW \nInc. (1980-1992); Deputy Under Secretary of Defense for Research and \nEngineering (1979-1980); Director, Office of Materials Science, DARPA \n(1976-1979); Professor of Nuclear Materials, MIT (1970-1976); Manager, \nFuels and Materials Department and the Metallurgy Research Department, \nBattelle Northwest Laboratories (1965-1970); and Senior Research \nAssociate, General Electric Co. (1954-1965).\n    Along with his NIST advisory roles, Bement served as a member of \nthe U.S. National Science Board, the governing board for the National \nScience Foundation, from 1989 to 1995. 
He also chaired the Commission \nfor Engineering and Technical Studies and the National Materials \nAdvisory Board of the National Research Council; was a member of the \nSpace Station Utilization Advisory Subcommittee and the \nCommercialization and Technology Advisory Committee for NASA; and \nconsulted for the Department of Energy's Argonne National Laboratory \nand Idaho Nuclear Energy and Environmental Laboratory.\n    He has been a director of Keithley Instruments Inc. and the Lord \nCorp. and was a member of the Science and Technology Advisory Committee \nfor the Howmet Corp. (a division of ALCOA).\n    Bement holds an engineer of metallurgy degree from the Colorado \nSchool of Mines, a Master's degree in metallurgical engineering from \nthe University of Idaho, a doctorate degree in metallurgical \nengineering from the University of Michigan, and an honorary doctorate \ndegree in engineering from Cleveland State University. He is a member \nof the U.S. National Academy of Engineering.\n\n    Chairman Boehlert. Thank you very much. And thank you for \nthe kind words about the Committee's leadership in this area. I \nguess the question we have is, is there a follower-ship, and we \nwill address that in the questions.\n    Dr. Tether, welcome back. And I hope in your testimony you \nwill enlighten us as to why we are moving in the wrong \ndirection with respect to funding in DARPA for cyber security \nor Cyber Trust, as we now occasionally refer to it.\n    Dr. Tether. Thank you very much, Chairman Boehlert, Members \nof the Committee. I am pleased to be here to discuss our work \nin cyber security, which we really refer to as ``information \nassurance.'' If you would, please, accept my written testimony \nfor the record.\n    Chairman Boehlert. 
Without objection, the entire written \nstatements will appear in the record in their entirety, and we \nappreciate the others summarizing, and we would welcome your \nsummary, but we are not being arbitrary with the five minutes, \nso don't get nervous about the green light, red light. It is \njust to see if we are colorblind.\n\nSTATEMENT OF DR. ANTHONY J. TETHER, DIRECTOR, DEFENSE ADVANCED \n                    RESEARCH PROJECTS AGENCY\n\n    Dr. Tether. As you know, DARPA's mission is to maintain the \ntechnological superiority of the U.S. military by sponsoring \nhigh payoff research that basically bridges the gap between \nfundamental discoveries and the--their military use. The \ntestimony goes into a little bit more detail of how we go about \ndoing that, so I won't bother to go into that.\n    However, all of--DARPA is a very low-overhead organization. \nI would say about 98 percent of the money that is appropriated \nto us literally goes out to performers, and only about $100 \nmillion, or I will say three billion is really for security, \noperating the building, operating DARPA, paying for salaries. \nAll the rest goes out to performers. These performers are \nmostly industry, but there are universities and also government \nlabs involved. Now in doing that, we really--we partner with \nthe services quite heavily. In fact, we contract to these \nperformers through service organizations.\n    A major service organization in this area, information \nassurance, is AFRL in Rome, New York, as you know. They are a \ngreat partner with us, and probably--and really carry the \nlongevity of the projects.\n    Basically, we mine the talents and discoveries that are \ncreated by organizations, such as NSF. We collaborate with NSF \nat the Program Manager level primarily to make sure that we are \naware of what new is happening. And what we try to do is we try \nto find when an idea is ripe to be taken from an idea to an \napplication, to a product in itself. 
And that is what we do and \nthat is what DARPA has done very successfully for nearly 45 \nyears now.\n    The military, however, is moving to what they are calling \n``network centric warfare.'' And this requires--and this will \nrequire that we seamlessly network the organizations, weapon \nplatforms, people, immediately upon entry into a theater. Now \nthis allows us to plan and execute operations more quickly and \neffectively than opponents. We are able to be very agile with \nthis network centric warfare. And the recent conflicts in \nAfghanistan and Iraq really have given you only a hint of the \npower of the network centric techniques that are coming to our \nmilitary.\n    However, while moving to a network centric warfare has \ncreated for us an enormous capability in--capability to \nhandle--be very agile, it has also created a tremendous \nvulnerability. Basically, the network now must achieve the same \navailability, reliability, et cetera, that we used to enforce \non our platforms, our weapon platforms itself. The network \nitself now has become the weapon.\n    Our enemies are watching this, and our enemies know this. \nSo our enemies are clearly going to go and attack the network \nin the future as they have attacked our platforms and so in the \npast. Because of this, we are working hard on techniques and \nall to make sure that these networks cannot be attacked \nbecause of the--if they are attacked, the whole--our whole \ncapability goes down. Because of that, this is one of the \nreasons why our work is becoming more classified now than it \nhas been in the past, because this--the network itself is \nbecoming a capability and if the vulnerabilities of those \nnetworks were known, obviously it would be easy for an enemy to \nattack them. And if the techniques that we were developing to \nprevent from attacking them were known, then that is valuable \ninformation as well to an aggressor. 
So that is one of the \nreasons why you will find that in the future more and more of \nour work in this area will, by definition, have to become \nclassified.\n    Because we are idea or project-oriented in the sense that \nwe don't work in general, we take ideas and we create a \nproject, it sometimes appears that we don't have a consistent \nthrust. But what you see--what I believe you are seeing are \njust the natural variations as projects are started and as \nprojects are finished. It is true that from 2002 to 2004 it \nlooks like our--at least our unclassified budget is decreasing \nin this area. What you don't have is the classified budget, and \nI would be happy to give that to you in a closed session. And \nif you saw that, you would see it probably wasn't decreasing \nthat----\n    Chairman Boehlert. I would be a little more comfortable.\n    Dr. Tether. Yeah. And most of that, by the way, once again \ngoes through AFRL in Rome, New York. But for example, as these \nprojects variations, in the early '90's, somebody got an idea, \n``Well, let us not let the attackers in.'' And the result of \nthat research were firewalls. And all of the--most of the \nfirewalls that you have now being used by people came from a \nDARPA program back in the early '90's on the techniques to \nkeep--just keep the attackers from ever getting in. However, it \nturns out that firewalls have flaws, and these flaws aren't \nnecessarily the firewalls, the people that implement them.\n    So next we moved to detecting that an attack was going on \nand trying to limit the damage. However, in order to do this, \nwe end up with high false alarm rates or false positives where \nwe say an attack is going on and an attack really is not going \non. So we developed technology to greatly reduce that false \nalarm rate so that when an attack--we said an attack was going \non, it truly was.\n    Third, we finally--somebody had an idea that said, ``Look, \nwe can't keep them out. 
We are getting pretty good at detecting \nthese attacks, but what we really have to do now, because the \nnetworks are becoming, really, the weapon system, is learn how \nto operate through the attack.'' In other words while the \nattack is ongoing to be able to still have the network operate, \nperhaps at a reduced capability, but degrade more gracefully \nthan just falling off the cliff because there was an attack \ngoing on. So we have technology developments going on there.\n    Some of the projects we have were listed in the testimony: \nCyber Panel, Fault Tolerant Networks, Dynamic Coalitions, \nOASIS. And what we are doing is we are taking all of this \ntechnology and we are building a prototype system where we are \ngoing to be able to take our technology and implement it in a \nprototype network, a very large network, 400 nodes or so, \ntypical of a military network, and then attack it and really be \nable to test our technology. Unfortunately, that will be, \nobviously, for obvious reasons, classified.\n    So the last question is: Where are we going and what are \nour priorities? I believe that you asked that. As I said, we \nare focused on the problems that DOD must solve for network \ncentric warfare. And these include problems not currently faced \nby the commercial world. DOD networks are--can be characterized \nas large, distributed, mobile networks of networks becoming \nincreasingly wireless. We are facing very sophisticated \nattackers. I mean, these aren't just hackers going and erasing \nfor mischief but really attackers whose life depends upon \ntaking the network down. These networks have to assemble and \nreassemble on-the-fly, and they have to do this without any \nfixed infrastructure. In other words, we can't go in and put \ntowers up and then have the networks arrive. 
These networks \nhave to basically be what is known as a peer-to-peer network \nwhere each node in itself becomes the relay for communicating \nwith other people.\n    We are really far ahead of the commercial world in this \nregard, but there is great commercial interest in these DOD \nnetworks, especially those that do not require a fixed \ninfrastructure, and the reasons for that are obvious: cost. If \nwe could have a cellular network that didn't require the towers \nwhere each cell phone itself was a relay, you obviously have \nsaved a lot of money on building the towers and also saved a \nlot of money in trying to get the towers put up.\n    Now I know that--again, and I will close with that--you \nhave been concerned about our level of funding, but let me \nassure you that we have, and will continue to have, a very \nrobust program in information assurance, because we have to. \nThe whole structure of the DOD depends upon that. And while we \nare putting more emphasis on the military's specific problems, \nthe work we are doing will have a long-term beneficial impact \non the commercial world, mainly because we are developing all \nof the capability in industry, and industry will undoubtedly \ntake that capability and go two ways with it: one for the \nmilitary and also one for the commercial world.\n    And with that, I will be glad to answer any questions you \nmight have.\n    [The prepared statement of Dr. Tether follows:]\n\n                Prepared Statement of Anthony J. Tether\n\n    Mr. Chairman, Committee Members, and staff: I am Tony Tether, \nDirector of the Defense Advanced Research Projects Agency (DARPA). 
I am \npleased to appear before you today to talk about DARPA's work to \ndevelop secure Defense networks and how that work relates to the \nsubject of cyber security, or what we call information assurance.\n    Some of you may not be familiar with DARPA, so let me begin by \nsaying a few words about who we are and what we do.\n    Since the time of Sputnik, DARPA has had a special mission within \nthe Department of Defense (DOD): maintain the technological superiority \nof the U.S. military and prevent technological surprise from harming \nour national security. DARPA does this by sponsoring revolutionary, \nhigh-payoff research that bridges the gap between fundamental \ndiscoveries and their military uses.\n    Let me tell you a little bit about how DARPA works.\n    Imagine a science and technology (S&T) investment time-line that \nruns from ``Near'' to ``Far,'' indicative of how long it takes for an \nS&T investment to be incorporated into an acquisition program. On the \n``Near side'' of this timeline we have a lot of investment that \nrepresents most of the work of the Service S&T organizations. This S&T \ntends to gravitate towards the Near side because the Services emphasize \nproviding technical capabilities critical to the mission requirements \nof today's warfighter. This excellent work continuously hones U.S. \nmilitary capabilities. However, it is typically focused on known \nsystems and problems.\n    In contrast, out at the other end of the investment timeline--we'll \ncall this the ``Far side''--there is a much smaller investment that \nrepresents funding fundamental discoveries, where new science, new \nideas, and radical new concepts typically first surface. People working \non the Far side have ideas for entirely new types of devices, or new \nways to put together capabilities from different Services in a \nrevolutionary manner. 
But, the people on the Far side have a difficult, \nand sometimes impossible time obtaining funding from the larger, near \nside investors because of the near side's focus on current, known, and \npressing problems.\n    DARPA was created to span the gap between these two groups. DARPA's \nmission is to find the promising ideas (and people) out on the Far side \nand accelerate those ideas to the Near side as quickly as possible. \nDARPA emphasizes what future commanders might want and pursues \nopportunities for bringing entirely new core capabilities into the \nDepartment.\n    Hence, DARPA mines fundamental discoveries--the Far side--and \naccelerates their development and lowers their risks until they prove \ntheir promise and can be adopted by the Services. DARPA's work is high-\npayoff precisely because it fills the gap between fundamental \ndiscoveries and their military use.\n    What is surprising to many people, but entirely in-line with \nDARPA's mission, is that only about five percent of DARPA's research is \nbasic research. Basic research, much of that ``Far side'' investment, \nis primarily supported by organizations like the Office of Naval \nResearch (ONR), the National Science Foundation (NSF), the National \nInstitutes of Health (NIH), and the Department of Energy (DOE).\n    Basic research creates new knowledge and technical capacity, \nwhereas DARPA creates new capabilities for national security by \naccelerating that knowledge and capacity into use. So we count on \ninstitutions like ONR, NSF, NIH, and DOE to provide us with a feedstock \nof revolutionary technical concepts that we, at DARPA, can then develop \nand turn into revolutionary Defense capabilities.\n    Through the years, DARPA has refocused its work in response to \nevolving national security threats and technological opportunities, and \nDARPA's Strategic Plan describes how we are pursuing our mission today. 
\nOne of our eight strategic thrusts is Robust, Self-Forming Networks, \nwhich contains our work in information assurance.\n    Let me briefly describe it to you:\n\nDARPA's Strategic Thrust in Robust, Self-Forming Networks\n\n    The Department of Defense is in the middle of a transformation to \nwhat is often termed ``network centric warfare.'' In simplest terms, \nnetwork centric warfare is when military organizations and systems are \nseamlessly networked to change the terms of any conflict to favor U.S. \nand coalition forces. It will allow the United States and our allies to \ngo beyond a simple correlation of local forces by providing them better \ninformation and letting them plan and coordinate attacks far more \nquickly and effectively than our adversaries can.\n    However, at the heart of this concept are survivable, assured, \nspectrum-agile communications at both the strategic and tactical \nlevels. The goal of this work is a high capacity network that degrades \nsoftly under attack, while always providing a critical level of \nservice.\n    To support this vision, DARPA is conducting research in areas that \ninclude: (1) self-forming ad hoc networks; (2) high capacity, \nmultiband, multimode communications systems; (3) ultra-wideband \ncommunications; (4) spectrum sharing; (5) low probability of detection/\nintercept/exploitation communications; and, (6) information assurance \nor cyber security.\n    I could spend pages describing our efforts in the first five areas. \nHowever, our focus today is cyber security, so let me turn to what we \nare doing to ensure that those military networks are secure and \nreliable.\n\nDARPA's Information Assurance Research\n\n    What we at DARPA call ``information assurance'' (often referred to \nas ``cyber security'') is crucial to having the robust, self-forming \nnetworks required to successfully conduct network centric warfare. 
One \nmust look no further than the ongoing Iraq War to see that the United \nStates has been moving toward network-centric warfare.\n    While people can debate the extent to which we have achieved \nnetwork centric warfare, today's U.S. military forces are unmistakably \nnetwork-dependent. Therefore, the very first thing that a sensible \nadversary would do to asymmetrically negate the U.S. force is take down \nour military networks. For quite some time, we have faced the very \ndifficult problem of figuring out how to protect our military networks.\n    DARPA has had information assurance work going on in some form and \nby some name for decades. But, in the early 1990s we started to \nconcentrate in earnest on the problem of information assurance, with \nthe usual DARPA focus on solving extremely hard problems. Initially, \nour emphasis was to secure hardwired computer networks. DARPA's \napproach to solving the problem of information assurance evolved, over \ntime, to a layered approach.\n    The first layer that we worked on in the early 1990's was \npreventing, or ``locking out'' cyber attacks. This resulted in the \n``firewalls'' that are commonly available in the commercial world \ntoday.\n    In fact, today's commonly available commercial firewalls started \nwith a DARPA project to protect the World Wide Web at the White House. \nThe DARPA contractor that did this work published the firewall source \ncode in the open literature, and from that work grew over a hundred \nfirewall companies and an entire market for firewall products.\n    The second layer in DARPA's approach to information assurance has \nbeen detecting attacks and limiting their damage. In addition to \nintrusion detection, DARPA has more recently demonstrated both hundred-\nfold reduction in the false alarm rates that plague current intrusion \ndetection systems, and the ability to detect new and novel forms of \nattack through anomaly based detection. 
Over the last two years, DARPA \nhas demonstrated such detection capabilities in the field in major \nexercises such as the Navy Fleet Battle Experiment series.\n    A third pursuit, and one that DARPA has been increasingly \nemphasizing, is developing the ability to operate through cyber \nattacks. The simple logic here is that we simply cannot block all \nattacks, nor can we completely limit the damage from attacks. So we \nhave to be able to continue operating while an attack is underway, in \nspite of the damage that the attack may inflict.\n    Let me give you a flavor of where we are today in some of the \ninformation assurance programs that we are working on at DARPA right \nnow:\n\n        <bullet> The Cyber Panel program is working on ways to detect \n        new attacks in real-time, including previously unknown attacks, \n        predict what damage the attacks will inflict, and implement \n        effective defenses.\n\n        <bullet> The Fault Tolerant Networks program is working on \n        ways to ensure that a network remains available, even during an \n        attack, while restricting the network resources available to \n        the attacker. In fact, this program has resulted in a \n        commercial product, PeakflowTM, that is being used to protect \n        against Distributed Denial of Service attacks.\n\n        <bullet> The Dynamic Coalitions program is working on methods \n        to quickly set up secure networks--a critical problem for \n        today's U.S. fighting forces. 
Some of this technology is being \n        used in the joint DARPA-Army Future Combat Systems program, a \n        program that has network centric warfare as a starting \n        assumption.\n\n        <bullet> The Organically Assured and Survivable Information \n        Systems (OASIS) program is working to provide a ``last line of \n        defense'' by developing ways to enable critical DOD computers \n        (as distinct from the network level) to operate through a cyber \n        attack, degrade gracefully if necessary, and allow real-time, \n        controlled trade-offs between system performance and system \n        security through such techniques as redundancy and diversity of \n        operating systems.\n\n    A prototype military system to produce Air Tasking Orders for the \nU.S. Air Force is also being developed. The system, and the underlying \ninformation assurance technology, will be tested in 2004 by subjecting \nit to a sustained cyber attack from a ``red team.''\n    Much of what we have done, particularly for wired systems, has \nproved useful in both commercial and military systems. But, our focus \nis the specific problems DOD needs solved for network centric warfare.\n    The military-specific problems that we are working on go beyond \nthose faced by the commercial world today. Military networks, more than \ncommercial networks, involve large-scale, highly distributed, mobile \nnetworks-of-networks that are increasingly wireless, deal with time-\ncritical problems, and face potential attackers who are extremely \ndedicated and sophisticated. Failure in military networks has extreme \nconsequences.\n    Moreover, network centric warfare involves networks that must \nassemble and reassemble on-the-fly on an ad hoc basis without having a \nfixed or set infrastructure in-place. 
In effect, we must achieve what \nhas been called, ``critical infrastructure protection'' without \ninfrastructure.\n    In the most advanced cases, these are peer-to-peer or \n``infrastructure less'' networks. There is no fixed, in-place network \nequipment--the whole network architecture is fluid and reassembles \ndynamically. It could be that, in the long-term, commercial networks \nwill acquire some of these features, but, for now the Department of \nDefense is in the lead in facing these problems.\n    DARPA is taking a broad-based view of information assurance. When \nwe think about information assurance, we include technology such as \ncommunications security and encryption as part of our solution. The \nthreat to military networks is not simply hackers, but organized and \nwell resourced nation states that want to eavesdrop on military network \ntraffic, or interfere with it at precisely the wrong time.\n    In fact, information assurance in a world of growing network \ncentric warfare must become a regular feature of most military \nprograms--in the same sense that everyone building an airplane must \nconsider materials, not only material scientists.\n    A significant and growing element of DARPA's work in information \nassurance is classified, and cannot be discussed in this forum. The \nfuture thrust is for more of these efforts to become classified. Why? \nBecause of our increasing dependence on networks, their vulnerabilities \nand techniques for protecting them become more and more sensitive. \nAccordingly, our efforts have become classified.\n    In the longer-term, I expect that DARPA's strategic thrust in \nCognitive Computing could also lead to important contributions to \ninformation assurance. 
While I cannot discuss it at length today, our \nCognitive Computing thrust is aimed at developing computers and networks \nthat are ``self-aware''--that is, computers that actually know what \nthey're doing and know what is happening to them.\n    Future network-centric warfare systems will be able to leverage \n``self-aware'' capabilities to determine when they are under attack and \nautonomically respond, and reconfigure themselves in much the same way \nas the human body reacts to an infection. If such systems could be \nbuilt, they should be able to do a much better job of protecting \nthemselves because they will understand that they're being attacked.\n    I realize that there has been some concern about DARPA's level of \nfunding in the area of information assurance. For example, some have \nexpressed the opinion that our budget for this effort is dropping \ndrastically.\n    Let me reassure you that we have a robust program in information \nassurance, and we plan to continue this robust program in the coming \nyears. There are natural variations in our budget, and they are due to \nseveral factors such as when large programs like Fault Tolerant \nNetworks and OASIS come to an end.\n    The budget structure does not always capture the great variety of \ninformation assurance work going on, particularly when it is an \nintegral part of another program, as it is in Future Combat Systems. 
\nAnd, there are the aforementioned classified programs that obscure the \nbudget picture.\n    Thus, while we are putting more emphasis on military-specific \nproblems, we will continue to have a robust program that will, in the \nlong-term, have a broad, beneficial impact on the commercial world.\n    Finally, I understand that a particular interest of the Committee \nis how we coordinate and disseminate the results of our research to \nother federal agencies and to the commercial world.\n    Much of our interaction with industry stems from using companies as \nperformers of our research, and the strong desire of smaller commercial \nfirms to commercialize their technology. For instance, in 1999 DARPA \nforesaw the threat of Distributed Denial of Service that hit Yahoo and \ne-Bay a few years later, and invested accordingly to create the Fault \nTolerant Networks program. Today, the nascent market for solutions \nagainst this threat consists primarily of technologies that have their \nroots in DARPA research, technology that can protect the military, like \nthe example I mentioned earlier.\n    DARPA also makes efforts to broadly communicate our results in a \nmore structured way by sponsoring the DARPA Information Survivability \nConference and Exposition (DISCEX) conferences. The audience at DISCEX \nis very broad, and it includes the extended research community, the \noperational military, developers of military systems, and the \ncommercial industry that generates the ``off the shelf'' systems that \ncomprise most military information systems.\n    Our goal in these meetings is to stimulate scientists, developers, \nand joint operational customers with research products, experimental \nresults, and capabilities emerging from DARPA research to better \naddress the military's needs for information security. 
