b"<html>\n<title> - CYBER SECURITY R&D</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n \n                           CYBER SECURITY R&D \n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                      SUBCOMMITTEE ON RESEARCH AND\n                           SCIENCE EDUCATION\n\n                  COMMITTEE ON SCIENCE AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 10, 2009\n\n                               __________\n\n                           Serial No. 111-31\n\n                               __________\n\n     Printed for the use of the Committee on Science and Technology\n\n\n     Available via the World Wide Web: http://www.science.house.gov\n\n                               ----------\n                        U.S. GOVERNMENT PRINTING OFFICE \n\n49-966 PDF                       WASHINGTON : 2009 \n\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \nDC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, \nWashington, DC 20402-0001 \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                  COMMITTEE ON SCIENCE AND TECHNOLOGY\n\n                   HON. BART GORDON, Tennessee, Chair\nJERRY F. COSTELLO, Illinois          RALPH M. HALL, Texas\nEDDIE BERNICE JOHNSON, Texas         F. JAMES SENSENBRENNER JR., \nLYNN C. WOOLSEY, California              Wisconsin\nDAVID WU, Oregon                     LAMAR S. SMITH, Texas\nBRIAN BAIRD, Washington              DANA ROHRABACHER, California\nBRAD MILLER, North Carolina          ROSCOE G. BARTLETT, Maryland\nDANIEL LIPINSKI, Illinois            VERNON J. 
EHLERS, Michigan\nGABRIELLE GIFFORDS, Arizona          FRANK D. LUCAS, Oklahoma\nDONNA F. EDWARDS, Maryland           JUDY BIGGERT, Illinois\nMARCIA L. FUDGE, Ohio                W. TODD AKIN, Missouri\nBEN R. LUJAN, New Mexico             RANDY NEUGEBAUER, Texas\nPAUL D. TONKO, New York              BOB INGLIS, South Carolina\nPARKER GRIFFITH, Alabama             MICHAEL T. MCCAUL, Texas\nSTEVEN R. ROTHMAN, New Jersey        MARIO DIAZ-BALART, Florida\nJIM MATHESON, Utah                   BRIAN P. BILBRAY, California\nLINCOLN DAVIS, Tennessee             ADRIAN SMITH, Nebraska\nBEN CHANDLER, Kentucky               PAUL C. BROUN, Georgia\nRUSS CARNAHAN, Missouri              PETE OLSON, Texas\nBARON P. HILL, Indiana\nHARRY E. MITCHELL, Arizona\nCHARLES A. WILSON, Ohio\nKATHLEEN DAHLKEMPER, Pennsylvania\nALAN GRAYSON, Florida\nSUZANNE M. KOSMAS, Florida\nGARY C. PETERS, Michigan\nVACANCY\n                                 ------                                \n\n             Subcommittee on Research and Science Education\n\n                 HON. DANIEL LIPINSKI, Illinois, Chair\nEDDIE BERNICE JOHNSON, Texas         VERNON J. EHLERS, Michigan\nBRIAN BAIRD, Washington              RANDY NEUGEBAUER, Texas\nMARCIA L. FUDGE, Ohio                BOB INGLIS, South Carolina\nPAUL D. TONKO, New York              BRIAN P. BILBRAY, California\nPARKER GRIFFITH, Alabama                 \nRUSS CARNAHAN, Missouri                  \nBART GORDON, Tennessee               RALPH M. HALL, Texas\n               DAHLIA SOKOLOV Subcommittee Staff Director\n            MARCY GALLO Democratic Professional Staff Member\n           MELE WILLIAMS Republican Professional Staff Member\n                    BESS CAUGHRAN Research Assistant\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                             June 10, 2009\n\n                                                                   Page\nWitness List.....................................................     
2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative Daniel Lipinski, Chairman, \n  Subcommittee on Research and Science Education, Committee on \n  Science and Technology, U.S. House of Representatives..........     9\n    Written Statement............................................    10\n\nStatement by Representative Vernon J. Ehlers, Ranking Minority \n  Member, Subcommittee on Research and Science Education, \n  Committee on Science and Technology, U.S. House of \n  Representatives................................................    11\n    Written Statement............................................    12\n\nPrepared Statement by Representative Eddie Bernice Johnson, \n  Member, Subcommittee on Research and Science Education, \n  Committee on Science and Technology, U.S. House of \n  Representatives................................................    12\n\n                               Witnesses:\n\nDr. Seymour E. Goodman, Professor of International Affairs and \n  Computing; Co-Director, Georgia Tech Information Security \n  Center, Georgia Institute of Technology\n    Oral Statement...............................................    13\n    Written Statement............................................    15\n    Biography....................................................    17\n\nMs. Liesyl I. Franz, Vice President, Information Security and \n  Global Public Policy, TechAmerica\n    Oral Statement...............................................    17\n    Written Statement............................................    19\n    Biography....................................................    22\n\nDr. Anita D'Amico, Director, Secure Decisions Division, Applied \n  Visions, Inc.\n    Oral Statement...............................................    23\n    Written Statement............................................    
24\n    Biography....................................................    33\n\nDr. Fred B. Schneider, Samuel B. Eckert Professor of Computer \n  Science, Department of Computer Science, Cornell University\n    Oral Statement...............................................    33\n    Written Statement............................................    34\n    Biography....................................................    40\n\nMr. Timothy G. Brown, Vice President and Chief Architect, CA \n  Security Management\n    Oral Statement...............................................    41\n    Written Statement............................................    43\n    Biography....................................................    49\n\nDiscussion.......................................................    49\n\n              Appendix: Answers to Post-Hearing Questions\n\nDr. Seymour E. Goodman, Professor of International Affairs and \n  Computing; Co-Director, Georgia Tech Information Security \n  Center, Georgia Institute of Technology........................    68\n\nMs. Liesyl I. Franz, Vice President, Information Security and \n  Global Public Policy, TechAmerica..............................    73\n\nDr. Anita D'Amico, Director, Secure Decisions Division, Applied \n  Visions, Inc...................................................    76\n\nDr. Fred B. Schneider, Samuel B. Eckert Professor of Computer \n  Science, Department of Computer Science, Cornell University....    80\n\nMr. Timothy G. Brown, Vice President and Chief Architect, CA \n  Security Management............................................    
87\n\n\n                           CYBER SECURITY R&D\n\n                              ----------                              \n\n\n                        WEDNESDAY, JUNE 10, 2009\n\n                  House of Representatives,\n    Subcommittee on Research and Science Education,\n                       Committee on Science and Technology,\n                                                    Washington, DC.\n\n    The Subcommittee met, pursuant to call, at 10:04 a.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. Daniel \nLipinski [Chairman of the Subcommittee] presiding.\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n                            Hearing Charter\n\n             SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION\n\n                  COMMITTEE ON SCIENCE AND TECHNOLOGY\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                           Cyber Security R&D\n\n                        Wednesday, June 10, 2009\n                         10:00 a.m.-12:00 p.m.\n                   2318 Rayburn House Office Building\n\n1. Purpose\n\n    The purpose of this hearing is to explore the state of federal \ncyber security research and development (R&D). The Subcommittee will \nreceive testimony from a panel of outside experts about priorities and \nexisting gaps in the cyber security research portfolio, as well as \nexamine the adequacy of cyber security education and workforce training \nprograms.\n\n2. Witnesses:\n\n<bullet>  Dr. Seymour Goodman, Professor of International Affairs and \nComputing and Co-Director, Georgia Tech Information Security Center, \nGeorgia Institute of Technology\n\n<bullet>  Ms. Liesyl Franz, Vice President, Information Security and \nGlobal Public Policy, TechAmerica\n\n<bullet>  Dr. Anita D'Amico, Director, Secure Decisions Division, \nApplied Visions, Inc.\n\n<bullet>  Dr. Fred Schneider, Samuel B. Eckert Professor of Computer \nScience, Department of Computer Science, Cornell University\n\n<bullet>  Mr. 
Timothy Brown, Vice President and Chief Architect, CA \nSecurity Management\n\n3. Overarching Questions:\n\n<bullet>  Does the federal cyber security R&D portfolio adequately \naddress existing security concerns as well as new and emerging threats? \nIf not, what are the research gaps? Do the existing priorities for \nfederal research investment reflect any risk assessment of current and \nfuture threats? Is the cyber security R&D portfolio appropriately \nbalanced between long-range, game-changing research, and research \ntargeted toward incremental improvement?\n\n<bullet>  How can the Federal Government facilitate effective public-\nprivate partnerships and increase private sector engagement in \naddressing common research needs for cyber security? How can the \nFederal Government ensure that stakeholder outreach and the process for \ninput into cyber security R&D planning are adequate?\n\n<bullet>  Is the ``human factor'' sufficiently integrated into the \ncyber security R&D strategy? If not, what new and continuing areas of \nbasic research in the social and behavioral sciences could \nsignificantly improve our ability to design more effective \ntechnologies?\n\n<bullet>  What is the state of cyber security education? Are future \ncyber security professionals being adequately trained by colleges and \nuniversities to meet the demands of the private sector? What role can \nthe Federal Government play in supporting formal cyber security \neducation and training, and in educating the general public about \nprotecting themselves and their networks against cyber threats?\n\n4. Background\n\n    Information technology (IT) has evolved rapidly over the last \ndecade, leading to markedly increased connectivity and productivity. \nThe benefits provided by these advancements have led to the widespread \nuse and incorporation of information technologies across major sectors \nof the economy. 
This level of connectivity and the dependence of our \ncritical infrastructures on IT have also increased the vulnerability of \nthese systems. Reports of cyber criminals and nation-states accessing \nsensitive information and disrupting services have risen steadily over \nthe last decade, heightening concerns over the adequacy of our cyber \nsecurity measures. For example, in 2008 the payment processors of an \ninternational bank were penetrated allowing fraudulent ATM \ntransactions. In 2007, a U.S. retailer was the victim of a cyber attack \nand the personal information of 45 million credit and debit card \nholders was compromised.\n    According to Symantec's Government Internet Security Threat Report, \nthe telecommunications infrastructure was the predominant target of \ncyber attack in 2008. Some estimate that the number of cyber attacks is \nactually much higher because companies avoid reporting incidents due to \nfear over plummeting stock prices and the possibility of further \nattack. Firms that are subject to cyber attack typically observe a \ndecline of one to five percent in their stocks, which translates into a \nloss of between $50 and $200 million for large companies.\n    In January 2008, the Bush Administration established through a \nseries of classified executive directives the Comprehensive National \nCybersecurity Initiative (CNCI). While the details of the CNCI are \nlargely classified, the goal of the multi-faceted initiative was to \nsecure federal systems.\\1\\ A number of security experts have expressed \nconcern that the classified nature of the CNCI has prohibited active \nengagement with the private sector despite the fact that 85 percent of \nthe Nation's critical infrastructure is owned and operated by private \nentities. 
While experts are concerned by the lack of transparency and \npublic-private cooperation under the CNCI, they have also urged \nPresident Obama to build upon the existing structure rather than \nstarting from scratch. In February 2009, the Obama Administration \ncalled for a 60-day review of the national cyber security strategy. The \nPresident's review required the development of a framework that would \nensure that the CNCI was adequately funded, integrated, and coordinated \nwith the private sector and Congress.\n---------------------------------------------------------------------------\n    \\1\\ The objectives of the CNCI have been assembled from various \npress releases and media reports. An overview of the CNCI is available \nin the CRS report entitled, ``Comprehensive National Cybersecurity \nInitiative: Legal Authorities and Policy Considerations.''\n---------------------------------------------------------------------------\n    On May 29, 2009, the Administration released its 60-day review of \ncyberspace policy. The review team acknowledged the difficult task of \naddressing cyber security concerns in a comprehensive fashion due to \nthe wide array of federal departments and agencies with cyber security \nresponsibilities and overlapping authorities. According to the review, \ncyber security leadership must come from the top. To that end, the \nPresident plans to appoint a ``cyber czar'' who will oversee the \ndevelopment and implementation of a national strategy for improving \ncyber security. 
The appointee will report to both the National Security \nCouncil and the National Economic Council and will chair the \nInformation and Communications Infrastructure Interagency Policy \nCouncil (ICI-IPC), an existing policy coordinating body to ensure ``a \nreliable, secure and survivable global information and communications \ninfrastructure.'' The review also emphasizes the need for the Federal \nGovernment to partner with the private sector to guarantee a secure and \nreliable infrastructure. Furthermore, it highlights the need for \nincreased public awareness, the education and expansion of the IT \nworkforce, and the importance of advancing cyber security research and \ndevelopment. The review contains the following action items that are \nrelevant to the Committee's work.\n\nNear-Term Action Items:\n\n        1.  Initiate a national public awareness and education campaign \n        to promote cyber security.\n\n        2.  In collaboration with other Executive Office of the \n        President entities, develop a framework for R&D strategies that \n        focus on game-changing technologies that have the potential to \n        enhance the security, reliability, resilience, and \n        trustworthiness of digital infrastructure; provide the research \n        community access to event data to facilitate developing tools, \n        testing theories, and identifying workable solutions.\n\nMid-Term Action Items:\n\n        1.  Expand support for key education programs and R&D to ensure \n        the Nation's continued ability to compete in the information \n        age economy.\n\n        2.  Develop a strategy to expand and train the workforce, \n        including attracting and retaining cyber security expertise in \n        the Federal Government.\n\n        3.  Develop a set of threat scenarios and metrics that can be \n        used for risk management decisions, recovery planning, and \n        prioritization of R&D.\n\n        4.  
Encourage collaboration between academic and industrial \n        laboratories to develop migration paths and incentives for the \n        rapid adoption of research and technology development \n        innovations.\n\n        5.  Use the infrastructure objectives and the R&D framework to \n        define goals for national and international standards bodies.\n\nCyber Security R&D\n    Cyber security related activities are conducted across the Federal \nGovernment, but three key agencies, NSF, DHS and DOD (specifically \nDARPA) fund the majority of cyber security R&D.\n    The task of coordinating unclassified cyber security R&D has been \nassigned to the Networking and Information Technology Research and \nDevelopment (NITRD) program. The NITRD program, which consists of 13 \nfederal agencies, coordinates a broad spectrum of IT R&D activities, \nbut includes an interagency working group and program component area \nfocused specifically on cyber security and information assurance (CSIA) \nR&D. The NITRD agencies have requested a total of $343 million for CSIA \nR&D in FY 2010.\n    In 2006, the interagency working group produced a federal plan for \ncyber security R&D. The recommendations of the working group were that \nfederal CSIA agencies: should explore high-impact threats; should \nassess the security implications of emerging technologies; should \nexamine ways to build security in from the beginning; and should create \nmetrics for assessing cyber security. The working group also \nrecommended sustained interagency coordination and collaboration; \nindividual agency as well as interagency prioritization of cyber \nsecurity R&D; the targeting of R&D investments into strategic needs; \nstrengthened partnerships, including international partners; and more \neffective coordination with the private sector. Finally, the working \ngroup recommended the development of a subsequent roadmap or \nimplementation document, which to date has not been produced. 
There is \nconcern that while the NITRD program provides a mechanism for \ncoordination and collaboration among agencies, a lack of strong \nleadership by the Office of Science and Technology Policy will result \nin a patchwork of mission-driven objectives that fail to advance a \ncomprehensive cyber security R&D strategy. These concerns may be \nmediated by the release of the 60-day review and the President's pledge \nto make cyber security one of his key management priorities.\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\nAgency Roles in Cyber Security R&D\n\n            NSF\n    With a budget of $127 million for FY 2010, NSF is the principal \nagency supporting unclassified cyber security R&D and education. NSF's \nrequest is an 8.6 percent increase above FY09 levels.\n    NSF's cyber security research activities are primarily funded \nthrough the Directorate for Computer & Information Science & \nEngineering (CISE). CISE supports cyber security R&D through a targeted \nprogram, Trustworthy Computing, as well as through a number of its core \nactivities in Computer Systems Research, Computing Research \nInfrastructure, and Network and Science Engineering. The cyber security \nportfolio supports both theoretical and experimental research.\n    The Trustworthy Computing program, funded at $67 million for FY \n2010, is an outgrowth of NSF's Cyber Trust program, which was developed \nin response to the Cyber Security R&D Act of 2003. The program supports \nresearch into new models, algorithms and theories for analyzing the \nsecurity of computer systems and data components. 
It also supports \ninvestigation into new security architectures, methodologies that \npromote usability in conjunction with protection, and new tools for the \nevaluation of system confidence and security.\n    In addition to its basic research activities, NSF's Directorate for \nEducation & Human Resources (EHR) manages the Scholarship for Service \nprogram which provides funding to colleges and universities for the \naward of two-year scholarships in information assurance and computer \nsecurity fields. Scholarship recipients are required to work for two \nyears in the Federal Government, upon completion of their degree. EHR \nalso supports the development of cyber security professionals through \nthe Advanced Technological Education (ATE) program, which focuses on \nthe education of technicians for high-technology fields.\n\n            DHS\n    Cyber security research in DHS is planned, managed, and coordinated \nthrough the Cyber Security Research and Development Center. The center \nnot only supports the research efforts of the Homeland Security \nAdvanced Research Projects Agency (HSARPA), but helps to coordinate the \ntesting and evaluation of technologies, as well as technology \ntransition. The FY 2010 budget includes $37.2 million for cyber \nsecurity R&D at DHS; this is an increase of $6.6 million over FY 2009.\n    In addition to conducting R&D, DHS has an operational and \ncoordination role in securing cyber space. The National Cyber Security \nDivision (NCSD) is the operational arm of DHS's cyber security group \nand handles a host of tasks, including the analysis of cyber threats, \nthe dissemination of cyber threat warnings, the facilitation of cyber \nsecurity exercises, and the reduction of software vulnerabilities. The \nbudget request for the NCSD is $400 million, an increase of $87 million \nabove FY 2009. 
Within NCSD, the United States Computer Emergency \nReadiness Team (US-CERT) is tasked with monitoring federal non-\nclassified computer systems and issuing warnings to both federal \nagencies and the public when an attack occurs. Recent GAO reports have \ncriticized US-CERT, citing a lack of a national strategy, an absence of \noperational relationships with other key cyber security groups, both \nfederal agencies and private entities, and an insufficient level of \naction in response to a cyber attack.\n\n            DARPA\n    DARPA is the principal R&D agency of the DOD; its mission is to \nidentify and develop high-risk, high-reward technologies of interest to \nthe military. DARPA's cyber security activities are conducted primarily \nthrough the Strategic Technology Office and the Information Assurance \nand Survivability project, which is tasked with developing technologies \nthat make emerging information systems such as wireless and mobile \nsystems secure. The budget request for the Information Assurance and \nSurvivability project is $113.6 million in FY 2010. The project \nincludes a variety of targeted programs; for example, the Intrinsically \nAssured Mobile Ad-Hoc Network (IAMANET) program is tasked with \ndesigning a tactical wireless network that is secure and resilient to a \nbroad range of threats, including cyber attacks, electronic warfare and \nmalicious insiders. The budget request for IAMANET is $14.5 million. \nThe goal of the Trustworthy Systems program, with a budget request of \n$11.1 million, is to provide foundational trustworthy computer \nplatforms for Defense Department systems. 
DARPA is also examining \npotential supply chain vulnerabilities in the Trusted, Uncompromised \nSemiconductor Technology program (TrUST) by developing methods to \ndetermine whether a microchip manufactured through a process that is \ninherently ``untrusted'' (i.e., not under our control) can be \n``trusted'' to perform just the design operations and no more. The \nbudget request for TrUST is $33.5 million.\n    Finally, DARPA is developing the National Cyber Range (NCR). The \nNCR will provide a revolutionary environment for research organizations \nto test the security of information systems. The NCR will be capable of \nsupporting multiple, simultaneous, segmented tests in realistically \nconfigured or simulated testbed environments and will produce \nqualitative and quantitative assessments of the security of various \ncyber technologies and scenarios. According to DARPA officials, the \nintent is to have the NCR available for both classified and \nunclassified research. The budget request for the NCR is $50 million \nfor FY 2010.\n\n            NIST\n    NIST conducts limited cyber security research to identify \nimprovements in the development of standards and maintains a checklist \nof security settings for federal computers. Cyber security activities \nare conducted through NIST's Information Technology Laboratory, which \nhas a budget request of $72 million for FY 2010, including $15 million \nin support of the CNCI and $29 million for CSIA R&D. NIST's primary \nmission in cyber security is to protect the federal information \ntechnology network by creating cyber security standards for federal \nnon-classified computer systems, identifying methods for assessing the \neffectiveness of security requirements, and conducting tests to \nvalidate security in information systems. These tasks were assigned to \nNIST in the Computer Security Act of 1987. 
The federal standards for \ncomputing systems help establish a base level of protection against \nintrusion, disruption and theft.\n\n5. Questions for Witnesses:\n\nDr. Goodman and Dr. Schneider\n\n        <bullet>  Does the current range of federally supported \n        research adequately address existing cyber security threats as \n        well as new and emerging threats? If not, what are the research \n        gaps, and how would you prioritize federal research investments \n        in cyber security?\n\n        <bullet>  How can the Federal Government foster effective \n        partnerships between academia and the private sector?\n\n        <bullet>  What is the state of cyber security education? Are \n        future cyber security professionals being adequately trained by \n        colleges and universities to meet anticipated demands of the \n        private sector? If not, what kind of cyber security training is \n        appropriate and necessary for institutions to develop, and for \n        what kinds of students?\n\n        <bullet>  What role can the Federal Government play in \n        educating the general public about protecting themselves and \n        their networks against cyber threats?\n\nDr. Anita D'Amico\n\n        <bullet>  How can the behavioral and social sciences contribute \n        to the design and evaluation of more secure information \n        technologies? What new and continuing areas of basic research \n        in the social and behavioral sciences could significantly \n        improve our ability to design more effective technologies in \n        cyber security? Are there promising research opportunities that \n        are not being adequately addressed?\n\n        <bullet>  What is the nature of interactions and collaborations \n        between behavioral and social scientists, and computer \n        scientists and engineers? 
Is the Federal Government playing an \n        effective role in fostering such collaboration?\n\n        <bullet>  Does the current range of federally supported \n        research adequately address existing cyber security needs of \n        industry as well as new and emerging threats? If not, what are \n        the research gaps, and how would you prioritize federal \n        research investments in cyber security?\n\n        <bullet>  How does the private sector provide input regarding \n        its research needs into the process by which the federal \n        research portfolio is developed? Do you believe your needs are \n        adequately addressed by the federal research agenda? How can \n        the Federal Government more effectively partner with the \n        private sector to address common research needs?\n\nMs. Franz and Mr. Brown\n\n        <bullet>  Does the current range of federally supported \n        research adequately address the cyber security needs of \n        industry as well as new and emerging threats? If not, what are \n        the research gaps, and how would you prioritize federal \n        research investments in cyber security?\n\n        <bullet>  How does the private sector provide input regarding \n        its research needs into the process by which the federal \n        research portfolio is developed? Do you believe your needs are \n        adequately addressed by the federal research agenda? How can \n        the Federal Government more effectively partner with the \n        private sector to address common research needs?\n\n        <bullet>  What is the state of cyber security education? Are \n        future cyber security professionals being adequately trained by \n        colleges and universities to meet anticipated demands of the \n        private sector? 
If not, what kind of cyber security training is \n        appropriate and necessary for institutions to develop, and for \n        what kinds of students?\n\n        <bullet>  What role can the Federal Government play in \n        educating the general public about protecting themselves and \n        their networks against cyber threats?\n\n    Chairman Lipinski. This hearing will come to order.\n    Good morning, and I welcome you to today's hearing entitled \n``Cyber Security R&D.''\n    Welcome to the Research and Science Education Subcommittee \nhearing on cyber security research and development. Information \ntechnology is an integral part of our daily lives. Computers, \ncell phones and the Internet have greatly increased our \nproductivity and connectivity. Unfortunately, this connectivity \nand the dependence of our critical infrastructures on \ninformation technologies have increased our vulnerabilities to \ncyber attacks. For example, last year the Pentagon reported \nmore than 360 million attempts to break into its networks, and \njust two weeks ago, a cyber attacker accessed the design plans \nfor the $300 billion Joint Strike Fighter project.\n    But it is not just the Pentagon that needs to worry about \ncyber security. Cyber crime is a problem for businesses large \nand small, and for every single American. The FCC estimates \nthat identity theft costs consumers about $50 billion annually, \nand even more alarmingly, it is the fastest-growing type of \nfraud in the United States. These are not just individual \ncrimes or individual criminals. Increasingly, globalization and \nthe Internet mean that sophisticated organized crime groups can \nmine information, selling it both nationally and \ninternationally.\n    In 2007, nearly 50 million credit card records were taken \nwhen cyber criminals broke into computer systems used by the \nretailer TJ Maxx. 
Some analysts put the total cost of the \nbreach at over $4 billion, and the stolen card data was used to \ndefraud retailers nationwide. As a result of this, Walmart lost \nalmost $8 million to fraudulent gift cards. Ultimately, 11 \npeople were indicted including three U.S. citizens, two \nindividuals from China, one from Belarus, one from the Ukraine \nand one from Estonia. This is what cyber attacks are about. It \nis a worldwide challenge to law enforcement and it can affect \nany American.\n    Improving the security of cyberspace is of the utmost \nimportance and it will take the collective effort of the \nFederal Government, the private sector, our scientists and \nengineers, and every American to be able to accomplish this.\n    In order to realize the full benefits of information \ntechnology, we need advances in cyber security R&D. Cyber \nthreats are constantly evolving and cyber security R&D must \nevolve in concert through a combination of near-term fixes and \nlong-term projects that build a more secure foundation.\n    People are perhaps the most important part of our IT \ninfrastructure, and according to experts, they are also the \nweakest link in many systems. Better cyber security education \nfor both the general public and for current and future IT \nprofessionals is vital. However, there is still a lot we don't \nknow about how humans interact with technology. Therefore, more \nresearch into social and behavioral sciences has the potential \nto significantly improve the security of our IT systems.\n    Today we will hear from witnesses who are actively engaged \nin efforts to improve the security of our digital \ninfrastructure. 
I look forward to the witnesses providing
valuable insight into the challenges we face in tackling this
complex issue and the role of cyber security R&D and education
in any comprehensive solution.
    The Science and Technology Committee has a key role to play
in improving cyber security, and to that extent, we are holding
a series of hearings to examine various aspects of this issue.
After we focus on R&D and education, next week our subcommittee
will hold a joint hearing with the Technology and Innovation
Subcommittee to hear how federal agencies are responding to the
Administration's 60-day cyberspace policy review. And later
this month, the Technology and Innovation Subcommittee will
hold a hearing to assess the efforts of DHS and NIST.
    There is no doubt that our use of the Internet and other
communication networks is continuing to grow and evolve, and
that threats from individual hackers, criminal syndicates and
even other governments are growing and evolving too. I am glad
the President is taking an active role, and there is no doubt
in my mind that Administration leadership will help better
define and prioritize cyber threats, coordinate the federal
response and develop effective partnerships with the private
sector. As chairman of this subcommittee, I look forward to
working with my colleagues and the Administration to ensure the
development of a strong cyber security strategy.
    I want to thank all of our witnesses for taking the time to
appear before the Subcommittee this morning and I look forward
to your testimony.
    Now the Chair will recognize Dr. Ehlers for an opening
statement.
    [The prepared statement of Chairman Lipinski follows:]
             Prepared Statement of Chairman Daniel Lipinski
    Good morning.
Welcome to this Research and Science Education
Subcommittee hearing on cyber security research and development.
    Information technology is an integral part of our daily lives.
Computers, cell phones, and the Internet have greatly increased our
productivity and connectivity. Unfortunately, this connectivity and the
dependence of our critical infrastructures on information technologies
have increased our vulnerability to cyber attacks. For example, last
year the Pentagon reported more than 360 million attempts to break into
its networks. Just two weeks ago, a cyber attacker accessed the design
plans for the $300 billion Joint Strike Fighter project.
    But it's not just the Pentagon that needs to worry about cyber
security. Cybercrime is a problem for businesses large and small, and
for every single American. The FTC estimates that identity theft costs
consumers about $50 billion annually, and that even more alarmingly,
it's the fastest growing type of fraud in the United States. These
aren't just individual criminals. Increasing globalization and the
Internet means that sophisticated organized crime groups can mine
information, selling it both nationally and internationally.
    In 2007, nearly 50 million credit card records were taken when
cyber criminals broke into computer systems used by the retailer TJ
Maxx. Some analysts put the total cost of the breach at over $4
billion, and the stolen card data was used to defraud retailers
nationwide. Walmart lost almost $8 million to fraudulent gift cards.
Ultimately 11 people were indicted, including three U.S. citizens, two
individuals from China, one from Belarus, one from the Ukraine, and one
from Estonia.
This is what cyber-attacks are about: it's a world-wide
challenge to law enforcement, and it can affect any American.
    Improving the security of cyberspace is of the utmost importance
and it will take the collective effort of the Federal Government, the
private sector, our scientists and engineers, and every American to be
able to accomplish this.
    In order to realize the full benefits of information technology we
need advances in cyber security R&D. Cyber threats are constantly
evolving and cyber security R&D must evolve in concert through a
combination of near-term fixes and long-term projects that build a more
secure foundation.
    People are perhaps the most important part of our IT
infrastructure, and according to experts, they are also the `weakest
link' in many systems. Better cyber security education for both the
general public and for current and future IT professionals is vital.
However, there's still a lot we don't understand about how humans
interact with technology; therefore, more research into the social and
behavioral sciences has the potential to significantly improve the
security of our IT systems.
    Today, we will hear from witnesses who are actively engaged in
efforts to improve the security of our digital infrastructure. I look
forward to the witnesses providing valuable insight into the challenges
we face in tackling this complex issue and the role of cyber security
R&D and education in any comprehensive solution.
    The Science and Technology Committee has a key role to play in
improving cyber security, and to that end, we are holding a series of
hearings to examine various aspects of this issue. After we focus today
on R&D and education, next week our subcommittee will hold a joint
hearing with the Technology and Innovation Subcommittee to hear how
federal agencies are responding to the Administration's 60-day
cyberspace policy review.
And later this month, the Technology and
Innovation Subcommittee will hold a hearing to assess the efforts of
DHS and NIST.
    There is no doubt that our use of the Internet and other
communication networks is continuing to grow and evolve, and that
threats from individual hackers, criminal syndicates, and even other
governments are growing and evolving too. I am glad that the President
is taking an active role, and there is no doubt in my mind that
Administration leadership will help better define and prioritize
cyber-threats, coordinate the federal response, and develop effective
partnerships with the private sector. As Chairman of this subcommittee,
I look forward to working with my colleagues and the Administration to
ensure the development of a strong cyber security strategy.
    I want to thank all of our witnesses for taking the time to appear
before the Subcommittee this morning and I look forward to your
testimony.

