[House Hearing, 108 Congress]
[From the U.S. Government Printing Office]




                                 of the


                               before the

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION


                             JULY 22, 2003


                           Serial No. 108-18


    Printed for the use of the Select Committee on Homeland Security

 Available via the World Wide Web: http://www.access.gpo.gov/congress/


98-150 PDF                WASHINGTON : 2005
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


                 CHRISTOPHER COX, California, Chairman

JENNIFER DUNN, Washington            JIM TURNER, Texas, Ranking Member
C.W. BILL YOUNG, Florida             BENNIE G. THOMPSON, Mississippi
DON YOUNG, Alaska                    LORETTA SANCHEZ, California
Wisconsin                            NORMAN D. DICKS, Washington
W.J. (BILLY) TAUZIN, Louisiana       BARNEY FRANK, Massachusetts
DAVID DREIER, California             JANE HARMAN, California
DUNCAN HUNTER, California            BENJAMIN L. CARDIN, Maryland
SHERWOOD BOEHLERT, New York            New York
LAMAR S. SMITH, Texas                PETER A. DeFAZIO, Oregon
CURT WELDON, Pennsylvania            NITA M. LOWEY, New York
CHRISTOPHER SHAYS, Connecticut       ROBERT E. ANDREWS, New Jersey
DAVE CAMP, Michigan                    District of Columbia
LINCOLN DIAZ-BALART, Florida         ZOE LOFGREN, California
BOB GOODLATTE, Virginia              KAREN McCARTHY, Missouri
PETER T. KING, New York              BILL PASCRELL, JR., New Jersey
JOHN LINDER, Georgia                 DONNA M. CHRISTENSEN,
JOHN B. SHADEGG, Arizona               U.S. Virgin Islands
MARK E. SOUDER, Indiana              BOB ETHERIDGE, North Carolina
MAC THORNBERRY, Texas                CHARLES GONZALEZ, Texas
JIM GIBBONS, Nevada                  KEN LUCAS, Kentucky
KAY GRANGER, Texas                   JAMES R. LANGEVIN, Rhode Island
PETE SESSIONS, Texas                 KENDRICK B. MEEK, Florida

                      JOHN GANNON, Chief of Staff

         UTTAM DHILLON, Chief Counsel and Deputy Staff Director

               DAVID H. SCHANZER, Democrat Staff Director

                    MICHAEL S. TWINCHEK, Chief Clerk



                    MAC THORNBERRY, Texas, Chairman

PETE SESSIONS, Texas, Vice Chairman  ZOE LOFGREN, California
LAMAR SMITH, Texas                   ROBERT E. ANDREWS, New Jersey
CURT WELDON, Pennsylvania            SHEILA JACKSON-LEE, Texas
DAVE CAMP, Michigan                  DONNA M. CHRISTENSEN,
ROBERT W. GOODLATTE, Virginia          U.S. Virgin Islands
PETER KING, New York                 BOB ETHERIDGE, North Carolina
JOHN LINDER, Georgia                 CHARLES GONZALEZ, Texas
MARK SOUDER, Indiana                 KEN LUCAS, Kentucky
JIM GIBBONS, Nevada                  JAMES R. LANGEVIN, Rhode Island
KAY GRANGER, Texas                   KENDRICK B. MEEK, Florida


                            C O N T E N T S



The Honorable Mac Thornberry, Chairman, Subcommittee on 
  Cybersecurity, Science, and Research and Development, and a 
  Representative in Congress From the State of Texas.............     1
The Honorable Christopher Cox, Chairman, Select Committee on 
  Homeland Security, and a Representative in Congress From the 
  State of California
  Oral Statement.................................................     3
  Prepared Statement.............................................     4
The Honorable Dave Camp, a Representative in Congress From the 
  State of Michigan
The Honorable Donna M. Christensen, a Delegate in Congress From 
  the U.S. Virgin Island.........................................    45
The Honorable Bob Etheridge, a Representative in Congress From 
  the State of North Carolina....................................    43
The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island.................................    37
The Honorable Sheila Jackson-Lee, a Representative in Congress 
  From the State of Texas
  Oral Statement.................................................    48
  Prepared Statement.............................................     5
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California............................................     1
The Honorable Ken Lucas, a Representative in Congress From the 
  State of Kentucky..............................................    47
The Honorable Pete Sessions, a Representative in Congress From 
  the State of Texas.............................................    34


Steven Bellovin, Ph.D., Technical Leader and Fellow, AT&T 
  Oral Statement.................................................    17
  Prepared Statement.............................................    19
Shankar Sasry, Ph.D., Chairman, Department of Electric 
  Engineering and Computer Systems, University of California, 
  Oral Statement.................................................     6
  Prepared Statement.............................................     8
Mr. Daniel G. Wolf, Information Assurance Director, National 
  Oral Statement.................................................    21
  Prepared Statement.............................................    24



                         Tuesday, July 22, 2003

                     U.S. House of Representatives,
            Subcommittee on Cybersecurity, Science,
                      and Research and Development,
                     Select Committee on Homeland Security,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:05 a.m., in 
Room 2118, Rayburn House Office Building, Hon. Mac Thornberry 
[chairman of the committee] presiding.
    Present: Representatives Thornberry, Sessions, Camp, Cox 
[ex officio], Lofgren, Jackson-Lee, Christensen, Etheridge, 
Lucas, and Langevin.
    Mr. Thornberry. The hearing will come to order. This 
oversight hearing of the Subcommittee on Cybersecurity, 
Science, and Research and Development will hear today on the 
topic of ``Cybersecurity--Getting It Right.'' This is the next 
in a series of hearings that this subcommittee has had on 
cybersecurity. We have had virtually unanimous recommendations 
from previous witnesses that, among other things, research and 
development is a key role for the Federal Government. And we 
are here today to hear from some outstanding witnesses to help 
guide us in that research and development for the future.
    Before proceeding further, let me turn to the distinguished 
Ranking Member of this subcommittee, the gentlelady from 
California, for any opening comments she would like to make.
    Ms. Lofgren. Thank you, Chairman Thornberry, for scheduling 
this hearing today and for your wonderful leadership of this 
    When the subcommittee was formed back in February, Chairman 
Thornberry and I met to discuss our common agenda and 
priorities. And at that meeting we both agreed that the 
subcommittee should spend considerable time studying incredibly 
complex sets of issues surrounding cybersecurity, and we 
decided to embark on a mission to educate and inform the 
members of the subcommittee. We felt the need to establish a 
knowledge base before we attempted to tackle any possible 
policy directives or legislative initiatives.
    Soon after our initial meeting, we began this educational 
process. At our first meeting, we heard from Dr. Charles 
McCreary on the work being done within the Science and 
Technology Directorate at the Department of Homeland Security. 
Soon after that, we began a series of hearings on the 
cybersecurity issue. First, we looked into threats, 
vulnerabilities, and possible responses to cyber attacks. Last 
week, we heard from industry leaders on their experiences.
    In addition to these hearings, we have held several 
briefings on cyber issues, including a classified briefing on 
cyber threats. Chairman Thornberry and I have also had 
individual meetings with academics, business leaders, and 
public policy experts. All of these meetings and hearings have 
been quite informative, and helped the members of this 
committee to get a handle on the scope of the issues we face. I 
believe that this subcommittee is beginning to have a solid 
understanding of the cyber question, and I am sure we are going 
to build on this foundation today.
    Today, we will explore the research agenda that will help 
us to better secure cyberspace. Our panelists represent 
academia, the national security community, and industry, and 
all are well-versed on cyber issues. Scientific research and 
innovative technology may hold some of the most promising 
solutions to our IT vulnerabilities, and I believe that we can 
stay one step ahead of hackers and cyber terrorists if 
government works in a coordinated way with the private sector.
    I look forward to learning more about the advanced 
technology programs that currently exist and the ones that need 
to receive higher priority and funding. I want to hear about 
the current efforts to share information between the private 
sector, the government, and academia. Government, and this 
subcommittee in particular, should play a role in helping these 
diverse entities work together to reduce all our 
vulnerabilities and better secure cyberspace.
    I am looking forward to hearing from all of our witnesses 
today, but I especially want to welcome and thank Dr. Shankar 
Sastry, Chairman of the Electrical Engineering and Computer 
Sciences Department at UC-Berkley. I have had the pleasure of 
discussing these issues with Dr. Sastry before, and I 
appreciate you coming all the way to be with us here today.
    Finally, as I mentioned in my opening statement at last 
week's hearing, I have great concerns about the Bush 
administration's cybersecurity program. In the last 6 months, 
the most senior Bush administration cyber officials have left 
the government. These individuals include Richard Clark, the 
Special Advisor to the President for Cybersecurity; Howard 
Schmidt, the Vice Chair of the President's Critical 
Infrastructure Board and Clark's replacement; Ron Dick, the 
Chairman of the NIPC; and John Tritak, Director of CIAO. The 
last two organizations are part of the National Cybersecurity 
Division at DHS which was created on June 6th of this year. To 
date, no director has been named for this division. The NCSD is 
located within the DHS Information Analysis and Infrastructure 
protection directorate, reporting to the Assistant Secretary 
for Infrastructure Protection. Some cybersecurity-related R&D 
activities, however, will take place within the DHS Science and 
Technology Directorate.
    I believe that this situation where it is buried within the 
bureaucracy is questionable, and that once a person is finally 
chosen to lead the division, he or she may not receive the 
high-level access to Secretary Ridge and the White House that 
is warranted.
    The House is going to adjourn at the end of this week for 
the summer district work period, and when we return in the 
fall, I look forward to hearing directly from the Department of 
Homeland Security on their cybersecurity agenda.
    I thank Chairman Thornberry for scheduling this hearing, 
and I thank him for his leadership and for working so well and 
honestly with me. And I thank you, too, our witnesses, for 
their testimony, and finally to the committee staff for their 
outstanding work.
    Mr. Thornberry. Let me thank the gentlelady, and express 
agreement with the concerns that she has raised. We will be 
hearing from the Department of Homeland Security when we 
return, and this committee as well as the full committee, I 
know, will be certainly engaged with them.
    The Chair is going to yield his time for an opening 
statement to the distinguished chairman of the full committee, 
the gentleman from California, Mr. Cox.
    Mr. Cox. I thank the Chairman and the Ranking Member. And I 
will be brief, because we have an excellent panel of witnesses 
today and I, like you, am anxious to hear from them. I want to 
thank you both for organizing today's hearing and for your 
continued diligence in examining the cyber threat, and for this 
subcommittee's focus on the Department of Homeland Security's 
mission to counter this new and worrisome threat. I would also 
like formally to thank our witnesses for making the time to be 
with us today.
    Just as our focus on science, including notably the 
Manhattan Project, contributed to our victories in World War II 
and in the Cold War, a similar comprehensive commitment to 
scientific inquiry, to basic research, and to the development 
of innovative technologies is necessary if we are going to win 
the current war on terrorism. For that reason alone, the cyber 
challenge in particular requires a mobilization of the American 
scientific community.
    As recently reported by the National Research Council, the 
United States information system vulnerabilities from the 
standpoint of both operations and technology are growing faster 
than the country's ability, if not willingness, to respond. 
This is a critical fault that we have got to address, because 
technology is at the center of our economy, our civilian and 
defense critical infrastructure, our communications systems, 
and indeed every aspect of our way of life.
    Superior technology will, therefore, be at the heart of our 
efforts to prevent and to deal with cyber attacks. We must 
leverage our superior research community resources to address 
risks and harden our critical physical and electronic 
    Under Chairman Thornberry's leadership, this subcommittee 
has held three hearings and a productive half-day workshop on 
this issue. During these hearings, representatives from 
industry, government, and academia have confirmed our 
understanding the gravity of the cybersecurity threat and of 
the importance of the Department of Homeland Security's role in 
addressing it.
    The workshop held yesterday morning, which was co-sponsored 
by the Congressional Research Service staff, not only 
accentuated the threat, but stressed the importance of the 
public-private partnership in developing solutions. Today's 
hearing will increase our appreciation for the research being 
done to address the cyber threat. Each of our witnesses today 
represents a different facet of the cyber research community.
    The Department of Homeland Security, to be effective in its 
analytic and policy mission, must have a clear understanding of 
the best research being done and where it is going. In 
exercising oversight, this committee will want to measure the 
Department's progress over time in coordinating governmentwide 
cyber programs, in advancing research and development efforts 
to reduce cyber vulnerabilities, in improving our capabilities 
to respond to attacks, and in accelerating our efforts to 
promote computer security awareness training across the 
    I look forward to hearing from our witnesses about research 
priorities, both in the Federal Government and in the private 
sector and in academia, and about ways that the Department of 
Homeland Security can support and capitalize on your efforts.
    Mr. Chairman, thank you again for your personal commitment, 
and also our Ranking Member for your personal commitment and 
for your exemplary performance and the performance of this 
subcommittee on this issue. I yield back.
    [The information follows:]


    I would like to thank Chairman Thornberry and Ranking Member 
Lofgren for organizing today's hearing, for their continued diligence 
in examining the cyber threat, and for their focus on the Department of 
Homeland Security's mission to counter this new and worrisome threat. I 
would also like to thank the witnesses for making the time to share 
their valuable insights with us today.
    As many of you know, the Manhattan Project, launched in 1942, 
marked the establishment of a sustained and successful U.S. nuclear 
science program that grew stronger and stronger in subsequent years. 
This focus on science contributed to our victory in World War II and in 
the Cold War. The current War on Terrorism requires a similar 
comprehensive commitment to scientific inquiry, to basic research, and 
to the development of innovative technologies.
    Today, the cyber challenge in particular requires a similar 
mobilization of the American scientific community. Technology is at the 
center of our economy, our critical infrastructure, our communication 
systems, and our way of life. Superior technology will be at the heart 
of our efforts to prevent a cyber attack. We must leverage our superior 
research community resources to address risks, and harden our critical 
physical and electronic infrastructure.
    Under Chairman Thornberry's leadership, this Subcommittee has held 
three subcommittee hearings and a productive half-day workshop on this 
issue. During these hearings, representatives of the industry, 
government and academia have confirmed our understanding of the gravity 
of the cybersecurity threat and of the importance of the Department of 
Homeland Security's role in assessing it. The workshop held yesterday 
morning, which was cosponsored by the Congressional Research staff, not 
only accentuated the threat, but stressed the importance of the public-
private partnership in developing the solution.
    Today's hearing will increase our appreciation for the research 
being done to address the cyber threat. Each of our witnesses today 
represents a different facet of the cyber research community. The 
Department of Homeland Security, to be effective in its analytic and 
policy mission, must have a clear understanding of the best research 
being done and where it is going. In exercising oversight, the Select 
Committee will want to measure the Department's progress over time in 
coordinating government-wide cyber programs, in advancing research and 
development efforts to reduce cyber vulnerabilities, in improving our 
capabilities to respond to attacks, and in accelerating our efforts to 
promote computer security awareness training across the country.
    I look forward to hearing from our witnesses about research 
priorities, and about ways that the Department of Homeland Security can 
support your efforts. Mr. Chairman, thank you again for your personal 
commitment and for the exemplary performance of your subcommittee on 
this issue.


    Mr. Chairman and Mr. Ranking Member, I thank you for convening this 
hearing today so that we can take another step toward securing our 
homeland. Today's hearing, ``Cybersecurity: Getting It Right,'' gives 
the Members of this Subcommittee another opportunity to explore the 
difficult and ever-changing technology sector, and to hear more 
invaluable testimony on protecting our information infrastructure.
    A common question in our cybersecurity efforts is the issue of 
information sharing. The technology industry is highly competitive and 
also highly lucrative. Technology companies that develop innovative 
ideas can earn millions, if not billions, of dollars. Therefore, there 
is a substantial interest on the part of the corporation to keep the 
innovation for themselves and reap all of the financial benefits. In 
the general market for software and hardware development, research and 
development secrecy is an expected part of our capitalist economy. In 
the national cybersecurity arena, however, failure to share information 
may result in our information infrastructure being more vulnerable to 
cyber attacks. It is imperative to national security that the 
technology sector shares the information that will protect our 
information infrastructure. It is equally imperative that the Members 
of Congress pass legislation that promotes information sharing while 
protecting the intellectual property of our technology companies.
    In order for innovations to be shared the innovations must be 
developed. The research and development aspect of national 
cybersecurity must be fostered to protect our homeland. As the 
capabilities of the Internet and the remainder of our information 
infrastructure expands, so too do the capabilities of cyber-terrorists. 
The complexity of recent computer viruses and the speed with which they 
spread across our information infrastructure illustrates the formidable 
task our country faces combating cyber-terrorists. Developing the 
technologies to counter cyber attacks will be an on-going endeavor. 
Each advancement in computer technology will bring advancements in the 
capabilities of cyber-terrorists. New technological defense methods 
will be required through research and development in order to 
adequately protect our information infrastructure.
    Research and development will also be needed to detect and 
apprehend those responsible for cyber-terrorist attacks. The nature of 
the information infrastructure allows criminal actors to operate 
anonymously. Often the perpetrators of cyber-crimes are not located and 
are left free to attack our information infrastructure again in the 
future. If America's cyberspace is to be protected we must be able to 
locate the perpetrators of cyber-attacks and also develop intelligence 
methods to detect attacks before they occur. Our national research and 
development efforts will also be critical to stopping cyber-crimes 
before they occur.
    Mr. Chairman and Mr. Speaker, the task before this Subcommittee is 
great. Achieving full cybersecurity for our Nation's critical 
information infrastructure is important for the full operation of our 
education system, federal, state, and local governments, our financial 
system, our travel system and every other segment of our society. The 
Internet has become an integral portion of the daily operation of all 
of these segments. One successful cyber-attack could have devastating 
consequences. I look forward to hearing the testimony of our witnesses 
today, and I thank them for their attendance. I hope that their wisdom 
will bring us closer to securing our information infrastructure.

    Mr. Thornberry. The Chair thanks the gentleman, and would 
also join in thanking the Congressional Research Service, Eric 
Ficsher and his staff, and the folks who participated in 
yesterday's workshop. It really was an outstanding group.
    Now, again let me thank each of our witnesses for taking 
time to be with us today. We will first hear from Dr. Shankar 
Sastry, Chairman of the Department of Electrical Engineering 
and Computer Science from the University of California at 
Berkley. Thank you for being with us today, sir. And you are 
recognized for 5 minutes.