The most recent \nconference included over 250 attendees with 60 researchers giving \ntechnology demonstrations and produced two volumes of technical \nproceedings.\n    In addition, while many ideas on information assurance are being \nexchanged informally through the professional relationships between \nresearchers and the U.S. Government officials who sponsor their work, \nDARPA is the primary sponsor of the Infosec Research Council (IRC), an \ninformal coordinating body begun in 1996 that is comprised of U.S. \nGovernment members concerned with funding and conducting research in \ninformation security/information assurance/cyber security. The IRC \nmembers include DARPA, the National Security Agency, the National \nScience Foundation, the National Institute of Standards and Technology, \nthe Department of Energy, and the Federal Aviation Administration.\n    I should also mention the collaborations and consultations between \nNSF and DARPA personnel. This interaction goes beyond the simple \nexchange of technical information that typically characterizes \ninteragency information exchange programs.\n    DARPA and NSF personnel for example co-fund particular projects \nwhere a true synergistic opportunity exists. NSF's program, ``Ultra-\nHigh-Capacity Optical Communications: Challenges in Broadband Optical \nAccess, Materials Processing, and Manufacturing'' has direct \nparticipation by DARPA personnel and a modest level of DARPA funding. \nNSF personnel likewise take part in DARPA source selection panels where \nsimilar technical interests can be found.\n    NSF's ``Networking Research Testbeds Program'' is of special \ninterest to DARPA in that it offers the possibility of making available \nworld-class network testbeds to DOD contractors and personnel. 
Network \ntestbed collaboration meetings are now routinely held by DARPA and NSF \nprogram managers, and I expect that these testbeds will be very useful \nas we explore alternative architectures, systems and protocols for \nfuture optical networks; wireless networks based on spectrum sharing; \ndistributed sensor networks; and networking in highly dynamic and/or \nharsh environments. We have also been having discussions with NSF \npersonnel about our thrust in Cognitive Computing.\n    The Department of Defense is steadily increasing its dependence on \ninformation systems that are crucial to our future vision of network \ncentric warfare. I hope my remarks today have given you a sense of what \nDARPA is doing to ensure that those networks perform reliably and that \nthey remain secure.\n    I would be happy to answer your questions.\n\n                    Biography for Anthony J. Tether\n    Dr. Anthony J. Tether was appointed as Director of the Defense \nAdvanced Research Projects Agency (DARPA) on June 18, 2001. DARPA is \nthe principal Agency within the Department of Defense for research, \ndevelopment, and demonstration of concepts, devices, and systems that \nprovide highly advanced military capabilities. As Director, Dr. Tether \nis responsible for management of the Agency's projects for high-payoff, \ninnovative research and development.\n    Until his appointment as Director, DARPA, Dr. Tether held the \nposition of Chief Executive Officer and President of The Sequoia Group, \nwhich he founded in 1996. The Sequoia Group provided program management \nand strategy development services to government and industry. From 1994 \nto 1996, Dr. Tether served as Chief Executive Officer for Dynamics \nTechnology Inc. From 1992 to 1994, he was Vice President of Science \nApplications International Corporation's (SAIC) Advanced Technology \nSector, and then Vice President and General Manager for Range Systems \nat SAIC. 
Prior to this, he spent six years as Vice President for \nTechnology and Advanced Development at Ford Aerospace Corp., which was \nacquired by Loral Corporation during that period. He has also held \npositions in the Department of Defense, serving as Director of DARPA's \nStrategic Technology Office from 1982 through 1986, and as Director of \nthe National Intelligence Office in the Office of the Secretary of \nDefense from 1978 to 1982. Prior to entering government service, he \nserved as Executive Vice President of Systems Control Inc. from 1969 to \n1978, where he applied estimation and control theory to military and \ncommercial problems with particular concentration on development and \nspecification of algorithms to perform real-time resource allocation \nand control.\n    Dr. Tether has served on Army and Defense Science Boards and on the \nOffice of National Drug Control Policy Research and Development \nCommittee. He is a member of the Institute of Electrical and \nElectronics Engineers (IEEE) and is listed in several Who's Who \npublications. In 1986, he was honored with both the National \nIntelligence Medal and the Department of Defense Civilian Meritorious \nService Medal.\n    Dr. Tether received his Bachelor of Electrical Engineering from \nRensselaer Polytechnic Institute in 1964, and his Master of Science \n(1965) and Ph.D. (1969) in Electrical Engineering from Stanford \nUniversity.\n\n                               Discussion\n\n    Chairman Boehlert. Thank you very much. Thank all of you. \nWhich one of you is the lead agency in cyber security? Tell me \nwhat that means being the lead agency.\n    Dr. Colwell. 
As the lead agency in cyber security, we, \nparticularly in the area of research, work together with the \nother agencies to coordinate the focus of the research and to \nensure that there is integration of the research effort, non-\nduplication, and there is enhancement in access, particularly \nthe role of NSF, access to outstanding science to the other \nagencies. And we----\n    Chairman Boehlert. So that is sort of an interagency \ncoordinating committee? Is that----\n    Dr. Colwell. Yes, we have a working group, the NITRD \nWorking Group, the Networking and Information Working Group \nthat is chaired by Peter Freeman. We also have another--we have \nother information technology coordinating groups, and we work \ntogether in ensuring that we know what the other is doing, \nparticularly strong with NIST, because NIST acts as the \nstandards----\n    Chairman Boehlert. But am I--are we to assume that your \ncoordinating group, for example, as Dr. Tether pointed out to \nus that increasingly a higher percentage of their work is in a \nclassified arena, do we assume that all of the members of the \ncoordinating group or Working Group have the necessary security \nclearance in order to deal in the responsible way that that \nwork that DARPA is doing and--in the black area and that you \ncan factor that in as you determine the direction you are \ngoing----\n    Dr. Colwell. Yes.\n    Chairman Boehlert [continuing]. For the government?\n    Dr. Colwell. Yes, as a matter of fact, that is the case. \nAnd we have detailed to Dr. McQueary's--an NSF individual, who \nhas been cleared and who is working to connect to agencies and \nto provide, initially, the capability for cyber security within \nHomeland Security.\n    Chairman Boehlert. Well, I hope you all can comfort me and \nthe Members of the Committee, so if you know the answer, I \nwould like, but I am not sure it is the answer that you can \nfeel comfortable in giving me. 
But are each of you convinced \nthat in your agency and within the government we are giving \nsufficient priority to the needs of cyber security? We will \nstart with you, Dr. McQueary.\n    Dr. McQueary. If you ask are we giving sufficient priority, \ntoday the answer is probably no, but I do believe that we have \na plan in place to be implemented quickly that will put the \nproper emphasis on it. And that major emphasis from a \nDepartment of Homeland Security standpoint, will come from the \nInformation Analysis and Infrastructure Protection Directorate, \nand the Science and Technology Directorate will be actively \nworking with them to--from the scientific and technological \naspect of it.\n    Chairman Boehlert. Dr. Colwell, I think you have already \nreally answered that question.\n    Dr. Colwell. Yes. I would say that I agree with Dr. \nMcQueary. We--as a Nation, we are not focusing sufficiently on \nthis very real threat. I have just come back last night from a \nmeeting in London of the science--my counterparts in the \nscience agencies. It is an international problem. And we also \nneed to understand that we are increasingly being cyber \nsecurity attacked from outside the country as well as hackers \nwithin. And I think we are beginning to understand how serious \nthis problem is that we haven't really gotten to where we \nshould be, in my opinion.\n    Chairman Boehlert. Dr. Bement.\n    Dr. Bement. This requires a very comprehensive approach. \nThrough our work, we have worked not only with industry but \nacademia and also international bodies and also all of the \nfederal interagency coordinating boards and councils to improve \nthe information technology R&D working group, which up until \nrecently was chaired by a person from NIST, Cita Furlani, who \nis now our CIO. We have a pretty good fix on where the \nvulnerabilities are. 
I think we have done enough workshops with \nindustry and different industrial sectors that we know where \nmany of the vulnerabilities are in some of their control \nnetworks and in information systems. And you are right. This is \ngoing to require a much higher level of effort than we have \ncurrently engaged in, and it is going to have to come fairly \nsoon if we are going to meet some of the vulnerabilities that \ncurrently exist.\n    Chairman Boehlert. Dr. Tether.\n    Dr. Tether. Given that we are idea oriented and project \noriented, I--we are not lacking for funds. We are, perhaps, \nlacking for ideas. And what you see happening right now is--and \none of the reasons why the budget is coming down is that \ncurrent programs are ending very successfully. But on the other \nhand, we don't really have the number of ideas in this area to \nsolve the problem that the DOD faces. I have funded every idea \nthat has come forth in this area over the last year, including \nbuilding the infrastructure to allow people to have a test bed \nand a lot of other things. So we are more idea limited right \nnow than we are funding limited. Now that is why we spent a lot \nof time dealing--collaborating with organizations like NIST and \nNSF, and we will with Chuck as soon as we figure out where--\nwhat his address is.\n    Chairman Boehlert. Well, in all fairness to DHS, I mean, \nthey just stood up, what, 1 March, and they have got a \nmonumental task, but----\n    Dr. Tether. But we will do that, and in fact, in this case, \nhe has got quite a few DARPA people there, so the--you know, \nthe relationship between the two organizations is very good \nfrom the start. But we are constantly searching for ideas. And \nright now, this is a very tough problem. And from the DOD \nviewpoint, we can't fail. I--see, we are not as concerned--we \nare not concerning ourselves, and that may be discomforting to \nyou, on the commercial networks. Hopefully somebody is doing \nthat. 
We believe our technology will apply, but if we don't \nsolve this problem of making these networks reliable and \navailable through attacks, the whole military structure that we \nare building in the future is at stake. And so we really can't \nfail in this area. And I hope that answers your question.\n    Chairman Boehlert. Yeah, it does. And if I were to \nsummarize, I would think I would summarize in this way, that \nyou all feel that we are not giving sufficient priority now, \nbut we are moving in that direction. And we need to give it the \nhighest of priority.\n    Dr. Tether. Oh, it has to be the highest priority.\n    Chairman Boehlert. And I see all heads nodding yes, for the \nrecord. Thank you very much. My time is expired. Mr. Miller.\n    Mr. Miller. Thank you. Dr. McQueary, the realization that \nyou were no longer my constituent diminishes only slightly the \npride that I feel that you were in--being in the position that \nyou are in. And I know that the people in Greensboro feel a \ngreat deal of pride as well.\n    Dr. McQueary. Thank you.\n    Mr. Miller. And your resume does seem to be exactly what we \nneed for your position. You have the technical expertise, and \nyou supervise people with similar expertise. But I am wondering \nto whom you speak within the Executive Branch. When you are \npreparing a budget, who do you present it to at OMB? What is \ntheir background? What is their level of expertise? What is the \nhighest level person in OMB who really deals only with cyber \nsecurity?\n    Dr. McQueary. I don't know--personally know the answer to \nthat question because I haven't engaged anyone in a discussion \ndirectly in that area. I am sure I have got someone behind me \nwho can answer the questions. If you would like me to ask them, \nI would be happy to do so.\n    Mr. Miller. Okay.\n    Dr. McQueary. 
I am told Steve McMillin is the name of the \nindividual that we deal with, and he, of course, works for Mark \nForman in OMB.\n    Mr. Miller. And do you know what Mr. McMillin's title is?\n    Dr. McQueary. No, I don't. He has the homeland security \nresponsibility and R&D, I am told.\n    Mr. Miller. Okay. I think it was just in April that Richard \nClarke, who had been at the White House and involved in cyber \nsecurity, said that the answer to the question who is the \nhighest ranking person at OMB who works just on cyber security \nwas pretty frightening. Is that still the case? Is it still a \nfairly low-level person or is it something that does get \nattention at what appears to be the appropriate levels of OMB \nwith someone with that expertise?\n    Dr. McQueary. I do not know the answer to the question, \nsir.\n    Mr. Miller. Okay. A second question, it certainly appears \nthat if--in--within the private sector that if one industry's, \none company's cyber security was insufficient, if it suffered \nan attack, there would likely be a ripple of economic loss, a \ndisruption to others that that business deals with. Is that \ngenerally correct?\n    Dr. McQueary. I would say that would certainly gain a lot \nof attention. And I think--if I could just inject, I think it \nis very important that private industry play a key role in this \nwhole issue of cyber security, because it would be--since some \n85 percent of the industry is privately--what we have in this \ninfrastructure in the country is privately held and therefore \nprivate industry has to have a strong interest in helping \ndetermine what kind of cyber security protection we must have. \nIn fact, any CEO of a company has a responsibility to his or \nher shareholders to be concerned about such an issue would be \nmy view.\n    Mr. Miller. Okay. 
Or a little concerned not just about \ntheir--maybe to their shareholders, because their duty to their \nshareholders is just to be profitable, but the duty to the \npeople with whom they do business. I know that the \nAdministration's--or I understand the Administration's approach \nhas been not to require by regulation cyber security standards \nbut that the Department promulgates best practices and \nmethodologies----\n    Dr. McQueary. Um-hum.\n    Mr. Miller [continuing]. And that that would be advice--\nencouragement to the private sector to adopt the appropriate \nlevel of precautions. Is that generally the approach, not \nrequire by regulation but promulgate best practices and \nmethodologies?\n    Dr. McQueary. If you would let me defer that question to \none of my peers, who are more knowledgeable about it, I would \ncertainly appreciate it, because I simply have not engaged \nmyself in the short time I have been in this job and the \nsubject to be able to speak adequately to it.\n    Mr. Miller. Does anyone on the panel--yes, sir.\n    Dr. Bement. We regularly hold workshops with industry to \ntry to understand their vulnerabilities. In fact, it has been \nmajor activities of ours over the last two or three years since \n9/11. And in addressing that, we had been working with the \nstandard development organizations to not only develop \nstandards but also we have been working to develop prototypes \nto understand better what those vulnerabilities are along with \ntest beds. In order to accelerate standards developments, we \nare working with the Department of Homeland Security. We have \ndetailed one of our senior scientists, who heads up the \nstandards activities within Dr. McQueary's organization. And we \nhave also detailed another person, who is an expert in cyber \nsecurity. 
And in addition to that, we have one of our senior \npeople working with ANSI in what is now called the Homeland \nSecurity Standards Panel, which is working with the standard \ndevelopment organizations to try and fast track new standards \nto bring new products in the marketplace that will meet the \nreliability and the security requirements that will meet the \nneeds of industry in this area. So it is almost a full court \npress at the present time.\n    Chairman Boehlert. All right. The gentleman's time has \nexpired. I know he has, as we all do, more questions. So we \nwill have a second round of questioning. We will go now to the \ndistinguished Chairman of the Subcommittee on Research, Mr. \nSmith of Michigan.\n    Mr. Smith of Michigan. Thanks for an exceptional, qualified \npanel to help us decide where we should go on encouraging the \ndirections that we think we should go to protect ourselves. It \nseems to me--help me understand a little bit in terms of the \ntechnology. It would seem like it is almost a weapon system. If \nyou develop a better weapon system and then the other side \ndevelops a better weapon system, and it keeps building up from \nfirewalls to mitigating attacks to how to operate even if the \nattacks are there, like you suggested, Dr. Tether. But \nfollowing up a little bit on Mr. Bell's comment and Dr. \nMcQueary's suggestion that, look, the private sector on how we \nuse computers and software to decide how our food is going to \nbe shipped where so it gets where it belongs to how we transmit \nelectricity to how we run our airlines, how do you decide the \nbalance, Dr. Tether, in protecting the kind of classified \nresearch that is going to enable our Defense Department to \ncommunicate and do things without intervention with the need to \nuse some of that research in the private sector?\n    Dr. Tether. 
Well, we have a--logistics is a good example of \nwhat you are talking about, which is very close to--you know, \nmost of the Department of Defense is moving supplies. And there \nis a logistics organization called Transcom, which happens to \nbe located in Illinois. We are developing for them a technique \nwhich will allow them to basically be able to go into the \ndistributed databases to find out where supplies are and then \ncreate all of the transportation required to get those supplies \nto the place they are needed. And we are concerned about, once \nyou have distributed databases, of somebody getting into that \ndistributed database and not--either not allowing you to do it \nor changing the data. So it is a very crucial thing for the \nDepartment of Defense to have this be secure and assured.\n    Mr. Smith of Michigan. But still, my--both my points, the \nmore that you accommodate the need to protect in the private \nsector, the more vulnerable you are to discovering some of the \nvulnerabilities of that system after you--because it is more \navailable.\n    Dr. Tether. That is correct. And in this particular case, \nthe technology that is being used is what we happen to call \n``intelligent agents''. These are little software modules that \neffectively--think of it as a--really as an agent that goes out \nand looks for you and brings you back answers.\n    Now this is working very well. We have made it very secure. \nWe have shown that--doing it this way, that we can, with high \nconfidence, know that the data is not being corrupted, and that \nthe system can operate through an attack. The details of how we \ndo it, in the military, are classified. However, the technology \nof intelligent agents, distributed intelligent agents working \ntogether to do this, is unclassified. And again, we are \ndeveloping this technology with a company. 
And this company \nsees a business in it, not only for supplying the military with \nthis capability, but also supplying private industry. Ford \nMotor Company has the same problem. I mean, they buy parts all \naround the world, and they basically have a logistics problem. \nHow do they get parts here and there? And they are very \ninterested in making sure that their databases are secure and \nthat somebody doesn't get in.\n    So here is a company that will take the technology that was \ndeveloped by the military, which will remain classified in the \nterms--in the context of the details, but is able to use that \ntechnology for a commercial application. I hope I am answering \nyour question.\n    Mr. Smith of Michigan. Yeah, you are, certainly.\n    Dr. Tether. Okay.\n    Mr. Smith of Michigan. My next question, Dr. Colwell. \nAnyway, good to see you. In terms of virtual centers compared \nto bricks and mortar centers, in our--in this Act, in our Cyber \nSecurity Research and Development Act, we put in language that \nwould be directing the National Science Foundation to develop \nphysical centers. And we put in similar language, so it is a \ntwo-fold question in the area of interest that I have expressed \nmany times, is the biological centers that we asked for in our \nNSF authorization bill. And it seems in both cases you have \ntended to lean toward virtual centers rather than following \nwhat I consider the intent of both bills in terms of developing \nreal centers.\n    Dr. Colwell. Actually, we have physical sites that are \nconnected. The approach that we take, and we feel is very \npowerful, is to bring the versatility and the diversity of \ncapability that is located in different parts of a given region \nand to link them, even though they represent physical sites, to \nlink them by the capacity of a cyber infrastructure. 
That means \nthat you have, for example, the--at--in Missouri, Indiana, \nIllinois, and Washington State, you have different \ncapabilities, but when brought together, it becomes a very \npowerful approach to addressing sequencing and getting it done \nrapidly and effectively. And I think similarly, what we are \ntrying to do here, and actually it is in response, I think, to \nan interest of the Chairman, is to bring together, as fast as \nwe can, the capability that is there, strengthen it, and at the \nsame time, determine how we build further capacity through \nspecific programs.\n    And I would like to address the comment about ideas. NSF is \nfocusing research on embedded systems, like those that are used \nto control the Nation's power grids. And we are also looking at \nthe interplay between the human and the computer to better \nunderstand human behavior and the use of computers and then \nfuture generations of systems that would be beyond the \ncurrently used systems. And I must tell you that there is an \nenormous interest in the community, because we have many, many \nmore proposals than we can possibly fund. And these are good \nideas. These are very good ideas, and they need to be pursued.\n    And then one very brief sideline, Congressman Smith, \nbecause I know of your interest in this, the British are very--\nhow should I say? They are understanding that they have got to \nget beyond this genetically modified food situation, and they \nare pushing really hard to get the acceptance----\n    Mr. Smith of Michigan. I think you might be talking to the \nscientists rather than the traders.\n    Dr. Colwell. These were folks that----\n    Mr. Smith of Michigan. Oh, these are policy issues.\n    Dr. Colwell [continuing]. Are policy folks. These are \npolicy folks.\n    Mr. Smith of Michigan. Mr. Chairman, thank you. 
But you \nknow, both in the centers that we call for and the computer \nnetwork security research centers in this cyber security bill, \nthe advantages of the interdisciplinary individuals being able \nto talk to each other and feel each other out seems to me that \nit has a great advantage over virtual centers where you are \nsimply putting out grants. And I yield back my time.\n    Chairman Boehlert. The gentleman's time is expired. Mr. \nDavis.\n    Mr. Davis. I yield two minutes of my time to Mr. Miller.\n    Chairman Boehlert. Mr. Miller is recognized for two \nminutes.\n    Mr. Miller. Thank you, Mr. Davis. Dr. Bement, just a couple \nmore questions. Essentially, the same question I asked of Dr. \nMcQueary, has there been an assessment within the private \nsector of whether vulnerability to one entity within the \nprivate sector does have ripple effects if it causes--obviously \nit can cause, as Dr. McQueary points out, huge economic \ndisruption and vulnerability to that entity. But does----\n    Dr. Bement. Yes.\n    Mr. Miller [continuing]. It have a ripple effect? Does it \ncause--is there--would there be an expectation when this \nassessment of what effect it may have on others and--in--within \nthe private sector?\n    Dr. Bement. Yes, there have been those vulnerability \nassessments, and let me just cite three examples. All of you \nknow what the impact was of the strike out on the West Coast \nand how that tied up supply chains throughout the country and \nhow that rippled through our economy. So our transportation \nsystems are all interconnected and all--interconnected in terms \nof their vulnerabilities, and that would be a major backup. \nAlso, with regard to our manufacturing enterprises because \nthere is a supply chain linkage. And many of these enterprises \nare global in nature and depend on, again, the global supply of \nparts and so forth. 