    Mr. Ehlers. Thank you, Mr. Chairman. Almost a decade ago, I
was serving as a rapporteur for the NATO Parliamentary Assembly
Committee on Science and was charged with the responsibility
for writing a position paper on cyber security, and that was a
real eye-opener to me. I had never investigated and obviously
had to do a great deal of work to prepare the paper. We were of
course dealing with more than just the commercial cyber
security concerns, which are largely the concern today. We were
dealing not only with people trying to find out what was on the
federal cybernet but also how people could do damage to our
entire cyber superstructure in the United States through
various nefarious schemes. That was a real eye opener to me and
today continues my education on this program.
    Cyber security is of great concern to both the Federal
Government and private industry, and that is quite a change
from a decade ago when it was considered entirely the concern
of the Federal Government.
But this is an especially timely
hearing since a little over a month ago the House passed a
measure reauthorizing the Networking and Information Technology
Research and Development Act of 2009, better known as NITRD. As
you know, the NITRD program is responsible for the coordination
of all the unclassified federal research and development
efforts in federal security. However, cyber security efforts
are only a small part of the overall NITRD mission, and I am
glad that this hearing will focus special attention on this
subject.
    As we become more dependent on virtual information and
services, security becomes more and more challenging to
maintain. Fostering trust between the public and private sector
will allow for the type of research partnerships necessary to
keep our information secure and exchanging information between
stakeholders is critical. I am also particularly interested in
learning how we are supporting the education and training of
students in this rapidly changing field and whether the current
mechanisms are adequate to ensure our national cyber security
interests.
    I look forward to learning from our witnesses today about
their experiences in cyber security research, development and
education and how we can strengthen our federal efforts in this
area. I certainly thank you for your attendance and I am hoping
to learn much more than I learned a decade ago when I first got
involved in this field.
    Thank you much for being here and I look forward to your
testimony. I yield back.
    [The prepared statement of Mr. Ehlers follows:]
         Prepared Statement of Representative Vernon J. Ehlers
    Cyber security is of great concern to both the Federal Government
and private industry. This is a timely hearing, since a little over a
month ago the House passed the measure reauthorizing the Networking and
Information Technology Research and Development Act of 2009 (NITRD).
As
you know, the NITRD program is responsible for the coordination of all
the unclassified federal research and development efforts in cyber
security. However, cyber security efforts are only a small part of the
overall NITRD mission and I am glad that this hearing will focus
special attention on this subject.
    As we become more dependent on virtual information and services,
security becomes more and more challenging to maintain. Fostering trust
between the public and private sector will allow for the type of
research partnerships necessary to keep our information secure, and
exchanging information between stakeholders is critical. I am also
particularly interested in learning how we are supporting the education
and training of students in this rapidly changing field, and whether
the current mechanisms are adequate to ensure our national cyber
security interests.
    I look forward to learning from our witnesses today about their
experiences in cyber security research, development and education, and
how we can strengthen our federal efforts in this area. Thank you for
your attendance.

    Chairman Lipinski. Thank you, Dr. Ehlers, and I always
learn a great deal from you. It is always great to have you
here. You always have better stories to tell.
    Mr. Ehlers. Just remember they are stories.
    Chairman Lipinski. If there are Members who wish to submit
opening statements, your statements will be added to the record
at this point.
    [The prepared statement of Ms. Johnson follows:]
       Prepared Statement of Representative Eddie Bernice Johnson
    Good morning, Mr. Chairman and Ranking Member.
    Cyber security is an area that is worthy of federally-funded
research.
    I appreciate you holding today's hearing.
Members will be
interested to know the status of research in this area as well as the
areas where there are knowledge gaps.
    Consider the amount of communication and business that is done
using computers and the Internet.
    E-mail, music, social networking, shopping, and banking: all of
these activities are conducted online.
    Air traffic control is done using computers. Software manages
electronic patient records. Imagine the chaos that would occur if part
of that information was altered or otherwise compromised.
    Our daily lives are so different from even twenty years ago.
Internet security attacks can happen on a large scale and with serious
consequences.
    For example, in 2007, a U.S. retailer was victimized by a cyber
attack. As a result, 45 million credit and debit card holders were
compromised.
    This past February, the Obama Administration called for a 60-day
review of the national cyber security strategy.
    The review will require the development of a framework to ensure
that the Comprehensive National Cybersecurity Initiative is adequately
funded and coordinated.
    The review has since been released, and some of the action items in
it fall under the purview of the Science Committee.
    Cyber security research is funded through several federal agencies,
including the Defense Advanced Research Projects Agency (DARPA) and
National Science Foundation.
    This subcommittee will be interested to know whether the current
range of federally-funded research is sufficient to understand and
prepare for cyber security threats.
    Members will also be interested to know whether there exists a
strong pipeline of educated people to study cyber security.
    If not, the Committee will want to know what federal programs are
best suited to cultivate a next generation of cyber security analysts
and researchers.
    I would like to welcome today's witnesses.
    The Committee values the depth of
expertise represented on this
panel and looks forward to your testimony.