                      CALIFORNIA, BERKELEY

    Mr. Sastry. Thank you very much, honorable Chairman 
Thornberry, honorable Ranking Member Lofgren, and distinguished 
members of the Subcommittee on Cybersecurity, Science, and 
Research. Thank you very much for the opportunity to testify 
    I would like to testify about areas for investment in 
cybersecurity, science, research and development, some priority 
areas for funding, and the role of university, industry, the 
venture community, and government partnerships in bringing 
secure and trusted systems to the marketplace.
    By way of background, I should say that I served as 
Director of the Information Technology Office at DARPA from 
September 1999 to February 2001. My areas of research are in 
embedded and autonomous software, complex infrastructure 
systems, and secure network embedded systems.
    Let me start with my perceptions of the current funding of 
cybersecurity research. The most sustained funding for 
cybersecurity research to date has been through the Department 
of Defense. In DOD, the largest pool for funding for research 
has been through DARPA, though there have been some important 
research initiatives also through the National Security Agency.
    The programs have been in three generations. The first 
generation is to prevent intrusions, and there have been a 
number of successes that have come out of this, including 
several sets of cryptographic tools, access control, and 
multiple levels of security.
    In the second generation, if intrusions happen, how does 
one detect them and how does one limit damage? Examples of 
successful products that came out of this: firewalls, boundary 
controllers, intrusion detection systems, virtual private 
networks, and a public key infrastructure.
    In the third generation, which we are now in the midst of, 
the goal is to operate through attacks. And these goals are 
intrusion tolerance and graceful degradation. In my opinion, 
this is the space that we need to be in to be able to have 
critical infrastructure systems that can weather attacks.
    From its high watermark of close to $100 million of 
research funding per year for information assurance and 
survivability research, IA&S, in 2000 the funding for 
unclassified IA&S research has decreased significantly in the 
following years. While it is understandable that there are 
important other priorities in DOD for more focused efforts on 
command and control networks and other sensitive DOD networks, 
I feel that, given the scope and magnitude of research that 
remains to be done, it is critical that the burden of 
supporting cybersecurity research be picked up by other 
    Of course, I also feel that, given the newest generations 
of manned and unmanned and autonomous systems in the DOD such 
as the UCAV and in Future Combat Systems and so on, it would 
also be in the interest of DOD not to scale back its 
unclassified programs a great deal.
    The National Science Foundation. I feel the NSF has been 
proactive in taking steps to boost funding for cybersecurity 
research by setting up new programs in trusted computing, and 
in secure network embedded systems, which is under planning, 
networking research, and more recently test beds for 
    Department of Homeland Security. It is our understanding 
that the Science and Technology Directorate is planning an 
initiative in cybersecurity and is organizing program 
management structures for cybersecurity research centers. The 
Congress and the administration should be lauded for having 
taken the visionary step of having formed the Homeland Security 
Advanced Research Projects Agency, HSARPA, along the DARPA 
model. In addition, I feel that the idea of having HSARPA work 
with procurement and operational branches of the DHS to 
evangelize the adoption of new cyber secure software and 
systems is a very attractive one. If such a model was 
successful, it would be useful in reforming possible changes in 
procurement and operational concept transformation in DOD as 
well. The community has felt a great deal of enthusiasm about 
this potential outcome. The outcome we feel would be best 
achieved if the research centralized in the S&T Directorate at 
HSARPA interacted directly with the procurement and operational 
needs of the IAIP, Border and Transportation Security, and the 
Emergency Preparedness Directorates.
    However, a necessary condition for an outcome is an 
adequate outlay of funds for research and development coupled 
with acquisitions. In my opinion, the level of investment needs 
to be somewhere in the range of 100 to $200 million per year, 
and we base this number on a road map for research and 
cybersecurity which we have developed and is present in the 
full testimony. In the interest of time, I will just talk a 
little bit about a few highlights of the funding gaps in 
research priorities for cybersecurity.
    The technology needs may be classed into the following 
categories: unsolved difficult research problems and 
information assurance and survivability--and a number of these 
are taken from the so-called Infotech Research Council hard 
problems list, and they are listed in my testimony.
    The second one is about technologies for strong security 
with strong privacy. The technology needs for strong privacy 
are completely compatible with the technology needs for strong 
security. So some examples are selective revelation, where the 
goal is to minimize revelation of personal data while 
facilitating analysis through the approach of partial 
incremental revelation of data. Others include strong audit. 
And also, rule processing technologies for checking compliance 
with privacy rules.
    In addition, I feel that the emerging infrastructure of the 
future will be based on wired and wireless network devices 
ubiquitously embedded in the environment to provide so-called 
sensor webs of information for monitoring and controlling 
infrastructure. We need to take steps today to start securing 
    And, finally, the last set of problems comes in under the 
title of validated modeling, simulation and visualization of 
critical infrastructures and their interdependencies.
    Mr. Chairman, am I out of time? Or--.
    Mr. Thornberry. The gentleman's 5 minutes has expired. The 
Chair is somewhat lenient with time, however. The gentleman may 
proceed and conclude his remarks.
    Mr. Sastry. Thank you very much, Mr. Chairman. Perhaps in 
the interest of time, let me sort of say--to go to the last 
part of my testimony and talk a little bit about a model for 
public-private partnerships for rapid technology transfer in 
    I think there is clearly a need for cybersecurity research 
and development, but even more immediate and pressing is the 
need for transitioning this. The most common complaints that 
one hears from vendors and service providers are as follows: No 
one pays for security. Will the Federal Government play the 
role of market maker in the early adoption of security 
products? Is there sufficient demand to stimulate new companies 
around new ideas in cybersecurity? Who will provide road maps 
to help the investment by established companies and the venture 
community in cybersecurity products?
    So a fundamental organizational problem that exists today 
is the lack of mechanisms for filling in the gap between the 
end of successful Federal projects. And I feel that a lot of 
the Federal investment to date has indeed been a success, but 
there is a problem in transitioning from the end of a 
successful Federal project to the venture community and 
industry in the form of products.
    Research prototypes need to be hardened, tested on large-
scale test beds, informed and customized by the customer base 
before we get these into the marketplace. And I feel that the 
role of public-private partnerships and perhaps the nonprofit 
sector is in filling this gap between the end of a successful 
research program and industry and venture update.
    And let me just conclude by saying that there are exemplars 
of successful such partnerships which have been formed by the 
legislation of this Congress, and so those are in the 
semiconductor industry. In the semiconductor industry, both the 
SIA, the Semiconductor Industry Association, and the SRC, the 
Semiconductor Research Consortium, have facilitated both the 
funding of rapidly transitioned research to the semiconductor 
industry and led the continual development of road maps for the 
electronics industry. DOD funding, both from OSD and DARPA from 
the earliest days of this research, has been instrumental in 
maintaining a strategic national component both for 
competitiveness as well as for maintaining U.S. superiority in 
a vital sector.
    My own sense is that nonprofits are the same ilk as the SIA 
and SRC. With the same kind of partnership, DHS and DOD could 
play an important role in developing a mechanism for rapid 
transition of focused research and road mapping for industry in 
the investment community.
    Thank you very much, Mr. Chairman, for your indulgence. 
Thank you very much for the opportunity to testify. We are 
really delighted as a community to see your attention to all of 
these important issues. Thank you very much.
    [The statement of Dr. Sastry follows:]


    Honorable Chairman Thornberry, Honorable Ranking Member Lofgren, 
and members of the subcommittee on Cybersecurity, Science, and 
Research, thank you for the opportunity to testify today, regarding 
areas for investment in cybersecurity research and development, 
priority areas for funding, and the role of university-industry-
venture-government partnerships in bringing secure and trusted systems 
to the market place. By way of background, I should say that I am 
currently the Chairman of Electrical Engineering and Computer Sciences 
at the University of California, Berkeley where I have been a professor 
for over 20 years. I have also served on the faculties of the 
Massachusetts Institute of Technology (1980-1982), where I began my 
academic career as an Assistant Professor, and Harvard University where 
I was a Gordon Mc Kay chaired professor in 1993-1994. From November 
1999 to March 2001, I served as the Director of the Information 
Technology Office (ITO) of the Defense Advanced Research Projects 
Agency (DARPA) in the DoD. The responsibilities of this office included 
planning and managing the investment in all areas of information 
technology, including the information assurance and survivability 
portfolio of programs. My areas of research are embedded and autonomous 
systems and software, complex infrastructure systems, secure networked 
embedded systems, and high confidence systems and software. I have 
recently led the organization of a collaborative multi-university 
cybersecurity research consortium named, and a testbed for network 
defense called the national cyber Defense Technology Experimental 
Research network (DETER).

To answer the questions asked by you, I will divide my testimony into 
the following areas:
        1. Current Funding of Cybersecurity Research,
        2. Research Gaps and Funding Priorities for Cybersecurity 
        3. A collaborative university research program in Ubiquitous 
        Secure Technologies led by Berkeley partnered with Stanford, 
        Cornell, Vanderbilt, Carnegie Mellon, and San Jose State 
        Universities, and Smith College,
        4. Testbeds for Cybersecurity,.
        5. A model for public-private partnerships for rapid technology 
        transfer in Cybersecurity

              1 Current Funding of Cybersecurity Research

There has been Federal funding of Cybersecurity research thus far 
primarily by the Department of Defense and the National Science 
Foundation, though there has also been some research funded by NIST, 
Department of Energy and NASA as well. The community has followed with 
interest the testimony given by the DARPA Director, the NSF Director 
and Undersecretary for Science and Technology at DHS to the House 
Science Committee. The community feels grateful to the House Science 
Committee, its staff and its Chairman, the Honorable Mr. Bohlert, as 
well as this Subcommittee on Cybersecurity, Science and Research and 
Development, its Chairman, the honorable Mr. Thornberry and ranking 
member the Honorable Ms. Lofgren for their close attention to the needs 
of cybersecurity research. I will limit my own remarks to the 
perceptions of the community and also my own experience with helping to 
manage the cybersecurity portfolio at DARPA.
Department of Defense. The most sustained funding for cybersecurity 
research to date has been through DoD. In DoD, the largest pool of 
funding for research has been through DARPA, though there have been 
important research initiatives that have been managed by the National 
Security Agency. Some very important University Research Initiatives in 
Critical Infrastructure Protection (CIP-URI) were funded through DDR&E 
as five-year programs primarily in 2001. Modest 6.1 core programs in 
cybersecurity research at AFOSR, ARO and ONR also exist. The 
Information Assurance and Survivability (IA&S) programs at DARPA are 
the largest and most successful Federal investment to date. This suite 
of programs has gone through three generations listed below with some 
exemplars of successful outcomes:
        1. 1st Generation (Prevent Intrusions): Trusted Computing Base, 
        Access Control, Cryptographic Tools, Multiple Levels of 
        2. 2nd Generation (Detect Intrusions, Limit Damage): Firewalls, 
        Boundary Controllers, Intrusion Detection Systems, Virtual 
        Private Networks, Public Key Infrastructure
        3. 3rd Generation (Operate Through Attacks) Goals are Intrusion 
        Tolerance, Graceful Degradation, Big Board View of Attacks, 
        Security Tradeoffs and Metrics, and hardening of the core 

The first generation was aimed at preventing intrusions as much as 
possible, the second generation with detecting intrusions when they 
occur and limiting the amount of damage that they cause. The third 
generation of programs, which is most critical to critical 
infrastructure protection, consists of developing the ability to 
operate through attacks without failing catastrophically. A very large 
number of existing security solutions were developed by companies 
either as spin-offs of DARPA research or as an integral part of DARPA 
research programs in Generations 1 and 2. We are currently in the 3rd 
generation of programs and a research and development base has been 
energized to address what remain as difficult technical problems in 
IA&S. From its high watermark of close to $ 100M of funding for IA&S in 
2000, the funding for unclassified IA&S research at DARPA has decreased 
significantly in following years. The DARPA investment has also had the 
extremely desirable effect of involving the Service Laboratories (such 
as AFRL and Navy SPAWAR), and the services operational commands in 
bringing their requirements to the community. While it is 
understandable that there are other important priorities in the DoD for 
more focused efforts in IA&S for command and control and other 
sensitive DoD networks, given the scope and magnitude of research that 
remains to be done in cybersecurity, it is critical that the burden of 
supporting cybersecurity research be picked up by other agencies. In 
addition, given the important strategic nature of IA&S research for new 
and emerging DoD systems, including the newest generations of unmanned 
and autonomous systems (such as the UCAV and in Future Combat Systems), 
it would not be in the interests of DoD to scale back its unclassified 
programs a great deal.

National Science Foundation NSF has been proactive in taking steps to 
boost funding for cybersecurity research by setting up new programs in 
Trusted Computing and in Secure Network Embedded Systems (under 
planning), networking research, and testbeds for cybersecurity. These 
investments, primarily in the Directorate of Computer and Information 
Science and Engineering (CISE) have been timely and strategic. 
Nonetheless it is the perception of the community that the level of 
funding for cybersecurity and Critical Infrastructure Protection could 
be greater. A point about the synergy between funding between DARPA and 
NSF is in order here. From the early days of networking when NSF picked 
up the ARPA net and helped fund it while it grew into the modern 
Internet, and early DARPA funding on high performance computing was 
sustained by NSF funding, there has been a rich legacy of cooperation 
in funding information technology research between the two agencies on 
Fairfax Avenue in Arlington, Virginia. It would be extremely desirable 
to have this synergistic relation continue in the area of 

Department of Homeland Security. It is our understanding that the 
Science and Technology Directorate of DHS is planning its initiative in 
cybersecurity and is organizing program management structures for 
cybersecurity research centers. The Congress and the administration 
should be lauded for having taken the visionary step of having formed 
the Homeland Security Research Projects Agency along the DARPA model. 
In addition, the idea of having HSARPA work along with procurement and 
operational branches of the DHS to evangelize the adoption of new 
cybersecure software and systems is a very attractive one. Such a 
model, if successful, would be very useful in informing possible 
changes in procurement and operational concept transformation at the 
DoD as well. The community has felt a great deal of enthusiasm about 
this potential outcome. The outcome would be best achieved if research 
centralized in the Science and Technology Directorate, at HSARPA, 
interacted directly with the procurement and the operational needs of 
each of the Information Analysis and Infrastructure Protection (IAIP), 
Border and Transportation Security, and the Emergency Preparedness 
Directorates. There are some synergies to be gained for example by 
engaging with the research needs of the National Communication Systems, 
with road-mapping activities for cybersecurity, or by using secure 
sensor webs for border patrol and monitoring programs

However, a necessary condition for such an outcome is an adequate 
outlay of funds for basic research and development coupled with 
acquisitions. In my opinion the level of investment needs to be 
somewhere in the range of $100-200 M per year. I base this number on a 
roadmap for research in cybersecurity, which we have developed (details 
are included in the next section of this testimony). I feel that the 
DARPA model is an especially appropriate model for funding research and 
development in cybersecurity. Once again HSARPA may wish to involve 
groups in the other directorates the way DARPA involves service 
laboratories and commands as ``agents'' for contracting the work and 
thereby helping the transition of research into products. Thus, one 
could view customers in the IAIP Directorate helping program managers 
in HSARPA shape the programs for their needs. While HSARPA will need to 
have programs that have short term and intermediate term payoff, one 
can visualize the role of the NSF in helping HSARPA as an executive 
agent in its early years while it is being fully configured. In the 
steady state a relationship between HSARPA and NSF along the lines of 
the DARPA-NSF model would be highly desirable, with NSF providing 
longer term sustained funding.

Other Agency Funding for Cybersecurity. Since the needs of different 
mission agencies in cybersecurity are somewhat different it would be 
important to have funding from NASA, DoE, and other mission agencies 
for their own needs. Additionally the role of the National Institute of 
Standards and Technology (NIST) could be an important one in managing 
testbeds, whetting and developing cybersecurity standards and best 
practices. NIST has also been an important executive agent for managing 
DoD programs and could continue to do so for DHS.

        2 Funding Gaps and Research Priorities for Cybersecurity

        The technology recommendations for suggested areas of funding 
        given here were developed by a group of researchers, industry 
        participants and the venture community over the last two years 
        in a series of workshops, meeting and studies:
        1. 25th June 2002, Meeting with a large sample of participants 
        from Venture firms, DoD; OSD, DARPA, ONR, NSA, the President's 
        Critical Infrastructure Protection Board, large industry 
        participants such as IBM, HP, Oracle, Symantec, Microsoft, 
        Intel, non profits such as SRI, I3P, hosted by me in Palo Alto
        2. 18th September 2002, Meeting with industry leaders and Mr. 
        Richard Clarke Head of the President's Cyber Security 
        Protection Board on the details of the Presidential 
        Cybersecurity Plan held at Palo Alto.
        3. 19-20 September 2002. Sztipanovits (Vanderbilt), Stankovic 
        (Virginia), and I ran the NSF/OSTP workshop on New Technologies 
        for Critical Infrastructure Protection and Cybersecurity in 
        Leesburg, Virginia with technology recommendations for the 
        White House Office of Science Technology and Policy. OSTP 
        report of this workshop will be released shortly.
        4. October 7-8 Workshop on Testbeds for Security, Squires 
        (Chief Scientist of HP) led a meeting on networking research 
        5. August 2001, NSF Workshop on New Directions in Security, 
        Doug Tygar, Berkeley
        6. August 2002, DARPA Information Sciences and Technology study 
        on Security with Privacy, Doug Tygar.
While the whole list of participants is too long to list, I would 
especially like to acknowledge the help of former colleagues at DARPA, 
Terry Benzel, Doug Tygar, and Ruzena Bajcsy of the University of 
California Berkeley, Janos Sztipanovits of Vanderbilt University, Jack 
Stankovic of the University of Virginia, Teresa Lunt of PARC (formerly 
Xerox PARC), Pat Lincoln and Victoria Stavridou of SRI, Patrick Scaglia 
and Steven Squires of HP, Robert Morris of IBM, David Tennenhouse of 
Intel, Jerry Fiedler of Windriver Systems for their help in developing 
these recommendations.

Computer trustworthiness continues to increase in importance as a 
pressing scientific, economic, and social problem. The last decade has 
seen a rapid increase in computer security attacks at all levels, as 
more individuals connect to common networks and as motivations and 
means to conduct sophisticated attacks increase. In today's environment 
there is heightened awareness of the threat of well-funded professional 
cyber hackers and the potential for nation-state sponsored cyber 
warfare. Cyber attacks are increasingly motivated by the financial gain 
and global politics. A parallel and accelerating trend of the last 
decade has been the rapidly growing integration role of computing and 
communication in critical infrastructure systems, such as financial, 
energy distribution, telecommunication and transportation, which now 
have complex interdependencies rooted in information technologies. 
These overlapping and interacting trends force us to recognize that 
trustworthiness of our computer systems is not an IT issue anymore; it 
has a direct and immediate impact on our critical infrastructure. 
Security is often a collective enterprise, with complicated 
interdependencies and composition issues among a variety of 
participants. This poses a challenge for traditional competitive 
economic models. Clearly there is an acute need for developing much 
deeper understanding of and scientific foundation for analyzing the 
interaction between cyber security, critical infrastructure systems and 
economic policy.