Any disruption, especially across our \nborders, and especially in the Great Lakes Area with Canada and \nsouth with Mexico, that would also have a ripple effect as far \nas our whole logistics trains throughout the supply chain.\n    The other part that I would also cite is the vulnerability \nof our electric power grid. I might mention parenthetically \nthat before I came to NIST, I was at Purdue University and \nusing intelligent agents in a project co-sponsored by the \nDepartment of Defense to use intelligent agents to come up with \nmore robust control systems to deal with upset conditions in \nour electric power grid. But that would also have a ripple \neffect, because the loss of a shunt or the loss of a major \nelement, critical element in the electric power grid could, of \ncourse, be propagated across the country. So that would have \nmajor implications. And one of the vulnerable components there \nis the Supervisory Control and Data Acquisition System, or the \nSCADA control system, which do have to be made secure. And NIST \nhas been working with the industry. We have been giving grants \nin this area to figure out how we can deal with the security \naspects of information flows that control these SCADA control \nnetworks, some of which now operate on the Internet. So you \nknow, this is a new development in recent years using the \nInternet to control operations across the country.\n    Chairman Boehlert. The gentleman's time has expired. Mr. \nDavis, you can reclaim your time, but just let me observe that \nwhat George Carlin might refer to as the stuff of comic book \nlore is now a reality. I mean, we have to redefine what war is. \nIt is very possible that the next war would not be fought with \nguns and bullets but with computers and--from afar. They don't \neven have to leave their point of origin. A nation could \neffectively wage war on another nation. 
That might not be as \ndevastating in terms of loss of life, obviously, but the losses \nwould be just monumental. And it is the--that is why, I mean, \nthis committee is so concerned about cyber security and we are \nso avid in our pursuit of attention for this subject and trying \nto get people to realize what you have all acknowledged. But \ntoo many people are much too casual about it.\n    Mr. Davis.\n    Mr. Davis. Mr. Chairman, thank you. And I do reclaim the \nremainder of my time. I have basically one question. It will \nhave a two-part to it. Many of the questions I have would have \nbeen asked and perhaps would have been asked by many, such as \nMr. Miller and others, but the President, our Administration \nbasically has described our national strategy for--to secure \ncyberspace is through the Office of Science and Technology \nPolicy, which is referred to as OSTP, which basically will be \ncoordinating, supposedly, and every year will be--each of your \nentities will be coordinating, bringing together information \nstarting with fiscal year 2004. As I hear each of you giving \ntestimony, Dr. McQueary and Dr. Tether basically mentioned the \nINFOSEC Research Council. Dr. Colwell, you made reference to \nthe network and--Networking and Information Technology Research \nDevelopment Interagency Working Groups. Now as I listened to \neach of those, I assume that perhaps each one that is providing \nresearch development is somewhere assimilating the information \nand then you get together with someone as you discuss what you \nare doing, what your research and development is providing. Are \nyou finding working with the Office of Science and Technology \nPolicy is--are you able to effectively work there? Are you \ncoordinating your information together or do you find that you \nare basically out on your own on an island?\n    Dr. Colwell. No, we are coordinating. 
In fact, we have had \ndiscussions, particularly on computing research, and especially \neffective is the--putting together the budget requests, making \nsure that it is coordinated, because the--I mean, I can not \nspeak for the Science--the Director of OSTP except for my \ninteractions and say that this is a major interest and concern \nof OSTP and making sure that all of the agencies are doing a \ncoordinated effort toward solving the problem. Yes, I see that \nhappening.\n    Mr. Davis. And that is happening, and you are happy with \nthe coordination of it and with getting results?\n    Dr. Colwell. Well, I have to, again, just as we all four of \nus have said, that even though we had a Cyber Trust program \nstarted September 6, before 9/11, and have gone--our work goes \nback to 1978, it is only in the last--I would say the last year \nor so that this intensive understanding of the disasters that \nhacking into systems creates that we now are putting a very \nstrong attention to this.\n    Mr. Davis. Is there a plan in place, step-by-step how this \nis going to happen? And are you also working with private \nindustry to gather information?\n    Dr. Colwell. Yeah, the--we are developing a plan, and I \nthink probably Dr. Bement can speak more conversantly with \nprivate industry, but we, too, work with industry in our \ncenters, our science and technology centers, our engineering \nresearch centers, and certainly in developing a center approach \nfor cyber security.\n    Mr. Davis. So there is not a plan currently step-by-step \nthat is being developed?\n    Dr. Colwell. Being developed.\n    Mr. Davis. I certainly hope it occurs pretty quickly. Dr. \nBement.\n    Dr. Bement. Of course, one of NIST's responsibilities is \nlook--is to look after the security of our federal agencies as \nfar as sensitive information flows. 
And that work is \ncoordinated through any number of councils: the CIO Council, \nthe PITAC, the PCAST, the INFOSEC Research Council that has \nbeen mentioned. There is a federal security program managers' \nforum. And we take that information and we pull it together to \ndevelop our program and to establish our priorities. But within \neach one of these bodies, there are plans that, in many cases, \ntie back to the Office of Management and Budget, which links to \nthe President's cyber security plan, so that--there has been a \nlot of planning being done. We are doing a lot within NIST. We \nare doing a lot of it interactively with the organizations that \nare represented here along with NSA and other agencies. And we \nlook pretty much to OSTP for the coordination of the research \nand development program within the federal agencies through \ntheir information technology R&D working group.\n    Dr. Colwell. I would like to, if I may, provide a \nreassurance in the fact that what you don't see, what isn't \nobvious, is that there is strong collaboration and cooperation. \nAs I have said earlier, we have detailed one of our very good \npeople to Homeland Security to help get that started up. We \nhave been working with the intelligence agencies, the Defense \nagency and DARPA and with our scientist panels inviting \nscientists from those agencies to sit in on the NSF panels. And \nthen where there is interest in the research that is being \nproposed and discussed, they can add funds to it and make sure \nthat it gets enhanced. So we are doing quite a lot of what \nwould be not openly and clearly visible. But there is a great \ndeal of interaction.\n    Mr. Davis. What my hope would be, obviously, is that each \ndifferent entity that is doing research and development would \nbe able to follow a plan that would provide the information. 
\nAnd I am not sure that--I don't sense that that is happening \ntoday, so my hopes are that from this hearing that there will \nbe efforts to encourage such action to be taken.\n    Chairman Boehlert. The gentleman's time is expired. The \nChair recognizes the distinguished Chairman of the Subcommittee \non Environment, Technology and Standards, Dr. Ehlers.\n    Mr. Ehlers. Thank you. Mr. Chairman. First of all, I have \nbeen struck with all of the work that is going on in cyber \nsecurity, and it sounds like very good work, what we may call \n``cyber defense against enemies foreign and domestic.'' Dr. \nTether, what do you have going on in the what you might call \n``cyber offense,'' in other words cyber warfare? What--do you \nhave programs within Defense dealing with how you would attack \nenemies----\n    Dr. Tether. Yes, we do. And unfortunately, I probably can't \nsay much more than yes we do.\n    Mr. Ehlers. All right.\n    Dr. Tether. But I would be happy to come and tell you about \nit, I just----\n    Mr. Ehlers. Yeah. I----\n    Dr. Tether [continuing]. Can't here. It is----\n    Mr. Ehlers. There may be several of us who would like to do \nthat at some point.\n    Dr. Tether. Okay. That would be fine.\n    Mr. Ehlers. I also was struck by, and I am paraphrasing \nwhat you said, I hope correctly, that Dr. Tether, that you said \nyou are looking for a lot of good ideas that you can try and \nimplement. Dr. Colwell, you were saying you have a lot of ideas \nbut no money to do it. I would suggest the two of you get \ntogether afterwards.\n    Dr. Tether. Well, we do. In fact, as Dr. Colwell said, \nthere is an enormous amount of collaboration going on----\n    Mr. Ehlers. Right.\n    Dr. Tether [continuing]. At the--what I would--we would \ncall at DARPA the Program Manager level. 
In fact, when this \nhearing was called, I asked, I said, ``How much''--``What is \ngoing on between us and NSF?'' And I was amazed at how much was \ngoing on that I didn't know about.\n    Mr. Ehlers. I realize that. Dr. Bement.\n    Dr. Bement. Yes.\n    Mr. Ehlers. First of all, I commend you for your efforts to \ntry to speed up the standards process for the----\n    Dr. Bement. Thank you, sir.\n    Mr. Ehlers [continuing]. Information technology. That is \nabsolutely essential, because they are very frustrated and \nready to set up their own informal standards organization. So I \nencourage you to pursue that diligently. I appreciate----\n    Dr. Bement. I will.\n    Mr. Ehlers [continuing]. What you have done. First question \nis on a type of cyber security we haven't discussed here at all \nand that is voting security.\n    Dr. Bement. Yes.\n    Mr. Ehlers. I am very, very concerned about that, because I \nthink that is essential to the proper functioning of a \ndemocracy. And we passed a bill last year, which provided money \nfor local governments to buy new equipment. At my insistence, \nresponsibility was given for you to establish standards for \nthese. And I am very concerned. States and localities are \nalready going out and buying equipment and--without an \nassurance of security. And I just covered in my conversations \nwith elected--pardon me, election officials, who are very, very \nknowledgeable about the process, but many are not knowledgeable \nabout cyber security. They just don't realize the pitfalls, and \nit is possible for a good hacker to basically steal an election \nwithout anyone even knowing about it the way some of the voting \nmachines are constructed. So what is the progress on setting up \nthe commission, setting up the standards, and so forth?\n    Dr. Bement. First of all, I agree, entirely, with your \nassessment. We have looked into this matter. 
We have research \ngoing on, and we have dealt with many vendors in trying to \nunderstand their systems. Unfortunately, much of the \ninformation is proprietary, and we almost have to reverse \nengineer to understand them completely. But with regard to \nelectronic voting machines, the interface between the software \nand the hardware leaves plenty of room for cyber attack, for \nfraud, for lack of trust. We talked about trust earlier. And \nthis is an area where we have to be very active in standards, \nand we feel this needs to be attended to, and we need to put \nmuch more effort behind it.\n    Mr. Ehlers. I urge you to pursue that very, very \naggressively, because it is a major problem, and the public is \nsimply not aware of it.\n    Dr. Bement. It has high priority, as far as I am concerned.\n    Mr. Ehlers. And if you need greater legislative authority \nto obtain proprietary information, that is something we should \ntalk about as well, because I----\n    Dr. Bement. Well, I think we have the authority. I think we \nhave some understanding, not complete understanding of what \nneeds to be done. We just have to go out and get it done.\n    Mr. Ehlers. I appreciate that. The--also, another area \nwithin NIST, you have talked a lot about your activities of \nvarious sorts, but to what extent are you involving the higher \neducation community? And I am talking about two ways: one is \nthrough supporting research there, but secondly through \ntraining of students. And I was astounded to discover recently \nthat the number of math and science--pardon me, math and \ncomputer science majors graduating from undergraduate \ninstitutions today is less than it was approximately 15 years \nago. And in fact, there was--it has dropped. It is starting to \ncome back, but we are still not up where we were. Clearly, \nthere is a real need for training of these people, and I am \namazed. 
I just met someone in the airport the other day from my \nhome state at a higher educational institution, a very \nprominent person in information technology, who was--degree was \nin master of divinity, and that shows maybe you need that to \noperate a computer properly. I have always wondered if there \nare any strange spirits inside of my computer. But it shows the \nextent to which we are recruiting from people who have not been \ntrained----\n    Dr. Bement. Yes.\n    Mr. Ehlers [continuing]. In this field.\n    Dr. Bement. Clearly, the Committee has recognized one of \nthe key issues, and that is a need for more education and \ntraining. And that is one of our biggest vulnerabilities. It is \nnot just that we don't have the policies and the procedures and \nthe specifications; we don't have the trained personnel to \nmanage the systems. And it is in this regard that we look to \nthe National Science Foundation to do the manpower training, \nwhich we, of course, want to work with them on. But beyond \nthat, in our post-doctorate program at NIST, which is managed \nthrough the National Research Council, we are trying to pull in \nmore expertise at the post-doctorate level working at NIST in \ncyber security so that we can leverage some of our ongoing \nactivities and so we can identify some of the new talent coming \nout of the universities who eventually, hopefully, will join \nour research staff.\n    Also, in linking up with the research community, I did \nmention that we did have $5 million that did go out in research \ngrants to universities. We follow that quite actively. We have \nworked with Dartmouth in their program and helping them roadmap \nor at least reviewing their road map for cyber security \nresearch and development. We have similar interactions with \nother universities, but I think the most exciting opportunity \nis in the Cyber Research and Development Act. 
By coupling \nindustry with academia and bringing an understanding of the \nneeds and the technical insights, which industry can bring with \nthe scientific insights, which academic researchers can bring \nto the table, and then finding ways to develop prototypes, \nstandards, and test beds to try and reduce the lead time of \ngetting new technologies and new approaches to cyber security \ninto the marketplace in the earliest time possible.\n    Chairman Boehlert. The gentleman's time is expired. Ms. \nWoolsey.\n    Ms. Woolsey. Thank you, Mr. Chairman. Dr. Colwell, it is \nnice to see you, gentlemen. Thank you for knowing so much. Mr. \nChairman, I have a letter here from the Information Security \nand Privacy Advisory Board, which is a board established and \nfunded by the Science Committee, the Computer Security Act of \n1987. And it is responding to the President's report, which is \nhuge, that was dated February 2003. And the very final \nstatement, I am not--of course I want to enter this into the \nrecord and ask unanimous consent to do that, but----\n    Chairman Boehlert. Without objection.\n    [NOTE: The information referred to appears in Appendix 2: \nAdditional Material for the Record.]\n    Ms. Woolsey [continuing]. The last statement in the letter \nregarding the reports, ``Additionally, the strategy minimally \nacknowledges the critical issues of information and citizen \nprivacy and fails to provide specific actions or \nrecommendation. The Board believes this must be addressed as \nwell.'' And so my question to you is are we addressing--I know \nnothing will be perfect, but are we addressing the tradeoff \nbetween privacy and confidentiality and the need for security?\n    Dr. Bement. Well, let me respond to that. That particular \nboard is funded by DARPA and is advisory to me--I am sorry, by \nNIST and is advisory to me as the Director of NIST. So we \nsupport the board and its activities. 
And of course, we do take \ntheir recommendations very seriously, and those eventually \nbecome priorities in our program. Recently, we have, through \nour interactions with the National Science Foundation and with \nthe Department of Homeland Security, invited them to become \nmuch more active in the workings of the board. And the board \nwill be meeting, I think, in June. The board will be meeting in \nJune, and we will certainly be discussing their recommendations \nagain at that time.\n    Dr. Colwell. But I would also like to add that we plan to \nprovide more funding to make sure we understand the interplay \nbetween policy and technology and human behavior and technology \nand the need for privacy in developing a cyber secure system. \nSo we intend to do a lot more research in that area as well.\n    Ms. Woolsey. And balancing the privacy piece with the \nsecurity piece.\n    Dr. Colwell. Yeah.\n    Ms. Woolsey. I am sure that this has been answered, but for \nsome reason I can't wrap my mind around--my intellect around \nsome of the technical conversation we have had here, so what I \nwould like to do is ask you in down-to-earth questions--words a \ncouple of things. Do we have adequate tools to--in place? Are \nwe putting--getting ready with--for that, and if not, why not? \nWhat is holding us up? And is there a way to spread the costs \nof these developments among other--many agencies or private \nindustry as well? Rita.\n    Dr. Colwell. The answer is yes in that we are beginning to \nput together what really is needed, and that is a concerted, \ncoordinated, and as a result of the Act that was passed, a \nfocus on the need for cyber security. We do have components of \nit in place, and we are coordinating it. 
But we believe, at \nNSF, that there is a lot more research to be done, and what we \nare trying to do is balance the research that is needed to \nadvance computer architecture and software development, et \ncetera, with this very pressing need for the security of the \nsystems. So you can't really pull money out of the research to \nmake better systems, because that is part of the problem, but \nat the same time, you can't neglect the security aspects of it. \nSo this is a real--at this particular transition stage, this is \na very difficult push and pull.\n    Dr. Bement. I would answer slightly differently. Clearly, \nthere is a research agenda, and there is a technology agenda, \nbut in our assessments, we find that the greatest \nvulnerabilities are not necessarily technical vulnerabilities. \nThey are primarily an ill-educated user population, lack of \nadequate cyber security research expertise, poorly designed \nsystems and software, specific vulnerabilities in commercial IT \nproducts, and new technologies that are coming into the \nmarketplace with inadequate testing at the design and \nmanufacturing stages. So a lot of what is missing is knowledge, \neducation, and discipline in the system.\n    Dr. Colwell. Could I add another comment, please, and that \nis to point out that what we are finding in our discussions \nwith the community is that we really have to include in all of \nthe information technology and computer science training an \nunderstanding of cyber security and understanding of the need \nfor secure systems and that just having an undergraduate and \ngraduate program on security isn't enough. It has got to go \nacross all of the training, just as Dr. Bement has pointed out, \nin order for people to understand what it entails and how to \naddress it.\n    Ms. Woolsey. I will----\n    Chairman Boehlert. The gentlelady's time--well, all right, \none more.\n    Ms. Woolsey. Dr. 
Bement, you did say, though, we know what \nneeds to be done, I am paraphrasing you, it's just doing it. \nWhat is stopping us?\n    Dr. Bement. Nothing is stopping us. Of course----\n    Ms. Woolsey. Is it time?\n    Dr. Bement [continuing]. Resources--we could accelerate if \nwe had more resources, but a lot of it----\n    Ms. Woolsey. Resources. Well, that is stopping. That is an \nanswer.\n    Dr. Bement. A lot of it is in the private sector. A lot of \nit requires better protocols, better metrics, better standards. \nWe are working with the standard development organizations in \nthis area. It will take time. It is comprehensive. Resources \nwill help.\n    Chairman Boehlert. You know--thank you. The gentlelady's \ntime is expired. Dr. Tether pointed out a, I think, very \nappropriate observation that DARPA is sort of idea limited. And \nthat is one of the reasons why, in the cyber bill, we put in \nall of those programs for students and to get researchers to \nchange fields. Shouldn't funding for those programs be a top \npriority? And will NSF and NIST ask for funding for those \nprograms in '05?\n    Dr. Colwell. I can respond, sir, and say that we are going \nto be very aggressive in our request for the area of research \nin '05.\n    Chairman Boehlert. Dr. Bement.\n    Dr. Bement. I would respond likewise. We are taking it \nseriously. We have discussed it with the Technology \nAdministration. We are still early in our '05 planning, but we \nare giving this very high priority.\n    Chairman Boehlert. Thank you very much. The Chair now \nrecognizes Mr. Smith of Texas.\n    Mr. Smith of Texas. Thank you, Mr. Chairman. First of all, \nMr. Chairman, let me say to you that I am sorry that I missed \nmost of the hearing today. Unfortunately, I am a Member of the \nJudiciary Committee, which has been marking up some legislation \ndownstairs, and so I have had to be there for recorded votes. 
\nIn fact, there is one going on now, so I will have to be brief \nin my questions.\n    Nonetheless, I did want to ask Dr. Colwell and Dr. McQueary \nto respond to a question that I have. And this question \nbasically comes from a book that I read this last weekend, and \nI don't know if you all are familiar with it or not. It is \ncalled ``Tangled Web.'' And this is a book that makes a \ncompelling case that both the private sector and the Federal \nGovernment are not prepared to deal with the cyber attack \ntoday. And furthermore, Mr. Chairman, just because I am a \nMember of a relevant Subcommittee, and in the briefings that we \nhave had, we had been told that there is at least a 50/50 \nchance that any kind of terrorist attack that might occur in \nthe future will involve some aspect of cyberterrorism, either \nwholly or in part. Given the nature of that present and future \nthreat, my question, really for the two witnesses, is do you \nfeel that the Federal Government today is able to adequately \nrespond to a cyber attack? It is my impression from, as I say, \nreading this book ``Tangled Web'' that we are, today, not \ncapable of responding to a terrorist attack and stopping it \nfrom costing American lives or perhaps disrupting the economy. \nBut I would be interested in your perspectives.\n    Dr. Colwell. Do you care to start and then I will add?\n    Dr. McQueary. Certainly. We do have the NTAC [National \nThreat Assessment Center] and the Carnegie Mellon--the \ncapability to respond if we do see a cyber attack. If--one \ncould postulate attacks that we could not respond to, I \nsuppose, effectively, but certainly there is a wide variety I \nthink have been demonstrated in the past of capability to \nrespond to any----\n    Mr. Smith of Texas. You feel comfortable with our ability \ntoday to not be the victim of a cyber attack?\n    Dr. McQueary. I did not attempt to say that. 
What I was
trying to say was that there are many kinds of attacks that we
could respond to. In order to say that we couldn't respond to
it, one would have to know what kind of attack----
    Mr. Smith of Texas. What kind of attacks are we not able to
respond to?
    Dr. McQueary. I don't know the answer to that, sir, off the
top of my head.
    Mr. Smith of Texas. How can you know what we can respond to
if----
    Dr. McQueary. Well, because we have done this in the past
through this--the NTAC and the--at the Carnegie Mellon Group,
because we have demonstrated----
    Mr. Smith of Texas. Right.
    Dr. McQueary [continuing]. That in the past, and therefore
by definition, we see that we have been able to respond to
things that we have seen in the past.
    Mr. Smith of Texas. Dr. Colwell, do you agree with that?