    Chairman Lipinski. At this time I would like to introduce
our witnesses. First, Dr. Seymour Goodman is a Professor of
International Affairs and Computing and Co-Director of the
Georgia Tech Information Security Center at the Georgia
Institute of Technology. Ms. Liesyl Franz is the Vice President
of Information Security and Global Public Policy at
TechAmerica. Dr. Anita D'Amico is the Director of the Secure
Decisions Division at Applied Visions Inc. Dr. Fred Schneider
is the Samuel B. Eckert Professor of Computer Science in the
Department of Computer Science at Cornell University. And
finally, Mr. Timothy Brown is the Vice President and Chief
Architect for Security Management at CA Incorporated. As our
witnesses should know, you will each have five minutes for your
spoken testimony and your written testimony will be included in
the record for the hearing. When you have all completed your
spoken testimony, we will begin with questions and each Member
will have five minutes to question the panel, and right now it
is about 10:15. We are expecting votes at about 11:15, so we
would appreciate if the panelists could stick to that
five-minute timeframe and we will have a good amount of time then
for questions.
    So we will start here with Dr. Goodman. Dr. Goodman.

STATEMENT OF DR. SEYMOUR E. GOODMAN, PROFESSOR OF INTERNATIONAL
 AFFAIRS AND COMPUTING; CO-DIRECTOR, GEORGIA TECH INFORMATION
        SECURITY CENTER, GEORGIA INSTITUTE OF TECHNOLOGY

    Dr. Goodman. Thank you, Mr. Chairman, Ranking Member
Ehlers, distinguished Members and staff of the Subcommittee.
In
addition to my academic positions at Georgia Tech, I also serve
or have recently served as Chair of the National Research
Council Committee that authored ``Towards a Safer and More
Secure Cyberspace,'' and as Vice Chair of the Institute for
Information Infrastructure Protection--a research consortium of
27 universities, national labs and federally funded
non-profits--and as the principal investigator of Georgia Tech's
NSF-funded Scholarship for Service Program.
    A large fraction of the American people, its businesses and
government institutions have become increasingly dependent on
network information technologies. We are at risk because these
infrastructures are riddled with vulnerabilities and cannot be
fully trusted, and there are malicious people greatly enabled
by network connectivity seeking to exploit those
vulnerabilities. Like auto safety or public health, cyber
security should be viewed as a broad societal issue requiring
continued improved responses to dynamically changing
circumstances.
    These responses will require better, larger and more agile
education and research programs and the effective and broad
deployment of the output of those programs in timely ways.
Technical progress will be of extreme critical importance but
not in itself sufficient. Policy, economic and behavioral
issues must also be addressed. In particular, market forces
have failed to provide the Nation with a level of cyber
security adequate for its needs. An authoritative,
interdisciplinary study of how this may be changed would be of
enormous benefit to the Nation.
    I would like to raise two other specific subjects of both
near- and long-term urgency and importance. The first is what I
fear is a coming tsunami of insecurity due to the spread of
cellular telephones and other mobile devices.
The second
concerns educating a professional workforce.
    The ubiquitous spread of cell phones and other small
increasingly powerful computers with wireless connections is
likely to result in unprecedented opportunities for criminals,
stalkers, industrial spies, foreign intelligence agencies and
other unfriendly actors. Cell phone users number over 3.5
billion, already a majority of the world's population and
vastly outnumber traditional Internet users. This is leading to
increased possibilities for information insecurity, not least
because of the huge increase in the number of connected
potential malicious actors and potential victims. Attacks
employed against other computers will be deployed against the
mobile devices, especially as they become primary means of
access to the Internet. There are many additional
vulnerabilities because of battery limitations, the use of
airwaves instead of wires, the ease with which devices and the
information on them may be lost or stolen, particular forms of
denial of service attacks and new target applications such as
digital wallets.
    The vulnerability of mobile devices potentially affects
almost every American citizen and organization. Its
international dimensions are without precedent. Research,
development and deployment efforts to improve security will
necessitate a solution to a large number of interdependent
technical and business problems, and require researchers from
multiple disciplines, and will depend on strong forms of
involvement with the private sector and international
institutions to ensure effective and widespread implementation.
    A safer and more secure cyberspace will also demand many
more professionals in the workforce on the front-lines
defending organizations and infrastructures.
This will require
new faculty and curricula at a wide range of educational
institutions.
    I conclude by drawing your attention to one of the few
efforts to grow this workforce on a national scale, the NSF
Scholarship for Service Program. It provides scholarship
support to U.S. citizens who must start their careers in the
Federal Government. The results of this modestly funded program
on the order of about $10 million per year have been
impressive. Since 2003, 970 mostly Master's-level professionals
from 34 universities across the country have been placed in
agencies. Many of them would not have chosen to study cyber
security or work for the Federal Government without it. The
government has done well in establishing this program. It
should be continued and carefully augmented to have a more
extensive impact.
    Thank you for inviting me to testify. I will be happy to
try to answer any questions that you have.
    [The prepared statement of Dr. Goodman follows:]
                Prepared Statement of Seymour E. Goodman
    Mr. Chairman, Ranking Member Ehlers, and distinguished Members of
the Subcommittee: Thank you for the opportunity to appear before
you today to discuss the subjects of Cyber Security R&D and Education.
    I am Professor of International Affairs and Computing at Georgia
Tech, where I Co-Direct two centers: the Georgia Tech Information
Security Center and the Center for International Strategy, Technology,
and Policy.
I also serve, or have recently served, as chair of the
National Research Council Committee that authored Toward a Safer and
More Secure Cyberspace in 2007; as Vice Chair of the Institute for
Information Infrastructure Protection (I3P), a research consortium of
27 universities, national labs, and federally funded non-profits; and
as the Principal Investigator for Georgia Tech's NSF-funded Scholarship
for Service Program.
    A large fraction of the American people, its businesses, and
government institutions have become increasingly dependent on networked
information technologies. We are at risk because these infrastructures
are riddled with vulnerabilities and cannot be fully trusted, and there
are malicious people who are greatly enabled by network connectivity
seeking to exploit those vulnerabilities. Cyber security must be viewed
as a broad societal issue, in part because vulnerabilities in the
general commercial or home computing environments have profound
consequences for the vulnerability of many prominent or critical
targets. It must also be recognized that cyber protection will be an
ongoing need, requiring continually improved responses to dynamically
changing circumstances.
    These responses will require better and larger education and
research programs, and the effective and broad deployment of the output
of those programs in timely ways. Technical progress will be of
critical importance, but not in itself sufficient. Policy, economic,
and behavioral issues must also be addressed. In particular, as
discussed in the NRC report, market forces have failed to provide the
Nation with a level of cyber security adequate for its needs. An
authoritative interdisciplinary research study on how this may be
changed could be of enormous benefit to the Nation. We must also ensure
that federally supported research has a broad impact on current and
future security challenges.
The 2007 NRC report, and the recently
released NRC report Technology, Policy, Law, and Ethics Regarding U.S.
Acquisition and Use of Cyberattack Capabilities both note that much of
cyber security research is classified, and thus unlikely to have much
impact in improving civilian security.
    I would like to address two particular subjects of both near- and
long-term urgency and importance. The first is what I fear is a coming
tsunami of insecurity due to the spread of cellular telephones and
other mobile devices that contain substantial computing capabilities.
The second addresses difficulties and progress with efforts to build
the capacity to educate a professional workforce that is necessary to
help achieve a safer and more secure cyberspace.
    The ubiquitous spread of cell phones and other small, increasingly
powerful computers with wireless connections is likely to result in
unprecedented opportunities for criminals, hackers, terrorists,
industrial spies, foreign intelligence agencies, and other unfriendly
actors. Cell phone users currently number over 3.5 billion, a majority
of the world's population, and vastly outnumber traditional Internet
users, especially in developing nations. And cell phone use is growing
faster than Internet use. In the next five to ten years, most of the
people on the planet will likely be using powerful mobile devices for
more personal and professional functions. And these devices may
supplant desktop and laptop computers as the primary form of access to
a much larger Internet.
    This is leading to increased possibilities for information
insecurity, not least because of the huge increase in the number of
connected potential malicious actors and potential victims. Forms of
attack currently employed against desktops and laptops will be deployed
against mobile devices.
In addition, there are many vulnerabilities
more specific to them, because of battery limitations, the use of
airwaves instead of wires, the ease with which they and the information
on them may be lost or stolen, particular forms of denial of service
attacks, and new and attractive target applications like digital
wallets and pocket ATMs.
    The vulnerability of mobile devices potentially affects almost
every American citizen and organization. Its international dimensions
are without precedent. Any research, development, and deployment effort
to improve security will necessitate solutions to a large number of
interdependent technical and business problems, will require
researchers from multiple disciplines, and will depend on strong forms
of involvement with the private sector and international institutions
to ensure effective and widespread implementation.
    So we have warning of looming security problems in a rapidly
expanding domain. We have lots of experience and mistakes with the
Internet. This time, will we be able to get ahead of the problem and
make the world of mobile cyberspace safer and more secure before the
Tsunami forms, builds momentum, and hits us?
    A safer and more secure cyberspace will also require many more
professionals in the workforce on the front lines defending
organizations and infrastructures. To produce these people, we need to
increase the capacities of a wide spectrum of educational institutions,
adding capable faculty and extensive new curricula, neither of which
can be created overnight.
    I want to draw your attention to one of the few efforts to grow
this workforce on a national scale: the National Science Foundation
Scholarship for Service Program (SFS). This program provides some
support for universities to build their faculty and curriculum to
enable the offering of concentrations in information security and
assurance.
It primarily provides up to two-year scholarship support to
U.S. citizens in the best of these programs who must (although most see
it as an opportunity, rather than an obligation) work in the Federal
Government for at least the same number of years as they were supported
by the scholarship. For embryonic information security programs many
universities find that these students help provide a critical mass for
enrollments for several early years. Graduates help improve the
security of the government's information systems and the agencies that
depend on them, but more broadly these programs, once established,
graduate others who work elsewhere to improve security postures.
    The results of this modestly funded program (recently on the order
of $10 million per year) have been impressive. Since 2003, 970 mostly
MS-level professionals from 34 universities across the country have
been placed in agencies. Many programs at these universities may not
have become viable without the NSF support, and the majority of the
scholarship students would not have chosen to study cyber security and
work for the Federal Government without the visibility and inducements
of the program. Some of these universities have become assets to other
regional educational institutions, including schools for law
enforcement and two-year colleges.
    Most of the curriculum being developed and offered is in the form
of computer science courses. These are necessary, but not sufficient,
to the educational needs. There is a need for multi-disciplinary
courses that introduce important matters relating to management, law,
policy, human behavior, and the international dimensions of cyber
security. Only a small number of universities have serious courses of
this kind. They should be designed with the intention of facilitating
export to many institutions since few have faculty in positions to work
on these aspects at this time.
Perhaps an NSF program might help
address such needs?
    The government has done well in establishing this program, to its
own direct benefit and the country's more generally. It should be
continued and carefully augmented to have a more extensive impact.
Thoughts along those lines might include the range of degrees supported
with the scholarships, and the range of employment options permitted,
for example, teaching at two-year colleges or in parts of the country
with particular needs.
    A major capacity building bottleneck that affects all levels of
educational and research needs is the production of Ph.D.s in this
area. Today, at most levels of tertiary education, a Ph.D. is a
necessary credential for a long-term career. Many who are working these
problems as researchers and educators are recent additions to the
ranks, as newly minted Ph.D.s or converts from other fields. Building
the doctoral ranks takes time and others who can provide close
supervision. However the task is not insurmountable; it will take a
concerted effort that should be pursued with national-level vigor.
    This concludes my statement. I will provide some additional written
material to the Subcommittee's staff.
    Thank you for inviting me to testify. I would be happy to try to
take any questions you have.

                    Biography for Seymour E. Goodman
    Seymour (Sy) E. Goodman is Professor of International Affairs and
Computing at the Sam Nunn School of International Affairs and the
College of Computing, Georgia Institute of Technology. He also serves
as Co-Director of the Center for International Strategy, Technology,
and Policy and Co-Director of the Georgia Tech Information Security
Center.
    Prof. Goodman studies international developments in the information
technologies and related public policy issues.
In this capacity, he has
over 200 publications and served on many academic, government and
industry advisory, study, and editorial committees. He has been the
International Perspectives editor for the Communications of the ACM for
almost 20 years, and has studied computing on all seven continents and
in about 90 countries. He recently served as Chair of the Committee on
Improving Cybersecurity Research in the United States, National
Research Council, Computer Science and Telecommunications Board,
National Academies of Science and Engineering.
    Immediately before coming to Georgia Tech, Prof. Goodman was the
Director of the Consortium for Research in Information Security and
Policy (CRISP), jointly with the Center for International Security and
Cooperation and the School of Engineering, Stanford University. He has
held appointments at the University of Virginia (Applied Mathematics,
Computer Science, Soviet and East European Studies), The University of
Chicago (Economics), Princeton University (The Woodrow Wilson School of
Public and International Affairs, Mathematics), and the University of
Arizona (MIS, Soviet and Russian Studies, Middle Eastern Studies).
    Prof. Goodman was an undergraduate at Columbia University, and
obtained his Ph.D. from the California Institute of Technology where he
worked on problems of applied mathematics and mathematical physics.

    Chairman Lipinski. Thank you, Dr. Goodman.
    The Chair now recognizes Ms. Franz.

 STATEMENT OF MS. LIESYL I. FRANZ, VICE PRESIDENT, INFORMATION
         SECURITY AND GLOBAL PUBLIC POLICY, TECHAMERICA

    Ms. Franz. Chairman Lipinski, Ranking Member Ehlers and
distinguished Members and staff of the Subcommittee, thank you
for the opportunity to testify and to provide the technology
industry's perspective on cyber security research and
development and on the cyber workforce.
I respectfully submit
my written statement for the record.
    As innovators of technologic solutions as well as critical
infrastructure owners and operators, the private sector is a
key stakeholder and partner in improving our cyber security
posture. While there are many things we collectively need to do
on a real-time operational basis, we also need to be working on
longer-term strategic initiatives that will ensure our cyber
security posture and leadership for the future. R&D and
education for a skilled workforce are precisely those areas
that are strategic in nature and require immediate and
sustained attention. I will address both in my testimony today.
    Currently, we expect about two-tenths of the Federal
Government's 2009 budget to go towards cyber security R&D. That
amounts to about $300 million, which in today's highly
networked and highly interdependent environment is deemed by
most to be inadequate. We welcome the Comprehensive National
Cybersecurity Initiative's R&D efforts under the Cyber Leap
Year project to identify the most promising game-changing ideas
to reduce vulnerabilities and we look forward to the results of
that process. We also welcome the R&D focus in President
Obama's Cyberspace Policy Review. We are very pleased with the
report's inclusion of R&D, its acknowledgment of the need for
public-private collaboration and we view this new impetus for a
framework as an opportunity to pursue greater cooperation.
    Companies conduct R&D all the time to develop products and
services needed in the marketplace. On the more strategic side,
many companies also participate in partnership efforts to
assess and mitigate risk to the IT sector including R&D under
the National Infrastructure Protection Plan partnership
framework.
However, there is no institutionalized mechanism for providing input into the federal R&D portfolio development but through increased collaboration we are enhancing the mutual understanding on R&D efforts between industry and government. Increased coordination is crucial to identify gaps and fill them and to avoid unnecessary duplication between the projects that industry might undertake and those that the government might undertake. That is why we recommend a more formal mechanism be put in place for industry's input, and importantly, for public-private collaboration where necessary and feasible--and especially in projects that are national in nature and will reset the paradigm.
    Another interesting concept is a national clearinghouse to serve as an intermediary between government, industry, and other stakeholders on dialogue and collaboration for R&D and related projects.
    I would like to take my remaining time to focus on the cyber security workforce. The adoption of technology has far out-paced our education and training capabilities for developing a pool of skilled IT security professionals, so we are short everywhere. Interestingly, on the way home from work yesterday I was behind a city bus in D.C. and there was an advertisement for a job fair for IT professionals for DISA and JTFGNO, the DOD joint taskforce global network operations. Believe me, that is something I never thought I would see on the back of a bus, but it is one example of active government recruiting efforts in this area.
    Existing federal cyber-related education and service corps programs like the one that Dr. Goodman mentioned are laudable ones but they are not without their own challenges. Recruitment and retention are both difficult. We need to continue efforts to improve our university and existing job programs and develop a relevant government career path to help meet and retain the demand.
In addition, we cannot rely only on a university education to help shore up our personnel resources for the future. We need to adjust our national education curriculum for the K through 12 years to reflect the new environment as well. Kids today are much more computer savvy than we ever dreamt of being so we need to match and magnify that capability for our future.
    In sum, we have much to do but we welcome recent efforts and are optimistic about the opportunity to work together to leverage the momentum and make progress.
    Thank you for the opportunity to appear before you today and express industry's perspective on this important issue, and I will try to answer any questions you may have.
    [The prepared statement of Ms. Franz follows:]
                 Prepared Statement of Liesyl I. Franz
    Chairman Gordon, Chairman Lipinski, Ranking Member Ehlers, and distinguished Members of the Subcommittee, my name is Liesyl Franz, and I am Vice President for Information Security and Global Public Policy at TechAmerica. Thank you for giving us the opportunity to testify today and to provide the technology industry's perspective on Cyber Security Research and Development.
    TechAmerica is a trade association with the strongest advocacy voice for the technology industry in the U.S., formed by the January 2009 merger of four major technology industry associations--the Information Technology Association of America (ITAA), AeA (formerly the American Electronics Association), the Government Electronics and IT Association (GEIA), and the Cyber Security Industry Alliance (CSIA). The new entity brings together over 1,500 member companies in an alliance that spans the grass roots--with operations in nearly every U.S. state--and the global, with relationships with over 70 national IT associations around the globe. The U.S.
technology industry is the driving force behind productivity growth and job creation in the United States and the foundation of the global innovation economy. TechAmerica's members are the very companies--both hardware and software manufacturers--that serve as the foundation of our national digital infrastructure, as well as those that are providing systems integration services, enterprise IT and management solutions, and a wide variety of information security solutions for small, medium, and large companies, consumers, and government agencies.
    I am here today to highlight the critical role of technology, research and development, and science education in helping to secure cyberspace--one we share with our government partners, our customers and users around the world. As critical infrastructure owners and operators, the private sector is a key stakeholder--and partner--in improving our cyber security posture. While there are many things we collectively need to do on a real-time, operational basis, we also need to be working on longer-term, strategic initiatives that will ensure our cyber security posture and leadership for the future. Research and Development and education for a skilled work force are precisely those areas that are strategic in nature and require immediate and sustained attention. I will address both in my testimony today.
    TechAmerica, or formerly ITAA, has been very engaged in cyber security efforts from the beginning. We served as the IT sector coordinator and founder of the IT Sharing and Analysis Center (IT-ISAC) during the Clinton Administration, and we have been a leading industry voice since. We actively advocated for the Cyber Security Research and Development Act of 2002. We played a significant role for industry in the development of the National Strategy to Secure Cyberspace and the Cyber Security Summit that followed in 2003.
We played a leading role in the establishment of the IT Sector Coordinating Council (IT SCC) under the National Infrastructure Protection Plan (NIPP), and I am honored to serve as the current Secretary. We have a long-standing and robust Information Security Committee that works on all manner of cyber security policy issues, and we are happy to provide our input today.