The fundamentals of reliable infrastructure have not been adequately 
worked out for complex networks of highly interacting subsystems, such 
as the power grid and the airspace-aircraft environment. These are 
complex, often dynamically reconfigured, networks. The primary 
challenge for future generations of these systems is to provide 
increasingly higher efficiency, while assuring joint physical and 
logical containment of adverse effects. Increasingly, autonomous but 
cooperative action is demanded of constituent elements. Examples 
include the technology needed to support aircraft in high-capacity 
airspace, enabling the execution of parallel landing patterns under 
terminal area control. A deregulated power grid draws new market 
participants. These new players may produce highly variable efficiency, 
potentially adverse environmental effects, and they may pose hazards to 
system-wide stability. This trend towards autonomous, cooperative 
action will continue, with the demands of current and next-generation 
systems for open, interoperating, and cooperating systems. The 
achievement of a satisfactory level of interoperable functionality is 
both enabled by, and dependent upon, advances in information and 
control infrastructure for coordinated operation. Furthermore, entirely 
new capabilities, such as networks of devices for pervasive sensing and 
actuation are becoming viable, and the control and communication 
technologies for their effective use must be fully developed and 
integrated into distributed infrastructure systems.

Although reference frequently is made to the next generation of 
technologies as ``intelligent agent'' systems or self-healing or self-
reconfiguring or autonomic systems, this terminology conceals a complex 
of carefully integrated systems and software concerns. There is no 
panacea; services must be carefully engineered from the ground up in 
order to safely support a facade of highly autonomous action. Advances 
in software and information technology have improved the potential for 
a better substrate for future, more reliable infrastructures. The 
technology needs may be classed into the following categories:

1. Unsolved Difficult Research Problems in Information Assurance and 
Survivability. The areas of research highlighted here are:
        a. Intrusion and Misuse Detection: methods need to be 
        automatic, predictive, have a low false alarm rate, and 
        possibly identify the adversary.
        b. Intrusion and Misuse Response: methods should provide a 
        shared situational awareness, automatic attack assessment, a 
        dynamic reconfiguration of the system and possibly an automated 
        counter attack.
        c. Security of foreign and malicious code: desired attributes 
        for systems that protect against malicious mobile code include 
        confinement of access and capability and encapsulation of the 
        d. Controlled sharing of information: the ability to 
        dynamically authorize the sharing of information and automated 
        data tagging.
        e. Distributed Denial of Service (DDoS) and Worm Defense: 
        solutions are needed for modeling, measurement and analysis of 
        attacks, detection of the attacks, attribution, dissipation of 
        the attack, and possible retribution.
        f. Secure Wireless Communications
        g. New and Emerging Challenges
                i. Peer to peer computing
                ii. Security in ubiquitous and nomadic computers
                iii. Human factors and ergonomics in security
                iv. Networks surveillance and hygiene
                v. Insider threat detection, monitoring and response

2. Technologies for Strong Security with Strong Privacy
        a. Selective Revelation: the goal here is to minimize 
        revelation of personal data while facilitating analysis through 
        the approach of partial, incremental revelation of data.
        b. Strong Audit: the goal here is to protect abuse by watching 
        the watchers: everyone is subject to audit, there is cross-
        organizational audit, and usage records are tamper proof. 
        Possible new technologies include encrypted searches and 
        c. Rule processing technologies: there is need for a formal 
        language for expressing privacy rules and tools for automated 
        checking of compliance, a privacy toolbar for helping users. A 
        related technology is the one needed for digital rights 

3. Secure Network Embedded Systems. The emerging infrastructure of the 
future will be based on wired and wireless networked devices 
ubiquitously embedded in the environment to provide ``sensor-webs'' of 
information for monitoring and controlling infrastructure networks. The 
embedded software, which will be present in these complex systems, 
needs to have the following attributes:
        a. Automated Design, Verification and Correctness by 
        Construction. A large number of infrastructures suffer from 
        being difficult to configure correctly and the resulting 
        glitches are frequently as serious as cyber attacks. In 
        addition they need to be fault tolerant: such systems are 
        referred to as High Confidence Systems.
        b. Layered Security for Embedded Systems: the defenses need to 
        be in depth to protect from attacks from the physical layer up 
        through the applications layer:
                i. Physical Layer: protection from attacks like jamming 
                and tampering
                ii. Link Layer: protection from unfairness and over 
                frequent collisions of packets
                iii. Networks and Routing Layer: protects from attacks 
                due to greed, homing, misdirection and black holes.
                iv. Transport Layer protection from attacks such as 
                flooding and desynchronization.

4. Validated Modeling, Simulation and Visualization of Critical 
Infrastructures and their Interdependencies
        a. Tools for the assessment of the level of risk
        b. New modeling and simulation tools for complex systems
        c. Development of simulation testbeds for teaming exercises, 
        response preparation and assessment.

  3 A Collaborative University Research Program in Ubiquitous Secure 

Here I describe a sample collaborative university research program that 
is focused at research problems in many of the areas described above. 
It is important to note that activities of this scale need to be 
engaged in by the scientific community in groups rather than as 
individual institutions. At Berkeley we have found it important to 
build such partnerships and consortia for research and development. We 
have put together a team of some of the strongest research universities 
led by Berkeley and including Stanford University, Vanderbilt 
University, Cornell University, Carnegie Mellon University, along with 
San Jose State University, Smith College, Fiske University to develop a 
Team for Research in Ubiquitous Secure Technology (TRUST) to radically 
transform the ability of organizations (software vendors, operators, 
local and federal agencies) to design, build, and operate trustworthy 
information systems for our critical infrastructure. TRUST will bring 
together a research team with proven track record in relevant areas of 
computer security, systems modeling and analysis, software technology, 
economics, and social sciences. The research team will be advised and 
supported by vendors of information technology and critical 
infrastructure (utility, telecommunication, finance, and 
transportation) protection providers and stakeholders.

                     3.1 Technical Research Program

Our multidisciplinary approach allows solutions to emerge from an 
integrated of view of computer security; software technology, analysis 
of complex interacting systems, and economic policy in the following 

Composition and computer security--Computer security attacks today 
occur on a minute-by-minute basis. Organizations producing individual 
components, such as routers or central office switches, have 
increasingly devoted energy to protecting those components against 
attack. However, protection of individual components does not always 
result in protection of the entire systems: different machines and 
different systems running on a single network often have complex 
interdependencies--and a malicious attacker can exploit those 
interdependencies for example in denial of service attacks, inter-
machine authentication failures, and routing disruptions. Attackers can 
attack systems where different software programs must interact on a 
single operating system (examples include e-mail with attachments 
leading to e-mail worms, buffer-overflow problems caused by unexpected 
use of software function libraries, and windowing systems displaying 
bogus, malicious systems messages.) Modularization can increase the 
problem: when common IT components are integrated with specialized 
applications and embedded systems, deep knowledge of the underlying 
computational model is needed to avoid vulnerability. TRUST will bring 
together an integrated scientific approach to composition and computer 

Privacy--As a large amount of commercial and communication activity has 
moved to the Internet and World Wide Web, privacy concerns have 
increased both for individual users and organizations. Users perceive 
they have little control over information, and often those perceptions 
are correct--organizations are unable to accurately describe policy 
procedures and privacy-information crimes such as identity theft have 
increased sharply. Even disclosure of apparently innocuous information, 
such as an e-mail address, leads to unsavory activities, such as spam, 
which in turn can grow to a magnitude that can cause systemic problems. 
Organizations also have a need for privacy--not only to protect their 
customers, but also in cross-organizational exchanges including 
auctions and communications. Privacy is a challenging problem because 
when information is shared (laterally, between organization, or 
vertically, between different subsystems) each of the individual 
components involved in the sharing, the mechanism for sharing, and the 
consequences of the sharing, all present opportunities for invading 
privacy. Issues related to privacy emerge as a result of interaction 
between technology and economic policy, such as in online bidding on 
energy markets or dynamic allocation of the frequency spectrum. To 
tackle privacy, TRUST will develop solutions to the complex tradeoff 
between technology, economic policy and security. This will require a 
new look at the fundamental underpinnings of information management, 
storage, and retrieval.

Critical infrastructure protection--Critical infrastructure systems are 
large networks that move energy, information and material. Information 
technology is used to monitor, control and manage these systems by 
means of vast networks of computing equipment. Faults caused by natural 
disasters or malicious attacks can cause these networks to completely 
fail, leading to widespread damage. Critical infrastructure protection 
requires making systems that are highly robust and available in the 
presence of hostile attacks. TRUST will approach computer security from 
a holistic systems view, considering a union of concerns including 
physical design, performance, power consumption, reliability and 
others. For example, we don't just consider secure and highly available 
communication between sensor devices and SCADA (Supervisory Control And 
Data Acquisition) centers, TRUST will consider the potential impact of 
feasible security attacks on the power distribution network, and the 
impact of signal encryption on feedback control loops. Anecdotal 
evidence and the findings of more systematic red team activities such 
as the Joint Chiefs' Eligible Receiver program, strongly suggest that 
the United States is highly vulnerable to attacks on its critical 
infrastructure--including key utilities (gas, water, and energy), 
communications services, finance, transportation, medical coordination, 
government services, and emergency services. Even in a single 
organization, such as a national telecom service provider, critical 
infrastructure protection is difficult, because these systems are 
highly complex and involve so many components that even their designers 
cannot understand all the interactions. The interaction of different 
critical infrastructure systems, and their interaction with public 
(critical or non-critical) systems, creates complex dependencies and 
control paths. Today, we have no good way of detecting these 
interdependencies, although hackers have proven themselves highly 
capable of finding attack opportunities and exploiting subtle 

TRUST will take a systems view which raises a broad set of trust 
questions: they range from protecting individual privacy to protecting 
large complex interacting critical infrastructure, from embedded 
systems to networks, and they have a strong focus on security problems 
arising from composition. Not only is a large effort necessary to take 
the broad view--and to anchor this view in the context of large-scale 
operational environments - but this work requires strength from a wide 
variety of disciplines both inside computer science (cryptography, 
programming languages, distributed systems, networking, human-computer 
interfaces, logic and model checking, configuration, software 
engineering, etc.) and outside computer science (economics, policy, 
law, statistics).

           3.2 Economics, Public Policy, Societal Challenges

Solutions to today's problems are an essential requirement to 
fulfilling the vision of ubiquitous computing. Many of today's security 
vulnerabilities in networked embedded systems and SCADA are very 
specialized and hence visible to only a few. However, as society 
increasingly employs the use of software agents to control and organize 
multiple aspects of day-to-day life these security vulnerabilities will 
become impediments to their widespread adoption. A vision for the 
future of information technology in society, implies that the presence 
of ubiquitous computing will bring with it access to interfaces that 
will become part of every day interchange for a wide class of citizens.

Investigations need to be directed so as to lend maximum benefit to 
social questions such as those in the area of economics and incentives. 
These are particularly pressing as questions of liability and insurance 
are moved up in the nations business and legislative agenda. Issues of 
liability have become an important topic given the cost of security 
incidents. Economic and legal analysis suggests that a due care 
standard provides appropriate incentives, but how should the standard 
be set in practice? Without a clear understanding of sufficient 
standards or best practices, insurance companies do not have a clear 
basis on which to offer insurance policies covering security incidents. 
The interaction between liability, insurance, and care has been 
examined extensively in the law and economics literature. However, new 
questions that arise in the context of information security as 
"accidents" are often deliberate attacks. Hence an analysis of the 
incentive of attackers must be better understood and modeled. In 
addition to these incentive problems, there are also a number of purely 
economic issues that need to be better understood. How can one quantify 
the benefits and costs from various security policies? How do public 
and private security policies interact? What are the nature and size of 
``transactions costs'' associated with security? TRUST will address 
these questions in the course of our effort. It is anticipated that the 
research results will provide a solid basis for the establishment of 
policies, procedures and eventually case law for industry and 
government in managing the risk of computer security incidents.

                       3.3 Education and Outreach

American prosperity in the new millennium and increasing national 
security concerns make it important to increase the number of students 
who will join the nation's technical enterprise as researchers. This is 
crucial in the cyber security space as there is currently a severe 
shortage of trained scientists (and almost no women and minorities) in 
the information security field. Additional need arises from our 
concerns about the ``weakest link'' of security. If even one user makes 
a serious error, it can endanger all the systems connected to his or 
her machines. We have a need to raise the level of security awareness 
of all people who use computers and depend on their results--namely, 
all citizens. TRUST brings a strong focus on educational outreach 
activities through its members many activities. Educational activities 
will be integrated with TRUST research, through graduate programs, 
summer programs and directed research projects with under represented 
educational institutions.

                           4 Testbed Research

As discussed earlier, over the past ten years,there has been an 
increasing investment in research aimed at developing cyber security 
technologies, by government agencies (NSF, DARPA, DoD) and by industry. 
However, the Nation still lacks large-scale deployment of security 
technology sufficient to protect our vital infrastructure. One 
important reason is the lack of an experimental infrastructure for 
developing and testing next-generation cyber security technology. 
Neither existing research network infrastructures (Abilene, vBNS) nor 
the operational Internet meet this need, due to the inherent risks of 
testing malicious behavior in operational networks. New security 
technologies have been tested and validated only in small- to medium-
scale private research laboratories, which are not representative of 
large operational networks or of the portion of the Internet that might 
be involved in a security attack.

To fill this critical gap, we will build an experimental infrastructure 
network to support the development and demonstration of next-generation 
information security technologies for cyber defense. This cyber Defense 
Technology Experimental Research Network (DETER Network) funded jointly 
by the National Science Foundation under its Networking Research 
Program in Computer and Information Sciences and Engineering (CISE) 
directorate and the DHS Science and Technology Office will provide the 
necessary infrastructure networks, tools, methodologies and supporting 
process--to support national-scale experimentation on emerging security 
research and advanced development technologies. .

Once again, we at Berkeley have led in putting together a broad based 
coalition of partners including the University of California Davis, 
University of Southern California-Information Systems Institute, 
Network Associates Laboratories, SRI, Menlo Park, the Pennsylvania 
State University, Purdue University, Princeton University, University 
of Utah, and industrial partners Juniper Networks, CISCO, Intel, IBM, 
Microsoft, and HP. The DETER project will create, operate, and support 
a researcher- and vendor-neutral experimental infrastructure that is 
open to a wide community of users. Furthermore, the DETER project will 
apply scientific benchmarks and measurements to both the creation of 
the experimental infrastructure itself and to validation of the 
experimental results. Two important defenses that we will develop on 
this testbed are:

1. Distributed Denial of Service Attacks--One major objective of the 
DETER network is to make scientific advancements in 1) understanding 
the effects of sophisticated, large-scale DDoS attacks and 2) defending 
against them. Techniques and software capable of disabling large 
portions of the Internet for hours or days could be developed 
relatively easily today by sophisticated hackers or nation states. 
However, because such an attack has never been observed ``in the 
wild'', the scientific and operational communities' understanding of 
the underlying scientific phenomenon is at best fragmentary and 
speculative. Internet infrastructure components that are pushed to 
their limits by such attacks may exhibit non-linear or unstable 
behaviors that diverge from predictions derived from models, 
simulations, overlay networks, and scaled down demonstrations. As a 
result, we cannot accurately predict the impact of a large-scale attack 
on different points in the Internet topology. We plan to conduct 
experiments to improve understanding of the scientific phenomenon of a 
sophisticated large-scale DDoS attack. with special attention paid to 
the following factors:
         Detection--What kinds of DDoS attacks can the 
        mechanism detect, how accurately, and under what conditions?
         Mitigation--What kinds of DDoS attacks can the 
        mechanism mitigate (via blocking or rate limiting), how 
        effectively, at which locations in the networks, and under what 
         Autonomy vs. Coordination--To what extent does the 
        mechanism's effectiveness depend on deployment in multiple 
        locations with communication and coordination across locations, 
        and how effective can the mechanism be if such coordination is 
        not possible?
         Collateral Damage--To what extent does the mechanism 
        impede benign traffic, and under what conditions, i.e., does it 
        do more harm than good?

2. Worm Defenses--Worms present a substantial and growing threat to the 
Internet and to large government and commercial enterprise networks. 
The recently released SQL Slammer (Sapphire) worm provided a stark 
illustration of the dramatic speed and potential impact of a simple 
worm, spreading to more than 75,000 hosts within ten minutes and 
causing ATM failures, airline flight cancellations, and widespread 
network outages. The DETER Network can play a crucial role in 
supporting study of the behavior of these worms and evaluation of new 
worm defense technologies. Worm behavior is currently only poorly 
understood. Through testbed experimentation, researchers can study 
different models of worm propagation (e.g., random scanning, target-
list, coordinated, hybrid) and their effects on propagation rates in a 
realistic network environment. They can further study effects of the 
network congestion caused by worm propagation through a large network, 
determining how such congestion affects legitimate applications and the 
worm itself as infection spreads.

5 A Model for Public-Private Partnerships for Rapid Technology Transfer 
                            in Cybersecurity

The issues in transitioning cybersecurity research and development are 
immediate and pressing. There has arguably been a market failure in 
bringing cybersecurity technologies to the market. The most common 
complaint that one hears from vendors and service providers run 
something like: ``No one will pay for security.'' or ``Security is 
every one's second most favorite priority'', or ``Security products 
suffer from the paradox of the common good''. ``Will the Federal 
government play the role of market maker in early adoption of secure 
products?'' ``Is there sufficient demand to stimulate new companies 
around new ideas in cyber-security'' ``Who will provide roadmaps to 
help the investment by established companies and the venture community 
in cyber-security products?'' However, there is reason to feel optimism 
for change, provided that some steps are taken immediately. Experience 
gained from the national response to the potential perils of the Y2K 
conversion are worth revisiting in the context of cybersecurity, with 
especial attention to the role of the mandatory SEC filings for 
corporations to explain their Y2K strategy.

A critical issue for cybersecurity is the ability to quickly transition 
products from the laboratory and the research community to industry. A 
fundamental organizational problem that exists today is the lack of 
mechanisms for filling in the gap between the end of a successful 
Federal research program and the investment by the venture community 
and industry in products. Research prototypes need to be hardened, 
tested on large scale test beds, informed, customized and modified in 
response to the needs of a diverse set of customers before they can 
attract capital to allow them to be integrated into products. In 
addition industry, especially systems integrators and the larger IT 
companies would benefit from roadmaps informed by this technology 
transition. The term public-private partnerships is used to describe 
the need for cooperative arrangements among academia, industry, venture 
capital, and government with individual stake holders in the 
infrastructures to bring the newest products to the market place and 
then to the infrastructure stake holders. It is important for the 
research and development community to play a role in developing the 
relevant non-profits and trade groups to pursue transfer of ubiquitous 
secure technology. It is important for us to continue to hold focused 
workshops and seminars on particular topics relating to infrastructure 
protection and cyber-security. Research and Development will need to 
learn and evolve with results, using an iterative investigate-develop-
educate-apply cycle. It is critical to develop science, technology and 
proof of concept prototypes that will be tested through models that 
emerge from a series of analytical and case studies, experimentation 
and simulations. For example, through participation with the Secret 
Service's New York City and San Francisco Electronic Crimes Task Force 
it has been possible for the cybersecurity research community to 
develop an understanding of the needs of cybersecurity for the 
financial community.