    Dr. Colwell. I think that we have done research that has
allowed us to build firewalls. And I think for the most part,
the firewalls that protect sets of data and sets of operations
are, on a daily basis, effective. Obviously, there are
opportunities for attack that could be devastating. And it is
hard to predict exactly what they would be, but I do feel
somewhat assured by the--yesterday, the Seattle, I think it was
in Seattle, there was a mock attack, which included cyber, as
well, as the direct attack with chemical and biological
weaponry. But I think that is important, because it shows that
this is a multi-dimensional----
    Mr. Smith of Texas. Right.
    Dr. Colwell [continuing]. Terrorist--potential terrorist
problem. And cyber security is a component of it. And I think
we are well aware of that now. And awareness is the beginning
of protection.
    Mr. Smith of Texas. And certainly awareness is the first
step. You have both said that you feel that we have protected
ourselves against cyber attacks that have already occurred, but
not necessarily--we are not necessarily able to protect
ourselves against all conceivable cyber attacks, is that a fair
statement?
    Dr. Colwell. Well, I--yeah.
    Mr. Smith of Texas. And I see Dr. Bement is shaking his
head yes as well.
    Dr. Bement. Firewalls tend to be pretty ubiquitous, but, in
many cases, they don't contain all of the ``four R's''. And
what I mean by the ``four R's'', first of all, you have to
recognize an attack. In many cases, you don't recognize an
attack through a firewall. Second, you have to resist it once
you recognize it. Then you have to respond to it, and then you
have to recover from it. And those are the four R's. And----
    Mr. Smith of Texas. That is exactly the point of this book
that I referred to----
    Dr. Bement. Right.
    Mr. Smith of Texas [continuing]. That firewalls are not
sufficient, which is what you just said.
    Dr. Bement. And so I would say we have a long way to go,
and with a determined cyber attacker, with the right kind of
training, they would be able to defeat many of the systems we
currently have.
    Mr. Smith of Texas. Okay. Thank you, Dr. Bement, for your--
thank you, Mr. Chairman. I am finished.
    Chairman Boehlert. Mr. Smith, just let me tell you, you are
right on in terms of focusing on an area we all have to focus
on. And it was--our vulnerability. I recognize vulnerability
that prompted this committee to try to provide some leadership,
and that resulted in this Cyber Security Research and
Development Act. And now what we are trying to do is make
certain that all of the agencies for whom we have earmarked a
lot of resources, insufficient I might add, but we are trying
our best, are working together, are coordinating their
activities, and are taking the pledge here and now that this is
a matter of high priority. And you have got to give this
increasing attention. And that--you were not here earlier, they
have assured us of that. Department of Homeland Security has
just been up since--essentially since 1 March. Dr. McQueary is
the new guy on the block, and it is just a mind-boggling
challenge. I think he is up to the challenge, and I think we,
collectively, are up to the challenge. But we better damn well
get serious about this and not just talk but act. So thank you
very much for those observations.
    Mr. Smith of Texas. Thank you, Mr. Chairman. Mr. Chairman,
I might add, I think one of the reasons that Dr. McQueary is up
to the challenge is because he has two degrees from the
University of Texas.
    Dr. McQueary. You are very kind, sir. Thank you.
    Chairman Boehlert. The Chair now recognizes Mr. Bell.
    Mr. Bell. Thank you, Mr. Chairman. I apologize for missing
your testimony. There is cyber security and there is
Congressional District security, and since my district is
currently under attack in the state of Texas, we decided we
would go pay homage to our friends holed in Ardmore, Oklahoma.
So that is why I wasn't present, and I hope you understand.
    Dr. Tether, I wanted to visit with you for just a moment,
because I found your remarks to be refreshing. I have only been
here for four months, and I have had a bunch of people come and
tell me that they have ideas but they don't have money. You are
the first I have heard that has plenty of money but a shortage
of ideas. So it is a nice turnaround. But I wanted to--you--I
understand your reluctance to talk about cyber warfare and what
is being planned in that regard, but several months ago, there
was a rather extensive article in the Washington Post about
some of the plans that were being undertaken by the Department
of Defense, some of the studies that were being conducted. And
I sort of subscribe to the theory if it has been in the
Washington Post, it is going to be hard to keep it secret after
that. And they talked about looking at ways to, perhaps, wipe
out the entire electrical grid in the wake of war or while
involved in war, looking at maybe shutting down hospitals that
use cyber technology. My question is, knowing that those
efforts are going forward, what is the collaboration between
those who are looking at ways to attack and using it in an
offensive position and those looking to defend, because it
would seem to me that there should be a great deal of
collaboration in those areas?
    Dr. Tether. Well, it--even though it appeared in the
Washington Post, I still have a hard time confirming or denying
the Washington Post. But let me tell you, one of the--there is
a great collaboration that goes on between those who look at
offensive things versus those who look at defensive things,
because they are really two sides of the same coin. So the
people who are doing the offensive parts, when they develop
techniques, we then obviously build a defense against that
technique. So the people--and vice versa. When people build a
defensive technique, then the offensive people need to know
about it in order to try to penetrate that technique. So there
is a great amount of collaboration that goes on between those
two communities. Let me say, at least within DARPA, some of the
operational people would not have a collaboration because it is
very, very sensitive, but in our research, there is a great
collaboration between the two communities: those who are coming
up with techniques to penetrate and those who are coming up
with techniques to prevent people from penetrating. I really
can't give you any--I would be happy to give you all of the
details, quite frankly, but I just can't here.
    Mr. Bell. No, I understand.
    Dr. Tether. Yeah.
    Mr. Bell. And I don't expect you to, and that wasn't the
point of the question. I am more interested in what kind of
collaboration is taking place.
    Dr. Tether. There is a lot of collaboration in--between
those two communities for those--for the reasons I gave.
    Mr. Bell. What is the general feeling as to where the
United States stands right now in terms of cyber warfare? Are
we behind in that area or are we ahead?
    Dr. Tether. I almost would have to go country by country,
and I would rather not, for--again, for classification reasons.
I----
    Mr. Bell. But we are certainly not alone?
    Dr. Tether. Oh, no. No, we are most certainly not alone. We
are most certainly not alone. And I think you can obviously--
the obvious large players like the--like Russia, China, you
know, these are people who are taking this very seriously, very
smart people. We are not alone.
    Mr. Bell. Thank you.
    Chairman Boehlert. Excuse me, if I may interrupt here. Some
would argue they are taking it more seriously than we have been
in the past, but now we have a new focus.
    Mr. Bell. Well, taking this whole question of collaboration
a step further, because, and I am--and I don't want to put
words in your mouth, but you were saying--I don't know if you
said you heard about some things today or recently that you
didn't know that were going on. And I would expect that. But
this is an area where I would think that it is really incumbent
upon those who are involved to be talking to each other. And
are there steps that need to be taken to make that easier?
    Dr. Tether. Well, you know, when I said that, I was
referring to the activity between DARPA and NSF. And what you
learn, DARPA is really a Program Manager place, and there are
160 Program Managers. I don't know how many Dr. Colwell has,
but she has a few.
    And you would be amazed what goes on that the Directors
don't know of, each agency doesn't know what is going on. So
what I had--when this hearing came up, I put out a call to all
my offices saying, ``Why don't you guys tell me what you are
doing with NSF?'' You know. ``Go and find out what the
program''--and I got a lot of activity. I mean, I have got an
enormous amount of activity that I did not know about. And--but
it is our Program Managers farming the ideas coming out of NSF
so that they could bring them back and say, ``Hey, look. Here
is a great idea.'' And this is--I am talking about cyber
security type of activity now, not just in general. In general,
there is a real large amount of activity, but--so they can come
back with an idea, which what DARPA does is takes that idea.
And we basically take it to the next step of applying it, you
know, taking that idea into a technology that can be used.
    But there is a great deal of activity that has--that was
going on that I--quite honestly, I was not really aware of. I
kind of figured it was going on, but I didn't know the
specifics. And I was impressed.
    Chairman Boehlert. The gentleman's time is expired. I am
sort of surprised by that answer, a veteran like you. With Dr.
McQueary, he is just in, the new guy on the block, and he knows
what every one of those 180,000 people are doing within the
new Department of Homeland Security.
    Mr. Bell. But Dr. McQueary went to UT.
    Chairman Boehlert. Oh, boy. With that, Mr. Udall.
    Mr. Udall. Thank you, Mr. Chairman. I, too, want to thank
the Chairman for calling this important oversight hearing today
and thank him for his leadership on this whole area of cyber
security. It is also--it is inspiring to see the all-stars out
here on this panel, and thank you for your service to the
country and for your great help and assistance you provide to
the Committee.
    I want to ask two general questions, and Dr. McQueary, I
will give you a heads-up on the second question, which I am
going to ask you first. And your Directorate has requested
about $800 million in this fiscal year of 2004. And I am just
curious how that money would be allocated, particularly to
cyber security. If you would, set that question aside and
hopefully we will get to it.
    The second one--question was to yourself and Dr. Bement.
And it is always great to see the NIST Director here.
    Dr. Bement. Thank you.
    Mr. Udall. I know you have under--you have signed an MOU
between DHS and NIST.
    Dr. Bement. Pending.
    Mr. Udall. Yeah, pending. Thanks for that correction. Can
you provide me, the two of you, with your understanding of the
activities that would be carried out under the MOU and the
respective roles of NIST and DHS? And I think most importantly
for most--for all of us is will NIST have the resources to
carry out the activities envisioned in the MOU?
    Dr. Bement. The answer to the second question is yes; we
will have the resources. The answer to the first question is
that the MOU is very comprehensive. It includes technical
support, research and development support, and standards
support across the whole mission spectrum of the Science and
Technology Directorate. Cyber security is clearly one of the
keystone elements of that MOU, and it is one that we have
already anticipated by putting one of our research staff with
DHS in cyber security to begin coordinating that activity.
    Mr. Udall. Dr. McQueary, would you like to----
    Dr. McQueary. I would be happy to. The--in the--as you
correctly point out, the fiscal year 2004 budget request is
$803 million for the Science and Technology Directorate. Within
that budget, we have $7 million that are specifically allocated
toward cyber security-related activities. And I would like for
you to keep in mind that the basis for that is that our role is
one of supporting the Information Analysis and Infrastructure
Protection Directorate within Homeland Security and providing
Science and Technology support to them in that. We are just
barely operational. And of course the Critical Infrastructure
Protection Board was in existence at a time when we actually
constructed that budget. And therefore, if we were to find that
the money we have, we conclude, is not adequate, I have no
problem whatsoever in revisiting what the budget allocation is
and looking for support from people like yourself for making
such an evaluation.
    Mr. Udall. Mr. Chairman, if I might, I would like to yield
to my colleague, Ms. Jackson Lee, for 30 seconds. She has to
leave, but she wanted to make a brief statement.
    Ms. Jackson Lee. First of all, let me thank the Chairman
for this very important hearing. I was in a markup in
Judiciary, and now I have been called off to another meeting.
Gentlemen, I would ask the Chairman to have permission to
unanimously put into the record my statement, and I will----
    Chairman Boehlert. Without objection.
    Ms. Jackson Lee [continuing]. Proceed with the individuals
on this important issue as a Member of the Homeland Security
Committee. I thank you. This is a major question for our
community cyber security.
    Thank you, Mr. Chairman. Thank you, Mr. Udall.
    Chairman Boehlert. Thank you very much. Mr. Udall, you have
two minutes remaining.
    Mr. Udall. Thank you, Mr. Chairman. It might be, I think,
of some interest to the Committee that when the MOU is signed,
perhaps there is a way to get a further update as to how that
might unfold and I don't know whether we would need to do that
formally or informally, but I would make that request to the
two of you today and----
    Dr. McQueary. I would be happy to do that.
    Mr. Udall [continuing]. The Chairman as well. Do you have--
when we talk about the funding, Dr. McQueary, you mentioned
some of the criteria you used. Did you cover all of the
criteria that had been involved in determining how this cyber
security money will be directed and where you will focus those
initial efforts?
    Dr. McQueary. Well, initially, when we--when our budget was
constructed, our intent was to focus on the forensics aspect of
cyber security and also attribution, those being two areas that
appeared as though we could make a contribution in that area. I
think that we will be continually examining what our role is,
because, as you know, the IAIP organization did not have--in
fact, it does not today, have an Under Secretary that leads
that effort yet, although a nomination has gone forth for that,
and we are hopeful that that will be approved expeditiously.
And so we will be working very, very closely with the IAIP
people to make sure that we do have the proper amount of budget
and the right scientific areas being focused in support of
their conclusions on what we need to be doing.
    Mr. Udall. The--your presence today and the Chairman's
commitment to this whole area underlines the crucial nature of
it. I do think--if I could just make a general comment, we all
have work to do to educate the American public as to the threat
we face. Like so many other areas in this modern society in
which we live, we take for granted a lot of the conveniences, a
lot of the systems that make our lives easier than they might
have been 100 years ago. And I think anything you can do to
help us, we can help--do to help you in that mission, I think,
would be time well spent. I think--I am reminded of the movie
``Catch Me If You Can''. I don't know if you have all seen
that, maybe that has been mentioned today, but in a way, we
want to recruit some of those people that fit the model of that
young man in that movie who would be inclined to, because they
want the adventure, I think, of breaking these systems and
getting into places where other people haven't been and see if
we can bring them to the side of us and create a socially
productive avenue, so we say, for those young hackers out
there. We ought to be looking at that. That is an opportunity,
I think, as well as a threat.
    Thank you, Mr. Chairman, and again, I want to thank the
panel.
    Chairman Boehlert. Thank you very much. Dr. McQueary, where
is the research going to be focused in DHS? Who is going to be
doing it?
    Dr. McQueary. For cyber security specifically?
    Chairman Boehlert. Right.
    Dr. McQueary. It will be conducted by the Science and
Technology Directorate, yes, sir.
    Chairman Boehlert. All right.
    Dr. McQueary. And that is the role that we----
    Chairman Boehlert. Have you earmarked where within your
operation?
    Dr. McQueary. Where specifically within----
    Chairman Boehlert. Right.
    Dr. McQueary [continuing]. My organization?
    Chairman Boehlert. Have you identified people and----
    Dr. McQueary. Yes, we have. In fact, we have
    people----
    Chairman Boehlert. People and dollars?
    Dr. McQueary. People and dollars, yes. Yes.
    Chairman Boehlert. That is good. Could you provide that for
the record----\1\
---------------------------------------------------------------------------
    \1\ This information is provided in Dr. McQueary's answers to post-
hearing questions, located in Appendix 1.
---------------------------------------------------------------------------
    Dr. McQueary. That was a--yes, sir.
    Chairman Boehlert [continuing]. At your convenience? All
right. The Chair recognizes Ms. Lofgren.
    Ms. Lofgren. Thank you, Mr. Chairman. I would also like to
offer my apologies, as several other Members have. I am also a
Member of the Judiciary Committee, and I also was tied down in
a markup all morning, so I missed your testimony, although I
have read it. And I appreciate the Chairman's calling this
hearing. I would note, I am a Member of the Homeland Security
Committee and ranking on the Cyber Security Subcommittee, and
we have beaten Homeland Security to the punch on this hearing.
And so I will see you, I guess, next week as well on some of
these issues.
    Chairman Boehlert. As we all will--several of us will.
    Ms. Lofgren. Right. I do want to just briefly return to one
issue and explore another, and then I know the lunch hour is
here. As I am sure you recall, Dr. Bement, there was concern
last Congress about the proposal to shift some NIST activities
to DHS. And the concern really--and this committee, on a
bipartisan basis, objected to that, and in the end, Congress
did not approve that shift. I am sure you are aware that there
is anxiety in the country about the detailing of staff by NIST
to DHS and whether that has the effect of accomplishing
administratively what the Congress did not approve last
Congress. I am not suggesting that is the case. I would like to
explore that with you.
    Dr. Bement. I would say that--I am sorry.
    Ms. Lofgren. The question really has to do is what are they
doing specifically? I know you say there is a detailed MOU, but
specifically, I would like to know the nature of that--their
activities relative to encryption. Can you address that?
    Dr. Bement. To my knowledge, there is no work going on in
encryption at the present time. We have two people detailed to
the Department of Homeland Security. One is providing a
coordination role between DHS and NIST in terms of acquainting
DHS with our cyber security efforts. Now the other person is
working with Science and Technology Directorate in, working
with Dr. Albright in back of me, as a matter of fact, in
developing a national strategy for DHS and standards
development. And of course, that is our area of expertise----
    Ms. Lofgren. Right.
    Dr. Bement [continuing]. So we are willing to assist--I
mean, we are happy and anxious to assist DHS in that area. And
as far as the issue that you brought up, we are very grateful
to the Committee for recognizing the importance of the
independent role that NIST plays with the private sector in
developing guidelines and in developing specifications and
standards in the area of cyber security. And anything that we
do with other agencies, we preserve that independence and that
integrity, so I wanted to assure you of that.
    Ms. Lofgren. I wonder if I could--I know you are going to
provide the draft MOU to the full Committee. I--as a Member of
the Homeland Security Committee, it would be especially helpful
to me if I could get a copy of that prior to our hearings next
week, if I could ask that favor.
    Dr. Bement. We--I think the signing will be taking place on
Monday.
    Dr. McQueary. I believe the 19th is the day that we did
have that set up.
    Dr. Bement. The 19th of May, and we will provide a copy to
you as soon after it is signed as we can.
    Ms. Lofgren. Let me ask another question relative--it is
actually to funding, and I know that probably people who head
bureaus and directorates and departments or--and are probably
discouraged from complaining about their funding to
Congressional Committees. But I am concerned about whether
there is sufficient funding to do some of the things that I
think are essential to the national security. One of the issues
that has been discussed informally at the Homeland Security
Committee is the lack of--or at least apparent lack of rigorous
analysis of biometric standards. And what are we looking for in
terms of ease of use, reliability, scalability, et cetera, et
cetera?
    And I am wondering--it seems to me that the absolute best
home for that kind of analysis is NIST, because it is a
standards issue. It is not a policy issue. It is not a
political--it is a standards issue. And I know last year, I
asked NIST to provide me with information about biometrics. You
very kindly responded, but it was not original research. It was
sort of a compilation of what is out there, and I will say it
was rather thin. Is NIST sufficiently funded to accomplish that
kind of biometrics analysis and standard setting if the
Department of Homeland Security were to ask you to do so?
    Dr. Bement. We certainly have the competence to do that and
until now, most of the resource that has been going into that
area has partly come out of our base program. Part of it has
been provided by DARPA.
    Ms. Lofgren. So we would need to provide----
    Dr. Bement. Part of it has come from----
    Ms. Lofgren [continuing]. Additional funding?
    Dr. Bement [continuing]. Department of State, Department of
Justice. And in our '04 budget request, we have requested that
$1 million of additional funding in order to beef up our effort
in this area. So it is in our '04 budget request.
    Ms. Lofgren. Is $1 million enough to actually accomplish
that?
    Dr. Bement. No, but it is all we could work in.
    Ms. Lofgren. All right. I--how much would you need if the
DHS were to ask you to accomplish that function quickly and
reliably? What would the tag be, do you think?
    Dr. Bement. We feel it would be $3 million.
    Ms. Lofgren. All right. Thank you very much, and I see my
time is expired.
    Mr. Ehlers. [Presiding.] We will proceed with a brief
second round of questions. I will kick off a few. First of all,
Dr. McQueary, you have got a blank piece of paper in front of
you for what you are going to do. And my question is--I have
several questions related to that. Who is going to perform the
cyber security research for you? Are you planning to hire staff
members? Do you plan to have--use grants to universities or
contracts or grants with the private sector companies or other
federal agencies? What do you see as developing here?
    Dr. McQueary. I see it as being a combination of all of the
things that you just talked about. The construct of the Science
and Technology Directorate is such that we will largely be in
the role of managing the programs that will be executed, both
the federal and national labs, private sector, as well as
university academia, if you will. And so we will have the
leadership role. In fact, we have about four people already in
roles, which I touched upon earlier, that are detailed to us
with--and have experience in the cyber security area. So we
will provide the leadership, oversight, program management
responsibility, if you will, and contract that work out into
the various sectors you talked about, always looking for where
the top quality work is being done to capitalize upon that.
    Mr. Ehlers. Okay. And do you think cyber security will get
the attention it needs? Are you going to have sufficient funds
to do all of the things you are supposed to do in your area?
And given all of the different competing needs that you will
have to deal with, is cyber security going to get the attention
it needs?
    Dr. McQueary. Well, it certainly has the attention--has my
attention, and I have the responsibility for constructing the--
a budget and making the proposal to Secretary Ridge as to what
we should do there, so if we do not get the sufficient
attention, then I am the first person that one should come to
to say why not, because I have that responsibility in Science
and Technology.
    Mr. Ehlers. Okay. Our concern would be that it would just
be considered just one more aspect of infrastructure protection
in the overall scheme of things in DHS.
    Dr. McQueary. I am sorry, I missed the question.
    Mr. Ehlers. I am just worried that this may just be
considered one other aspect of infrastructure protection within
DHS and actually be competing with all of the different----
    Dr. McQueary. I believe that we will see some
organizational restructuring very shortly within DHS that will,
I hope, illustrate to you that we do take this issue very, very
seriously.
    Mr. Ehlers. Okay. And something else. I don't know if--I
would be interested in what all of you have to say, but perhaps
you don't have the figures with you and want to respond in
writing, which would be fine. I am curious what is being spent
on cyber security R&D by the Federal Government in total and
how much by the private sector. Do you have an idea of this or
would it be better to just ask you to send in the information?
    Dr. McQueary. I do not have the information, sir.
    Mr. Ehlers. All right. Dr. Colwell, if you have----
    Dr. Colwell. Right now, we have about $53 million, but that
can go up to as high as $75 or $76 million, depending on the
outcome of some competitions that are in play at the moment for
the potential for a center award and a potential for
scholarships and so forth. But we see, pretty much, coming
close to the authorized number.
    Mr. Ehlers. Okay. Dr. Bement.