The State of Cyber Security Research and Development Funding

    In 2002, the Congress passed, and President Bush signed into law, the Cyber Security Research and Development Act, which provided for over $900 million over five years in cyber security R&D funding for the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST). That funding was sorely needed at the time and has contributed to the body of knowledge that we have today to address the kinds of threats we face in cyberspace.
    Today, we understand that the Federal Government plans to spend about $143 billion in 2009 on R&D. The Center for Strategic and International Studies' (CSIS) Commission on Cybersecurity for the 44th Presidency noted that of that amount, two-tenths, or about $300 million, would go to cyber security.
``Given the importance of cyber security to all aspects of our national defense and economy coupled with the more sophisticated cyber threats we face,'' the report stated, ``a $300 million R&D investment is inadequate.'' \1\
---------------------------------------------------------------------------
    \1\ Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency, Center for Strategic and International Studies; page 74; http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf
---------------------------------------------------------------------------
    The CSIS Report acknowledges the introduction of the Comprehensive National Cybersecurity Initiative (CNCI) and its recognition of the shortfalls in cyber security related R&D funding, along with its related efforts. The CNCI calls for increased cyber security R&D funding in the future and has embarked on a consultative process under the Networking and Information Technology Research and Development (NITRD) program's Cyber Leap Year project to ``identify the most promising game-changing ideas with the potential to reduce vulnerabilities to cyber exploitations.'' \2\ Currently in its third phase, the NITRD request for information (RFI) process for Cyber Leap Year has canvassed the cyber security community for ideas, is holding workshops to explore the best ideas presented, and will publish its findings on game-changing ideas, technical strategies for needed research, productization and implementation of capabilities, and recommendations for success, including funding.\3\ We look forward to the results of the NITRD process.
---------------------------------------------------------------------------
    \2\ http://www.nitrd.gov/leapyear/
    \3\ 
http://www.nitrd.gov/leapyear/NCLY_RFI-3.pdf
---------------------------------------------------------------------------
    Most recently, President Obama released his Cyberspace Policy Review on May 29, 2009. In addition to his welcome announcement that he would appoint a cyber security coordinator in the White House, the President also committed his Administration to ``invest[ing] in the cutting-edge research and development necessary for the innovation and discovery we need to meet the digital challenges of our time.'' \4\ The cyber review itself recommended that R&D frameworks should be linked to infrastructure development and called on the Federal Government to (1) work with industry to ``develop migration paths and incentives for the rapid adoption of research and technology development, including collaboration between academic and industrial laboratories,'' and (2) ``in collaboration with the private sector and other stakeholders . . . use the infrastructure objectives and the R&D Framework to help define goals for national and international standards bodies.'' In its recommended near-term action plan, the report called for the development of ``a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.'' \5\ We were very pleased with the call for working with industry on these efforts.
---------------------------------------------------------------------------
    \4\ http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/
    \5\ Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications 
Infrastructure, p. 37, The White House; http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
---------------------------------------------------------------------------
    Industry itself has coalesced its efforts around cyber security research and development efforts that seek to affect the greater needs. Of course, individual companies conduct R&D all the time on the products and services they need to drive market solutions and meet the demands of their customers. In fact, the overwhelming bulk of cyber security R&D is provided by private sector entities seeking to develop the most innovative solutions to meet the broad market requirements. While the protection of our national critical infrastructures relies on these efforts, there are gaps in cyber security capabilities for which there is such limited market demand or a lack of market awareness. The Cyber Leap Year project under the CNCI and other efforts demonstrate the Federal Government's understanding that such a gap exists and we need to work together to fill it. Further, federal R&D will result in technology that can improve the Nation's security if that technology is transferred to industry--in accordance with existing federal technology transfer policies--for further development and integration into cyber infrastructures.
    In addition to discrete company R&D projects, the IT industry has been working together on the strategic side of R&D planning in the IT SCC's Research and Development Committee. The R&D Committee is charged with conducting annual reviews of R&D initiatives in the IT Sector and recommending updates to industry priorities based on changes in technology, threats, vulnerabilities, and risk. The sector has come a long way in the last three years informing the process of R&D prioritization through a risk assessment process.
This process identifies the cyber risks in our IT infrastructure and evaluates what protective programs exist to cover those risks. R&D is leveraged to evaluate innovative ways to cover gaps in the protective programs and evolve programs with the risk. This R&D prioritization process is a collaborative one between the IT Sector and our Government counterparts. Additionally, the IT risk assessment, protective programs, and R&D efforts are coordinated across all critical infrastructure and key resource sectors (CI/KR) through the Cross-Sector Cyber Security Working Group (CSCSWG).
    Until recently, this coordination has been limited to the Department of Homeland Security (DHS) as the Sector Specific Agency (SSA) for the IT SCC; however, through joint collaborative success, the IT SCC has started coordinating prioritization with the Interagency Working Group (IWG) on Cyber Security and Information Assurance (CSIA). The purpose of this collaboration is to highlight the role of the private sector in cyber security R&D and reduce duplication of investment in the private and public sectors. The IT SCC R&D Committee has developed a cyber security R&D information sharing framework that highlights those risk areas that receive less private sector emphasis due to the limited market need for the investment. With an overwhelming amount of market R&D investment addressing commercially viable concepts, there are those risks that are of greater interest and need higher prioritization in government. The IT-SCC facilitates this information sharing between the private sector and the CSIA to help agencies better prioritize individual agency R&D spending and project selection, as well as coordinate cross-agency spending on risks that will receive less attention from private sector entities.
As an example, through the IT-SCC R&D Committee work we have learned that there is not much private sector R&D on cyber forensics as it relates to the law enforcement evidence trail. As such, this area of investment appears to be de-prioritized in the private sector and may need to be prioritized by government R&D programs to garner the innovation necessary to align with the need for the ability to analyze cyber incidents. We have also learned that there are cases in which government has undertaken R&D in areas where the private sector is already making a significant investment, so the increased dialogue is important to avoid such duplication.
    There is no institutionalized mechanism for the private sector to provide input into the process by which the federal research portfolio is developed. It is the vision of the IT-SCC R&D Committee to provide a collaborative, partnered environment that allows both government and the private sector to break down existing barriers and promote collaboration in IT Sector security R&D. The goal is to better inform both government and industry about existing and prospective work--and needs--so that resources are allocated and used more efficiently and government can leverage the already existing commercial investment such that it can better target the limited R&D resources. While we believe these efforts are making a difference in the coordination and dialogue between industry and government, we strongly recommend a more formal mechanism be put in place for such input and collaboration. Such a mechanism should include all the elements of the R&D life cycle: identification of current and prospective R&D in the industry; determination of the gaps in the market that need to be filled by government efforts; and, where necessary and feasible, joint industry and government collaboration on R&D projects.
Collaboration should also take place with our global partners in government and industry so that we can leverage, rather than duplicate, efforts.
    As we note, there is discrete R&D occurring in industry and in government, respectively. Presumably these are geared toward new product development or solutions to problems in the existing environment. However, we believe there is now an opportunity for a more strategic public-private partnership in research and development for greater cyber security into the future. We have yet to create a mechanism for true government-industry collaboration on specific projects, particularly those that will re-set the paradigm. That will take some effort to define, fund, and implement, but it will be crucial for addressing longer-term challenges and cyber security measures for the future.
    Another notion that could be explored in order to help achieve greater coordination and collaboration is the creation and funding of a national clearinghouse to serve as an intermediary between government and industry on dialogue and collaboration for R&D and, even, other pertinent projects such as building a reference resource for standards, best practices, and collaboration opportunities. Notionally, such an entity could be created through a partnership between academia, industry and government and be administered by a broad-based national nonprofit organization meeting such appropriate criteria as substantive expertise and a distributed network with operations in most states.

The State of Cyber Security Education

    The exponential growth in the use of information technology for just about every aspect of our society and economy today has yielded remarkable results in innovation, efficiencies, productivity, and new business models for new product services.
However, that growth has far out-paced our education system and training capabilities for developing a pool of skilled information technology--and information security--professionals. So, we are short, both in industry and in government.
    Certainly there have been efforts to incent universities to build robust information security programs, such as the National Centers for Academic Excellence in Information Assurance Education (CAEIAE) sponsored jointly by the National Security Agency (NSA) and DHS.\6\ Currently 93 universities have met the criteria for a national center, and students that graduate from these programs are eligible to apply for scholarships and grants through the Department of Defense Information Assurance Scholarship Program and the Federal Cyber Service Scholarship for Service Program. The Federal Cyber Service Scholarship for Service Program\7\ is a unique program designed to increase and strengthen the cadre of federal information assurance professionals that protect the government's critical information infrastructure. This program provides scholarships that fully fund the typical costs that students pay for books, tuition, and room and board while attending an approved institution of higher learning. Additionally, participants receive stipends of up to $8,000 for undergraduate and $12,000 for graduate students.
The scholarships are funded through grants awarded by the National Science Foundation (NSF), and recipient students must serve at a federal agency in an information assurance position for a period equivalent to the length of the scholarship or one year, whichever is longer.
---------------------------------------------------------------------------
    \6\ http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml
    \7\ https://www.sfs.opm.gov/
---------------------------------------------------------------------------
    These are laudable programs, but they are not without their own challenges. For example, designation as a national center does not guarantee grant funding, and students in the ``cyber corps'' program do not always find relevant, open positions in the government on a timely basis. An additional challenge for government cyber security professionals is that there is not a clear career path that includes training and advancement opportunities for cyberspace specialists in the Federal Government. Inevitably, skilled, trained, cyberspace professionals seek jobs in the private sector. While that is not bad for companies who are constantly looking for skilled cyber security personnel, it reflects an imbalance in the system and still sees shortages for everyone.
    We cannot rely only on university education to help shore up our personnel resources for the future. We need to adjust our national education curriculum for K-12 years to reflect the new environment as well.
Yes, it is science and math, certainly, and we welcome President Obama's new commitment to education in science and math as part of a ``national campaign to promote cyber security awareness and digital literacy from our boardrooms to our classrooms, and to build a digital workforce for the 21st century.'' \8\ Specifically, the President's Cyber Policy Review recommends, as part of its mid-term action plan, expanded support for key education programs (and R&D) and the development of a strategy to expand and train the workforce, including attracting and retaining cyber security expertise in the Federal Government.\9\ We welcome the recommendations, and industry looks forward to working with the government to help meet those objectives.
---------------------------------------------------------------------------
    \8\ http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/
    \9\ Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, p. 38, The White House; http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
---------------------------------------------------------------------------

Conclusion

    In sum, there are some key areas for short- and longer-term work on cyber security R&D and education and training needs.
    We commend the Congress for its early focus on cyber security issues and this subcommittee for convening this panel today as part of your cyber security series. This congressional session provides a significant opportunity to make progress, and we look forward to working with you and your colleagues to develop proposals for meaningful change.
    Thank you for the opportunity to appear before you today and express industry's perspective on this important issue. I would be happy to answer any questions you may have.

                     Biography for Liesyl I. Franz
    Liesyl Franz is Vice President for Information Security and Global Public Policy at TechAmerica, working with industry and government leaders on such issues as cyber security, critical infrastructure protection and Internet Governance. In this role she leads TechAmerica's strategic and tactical efforts on public policy in these areas with the Administration, Congress, and international organizations. In addition, she represents TechAmerica in the Information Technology Sector Coordinating Council (IT SCC) under the National Infrastructure Protection Plan (NIPP), where she currently serves as Secretary.
    Liesyl joined TechAmerica (previously ITAA) from the Department of Homeland Security, where she served as Deputy Director for Outreach and Awareness and Director for International Affairs and Public Policy at the National Cyber Security Division (NCSD). She led programs in the areas of global affairs, public policy, communications and messaging as well as stakeholder outreach, including building international partnerships, coordinating public relations for key events such as the Cyber Storm National Cyber Exercise and conferences, and managing events for National Cyber Security Awareness Month held annually in October.
    Prior to her service at DHS, Liesyl was Director for Global Government Affairs at EDS Corporation working on cyber security, privacy, financial services, and trade issues, and she worked with the Coalition of Service Industries where she managed industry's participation and input into services trade negotiations in the World Trade Organization (WTO).
    Liesyl was recognized in 2005 by the Women's High Tech Coalition with the Women in Cyber Security Award for her contribution to public-private partnerships and international collaboration in cyber security.
She holds a BA in Political Science from the University of Texas at Austin and an MA from the Elliott School of International Affairs at George Washington University.

    Chairman Lipinski. Thank you, Ms. Franz.
    The Chair now recognizes Dr. D'Amico.

  STATEMENT OF DR. ANITA D'AMICO, DIRECTOR, SECURE DECISIONS
                DIVISION, APPLIED VISIONS, INC.

    Dr. D'Amico. Thank you, Mr. Lipinski and Mr. Ehlers and the Subcommittee. I am the Director of Secure Decisions, a division of Applied Visions, which is a small business in New York. We specialize in improving the situational awareness of cyber defenders. We help them understand what is going on in the network, find suspicious activity and figure out what to do about it.
    I would like you to note the name of my division, Secure Decisions. As a psychologist, I wanted the name to reflect the importance of human decisions of security professionals. I have since learned we need to improve the decisions of a lot of people, not just security professionals. We must teach programmers to make secure design decisions that build security into software from the beginning and not just tacked on at the end. Home users need to be educated about the risks of their Internet decisions before they click on the interesting ad. Students need to learn the ethics of using computers for entertainment and online socializing. We need to change the culture to make good security second nature to all of us and not something that we try to avoid.
    But this change in culture is not going to be achieved by a bunch of smart engineers designing new intrusion detection systems. This cultural shift requires the expertise of those who understand how to change minds, that is, the social sciences. So my first take-away to this committee is that cyber security education is not just for security wonks.
We need to broaden the base of those we teach and involve the social sciences in the education of this larger audience.
    My second take-away is that we have to get better at training the people whose job is computer security. New graduates with information security degrees have little opportunity to learn by doing as prior generations had to do. Young soldiers in particular have little time to become proficient before rotating out to their next assignment. How do we improve this? First, we need to formalize the mentorship of the new generation. Before the old guard retires, they need to share their knowledge with the newbies but mentorship is not something that comes naturally to everyone and that is where the social sciences can help.
    Second, we need better ways for security practitioners to share information with their own peers. New collaboration techniques developed with social scientists can make a difference.
    Third, we need to train professionals on realistic yet safe training networks where they can practice their skills without bringing down eBay. This is also needed for researchers to test out their new technologies. And speaking of research, few results of federally funded cyber R&D ever make it into the real-world operations. As a taxpayer, I find this disturbing. Little research funding is directed at technology transition. Once the paper is published, many researchers and government program managers feel their job is done. The rest of the work, making the technology affordable and usable, is abandoned in the hope that someone else will pay for it.
Furthermore, academicians are judged by their publication history but few scientific journals consider technology transition worthy of their attention.
    And finally, computer scientists are often just not into the softer side of security, that is, how people use the technology, yet studying how people use cyber security technology is exactly what is needed to improve technology transition. We need to study the usability of systems and to test them in operational environments where real people get to try them out. So my third take-away to the Committee is that the government should fund projects through the technology transition phase and should use transition to evaluate both researchers and the government program managers.
    My last message is about how little input the private sector has in the federal research portfolio. With the exception of a few ISACs, the private sector has no voice. Furthermore, the private sector cannot easily tap into the results of the federally funded research. I believe the government should require researchers to publish their results in the trade magazines and the online forums where security professionals communicate, not just in the scientific journals.
    In closing, please keep in mind what information security experts often say: Cyber security is about people, processes and technology. As educators and researchers, we must look at all three of these things, not just technology. I am one of the few psychologists actively engaged in cyber security R&D. I am surrounded by computer scientists and engineers, but I hope with this committee's support that in the future my position as a psychologist in cyber security will just be a bit less lonely. Thank you.
    [The prepared statement of Dr. D'Amico follows:]
                  Prepared Statement of Anita D'Amico