A success story in public private partnerships, which has all the 
hallmarks that would be desirable for cybersecurity, is in the area of 
semiconductor manufacturing. The Semiconductor Industry Association 
(SIA) and Semiconductor Research Consortium (SRC) are fine examples of 
non-profit organizations, which have facilitated both the funding of 
rapidly, transitioned research to the semi-conductor industry and led 
the continual development of roadmaps for the electronics industry. DoD 
funding, both from the OSD and DARPA, from the earliest days of this 
research has been instrumental in maintaining a strategic national 
component both for competitiveness and also for maintaining US 
superiority in a vital industry sector. My own sense is that non-
profits of the same ilk as the SIA and SRC, with the same kind of 
partnership with DHS and DoD, could play an important role for 
developing both a mechanism for rapid transition of focused research 
and road mapping for industry and the investment community. Once again, 
I feel here that for strategic national security reasons that DoD 
partner with DHS in co-funding such ventures.

                          6 Concluding Remarks

Thank you Mr. Chairman and Committee members for the opportunity to 
provide this testimony to the House Subcommittee on Cybersecurity, 
Science, Research and Development, of the Committee on Homeland 
Security. We laud you for holding this very important set of hearings 
and for engaging in a matter of deep national and homeland security. 
The research community offers the Subcommittee our full support and 
cooperation, and every success in your deliberations.

    Mr. Thornberry. I thank the gentleman. And I neglected to 
say at the outset that each of your full statements will be 
made part of the record. And also, let me compliment each of 
you on your full written statements, because they did a very 
good job of directly addressing the questions in which this 
subcommittee is interested, and I appreciate that very much.
    Let me now turn to our next witness. Dr. Steve Bellovin is 
a member of the National Academy of Engineering at the National 
Research Council. He is also a technical leader and fellow from 
AT&T Laboratory. Dr. Bellovin, thank you for being with us. And 
you are now recognized for 5 minutes.

                    FELLOW, AT&T LABORATORY

    Mr. Bellovin. Thank you, Mr. Chairman, Ms. Lofgren, and 
members of the committee. I am delighted to come to help you.
    I should add, one of my other roles, I am Security Area 
Director for the Internet Engineering Task Force, which is the 
group responsible for most of the standards used on the 
Internet today.
    We face a very serious cybersecurity problem. Usually we 
can protect an individual high-value system, though it is hard. 
I run my own personal computers as tightly as I know how to; in 
the last 2 years, probably there were a dozen different ways 
that, if someone sent me the right message at the right time, 
they could have taken over this system. And this is run about 
as tightly as anything can be and still be connected to public 
    We cannot protect all of the machines, and we simply don't 
know how to. We don't even know what the magnitude of the 
threat is even from ordinary hackers, let alone nation states 
and possible cyber terrorists. The available data on what kinds 
of attacks, on the number of attacks, is simply lacking. We 
need more research to help us understand what is going on, 
because you need different defenses against cyber terrorists 
than you do against ordinary hackers.
    Most of the security problems we see today are caused by 
buggy software. Buggy software is probably the oldest unsolved 
problem in computer science. I have no reason to think it is 
going to be solved in my professional lifetime. If we design a 
software correctly, though, we can restrict our attention to 
the crucial pieces for security and probably get those rights. 
Software reliability has improved. It is no longer unusual to 
see a server that has been up for a year or more. But we have 
to design software with that sort of division in mind. We know 
somewhat of how to do that, but not nearly enough.
    We need new mathematical formal frameworks for assessing 
and measuring the security of a system. A locksmith can tell 
you how long a safe can resist an attack with certain kinds of 
tools. A computer scientist can't do the same.
    Pure research on cryptography, basic research on 
cryptography is probably not a priority. It is not that 
cryptography is not important--I have done a lot of 
cryptographic research myself--but we have far more science 
there than we have currently applied. We need a great deal of 
effort on technology transfer from the theoreticians to the 
practitioners; and on engineering, taking the cryptographic 
mechanisms and actually engineering them to be used on deployed 
    I would note that open standards are better for this 
because they promote diversity. The lack of cyberdiversity, 
like the lack of biodiversity, leaves us very vulnerable to a 
single infection vector, a single attack vector. This is a very 
serious issue in the computer industry today, because many 
other trends push towards one source rather than many.
    If we have all the security technologies, it is often too 
hard to use. We need to do a lot of work on the human factors 
of computer security. Most people don't configure the systems 
securely because, frankly, it is too hard to do so. I find it 
hard sometimes myself, and I am a professional in this field, 
trying to understand some of the messages and prompts that I 
    We need incentives for vendors to develop more secure 
systems. That is, both security features and more reliable, 
less buggy software. And we need incentives for end users to 
use these secure systems and these secure features.
    We need to improve systems administration. This isn't a 
sexy area, but most actual penetrations are caused by failure 
to apply available patches to correct known vulnerabilities. It 
is once the patch comes out that most of the activity takes 
place. Not always, but that is the large, vast majority of 
system penetrations. But no responsible system administrator 
will patch a production system without testing it. System 
administration is not a prime area for research; it seems too 
mundane. Nevertheless, if we can have better tools for 
automating the administration, for testing systems, and, by the 
way, for improving the resources available to system 
administrators both in government and in industry, this has got 
the potential for a very large payoff. This is some low-hanging 
    Security also depends on authentication. Authentication is 
a subtle business. It is hard to get right. If you get it 
wrong, you may have a system failure, you also violate 
individual privacy. It is important to pay attention to both of 
these factors when designing systems.
    There are no simple answers to the cybersecurity problem. 
There is no one technology that is going to solve it for us. 
There are a number of areas, however, that if we put in the 
appropriate resources, I think we can make a lot of progress 
and get systems not absolutely secure--there is no such thing--
but markedly more secure than they are today.
    Thank you, Mr. Chairman, Ms. Lofgren, members of the 
    Mr. Thornberry. Thank you, Doctor.
    [The statement of Mr. Bellovin follows:]


                      Cybersecurity Research Needs

1. Introduction
    It is quite clear that cybersecurity is vital to our nation's 
safety. A wide variety of National Research Council reports, summarized 
in Cybersecurity Today and Tomorrow--Pay Now or Pay Later [1], have 
illustrated the threat in no uncertain terms.
    Although there are things that the information technology 
profession--software vendors, network operators, and end user sites--
can and should do today to improve computer security, the simple fact 
is that there are limits on how good a job it can do. Even with 
unlimited financial resources, and the best will, we could not do an 
adequate job. Quite simply, we do not know how to mount an adequate 
defense. It is usually possible to protect an arbitrary resource; it is 
not currently possible to protect all critical resources.

2. Threats
    The types of defenses that are necessary depend on the nature of 
the likely attacker. Schemes that will keep out the stereotypical 
``hacker''-- i.e., the bored teenager with too much time and too few 
morals--are not very effective against a nation-state. The former 
typically use tools downloaded from someone more competent; the latter 
could develop its own custom tools, and combine them with physical 
world techniques such as ``the three B--bribery, blackmail, and 
burglary''--or terrorist attacks.
    We do not have an adequate categorization of the threat model. Too 
little research has been done on who launches what kind of attacks. It 
isn't an easy thing to do; apart from the fact that most attacks are 
never detected, many organizations are reluctant to disclose their 
vulnerabilities. But we need to know the attackers' capabilities if we 
are to devise adequate defenses.

3. Basic Research Questions
    Most computer security problems are caused by buggy software [3]. 
It would be naive to assume that the problem was solvable now, when it 
hasn't been solved despite efforts stretching for more than 50 years. 
Nevertheless, we must continue to focus effort on it. If nothing else, 
the need now is to solve a subtly different problem: making a small 
subset of software correct, rather than software as a whole. We may be 
able to achieve it; today's operating systems are far more reliable 
than those used a generation ago.
    However, if we are to focus our efforts on the critical software, 
we must learn how to divide up systems appropriately. We have long 
known how to do that for operating systems, but many of today's 
problems come from faulty applications. More generally, we must learn 
how to build secure systems from insecure components, just as we can 
produce highly reliable computer systems from unreliable electronic 
    We need new formal frameworks for analyzing the security of a 
system, and for specifying its security behavior. We do not have 
adequate tools for understanding how ``strong'' a computer system is; 
at best, we can say that some system can more or less Do certain things 
reliably. By contrast, civil engineers can tell you how much weight a 
bridge can hold, while locksmiths can tell you how long it will take to 
break into a safe using a specified set of tools.
    Formal, mathematical statements have proved to be powerful tools in 
some areas of computer science. We need to be able to apply them to 
computer security issues.
    Although basic cryptographic research is important and should be 
continued, it is not a high priority. As noted, most penetrations 
cannot be prevented by cryptographic means. It is more important to do 
a better job using the cryptographic science we have. Note that I say 
this as one who has published more than a dozen cryptographic research 
    Most basic research work is done at universities. But it is not 
possible to scale up the amount of basic security research very 
quickly. There are not that many professors who are capable of doing 
such work; there is a limit to how much money each one can profitably 

4. The Need for Engineering
    Although, as noted, there is a need for more basic research, a 
great deal of prior research has not yet been translated into practice. 
For example, we have far more cryptographic science than we have 
network protocols that use this science. We need to support technology 
transfer to industry groups and standards organizations; we cannot 
protect our infrastructure with theoretical constructs. (I note that 
open standards are better; apart from the ``many eyes'' notion, with 
open standards there can be multiple independent implementations of the 
same function. The National Research Council noted that the lack of 
diversity in platforms was a major risk factor [3].)
    More subtly, much security technology is not employed because it's 
too hard to use. We need research in the human factors of security 
    Assuming that industry does the necessary cryptographic and human 
factors engineering, the results must be translated into practice. This 
may require incentives for software vendors to develop the code, and 
for end users to employ it.
    As noted earlier, most security holes are due to buggy code. That 
is bad enough; what is worse is that most penetrations exploit bugs for 
which patches are available but have not yet been applied. The cause is 
not laziness or incompetence by systems administrators; rather, it's 
reflective of the immense difficulty of the systems administration 
task. Patches have a higher bug rate than base code, and may thus be 
more likely to create new security holes; beyond that, a remarkable 
amount of code functions because of an implicit reliance on some 
underlying bug that was present on the development systems. Fixing a 
bug may, as a side-effect, disable essential applications. No 
responsible systems administrator will install a patch on a production 
system without extensive testing, but this behavior leaves the machine 
vulnerable. We need research to solve this dilemma. Systems 
administration is not a typical research topic; nevertheless, it is the 
area with the biggest potential payoff for a relatively modest 
    It is worth noting that systems administration is often a high 
stress, low status job. Administrators often struggle to perform basic 
tasks because of inadequate resources. Measures to improve systems 
administration, in industry and government, would likely have a 
significant effect on practical computer security.
5. Privacy
    Often, computer security depends on proper authentication of 
authorized users. Authentication technologies, ranging from passwords 
to biometrics, are subtle and difficult to use properly. Beyond simple 
issues of correctness, any authentication technology can be used in 
ways that violate personal privacy [2]. Both research on cybersecurity 
and deployment of technology should protect privacy to the extent 
6. Conclusions
    There are no simple answers to the problem of cybersecurity. What 
is needed is a combination of basic research, technology transfer, and 
applications of new and previously known techniques. We, as a nation, 
cannot afford to neglect the issue.

[1] Computer Science and Telecommunication Board, editor. Cybersecurity 
Today and Tomorrow--Pay Now or Pay Later. National Academies Press, 
[2] Stephen T. Kent and Lynette I. Millett, editors. Who Goes There?: 
Authentication Through the Lens of Privacy. National Academies Press, 
[3] Fred B. Schneider, editor. Trust in Cyberspace. National Academies 
Press, 1999.

    Mr. Thornberry. There are several areas that you mentioned 
we will certainly come back to in questions.
    Finally, we have Mr. Dan Wolf, Director of Information 
Assurance at the National Security Agency. Members will 
remember that Mr. Wolf has helped us before. Really, the first 
activity of this subcommittee was kind of a Members-only 
workshop on cybersecurity which Mr. Wolf put on for us.
    Welcome back, and we appreciate your being here. You are 
now recognized for 5 minutes.


    Mr. Wolf. Thank you, Chairman Thornberry, and members of 
the subcommittee. My name is Daniel Wolf, and I am NSA's 
Information assurance director.
    NSA's Information Assurance Director is responsible for 
providing information assurance technologies, services, 
processes, and policies to protect national security 
information systems. We are also responsible for conducting 
research and development.
    In regards to your theme for this hearing, Cybersecurity--
Getting It Right--
    Mr. Thornberry. Excuse me, Mr. Wolf. Would you pull that 
microphone just a little closer to you? Some of us are having 
trouble hearing, including me. There you go. Thank you.
    Mr. Wolf. In regards to your theme for this hearing, 
``Cybersecurity--Getting It Right,'' I am not sure that NSA has 
all the answers or we have always got it right, but I am quite 
confident during our 50 years of deploying communications, and 
now cybersecurity products, we have learned quite a few 
lessons. Some people want to keep NSA in a box labeled ``for 
classified information only.'' They say that NSA's perspective 
is too narrowly focused on national security systems. However, 
I believe quite to the contrary. It has been my experience that 
there is little difference between the cybersecurity that is 
required for a system processing top secret military 
information and one that controls a segment of the Nation's 
critical infrastructure.
    The information management principle within the national 
security community has always been the concept of need to know, 
but the fundamental information principle for homeland security 
is need to share. Because the threat always rolls downhill; 
that is, our adversaries will always attack the weakest link. 
Information must be protected across the entire system. A 
three-sided castle is not very safe. The entire community must 
share the same standards if we are to protect everyone on all 
four sides of the castle.
    Your invitation to this committee outlined a number of 
areas where you wanted some specific comments and answers. The 
first was in technical approaches to optimize cybersecurity. I 
believe that the highest payoff for optimizing cybersecurity 
would be creation of an interoperable authentication system 
deployed widely throughout the Federal, national security, 
first responder, and critical infrastructure community. This 
authentication system also forms the basis for all of the other 
cybersecurity services.
    It is also important to note here that the most critical 
infrastructures like this PKI should be built using U.S. 
technology. I have concerns with foreign software, unknown 
trust and quality, being integrated into critical U.S. systems.
    My next priority to cybersecurity is effective border 
protection. Just like our national borders or the perimeters of 
our buildings, we need to protect our cyber borders. Effective 
border protection includes many different technologies, 
including firewalls, virtual private networks, high-assurance 
guards, and of course intrusion detection.
    It has also been estimated that over 90 percent of all 
successful attacks on DOD systems are against known 
vulnerabilities. System operators struggle to keep up with all 
the patches that are issued each month. A system left unpatched 
soon becomes a target like an unlocked sports car with the keys 
in the ignition. Therefore, we need an automated patch 
management system.
    Your second question dealt with advanced technologies and 
should they be pursued to outpace attacks. Today, most of the 
information coordination during a cyber attack occurs at the 
speed of humans. Code Red infected 50,000 machines in an hour. 
We need the ability for networks to work together automatically 
to weather such an attack.
    Another significant research topic is attack attribution, 
the capability to geolocate and identify the source of attacks. 
Without confident knowledge of who and where an attack was 
mounted, it is impossible to decide on the appropriate 
response. A rapid and reliable capability that separates 
nuisance hackers from more serious threats could increase the 
overall effectiveness of every cybersecurity practitioner in 
both the government and the private sector.
    Areas needing higher priority and funding. There is little 
coordinated effort today to develop tools and techniques to 
effectively and efficiently examine either source or executable 
software in large applications. We need a national software 
assurance center to pull together representatives from 
academia, industry, Federal Government, national labs, the 
national security community, sharing techniques to solve this 
growing threat. It could liken us to the Manhattan Project that 
was mentioned earlier. This is a significant problem, I 
    In today's environment, the need is particularly acute for 
ways to counter security vulnerabilities found in popular 
commercial operating systems. While many of these 
vulnerabilities can be fixed by properly configuring the 
system, the goal is to configure these systems to be as secure 
as possible right out of the box. I am happy to learn from your 
last hearing that some equipment vendors are now offering the 
security standards as the default configurations.
    NSA, working with DISA, NIST, the NIPC, the former NIPC, 
the FedCert, SANS, CIS, developed a set of consensus benchmark 
security standards. These standards provide a sort of, if you 
want to call it, preflight checklist of security settings. The 
benchmark standards represent an effective model based on 
agreement between and among security experts. NSA is proud to 
be part of this project and will continue to support the 
community in establishing security standards.
    The fourth area was in the role of transfer among 
government, academia, and industry. NSA requirements for 
cybersecurity products for national security uses are identical 
to the requirements found in other mission-critical systems; 
for example, homeland security and a critical infrastructure 
protection. We have developed a number of programs leveraging 
commercial information technology. My written statement 
provides the details, but let me just highlight a few of these 
    The National Information Assurance Partnership, or NIAP, is 
a U.S. Government initiative designed to meet security testing, 
evaluation, and assessment needs of both information technology 
producers and consumers.
    Another is the NSTISSP 11. This is a national security 
community policy requiring the acquisition of information 
assurance products that have been validated in accordance with 
either common criteria or other approved methods.
    Another is the Centers of Academic Excellence in 
Information Assurance Education. This program promotes higher 
education and information assurance, and produces a growing 
number of professionals with IA expertise in various 
disciplines. Fifteen universities have been designated as 
centers of academic excellence to date. We need this type of 
program for our workforce development. We must invest in our 
future, our people's future.
    And the next area is perspective on leveraging national 
security standards for homeland security. The key to success 
for protecting the homeland is secure interoperability. NSA has 
created a number of secure interoperability standards for 
national security use that are directly applicable for homeland 
security and public safety. Some sectors are already adopting 
these standards. If we are going to share information, these 
things are extremely important.
    In conclusion, it has been my pleasure to share the work of 
my agency with the committee today. I believe that much of the 
research and development initiated by NSA for use in the 
national security community is directly transferrable to the 
needs of homeland security. We must change our fundamental 
assumptions from ``need to know'' to ``need to share.'' We must 
share policies and processes across the community. 
Cybersecurity products and technologies have been the focus of 
my remarks today, but technology alone will never be good 
enough to protect us. It is ultimately getting cybersecurity 
right is more about what you do than what you buy.
    Thank you for the opportunity to speak to you today.
    [The statement of Mr. Wolf follows:]