    Dr. Bement. Well, I can only speak for NIST. As I indicated
in my testimony, we currently have $24 million of appropriated
and base funding going into cyber security. We also have
additional funding coming from other agencies: the National
Security Agency and DARPA.
    Mr. Ehlers. Um-hum.
    Dr. Bement. I think our DARPA account is around $5.2
million, so adding that all together, it would still be less
than $50 million in NIST. As far as the Federal Government at
large or the Nation at large, I don't really have those
numbers.
    Mr. Ehlers. Okay. And Dr. Tether.
    Dr. Tether. I also don't really know what the Federal
Government is spending, but at DARPA, we are spending--in '04,
we will be spending around $50 million in cyber--in information
awareness. But there is more that we are spending that I
actually will give you for the record, because we are doing
cyber security with other programs. For example, we are
building networks. And then there are activities within the
building of a network, which is also to make the network
secure, so it is embedded. I will try to pull that out for you.
But it might be another $50 million, so it might be a total of
100. And then we have the classified work, which I will tell
you separately.
    Mr. Ehlers. All right. And are you also including in your
work efforts to prevent damage from electromagnetic pulses, or
is that----
    Dr. Tether. No.
    Mr. Ehlers [continuing]. Considered totally separately?
    Dr. Tether. That is considered totally separate, yeah.
    Mr. Ehlers. Okay. But by and large, Defense Department
facilities are hardened against that?
    Dr. Tether. They are hardened against that.
    Mr. Ehlers. Yeah.
    Dr. Tether. There are requirements for them to be hardened
against that.
    Mr. Ehlers. Do you have any idea to what extent the private
sector or--is hardened against EMP?
    Dr. Tether. I would be surprised--well, first of all,
they--all--everybody has, usually, a surge suppressor----
    Mr. Ehlers. Right.
    Dr. Tether [continuing]. You know, which gives them some
hardening, but that would be, probably, the limit. I don't know
of anything else.
    Mr. Ehlers. I would think banks, at least, would want that.
    Dr. Tether. You would think so.
    Dr. Bement. I think they would still be vulnerable against
pulse power attack. I mean, if----
    Mr. Ehlers. Yes.
    Dr. Bement. If an attacker had the capability----
    Mr. Ehlers. Yeah, a surge protector won't do too much.
    Dr. Bement. No, it won't do you very much.
    Dr. Tether. No. No.
    Mr. Ehlers. No. Okay. My time is expired. Anyone else wish
to--Mr. Miller, you are recognized for five minutes.
    Mr. Miller. One last set of questions. Is it Dr. Bement?
    Dr. Bement. Bement.
    Mr. Miller. Bement. Okay. What you said in response to Ms.
Woolsey's questions were very reassuring to me that what we
need is knowledge, education, and discipline. The security is
now available, I think you said, through protocols, metrics,
and standards, that we have very smart people working on this,
and that there is nothing stopping us from doing it, from being
secure. And I--and that is greatly reassuring to me. And Dr.
McQueary pointed out correctly, of course, that anyone in the
private sector is going to know the risk to their business of
not being secure, of suffering an attack.
    Dr. Bement. Yes.
    Mr. Miller. What I am concerned about, somewhat, is that
there is--there will always be people who do things on the
cheap, who don't--do not show knowledge, education, and
discipline. And what are we doing to make sure that when people
in the private sector do their kind of assessment of what it
costs to adopt the security measures they should adopt versus
the risk that they face if they don't, that they take into
account not just the risk to them, to their business, but the
risk to others that they deal with--the ripple effect that we
talked about earlier? The loss of the power grid, obviously,
would have a massive effect. I think you mentioned, or Dr.
Tether mentioned, the possibility that--or it may have been
you, that hospitals could be shut down. Obviously there is risk
to others and not just the direct loss and disruption to the
victim of an attack, but of all those they deal with. Are we doing
anything for requiring anyone in the private sector to adopt
security measures? Have we thought through whether the
standards that we are developing, the protocols, form the basis
of a standard of care for civil liability? What are we doing to
make sure that people in the private sector think through the
risk, not just to them, but on down the line?
    Dr. Bement. I can tell you this much that many of the
professional societies who have begun to pay attention to these
risks, which are really the product of the probability of the
event plus the consequence--times the consequence of the event,
have begin--have begun to develop risk models with their
constituents so that industry is better informed about what the
consequence of a cyber attack might be, or any other
vulnerability might be. I have to say that, as a Nation, our
greatest vulnerability is indifference.
    I think it was Dr. McQueary that pointed out that 85
percent of our industry and productive capacity is owned by the
private sector. And yet, all of the surveys that I have looked
at recently in surveying the private sector on what they are
doing in terms of either vulnerability assessment or dealing
with risks, terrorist risks, indicate that they don't really
see themselves as a target, which is sort of indifference. And
in some respects, I think it may, in order to bring it home to
them, require some of the kind of exercises or demonstrations
that took place this last weekend to actually demonstrate what
the consequence might be of these attacks so that CEOs and
other leaders in industry will have it brought home to them,
what it could, in fact, mean to their manufacturing operation,
their logistics train, their supply train, all of their other
elements that they have to deal with on a day-to-day basis. And
I feel that that is our biggest vulnerability right now is they
just haven't quite stepped up to the plate.
    Mr. Miller. Do you know if the insurance industry has
looked at cyber security as a liability issue?
    Dr. Bement. I am sure they have. Yes, indeed, they have.
The insurance rates have gone up dramatically since 9/11, so
there clearly is a payback in being able to demonstrate that
you are much better protected against these types of attacks.
    Mr. Miller. Well, is it the only----
    Dr. Bement. It is not only insurance; it is the reinsurance
rate as well.
    Mr. Miller. Right. Well, yes, the--I imagine the potential
liability is massive. It would require going to the reinsurance
markets. Is it being excluded for policies? Is it being
included in policies? Are insurance companies--liability
insurers having a word of prayer with their insureds about what
they are doing?
    Dr. Bement. Well, I must confess this is getting a little
bit beyond my ken or my area of expertise, so I really can't--
--
    Mr. Miller. But it is a strong economic incentive----
    Dr. Bement. Yes.
    Mr. Miller [continuing]. To do the right thing?
    Dr. Bement. I would think so, yes.
    Mr. Ehlers. The gentleman's time has expired. Mr. Udall, do
you have any questions?
    Mr. Udall. Mr. Chairman, I had a last question, hopefully,
thankfully, although this is a topic, which we will revisit.
Dr. Tether, I was just curious in looking over your material
you compiled for the Committee and the good work you did here
in describing network centric warfare and suggesting we maybe
aren't quite there yet, but we are certainly network-dependent.
Have you gotten any indication out of the recent conflict in
Iraq that the Iraqis had any kind of cyber security tools that
we hadn't anticipated or that there were, perhaps, other
countries or other individuals developing those for the Iraqis
or for future opponents?
    Dr. Tether. The--I don't know of anything. That doesn't
mean that there wasn't something. GPS jamming was the only
thing that I know about.
    Mr. Udall. I am sure you are going to take a look at that,
and I would bet that some of this may well be classified, but
we always have, when we have these encounters, have a chance to
then review our mistakes as well as our successes.
    Dr. Tether. Yes, and that is all being done.
    Mr. Udall. I hope we will--I know we will do that.
    Dr. Tether. Yeah.
    Mr. Udall. And it strikes me that the military, once again,
is on the cutting edge of some of these technologies and we
look at the history of the Armed Services, and much of what was
generated in the Second World War is now used in civilian
activities. One of my real interests, and I share with our
Chairman of the Committee is energy, and the military is
leading the way in certain new technologies: fuel cell
technology, photovoltaic uses and others because of the
transformation we are trying to put underway in our military.
So I think you all have a very--I just wanted to conclude by
saying you, of course, have a very important role to play in
this. And we look forward to this all-star team working
together seamlessly to help lead us to a more cyber secure
future.
    Dr. Tether. Well, it is clear with the--private industry
really has not been able to do the tradeoff of what does it
cost them to not have it. It is very clear for the military,
when we are becoming really dependent upon that network being
there, what happens if that network is not there. So the
tradeoff is, you know, very clear. There is no--we have to make
those networks secure, otherwise everything we are building for
the future will not work, and that would be a disaster, I mean,
to the national security.
    Mr. Udall. Mr. Chairman, I have many more questions, but I
think the lunch hour does beckon. I would yield back my
remaining time. I thank, again, the panel.
    Mr. Ehlers. The gentleman yields back his time, and I am
sure the panel appreciates it, and the audience. I just wanted
to pick up on the last two comments. First of all, perhaps it
is only through higher insurance rates that people will become
aware of the need for protecting their equipment. And that goes
to your last point, too, Dr. Tether, that most people and most
businesses don't realize the risk and therefore they don't take
the trouble to protect against it.
    But it is a bit ironic, Dr. Bement, that you mentioned the
electric power industry, because I, for roughly five years now,
I have been telling my constituents in town meetings, and I had
to, because I voted against the Defense appropriations for
three years, because I thought they were funding the wrong
things. And of course, all of the veterans show up at my town
meetings and castigate me for not supporting Defense. But I
simply pointed out that what we are doing is pouring a lot more
money into the same old systems, and the real danger is not a
major nation attacking us, it is terrorists attacking us.
Unfortunately, I was correct, and so we are all now alerted to
that.
    But the other example I give my constituents now, because
they are all terrified about aviation, and I simply say, ``The
problem is we always fight the last war.'' And we are now
making our airlines super safe, and we have to worry about port
security and then the power industry. I have said, for a number
of times, ``Give me 20 knowledgeable people about computers and
explosives--and a little explosives, and I could bring down the
power grid in one night.'' And of course, we could get it up
again in probably four or five days, but can you imagine what
the cost is of four or five days' productivity to our nation,
particularly if this can happen repetitively?
    So it is--the best way, of course, is to stop terrorism at
its source.
It is impossible to really totally defend against \nit here, but we can certainly do much more in defending against \nterrorism within our borders than we are currently doing. And \nwe tend not to wake up. As you say, they are--it is \nindifference. The indifference goes away with each specific \nattack, but then we tend to prevent to guard against that \nattack again. And there is a plethora of possibilities for \nterrorist activity.\n    I want to thank the panel very much. It has been an \noutstanding panel. You have each represented very well the \nexpertise available within your agencies or departments. And I \ncertainly appreciate your attendance here. The information you \nhave given will be, indeed, very valuable to us as we continue \nour deliberations. Thank you very much for being here. With \nthat, the hearing is adjourned.\n    [Whereupon, at 12:20 p.m., the Committee was adjourned.]\n                              Appendix 1:\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\n                   Answers to Post-Hearing Questions\nResponses by Dr. Charles E. McQueary, Under Secretary for Science and \n        Technology, Department of Homeland Security\n\nQuestions submitted by Chairman Sherwood Boehlert\n\nQ1. You stated at the hearing that you would provide for the record \ninformation on the people and dollars that the Department of Homeland \nSecurity (DHS) Science and Technology directorate plans to devote to \ncyber security research and development activities in fiscal years 2003 \nand 2004. Please do so. In addition, to what extent do you expect your \nfiscal year 2003 funding for cyber security research and development to \nbe spent for support of DHS personnel? For support of programs at other \nfederal agencies and national laboratories? For grants and contracts to \nuniversities and companies? 
(When providing the information requested \nin this question, please distinguish between research and development \nprograms and education and workforce training programs.)\n\nA1. The Science and Technology Directorate's current plans for people \nand funding devoted to cyber security research and development in FY \n2003 and FY 2004 are as follows:\n\nFY 2003: L2 staff members within the DHS Science and Technology \nDirectorate and funding of approximately $5 million.\n\nFY 2004: L2 staff members within the DHS Science and Technology \nDirectorate and funding of approximately $7 million.\n\n    For FY 2003: The DHS Science and Technology Directorate plans to \nfund about $1 million per year at universities through the National \nScience Foundation (NSF). A contract with a private firm for about $1 \nmillion has been awarded to continue work addressing insider threats. \nIn addition, proposals with a total value of about $3 million over \nthree years are pending from the National Institute of Standards and \nTechnology (NIST), a nonprofit research institute and another federal \nagency for additional cyber security research and development; until \nthese are actual awards, it is not appropriate to estimate the actual \namounts to these entities. We would be pleased to provide this \ninformation after actual awards are made if this is desired. Each of \nthese existing and pending efforts is a research and development \nactivity; none is an education/workforce training effort.\n\nQ2. At the hearing, you said that if the funding you have proposed for \ncyber security research and development for fiscal year 2004 ``is not \nadequate,'' you would ``have no problem whatsoever in revisiting what \nthe budget allocation is.'' When will you begin reviewing the factors \nthat determine what level of spending is needed? How will you decide if \nthe level is ``not adequate''? When will you let us know whether you \nbelieve the allocation should be changed?\n\nA2. 
The Science and Technology Directorate has reviewed its proposed FY \n2004 funding and currently believes the proposed amount for cyber \nsecurity research and development (R&D) is adequate. However, we \ncontinue to assess our research and development plans in the context of \nthe national effort in cyber security. If we determine that the \nproposed amount of our funding is not adequate, we would first evaluate \nthe impact of reprioritization and re-allocation of existing budgets. \nIf believed necessary, we would bring a request for additional funding \nforward for consideration through the appropriate mechanisms. \nAdditionally, in order to accurately determine what level of funding is \nneeded for cyber security research and development, we will continue to \nwork with other agencies with R&D responsibilities, such as NIST and \nNSF, to identify requirements and gaps in funding. This coordinated \napproach will assist in making the right investments in this area while \npreventing unnecessary and wasteful duplication.\n\nQ3. In other forums, you have stated that most of the focus of the DHS \nScience and Technology Directorate at first will be on shorter-term \ntechnology development. How will you balance technology development and \nbasic research in cyber security? Do you expect that balance to change \nover time?\n\nA3. The Science and Technology Directorate recognizes there are some \ntechnology needs that require immediate attention; some of these needs \nwere identified in the National Strategy to Secure Cyberspace, while \nothers have been identified by the critical infrastructure protection \ncommunity. The Science and Technology Directorate believes that those \ncyber security issues which require basic research to solve are more \nwithin the scope of the National Science Foundation than our \nDirectorate. 
Our long-term portfolio plan may address basic research to \nsome degree through programs directed out of the cyber security \nresearch and development center.\n\nQ4. At the hearing, you testified that the Committee will ``see some \norganizational restructuring very shortly within DHS that will. . \n.illustrate to [the Committee] that we [at DHS] do take [cyber \nsecurity] very, very seriously.'' Since the hearing, there have been \npress reports that DHS will establish an office to execute the \nPresident's National Strategy to Secure Cyberspace. Please tell us for \nthe record what restructuring is intended and when it will occur. What \nwill the responsibilities and size of the new office be?\n\nA4. The reference to the DHS restructuring around cyber security \nreferred to the subsequent announcement of the creation of the National \nCyber Security Division (NCSD) within the Information Analysis and \nInfrastructure Protection (IAIP) Directorate. The NCSD incorporates \nsome of the operational capabilities of the Federal Computer Incident \nResponse Center (FedCIRC), the National Communications System, and the \nNational Infrastructure Protection Center (NIPC), along with new \nstreamlined and consolidated outreach and awareness capabilities \nrecently formed in the Directorate. The NCSD is adding new capabilities \nfor vulnerability assessments, risk reduction methodologies, threat \nanalysis, and enhancing training and workforce development activities \nin the public and private sectors. At present, it is expected that the \nNCSD will have about 40 FTEs total and a budget of about $86 million, \nincluding the funding for civilian salaries and operating expenses.\n    The Science and Technology Directorate has also organized its cyber \nsecurity research and development with the intent of making it a \nvisible and important component of its total research and development \neffort.\n\nQ5. 
DHS, through its planned work with critical infrastructure \nsuppliers, has an opportunity to connect researchers with companies \nthat have real, unsolved cyber security problems. How will DHS make \nthese connections? How will the issue of sensitive critical \ninfrastructure information be handled in these situations?\n\nA5. The Science and Technology Directorate is establishing a cyber \nsecurity research and development center that will enable partnerships \nwith academia, private industry and national laboratories. A principal \npurpose of this center is to engage the researchers with the product \ndevelopers and accomplish technology transfer to the companies with \nspecific needs. This center will engage the critical infrastructure \ncompanies through mechanisms such as industry associations and \nconsortia, bridging the gap and connecting companies with researchers \nand developers as required. In addition, the IAIP Directorate will be \nthe chief customer to the center and will deliver needs and \nrequirements based on their interaction with the critical \ninfrastructure sectors.\n    The protection of sensitive critical infrastructure information is \nrecognized as an overarching issue of high importance, not only within \nthe context of cyber security R&D but across the Department. In \naccordance with the authorities provided in the Homeland Security Act \nof 2002, the IAIP Directorate developed proposed procedures for \nhandling Critical Infrastructure Information. The procedures detail the \nreceipt, care, storage and marking of the submitted data. These \nproposed procedures were released for public comment and are now \nundergoing final refinement. Once these procedures are finalized, the \nScience and Technology Directorate will adhere to those policies to \nensure that critical infrastructure information voluntarily submitted \nby the private sector is handled appropriately and protected \naccordingly.\n\nQ6. 
How will DHS work cooperatively with other agencies on cyber \nsecurity research and development? Specifically,\n\nQ6a. You testified that a Memorandum of Understanding between National \nInstitute of Standards and Technology (NIST) and DHS will be signed \nshortly. Will DHS provide funding to NIST for specific projects? Are \nthere particular areas in cyber security that you are planning to work \ntogether on?\n\nQ6b. Will DHS provide funding to support existing or new cyber \nsecurity grant programs at the National Science Foundation and the \nDefense Advanced Research Projects Agency?\n\nQ6c. Is DHS drawing on the expertise in the Infosec Research Council \n(IRC) and the High Confidence Software and Systems group within the \nNetworking and Information Technology Research and Development \nInteragency Working Group? How will DHS be interacting with these \ninteragency groups?\n\nA6a,b,c. The Science and Technology Directorate's cyber security \nportfolio manager has been, and continues to be, in dialogue with the \nNational Science Foundation and NIST, both individually and \ncooperatively. NSF, NIST and DHS (S&T) recently agreed to formally \norganize their efforts and work collaboratively to identify the R&D \nagenda appropriate to each agency. As stated previously, proposals are \npending from NIST and others; until these are actual awards, it is not \nappropriate to estimate the amount that will be awarded to NIST. The \nScience and Technology Directorate will provide co-funding to NSF and \nNIST on those programs determined to meet requirements of our \ncustomers. At present, there are no plans to fund new or existing cyber \nsecurity grant programs at the Defense Advanced Research Projects \nAgency (DARPA).\n    The Science and Technology Directorate is also participating with \nthe Infosec Research Council (IRC) where interaction across the \ngovernment cyber security R&D stakeholders is accomplished. 
In \naddition, we participate in the newly established National Science and \nTechnology Council (NSTC) Interagency Working Group on Critical \nInfrastructure Information Protection, created as an interagency R&D \ncoordination working group. The Department of Homeland Security is not \nformally part of the Networking and Information Technology Research and \nDevelopment Interagency Working Group but does interact with the \nrelevant programs through the Infosec Research Council and the \nInteragency Working Group on Critical Infrastructure Information \nProtection.\n\nQ7. The Cyber Security Research and Development Act makes the National \nScience Foundation (NSF) the lead agency for cyber security research \nand development, as Dr. Colwell testified at the hearing. In what ways \nare you interacting with NSF as it acts as the lead agency in this \narea? Does NSF review your budget proposal for programs in this area? \nDoes NSF lead the agencies in a group effort to determine overall cyber \nsecurity research and development priorities, and if so, how?\n\nA7. As mentioned previously, the Science and Technology Directorate \ncoordinates regularly with NSF to understand the existing cyber \nsecurity R&D programs, the agenda and requirements not currently \naddressed, and identify the gaps. These interactions take place via the \ncoordination groups mentioned in the response to the previous question, \nas well as on an individual basis. The Science and Technology \nDirectorate has not relied on the NSF to directly set the agenda for \nDHS's cyber security research and development. Rather, DHS's cyber \nsecurity R&D agenda is being driven by R&D priority areas as determined \nby the Department's mission and scope, e.g., those areas related to the \nneeds and requirements that support the technology necessary for the \nNation's critical infrastructures to operate and provide services.\n\nQ8. 
The Committee believes that it is important to train skilled \nprofessionals to execute information technology security in the private \nsector and at government agencies, as well as scientists and engineers \nto perform cyber security research and development. What do you see as \nparticular workforce needs in cyber security? What actions is DHS \ntaking or planning to take to provide education and training in the \ncyber security area?\n\nA8. The Science and Technology Directorate recognizes the need for \ncyber security experts that are well trained in technology, science, \npolicy and privacy concerns in order to perform the advanced research \nand development of effective tools to protect our information systems \nand networks. Particular workforce needs are wide and varied in this \narea, ranging from programmers and developers that understand and \nrespect cyber security concerns, to network administrators with an \nunderstanding of risk and appropriate security posture. While the \nmission of university education and curriculum development at the \nuniversity level is something that falls more within the scope of NSF \nthan DHS, we hope to play a role in providing information about \nindustry educational needs to NSF. In addition, the S&T Directorate has \na Homeland Security Fellowships/University Program that is specifically \nfocused on encouraging and supporting U.S. students to study and enter \nfields relevant to homeland security; the field of cyber security is \ncertainly one of those fields we will support. The Science and \nTechnology Directorate will cooperate with IAIP, NSF, and the Office of \nPersonnel Management to encourage and facilitate the expansion and \ninterest in the CyberCorps program, the Cyber Defender program, and \nothers that may be identified, to address the Nation's needs for a work \nforce trained adequately to implement effective cyber security programs \nin both public and private sectors. 