Introduction

    Thank you Chairman Lipinski, Ranking Member Ehlers, and Members of the Subcommittee for the opportunity to testify on this important topic.
    I am the Director of the Secure Decisions division of Applied Visions, Inc. I was educated as an experimental psychologist; applied my skills as a human-factors psychologist in maritime ship operations, manned spacecraft and surveillance aircraft; and for more than 15 years have been involved in various aspects of cyber R&D. For the past nine years I have been directing the Secure Decisions division of AVI to enhance the situational awareness of those defending our critical computing infrastructure.
    As a small business engaged in custom software development, Applied Visions recognized over a decade ago the frailty of our country's IT infrastructure and the importance to our country of instilling and monitoring good cyber security practices. AVI invested in a new division dedicated to improving the situational awareness of those responsible for defending our critical IT infrastructure. In under ten years the Secure Decisions division has become, even as a small business, a leader in cyber situational awareness R&D.
    We perform R&D sponsored by the Department of Defense, the Intelligence Community, and the Department of Homeland Security. And from my perspective one of our most valuable contributions is when we transfer that R&D into usable products for use in both DOD and in industry. We publish research results--those that we are permitted to disseminate--in peer-reviewed journals. We partner with large companies like Raytheon and ITT, universities including Johns Hopkins and George Mason, and other small businesses.
    We owe our continued growth in cyber security research in part to the U.S. Government's Small Business Innovation Research (SBIR) program.
Our company is a testimony to the valuable role that SBIRs \nplay in transforming cyber security research into operationally usable \nsoftware systems and products. Unlike many federally-funded R&D \nprograms that have little accountability for the ultimate operational \nutility of their research, the SBIR structure holds us accountable \nfor--and rewards--the transition from early stage innovative concepts \nto prototype development and technology transition planning, all within \na typical SBIR lifespan of three years.\n\nThe Human Element in Cyber Security\n\n    We named our division ``Secure Decisions'' to recognize the \nimportance of human decisions in cyber security. As a psychologist \nworking in a field predominated by computer scientists, I chose a name \nthat reflected our goal to enhance the situational awareness and \ndecision-making of cyber security practitioners. Of course, security \npractitioners are not the only individuals whose decisions make our \ncritical computing infrastructure more or less secure. Many others, \nincluding home-users of computers, policy-makers, cyber lawyers, \nsoftware developers, and educators, make us all more or less secure \nthrough their individual actions.\n    The current emphasis in cyber security R&D has been technological: \ncreating or improving tools to enforce security. While this is indeed \nnecessary, there is a significant human element to the problem that \ncannot be ignored. As researchers and educators, we must address all \nthe many different roles that we humans play in cyber security, beyond \njust the security practitioner who administers firewalls, tunes \nintrusion detection systems, and monitors networks. We must also \neducate the software developer, lawyer, policy-maker, and all of us \nusers who are unwitting accomplices of the attacker. 
The \nrecommendations in the Cyberspace Policy Review just issued by the \nWhite House\\1\\ recognize this.\n---------------------------------------------------------------------------\n    \\1\\ Cyberspace Policy Review (2009); http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf\n---------------------------------------------------------------------------\n    Let's look at the software developer as one example of the need for \nenhanced security education. From the very start of the software life \ncycle--creating the software itself--software developers are \ninadequately schooled in how to program securely; security is often \nadded on afterwards. Rewards are given for speed to market, not for \ncreating secure software. For example, just two programming errors \nresulted in more than 1.5 million web site security breaches during \n2008.\\2\\ And all too often, the developer's initial response to the \ndiscovery of a vulnerability is something akin to ``gee, we never \nthought a user would do that with it.'' We must change the way that \nprogrammers go about understanding the needs and behaviors of us as \nusers, and in creating the software that we use.\n---------------------------------------------------------------------------\n    \\2\\ SANS Security Leadership Essentials for Managers: Experts \nAnnounce Agreement on the 25 Most Dangerous Programming Errors--And How \nto Fix Them, January 12, 2009; http://www.sans.org/top25errors/?utm_source=web&utm_medium=text-ad&utm_content=Announcement_Bar_20090111&utm_campaign=Top25&ref=37029\n---------------------------------------------------------------------------\n    Technical solutions must be easily deployable and usable. 
Gaining a \ndeeper understanding of how people use technology by bringing together \ncomputer science and the behavioral sciences can make our technological \nbreakthroughs actually useful and relevant to society.\n    We then must educate the cyber policy-makers and legal \nprofessionals in the fundamentals of confidentiality, integrity, and \navailability of information systems so that they understand the context \nin which they regulate and prosecute. The law generally has lagged far \nbehind technology; we need technology-savvy courts to keep pace with \nthe changing landscape. Few lawyers are sufficiently schooled in \ntechnology and security issues to be able to understand the problem \nwell enough to decide whether or not proposed solutions to the problem \nare legal--and as a result, the usual answer is ``no.''\n    And finally, we must educate the rest of us--the teeming masses who \nactually use the software and cyber infrastructure of the Nation--in \nhow to better understand the risks associated with that use, and how to \nmake better decisions.\n    The cornerstone to this good security decision-making is our \nunderstanding of risk. Like most of life, security is about making \ndecisions and choosing between options--making trade-offs between \nsecurity and convenience, risk and comfort, safety and freedom. \nOverall, we're not bad at making security trade-offs.\\3\\ The problem we \nhave right now is that our understanding of risk, our basis for making \nthese choices about security, is still based primarily on our physical \nenvironment and life as it has been for thousands of years. Our ability \nto understand, evaluate, and react to risks has not yet acclimated to \nour current environment, meaning the realities of the 21st century and \ncyberspace. 
Our perceived risk and the actual risk do not match, and we \noften make the wrong decisions as a result.\n---------------------------------------------------------------------------\n    \\3\\ Schneier, Bruce. (2008) The Psychology of Security. http://\nwww.schneier.com/essay-155.html, Published Online.\n---------------------------------------------------------------------------\n    Therefore, part of raising the awareness of our citizens is to \neducate them in the actual, rather than the perceived, risks of \ntraveling through cyberspace.\n\nThe State of Cyber Education\n\n    The current approach to cyber education falls far short of \nadequately preparing this universe of developers, practitioners, and \nusers for life in the cyber world. Current education is focused on \ntraining security practitioners and educating computer scientists, but \nlittle is being done for all of the other roles: security practitioner, \nhome user, business owner, software and hardware designer/developer, \npolicy-makers, legal professionals, and even young students using the \nInternet.\n\nEmphasis on Technology and Not People\n\n    Information security is often said to be about ``people, process, \nand technology.'' Technological change can almost be taken for granted, \ngiven the natural inclination of engineers and technologists to \nconstantly improve things. Instead, changing how people think and the \nprocess by which we go about doing things should be our primary \nconcern. 
We should be developing a new breed of multi-disciplinary \ncyber security experts educated in the areas of people, such as \npsychology and organizational behavior, and processes, such as \nmanagement, business process, and the law.\n    There has indeed been an increase in the number of academic \ninstitutions offering undergraduate and graduate degrees related to \ncyber and information security, but the majority of these programs are \nstill technology-focused: computer science, computer engineering, \nelectrical engineering, and so forth. This is not enough. Technology \ncan shore up our defenses, but an emphasis on the social sciences can \nchange the way we look at things: how we as a society view the risks \nand trade-offs in the digital world, and how we make those day-to-day \ndecisions that have such a significant impact on the safety of our \ntravels in cyberspace.\n    Unfortunately, there are not many examples of the collaboration \nbetween the social sciences and the computer sciences required to \nachieve this shift in education. Conferences like the Workshop on the \nEconomics of Information Security and the 2008 Workshop on Security and \nHuman Behaviour are initiating a dialogue between technologists and \nsocial scientists, and we are beginning to see encouraging signs of \nthis collaboration at the educational level. In addition, a workshop \nnext month at the National Academy of Sciences, Usability, Security, \nand Privacy of Information Systems, is focused on identifying new \nresearch areas in ``usable security'' and will influence the research \nagendas of both NSF and NIST, which are sponsoring the workshop.\n    Visionary leadership is needed to achieve these changes in \neducational philosophy. As long as technology is viewed as the end-all \nof cyber security research and education, the focus will remain on \nproblems in that area. 
And even if technology development remains the \nfocus of our cyber security research and education, we have several \nmajor hurdles to overcome. One hurdle is the shortage of U.S. citizens \nwho are acquiring the requisite math and science skills needed to teach \nand conduct hard research in cyber security.\\4\\ This leaves many of the \nhard technology questions unanswered by our own citizens. Another \nhurdle--and this one I feel very strongly about--is the limited \ntransfer of research findings into real-world use. Advanced education \nprograms (such as for a Ph.D. in Computer Science or Information \nSystems) emphasize publication rather than transfer of findings into \nreal practice. The system of grants that fund the work of students and \ntheir professors places more value on prior publications than practical \nresults. We need to transition the research into the everyday world of \nInformation Technology.\n---------------------------------------------------------------------------\n    \\4\\ Zweben, Stuart. Computing Degree and Enrollment Trends, from \nthe 2007-2008 CRA Taulbee Survey, 2008, at 4, www.cra.org/taulbee/\nCRATaulbeeReport-StudentEnrollment-07-08.pdf\n---------------------------------------------------------------------------\n    There are encouraging examples of such visionary leadership in \ninterdisciplinary security. New York University, for example, recently \nmerged with Brooklyn Polytechnic University, and quickly set out to \nbuild bridges between their engineering and social science communities. \nThey now have a program combining Economics with Computer Science. \nGeorgia Tech Information Security Center (GTISC) also recognizes the \nimportance of interdisciplinary studies, and has launched a cooperative \neffort between their College of Computing and the Sam Nunn School of \nInternational Affairs. 
Despite these forward-thinking programs, there \nare few if any educational opportunities in cyber security that combine \npsychology, anthropology, or sociology with computer science.\n\nEducational Challenges in the Military\n\n    The military is also wrestling with this problem, although from a \ndifferent perspective: they see the need for cross-disciplinary \neducation to incorporate the social sciences into cyber operations in \norder to better understand the impact of cyber operations on both \nfriend and foe--a form of ``battle damage assessment'' for cyber \nwarfare. This interdisciplinary approach needs to become the norm \nrather than the exception: cross-disciplinary education needs to be not \nonly encouraged, but required.\n    The DOD faces other educational challenges that are somewhat unique \nto their organizational model. In fact, there are two characteristics \nof the DOD model that work together to make things quite difficult: \nincoming technical staff are more often chosen by aptitude than by \nexperience, so that training must start at the most rudimentary level. \nAnd, the military tends to rotate people through posts on a regular \nbasis, so that once they achieve some level of competency in cyber \nsecurity they are likely to be transferred to some other discipline. \nThis is further exacerbated by the fact that technical positions--such \nas Computer Network Defense--are not known to be a path to advancement \n(as opposed to traditional combat roles), and hence suffer high \nturnover.\n    Conti and Surdu\\5\\ cite these challenges, among others, in their \nrationale for creating a fourth branch of the service--a peer to Army, \nAir Force, and Navy--to take on Cyberspace. This has cultural \nsignificance. 
They propose that top-notch cyber talent will clamor to \njoin a service where cyber excellence is viewed as a path to \nadvancement, and where just being a member of that service is a point \nof pride (as the Marines have achieved with their image as ``The Few, \nThe Proud . . .''). They observe that many young technically-talented \nindividuals make critical decisions in their formative years that \ninfluence the direction of their lives. Perhaps the most important \ndecision made by these rising cyber stars is whether or not to engage \nin illegal activity, like hacking. Creating an elite cyber \norganization, complete with positive role models, will give these \npeople a chance to make the right choices in their lives.\n---------------------------------------------------------------------------\n    \\5\\ Conti, Lt. Col. Gregory and Surdu, Col. John ``Buck.'' ``Army, \nNavy, Air Force, and Cyber--Is it Time for a Cyberwarfare Branch of the \nMilitary?'' IA Newsletter, Vol. 12 No. 1, Spring 2009, http://\niac.dtic.mil/iatac\n\nEducating the Practitioners\n\n    Security practitioners have traditionally been trained rather than \neducated: the emphasis has been on the practical application of tools \nand techniques to defend the network, rather than on gaining \nunderstanding of the principles and behaviors that inform cyber \nsecurity. The ``old guard'' practitioners learned about computer \nsecurity after their formal education was completed, through a form of \non-the-job-training as they ``wrote the book'' on security best \npractices in the early years. Current practitioners may have had some \nformal education or training, perhaps a degree in computer science or a \nfew courses that led them to obtain some certification, but most of \ntheir real learning still happens on-the-job. 
What neither group \nrealizes is that much of that on-the-job training--which they view as \n``learning the ropes'' with tools and techniques for security--is in \nfact teaching them about the behavioral and social characteristics of \ntheir adversaries. The newest, upcoming generation is indeed getting \nmore formalized education--for example, an MS in Information Security \nis now an option at many universities--but they lack the context for \nthat education. Without real-world experience, and without including \nbehavioral and social sciences in their education, they too will not \ngain a real understanding of the problems or of their adversaries until \nthey have been on the job for a while.\n    A few years ago we had an opportunity to conduct a formal Cognitive \nTask Analysis of nearly eighty information assurance analysts in the \nDOD and the Intelligence Community.\\6\\,\\7\\ We learned from \nthat analysis that mentorship of network defenders is very important. \nRapidly transferring corporate knowledge typically acquired through \nyears of experience from old guard to new guard will be particularly \nimportant in the coming years as the first generation of network \ndefenders retires. One area ripe for research is how to improve this \nmentorship to maximize the value of learning from the more-experienced \nto the less-experienced practitioner. Social science work on learning, \nmentorship, and collaboration can serve this need.\n---------------------------------------------------------------------------\n    \\6\\ D'Amico, A. & Whitley, K. (2005). Achieving cyber situational \nawareness: A cognitive task analysis of information assurance analysts. \nIn Proceedings of the Human Factors and Ergonomics Society 49th Annual \nMeeting, Orlando, FL, pp. 229-233.\n    \\7\\ D'Amico, A. & Whitley, K. (2007). The real work of computer \nnetwork defense analysts: The analysis roles and processes that \ntransform network data into situation awareness. 
In Proceedings of the \nWorkshop on Visualization for Computer Security, Springer-Verlag Berlin \nHeidelberg, pp. 19-37.\n---------------------------------------------------------------------------\n    We also learned that the personality characteristics of entry-level \nnetwork defenders are perceived by experts as equally or more important \nthan their technical education. Such characteristics as curiosity, \nperseverance, assertive questioning, and good communication skills were \nconsidered strong markers of future success of an entry level defender. \nHow do we select for and train these characteristics in our future \ncyber workforce to ensure that our defenses are as strong as possible? \nThis is answered by the social sciences as much as by the technical \ndisciplines.\n\nEducating the Developers\n\n    The emphasis on ``securing the perimeter'' of networks is a side-\neffect of a more fundamental issue: security is all too often an \nafterthought. We build flawed software and then expend countless \nresources trying to patch the cracks and shore up the defenses. And \nwhen we do build flawed software products, the pressure to bring these \nproducts to market causes many to be released before adequate security \ntesting has taken place. All of this raises questions about current \nsoftware engineering pedagogy.\n    We need to teach secure coding practices--and, more importantly, we \nneed to convey a fundamental understanding of the importance of \nsecurity--from the very start, in high school computer science classes. 
\nMost of our computer science programs in higher education teach \nstudents the fundamentals of developing software and systems, and \nculminate with students building some hardware or software object, but \nlittle attention is generally given to the design and implementation of \nsecurity within these objects.\n    Systems sometimes fail because the engineers considered a very \nnarrow range of threats; again, the issue is a lack of understanding of \nthe actual risks in the modern world. Information security needs to be \nan integral part of the core curriculum of computer science for both \nprogrammers and engineers. We must teach software developers and \nsystems engineers how to go beyond just functional requirements in the \ndesign phase. They need to understand and anticipate all of the ways \nthat experts and non-experts may use their systems. Usability and \nsecurity testing needs to be performed side-by-side with functional and \nperformance testing during development; students need this as part of \ntheir basic education.\n\nEducating the Users\n\n    The most difficult audience to get a handle on, but one that \ndesperately needs more education, is ``the rest of us''--all of us who \nuse these technologies, who suffer the consequences of failed security, \nand who all-too-often serve as unwitting accomplices to an attack.\n\nWe Need Realistic Test Data\n\n    Another challenge relevant to the whole educational and research \nspectrum is the need for more realistic testing and evaluation of cyber \ntechnologies and processes. In most disciplines some form of real-world \nexperimentation eventually becomes practical and necessary; for \nexample, psychologists can evaluate human subjects and compare the \nresults against control groups. In the cyber world this is \nexceptionally difficult: one cannot perform security experiments on an \noperational network (let alone on the Internet), yet ``simulating'' \nsuch an environment is a huge challenge. 
Many researchers have built \nsmall-scale simulated networks in the lab, but the human element--real \npeople using the network for real tasks--is completely missing and \nquite difficult to simulate. Realistic training and test data that can \nscale to the size of large networks is needed to add operational \nrealism to training and research, and to increase the applicability to \nreal world conditions and the potential transfer to implementation. \nWith this sort of realistic simulation and test data we can properly \nprepare practitioners and developers to operate in the cyber world; \nwithout it, they have no other choice but to ``learn by doing'' in the \n``real world,'' with risks and inefficiencies that implies.\n\nThe Contribution of Social Sciences to Computer Security\n\n    The social and behavioral sciences can play a valuable role in \nstudying and changing the various cultures--software developers, \ncollege students, and especially home computer users--so that \nindividuals and societies engage in secure practices almost without \never thinking about them.\n    We need to understand why our perception of security risk does not \nmatch reality. Risk perception is critical to helping us understand how \nto motivate secure behavior, make better decisions, and create policies \nthat discourage destructive or invasive behavior through real \nconsequences.\n    We need to apply what we know about cultural influence to creating \ncultures that are supportive of secure and private computing.\n\nCollaborative Techniques\n\n    Human collaboration is an important means for analyzing information \nabout potential attacks. There are numerous instances where one \ngovernment agency or commercial organization was aware of a serious \nattack but did not have the authority, means or motivation to share \nthat information.\n    One group working to bridge this gap at the organizational level is \nthe Information Sharing and Analysis Centers (ISAC) Council. 