    Thank you Chairman Thornberry and the members of the Subcommittee. 
I am honored to be here and pleased to have the opportunity to speak 
with your committee to discuss cybersecurity research from the point of 
view of the National Security Agency as we conduct our mission to 
address threats to the security of critical U.S. Government information 
    I also would like to thank the Chairman and other members of the 
Subcommittee for their strong interest and attention to this vital 
area. In my opinion, your leadership is important for raising awareness 
of the serious security challenges we all face in our age of 
interconnected, inter-dependent digital information networks.
    My Name is Daniel Wolf and I am NSA's Information Assurance 
Director. NSA's Information Assurance Directorate is responsible for 
providing information assurance technologies, services, processes and 
policies that protect national security information systems. We are 
also responsible for conducting the research and development of 
information assurance technologies and systems.
    I would like to note that NSA's Information Assurance Directorate 
and its predecessor organizations have had technical and policymaking 
responsibility regarding the protection of national security 
telecommunications and information processing systems across the 
Executive Branch since 1953.
    In regards to your theme for this hearing: ``Cybersecurity--Getting 
It Right.'' I am not sure that NSA has all of the answers or that we 
always have gotten it right--but I am quite confident that during our 
50 years of deploying communications and now cyber security products we 
have learned quite a few lessons. We have had tremendous successes and 
our share of failures. We also have gained a deep understanding and 
respect for the challenges the nation must overcome to begin to tame 
    Some in government and industry want to keep NSA in a box labeled 
``for classified information only.'' They suggest that NSA's 
perspective is much too narrow due to our focus on the stringent 
requirements of national security systems. However, I believe quite the 
contrary. It has been my experience--and my testimony will soon 
address--that there is little difference between the cybersecurity that 
is required for a system processing top-secret military information and 
one that controls a segment of the nation's critical infrastructure.
    Both systems require the element of assurance or trust. Trust that 
the system was designed properly. Trust that it was independently 
evaluated against a prescribed set of explicit security standards. 
Trust that it will maintain proper operation during its lifetime, even 
in the face of malicious attacks and human error. It has been my 
experience that effective cybersecurity must be baked into information 
systems starting at the R & D phase. Trust cannot be sprinkled over a 
system after it is fielded.
    Homeland security presents another reason to suggest that 
cybersecurity requirements must converge. The information management 
principle within the national security community has always been the 
concept of need-to-know. But the fundamental information principle for 
homeland security is need-to-share. With need-to-share we must develop 
technical solutions for secure interoperability that may be called on 
to tie top-secret intelligence systems to a local first responder 
    Because the threat always rolls downhill, that is to say, 
adversaries always attack the weakest link. Information must be 
protected across the entire system. A three-sided castle is not very 
safe. Therefore, I contend that in almost all cases the cybersecurity 
requirements found in national security systems are identical to those 
found in e-commerce systems or critical infrastructures. It follows 
then that the research challenges, security features and development 
models are also quite similar.
    With these similarities in mind, NSA has been working hard to 
converge these cybersecurity markets through a series of programs and 
research initiatives. Our goal is to leverage our deep understanding of 
cyber threat and vulnerability in a way that lets us harness the power 
and innovation provided by the information technology industry. We 
believe that the resulting cybersecurity solutions will protect all 
critical cyber systems, regardless of the information they process.
    I think it will be useful for me to provide a brief description of 
NSA's cybersecurity responsibilities and authorities. I will then turn 
to the specific questions you asked me to answer in your invitation.
NSA Information Assurance Background
    When I began working at NSA some 36 years ago, the ``security'' 
business we were in was called Communications Security, or COMSEC. It 
dealt almost exclusively with providing protection for classified 
information against disclosure to unauthorized parties when that 
information was being transmitted or broadcasted from point to point. 
We accomplished this by building the most secure ``black boxes'' that 
could be made, employing high-grade encryption to protect the 
information. In the late 1970s, a new discipline we called Computer 
Security, or COMPUSEC, developed. It was still focused on protecting 
information from unauthorized disclosure, but it brought with it some 
additional challenges and threats, e.g., the injection of malicious 
code, or the theft of large amounts of data on magnetic media.
    With the rapid convergence of communications and computing 
technologies in the early 1980s and especially with the explosion of 
the personal computer, we soon realized that dealing separately with 
COMSEC on the one hand, and COMPUSEC on the other, was no longer 
feasible, and so the business we were in became a blend of the two, 
which we called Information Systems Security, or INFOSEC. The 
fundamental thrust of INFOSEC continued to be providing protection 
against unauthorized disclosure, or confidentiality, but it was no 
longer the exclusive point of interest.
    The biggest change came about when these computer systems started 
to be interconnected into local and wide area networks, and eventually 
to Internet Protocol Networks, both classified and unclassified. We 
soon realized that in addition to confidentiality, we needed to provide 
protection against unauthorized modification of information, or data 
integrity. We also needed to protect against denial-of-service attacks 
and to ensure data availability. Positive identification, or 
authentication, of parties to an electronic transaction had been an 
important security feature since the earliest days of COMSEC, but with 
the emergence of large computer networks, data and transaction 
authenticity became an even more important and challenging requirement.
    Finally, in many types of network transactions it becomes very 
important that parties to a transaction cannot deny their 
participation, so that data or transaction non-repudiation joined the 
growing list of security services often needed on networks.
    Because the term ``security'' had been so closely associated, for 
so long, with providing confidentiality to information, we adopted the 
term Information Assurance, or IA, within the Department of Defense to 
encompass the five security services of confidentiality, integrity, 
availability, authenticity and non-repudiation. I should emphasize here 
that not every IA application requires all five security services, 
although most IA applications for national security systems--and all 
applications involving classified information--continue to require high 
levels of confidentiality.
    Another point worth noting is that there is an important dimension 
of Information Assurance that is operational in nature and often time-
sensitive. Much of our work in IA is found in providing an appropriate 
mix of security services that are not operational or time-sensitive, 
e.g., education and training, threat and vulnerability analysis, 
research and development, assessments and evaluations, and tool 
development. However, in an age of constant probes and attacks of 
networks, an increasingly important element of protection deals with 
operational responsiveness in terms of detecting and reacting to these 
time-sensitive events. This defensive operational capability is closely 
allied with and synergistic with traditional IA activities, but in 
recognition of its operational nature is generally described as 
Defensive Information Operations, or DIO. NSA's responsibilities in 
this area have grown considerably since the late 1990's.
    To meet this DIO challenge, NSA's National Security Incident 
Response Center (NSIRC) provides real-time reporting of cyber attack 
incidents, forensic cyber attack analysis, and threat reporting 
relevant to information systems. Through round-the-clock, seven-days-a-
week operations, the NSIRC provides the Departments of Defense, the 
Intelligence Community, Federal Law Enforcement, Department of Homeland 
Security and other Government organizations with information valuable 
in assessing current threats or defining recent cyber intrusions.
    NSA's responsibilities and authorities in the area of information 
assurance are specified in, or derived from, a variety of Public Laws, 
Executive Orders, Presidential Directives, and Department of Defense 
Instructions and Directives. The Secretary of Defense is the Executive 
Agent for National Security Telecommunications and Information Systems 
Security. The Director of NSA has broad responsibilities in providing 
for the security of national security \1\ telecommunications and 
information systems processing national security information, 
    \1\ The Computer Security Act of 1987 defines national security 
systems as telecommunications and information systems operated by the 
US Government, its contractors, or agents, that contain classified 
information or, as set forth in 10 USC Section 2315, that involves 
intelligence activities, involves cryptologic activities related to 
national security, involves command and control of military forces, 
involves equipment that is an integral part of a weapon or weapon 
system, or involves equipment that is critical to the direct 
fulfillment of military or intelligence missions.

         Evaluating systems vulnerabilities
         Acting as the focal point for cryptography and 
        Information Systems Security
         Conducting Research and Development
         Reviewing and approving security standards and 
         Conducting foreign liaison
         Assessing overall security posture
         Prescribing minimum security standards
         Contracting for information security products provided 
        to other Departments and Agencies
         Coordinating with the National Institute of Standards 
        and Technology (NIST); providing NIST with technical advice and 
    While protecting the confidentiality of classified information via 
extremely strong cryptographic systems was a major part of NSA's 
mission in the past, our mission has changed emphasis considerably over 
the last ten years. We now spend the bulk of our time and resources 
engaged in research, development and deployment of a full spectrum of 
IA technologies for systems processing all types of information. NSA's 
days of just building ``crypto for classified'' are long gone.

Specific Issues Related to Cybersecurity R&D
    Your invitation outlined a number of areas where you wanted 
specific comments and answers.

1. Technical approaches to optimize cybersecurity.
    I believe that the highest payoff for optimizing cybersecurity is 
the creation of an interoperable authentication system deployed widely 
throughout the federal, national security, first responder and critical 
infrastructure community. The typical approach used is a public-key-
infrastructure (PKI) system with a smart card that contains your cyber 
credentials. This is the type of system that NSA and DISA have built 
for DoD. A national PKI system is required that allows for strong 
authentication in cyberspace for homeland security.
    If we have this national system in the future--then when a first 
responder connects to a DHS website to access information or upload a 
report--we will know exactly who they are. We can then assign various 
privileges according to the role that the person is assuming for that 
specific information transaction. This authentication system also forms 
the basis for all of the other cybersecurity services from protecting 
the control of Supervisory Control and Data Acquisition (SCADA) systems 
to encrypting your email and passwords.
    It is also important to note here that the most critical 
infrastructures, like a PKI, should be built using U.S. technology. I 
have concerns with foreign software of unknown trust and quality being 
integrated into critical U.S. systems.
    My next priority for cybersecurity is effective border protection. 
Just like our national borders or the perimeters of our buildings, we 
need to protect our cyber borders. Effective border protection includes 
many different technologies.
         The most important technology is a firewall. Firewalls 
        help networks resist attacks by establishing a strong but 
        resilient border between our protected network and the external 
         We also need encrypted tunnels, also called virtual 
        private networks or VPN's. These devices sit between critical 
        networks to protect the information as it moves between secure 
        networks over unprotected pipes.
         Another necessary border security technology is called 
        a ``guard''. A guard is used when we need to share information 
        between security domains. Consider the case of an intelligence 
        report that is created on a top-secret network. It must be 
        sanitized to unclassified and then sent to a local police 
        department. It would be dangerous to allow this information to 
        move between security domains without review. High assurance 
        ``guards'' are designed to automatically and safely allow 
        certain information packets to flow between systems but stops 
        all others.
         Finally, effective borders require the ability to 
        detect and respond to intrusions. Just like a security camera 
        on a bank, cyber intrusion detection systems monitor the flow 
        of information around your border and detect suspicious 
    The best way to protect a system from attack is to eliminate its 
vulnerabilities. The best way to eliminate vulnerabilities is to 
improve the way we write software. High on my research priority list is 
the need for assured software design tools and development techniques. 
We also need to improve computer operating systems by including 
functionality to enhance their ability to defend themselves from 
    The elimination of vulnerabilities is the goal but the reality is 
that we are a long way from achieving this goal. Attacks are common and 
vulnerabilities are discovered daily. It has been estimated that over 
90 percent of all successful attacks on DoD systems are based on 
vulnerabilities that are already known and that have an updated 
software fix or ``patch'' available. The rare system operator can keep 
up with all of the ``patches'' that are issued each month. A system 
left un-patched soon becomes a target like an unlocked sports car with 
the keys in the ignition. Therefore, another way to optimize 
cybersecurity is with an automated patch management system.
    This system would also use strong authentication as provided by a 
PKI but the software producer would sign the new application instead of 
a person. The patch would be automatically and safely sent to your 
system. The PKI guarantees that it is comes from an authentic source 
and has not been corrupted.

2. What areas of advanced technology should be pursued to outpace 
    Research is required to improve a cybersecurity system's ability to 
modify itself on-the-fly. New attacks are constantly emerging and new 
vulnerabilities are discovered even in the most carefully designed 
systems. The ability to update must be safely executed and as 
transparent to the user as possible.
    NSA is working on a multi-year, nearly $3B development program 
called Cryptographic Modernization (CM) that has some of these 
features. There are over 1.3 million cryptographic devices in the U.S. 
inventory. Over 75% of these systems will be replaced during the next 
decade. Future security systems are being designed to use the network 
to safely program and reprogram their operating characteristics 
automatically and transparently to the user.
    Research is also needed to learn how to build cybersecurity systems 
that can continue to operate even while under attack. Resilient 
systems, like those being investigated by DARPA and others will be 
needed in the future. The goal is to have a system that degrades 
gracefully instead of causing a cascade of insecurity.
    I would also suggest that considerable research is needed to 
effectively coordinate information during a cyberattack. Today, most of 
this coordination occurs at the speed of humans. But attacks are 
carried out in seconds and are often carried out automatically.
    The CODE RED attack in 2001 infected 50,000 machines per hour, 
ultimately causing billions of dollars in damage. We need a capability 
for our networks to work together automatically to weather an attack. 
Incident information formats, automatic remediation algorithms, the 
ability to learn attack specifics from intrusion detection devices and 
other network sensors and then share this info with other networks 
without human intervention are high priority requirements.
    Another significant research topic is the ability to enhance attack 
identification methods. Most intrusion detection or system misuse 
systems today rely on patterns or signatures to identify the bad 
behavior. This works well for known attacks but is useless against 
novel attacks. The ability to detect attacks and misuse from anomalous 
behavior is needed.
    The ability to detect suspicious or anomalous behavior is also 
useful to identify insider attacks. Studies have estimated that 50 
percent of the most damaging attacks come from insiders. An insider is 
unlikely to use sophisticated attacks because they already have an 
account on the system--but the ability to monitor system use during off 
hours or track users accessing unusual accounts provides vital clues 
for detecting insiders.
    Continuing with the cyber attack theme--I believe that one of the 
hardest problems we must solve in cybersecurity is attack attribution. 
That is the capability to geolocate and positively identify the source 
of attacks on the Internet. Without confident knowledge of who and 
where an attack was mounted, it is impossible to decide on the 
appropriate response. A rapid and reliable capability that separates 
nuisance hackers from more serious threats would increase the overall 
effectiveness of every cybersecurity practitioner in both government 
and the private sector. Effective attribution by law enforcement 
leading would also deter the casual hacker and allow resources to spent 
on more serious cases.

3. Suggest advanced technology programs needing higher priority & 
    A significant cybersecurity improvement over the next decade will 
be found in enhancing our ability to find and eliminate malicious code 
in large software applications. Beyond the matter of simply eliminating 
coding errors, this capability must find malicious software routines 
that are designed to morph and burrow into critical applications in an 
attempt to hide. There is little coordinated effort today to develop 
tools and techniques to examine effectively and efficiently either 
source or executable software. I believe that this problem is 
significant enough to warrant a considerable effort coordinated by a 
truly National Software Assurance Center. This center should have 
representatives from academia, industry, federal government, national 
laboratories and the national security community all working together 
and sharing techniques to solve this growing threat.
    We also need the ability to trust the hardware platforms we use for 
critical applications. Most microelectronics fabrication in the USA is 
rapidly moving offshore. NSA is working on a Trusted Microelectronics 
Capability to ensure that state-of-the-art hardware devices will always 
be available for our most critical systems.
    The DoD is currently undertaking a major program called 
transformational communications. This program is developing the 
military communications infrastructure of the future and it will be 
delivering high-bandwidth, secure, multi-faceted digital capabilities 
across the defense enterprise and down to the individual warfighter. 
Many new cybersecurity requirements are being generated by this 
initiative and they will require significant R&D resources. For 
example, additional key management infrastructure capabilities, 
techniques for multi-level security networks, and ultra-high bandwidth 
encryption are a few of the new technologies being driven by this 
requirement. It is important to note that the results of this program 
will be dual-use. The technology being developed will have application 
for solving many of the same challenges that are found in homeland 
security systems.
    In today's Information Technology environment, the need is 
particularly acute for ways to counter security vulnerabilities found 
in popular commercial operating systems and applications. While many of 
these vulnerabilities can be fixed by properly configuring the system, 
the goal is to configure these systems to be as secure as possible 
``right out of box.'' Building on the hugely popular security 
configuration guides for Windows 2000, NSA, working with Defense 
Information Systems Agency, the National Institute of Standards and 
Technology, the FBI's National Infrastructure Protection Center (now at 
DHS), the General Services Administration's FedCert, the SANS 
Institute, the Center for Internet Security and vendors--developed a 
set of consensus benchmark security standards. These standards provide 
a sort of "preflight checklist" of security settings.
    The benchmark standards represent an effective model based on 
agreement between security experts, system operators and software 
vendors. A number of standards for the most popular technologies are 
being adopted by many government and private sector CIOs.
    I am happy to learn from your last hearing that some equipment 
vendors are now offering the security standards as the default 
configuration. I also understand from your hearing last week that 
industry gave high marks to the great work being done by the Center for 
Internet Security. NSA is proud to be a part of this project and will 
continue to support the community in establishing security standards. 
This consensus approach may not eliminate every vulnerability, but by 
working together, we can harden our systems against common attacks.

4. Role of technology transfer among government, academia, and 
    NSA is motivated by a sincere belief that the requirements for 
cybersecurity products and services for national security uses are 
identical to the requirements found in other mission critical systems 
e.g., homeland security and critical infrastructure protection. We have 
developed a number of programs and policies targeted leveraging the 
commercial information technology.
         The National Information Assurance Partnership (NIAP) 
        is a U.S. Government initiative designed to meet the security 
        testing, evaluation, and assessment needs of both information 
        technology producers and consumers. NIAP is collaboration 
        between the National Institute of Standards and Technology and 
        the NSA in fulfilling their respective responsibilities under 
        the Computer Security Act of 1987. The partnership, originated 
        in 1997, combines the extensive security experience of both 
        agencies to promote the development of technically sound 
        security requirements for IT products and systems and 
        appropriate metrics for evaluating those products and systems. 
        The long-term goal of NIAP is to increase the level of trust 
        consumers have in their information systems and networks 
        through the use of cost-effective security testing, evaluation, 
        and assessment programs. NIAP continues to build important 
        relationships with government agencies and industry in a 
        variety of areas to help meet current and future IT security 
        challenges affecting the nation's critical information 
         NIAP also produces cybersecurity specifications, 
        called protection profiles that have already been developed for 
        low and medium assurance applications and are periodically 
        updated. The profiles are available on the NIAP website for 
        anyone to use to describe the features needed for cybersecurity 
         NSTISSP #11 (National Security Telecommunications and 
        Information Systems Security Policy #11) is a national security 
        community policy governing the acquisition of information 
        assurance products. The policy mandates, effective 1 July 2002, 
        that departments and agencies within the Executive Branch shall 
        acquire, for use on national security systems, only those 
        products that have been validated in accordance with the either 
        the Common Criteria, or other approved methods. Additionally, 
        NSTISSP #11 notes that departments and agencies may wish to 
        consider the acquisition of validated COTS products for use in 
        information systems that may be associated with the operation 
        of critical infrastructures as defined in the Presidential 
        Decision Directive on Critical Infrastructure Protection Number 
         The Information Assurance Technical Framework Forum 
        (IATFF) is a NSA sponsored outreach activity created to foster 
        dialog between U.S. government agencies, industry, and academia 
        seeking to provide their customers solutions for information 
        assurance problems. The ultimate objective of the IATFF is to 
        agree on a framework for information assurance solutions that 
        meet customers' needs and foster the development and use of 
        solutions that are compatible with the framework. The forum 
        serves to increase awareness of available security solutions 
        and allows attendees to establish contacts with other 
        individuals and organizations dealing with similar problems. 
        The Information Assurance Technical Framework document, 
        currently in its third revision that provides over 500 pages of 
        technical guidance for protecting information and information 
         The Centers of Academic Excellence in Information 
        Assurance Education Program is an outreach effort designed and 
        operated by NSA in the spirit of Presidential Decision 
        Directive 63. The program goal is to reduce vulnerability in 
        our National Information Infrastructure by promoting higher 
        education in information assurance, and producing a growing 
        number of professionals with IA expertise in various 
        disciplines. Fifty universities have been designated as Centers 
        of Academic Excellence to date. NSA has also been using the 
        skills found at the service academies in a number of 
        interesting ways. One exciting program is the service academies 
        competition for attacking and defending networks. We also 
        sponsor visiting professors in IA. We need this type of program 
        for our workforce development - we must invest in our future.
         NSA is also working to transfer techniques to 
        cybersecurity service providers. One of the services that NSA 
        offers under this authority is system security assessment. 
        Since NSA has limited resources to meet the ever-growing demand 
        for INFOSEC Assessments, a training and certification program 
        was developed as a partnership between NSA and private INFOSEC 
        Assessment providers.
         NSA also created the INFOSEC OUTREACH Program to 
        combine the substantial Information Systems Security talents of 
        government and industry partners. The program provides insight 
        into secure design, security evaluation, and the security 
        considerations of system certification. Working together, the 
        partnership of government and industry can meet the increasing 
        demands for state-of-the-art secure telecommunications and 
        information systems.
         NSA and the International Information Systems Security 
        Consortium (ISC)2 developed a new Information Systems Security 
        Engineering Professional credential for information security 
        professionals who want to work on national security systems. 
        The new certification will serve as an extension of the 
        Certified Information Systems Security Professional, offered by 
        (ISC)2 for information security.