By executing its mission well, the \nDepartment's cyber security research and development center will \nattract some of the best and the brightest to this field.\n\nQuestions submitted by Representative Ralph M. Hall, Minority Ranking \n                    Member\n\nQ1. The Department of Homeland Security (DHS) will establish \nperformance criteria for acceptable cyber-protection technologies. What \nexactly will this entail and who will be responsible for certifying \nthat these technologies meet DHS performance criteria? Also, will \ngovernment procurement be limited to technologies that meet these DHS \nstandards?\n\nA1. The Science and Technology Directorate will work with the existing \nprocesses, and particularly with NIST, for the development, review, and \nestablishment of appropriate performance criteria. The Department of \nHomeland Security supports certification by private sector bodies/\nprograms that technologies meet established performance criteria; this \nposition is consistent with existing ``standards/certification'' \nprocesses in other areas. At present, government procurement of cyber-\nprotection technologies is not limited to products that meet specific \ncriteria.\n\nQ2. DHS intends to establish a DHS R&D Cyber Security Center in \ncooperation with NSF and NIST. How much funding will DHS allocate to \nthis Center? What will be the role of NSF and NIST in the Center's \nestablishment?\n\nA2. DHS's Science and Technology Directorate will establish a cyber \nsecurity research center as an organizational entity. Once the center \nis established, we anticipate that a significant portion of the cyber \nsecurity R&D funding will flow through this center. NSF and NIST have \nprovided valuable input in the establishment of the center. The DHS \nScience and Technology Directorate expects to allocate funding of $1 \nmillion to the Center in FY 2003 and $2 million in FY 2004 (these \namounts are approximate until contracting is finalized).\n\nQ3. 
In establishing the near-term research agenda for DHS, which \nindustry sectors did you consult with in developing this agenda, and \nwhat role did industry play in formulating your near-term research \nagenda?\n\nA3. The Science and Technology Directorate developed its near-term \ncyber security research agenda using the areas identified in the \nNational Strategy to Secure Cyberspace and from our chief customer, the \nInformation Analysis and Infrastructure Protection Directorate. The \nNational Strategy to Secure Cyberspace was developed based on extensive \ninteractions with and input from the private sector, including sector-\nspecific industry groups, public town hall meetings, and extensive \ninput received in response to a public draft of the document. \nAdditional input came from interactions with other agencies (such as \nthose through the Infosec Research Council). Subsequent private sector \ninput to cyber security research and development needs and requirements \nwill be sought through the cyber security research and development \ncenter.\n\nQ4. You mentioned in your testimony that your directorate is taking \nsteps to establish key relationships with the major cyber security R&D \norganizations. What are these organizations; are they both governmental \nand in the private sector?\n\nA4. The Science and Technology Directorate interacts regularly with the \ngovernment cyber security R&D organizations both directly and through \ngroups such as the Infosec Research Council and the newly-established \nNational Science and Technology Council (NSTC) Interagency Working \nGroup on Critical Infrastructure Information Protection (IWG on CIIP), \ncreated under the NSTC as an interagency R&D coordination mechanism. 
\nAlthough DHS is not formally part of the Networking and Information \nTechnology Research and Development (NITRD) Interagency Working Group \nProgram crosscut, DHS does interact with the relevant programs in the \nNITRD through the IRC and the IWG on CIIP. Government agencies that we \nhave interacted with include NSF, NIST, Defense Advanced Research \nProjects Agency (DARPA), National Security Agency (NSA), Department of \nEnergy (DOE), Department of Defense (DOD), Office of Science and \nTechnology Policy (OSTP), Advanced Research and Development Activity \n(ARDA), as well as Canada, the United Kingdom, and Australia. We have \nnot yet initiated formal relationships with the private sector; \nhowever, we are planning a workshop to include private companies in \nmid-summer to start this process.\n                   Answers to Post-Hearing Questions\nResponses by Rita R. Colwell, Director, National Science Foundation\n\nQuestions submitted by Chairman Sherwood Boehlert\n\nQ1. In your testimony to the Committee, you said that cyber security \nresearchers will be told about National Science Foundation (NSF) \nfunding opportunities for centers, like the competitions for Science \nand Technology Center grants. However, the Cyber Security Research and \nDevelopment Act authorizes a program specifically for Computer and \nNetwork Security Research Centers. Will NSF run competitions \nspecifically targeted at ``Cyber Security Centers,'' as required by the \nAct?\n\nA1. NSF is currently preparing a program solicitation entitled Cyber \nTrust; we expect that it will be released toward the end of summer, \n2003. The Cyber Trust announcement will solicit proposals describing a \nrange of types, including individual investigator, small group and \ncenter-scale projects. Thus, cyber security centers will be targeted in \nthis competition. 
It is NSF's intent to continue integrating center-\nscale projects into its existing research and education portfolio of \nactivities at a rate that will nurture and sustain the emerging cyber \nsecurity community in academe.\n    Awards made in FY 2004 as a result of the Cyber Trust competition \nwill complement awards in the agency's current cyber security \nportfolio. As the Committee may be aware, NSF is already funding \ncenter-scale cyber security projects. For example:\n\n    An Industry/University Cooperative Research Center (I/UCRC) on \nCyber Protection is currently being supported by an NSF planning grant. \nBuilding on a strong partnership between Iowa State University, \nMississippi State University and the University of Kansas, as well as \nkey industry partners including EDS, MPI Software Technology, and \nAmerInd, this Center is planning to provide one of the first facilities \ndedicated to creating a simulated Internet for the purpose of \nresearching, designing, and testing cyber defense mechanisms. By \nrecreating critical components of the infrastructure, end-users and \ndevelopers will be able to test security configurations and help \nresearchers from a broad range of disciplines examine the policy, \nbusiness, systems, and economic implications of cyber security \ninnovations.\n    The Georgia Institute of Technology's Center for Experimental \nResearch on Computer Systems has two primary intellectual thrusts that \nexamine systems survivability and security issues. The first deals with \nthe development of a secure distributed software infrastructure. The \nsecond thrust deals with adaptive management in distributed systems \nwith a goal of tolerating failures, attacks, or performance overloads \nwhile maximizing system performance. 
This center works closely with the \nGeorgia Tech Information Security Center (GTISC), supporting many of \nthe faculty in GTISC.\n    Although the merit review process is not yet complete for the FY \n2003 ITR competition, it is increasingly likely that several center-\nscale awards will be made in the area of cyber security. If interested, \nwe would be pleased to share these awards with the Committee after they \nare completed.\n    We plan to bring the leaders of these and future center-scale \noperations in the cyber security area together on a regular basis and \nto publicize them as a group. NSF's Cyber Trust portfolio will include \nboth the centers of excellence, as authorized by the Act, and smaller-\nscale projects, including single investigator projects. At NSF we have \nlearned that a variety of coordinated funding approaches is most \neffective in building a strong, coherent research and education \ncommunity.\n\nQ2. The Cyber Security Research and Development Act authorizes NSF to \nrun a broad, cyber security grants program for individual investigators \nand small groups of investigators. You testified about ongoing work in \nthis area and about how cyber security research funding at NSF has \nincreased from $15 million in fiscal year 2002 to $30 million in fiscal \nyear 2003. What is the schedule for awarding the new grants to be made \nfrom the fiscal year 2003 funding and how will proposals be solicited? \nWill there be a competition run specifically in cyber security, or will \nthe cyber security proposals be solicited and evaluated as part of a \nmore general Information Technology Research or Cyber Infrastructure \nsolicitation?\n\nA2. NSF's FY 2003 competitions are drawing to a close at this time. 
\nConsequently, the agency expects to make many new awards between now \nand the end of the fiscal year.\n    During FY 2003, the agency ran several competitions that \nspecifically targeted cyber security; these included the Trusted \nComputing program and the Data and Applications Security program. These \ntwo competitions yielded over 100 proposals. The proposals received \nhave now completed the merit review process and NSF expects to make \nbetween 30 and 40 new awards before the end of this fiscal year.\n    In addition, the agency also emphasized the growing importance of \ncyber security in a number of other FY 2003 solicitations and program \nannouncements, including the Information Technology Research (ITR) \nsolicitation, the Embedded and Hybrid Systems (EHS) program \nannouncement, the Networking Research Testbeds (NRT) program \nannouncement and the NSF Middleware Initiative. Response to these \nsolicitations has been strong in the area of cyber security. If \ninterested, we would be pleased to share these awards with the \nCommittee after they are completed.\n\nQ3. The Cyber Security Research and Development Act emphasizes the \nimportance of workforce development, and the Committee believes that it \nis important to train skilled professionals to execute information \ntechnology security in the private sector and at government agencies, \nas well as scientists and engineers to perform cyber security research \nand development. What do you see as particular workforce needs in cyber \nsecurity?\n\nA3. In order to determine the workforce needs to meet the cyber \nsecurity demands of government and industry, NSF has held and will \ncontinue to hold discussions with the higher education establishment, \nand government and industry IT leaders.\n    In June 2002 the American Association of Community Colleges (AACC) \nhosted an NSF supported workshop on cyber security education. 
This \nworkshop examined the role of the community colleges in the preparation \nof cyber security professionals. As a result of this workshop, NSF has \nincluded cyber security education as a main component of the Advanced \nTechnology Education (ATE) program. Through this program, NSF will be \nfunding two projects related to cyber security, one Center of \nExcellence in Cyber Security Education as well as providing planning \ngrants for two more Centers.\n    NSF and NIST are planning an invitational workshop of academic, \nindustry, and government leaders to help assess the needs and identify \nthe strategies necessary to prepare a world-class cyber security \nworkforce. In order to facilitate educational innovation in cyber \nsecurity, design concepts for new cyber security-related curricula will \nbe devised. Implementation strategies will be discussed to determine \nthe best way to deliver cyber security education to a broad audience.\n    The workshop will focus its efforts on strategies for workforce \ninvestments in cyber security at the undergraduate and doctoral levels. \nIt will also examine implementation strategies to support faculty \ntraineeships in cyber security enabling recent Ph.D. graduates and \ncurrent IT faculty to pursue academic careers in cyber security.\n\nQ4. The Cyber Security Research and Development Act authorizes NSF to \nprovide funding for several activities designed to build this nation's \ncapacity for cyber security education, both of operational cyber \nsecurity professionals and of future cyber security researchers. What \nsteps has NSF taken to execute these programs, specifically:\n\nQ4a. Have programs been started to provide grants to institutions of \nhigher education to establish or improve undergraduate and Master's \ndegree programs in computer and network security and to increase the \nnumber of students in these programs?\n\nA4a. 
NSF has several programs that seek to establish or improve \nundergraduate degree programs in computer and network security, and to \nincrease the number of students in these programs.\n    Based on the recommendations of the AACC workshop, NSF has included \nsecurity education as a major component of the Advanced Technology \nEducation (ATE) program. Through this program, NSF is funding two cyber \nsecurity projects and a Center of Excellence in Cyber Security \nEducation as well as providing planning grants for two Centers.\n    The Center of Excellence in Cyber Security NSF expects to fund in \nthe next two months is a consortium of eight institutions of higher \nlearning (two universities, five community colleges and one technical \ncollege) based in the Midwest. The Center will be funded to develop and \nimplement degree programs in IT Security and Data Assurance \ntechnologies at the certificate, Associate's and Bachelor's level. The \nCenter will also undertake a comprehensive outreach and support program \nto increase the number of students from under-represented groups in IT \nprofessions. In addition, Train-the-Trainer summer workshops will be \ndeveloped for faculty from both two- and four-year institutions \nthroughout the region. This project has been approved for funding but \nhas not yet been announced to the winners.\n    The NSF-CompTIA Cyber Security Fast Track Training and \nCertification Program was initiated this year as a supplemental award \nto an existing grant. This supplemental award extends the mission of \nthe National Workforce Center for Emerging Technologies (NWCET) to \ninclude the Computing Technology Industry Association's (CompTIA) \nSecurity+ certification program for cyber security instructors. The \nsupplemental training program will train and certify 80 faculty from 60 \ncommunity colleges in a four-month period. Participating faculty will \nproduce best practices documentation once they have begun instructing \nstudents. 
This documentation will be disseminated to other faculty via \nthe web.\n    The Federal Cyber Service: Scholarships for Service (SFS) program \nis specifically designed to address cyber security education issues. \nThough it preceded the Act, it does address the law's intentions for \ncapacity building and increased student involvement in cyber security \nthrough awards to some of the country's leading academic institutions. \nSince the inception of the program in mid-2001, SFS has made 19 \nscholarship awards and 35 capacity building awards for a total of about \n$52.9 million. As a result of this investment, the Federal Government \nwill have recruitment access to the pool of 200 students currently \nsupported at the 19 scholarship institutions. By the end of FY 2004, \nNSF expects the pool of students to grow to 350. These individuals will \nall have degrees, BS, MS, or Ph.D.s in cyber security-related fields. \nAll participating institutions have been designated as Centers of \nAcademic Excellence in Information Assurance Education (CAE/IAE) by the \nNational Security Agency or equivalent. Four new schools have just been \naccorded Center status and their students will enter the program \nstarting this fall.\n\nQ4b. Have programs been started to provide grants to institutions of \nhigher education to establish traineeship programs for graduate \nstudents in computer and network security research and to enable these \nstudents to pursue academic careers in cyber security after they \ngraduate?\n\nA4b. NSF's primary support of graduate students in the cyber security \narena is through research assistantship support in cyber security \nresearch and education grants. The increasing number of awards made in \nthis area will support as many as several hundred graduate students in \ncomputer and network security in FY'03. 
It is expected that a \nsignificant percentage of these students will pursue academic careers \nupon graduation with the doctoral degree.\n    In addition to support through research assistantships, graduate \nstudents can also be supported through traineeships and fellowships \nawards via programs such as the Integrative Graduate Education and \nResearch Training (IGERT) and the Graduate Research Fellowships \nprograms. NSF will continue to encourage the submission of cyber \nsecurity traineeship and fellowship proposals through these programs, \nand will fund leading projects as they emerge. However, the agency \nanticipates that, as for other fields of science, graduate student \nsupport will mainly be provided through research assistantships.\n    SFS institutions are supporting graduate students who are uniquely \nqualified to enter academia as the next generation of cyber security \nfaculty members. The program has recently been expanded to include \nactive Ph.D. students. Plans are under development to increase both the \nnumber of yearly graduates and the overall capacity of the national \nhigher education enterprise to produce the most qualified graduates and \npotential new faculty members in the field of cyber security. At the \nsame time, the capacity building awards under SFS include activities \nthat support the development of faculty members with expertise in the \narea of Information Assurance.\n\nQ5. How does NSF work with other agencies that have cyber security \nresearch and development programs?\n\nQ5a. Do you coordinate overall federal goals with the other agencies, \nand if so, can you describe some of the technical milestones or goals \nin workforce development?\n\nA5a. NSF coordinates its investments in cyber security workforce \ndevelopment with other agencies in the following ways:\n\n    The NSF Scholarships for Service program has helped the Federal \nGovernment achieve several milestones that are key to cyber security. 
\nThrough the Federal Cyberservice Initiative, the Federal Government has \nincreased access to talented cyber security students prior to \ngraduation. NSF has coordinated with the National Security Agency (NSA) \nto make capacity building awards to qualified institutions that wish to \nachieve certification as NSA Cyber Security Centers of Excellence.\n    Awardees funded by NSF, NSA and the Department of Defense will come \ntogether at the 2003 Cyber Service/Cyber Corps Student Symposium. The \nSymposium, to be held at Carnegie Mellon University's Center for \nComputer and Communications Security, will allow students to network \nacross programs, as well as with their faculty mentors and senior \nGovernment officials. This coordinated symposium in which the students \ntake center-stage is an example of the success that federal workforce \ndevelopment programs in cyber security are enjoying.\n    NSF is sponsoring a conference focused on cyber security education \nto be held on June 26-28, 2003. The third annual World Conference on \nInformation Security Education (WISE3) will be held at the Naval \nPostgraduate School. The conference brings together leaders in computer \nsecurity education from around the globe. The theme for the conference \nis ``Teaching the Role of Information Assurance in Critical \nInfrastructure Protection.''\n    In conjunction with WISE3, the Workshop on Education in Computer \nSecurity (WECS) will be held in the three days prior (also at the Naval \nPostgraduate School). WECS is an opportunity for educators to learn \nabout fundamentals and recent advances in information assurance and \ncomputer security, and to improve their instructional capabilities in \nthese areas. This annual forum allows instructors to share best \npractices and is a significant achievement in building the capacity of \nthe Nation's cyber security education enterprise.\n\nQ5b. 
Two interagency groups were discussed at the hearing: the Infosec \nResearch Council (IRC) and the High Confidence Software and Systems \ngroup within the Networking and Information Technology Research and \nDevelopment Interagency Working Group. How are these two groups \nrelated?\n\nA5b. The Infosec Research Council (IRC) is an effective knowledge \nsharing body. Though it has no formal charter, the group has served as \nan important technical coordinating organization. Agency \nrepresentatives use this as a forum to discuss security implementations \nand development activities that they are pursuing, which may have \nsynergies with other agencies. This kind of informal coordination leads \nto joint-funded projects and helps to avoid duplication of effort in \nsecurity development and implementation programs.\n    The High Confidence Software & Systems (HCSS) Program Component \nArea (PCA) of the NITRD-IWG concentrates on Research and Development of \ncritical technologies that are needed to enable computer systems to \nachieve high levels of availability, reliability, safety, security, \nsurvivability, protection and restorability of information services. \nThe members of this subgroup take a long-term view. Integrating the \nhigh-confidence attributes that are essential to secure software and \nsystems requires formal scientific design principles, large-scale \ntesting and new diagnostic and forensic tools. The HCSS informs \ndevelopment of the Administration's budget in this PCA.\n    Though the two groups have different mandates, NSF staff are \nactive in both and are working to find synergies along the path from \nresearch to implementation.\n\nQ5c. Do the groups divide up tasks among various agencies? Do they \nmonitor progress in cyber security research and development at the \nagencies?\n\nA5c. Interagency collaboration is well established in the area of cyber \nsecurity. 
Program Officers involved in these interagency working groups \nshare programmatic information and cooperate in jointly funded \nprojects.\n    In addition to the committees that regularly meet to exchange \ninformation and coordinate efforts discussed above, the federal cyber \nsecurity enterprise sponsors workshops and meetings with the research \nand education community. One example of the cooperative effort in place \nis the NSF PI meeting to be held in August 2003. This meeting, held in \ncooperation with the Department of Homeland Security (DHS) and the \nNational Institute of Standards and Technology (NIST), will be open to \nall federal personnel with an interest in cyber security. This kind of \ninteragency information sharing is common and ensures that Program \nOfficers are cognizant of the full federal portfolio of cyber security \nactivity. It allows them to monitor progress made by other federal \nagencies and leverage it to their specific needs.\n\nQ5d. You testified that the High Confidence Software and Systems group \nis working to define the federal portfolio of cyber security research \nand development and will identify gaps. When will that effort be \ncomplete? What follow-up actions will NSF and the other agencies in the \ngroup take?\n\nA5d. The HCSS group, which is co-chaired by an NSF Program Officer, is \napproaching cyber security in the federal portfolio as an ongoing \nprogram. This work has already begun, and though the work will never be \ncomplete (cyber security will be a dynamic, changing research subject \nfor the foreseeable future) that organization will have a consolidated \nportfolio statement that includes new programs to fill gaps in the \ncurrent portfolio by the end of the fiscal year.\n    The agenda will be organized around three interdependent topic \nareas: near-term reduced vulnerability, next-generation embedded \nsecurity, and interoperable migration strategies. 
NSF will seek to \nincrease funding, basing our priorities on the portfolio items that the \ngroup identifies. NSF will then look for opportunities to share funding \nwith the other agencies involved in HCSS, CIIP, and IRC.\n\n                   Answers to Post-Hearing Questions\n\nResponses by Arden L. Bement, Jr., Director, National Institute of \n        Standards and Technology, Technology Administration, U.S. \n        Department of Commerce\n\nQuestions submitted by Chairman Sherwood Boehlert\n\nQ1. The National Institute of Standards and Technology (NIST) has not \nyet begun the grants to institutions of higher education that are \npartnering with companies on cyber security research and development or \nthe re-training fellowships to increase the cyber security workforce, \nboth of which are authorized by the Cyber Security Research and \nDevelopment Act. How much funding would NIST need to implement these \nprograms? Will NIST request these funds for fiscal year 2005?\n\nA1. NIST has provided twelve cyber security research grants in the past \ntwo years: one to the Critical Infrastructure Protection Project; nine \nto various recipients under the NIST 2001 Critical Infrastructure \nProtection Grants Program; and two to the Institute for Information \nInfrastructure Protection (I3P) at Dartmouth College's Institute for \nSecurity and Technology Studies, as described below. Note that, in \naddition, related awards have been made under the NIST Advanced \nTechnology Program and Small Business Innovative Research program.\nCritical Infrastructure Protection Project (CIP Project)\n    The CIP Project is a joint effort of George Mason University and \nJames Madison University to develop a nationally recognized program \nthat fully integrates the disciplines of law, policy, and technology \nfor enhancing the security of cyber networks and supporting the \nNation's critical infrastructures. 
The consideration of all three \ndisciplines--law, policy, and technology--is what makes the CIP Project \nunique. The CIP Project is funded by a NIST FY 2002 grant of $6.5 \nmillion. We expect to provide another $6.5 million in FY03 to fund this \nactivity.\n    The CIP Project's research uniquely and innovatively aligns \nscholarly research with national goals and objectives. Current projects \ninclude the following:\n\n    Economic Incentives for Cyber Security: Working closely with Nobel \nLaureate Vernon Smith, the CIP Project is developing software to \nconduct replicable human use experiments to study how individuals \ncreate markets to share risk through self-insuring cyber networks, \nsecondary insurance markets, contracting, and standards development. \nThere are no similar products available for our nation's critical \ninfrastructure owners.\n    Securing the Internet Infrastructure: The CIP Project is developing \na comprehensive ``map'' of our nation's telecommunications \ninfrastructure and examining how connectivity and performance are \naffected by removal of critical cities (nodes) resulting from physical \nattacks on key infrastructure facilities. Presently, critical \ninfrastructures owners do not have access to such a map for security \nplanning or disaster mitigation.\n    Cyber Attacker Digital Fingerprinting: The CIP Project is \ndeveloping methods to identify cyber attackers based on characteristics \ndiscovered during and after their attacks using data mining tools and \ntechniques. Additional research will examine the complex intellectual \nproperty and privacy implications of this developing technology.\n    Network Security Risk Assessment Model (NSRAM): The CIP Project is \ncreating a tool (the NSRAMT) that will model, detect, and assess \nnetwork vulnerabilities to facilitate enhanced risk quantification, \nintrusion detection, and network security. 