There are \nseveral individual member councils that focus on various areas of \ncritical infrastructures, such as Communications and Information \nTechnology, but this group and its members represent the exception, not \nthe norm, and information-sharing is particularly problematic within \nthe government.\n    But we also must foster collaboration at the individual level, and \nthis is where the social sciences can help bring about positive change. \nIndividual network defenders and law-enforcement agents struggle every \nday to find attackers. Often, several individuals are working at the \nsame time in pursuit of the same perpetrator, but they have no idea of \neach other's existence or of their common goal. And worst of all, they \ndon't know that each of them holds a different piece of the puzzle that \ncarries the answer. If they had an effective means of communication, \nwhether through online collaboration or shared visualizations, and if \nthey have the understanding that they do not have to--and should not--\nsolve this problem alone, they would be able to work together more \neffectively. It is at that individual collaboration level that \npsychology and sociology can play a significant role.\n    So in addition to all of the effort that is currently being applied \nto getting organizations to collaborate more effectively (as described \nin the President's Cyberspace Policy Review), we must also work just as \nhard to improve the ability of individuals to collaborate effectively \nwithin and across organizational boundaries. Assuming that policies \nallow for information sharing, we need to have media in place for \ncollaboration and shared situational awareness.\n\nUsability to Enhance Security\n\n    There is a never-ending tug-of-war between security and usability. \nThe more protections that are built into our systems, the harder they \nare to use. 
Apple famously lampooned Microsoft's attempts at improving \nthe security of Windows Vista by asking users to ``cancel or allow'' a \nwide range of what users perceive as ``normal'' activities. And human \nnature being what it is, users do their utmost to find ways of \ncircumventing these controls so they can get on with their work, \nincluding developing a knee-jerk response to ``allow'' everything that \ncomes along.\n    A lot of attention is being paid to usability of computing systems \nin general--making applications or web-sites more ``user friendly,'' \nfor example--yet the concept is often ignored when security controls \nare designed in. Think of the most basic problem of remembering \npasswords. More stringent passwords, requiring nonsensical strings of \nnumbers, letters and special characters, are at odds with people's \ninnate ability to remember short, meaningful sequences of information. \nAs a result, people simply write them down on post-it notes and stick \nthem to their monitors for all to see. There are some encouraging \nsparks of innovation in this area: for example, graphical passcodes\\8\\ \nfor user authentication. These new types of password, which use \npictorial elements, take advantage of people's visual memory recall and \nare remembered better than meaningless strings of alphanumerics.\\9\\ \nThis sort of forward-thinking research needs to be applied across the \nentire security problem.\n---------------------------------------------------------------------------\n    \\8\\ http://www.passfaces.com\n    \\9\\ Johnson, K. & Werner, S. (2008) Graphical user authentication: \nA comparative evaluation of composite scene authentication vs. three \ncompeting graphical passcode systems. In Proceedings of the 52nd Annual \nMeeting of the Human Factors and Ergonomics Society. 
New York, NY.\n\nNeed for Research on How People Value Information\n\n    The crux of information security is securing information that has \nbeen designated as valuable. Nevertheless, we have little understanding \nof what makes information valuable to people. Security practitioners \ntend to ``guard the perimeter,'' treating everything within the \nboundaries as if it is of equal value. Yet all information assets \nbehind a firewall are not equal. Some workstations or servers are more \nvaluable than others--perhaps because of the role of its user, the \ncontent of its storage device, or the service it provides to the \nenterprise. People want to protect the most valuable information; yet \nthere are no metrics or even basic insights into how the value of \ninformation is determined.\\10\\\n---------------------------------------------------------------------------\n    \\10\\ Stevens, J. (2005) Information Asset Profiling. Pittsburgh, \nPA, Carnegie Mellon University.\n---------------------------------------------------------------------------\n    If we knew how to measure the value of information, we would be \nable to apply security measures that follow the high-value information, \neven as it moves through a network. Just as the President's bodyguards \nfollow him as he moves, so too should security be able to move along \nwith important information. If U.S. network defenders can provide \ngreater protection to the most valued assets, adversaries may be \ndeterred by the extra time and resources required to break into well-\nprotected cyber assets. 
Of course, this requires the defender to know \nwhich information systems contain high-value information--something \nthat is difficult without methods to value information and the means to \nlocate where the high-value information currently resides in a dynamic \nnetwork configuration.\n    If we better understood how people placed value on information, we \nwould be able to use that valuation to motivate individuals to comply \nwith security practices and change the culture of security. We could \nalso use that understanding of information value to support the \ncalculation of the Return on Investment of security. The ability to \nrecognize and quantify the value of information resident on a network \nwill help security practitioners better secure and protect information \nand network assets, allow cyber defenders to prioritize their defensive \nactions by focusing on the most critical network assets, and allow \nbusiness owners to immediately assess the impact of an attack on those \nassets.\n    Understanding the relative value of information underlies all of \nthese decisions. But there is no current methodology used in the DOD \nfor assigning an actual value to information. Current \nwork\\11\\,\\12\\ on cyber information valuation within DOD has \nadvanced the theoretical discussion but remains only conceptual. \nMetrics are not usable unless they have been validated against real-\nworld observations.\n---------------------------------------------------------------------------\n    \\11\\ Grimaila, M.R. and L.W. Fortson. (2007) Towards an Information \nAsset-Based Defensive Cyber Damage Assessment Process, Computational \nIntelligence in Security and Defense Applications.\n    \\12\\ Hellesen, D. 
(2008) An Analysis of Information Asset Valuation \n(IAV) Quantification Methodology for Application with Cyber Information \nMission Impact Assessment (CIMIA), Master's thesis, AFIT.\n---------------------------------------------------------------------------\n    Research is needed to better understand how people place value on \ninformation, to identify the most promising metrics for valuing \ninformation, to apply those metrics to information observed in a real-\nworld environment, and to determine whether or not the conceptual \nmetrics are verifiable in real data.\n\nThe Private Sector's Role in the Cyber Security Research Agenda\n\n    Security practitioners in the private sector are on the front line \nof cyber defense. These individuals write the security policies, deploy \nthe technologies, and attempt to compute ROI for security expenditures. \nThey have direct influence on the security practices of individual U.S. \nworkers and business owners whose inattention to security could have \ncascading effects on our country's computing infrastructure. Security \npractitioners deal with the people side of security, far more than any \nof today's educators or researchers. Yet the security practitioners \nhave virtually no influence on the cyber security research agenda and \nonly indirect influence on the curriculum of computer science programs.\n    The government does not actively solicit input from the private \nsector in crafting its R&D or education agenda, nor does the government \nactively promote dissemination of the research results to media and \nforums usually consulted by private security practitioners. As a \nmember, Board Director, and Advisor of the New York Metropolitan \nChapter of the Information Systems Security Association (ISSA), I \nregularly meet with hundreds of chapter members who are security \nprofessionals in New York-based businesses. We have never been asked \nfor input into a national research agenda. 
Our membership has been \ngenuinely surprised when they've heard about the results of my own work \nsponsored by DHS, IARPA, the Air Force, and DARPA. Furthermore, these \nmembers of the private sector are willing to participate in the \ntechnical transition of the R&D--but they are rarely asked to do so.\n    Additionally, the ISACs and other organizations, such as the \nNational Academy of Sciences, could be tapped as conduits for \ncollaboration between the private sector and government in developing \nthe cyber security research agenda.\n\nConclusion\n\n    Effective cyber security is often said to be about ``people, \nprocess, and technology.'' Although ``people'' come first in this \ndescription, the emphasis in federally funded cyber security education \nand research has been on the development of technology within the \nacademic environment of computer science and electrical engineering. \nThis needs to change.\n\nBroaden the Base of Those Receiving Cyber Security Education\n\n    The current approach to cyber security education falls far short of \nadequately preparing the universe of people who every day take actions \nthat make our computing infrastructure more or less secure. We must \noffer information to--and influence the behavior of--software \ndevelopers, business owners, soldiers maintaining network-centric \nsystems, policy-makers, lawyers, students, and home-users. The source \nof this education must go beyond college computer science courses. 
The \neducation and training of security awareness, good practices, and cyber \nethics should start in our elementary schools and extend beyond the \nacademic environment into the training programs offered by professional \norganizations.\n    Schools of law and law enforcement must not only teach cyber law \nand policy, but teach the foundations of the Internet and computer \nusage that underlie the laws and policies.\n    Social science experts in cultural influence should be consulted on \nhow to raise our national awareness of cyber risks and change the \nsecurity practices of average Americans.\n    Experts in learning should advise the retiring old guard security \npractitioners on how to effectively mentor new security professionals \nand expedite the transfer of their corporate knowledge.\n    Computer science curricula must include building security into the \nentire life cycle of software development.\n    We must increase the number of U.S. citizens who master the math \nand science needed to advance cyber security technologies, and who \nenroll in advanced degrees in information security.\n\nUse Interdisciplinary Approaches to Make the Cyber Culture More Secure\n\n    Changing how people value security and behave with computer systems \nand networks should be a primary concern of our cyber education and \nresearch. It is clear that technological change will happen; it already \ndoes. But safe and ethical behavior is not keeping pace with the \npervasiveness of computing for work, entertainment, and socializing. \nInterdisciplinary approaches, which combine computer science with the \nmore people-centric disciplines of psychology, sociology and \nanthropology, can extend our understanding of how to create a more \nsecure computing culture.\n    We need research on how people value information. 
Understanding how \npeople place value on information will help security professionals to \nmotivate compliance with security practices; it will inform the \nsecurity architects on where to place the greatest defense; and it will \nform the foundation for security metrics.\n    Security must be more usable. Interdisciplinary approaches to \nusability can make it easier for practitioners to install and tune \nsecurity technology, and for users to comply with security policies and \npractices.\n    Human factors psychologists with expertise in collaborative media \nshould work with computer network defenders to develop effective means \nfor timely information sharing needed to rapidly detect cyber attacks \nwithin and across organizations.\n    The disciplines of economics, business administration, and \ninformation systems must study the interdependencies of computing \nassets and business processes so that accurate ROI for security \ninvestment can be computed, and data-driven plans for continuity of \noperations can be developed.\n\nFoster Technology Transition of Cyber Security Research\n\n    The existing research agenda, framed by and for computer \nscientists, emphasizes publication of research results above technology \ntransition. Little current research and education funding is directed \nto the operational implementation of the advanced technologies. The \nproblems encountered in getting a technology to work in the real \nworld--accreditation, affordability, usability--are not deemed worthy \nof peer-reviewed publications and are therefore dismissed by many \nprofessors, students, and funding agencies who measure their \nachievements through publication history.\n    There is a short supply of U.S. citizens with security-related \nadvanced degrees who can transition technology into the DOD where \nsecurity clearances are required. Non-academic research institutions \nwho have U.S. 
citizens to transition technology, such as research \ncontractors or government laboratories, do not have the streamlined \nInstitutional Review Board processes required for technology evaluation \nstudies involving people; hence the human element is all too often left \nout of the research.\n    To increase the likelihood of technology transition, we must take \nseveral steps:\n\n        <bullet>  Realistic, scalable test data must be provided to the \n        researchers by the funding agencies.\n\n        <bullet>  Funding agencies should include measures of \n        technology transition in their evaluation of grants and \n        research contracts.\n\n        <bullet>  Funds should be available for crossing the chasm from \n        prototype to operational deployment. This includes funding for \n        accreditation and usability evaluations.\n\n        <bullet>  The government should foster collaboration between \n        university researchers and nonacademic research organizations. \n        The universities can use their Institutional Review Boards to \n        guide corporations and government laboratories in testing new \n        technologies with human subjects. Research companies with \n        personnel who have security clearances can assist universities \n        with technology transition into DOD sites that are not \n        ordinarily accessible to university students and professors.\n\nIncrease the Private Sector's Voice in Cyber Security Education and \n                    Research\n\n    The private sector, which is a conduit both for attacks on our \ncritical information infrastructure as well as the prevention of those \nattacks, has no significant influence on the federal R&D agenda in \ncyber security. Security practitioners in the private sector, where \nthey can influence U.S. workers and businesses, are neither consulted \non the national agenda nor given easy access to the results of \nfederally sponsored R&D. 
This can be addressed in several ways:\n\n        <bullet>  The sponsors of cyber security R&D should conduct \n        outreach activities to professional societies of security \n        practitioners including ISSA, ISACA (Information Systems Audit \n        and Control Association), and (ISC)2 (International Information \n        Systems Security Certification Consortium).\n\n        <bullet>  Researchers must be encouraged by the sponsors of \n        their research to publish the results of their work in trade \n        magazines and on-line forums where private security \n        professionals communicate.\n\n        <bullet>  The government should incentivize the private sector \n        to bring interns from academia into their IT infrastructure to \n        gain on-the-job experience prior to their graduation.\n\n        <bullet>  ISACs should be used as a medium for connecting \n        private sector needs with federally funded research.\n\n    In sum, there are many substantive ways in which the social \nsciences can assist us in improving cyber security. My thanks to the \nCommittee for allowing me an opportunity to share my viewpoints.\n\nAcknowledgements\n\n    I would like to acknowledge the contributions of Laurin Buchanan \nand Frank Zinghini of AVI, and Geoff Mumford of the American \nPsychological Association, to the preparation of this testimony.\n\n                      Biography for Anita D'Amico\n    Dr. D'Amico is the Director of Secure Decisions, a division of \nApplied Visions, Inc. She is a human factors psychologist and an \ninformation security specialist, with interests in improving \nsituational awareness of information security analysts through \nvisualization and cognitive analysis. Her most recent work has been in \nthe area of combining geographic information with network security and \nnetwork management information to improve security and preserve \ncontinuity of operations.\n    Dr. 
D'Amico joined Applied Visions in 2000 to help create and grow \nthe Secure Decisions division, building upon information visualization \ntechnology developed by Applied Visions under an Air Force research \ncontract. The Secure Decisions division of Applied Visions is now \nrecognized as a leading provider of information visualization research \nand technology development to the Department of Defense, the \nIntelligence Community, and the Department of Homeland Security.\n    Prior to joining Applied Visions, Dr. D'Amico ran the Information \nWarfare Group for Northrop Grumman, where she was responsible for \ndeveloping that new business area. In the years before that she had \napplied her human factors and psychology training to a variety of \ndomains, all centered about the interaction between humans and \nmachines, including such disparate domains as aircraft design and ship \nhandling.\n    Dr. D'Amico has published widely on the topic of cyber security, \nparticularly from the perspective of human factors and the impact of \nsituational awareness on the effectiveness of cyber security \npractitioners. She is a frequent keynote speaker on the topic at \nindustry conferences, and she chaired the 2003 Forum on Information \nWarfare, presented by the Management Information Systems Training \nInstitute, Washington, DC. Recently, she conceived and conducted a \njoint industry/government workshop on understanding and determining the \nimpact of cyber security breaches on organizational mission.\n    Dr. D'Amico received a B.A. from the University of Pennsylvania, \nand an M.S. and Ph.D. in psychology from Adelphi University. She served \nfive years as a member of the Board of Directors of the New York Metro \nchapter of the Information Systems Security Association (NYMISSA).\n\n    Chairman Lipinski. Thank you, Dr. D'Amico.\n    Dr. Schneider.\n\nSTATEMENT OF DR. FRED B. SCHNEIDER, SAMUEL B. 
ECKERT PROFESSOR \n OF COMPUTER SCIENCE, DEPARTMENT OF COMPUTER SCIENCE, CORNELL \n                           UNIVERSITY\n\n    Dr. Schneider. Thank you for inviting me here to testify \ntoday. In the few minutes I have, I want to summarize the key \npoints in my written testimony.\n    I start with the observation that computing systems we \ndeploy today are not as trustworthy as they could be, and we \ndon't know how to make them as trustworthy as they need to be. \nAs the United States increases our dependence on these systems, \nthey become ever more attractive to attackers. Our defenses \ndon't keep up, so we operate in a reactive mode and we improve \ndefenses only after they have been penetrated. We thus prepare \nto fight the last battle rather than the next one. We need to \nmove beyond this reactive stance to a proactive one. In short, \nwe must build systems whose trustworthiness derives from first \nprinciples. This proactive approach requires having a science \nbase for cyber security. We don't have one and we need to \ndevelop one. Doing that will require making significant \ninvestments in research, and the investments will have to be \nmade on a continuing basis. Cyber security will never be a \nsolved problem. We are not going to find a magic bullet \nsolution. We have accepted this reality for medical research \nand for defense. The same reality applies to cyber security.\n    The analogy with public health and medical research \nhighlights two disconnects between cyber security research \ntoday and what is really needed. The first was the lack of a \nscience base I just discussed. The second disconnect concerns \nthe policy part of the picture. Technology solutions that \nignore policy questions risk irrelevance, as do policy \ninitiatives that ignore the limits and capabilities of \ntechnology. 