5. How are research priorities and programs determined in the national 
security area?
    We base our priority decisions on a number of factors. The first 
factor is determined by the technologies and systems most used by our 
customers. For example, we recently started a comprehensive R&D program 
to enhance the security of PDA's and wireless 802.11 networks over the 
last two years because of the explosion of the use of these systems by 
our DoD customers.
    We also maintain a large number of cooperative research agreements 
with many of the most important technology vendors to help us keep 
ahead of their development cycles. We also work with small firms 
ensuring that their innovative technologies are fully informed by our 
cybersecurity expertise. This insight allows us to program for 
anticipated cybersecurity enhancements of our systems, or in the best 
case, influence our industrial partners, large and small, to add 
additional IA features during development.
    Our researchers also participate in R&D agenda setting panels and 
boards with the NSF, DARPA, National Laboratories, and industry 
associations. We collaborate with the R&D functions in our customer's 
organizations. All of this information is used in making an R&D 
priority and programming decision.
    NSA is also unique in that we have considerable insight into the 
threat presented by various adversaries from our intelligence 
activities. Threat profiles are developed and these, in part, drive our 
research agendas.
6. Share your perspectives on leveraging national security standards 
for homeland security needs?
    National security standards are developed for--and are intended to 
be leveraged for all critical cybersecurity requirements.
         In order to promote secure interoperability between 
        wired and wireless systems NSA initiated an industry and 
        government consortium to agree on a common signaling plan 
        called the future narrowband digital terminal (FNBDT). Although 
        in reality it is not just narrow band anymore but a broad 
        specification, FNBDT includes a common voice processing 
        capability, a common signaling protocol, a common crypto-
        algorithm base, and a common key management process. FNBDT has 
        become the primary security standard for cell phones, military 
        radios and many emerging public safety communications devices 
        intended to serve homeland security missions and first 
        responders all around the world.
         We also created the High Assurance IP Interoperability 
        Specification (HAIPIS), which will ensure interoperability with 
        all future generations of IP network encryptors. The IP, or 
        Internet protocol, is the backbone of the worldwide Internet. 
        This new cybersecurity specification has become extremely 
        popular and new products, based on this specification are being 
        released regularly.
         Many of the technologies that we are suggesting for 
        homeland security requirements were developed to support 
        coalition military warfare. These systems were designed to 
        cost-effectively support a highly mobile and constantly 
        changing set of information sharing partners. We are confident 
        that they are exactly what many homeland security applications 

    It has been my pleasure to share the work of my agency with the 
committee today. I believe that much of the research and development 
initiated by NSA for use in the national security community is directly 
transferable to the needs of homeland security. We all need to work 
together to shape the demand side of the market. Everyone needs 
trustworthy technology. We cannot afford to cut corners.
    We must change our fundamental assumption from need-to-know to 
need-to-share. We must share policies and processes across the 
community. Cybersecurity products and technologies have been the focus 
of my remarks today but the technology alone will never be good enough 
to protect us because--ultimately--getting cybersecurity right is more 
about what you do than what you buy.
Thank you for the opportunity to speak before the subcommittee today.