The NSRAMT improves upon \nexisting tools by incorporating the time dimension into the assessment \nof cyber vulnerabilities.\n\nNIST Critical Infrastructure Protection Grants Program\n    In September 2001, NIST awarded $5M to nine grant recipients under \nthe FY 2001 Critical Infrastructure Protection Grants Program (CIPGP) \nto improve the robustness, resilience, and security of information in \nall the critical infrastructures. Under the competitive grant \napplication process, we received 133 proposals requesting roughly $73M \nfrom applicants in both industry and academia. We selected proposals in \nintrusion detection, telecommunications, wireless security, electric \npower infrastructure, and compiler security.\n    Funded research addresses a variety of topics to include tools and \nmethods for analyzing security and detecting attacks due to \nvulnerabilities introduced by merging of data networks (i.e., the \nInternet) and voice networks (i.e., the public switched telephone \nnetwork). Other topics addressed are attack detection for wireless and \nconverged networks, security controls for protecting the North American \npower grid, and methods for evaluating intrusion detection systems.\n    While results are still preliminary from the Grants program and \nsome projects will not be completed due to a discontinuation of program \nfunding, important developments were made in wireless security, \nconverged data/IP networks, and electric power infrastructure security. \nAdditional information is available via \nhttp://csrc.nist.gov/grants/index.html\n\nInstitute for Information Infrastructure Protection (I3P)\n    The Institute for Information Infrastructure Protection (I3P) at \nDartmouth College's Institute for Security and Technology Studies is a \nconsortium of twenty-three academic and not-for-profit research \norganizations focused on cyber security and information infrastructure \nprotection research and development (R&D). 
The I3P helps protect the \ninformation infrastructure of the United States by developing a \ncomprehensive, prioritized R&D Agenda for cyber security and promoting \ncollaboration and information sharing among academia, industry, and \ngovernment. NIST participated in providing input to the I3P's Cyber \nSecurity Research and Development Agenda (January 2003) that identified \nthe following as priority research areas:\n\n        <bullet> Enterprise Security Management;\n\n        <bullet> Trust Among Distributed Autonomous Parties;\n\n        <bullet> Discovery and Analysis of Security Properties and \n        Vulnerabilities;\n\n        <bullet> Secure System and Network Response and Recovery;\n\n        <bullet> Traceback, Identification, and Forensics;\n\n        <bullet> Wireless Security;\n\n        <bullet> Metrics and Models; and\n\n        <bullet> Law, Policy, and Economic Issues.\n\n    Discussion of the I3P's research methodology and details on each of \nthese topics is available in the I3P's R&D Agenda at \nhttp://www.thei3p.org/documents/2003 Cyber Security RD Agenda.pdf\n    The activities of the I3P are supported by NIST grants of $3 \nmillion in FY 2001 and $3 million in FY 2002.\n    While these activities are not specifically identified in the Cyber \nSecurity Research and Development Act, they demonstrate NIST's \ncommitment to cyber security research. NIST will do its best to fulfill \nthe specific requirements of the Cyber Security Research and \nDevelopment Act of 2002 within present resources and through future \nbudget cycles.\n\nQ2. At the hearing, you described the importance of standards for \ninformation security. What are some examples of these standards? How \nwill NIST and the Department of Homeland Security (DHS) be working \ntogether on such standards? Will NIST and DHS be working together on \ncommunications for first responders?\n\nA2. 
Examples of standards that are important for information security \ninclude cryptographic-based standards used for encryption (e.g., \nAdvanced Encryption Standard) and for digital signatures. Although not \nformal standards, other security specifications are also important, \nsuch as recommendations for security settings for specific products and \nfor security features for procured information technology products.\n    When appropriate, NIST and DHS will be working together on these \nstandards and other cyber security standards and specifications through \ncollaborative research and planning, formal exchange of personnel, \nsharing of information, and joint private sector outreach. All of these \nactivities will be facilitated by the recently signed Memorandum of \nUnderstanding between DHS and the Technology Administration (TA) of the \nDepartment of Commerce. NIST and DHS will also be working together on \ncyber security standards and biometrics through the American National \nStandards Institute--Homeland Security Standards Panel (ANSI-HSSP). The \nChief of NIST's Standards Services Division co-chairs the ANSI-HSSP.\n    NIST will work with DHS to ensure that our work is complementary, \nwhile maintaining our necessary independence. Of course, DHS, like all \nother federal agencies, can take advantage of NIST cyber security \nguidelines and standards to protect its sensitive information and \nsystems. Additionally, like other federal organizations, NIST will \ninvite DHS to comment on and review NIST's draft security standards and \nguidelines. Our collaboration is furthered by having DHS membership on \nour Information Security and Privacy Advisory Board.\n    With regard to first responders communications, NIST and the \nDepartment of Homeland Security have already begun to coordinate \nefforts aimed at improving the communications capabilities of first \nresponders. 
NIST's Office of Law Enforcement Standards, in partnership \nwith DHS' Science and Technology Directorate and the National Institute \nof Justice, will be hosting a Summit on Interoperable Communications \nfor Public Safety at the end of June. The goal of the Summit will be to \ngather all of the federal and national programs together that are in \nsome way addressing public safety communications and provide an \nunderstanding on how the various programs inter-relate, thus \nfacilitating improved information sharing, coordination, and focus in \nthis important area. In addition, NIST has been, and will continue to \nwork closely with DHS' SAFECOM program, to provide scientific, \nengineering, and standards expertise to the public safety community.\n\nQ3. The Cyber Security Research and Development Act emphasizes the \nimportance of workforce development, and the Committee believes that it \nis important to train skilled professionals to execute information \ntechnology security in the private sector and at government agencies, \nas well as scientists and engineers to perform cyber security research \nand development. What do you see as particular workforce needs in cyber \nsecurity? What actions is your agency taking or planning to take to \nprovide education and training in the cyber security area?\n\nA3. Workforce needs in cyber security include skilled researchers in \nthe areas of system vulnerabilities and in security technology, \nmetrology, and testing. A larger and more-skilled workforce in the area \nof systems operations, specifically experts that can use today's tools \nand techniques to better secure existing critical systems, is also \nneeded. The range of skills required is discussed in NIST Special \nPublication 800-16. (See http://csrc.nist.gov/publications/nistpubs/\nindex.html) NIST has a role in providing guidance on training; a draft \nNIST guideline is currently out for public review. 
We work with \nuniversities (contributor/evaluator for the NSA Centers of Excellence \nprogram), with industry certification groups, such as International \nInformation Systems Security Certification Consortia, CompTIA, and \nSANS, and with the Federal Information Systems Security Educators \nAssociation to develop training guidelines.\n    NIST provides education and training by hosting various security \nworkshops and conferences in the area of cyber security and related \nfields. For example, we hosted a workshop on advanced public key \ninfrastructure research in April. We are also hosting a workshop on IT \nsecurity and capital planning in June.\n\nQ4. How does NIST work with other agencies that have cyber security \nresearch and development programs?\n\n        a. Do you coordinate overall federal goals with the other \n        agencies, and if so, can you describe some of the technical \n        milestones or goals in workforce development?\n\n        b. Two interagency groups were discussed at the hearing: the \n        Infosec Research Council (IRC) and the High Confidence Software \n        and Systems group within the Networking and Information \n        Technology Research and Development Interagency Working Group. \n        How are these two groups related? Does NIST participate in both \n        groups?\n\n        c. Do the groups divide up tasks among various agencies? Do \n        they monitor progress in cyber security research and \n        development at the agencies?\n\nA4. NIST works with DARPA, NSF, OSTP, OMB, NSA, and a range of other \nfederal and private sector organizations involved in cyber security \nresearch. In the specific area of workforce development, NIST \nparticipates in the Scholarship for Service program by hiring students \nand interns. We assist NSA in reviewing their annual applications for \ntheir centers of excellence designation. 
NIST also has been assigned \nnew responsibilities under the Cyber Security R&D Act for awarding \ncyber security fellowships. In addition, our current CIO recently \nserved a two-year tour as Director of the National Coordination Office \n(NCO) for Information Technology Research and Development, reporting to \nOSTP. The NCO's work involves twelve federal agencies. The High \nConfidence Software and Systems (HCSS) Working Group is the most \nfocused on cyber security issues.\n    NIST participates in both the Infosec Research Council (IRC) and \nthe High Confidence Software and Systems group within the Networking \nand Information Technology Research and Development Interagency Working \nGroup. The IRC serves to share research priorities and activities, \nspecifically in the area of cyber security. As its charter describes:\n\n        ``The INFOSEC Research Council (IRC) consists of U.S. \n        Government sponsors of information security research from the \n        Department of Defense, the Intelligence Community, and Federal \n        Civil Agencies. The IRC provides its membership with a \n        community-wide forum to discuss critical information security \n        issues, convey the research needs of their respective \n        communities, and describe current research initiatives and \n        proposed courses of action for future research investments. By \n        participating in the IRC, sponsors obtain and share valuable \n        information that will help focus their information security \n        research programs, identify high-leverage, high-value research \n        targets of opportunity, and minimize duplication of research. \n        The IRC will be a collective effort for the mutual benefit and \n        collaboration of the participating organizations and is \n        intended to promote intelligent information security research \n        investments. 
While it is understood that each participating \n        agency will have its own research priorities, it is anticipated \n        that the IRC will be able to identify high priority areas of \n        research to develop a common, shared appreciation of the \n        important and challenging information security problems of the \n        day.'' (www.infosec-research.org)\n\n    The NCO's HCSS Working Group is more broadly focused than just \ncyber security: (www.itrd.gov)\n\n        The National Coordination Office (NCO) for Information \n        Technology Research and Development (IT R&D) coordinates \n        planning, budget, and assessment activities for the Federal \n        Networking and IT R&D Program. This 12-agency collaborative \n        effort pioneers fundamental advances in the critical \n        technologies of the Nation's information infrastructure, \n        including high performance computing, large-scale networking, \n        and high assurance software and systems design.\n    The NCO reports to the White House Office of Science and Technology \nPolicy and the National Science and Technology Council (NSTC). The NCO \nworks with the participating federal agencies through the NSTC's \nInteragency Working Group (IWG) on IT R&D and six IWG Coordinating \nGroups to prepare and implement the $2 billion Federal IT R&D budget \ncrosscut. Since no one federal agency cites IT R&D as its primary \nmission, it is vital for agencies to coordinate, collaborate, and \ncooperate to help increase the overall effectiveness and productivity \nof Federal IT R&D. 
The major research emphases of the IT R&D effort are \ncalled Program Component Areas (PCAs).\n    The High Confidence Software and Systems (HCSS) Program Component \nArea (PCA) concentrates on Research and Development into critical \ntechnologies that are needed to enable computer systems to achieve high \nlevels of availability, reliability, safety, security, survivability, \nprotection and restorability of information services.\n\nQ5. The Cyber Security Research and Development Act makes the National \nScience Foundation (NSF) the lead agency for cyber security research \nand development, as Dr. Colwell testified at the hearing. In what ways \nare you interacting with NSF as it acts as the lead agency in this \narea? Does NSF review your budget proposal for programs in this area? \nDoes NSF lead the agencies in a group effort to determine overall cyber \nsecurity research and development priorities, and if so, how?\n\nA5. We meet regularly with NSF personnel via the IRC, as described \nabove. NSF does not review NIST budget proposals. In addition, as \ndiscussed earlier, NIST's current CIO recently served a two-year tour \nas Director of the National Coordination Office (NCO) for Information \nTechnology Research and Development, reporting to OSTP. The NCO's work \ninvolves twelve federal agencies, including NSF.\n\n\n                              Appendix 2:\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n\n\n                              July 8, 2003\n     Current Activities of the National Institute of Standards and \n           Technology in Cyber Security and Related Programs\n\n1. 
Cyber Security Research Grants\n\n    NIST has provided twelve cyber security research grants in the past \ntwo years: one to the Critical Infrastructure Protection Project; nine \nunder the NIST 2001 Critical Infrastructure Protection Grants Program \nand two to the Institute for Information Infrastructure Protection \n(I3P) at Dartmouth College's Institute for Security and Technology \nStudies. Each will be briefly described. Note that, in addition, \nrelated awards have been made under the NIST Advanced Technology \nProgram and Small Business Innovative Research program, but for the \nsake of brevity, they will not be included at this time.\nCritical Infrastructure Protection Project (CIP Project)\n    The CIP Project is a joint effort of George Mason University and \nJames Madison University to develop a nationally recognized program \nthat fully integrates the disciplines of law, policy, and technology \nfor enhancing the security of cyber networks and economic processes \nsupporting the Nation's critical infrastructures. The consideration of \nall three disciplines--law, policy, and technology--is what makes the \nCIP Project unique. The CIP Project is funded by a NIST FY 2002 grant \nof $6.5 million. NIST expects to provide another $6.5 million in FY03 \nto fund this activity.\n    The CIP Project's research agenda serves as a unique and innovative \napproach to aligning scholarly research with national goals and \nobjectives. Current projects include the following:\n\n    Economic Incentives for Cyber Security: Working closely with Nobel \nLaureate Vernon Smith, the CIP Project is developing software to \nconduct replicable human use experiments to study how individuals \ncreate markets to share risk through self-insuring cyber networks, \nsecondary insurance markets, contracting, and standards development. 
\nThere are no similar products available for our nation's critical \ninfrastructure owners.\n    Securing the Internet Infrastructure: The CIP Project is developing \na comprehensive ``map'' of our nation's telecommunications \ninfrastructure and examining how connectivity and performance are \naffected by removal of critical cities (nodes) resulting from physical \nattacks on key infrastructure facilities. Presently, critical \ninfrastructure owners do not have access to such a map for security \nplanning or disaster mitigation purposes.\n    Cyber Attacker Digital Fingerprinting: The CIP Project is \ndeveloping technological methods to identify cyber attackers based on \ncharacteristics discovered during and after their attacks using data \nmining tools and techniques. Additional research will examine the \ncomplex intellectual property and privacy implications of this \ndeveloping technology.\n    Network Security Risk Assessment Model (NSRAM): The CIP Project is \ncreating a tool (the NSRAMT) that will model, detect, and assess \nnetwork vulnerabilities in order to facilitate enhanced risk \nquantification, intrusion detection, and network security. The NSRAMT \nimproves upon existing tools by incorporating the time dimension into \nthe assessment of cyber vulnerabilities.\nNIST Critical Infrastructure Protection Grants Program\n    In September 2001, NIST awarded $5M to nine grant recipients under \nthe FY 2001 Critical Infrastructure Protection Grants Program (CIPGP) \nto improve the robustness, resilience, and security of information in all \nthe critical infrastructures. Under the competitive grant application \nprocess, NIST received 133 proposals requesting roughly $73M from \napplicants in both industry and academia. 
Proposals selected were in \nintrusion detection, telecommunications, wireless security, electric \npower infrastructure, and compiler security.\n    Funded research addresses a variety of topics, including tools and \nmethods for analyzing security and detecting attacks due to \nvulnerabilities introduced by merging of data networks (i.e., the \nInternet) and voice networks (i.e., the public switched telephone \nnetwork). Other topics addressed are attack detection for wireless and \nconverged networks, the development of security controls for protecting \nthe North American power grid, and methods for evaluating intrusion \ndetection systems.\n    While results are still preliminary from the Grants program and \nsome projects will not be completed due to a discontinuation of program \nfunding, NIST will still produce important results especially in the \nwireless area, converged data/IP networks and security of the electric \npower infrastructure. Additional information is available via http://\ncsrc.nist.gov/grants/index.html\nInstitute for Information Infrastructure Protection (I3P)\n    The Institute for Information Infrastructure Protection (I3P) at \nDartmouth College's Institute for Security and Technology Studies is a \nconsortium of twenty-three academic and not-for-profit research \norganizations focused on cyber security and information infrastructure \nprotection research and development (R&D). The I3P helps protect the \ninformation infrastructure of the United States by developing a \ncomprehensive, prioritized R&D Agenda for cyber security and promoting \ncollaboration and information sharing among academia, industry, and \ngovernment. 
NIST participated in providing input to the I3P's Cyber \nSecurity Research and Development Agenda (January 2003) that identified \nthe following as priority research areas:\n\n        <bullet> Enterprise Security Management;\n\n        <bullet> Trust Among Distributed Autonomous Parties;\n\n        <bullet> Discovery and Analysis of Security Properties and \n        Vulnerabilities;\n\n        <bullet> Secure System and Network Response and Recovery;\n\n        <bullet> Traceback, Identification, and Forensics;\n\n        <bullet> Wireless Security;\n\n        <bullet> Metrics and Models; and\n\n        <bullet> Law, Policy, and Economic Issues.\n\n    A substantial discussion about the I3P's research methodology and \ndetails on each of these topics is available in the I3P's R&D Agenda at \nhttp://www.thei3p.org/documents/2003 Cyber Security RD Agenda.pdf\n    The activities of the I3P are supported by NIST grants of $3M in FY \n2001 and a second $3M in FY 2002. NIST expects to provide a third $3M \ngrant in FY 2003 to I3P.\n\n2. National Research Council Study of Network Vulnerabilities\n\n    As called for by CSRDA, NIST is also moving forward with steps to \nfund, in collaboration with DARPA, a National Research Council study to \nreview the vulnerabilities and inter-dependencies in NIST's critical \ninfrastructure networks and identify appropriate research needs and \nassociated resource requirements. NRC colleagues have already \nidentified a study director and are ready to initiate this study.\n\n3. Security of Supervisory Control and Data Acquisition Systems \n                    (SCADA)\n\n    SCADA computerized systems play a key role in controlling \nindustrial processes in the food, pharmaceutical, chemical, and oil and \ngas industries, and other critical sectors of the economy. These \nsystems, typically designed as stand-alone systems, are now often \nnetworked and managed via the Internet. 
This means that they are now \nvulnerable to the same panoply of security vulnerabilities that \nconfront all other Internet-connected systems. NIST's work in this area \nis aimed at building more secure industrial control systems to protect \nagainst threats by terrorists, hackers, disgruntled employees or anyone \nelse intent on harming these vitally important elements of the Nation's \ninfrastructure.\n    For example, in the area of SCADA systems used in electrical power \ngeneration and distribution, legacy systems must be retrofitted with \nsecurity hardware and software. NIST is working with EPRI, the electric \npower industry's research arm, to identify precisely where weaknesses \nexist and to develop security requirements for the real-time systems \nthat control the power grid and other critical industrial processes.\n    In the area of automated building control systems, work is \naddressing the hardening of a host of complex systems that control \nlighting, ventilation, fire alarm and other critical systems. NIST is \nworking with industry to develop security enhancements for building \ncontrol systems and also with the General Services Administration to \nimplement security features in government buildings.\n\n4. Biometrics\n\n    The United States visa issuance and border entry-exit systems are \nrequired to use biometrics to prevent unauthorized persons from \nentering the U.S. through nearly 400 air, sea, and land ports of entry. \nBiometrics are automated methods of recognizing a person based on \nphysical or behavioral characteristics.\n    In response to mandates in the USA PATRIOT Act and the Enhanced \nBorder Security and Visa Entry Reform Act, NIST helped develop a report \nto Congress, submitted jointly by the Departments of Justice and State \nand NIST, on February 4, 2003, in which NIST recommended that at least \ntwo fingerprints and a face image be used as the required biometrics. 
\nThis recommendation was made as a result of biometric tests that used \nhundreds of thousands of samples of real-world data obtained from the \nState Department, the Immigration and Naturalization Service (INS), the \nTexas Department of Public Safety, and the Federal Bureau of \nInvestigation (FBI).\n    NIST has also obtained a system that models the FBI's Integrated \nAutomated Fingerprint Identification System (IAFIS) and has tested this \nsystem. The results provide accuracy measurements of the FBI \nfingerprint matching system, which is also mandated in the PATRIOT Act. \nThese measurements are crucial for determining how to best perform \nbackground checks of foreign nationals applying for visas.\n    NIST has also been working on standards development for biometrics \nto provide inter-operability among different biometric vendors. NIST \ndeveloped and spearheaded the adoption of a standard for inter-\noperability and exchange of fingerprint and facial image information. \nThis standard is mandatory for data exchange between the FBI and state \nlaw enforcement organizations. Working through biometrics standards \ncommittees, NIST is developing image-based standards for face, finger, \nand iris that will lead to inter-operability. NIST is also submitting \nits biometric evaluation methodology as a testing standard to the \nInternational Committee for Information Technology Standards. Finally, \nNIST's testing results are being used to formulate the U.S. position on \nbiometrics with the International Civil Aviation Organization (ICAO), \nwhich establishes international passport standards.\n\n5. Forensics\n\n    Law enforcement officials and cyber security experts need to sort \nthrough the reams of files on computers in a timely manner to find \nevidence of terrorist and other criminal activities and to find \nevidence of cyber security events. Moreover, once digital evidence is \nuncovered, it is in danger of not being accepted in the U.S. court \nsystem. 