This means that we should also be supporting \nresearch in policy and research that aims to bridge the gap \nbetween technology and policy.\n    Let me make two further observations about cyber security \nresearch. First, when the work is classified, it cannot engage \nmany of the country's top researchers. It necessarily receives \nless scrutiny by a diverse community of experts and it will be \nslow to impact the civilian infrastructure on which we \nincreasingly depend. Second, cyber security research once was \nfunded by a diverse ecology of agencies. This was valuable \nbecause different agencies have different needs, goals, \ncultures, styles and criteria for reviewing proposals; but that \ndiversity has been eroding. Getting that diversity restored \nshould be a priority and it would undoubtedly bring better \nvalue per research dollar spent.\n    I earlier made the observation that today's systems are not \nas trustworthy as they could be. There are many reasons for \nthis, and university education certainly has an important role \nto play in the solution here. With significant increases in \nresearch funding, more faculty will be working on system \ntrustworthiness so more faculty will be available to teach \nthese subjects, and that is crucial; but understand that like \nany new discipline, this field is in flux. There is not yet a \nwidespread agreement on the core, so we would be ill advised to \nbe legislating what gets taught. We would also be ill advised \nto be legislating that everyone be taught. Only a fraction of \nthe students that our computer science department teaches end \nup in system-building jobs. Also, many who are building our \nnation's critical infrastructures were not computer science \nmajors. What I think we need is a new graduate professional \ndegree program. Lawyers, doctors, teachers and most other \nprofessionals in our society are a good model. We need a post-\nBachelor's degree for systems trustworthiness professionals. 
On \nthe university side, this would mean developing courses, texts \nand other teaching materials, and outside the university it \nwould mean creating a force field so people are compelled to \ninvest the time and money to pursue this new degree.\n    In closing, let me say how encouraged I am by all the \nrecent interest and activity at the federal level regarding \ncyber security; but let me caution, long-term activities that \nwill require long-term investments are the only way to get a \nlong-term solution to this problem. We need to be making long-\nterm investments in research, and we need to be making long-\nterm investments in education.\n    Thank you. I look forward to your questions.\n    [The prepared statement of Dr. Schneider follows:]\n                Prepared Statement of Fred B. Schneider\n    Good morning Mr. Chairman and Members of the Committee. I \nappreciate this opportunity to comment on cyber security research and \neducation. I am Fred B. Schneider, a Computer Science professor at \nCornell University and Chief Scientist of the NSF-funded TRUST\\1\\ \nScience and Technology Center, a collaboration involving researchers at \nU.C.-Berkeley, Carnegie-Mellon University, Cornell University, Stanford \nUniversity, and Vanderbilt University.\n---------------------------------------------------------------------------\n    \\1\\ Team for Research in Ubiquitous Secure Technology.\n---------------------------------------------------------------------------\n    I have been a Computer Science faculty member since 1978, actively \ninvolved in research, education, and in various advisory capacities for \nboth the private and public sectors. Besides teaching and doing \nresearch at Cornell, I today serve as member of the Dept. of Commerce \nInformation Security and Privacy Advisory Board (ISPAB), as a member of \nthe Computing Research Association's board of directors, and as a \ncouncil member of the Computing Community Consortium. 
I also co-chair \nMicrosoft's TCAAB external advisory board on trustworthy computing.\n    Our nation's increasing dependence on computing systems that are \nnot trustworthy puts individuals, commercial enterprises, the public \nsector, and our military at risk. If anything, this dependence will \naccelerate with new initiatives such as the ``smart grid'' and \nelectronic health care records. Increased data, increased networking, \nand increased processing all mean increased exposure. These systems \nneed to work as we expect--to operate despite failures and despite \nattacks. They need to be trustworthy.\n    The growth in attacks we are seeing today should not be surprising. \nThe more we depend on a system, the more attractive a target it becomes \nto somebody intent on causing disruption; and the more value that is \ncontrolled by a system, the more attractive a target it becomes to \nsomebody seeking illicit gain. But more disturbing than the growth in \nattacks is that our defenses can't keep up. The core of this problem is \nthe asymmetric nature of cyber security:\n\n        <bullet>  Defenders are reactive; attackers are proactive. \n        Defenders must defend all places at all times, against all \n        possible attacks (including those not known about by the \n        defender); attackers need only find one vulnerability, and they \n        have the luxury of inventing and testing new attacks in private \n        as well as selecting the place and time of attack at their \n        convenience.\n\n        <bullet>  New defenses are expensive to develop and deploy; new \n        attacks are cheap. Defenders have significant investments in \n        their approaches and business models, while attackers have \n        minimal sunk costs and thus can be quite agile.\n\n        <bullet>  The effectiveness of defenses cannot be measured; \n        attacks can. 
Since we cannot currently quantify how a given \n        security technology or approach reduces risk from attack, there \n        are few strong competitive pressures to develop defenses. So \n        vendors frequently compete on the basis of ancillary factors \n        (e.g., speed, integration, brand development, etc.). Attackers \n        see their return-on-investment and have strong incentives to \n        improve their offerings.\n\n    The result has been a cyber security mentality and industry built \naround defending against known attacks. Our defenses improve only after \nthey have been successfully penetrated. And this is a recipe to ensure \nsome attackers succeed--not a recipe for achieving system \ntrustworthiness. We must move beyond reacting to yesterday's attacks \n(or what attacks we predict for tomorrow) and instead start building \nsystems whose trustworthiness derives from first principles.\n    Yet today we lack the understanding to adopt that proactive \napproach; we lack a ``science base'' for trustworthiness. We understand \nthat the landscape includes attacks, defense mechanisms, and security \nproperties. But we are only now starting to characterize the lay of the \nland in terms of how these features relate--answers to questions like: \nWhat security properties can be preserved by a given defense mechanism? \nWhat attacks are resisted by a given mechanism? How can we overcome the \ninevitable imperfections in anything we might build, yet still resist \nattacks by, for example, forcing attackers to work too hard for their \nexpected pay-off. Having a science base should not be equated with \nimplementing absolute security or even concluding that security \nrequires perfection in design and implementation. 
Rather, a science \nbase should provide--independent of specific systems--a principled \naccount for techniques that work, including assumptions they require \nand ways one set of assumptions can be transformed or discharged by \nanother. It would articulate and organize a set of abstractions, \nprinciples, and trade-offs for building trustworthy systems, given the \nrealities of the threats, of our security needs, and of a broad new \ncollection of defense mechanisms and doctrines. And it would provide \nscientific laws, like the laws of physics and mathematics, for \ntrustworthiness.\n    An analogy with medicine can be instructive here. Some maladies are \nbest dealt with in a reactive manner. We know what to do when somebody \nbreaks a finger, and each year we create a new influenza vaccine. But \nonly after significant investments in basic medical sciences are we \nstarting to understand the mechanisms by which cancers grow, and \ndeveloping a cure seems to require that kind of deep understanding. \nMoreover, nobody believes that disease will some day be a ``solved \nproblem.'' We make enormous strides in medical research yet new threats \nemerge and old defenses (e.g., antibiotics) are seen to lose their \neffectiveness.\n    Like medicine and disease, system trustworthiness is never going to \nbe a ``solved problem''. There will be no ``magic bullet'' \ntrustworthiness solution, just as there is not going to be a miracle \ncure for all that ails you. We must plan to make continuing \ninvestments, because the problem will continue evolving:\n\n        <bullet>  The sophistication of attackers is ever growing, so \n        if a system has vulnerabilities then they will find them. Any \n        assumption made when building a system does, in fact, \n        constitute a vulnerability, so every system will have \n        vulnerabilities of one sort or another. 
And with enough study, \n        attackers will find these vulnerabilities and find ways to \n        exploit them.\n\n        <bullet>  The technology base used by our systems is rapidly \n        changing. Systems are replaced on a three- to five-year time \n        span, not because computers or software wear out but because \n        newer software and hardware offer improved functionality or \n        better performance (which is then leveraged into new \n        functionality). New systems will work differently, will involve \n        different assumptions, and therefore will require new defenses.\n\n        <bullet>  The settings in which our computing systems are \n        deployed and the functionality they provide are not static. With \n        new settings come new opportunities for attack and disruption, \n        whether it is creating a blackout by attacking the ``smart \n        grid'' or stalking somebody by planting a virus on a GPS-\n        equipped cell phone.\n\n    We can expect to transcend the constant evolution only through the \nunderstanding that a science base provides. A science base is also our \nonly hope for developing a suite of sound quantitative trustworthiness \nmeasures, which in turn could enable intelligent risk-management \ndecisions, comparisons of different defenses, and incentivize \ninvestments in new solutions.\n    A science base for trustworthiness would not distinguish between \nclassified and unclassified systems, nor would it distinguish between \ngovernment and private-sector systems. The threats and trade-offs might \nbe different; the principles are going to be the same. 
But even an \nunderstanding of how to build trustworthy systems for the private \nsector would by itself be useful in military and government settings, \nsimply because so-called COTS (commercial off the shelf) technologies \nthat are developed by the private sector for the private sector are \nwidely used within the government too.\n    Many equate cyber security research with investigations solely into \ntechnical matters. This oversimplifies. Achieving system \ntrustworthiness is not purely a technology problem. It also involves \npolicy (economic and regulatory). Technological solutions that ignore \npolicy questions risk irrelevance, as do policy initiatives that ignore \nthe limits and capabilities of technology. So besides investing in \ndeveloping a science base for trustworthiness, we must also invest in \nresearch that bridges the technical and the non-technical. We need to \nunderstand when we might get more traction for trustworthiness from a \npolicy solution than from a technology one. For example, identifiers--\nyour mother's maiden name, your credit card number, your bank account \nnumber, and your social security number--are not a good basis for \nauthentication because they will be known to many. So regulation that \nprohibits the use of identifiers as authenticators might more \neffectively defend against identity theft than new technology could. As \nanother example, there is talk about making the Internet more secure by \nadding the means to trace packets back to their senders. 
But the \nInternet is as much a social construct as a technological one, and we \nneed to understand what effects proposed technological changes could \nhave; forgoing social values like anonymity and privacy (in some sense, \nanalogous to freedom of speech and assembly) in order to make the \nInternet more trustworthy might significantly limit the Internet's \nutility to some, and thus not be seen as progress.\n    Investments in cyber security research are best accompanied by \ninvestments in cyber security education, because this provides an \nefficient path for the research to reach industry where it can be \napplied. In particular, research undertaken in academia not only \nengages some of our nation's best and brightest researchers but because \nthese researchers are also teachers, new generations of students can be \nexposed to the latest thinking from the people who understand it best. \nAnd when these students graduate and move into the workplace, they will \nbring this knowledge and understanding with them. Moreover, faculty in \nthis dual role of researchers and teachers have incentives to write \ntextbooks and prepare other teaching materials that allow dissemination \nof their work to a very wide audience, including teachers elsewhere.\n\nQuestion: Does the current range of federally supported research \nadequately address existing cyber security threats as well as new and \nemerging threats? If not, what are the research gaps, and how would you \nprioritize federal research investments in cyber security?\n\n    Federal expenditures for unclassified cyber security research do \nnot match the severity of the threat. 
IT security expenditures are \nestimated to reach $79 billion annually by 2010.\\2\\ According to the \nNITRD Networking and Information Technology Research and Development \nProgram,\\3\\ $342.5M is being requested for FY 2010 ``Cyber Security & \nInformation Assurance.'' This means federal budget requests for \nunclassified research in system trustworthiness total roughly .4 \npercent of the expenditures that might be leveraged by the research. \nMoreover, anecdotal information about specific funding programs at \nvarious key federal agencies suggests that only a portion of the \n$342.5M is spent on academic research in cyber security. It then comes \nas no surprise to find the recent National Research Council CSTB report \nToward a Safer and More Secure Cyberspace\\4\\ stating that funding \nlevels for cyber security research are low, preventing researchers from \npursuing their promising research ideas. And this echoes the findings \nin the President's Information Technology Advisory Committee's \nindependent report Cyber Security: A Crisis of Prioritization\\5\\ which \nstated that (i) cyber security solutions would emerge only from a \nvigorous and well funded program of research and (ii) that levels of \nfunding were dangerously low to solve problems or to sustain a \ncommunity of researchers.\n---------------------------------------------------------------------------\n    \\2\\ Information Security Products & Services--Global Strategic \nBusiness Report, Global Industry Analysts, Inc., July 2007.\n    \\3\\ The Networking and Information Technology Research and \nDevelopment Program. Report by the Subcommittee on Networking and \nInformation Technology Research and Development, May 2009. Page 21. \nhttp://www.nitrd.gov/Pubs/2010supplement/FY10Supp-FINAL-Preprint-\nWeb.pdf\n    \\4\\ Toward a Safer and More Secure Cyberspace. S. Goodman and H. \nLin (eds.), National Academies Press, Washington, DC, 2007. Appendix \nB.6. 
http://books.nap.edu/catalog.php?record_id=11925\n    \\5\\ Cyber Security: A Crisis of Prioritization. President's \nInformation Technology Advisory Committee, Feb. 2005. http://\nwww.nitrd.gov/pitac/reports/20050301_cybersecurity/\ncybersecurity.pdf\n---------------------------------------------------------------------------\n    The NRC CSTB report also states that, excepting the National \nScience Foundation (NSF), federal funding agencies predominantly target \nshort-term problems rather than addressing the harder, longer-term \nchallenges that constitute our only hope to win this war. A culture \nthat targets easily quantifiable progress is particularly dangerous, \nbecause it discourages funding research efforts that, being more \nforward-looking, could provide the real pay-offs.\n    The PITAC report also noted damage being caused by the lack of \ncontinuity in cyber security funding and by the inadequate oversight \nand coordination exerted by the Federal Government over its cyber security \nresearch programs. For example, a lack of funding continuity stymies \nthe development of a research community, because younger faculty and \ngraduate students are disinclined to enter fields where future funding \nis uncertain. This, in turn, leads to a national shortage in cyber \nsecurity expertise.\n    PITAC argued, in vain, for a significantly increased investment in \n``fundamental research in civilian cyber security,'' noting that \ncivilian systems comprise the lion's share of our nation's critical IT \ninfrastructure, and that the government and military rely in large \nmeasure on civilian hardware and software components and systems. \nMoreover, expenditures by the private sector for long-term cyber \nsecurity research have historically been quite small, probably because \nreturn on such investments is expected to be low. 
If the Federal \nGovernment doesn't make these investments then nobody else will, and we \nall miss the opportunity for the revolutionary advances that are \nunlikely to result from the current regime of funding evolutionary \nsteps. By the same token, the existence of a healthy IT-security \nindustry suggests that the private sector does make investments in \nshort-term research; so there is a less-compelling reason for federal \ninvestments here.\n    There is a disconnect between research being funded and what is \nneeded. Federal research funding has been too focused on a few \nestablished technical battle-fronts (e.g., firewalls, anti-virus, \nintrusion detection, buffer overflows, etc.). In some cases, this focus \nreflects views held by researchers; in other cases, the focus comes \nfrom program management in the funding agencies. Whichever it is, this \nmindset is a decade or more out of step with the reality of our current \nadversaries. We need to re-imagine the scope of the cyber security \nproblem itself and refocus our attention the same way our adversaries \nhave refocused. We cannot afford simply to develop technologies that \nplug holes faster; we need to think of security research more \nholistically, determining how most efficiently to block, disrupt, or \ndis-incentivize opponents.\n\n        <bullet>  We must establish a goal of developing a science base \n        for trustworthiness, as discussed in detail above. Such a \n        science base is crucial for understanding how to build systems \n        that are trustworthy.\n\n        <bullet>  We must investigate mechanisms--both operational and \n        forensic--for better attributing cyber-attacks to the actors \n        behind them, because this is essential for applying virtually \n        all other instruments of policy, from law enforcement to \n        diplomacy. This approach might well be a last resort, invoked \n        only after defenses to prevent attacks have failed. 
So it needs \n        to be an option, despite being technically quite challenging as \n        well as raising non-technical questions ranging from privacy \n        all the way to international law.\n\n        <bullet>  We must consider not merely hypothetical opponents, \n        but the real attackers we face today and those we expect to \n        encounter tomorrow. The military does not train against a \n        hypothetical adversary with hypothetical resources, strategies \n        and interests, nor should cyber security researchers \n        investigate defenses absent that information.\n\n        <bullet>  We must prioritize developing better quantitative \n        measures around cyber security risk, efficiency, and value. The \n        government and the private sector cannot invest arbitrary \n        amounts in securing our systems without better understanding \n        the return on this investment.\n\n        <bullet>  We must invest in research that bridges policy \n        (regulation and economics) with technology. To do research in \n        technology without knowledge of policy or vice versa risks \n        irrelevance.\n\n        <bullet>  We must better understand the human element in our \n        systems. Too often system security is synonymous with \n        inconveniencing users. And users are inclined to circumvent \n        security controls they find inconvenient, defeating a system's \n        defenses even before it is attacked.\n\n        <bullet>  We must continue to invest in research concerned with \n        building software systems: operating systems, networks, \n        programming languages, formal methods, database systems, etc. \n        Ultimately, the things that undermine a system's \n        trustworthiness will be traced to errors in design, \n        implementation, requirements, or assumptions--subjects that are \n        studied by software researchers. 
And we must continue making \n        research investments in the relevant theoretical areas, such as \n        logics and cryptography.\n\n    While there is certainly both a role and need for undertaking \nclassified research in trustworthy systems, there are significant \nlimitations that come with the secrecy. Classified research does not \nengage many of the most capable cyber security researchers, is \nnecessarily less likely to receive broad scrutiny by a diverse \ncommunity of experts, and does not contribute to educating the next \ngeneration of cyber security researchers and practitioners. Classified \nresearch programs are also slow to impact the civilian cyber-\ninfrastructure and its equipment, on which so much of our nation's \ncritical infrastructure depends.\n    Having an Ecology of Federal Agencies is Valuable. There once was a \ndiverse ecology of funding sources for the various styles and topics \nthat trustworthiness research spans, but that ecosystem has been \neroding as funding agencies have redefined their priorities. Some of \nthese decisions are difficult to defend, given the central role that \nsystem trustworthiness plays in the missions these agencies are supposed \nto support.\n    Funding from a single agency (NSF) now dominates unclassified \nfederal cyber security research. In the past, DARPA had been a \nsignificant source of funding for university researchers doing work in \nsystems and security, but for the last eight years DARPA has not been \nmaking those investments. DHS has funded work in cyber security, but at \nsignificantly lower levels and focusing on problems with a short-term \nhorizon. DOD, through AFOSR, ARO, and ONR, does fund some fundamental \nresearch in security, but the number of projects supported is \nrelatively small and some of the funding is for special one-time \ninitiatives (i.e., the MURI program). IARPA inherited from its \npredecessor organizations a small but strong trustworthiness research \nprogram. 