    Mr. Thornberry. I thank the gentleman, and all the 
witnesses, for their testimony. It is rather remarkable to me 
how much consistency there is really between among all three of 
    At this time, I would yield to the gentlelady from 
California for questions.
    Ms. Lofgren. Thank you, Mr. Chairman. And as I have in past 
hearings, I am really struck by how fortunate we are in this 
subcommittee to be able to really call on some of the smartest 
people in the whole country, and then they come and share with 
us. So it is a delight to listen to each of you.
    I have many questions, but let me just start in with Dr. 
Sastry, because one of the concerns I have, you mentioned 
HSARPA as an encouraging element of the new Department and one 
with great promise. Before you were leading the Department at 
Berkeley, you ran the technology, the cyber part for DARPA. And 
I am wondering if you can reach back to that part of your 
experience and give us some advice on what we might do to 
actually get HSARPA up and running.
    Right now there is, I believe, a recently hired deputy 
director, and that is it. I mean, it was last month you 
couldn't even call the division because there wasn't a phone 
number or an office. And there is no director, there is no 
employees. If you were the czar, what would you do to jump-
start that effort so it could be as productive for the country 
as DARPA was?
    Mr. Sastry. Thank you very much, the Honorable Ms. Lofgren. 
I had the good fortune to serve under the deputy directorship 
of Jane Alexander, who is now the Deputy Director of HSARPA; 
she was the Deputy Director of DARPA. So I think we are 
fortunate to have some leadership with experience in the DARPA 
    The way I would configure HSARPA is perhaps quite 
substantially along the lines of the DARPA model with a few 
differences. The way DARPA programs are organized are they are 
mission-oriented in the sense that they are 3-to 5-year 
programs with very definite outcomes. And so even in the 
information assurance and survivability suite of programs, we 
had one on secure systems, we had one on fault tolerant 
networks, we had one on coalitions. And each one of those was 
separately organized, bite-sized pieces of research. And in 
addition, the way those were informed by the needs of the 
services and the needs of the service labs was to have the 
service labs be the individual CTARs of the technical 
contractors for executing the contracts.
    So I feel that the IAIP Directorate, the Board of Security 
Directorate, and the Emergency preparedness directorate could 
provide staff to be the executors of the contracts that come 
out of HSARPA, very much in that model.
    Now, the questions about how one ramps up quickly to this 
is a very important one, and I think it will take some time to 
hire the right program managers and to have adequate turnover, 
the way DARPA does, so as to keep new ideas coming into the 
agency. One suggestion is to actually use existing mechanisms 
of partnership with NSF the way DARPA does, or with DARPA 
itself in the short run, to be able to ramp up to such a state 
where it has its own program managers.
    The one thing I do differently from DARPA is, because there 
are sort of short-and intermediate-term needs which have to be 
met in the other directorates, I think I would really have a 
separate office which concentrates on the technology transition 
issue. And the technology transition issue would be about 
setting up the correct structures to make sure that, as the 
programs mature, those get taken up. And I alluded to some 
mechanisms that I thought were useful.
    Ms. Lofgren. Mr. Wolf expressed concern about foreign 
software or software developed offshore and its reliability. Do 
you, Dr. Bellovin and Dr. Sastry, share that concern?
    Mr. Bellovin. I am concerned about all software's 
reliability and correctness. I am not in the position to 
understand how much greater the threat is when it is coming 
from elsewhere, but we are dealing with a screen door, not a 
vault door in a lot of the software.
    Patching systems--I was asked this question leading up to 
Y2K. A lot of the Y2K intermediation work was done offshore. I 
was asked if I was concerned about that, and my answer was, I 
am concerned about anybody patching systems regardless of who 
they are, because patches have a much higher bug rate, hence, 
vulnerability rate, than base code.
    So I think if we had the technology to examine any code, no 
matter where it was, for security and assurance, or vendor back 
doors which sometimes are put in for maintenance purposes, we 
would be in a lot better shape. And I would leave to 
professionals to understand how much greater the threat is from 
    Mr. Sastry. If I could amplify on that, I fully agree with 
Dr. Bellovin. I think that one has to be worried about all 
software. And one of the problems about these complex systems 
has been that even though one can trust individual pieces, when 
you put them together, the overall systems tend to suffer from 
all kinds of problems. So I think that there are some glints of 
hope. But I think that the technologies for guaranteeing that 
software, whether it is written overseas or in the United 
States, is in fact more or less correct by construction, are in 
their infancy.
    One specific one that has come out of Carnegie-Mellon is 
called proof-carrying code. And this is the notion of providing 
code which comes with its own certificate so one can 
independently prove to one's self that it works the right way. 
The drawback has been that it is not scalable to large systems.
    Now, I think that there is an area of research about how 
you compose and put together large systems. And this is perhaps 
what we have to do on the fly today to reduce vulnerabilities. 
And so I guess there are no easy answers.
    Mr. Wolf. If I could add a comment to that. Really, there 
are two pieces to that. One is certainly the quality of the 
code. And as was referenced earlier, certainly there is a lot 
of buggy code out there. But the other is the trust factor. And 
when you think about the globalization of IT and the people 
that are writing code offshore now, there is a wide variety, 
many of whom you can say that we trust, and there are others 
that you might not have so much trust in.
    And frequently my organization is asked, for example, by 
law enforcement to look at code and say, is there a back door 
in this? Is there something malicious in it? That is a very 
difficult problem, and the tools aren't necessarily there to do 
that right now. And so that is the reason that we have talked a 
lot about the idea of a national lab that looks at software. 
Certainly, you know, the goal would be that you write codes so 
that up front the code is good and you have trusted code 
trusted modules. But in many cases we don't have that luxury. 
And if you think about the critical infrastructure of Wall 
Street or the power grid in the east coast, and you look at who 
wrote some of that code, you might be a little concerned.
    Ms. Lofgren. I am intrigued by this, and I don't know if we 
will have time for a second round. But I am wondering whether 
some of the research--I don't think that is a function you 
would want the Federal Government to provide, and yet it might 
work nicely with the research that is being discussed, maybe 
the test bed research that was referenced in the testimony, so 
that you might have--I mean, the last thing you want is the 
heavy hand of the Federal Government on the creative element, 
and yet we might want some way to examine and have a test bed 
research component for critical elements of the infrastructure.
    Is that sort of what the two doctors are proposing?
    Mr. Sastry. So, I think test bed research is really a lot 
of what is needed to take ideas from the research stage into 
systems that work. So, the specific kinds of test beds that I 
alluded to certainly for network defense, distributed denial of 
service and worm attacks, are coming in with an increased 
frequency. There are a lot of different solutions that the 
research community is putting out, but very few service 
providers have faith in them simply because they haven't been 
tried out on systems of adequate magnitude. So also in this 
software verification the questions of how much faith you can 
put in proof-carrying code, which is a piece of code that you 
add to a piece of software to check whether it is actually 
meeting the functions that it was supposed to and whether or 
not it has back doors.
    So I think that a test bed activity is one of the things 
that is needed to fill the chasm between research and what 
comes out of a university or what comes out of other research 
agencies, research groups, and products.
    And then the questions about the regulations. I think that 
while it is true that it is not completely clear whether one 
ought to be heavy-handed in the regulation, I do think that as 
in the Y2K case, the Federal Government had a very, very 
important role in 1997 by the SEC asking for companies to file 
their plans for what they were doing with Y2K.
    Ms. Lofgren. If I may. I don't disagree that the Federal 
Government must play some role. The question is, what is that 
role? And I think we have discussed many times, and I think 
there seems to be consensus among most of the members of the 
subcommittee, that a heavy-handed regulatory role is probably 
not the optimal role for the government to play, but there is a 
role for the government to play.
    Mr. Bellovin. There is a need for test beds. The 
fundamental problem of software is scale. We can do small 
things well, both developing and testing; we can't do large 
things well. That is where a test bed, an opportunity to try 
certain things at scale in an experimental setting would be 
very, very useful. And there are some things where it is easier 
than others. Network technology, it works better.
    Software. Most of the large software systems are developed 
by industry. A mass--a software project by definition is very 
many people over many years with real users and real changes 
over the life span. That is hard to put into a test bed. 
Nevertheless, an industry/government/academia cooperation is 
useful, because industry has the software that everybody is 
relying on, including the Defense Department. We are all 
running commercial off-the-shelf software for the most part, 
and we have to get this right to secure the critical 
    Ms. Lofgren. I think I have more than used up my time, and 
I would like to thank the Chairman for his courtesy and yield 
    Mr. Thornberry. The gentlelady is asking some very good 
    The Vice Chair of the subcommittee, the gentleman from 
    Mr. Sessions. Thank you, Mr. Chairman.
    On behalf of this committee, as you have heard us say, we 
appreciate all three of you being before us today. I think this 
is an important exercise for this subcommittee and for our own 
    Mr. Wolf, I think I would like to direct my question to 
you, but I am not sure it would be limited to you. You speak 
very forthrightly and clearly about effective border 
protection. And, quite honestly, that makes my mind race. I am 
a free trader. I believe in goods and services and information 
flowing back and forth between countries. And I believe one of 
the most powerful parts about the World Wide Web is its 
availability to people for commerce and other activities. 
However, the need of this great Nation to protect itself and 
its intellectual property, its secrets, and other things that 
emanate from that is important also. And in my mind, I 
understand--I think I understand border, but I am not sure that 
I do, and it is because I really don't have a concept of where 
all these nodes are that bring traffic into this country to 
where they share our information.
    And standards body. When I was at Bell Labs, we were a part 
of a standards body organization for switch manufacturers.
    I would like for you, if you could, to perhaps go through 
in a detailed way about what you see as this border or cyber 
border. And are there things that we as this country should be 
doing, just like trade agreements, to say--or just like Customs 
would be at an airport in a foreign country or visitors coming 
to this country. Should we place a burden upon knowing who is 
coming here and where they came from? And I know this is hard 
on a real-time basis. Or even if just information that would 
travel with that packet that would comment about where someone 
originated. I think you see where I am coming from. Can you 
address that?
    Mr. Wolf. Okay. And I guess let me start by saying when 
they talk about border protection, you are really talking about 
protecting--if I can start, say, with your computer at home, in 
terms of having a firewall such that you can control in terms 
of who comes into your computer, who has access to the 
computer, the kinds of things that come in and go out of your 
computer. So that is not restricting you from going to anywhere 
in the world, okay, to look at something on the Internet. But 
it is meant to stop a hacker, for example, from coming into 
your computer and stealing your tax information. So we talk 
about firewalls. And firewalls have a set of privileges that 
you can identify with them in terms of how strict and how high 
up you want to put the wall, if I can say it that way.
    We also talk about intrusion detection systems. So now if 
you go a little further out from, say, your home computer and 
you want to develop a profile of what kind of activities are 
coming across that boundary, looking for hackers, for example, 
that is kind of what we would call border protection. In terms 
of looking for malicious activity, threats, hackers, whether 
that is a terrorist, a nation state, state, whatever. So you 
are, if you will, protecting your computer environment, 
protecting cyberspace.
    Now, if you take that a little further to the borders of 
the United States, that would be a very difficult task to put 
up, if you will, some kind of protection around the United 
States, and probably not necessarily a good investment. But you 
certainly would want to put sensors maybe on the periphery of 
the U.S. again to look at hackers, to look at people trying to 
come in to do malicious things to you, and to look also at 
maybe data that is leaving the U.S. the idea of--and I talk 
sometimes, and I think in my testimony talk a little bit about 
the insider. You know, is there information leaving a facility 
that you wouldn't want to leave? Is somebody on the inside 
pushing information out to another entity?
    So when we talk about border protection, we are really 
talking about how do you protect your enterprise, what kind of 
protections do you put around it so that somebody can't come in 
and do something malicious to your enterprise? So, not really 
restricting in terms of, you know, the Internet as a whole, but 
it is more the protections that you want to put in to make sure 
that somebody isn't doing something malicious to you.
    Mr. Sessions. So the border could mean any individual 
computer as opposed to in the border I was describing as the 
United States of America?
    Mr. Wolf. Yes. So we are not necessarily talking 
geographic. In DOD, we have something called ``defense in 
depth,'' and we talk about the enterprise level, the 
information backbone. There are several levels that we talk 
about in terms of doing protections. So it is not necessarily a 
physical boundary in terms of around the United States. 
Although there may be something in terms of implementing a 
network of sensors to look for hackers, to look for kinds of 
activities, malicious activity. That may be something that we 
want to do.
    Mr. Sessions. Okay. Any of the other gentlemen choose to 
    Mr. Bellovin. Yeah. I am in favor of border protection to 
the extent it is possible; I was the author of the first book 
on firewalls in 1994. But it is a much more challenging problem 
today than it was in 1994, because the amount of 
interconnection has increased tremendously. A modern 
corporation will have hundreds to thousands of external links 
that penetrate its firewall to its outsource functions, to its 
joint venture partners, to its customers, to its suppliers. All 
of this is done electronically, and all of this is done by 
means of mechanisms that bypass the firewall, go through the 
    In other words, we have many more border crossings than we 
do today. The virtual private network technology that lets me 
work from my hotel room exactly as if I was inside my office at 
AT&T works very well; but if the same employee who is 
telecommuting via VAN is using that same computer to surf the 
Internet individually, we have a problem because we don't have 
an effective border. We are moving more towards a motel rather 
than a hotel model. In the hotel, there are one or two 
entrances and everyone is walking past the front desk. In the 
motel, every room has got its own door to the outside. It is a 
lot harder to secure that, and we are moving more towards that 
ladder. We have to find a scalable solution to let us protect 
all of these doors.
    I would note that tracing things, where they are coming 
from outside the country, is a lot harder. The hackers don't 
use their own computers for the most part. They use their own 
computers to hack an easy target, maybe in a university 
someplace or a small company, and use those to hack a few more. 
Five levels away, that is where they will launch the attack 
from. The attack may be coming from inside or the outside, but 
you don't know where the controlling messages came from. And 
that is what makes it so hard to trace back these things. 
Authentication credentials, they are stealing the credentials 
identity today. It would be very hard to fundamentally 
reengineer things to get around that.
    Mr. Sastry. I share you sentiments about being open enough 
to, A, have IT products come into the country, and also for us 
to be able to sell IT products in other parts of the world. And 
so I think that open standards, which I think is one of your 
concerns, are in fact better than standards where one erects 
    But having said that, I think that one does need to have 
the sense of being able to dial up and down security so that 
even if you did have this motel model and sometimes--and 
physical security with different threat levels and being able 
to dial up and down security depending on your perception of 
how threatening the environment around you is, the questions of 
how to do this are I think are open research issues.
    Also, I think that the questions about being able to trust 
software, I think it is easy to trust individual pieces of 
software and to be able to test individual pieces of software 
regardless of where they are written.
    On the other hand, the problems are about what happens when 
you try to compose them. And the biggest single problem is when 
you put together complex systems--and people inevitably build 
complicated systems for reasons of functionality--that is when 
we really don't have guarantees both in security and also in 
privacy because of the kinds of data sharing that occurs across 
large systems.
    So coming back, I think in the earlier parts of our 
testimony both Steve and I, Steve Bellovin and I, agreed that 
really sort of the bottleneck problem is to be able to compose 
secure systems so as to guarantee that the overall system 
works. And I think that the way to do that is not actually to 
stop people from sending software in or for us to be able to 
sell overseas.
    Mr. Wolf. And if I could add one more comment. We talk 
about border protection and firewalls. You also need to think 
about what functions you want somebody to be allowed to do on 
your computer. So it is not just put a border up and protecting 
it, but it is what do you want them to do. Do you want them to 
be allowed to look at Web pages? Do you want them to be able to 
move files around? So there is a whole set of things to go 
along with that. So it is sort of the motel model in terms of 
defining what you can do in the motel.
    Mr. Sessions. I appreciate that, gentleman. That obviously 
led me right to what Mr. Wolf was talking about, and that is 
our own systems is our border. And I appreciate the discussion. 
I yield back.
    Mr. Thornberry. I thank the gentleman.
    The gentleman from Rhode Island, Mr. Langevin, is 
    Mr. Langevin. Thank you, Mr. Chairman. I want to thank 
members of the panel for being here, and your testimony, and 
really some of the questions I have prepared you have 
addressed. But I would like to give the opportunity to expand 
on them a little more. And I will start with asking if you can 
discuss whether there is sufficient information sharing taking 
place between researchers who discover most vulnerabilities and 
the companies who created the products and the DHS. And also, 
how could the government help to foster an environment where 
researchers and companies could better work together?
    Mr. Langevin. And then, expanding on that point, what do 
you see as government's role in terms of increasing security 
and standards setting? Should it be fostered through 
partnerships and purchasing criteria, or should we take a more 
active role? I know you discussed this a bit already, but if 
you can expand upon that. And basically would government-
mandated standards, such as the common criteria, be a baseline 
or hindrance for future innovations? If you could take a crack 
at those, I would appreciate it.
    Mr. Bellovin. When it comes to vulnerability reporting, 
there is pretty good cooperation between the people who find 
the holes and the vendors. There is sometimes an unrealistic 
expectation of how soon a problem can be resolved. More 
responsiveness, at least acknowledgment, would certainly help. 
I think it is cases of people getting frustrated at reports 
being ignored. In general that is a path that works well.
    Sometimes people have unrealistic expectations about what 
can be done. You know, the problems are generally subtle, or 
they wouldn't be there in the first place.
    For standard setting, I would suggest the procurement model 
is much better. We don't know exactly what we are doing. There 
is a saying, if we know what we were doing, it wouldn't be 
called research. And to try to mandate certain things is 
probably premature given the state of the art. The Common 
Criteria is a useful step forward. As an NRC report a few years 
ago pointed out, it doesn't really address a lot of the 
software models we are dealing with today. It is also extremely 
expensive to produce software that meets these criteria and can 
continue to meet these criteria over the life cycle of the 
hardware and software platform.
    This has tended to make such systems slower, much less 
modern, and much more expensive than the commercial off-the-
shelf alternatives, which has generally led people to buy the 
commercial off-the-shelf alternatives, because they don't 
perceive the threat, there is no particular push back, no 
incentives, as I said earlier, for people to install the more 
secure software in most situations.
    Mr. Langevin. Okay.
    Mr. Sastry. I share a lot of the comments made by Dr. 
    Let me talk a little bit about the information-sharing, 
which is one of your questions. I think that information-
sharing is an important step. The ISACs are certainly an 
attempt to try to get information-sharing across industry 
    My perception is that there is a lot of concern in industry 
about sharing this information, partly because there isn't a 
lot of sensitivity about how this information would be 
protected by FOIA requests. Of course, there are ways, there 
are other transactions, authorities and other procurement 
mechanisms by which this information could be protected. I 
think industry needs to be sensitized to the fact that they 
can, in fact, share this information without its being open to 
public scrutiny.
    My sense also is that there is a certain amount of funding, 
and I think the Federal role in being able to smooth this 
information-sharing is not to be underestimated. I think that 
there is a sense that a lot of especially small companies feel 
that they are sort of doing that on their own dime. So I think 
that if they had a greater sense of feeling protected when they 
shared the information, and also they were given some help, 
some financial help, for sharing this, I think this would go a 
long ways to where it is helping the ISACs.
    Mr. Langevin. Could you expand on that. How we do that? How 
we foster that?
    Mr. Sastry. I think there are mechanisms inside DHS, and I 
think there are questions of appropriation of a certain amount 
of resources simply for the ISACs. And the other transaction 
authority is simply the contractual mechanism that can be--that 
can be chosen to be exercised by the Department of Homeland 
Security to actually protect the information from FOIA 
    I think they have the--I do think that they have the OTA 
authority to do so. The telecom--and the telecom folks that we 
talked to at BellSouth and others were really quite concerned 
about being sort of reassured about this, partly because this 
OTA is not a well-known contracting instrument, and people 
don't know all of its possibilities, I guess.
    Mr. Langevin. Thank you.
    Mr. Wolf. A major part of my mission, if you look at my 
mission statement, is to discover vulnerabilities, because my 
job is to provide secure systems for the national security 
sector. So we put a lot of effort into discovering 
vulnerabilities. And we work very closely with industry. We 
work very closely with academics in terms of how we do that.
    We have various reach agreements such that--with various 
companies, they are called CRADAs, cooperative research 
agreements, so that we get access, for example, to source code, 
and again, with the idea of how do you improve the source code 
to improve the security. When we find a problem, we go back to 
the company, we explain what the problem is, and in many cases 
provide them some of the technology to help improve their 
product, because, again, we are trying to build product.
    That is my main goal is to get product out there for the 
national security sector. Of course, the byproduct of that is 
it is dual-use technology. So anything I provide to national 
security in many cases can be applied other places.
    So I would say there is a very close relationship in terms 
of working with industry on that. I can probably go through 
many, many examples of successes that we have had in that area.
    You mentioned about security settings and benchmarking. I 
think that is a very, very important thing. I mentioned that in 
my testimony in terms of how do you configure things out of the 
box so that they are very secure. And we are very active in 
that particular area. Common criteria is something that we 
strongly support. We put a lot of effort into common criteria.
    Common criteria, what it does is it is really, I will say, 
raising the bar, if you will, in terms of information 
assurance. It is not the ultimate answer, it doesn't make it 
perfect, but what it does is it does put products through a 
fairly rigorous testing for certification, so that given a set 
of functions that the product is supposed to do, that you have 
demonstrated that it does do those functions under certain 
    Now, again, it doesn't solve all of problems, but it does 
raise the bar. And common criteria probably needs common 
criteria 2, some additional things to common criteria. And I 
share the comments and agree that common criteria can be a 
little expensive for companies, and that is something we are 
also trying to work in terms of how we can improve either the 
timeliness of things getting through the process, or how we can 
do something in terms of helping in terms of financially. But 
that is a difficult problem to resolve.
    We have reached out to homeland security, in particular Bob 
Liscouski in the IP, and have talked to him about working with 
us in NIAP and how we can leverage the kinds of things that he 
needs to do with the national security sector. So together what 
we do is we come to the table with a larger, if you will, 
market share. If we just looked at the national security 
sector, that is not a big sector in terms of many of these 
products. So in terms of getting the things through common 
criteria through NIAP, if there is homeland security and 
national security, that makes it a much larger market, and 
makes it more cost-effective in terms of a company going 
through that and getting that process done.
    I guess the other question was about mandated standards. I 
don't believe we should mandate standards. We should establish 
standards. We should sort of recommend standards. But I think, 
you know, one of the problems with standards, and I certainly 
see it in my sector, we have everything from a small military 
installation with a small requirement to some large network 
like the SIPRNET, and to try to mandate one standard in those 
two extremes is very, very difficult for anybody to meet.
    So I think you want to establish a set of standards, 
recommended standards, and do it that way rather than make it 
mandatory, because one size does not fit all.
    Mr. Bellovin. Let me echo that. It if was that simple to 
ship a secure system, Microsoft and Sun Microsystems and 
everyone else would have done it years ago. How you use, how 
you configure a network or system depends on its purpose. A 
laptop that is used for text editing and e-mails has very 
different configuration requirements than a software 
development machine, which is very different than a Web server, 
which is very different than a database server and so on.
    There are about as many different uses of computers and 
configurations as there are computers, and one size does not 
fit all.
    Mr. Sastry. If I may just respond to your question of 
partnerships. And now I will sort of take the academic. I think 
the problems, the research problems and the development 
problems, are really too large for just about any group in this 
Nation. So I think it is especially important for research 
groups to work in teams. And at Berkeley we have really found 
it very, very important to collaborate with large numbers of 
research groups across the length and breadth of the Nation.
    The questions are then about what facilitates this 
collaboration is really at the academic, at the research level, 
that we have open standards where we don't use IP protections 
inside universities for protecting the kinds of software and 
systems research that we do, but at the same time we allow for 
industry partners to be able to uptake that information and 
take it out of the open source development, and then take it 
and encapsulate it into their products. And so, for instance, 
in sort of a research center and trust, which we are doing with 
Stanford, Carnegie Mellon, Cornell and Vanderbilt, we have 
found it very important that we voluntarily have adopted an 
open source IP policy amongst ourselves, while making sure that 
the companies, the industrial partners, can actually take the 
open source materials that are created, the secure trusted 
systems that are created, and then go take it into their 
proprietary products. That is sort of something that I think 
that the research sector can do in this particular space.
    Mr. Wolf. One of the exciting things that is happening in 
NSA right now is that--.
    Mr. Thornberry. The gentleman from Rhode Island elicited a 
host of interesting responses, which we certainly may want to 
pursue, but in the interests of time, let me turn to other 
Members, because we have gone well over double the 5 minutes.
    Mr. Langevin. I thank the Chairman for his latitude in 
allowing the panel to answer.
    Mr. Thornberry. I appreciate the gentleman's questions. 
Excellent questions.
    Does Chairman Cox wish to ask questions at this time?
    Mr. Cox. I do. Thank you, Mr. Chairman. I wonder if I could 
ask Dr. Sastry and Mr. Wolf whether you agree with the 
statement made by Dr. Bellovin in his testimony that when it 
comes to cyber, most basic research is being done in our 
universities. Is that your opinion as well?
    Mr. Wolf. I would--
    Mr. Sastry. I am sorry?
    Mr. Cox. If you could not hear the question, I am asking 
whether you agree with Dr. Bellovin's assessment that when it 
comes to cyber, most basic research is being done in our 
Nation's universities?
    Mr. Sastry. I would say so, even though there are pockets 
of excellence in industrial research labs as well, such as Dr. 
Bellovin's group itself.
    Mr. Wolf. I would disagree. I would say it is done in many 
places. Cybersecurity covers--there are many facets to that. I 