In order to enable the investigation and the subsequent \nprosecution in court, computer forensics must be based on sound, \nscientific practices that are produced and validated by neutral third \nparties.\n    In response to this need, NIST, working in partnership with the \nNational Institute of Justice, the FBI, the U.S. Secret Service, the \nU.S. Customs Service, the DOD, and many State and local agencies, has \ndeveloped two computer forensics products: the National Software \nReference Library (NSRL) and the Computer Forensics Tool Testing (CFTT) \nProgram. These products are used daily to help solve thousands of \ncases, including terrorism investigations.\n    Besides helping solve crimes, the products also help defend digital \nevidence that is introduced in court by prosecutors. The first high \nprofile case to address this is the case of alleged terrorist Zacarias \nMoussaoui. As summarized by CNN, ``The (prosecutor's) highly technical \nreport on the computers and e-mail search followed a request by court-\nappointed defense attorneys assisting Moussaoui that computer evidence \nbe authenticated.'' The ``highly technical report,'' filed by the \nGovernment, relies heavily on NIST and specifically references the CFTT \nproject.\n    Cyber security experts outside of law enforcement are also using \nthese tools. The MIT computer security researchers who set out to prove \nthat significant confidential information can be found on discarded \ncomputers used the NSRL as part of their process. They found over 5000 \ncredit card numbers, medical records and a year of ATM transactions. \nSee http://www.msnbc.com/news/859843.asp?cpl=l\n\n6. 
Network Security\n\n    NIST's efforts in Internet security research are focused on both \nnear-term objectives of expediting significant improvements to the \nsecurity and integrity of today's Internet technologies, and longer-\nterm objectives such as exploring the use of quantum information theory \nto develop ultra-secure networking technologies of the future.\n    Our near-term research is directed at working with industry and \nother government agencies to improve the inter-operability, scalability \nand performance of new Internet security systems and to expedite the \ndevelopment of Internet infrastructure protection technologies. NIST \nstaff is actively working with the Internet Engineering Task Force \n(IETF) to design, develop, standardize and test new protocols that will \nmake authentication, confidentiality and integrity services inherent \ncapabilities of all networks based upon Internet technologies. NIST has \ntaken leadership roles within the IETF in the specification of public \nkey infrastructure, network layer security and key management \ntechnologies. Working shoulder to shoulder with industry, NIST is \ncontributing technical specifications, modeling and analysis results, \nresearch prototypes and test and measurement tools to the IETF \ncommunity to expedite the standardization of ubiquitous Internet \nsecurity services and to foster the rapid development of commercial \nproducts.\n    Another area of focus for the near-term efforts is the research and \ndevelopment of technologies to protect the core infrastructure of the \nInternet. NIST is working with the IETF and other government agencies \nto devise means to protect the control protocols and infrastructure \nservices that underlie the operation of today's Internet. 
NIST's \nresearch and standardization efforts in this area include: extensions \nto the Domain Name System (DNS) to add cryptographic authentication to \nthis most basic Internet service, and the design and analysis of \nprotection and restoration mechanisms to improve failure resilience of \ncore switching and routing infrastructures. NIST's future work in this \narea will focus on improving security and resilience of core Internet \nrouting protocols.\n    Looking further into the future, NIST sees the potential for new \ncomputational paradigms to threaten the mathematical underpinnings of \ntoday's cryptographic systems. In response, NIST is conducting research \nin the use of quantum information theory to devise ultra-secure network \ntechnologies that are not dependent upon today's cryptographic \ntechniques. NIST is collaborating with other government agencies in the \ndesign and evaluation of quantum information network technologies, \nranging from physical devices capable of operating on single photons of \na high speed optical link, to next generation quantum key distribution \nprotocols capable of exploiting these physical links to devise provably \nsecure cryptographic techniques.\n\n7. Public Key Infrastructure (PKI)\n\n    In the past NIST has done research on PKI, primarily on effective \nrevocation strategies and strategies for building large heterogeneous \nPKIs; however, today efforts are primarily focused on devising \neffective assurance tests for PKI components and clients. Assurance \ntesting is an important research topic because assurance tests that are \nrepeatable and meaningful provide a means for vendors to improve the \nsecurity quality of their products. 
NIST is attempting to develop \nspecific pass/fail tests and techniques for PKI assurance testing based \non specific test requirements, thereby streamlining PKI security \ntesting as compared to ad hoc conventional security assurance \nevaluation testing that requires a great deal of product-specific \ndesign analysis. There has been some success with this in the Certificate \nIssuing and Management Components (CIMC) protection profile, for \ntesting certification authorities, which breaks new ground in several \nareas. Work is now extending into client testing, which is more \nchallenging and technically complex.\n    NIST also hosts and cosponsors, along with Internet2, an annual PKI \nresearch conference. Recently, informal collaborations were begun with \ninvestigators at the Korean Information Security Agency (KISA). We are \nseeking to invent a secure authenticator for sensitive personal \ninformation in PKI certificates to enable the subject to authenticate \npersonal information if he or she chooses to divulge it.\n\n8. Quantum Information Systems and Quantum Cryptography\n\n    NIST is working on a scalable quantum information network test-bed \nfor research in quantum computing and cryptography. While current \ncryptosystems are extremely hard to break, quantum cryptography has the \npotential to provide truly unbreakable codes. A quantum information \nnetwork is built to exploit the laws of quantum mechanics. Present day \nengineering of computational systems (e.g., clock speed for a \nprocessor, maximum size of memory) and implementation of algorithms \n(including cryptographic algorithms) are limited by the laws of \nclassical mechanics. The results provided by quantum mechanics point \nout the potential for capabilities for computing and communication \nbeyond that theoretically possible with the known laws of classical \nmechanics. 
This is the reason that quantum computation and quantum \ncommunication have become prime areas of research into applications of \nquantum mechanics.\n    NIST seeks to develop an extensible quantum information testbed and \nthe scalable component technology essential to the practical \nrealization of a quantum communication network. Quantum cryptographic \nsystems are the first products of quantum computing research to advance \nto the commercial stage, with two products currently on the market. \nThis market is expected to continue to grow, producing products for \nboth government and commercial use. The testbed will demonstrate \nquantum communication and quantum cryptographic key distribution at a \nhigh data rate. This testbed, once developed, will provide a \nmeasurement and standards infrastructure that will be open to the \nscientific community and will enable wide-ranging experiments on both \nthe physical- and network-layer aspects of a quantum communication \nsystem. The infrastructure will be used to provide calibration, \ntesting, and development facilities.\n    Quantum cryptography offers several advantages over traditional \nmethods, including stronger security, eavesdropping detection, and the \nability to generate and distribute large amounts of keying material \nmore efficiently than conventional key distribution infrastructures. \nNIST has developed a hybrid authentication protocol for quantum \nnetworks, combining conventional and quantum methods. Authentication is \ncritical for commercially viable quantum key distribution. In addition, \nthis research has led to the discovery of serious vulnerabilities in \nmany proposed quantum cryptographic protocols. Lessons learned from \nthis research will assist quantum protocol developers in improving \nsecurity, and provide the basis for incorporating quantum cryptographic \nmodule testing into the NIST Cryptographic Module Validation Program \nfor the FIPS 140-2 standard.\n\n9. 
Wireless Mobile Device Security\n\n    With the trend toward a highly mobile workforce, the acquisition of \nhandheld devices such as Personal Digital Assistants (PDAs) is growing \nat an ever-increasing rate. These devices are relatively inexpensive \nproductivity tools and are quickly becoming a necessity in today's \nbusiness environment. Most handheld devices can be configured to send \nand receive electronic mail and browse the Internet. However, as \nhandheld devices increasingly retain sensitive information or provide \nthe means to obtain such information wirelessly, they must be \nprotected.\n    NIST's efforts to date have focused on improving several aspects of \nsecurity: user authentication, policy enforcement, and wireless \ncommunications. For user authentication NIST has developed a framework \nfor multi-mode authentication that allows more than one authentication \nmechanism to contribute to the verification of a user's identity. For \nexample, a biometric, such as voice input, may be required in \ncombination with a security token, such as a smart card, before a user \nis permitted to access the contents of a device. In addition, NIST has \ninvented a visual means of authentication that is not only easier for \nusers than passwords but also significantly more powerful, and has \ncontributed updates to an open source code initiative that allow smart \ncards to be used on certain handheld devices.\n    For policy enforcement, NIST has developed a system that requires \nusers to present a policy certificate to a device, as a means of moving \nfrom a restricted processing environment to one in which the privileges \naccorded a user via the policy certificate are enabled. Policy rules \ngovern such things as application usage, file access, and \ncommunications interfaces, including wireless communications. 
This \nmechanism allows organization policy controls to be asserted on \nhandheld devices, which typically are at the fringes of an \norganization's influence, and was designed to tie in with emerging \nPublic Key Infrastructures.\n    For wireless communications, NIST has developed a highly-regarded \npublication on Wireless Network Security, aimed at reducing the risks \nassociated with 802.11 wireless local area networks and Bluetooth \nwireless networks that are commonly used with handheld devices. In the \nsix months since its publication, the guideline has been downloaded \nover 120,000 times by users in over 50 countries.\n    Additionally, NIST is actively supporting the standards community \nin moving towards stronger, more robust security by integrating \nstronger, more secure cryptographic algorithms and their associated \nmodes of operation into the next generation of the relevant standards. \nTwo of the NIST 2001 Critical Information Protection Grants were \nawarded in the wireless security area to the University of Pittsburgh \nand the University of Maryland.\n    The University of Pittsburgh's research is studying the interaction \nbetween the survivability and security of wireless information \narchitectures. As part of this research, techniques for evaluating the \nsurvivability of wireless networks were developed, secure wireless \narchitectures were designed, and strategies for meeting survivability \nand security requirements were examined. The impact of security \nservices on performance, energy consumption, speed, and bandwidth was \nalso simulated. The researchers demonstrated the interaction of \nsurvivability and security and proposed methods for measuring and \noptimizing both of these requirements. These results are expected to \nultimately be applied to the design of critical wireless \ninfrastructures.\n    The University of Maryland research is focused on a secure wireless \ntestbed. 
There are several goals of the Secure Wireless LAN/MAN \nInfrastructure testbed. First, the testbed is testing the secure inter-\noperation between a multitude of different wireless equipment--both \ncommercial and developmental. Second, the testbed supports research \ndesigned to address integration issues arising from the new draft \nsecurity architecture for IEEE 802.11 (Enhanced Security Network), as \nwell as security and management issues surrounding scalability, naming, \nand fraud control in wireless metropolitan networks. Finally, the \ntestbed serves as a wireless security training apparatus for students, \nfaculty, and other collaborators.\n\n10. Access Control\n\n    One of the basic tenets of IT security is controlling access to \nvital IT resources. For many years NIST has been actively researching \nmore cost-effective and efficient ways to administer access to critical \nsystem resources. In effect, NIST is answering the question ``who is \nallowed to do what?'' Access control mechanisms can take on many forms. \nRecognizing the inadequacies of traditional, labor-intensive, and \nerror-prone approaches to controlling user access to sensitive \ninformation and the security benefits that could be gained via \nbreakthroughs in access control technology, a NIST research team \ncreated a new approach to controlling user access, called Role-Based \nAccess Control (RBAC). What is most striking about RBAC is its rapid \nevolution from a theoretical model to commercial implementation and \ndeployment. An independent NIST-sponsored economic impact \nstudy, conducted by RTI, estimated that the team's work will soon be \nused by some 30 million users for access to sensitive information \ncontrolled using this technology. RBAC's productivity advantages alone \nare often sufficient to justify its deployment. An outside study by RTI \nestimated that RBAC technology saved U.S. 
industry $671 million, and \nthat NIST was responsible for 44 percent of the savings, giving the \ntaxpayer a 10,900 percent return on investment.\n\n11. Security Guidelines and Standards\n\n    NIST continues to develop standards and guidelines in support of \nits federal responsibilities. Many of these are also used, on a \nvoluntary basis, by organizations in the private sector. Hundreds of \nthousands of copies of NIST guidelines have been downloaded from the \nNIST Computer Security Resource Center. For example, over 400,000 \ncopies of NIST's Contingency Planning Guide for Information Technology \nhave been downloaded since its publication less than a year ago. In \n2002-2003, NIST published the following security guidelines:\n\n        <bullet> Use of the Common Vulnerabilities and Exposures (CVE) \n        Vulnerability Naming Scheme;\n\n        <bullet> Federal S/MIME V3 Client Profile;\n\n        <bullet> Wireless Network Security: 802.11, Bluetooth, and \n        Handheld Devices;\n\n        <bullet> Security Guide for Interconnecting Information \n        Technology Systems;\n\n        <bullet> Security for Telecommuting and Broadband \n        Communications;\n\n        <bullet> Guidelines on Electronic Mail Security;\n\n        <bullet> Guidelines on Securing Public Web Servers;\n\n        <bullet> Systems Administration Guidance for Windows 2000 \n        Professional;\n\n        <bullet> Guidelines on Firewalls and Firewall Policy;\n\n        <bullet> Procedures for Handling Security Patches;\n\n        <bullet> Contingency Planning Guide for Information Technology \n        Systems; and\n\n        <bullet> Risk Management Guide for Information Technology \n        Systems.\n\n    See http://csrc.nist.gov/publications/nistpubs/index.html\n\n    NIST has also published the following draft guidelines for review \nby federal departments and agencies as well as other interested \norganizations and individuals concerning:\n\n        <bullet> Guidelines 
for the Security Certification and \n        Accreditation of Federal Information Technology Systems;\n\n        <bullet> Building an Information Technology Security Awareness \n        and Training Program;\n\n        <bullet> Recommendation on Key Establishment Schemes;\n\n        <bullet> Recommendation on Key Management;\n\n        <bullet> Security Metrics Guide for Information Technology \n        Systems;\n\n        <bullet> Recommendation for Block Cipher Modes of Operation: \n        the RMAC Authentication Mode;\n\n        <bullet> Guide to Selecting IT Security Products;\n\n        <bullet> Guide to IT Security Services;\n\n        <bullet> Security Considerations in Federal Information \n        Technology Procurements; and\n\n        <bullet> Guideline on Network Security Testing.\n\n    See http://csrc.nist.gov/publications/drafts.html\n\n    In addition, numerous NIST Information Technology Laboratory (ITL) \nBulletins have been issued during the last year to provide guidance to \nagencies and others on a broad list of topics.\n\n    See http://www.itl.nist.gov/lab/bulletns/cslbull1.htm\n\n    NIST has also completed the Keyed-Hash Message Authentication Code \nas Federal Information Processing Standard (FIPS) 198 and provided \nthree new secure hashing codes in the enhanced FIPS 180-2. These new \nenhanced secure hashing codes are used to help users create more secure \ndigital signatures. While on the subject of cryptography, late in 2001, \nSecretary Evans approved the Advanced Encryption Standard (or AES) as a \nfederal security standard and it is being actively adopted by voluntary \nstandards bodies and implemented by vendors. In fact, over 70 \ncommercial implementations of the AES have already been validated \nthrough NIST's Cryptographic Module Validation Program. See http://\ncsrc.nist.gov/publications/fips/index.html and http://csrc.nist.gov/\ncryptval/aes/aesval.html\n\n12. 
Reducing Vulnerabilities Through Security Testing\n\n    Both research and security testing can help reduce vulnerabilities \nin the commercial IT products used to support the Nation's critical \ninfrastructures.\n    Research on identifying and correcting information technology \nvulnerabilities is urgently needed. When new technologies are \nidentified that could potentially influence customers' security \npractices, NIST researches the technologies, their potential \nvulnerabilities and also works to find ways to apply new technologies in \na secure manner. The solutions that NIST develops are made available to \nboth public and private users. Some examples are methods for \nauthorization management and policy management, ways to compensate for \ndeficiencies in current wireless security standards, and ways to \nimplement cryptography. Research helps us find more cost-effective ways \nto implement and address security requirements.\n    Security testing complements security standards by providing \nconsumers with confidence that security standards and specifications \nare correctly implemented in the products that they buy. Implementing \ncryptography correctly and securely can be complicated. However, unless \nit is correctly implemented, it may provide no protection. Therefore, \nin conjunction with the Government of Canada's Communication Security \nEstablishment, NIST operates the Cryptographic Module Validation \nProgram, which helps ensure correct and secure implementation of NIST's \ncryptographic standards. The Cryptographic Module Validation Program \nhas now validated over 500 modules with another 100 or more expected \nwithin the next year. This successful program utilizes private-sector \naccredited laboratories to conduct security conformance testing of \ncryptographic modules against the cryptographic federal standards NIST \ndevelops and maintains. 
The testing by the laboratories and NIST's work \nwith Canada involves access to unclassified public algorithms and test \nsuites, and not to any Federal Government operational cryptographic \nkeys or classified information. Besides many organizations in the \nfinancial sector, two major U.S. corporations, Boeing and VISA, see \nsuch value in the testing program that they now require \nCMVP-validated cryptographic modules to protect their sensitive \ninformation. The Government of the United Kingdom has also officially \nrecognized CMVP-validated modules for use in their agencies.\n    To give a sense of the quality improvement that the program \nachieves, consider that statistics from NIST's testing laboratories \nshow that 48 percent of the modules brought in for voluntary testing \nhad security flaws that were corrected during testing. In other words, \nwithout NIST's program, the Federal Government would have had only a \n50/50 chance of buying correctly implemented cryptography!\n    In addition, in recent years NIST has worked to develop the \n``Common Criteria'' (ISO/IEC 15408), which can be used to specify \nsecurity requirements. These requirements are then used by private-\nsector laboratories, accredited by NIST, for the voluntary evaluation \nof commercial products needed for the protection of government systems \nand networks. This work is undertaken in cooperation with the Defense \nDepartment's National Security Agency in our National Information \nAssurance Partnership (NIAP). You may be aware that the National \nStrategy to Secure Cyberspace calls for a review of the NIAP. Staff \ndiscussions have begun with NSA to identify ways that might improve the \nprocess, through research and process changes, and to understand the \nresources needed for NIAP to fully succeed.\n\n13. 
Security Awareness and Outreach\n\n    Timely, relevant, and easily accessible information to raise \nawareness about the risks, vulnerabilities and requirements for \nprotection of information systems is urgently needed. This is \nparticularly true for new and rapidly emerging technologies, which are \nbeing delivered with such alacrity by industry. NIST also hosts and \nsponsors information sharing among security educators, the Federal \nComputer Security Program Managers' Forum, and industry. NIST actively \nsupports information sharing through conferences, workshops, web pages, \npublications, and bulletins. Finally, NIST also has a guideline \navailable to assist agencies with their training activities and is an \nactive supporter of the Federal Information Systems Security Educators' \nAssociation.\n    NIST sponsors the web-based Computer Security Resource Center \n(CSRC) to provide a wide range of security materials and information to \nthe community and link to the Federal Computer Incident Response Center \nat DHS and other emergency response centers. CSRC now has over 20 \nmillion ``hits'' annually. On CSRC, one of the most popular resources \nis the NIST-developed web-based tool known as ICAT that allows users to \nidentify (and then fix) known vulnerabilities for their specific \nsoftware. ICAT provides links to vendor sites at which the users can \nobtain patches to fix these vulnerabilities. This is important because \nmany computer break-ins exploit well known vulnerabilities. Over 5500 \nvulnerabilities are now catalogued in this NIST on-line database that \nreceives over 200,000 hits per month. See http://icat.nist.gov/icat.cfm\n\n14. Security Assessment Guideline and Automated Security Self-\n                    Evaluation Tool (ASSET)\n\n    The Chief Information Officers Council and NIST developed a \nsecurity assessment Framework to assist agencies with a very high level \nreview of their security status. 
The Framework established the \ngroundwork for standardizing on five levels of security and defined \ncriteria agencies could use to determine if the levels were adequately \nimplemented. By using the Framework levels, an agency can prioritize \nagency efforts as well as evaluate progress. Subsequently, NIST issued \na more detailed security questionnaire that most agencies used in 2001 \nto conduct their program and system reviews. Last year, in cooperation \nwith OMB, a PC-based automated version of the security questionnaire \nwas developed and made available for use by agencies in 2002 to collect \nthis information for annual agency security reporting to OMB.\n\n15. Federal Agency Security Practices Website\n\n    NIST recently inaugurated the Federal Agency Security Practices \n(FASP) website (http://csrc.nist.gov/fasp/), building upon past \nsuccessful work of the Federal CIO Council's Best Security Practices \npilot effort to identify, evaluate, and disseminate best practices for \nCIP and security. NIST was asked to undertake the transition of this \npilot effort to an operational program. As a result, NIST developed the \nFASP site, which contains agency policies, procedures and practices; \nthe CIO pilot best practices; and, a Frequently-Asked-Questions \nsection. Agencies are encouraged to share their IT security information \nand IT security practices and submit them for posting on the FASP site. \nOver 80 practices are now available via the site. Some practices have \nbeen modified so as not to identify the specific submitting agencies.\n    In accordance with tasking to NIST under FISMA, discussions are now \nunderway to develop a similar web-based service to share security \npractices from private-sector organizations.\n\n16. 
IT Product Security Configuration Checklists\n\n    The CSRDA tasked NIST with developing IT product security \nchecklists that provide settings and option selections that minimize \nthe security risks associated with each computer hardware or software \nsystem that is, or is likely to become, widely used within the Federal \nGovernment. In response, there are plans to hold a public workshop to \nfocus on developing a standardized checklist template to structure \nconfiguration and related information. Vendors, agencies, and other \nreputable sources can use the template to construct and submit \nchecklists that will populate a NIST public web-based repository. It \nshould be noted that because of vendors' unique expertise, experience, \nand understanding of the security of their products, voluntary \nparticipation by vendors in this effort will be particularly sought and \nvalued. The workshop will also serve to publicize NIST's plans to \nobtain checklists and make them available via the CSRC website. NIST \nwill also be crafting ground rules for the selection and rejection of \nsubmitted checklists. Discussions have already taken place with \nrepresentatives of DISA, NSA, NASA, and GAO regarding initial plans and \nto gain their valuable feedback. 
NIST hopes to hold the next checklists \npublic workshop later this summer and unveil this new service by the \nend of the year.\n\n</pre></body></html>\n"