would point to DARPA, I would point to NSF, I would point to 
some of the things that NSA is doing. I would point to the 
national labs. There is some very interesting work being done 
in the national labs in cybersecurity. Again, some of that is 
classified research, so everybody doesn't necessarily get to 
view that.
    Certainly in the academic areas, there is lots of work 
being done, and we partner with the academics, so it is being 
done in many places. I don't think there is one area that--one 
organization that you can point to, one entity, and say that 
they are doing most of it.
    Mr. Cox. Well, I ask the question not because I think that 
Dr. Bellovin would disagree with anything that you just said, 
but because I think, Dr. Bellovin, one of the points that you 
are making is that it is--that we know essentially where the 
researchers are, and that it is difficult to scale up; that we 
can throw a lot of money at this, but we also have to spend 
just as much time thinking about which direction we are going, 
because we can't make it up on volume. We are not going to be 
able to reproduce all of this. Is that a fair statement of your 
point, Dr. Bellovin?
    Mr. Bellovin. Yes, that is it basically. I am not saying 
there is no basic research. There is certainly a very large 
need for applied research which does go on very many places. 
But university research can't be scaled up, basic research 
can't be scaled up by too much, because there aren't the people 
to do it yet.
    Of course, these are the people who are training the future 
generations of researchers. So it is very important that we 
encourage this, because it is not a problem that is going to go 
away any time soon.
    Mr. Cox. Well, taking that point, as supplemented and 
augmented by Mr. Wolf's comments, and we are well aware that we 
have the Federal piece, some of it is not public, so maybe our 
estimates of whether majorities here or there might even be a 
little soft, we are going to--I am going to infer from this, 
and this is the premise of my next question, that we are going 
to need to rely on our Nation's universities for some of the 
big objectives that we are attempting to tackle here, that this 
is going to be a partnership, and the Federal Government is 
going to partner with our universities.
    And then that takes me to, Mr. Wolf, your next point, and 
our Ranking Member Ms. Lofgren also questioned you about this a 
little bit, and that is our need to focus on U.S. technology, 
and whether this is possible if we have open standards, if we 
have a lot of people participating, if we are using the private 
sector as well as universities, it is not all in a black 
program in the Federal Government; is it realistic to assume 
that this is possible?
    Mr. Wolf. Well, I think it would be difficult to say that 
we would use all U.S. That wasn't my point. My point was really 
that there are certainly critical areas where you want to have 
a good control of, you know, your hardware and your software, 
maybe in a critical infrastructure, certainly in the national 
security sector.
    So if you have a system, you may want to look at certain 
areas and put better controls over the--I will say both the 
quality and the trustworthiness of the software. My comment 
about, you know, national software assurance laboratory, that 
may be a way of taking software, wherever it is written, and be 
able to validate it and say, yes, this is trusted software. The 
world right now, we are--IT is globalizing. Lots of work is 
going offshore. The U.S. cannot do everything. As I say, it is 
    So it is a matter of how do you look at software code. How 
do you validate it? How do you say you trust it? So whether it 
is U.S. or foreign written, it is really a question of trust. 
How do you establish trust in the software to make sure that it 
really does what it says it does? So it is not only the 
quality, but also the trusthworthiness.
    Mr. Cox. To the extent that our focus is on firewalls, or 
at least on that genre of technology that is meant to help 
networks resist attacks, an additional reason besides our own 
homeland security that we need to be concerned about theft, 
about penetration of these programs is that other nation states 
who are wary of the Internet, don't want their citizens using 
it, and who are using black boxes and firewalls to prevent 
their citizens form having access to the outside world would be 
thrilled to lay their hands on the most sophisticated 
technology that we have developed at taxpayer expense in order 
either to prevent their citizens from having access to the Web, 
or to trace the behavior of their citizens so that when they 
are doing things on the Internet that the government doesn't 
approve of, they can land them in jail.
    What can we do, therefore, to focus on security of the 
tough measures that we are trying to develop in our own 
country? And for this purpose I include both cybersecurity and 
physical security. And I address that to all three members. My 
time has expired. I thank the Chairman.
    Mr. Sastry. So your question is really quite interesting. 
Let me first talk about security and privacy. So the questions 
about building in privacy with--strong privacy with strong 
security, my own sense is that the kinds of technology 
solutions that help foster strong privacy include things like 
audit, include things like watching the watchers to try to 
determine who is watching what; also, these questions of 
selective revelations, which means that queries are answered 
narrowly so as to selectively reveal information little by 
little rather than have access to a lot more than is asked for; 
and then finally the questions about being able to understand 
if certain privacy standards are being met, and there are a 
host of new technologies, such as encrypted queries, crypto 
protocols is what they are called, for being able to enforce 
    So I think that in terms of taking worldwide leadership, I 
think we can really build in strong privacy into our strong 
security solutions. And then, of course, the questions of how 
this may be used overseas, of course those are much more 
complicated ones, but nonetheless we will have products which 
have strong privacy safeguards build into it. So, I think that 
this is one thing that we can do to sort of foster our ideals, 
while providing strong security.
    And I think that this message is somehow a little different 
from a message which says that you have to give up privacy in 
order to get security, because the technology indicators are 
all that--in fact, they are mutually reinforcing, rather than 
one at the expense of the other.
    Mr. Wolf. Not necessarily a complete answer to your 
question, but certainly one of the things is--at the national 
security sector is that we do have levels of protection that 
you put into various systems. So, for example, levels of 
encryption, where you have the--I will say the high-grade 
encryption, which is for the most significant and the most 
sensitive communications, where you may have over levels of 
encryption that aren't quite as good, but are still adequate to 
protect the information.
    So you can think of that in terms of the products that we 
are putting out. You may have a higher level of protection in 
terms of protecting the power grid in a product than maybe the 
general product that would be available that would be sold 
overseas. So there are ways that you can do them.
    Mr. Bellovin. The firewall technology, one of the 
criticisms of firewalls is that they assume that everyone on 
the inside is a good guy, is following the rules. This is a 
problem in industry as well. But in terms of the model you 
speak of, with repressive governments trying to isolate their 
citizens from the Internet, in that case it is the people on 
the inside who are actively trying to get around the firewall 
technology. And firewalls are not very good at that. There are 
some that do better than others.
    We are better off with strong firewall technology to 
protect ourselves with multiple overlapping layers of defense 
in depth to prevent people from the outside getting in, using 
overt mechanisms to provide insider behavior, ones that don't 
scale to a whole country, whereas outbound traffic is 
relatively unrestricted, and you rely on internal auditing. 
That, I think, would not pose nearly as much of a threat of 
being used by repressive governments to keep their own citizens 
from accessing the Internet. So I don't think there is any 
particular conflict there.
    Mr. Cox. Well, I am happy to hear that.
    Thank you, Mr. Chairman.
    Mr. Thornberry. Thank the Chairman.
    The gentleman from North Carolina.
    Mr. Etheridge. Thank you, Mr. Chairman. And let me thank 
you and the Ranking Member for this meeting, and for our 
distinguished guests for being here today. It has been very 
interesting thus far, and I appreciate that.
    Gartner, Incorporated, a respected IT consulting 
organization, has estimated that about 90 percent of the cyber 
intrusions could be avoided if individuals and companies 
consistently maintained the security of their computer systems 
by monitoring use and installing software patches to identify 
security flaws.
    Number one, do you agree with that? And, number two, do you 
believe that software vendors could make security maintenance a 
little more user-friendly? If each one of you would just touch 
on that.
    Mr. Bellovin. I would guess that it is more like 95 to 98 
percent than 90 percent. I very much agree with that statement. 
But, as I indicated in my written testimony, patching systems, 
especially production systems, is a much more challenging thing 
than it should be. I will not update my PC after about April 
1st until I have filed my taxes, because I can't take the risk 
of some unrelated change disabling the tax preparation software 
I use. And you have got that problem in spades if you are 
running a corporate Web server, a major corporate or government 
database and so on.
    As Dr. Sastry has indicated, the composition of systems, 
the components of complex systems working together properly is 
a very, very difficult and unsolved problem. We don't know how 
to do this. This is why patching is so hard. It is not that the 
administrators are irresponsible, or that the vendors haven't 
supplied good tools, it is that we don't know how to do it 
easily, reliably and without breaking something else.
    Mr. Sastry. Mr. Etheridge, if you were like me, when you 
are installing a computer and you have all of these queries 
which say, will you do this, will you do this? I think 
everybody's tendency is just to press, yes, yes, yes, or no, 
no, no randomly. So I think what you are alluding to is a big, 
big hot-button item.
    So people talking about human computer interaction. So I 
think the notion of human computer interaction for security to 
make it easier for people to actually understand what they are 
doing and be able to configure their systems is--I think is a 
vast and rather untapped area of research in cybersecurity. If 
anything is needed right away, it is one of those for the--and 
I agree with your statistics, too.
    Mr. Wolf. Operationally my organization does red-teaming, 
which is an organization that tries to penetrate networks. So 
we have customers in DOD that ask us to go look at their 
networks and to see if we can get into them. And I can verify 
that your 90 percent is probably correct. It is the networks 
that haven't been properly patched, configured properly. We 
look for those kinds of things. That is usually the door that 
we get in.
    If I look at the statistics that come out of the defense--
of the DOD networks, that come out of the JTF-CNO, I think 
their statement is it is about 90 some percent of the attempts 
to hacks are really trying to get at things that haven't been 
patched properly.
    In my testimony I talked about automatic patching and how 
that is a significant research agenda item. I believe that 
needs to be done. How do you make patching much easier for the 
system administrators? They are overwhelmed with the number of 
patches and problems and configuration settings that they have 
to do every day. And the idea of having preconfigured systems 
coming out of the box that are security-conscious in terms of 
here are the right settings, I think, is also another step 
    Mr. Etheridge. As you have noted before, and others before 
us, that the government, universities and the industry need to 
encourage more students to get into math, science and all of 
the science areas of technology in order to produce more 
graduates who can deal not only with cybersecurity, but with 
this whole issue of technology that we are dealing with.
    And let me go to each one of you on this one, starting with 
you, Dr. Sastry. Is the academic community acting in a way in 
retaining the number of scientists needed in the research area 
as it relates to cybersecurity as we look down the road, and, 
more specifically, making these systems more user-friendly? 
Because I think that is the key to getting the security.
    Mr. Sastry. Sir, it has been recognized that human computer 
interactions for cybersecurity is something that we need to 
focus on. The realization has kind of surprisingly recently. So 
in some ways the work is only now beginning.
    The questions about training the workforce, I think these 
are very, very--this is a really a very important item for us, 
because security, of course, depends on making sure that the 
entire populace is educated about all the needs of 
cybersecurity, because, of course, it is only as strong as the 
weakest link. I think that there has been in the last 2 years a 
shift in enrollments. I am in an electrical engineering 
computer science department. So there has been a shift away 
from computer science towards computer engineering, which in 
some ways is encouraging, because it does encourage people to 
now start thinking about information technology as a technology 
that is woven into the fiber of our everyday life and into our 
societal scale systems.
    But other disturbing trends are that the percentage of 
women that are coming into electrical and computer engineering, 
we have actually given up the advances that we made in the mid-
1990s in the last 4 or 5 years. That indeed is subject for 
concern; so also with other segments of the population. So at 
Berkeley, we have actually started going out and visiting high 
schools to try to get them thinking about cybersecurity already 
in high school, and certainly in Oakland and San Jose and all 
of the neighboring schools. So your remarks are really on 
target for our priorities.
    Mr. Etheridge. Thank you, sir. I see that I am out of time. 
But I would be intrigued, because I think it is important in 
every area of industry as well.
    Mr. Bellovin. I don't have anything to add on that.
    Mr. Wolf. I was just going to comment on our outreach 
program to educational institutions. We have the Centers of 
Excellence. We have 15 universities have an IA curriculum. We 
work with the service academies. We are currently starting to 
do some things at the community college level, sort of what you 
were saying in terms of kind of moving up through the lower 
levels up through the universities. We clearly need to make 
more people aware of IA in terms of things that need to be 
    Mr. Etheridge. Thank you.
    Mr. Thornberry. Thank the gentleman.
    The gentlelady from the Virgin Islands, Dr. Christensen.
    Mrs. Christensen. Thank you, Mr. Chairman. I don't expect 
that--I want to thank you for this hearing as well. I am 
becoming better informed on the area of cybersecurity, although 
I am still far from being an expert. My questions are going to 
be a little different.
    Dr. Sastry, in your testimony, you talked about whether the 
Federal Government would play the role of market maker and 
asked was there sufficient demand to stimulate new companies 
around ideas. It would seem to me that a fairly sizable demand 
would be in the private sector, and incorporations for security 
and for cybersecurity.
    We recently did Bioshield to encourage and expedite the 
development of countermeasures for bioterrorism agents, which 
will involve a significant expenditure on the Federal 
Government's part. Do you foresee in the area of cybersecurity 
that the Federal Government would have to provide most of the 
funding, or do you see that there is really a sufficient demand 
in the private sector that there would be more cost-sharing on 
the private side, and there would seem more diverse use, other 
than for homeland security, for government use in these kind of 
    Mr. Sastry. Thank you very much for your question. I think 
that the big market, of course, is in the private sector. And 
the big market is in the infrastructures which are certainly 
not owned by the Federal Government, which are privately owned.
    The question, of course, has been about jump-starting this 
market. So, just to give you an example, there has been a big 
buzz in the venture community about investing in security for 
the last 2 years. But, on the other hand, a number of the 
portfolio companies that come out of the venture community 
actually have not had a stream of revenue in secure products. 
So our sense is that since the Department of Homeland Security 
itself is committed to, in its Border and Security 
Directorates, IAIP Directorates and the Emergency Protection 
Directorates, to buy secure products, our sense is that having 
this--having this sort of as a badge to distinguish these 
products will actually jump-start the market in the private 
    I think my own expectation is that that would not--it is 
not something that one ought to or perhaps could subsidize. On 
the other hand, I think that if one--when I said a market 
maker, it was just a question of jump-starting the market by 
adopting certain sets of secure products in the beginning.
    I think the same--and the model, again, is a little bit 
like the DOD model. So the Internet actually grew from the 
ARPANET being used for certain DOD applications, and then sort 
of everybody else sort of jumped onto it, and so also for high-
performance computing, which resulted in PCs. So that is sort 
of the market-maker analogy that I was using.
    Mr. Bellovin. I would agree that much of the funding and 
energy has to come from industry. The Government's role is to 
create the appropriate incentives. If you look at the history 
of, say, cryptography, there is 100 to 150 years' worth of 
experience of people saying, I have got a really cryptographic 
solution and then going bankrupt because nobody wanted to buy 
it, because they didn't appreciate that they actually needed 
this technology.
    We are sometimes seeing the same thing in the computer 
security community today. There are solutions that have not 
been adopted by corporations that don't perceive the threat. It 
is only in the last few years that more than, say, the 
financial community and the military have really begun to 
realize that there is a real threat out there, and a real 
    I note in the last year or so Microsoft has finally gotten 
religion about security and started to take some very admirable 
projects and efforts, from what I have heard, internally, doing 
a very nice job. But it is going to take years for this to have 
an effect. But the real question, and this is the role for 
government, is to create incentives for corporations and 
government agencies to start thinking about security when they 
design systems and when they procure systems, creating the 
incentives for them to do so. That is a difficult problem, but 
that is a role for government.
    Mr. Wolf. I would agree with some of the things that have 
been said so far, but I would sort of focus a little bit on the 
global IT, the amount that is being spent in the U.S. 
Government on IT, the amount that is being spent on information 
assurance kinds of products.
    Mrs. Christensen. Can I just interrupt your answer to just 
add, that I understand that less than 1 percent of the science 
and the technology budget, or about $80 million, is being 
directed to cybersecurity and R&D. Is that adequate? Could you 
    Mr. Wolf. I am sorry. Say that again.
    Mrs. Christensen. I understand that about $80 million is 
directed to cybersecurity R&D in the Science and Technology 
Directorate budget. It seems like you were going to talk about 
the amount of government spending. This is in the Department of 
Homeland Security.
    Mr. Wolf. Okay. I am not--
    Mrs. Christensen. Could you also respond to whether that is 
    Mr. Wolf. I think we need to be spending more money in 
research really and in cybersecurity. I think there is a lot 
more things. I think we are underfunded in many areas.
    The comment that I was going to make is that, you know, we 
have tried to move from a demand--or a supply side to a demand; 
that customers are educated in terms of information assurance, 
in terms of cybersecurity, and they are looking for products 
and demanding products, that they actually need them.
    That is one piece. The other piece is the idea of maybe 
looking at insurance. If you look at a facility in terms of you 
evaluated it, is it certified, and then there is an insurance 
break that goes along with the corporation that, quote, has 
good system administrators, they have gone through some 
certification process, you have a reasonable architecture, that 
is a way in terms of--rather than overregulating or enforcing 
standards--that you indirectly, okay--you can create more of a 
demand for the products.
    Mrs. Christensen. Thank you.
    Thank you, Mr. Chairman.
    Mr. Thornberry. Thank the gentlelady.
    The gentleman from Kentucky Mr. Lucas.
    Mr. Lucas. Thank you, Mr. Chairman.
    This is a hypothetical, sort of a holistic, big picture 
question. I would ask each of you to comment on this. Let's 
assume for the moment that you have been put in charge of 
cybersecurity for the Federal Government, Homeland Security, 
and have you been asked to prepare a budget for that job, to do 
an adequate job, and that you submit this budget, and you get a 
third of that budget, one-third of the money that you think you 
need. I would ask you how would you prioritize what you would 
spend that money on, if you only got a third of the resources 
that you felt you needed to do the job. I would like for each 
of you to answer that.
    Mr. Bellovin. Well, if you are talking about operational 
networks, I would first put money into systems administration, 
because, as we said, 90 percent of the attacks are from known 
holes that haven't been patched. That would be my first 
priority, to improve the resources for system administration 
and what they need to do the job. Past that, for research 
funding, I would start to focus on composition of secure system 
    Mr. Sastry. I understood your question to be about research 
money. Of course, for the operational aspects, I would fully 
agree with getting systems administration to the fore and 
empowering systems administrators to be more involved in 
    For the research money, the way I see it, it is sort of a 
world of networks and systems. One has got to protect the 
systems of the computers, the networks on top of it, and then 
finally coalitions of systems on top of it. So I think that if 
the research money was cut in a third, I would make sure that 
there was coverage at every one of those levels, at the level 
of individual systems, at the level of networks, and then, of 
course, at coalitions, of groups of users.
    Having said that, I think then the question about a few 
areas to invest in, I think there the notion of how you build 
complicated systems which are trustable from pieces that can be 
trusted, which is the composition that we keep coming back to, 
needs to cut across all of these layers. Then I think the human 
computer interaction question that Mr. Ethridge raised, I think 
that is equally important to me.
    And finally, the third thing I would do would be the test 
beds to make sure that the research got out to companies that 
could then sort of produce product.
    So those are sort of a matrix. I would make sure that the 
network systems are all populated, and then the three areas--
those would be my three pet areas.
    Mr. Wolf. I would start, I agree with the operational 
aspects, to make sure that your operational pieces were secure. 
So it is the system administrators, it is the patches, it is 
the kinds of things that we have talked about so far.
    The second area that I think I would look at would be sort 
of my--I will call it my infrastructure. Given that I only have 
a third of the budget that I need, I would look at my 
infrastructure and try to build an infrastructure that I could 
then build on in the future, so--as you get your funding for 
the following years. So, if you want to call it--maybe it is 
the--I won't say the key management infrastructure, but it is 
the PKI, it is the kind of things that you could then build 
tools and techniques and products and services on in future 
years. That would be my second area.
    And the third, I think that I would take a step back, and I 
would look at all of my systems, my networks, my--whatever my 
operation is, and I would try to identify what are the most--I 
will call them the critical areas and apply the dollars to 
those as maybe the third venture there.
    And, of course, I would also put a piece to research, 
because I think a lot of times we are very short-sighted when 
funds are cut--I worked for the government for many years--that 
we tend to cut the research piece. If you tend to favor the 
operational piece, but the research piece is your investment in 
the future. If you don't put dollars towards that, then 5 years 
from now you will be dead in the water.
    Mr. Lucas. Thank you very much, Mr. Chairman. We have got a 
vote coming up, so I will stop there.
    Mr. Thornberry. The Chair appreciates the gentleman.
    Does the gentlelady from Texas have questions she would 
like to ask?
    Ms. Jackson-Lee. Thank you very much to the Chairman and 
the Ranking Member for holding this hearing.
    Mr. Chairman, I ask unanimous consent that my statement be 
submitted into the record.
    Mr. Thornberry. Without objection.
    Ms. Jackson-Lee. I appreciate the testimony of the 
witnesses and their indulgence. I am in a Science Committee 
mark-up that is going on simultaneously, and so I thank you 
very much for your patience.
    I just want to focus in one area very quickly. We do have 
votes on. That is the need for the prominence of cybersecurity 
issues under the Department of Homeland Security. And what we 
have noted is that the funding has not been where we would like 
it to be. A Director has not yet been appointed. It all 
suggests that we need to refocus our attention on this area.
    So if you would answer these questions quickly, I would 
appreciate it. One, my understanding is, or my sense, that as 
we are going into the 21st century, Y2K we were all focused on 
what technology, Internet, could do to this Nation. Literally 
we were in a panic about it being able to stop us in our 
tracks. After 9/11 we began to focus on some very real concerns 
about security.
    I don't know where we placed the need and the focus of 
security in this instance, cybersecurity, inasmuch as we are 
still in the same boat, that the--the attack on our security 
infrastructure, our technology infrastructure could bring this 
Nation to its knees. So my question to you is have we focused 
    The second part of it, with respect to research, have we 
expanded it enough? I believe we should start expanding our 
reach to universities around the Nation, research entities 
around the Nation, and as well make sure we include Hispanic-
serving institutions, historically black institutions, Native 
American-focused institutions, and others in areas that can 
address the questions of urban and rural security as relates to 
    And if you would answer those questions, I would appreciate 
it very much. And I thank the gentlemen for their testimony.
    Mr. Sastry. You have certainly hit the issues that are most 
important to the research community. Our sense, too, is that it 
would be useful to have a focused Federal effort in 
cybersecurity research, and a focused effort which, in fact, 
involves groups of institutions across the length and breadth 
of the Nation.
    There is a very, very substantial educational agenda, and 
the educational agenda does indeed need to reach out to every 
corner, as you have correctly pointed out. I am in complete 
    Now, the questions about--I do believe that DHS and HSARPA 
could be the place where cybersecurity research could be given 
marquis status and then be adequately funded and adequately 
managed. And I felt that the DARPA model was actually a pretty 
effective model for doing this. The Defense Advance Research 
Projects Agency, the DARPA model, was an executive model for 
managing--this is HSARPA.
    Ms. Jackson-Lee. You would encourage the creations of 
consortiums with joint working relationships with universities 
around the Nation?
    Mr. Sastry. Right. The coalitions, of course, could be 
created by the institutions themselves, or in the form of 
research programs in the DARPA model where you actually bring 
institutions together, and a program manager, a Federal program 
manager then sort of builds the bridges between those 
    Ms. Jackson-Lee. Do you see the need also for enhancing 
experts within the minority communities, because we are 
certainly limited in the Ph.D. candidates and Ph.D. graduates 
from those communities?
    Mr. Sastry. That is absolutely true. And that is true all 
the way from the high school level up all of the way through 
the graduate programs and the faculty as well.
    Ms. Jackson-Lee. Anyone else?
    Mr. Bellovin. A national research counsel panel I was on 
noted that--concluded that today there probably could not be a 
massive disaster caused by a pure cyberattack, something close 
to the scale of 9/11. It doesn't mean it can't happen in the 
future. As we become more networked, as industrial processes, 
so-called SCADA systems, controlled power lines and industrial 
processes and so on, as things become more networked, the 
danger will increase. We have a few years before we are there. 
We need to take precautions right now.
    And I would note that everybody's computers can be 
leveraged for launching attacks. There has been reports in the 
papers in the last few weeks about personal computers being 
hacked to serve spammers and pornographers and so on, which 
means that anybody's computer in every sector of the society, 
we need to learn how to secure these. And individuals need to 
learn how to protect things, too.
    Ms. Jackson-Lee. Thank you.
    Mr. Wolf. There is a long list of research topics that need 
to be done, and clearly we need to leverage everybody in terms 
of working on those topics. So the idea of having some sort of 
coordinated effort in terms of where research--who is doing 
what I think is needed. We have done a lot of outreach recently 
with DARPA, NSF, academics, et cetera, to try to understand 
where research is being done to leverage all of that.
    Second, we are going out to the academic institutions with 
our list to try to get some help in terms of doing the 
research, and that is all universities that are out there.
    And your other comment about the--sort of the threat. I am 
not sure we really understand the threat in terms of how 
serious an attack on the infrastructure of the U.S. could be. I 
think there needs to be some focus on that.
    Ms. Jackson-Lee. Thank you.
    Thank you, Mr. Chairman.
    Mr. Thornberry. I thank the gentlelady.
    As the witnesses know, we do have votes on. I am not going 
to ask you to stay during these votes. So, with each of your 
permission, what I would like to do is submit some additional 
questions in writing to you. I think there are a number of 
areas that you have touched on that I want to follow up, 
including this whole software verification issue, this issue of 
translating research into the real world, which I think is a 
major, important issue. The whole human factors things that you 
all have talked about, about government research and how it 
affects the private market, you don't have to write those down, 
we will send those to you in writing.
    Mr. Thornberry. But needless to say, you all have touched 
on a number of things that have been very helpful to us. I want 
to thank each of you for taking the time to be here and to be 
with us today, and with that, this hearing stands adjourned.
    [Whereupon, at 11:45 a.m., the subcommittee was adjourned.]