That, however, is being terminated, and new programs to take \nits place have been slow to get started. Also, the funding philosophy \nat IARPA appears to be oriented more toward production of quantifiable \nresults than toward open-ended curiosity-driven explorations.\n    This ecology of different government agencies with their different \nneeds, goals, and cultures, could yield a robust and diverse research \nclimate. However, many of the potential benefits have not materialized, \nboth because the interagency coordination has been voluntary and \nbecause tight budgets led some of the participants to reduce their \ncyber security research investments and/or to focus those expenditures \non short-term work, which they saw as better suited for their missions.\n    Today, NSF is the only natural home for fundamental research in \ncivilian cyber security. They not only fund single-investigators doing \nmore-theoretical work, but they also fund larger-scale multi-\ninvestigator efforts that involve prototyping non-trivial systems. \nNSF's Trustworthy Computing (formerly Cyber Trust) program, the likely \nagent for funding investigations that will have high payoff, is \nwoefully under-resourced. In the past, what had been DARPA's style \ncomplemented NSF's style by supporting larger groups (three to five \ninvestigators) to work for relatively longer periods (five to ten \nyears) in order to take a game-changing idea to a demonstrable \nembodiment. The NSF and former DARPA styles are complementary, and both \nought to be supported. Another point of contrast between the different \nstyles concerns the manner they review and select proposals for \nfunding. 
External peer-review by the research community leads to \nfunding work having a different character from internal review (where \nprogrammatic goals play a role in project selection).\n    There is a tension between maintaining a diverse ecology of federal \nagencies to fund trustworthiness research and allowing each individual \nfunding agency the autonomy to alter its priorities. So we must be \nmindful: seemingly local decisions within an agency actually can have a \nbroader impact by changing the federal portfolio of trustworthiness \nresearch (as well as changing the total amount of federal expenditures \nfor trustworthiness research). This tension would be resolved if a \ncoordinating body were to monitor such decisions and offset their \nimpact on the federal portfolio by allocating additional resources and \nrecreating the now-absent styles at agencies electing to continue \nfunding trustworthiness research.\n    Finally, it is worth noting that new initiatives in energy (e.g., a \n``smart grid''), transportation, and electronic medical records will \nalmost certainly require solving new trustworthiness research \nquestions. A failure to engage the community early in such initiatives \nis a mistake. This kind of trustworthiness research is not done well in \na vacuum from applications; there is no substitute for direct \nexperience with the application area. Thus, part of these new \ninitiatives should be to involve the trustworthiness research \ncommunity, so they can help ensure that the inter-networked systems \nrequired will be ones we can depend on.\n\nQuestion: What is the state of cyber security education? Are future \ncyber security professionals being adequately trained by colleges and \nuniversities to meet anticipated demands of the private sector? If not, \nwhat kind of cyber security training is appropriate and necessary for \ninstitutions to develop, and for what kinds of students?\n\n    The University Landscape. 
Cyber security professionals are today \nnot being adequately trained to meet the needs of either the private \nsector or the public sector.\n\n        <bullet>  Part of the problem is resources. University Computer \n        Science (CS) departments lack the faculty to offer the relevant \n        courses. Few faculty members have the necessary expertise to \n        offer courses in this area. And even if a CS department has \n        managed to hire a few cyber security specialists, they will \n        likely also be involved in teaching the large complement of \n        other classes that need to be covered by a department giving \n        undergraduate and graduate CS degrees.\n\n        <bullet>  Part of the problem is content. The field is \n        relatively young and fast moving. There is not yet widespread \n        agreement about what technical content must be covered, which \n        makes this an exciting time to be teaching cyber security at \n        the university level. But it also means that textbooks and \n        other teaching materials have short lives unless they are \n        frequently revised, which is a disincentive to some authors. So \n        there are fewer good textbooks than would be found in a more \n        mature subject. Yet, creating agreement on content by \n        legislating a curriculum would be a serious mistake at this \n        point, because it would retard the dissemination of new ideas \n        to students and it would discourage faculty from writing texts \n        that reflect improvements in our understanding of the field.\n\n    A Cyber Security Professional Degree. I believe that a well trained \ncyber security professional needs to have exposure to a broad variety \nof topics. 
One would expect to see courses that cover technical topics, \nsuch as computer security principles, distributed systems and \nnetworking, systems reliability, software engineering, cryptography, \nand user interfaces and human factors. But I also strongly advocate \nexposure to non-technical topics, including cyber-law (intellectual \nproperty law, communications law, privacy law), ethics, economics of \ncomputing and networking, business strategy, and human relations (i.e., \nmanagement of people). This broad education would enable a cyber \nsecurity professional to use all conceivable technical and policy tools \nfor achieving trustworthiness. It would also ensure that solutions \ncould be evaluated in a broader societal context, so that risk-\nmanagement and trade-offs between different social values (such as \nprivacy versus accountability) can be contemplated.\n    There is likely more than one year's worth of content past today's \nCS BS degree, but there is probably less than three years of course \nmaterial. This would argue for creating some sort of graduate, \nprofessional degree program. It would be designed so that its students \nwould learn both the technical and the non-technical topics needed to \ndefine and develop trustworthy computing systems, manage them, and \noversee their deployment, use, and evolution.\n    Undergraduate Education. Computer Science departments today educate \nstudents to pursue a rather diverse set of careers. And, in particular, \nnot all undergraduate Computer Science majors are headed for system-\nbuilding careers. Thus, it would be inappropriate to impose a cyber \nsecurity requirement on all graduates from a Computer Science \ndepartment. The more sensible model would be for universities to offer \na programme of study for system trustworthiness, analogous to pre-law \nor pre-med. 
Such a program is typically not associated with a single \nuniversity department but rather offered in conjunction with various \nmajors; it prescribes a set of courses for the electives available in \nthat department's major. The courses would cover the subjects outlined \nabove in connection with the cyber security professional degree. And it \nshould be open to students in the various relevant majors.\n    Finally, it certainly seems reasonable that students destined to \nbuild systems--no matter what their major--should have exposure to the \nbasic ideas needed for making those systems trustworthy. This means \nthat they need exposure to basic cyber security, software engineering, \nand various systems topics (operating systems, networking, etc.). Such \nstudents will be found enrolled in various majors. So while the CS \ndepartment is the obvious place to offer these courses, the courses \nwill not be populated only by CS majors. And this has implications \nconcerning what pre-requisites can be assumed.\n\n                    Biography for Fred B. Schneider\n    Fred B. Schneider is Samuel B. Eckert Professor of Computer Science \nat Cornell University. He joined the Cornell faculty in Fall 1978, \nhaving completed a Ph.D. at Stony Brook University, preceded by a B.S. \nin Engineering from Cornell in 1975. Schneider currently also serves as \nthe Chief Scientist for the NSF-funded TRUST Science and Technology \nCenter, which brings together researchers at U.C.-Berkeley, Carnegie-\nMellon University, Cornell University, Stanford University, and \nVanderbilt University.\n    Schneider's research has focused on various aspects of trustworthy \nsystems--systems that perform as expected, despite failures and \nattacks. 
His early work concerned formal methods to aid in the design \nand implementation of concurrent and distributed systems that satisfy \ntheir specifications; he is author of two texts on that subject: On \nConcurrent Programming and A Logical Approach to Discrete Mathematics \n(co-authored with D. Gries). He is also known for his research in \ntheory and algorithms for building fault-tolerant distributed systems. \nFor example, his paper on the ``state machine approach'' for managing \nreplication brought an SOSP ``Hall of Fame'' award for seminal \nresearch. More recently, his interests have turned to system security. \nHis work characterizing what policies can be enforced with various \nclasses of defenses is widely cited, and it is seen as advancing the \nnascent science base for security. He is also engaged in research \nconcerning legal and economic measures for improving system \ntrustworthiness.\n    Schneider was elected Fellow of the American Association for the \nAdvancement of Science in 1992, the Association of Computing Machinery \nin 1995, and the Institute of Electrical and Electronics Engineers in \n2008. He was named Professor-at-Large at the University of Tromso \n(Norway) in 1996, and was awarded a Doctor of Science honoris causa by \nthe University of Newcastle-upon-Tyne in 2003 for his work in computer \ndependability and security.\n    Schneider has served since Sept. 2006 as a member of the \nInformation Security and Privacy Advisory Board (ISPAB), which advises \nNIST, the Secretary of Commerce, and the Director of OMB on information \nsecurity and privacy issues pertaining to Federal Government \nInformation Systems. He chaired the National Academies CSTB study on \ninformation systems trustworthiness that produced the 1999 volume Trust \nin Cyberspace. He also served as a member of CSTB from 2002-2008 and \nfrom 2004-2007 on the CSTB study committee for improving cyber security \nresearch. 
Schneider was a member of the NSF CISE advisory committee \n2002-2006. And in Fall 2001, he chaired the United Kingdom's pentennial \nexternal review of research funding for academic Computer Science.\n    In 2007, Schneider was elected to the Board of Directors of the \nComputing Research Association (CRA) and appointed to the steering \ncommittee of CRA's Computing Community Consortium. CRA is an \nassociation of more than 200 North American academic departments of \ncomputer science, computer engineering, and related fields; part of \nits mission is to strengthen research and advanced education in the \ncomputing fields and to improve public and policy-maker understanding \nof the importance of computing and computing research in our society.\n    Schneider is a frequent consultant to industry, believing this to \nbe an efficient means of implementing technology transfer as well as \nlearning about the real problems. He is Co-Chair of Microsoft's \nTrustworthy Computing Academic Advisory Board, which comprises outside \ntechnology and policy experts who meet periodically to advise Microsoft \nabout products and strategy. He also provides technical expertise in \ncomputer security as well as more broadly to a variety of firms, \nincluding: BAE Systems, Fortify Software, Lockheed Martin, and \nMicrosoft.\n\n    Chairman Lipinski. Thank you, Dr. Schneider.\n    I now recognize Mr. Brown.\n\n  STATEMENT OF MR. TIMOTHY G. BROWN, VICE PRESIDENT AND CHIEF \n               ARCHITECT, CA SECURITY MANAGEMENT\n\n    Mr. Brown. Good morning, Chairman Lipinski, Ranking Member \nEhlers and the Members of the Subcommittee. My name is Timothy \nBrown. I am the Vice President and Chief Architect for Security \nManagement for CA Incorporated. I will testify today on behalf \nof CA, and I will draw in several instances upon the positions \nof the Business Software Alliance, of which CA is an active \nmember. I appreciate the opportunity to testify today on cyber \nsecurity and R&D. 
I commend you for your focus on these issues \nwhich are of great importance to CA and the cyber security of \nthe Nation.\n    The threats to our security are real and ever changing. The \ndays of the hobbyist hacker are long past. Today most threats \nare posed by organizations for profit, groups which run very \nmuch like businesses except their business plan is to steal \ndata, identities, credit card numbers and other valuable \ninformation and convert them into profit. My job at CA is to \nhelp stop these bad actors. We develop tools that individuals \nand businesses can use to protect themselves, but the threats \nare ever changing. For example, we have an immense and recent \ngrowth in social networking sites like Twitter and Facebook. \nThis is a good development, but the cyber criminals look at \nthese developments as simply new business models.\n    So, what can we do about all this? We believe the solution \nrequires a multi-pronged and smart approach consisting of \nfour elements. Industry and government need to work together, \nset comprehensive goals that meet the full range of threats and \ndevelop rapid and effective responses. As a country, we need to \ninvest more in basic research. The science must advance for us \nto develop the tools we need to address the threat and we need \nto make sure that those advances in the laboratory are quickly \nturned into the products people and companies need to protect \nthemselves and maintain their security. We need more and better \neducated security specialists. We have made some advances in \nthis area but our universities must be encouraged to devote \nmore resources to supplying the security professionals of \ntomorrow.\n    Finally, we must ensure the public is fully aware of the \nthreats they face. Today, too many Internet users fail to take \nthe needed steps to ensure their data and valuable information \nis safe and secure. One of these elements stands out. 
We \nbelieve the indispensable element of addressing the security \nthreats is ensuring our country continues to invest in basic \nresearch into the ever-changing information-sharing \nenvironment. In my written testimony, I set these points out in \ngreat detail. I would now like to highlight a few of the \ntechnology changes that will create new opportunities for cyber \ncriminals.\n    First, increased bandwidth and connectivity to laptops and \nsmartphones is very important to our economic recovery and key \nto our long-term growth, but this trend also poses new \nchallenges to security by pushing our existing security \ntechnology to its limits. Second, demand for data storage and \ncomputing power are ever increasing. Over the coming years we \nexpect these demands to increase sharply. More data means more \ncyber criminals have more opportunity to do harm. Third, as I \nhave mentioned already, the emergence of social networking has \nhappened very fast and is transforming the way the Internet is \nused both at home and work through increased collaboration and \ninformation sharing, but the security systems used by social \nnetworks need to get much better very quickly. Fourth, today \nbusinesses collaborate and share data. They no longer operate \nindependently, and this is good. For example, hospitals \ncollaborate with other hospitals, universities, health care \nproviders, but more collaborations create more vulnerabilities. \nFinally, the source of risk is also changing. Too often today, \nthe threats come from within an organization rather than from \nmalicious outsiders trying to infiltrate systems. 
To date we \nhave not given enough attention to these insider threats.\n    To address these problems, we recommend the following ways \nfederal support for advanced research can help: developing test \ntools and products that can identify vulnerabilities, logical \ninconsistencies and inappropriate back doors; ways to ensure \nsecurity measures can keep pace with data being used by \nhundreds, sometimes thousands of people simultaneously; new \nidentity management technology and business models that are \nacceptable to consumers and industry, models enabling people to \ncollaborate and interact securely; research into insider threat \ndetection and advanced data leakage protection. But this is not \nenough. Colleges and universities have made great progress and \nsecurity courses are now mandatory in many programs. However, \nthe security knowledge tends to focus more on secure coding \npractices and less on implementation and design of secure \nsystems. We need simply more security professionals well \ntrained in areas such as identity and access management, threat \ndetection and response, and cryptographic systems.\n    Finally, we believe we need to significantly increase our \nnational effort to raise public awareness about cyber security. \nThis would decrease the likelihood that consumers will become \nvictimized as well as decrease the likelihood that the \ncomputers would be hijacked to serve as launching pads for \nlarger attacks. We simply need to develop a national cyber \nsecurity public awareness and education strategy.\n    I would be happy to answer any questions you may have for \nme. Thank you.\n    [The prepared statement of Mr. Brown follows:]\n                 Prepared Statement of Timothy G. Brown\n    Good morning Chairman Lipinski, Ranking Member Ehlers, and Members \nof the Subcommittee. My name is Timothy Brown. I am the Vice President \nand Chief Architect for Security Management for CA, Inc. I will testify \ntoday on behalf of CA. 
However, in several instances, I will also draw \nupon the cyber security policy positions of the Business Software \nAlliance (BSA), an association representing the world's commercial \nsoftware industry and its hardware partners. CA is a member of BSA and \nwe actively participated in the development of those positions.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ The Business Software Alliance (www.bsa.org) is the foremost \norganization dedicated to promoting a safe and legal digital world. BSA \nis the voice of the world's commercial software industry and its \nhardware partners before governments and in the international \nmarketplace. Its members represent one of the fastest growing \nindustries in the world. BSA programs foster technology innovation \nthrough education and policy initiatives that promote copyright \nprotection, cyber security, trade and e-commerce. BSA members include \nAdobe, Apple, Autodesk, Bentley Systems, CA, Cisco Systems, CNC \nSoftware/Mastercam, Corel, CyberLink, Dassault Systemes SolidWorks \nCorporation, Dell, Embarcadero, HP, IBM, Intel, Intuit, McAfee, \nMicrosoft, Minitab, Quark, Quest Software, Rosetta Stone, SAP, Siemens, \nSybase, Symantec, and The MathWorks.\n---------------------------------------------------------------------------\n    CA (www.ca.com) is one of the world's largest information \ntechnology management software providers, providing software and \nexpertise support to more than 99 percent of Fortune 1000 companies, \nas well as United States Federal, State and local government entities, \neducational institutions and thousands of other companies and \ngovernmental organizations worldwide. Founded in 1976, CA is a global \ncompany with headquarters in the United States, 150 offices in more \nthan 45 countries, and more than 5,300 developers worldwide. To \nstrengthen relationships among research communities and our company, we \nestablished CA Labs in 2005. 
CA Labs works closely with universities, \nprofessional associations and government on various projects that \nrelate to CA products, technologies and methodologies. The results of \nthese projects include research publications, best practices, and new \ndirections for products. We also work with many universities to enable \nand promote innovation--including funding university research projects \nin specific areas, working with faculty to enhance curriculum, and \nproviding opportunities to interact with CA research and development \nexperts.\n    I appreciate the opportunity to testify today on cyber security \nresearch and development (R&D), cyber security in higher education, and \npublic education and awareness of cyber security. These three issues, \nwhich you raise in the questions you have asked that I answer, are of \ngreat importance to CA and to the cyber security of our nation, and I \ncommend you, Mr. Chairman, and Ranking Member Ehlers, for focusing on \nthem. They correspond to three key aspects of cyber security: R&D is \ncentral to our capacity to provide innovative and secure information \ntechnology products and services; university-level education directly \nimpacts our workforce's ability to both develop and operate secure \ninformation technology products and services; and public awareness \ncontributes to a sound foundation of technology and security savvy \nusers.\n\nINDUSTRY AND THE FEDERAL CYBER SECURITY RESEARCH AGENDA\n\n    I would like to start by addressing the issue of the role of the \nprivate sector in setting the federal cyber security research agenda. \nSpecifically, you asked the following question:\n\nHow does the private sector provide input regarding its research needs \ninto the process by which the federal research portfolio is developed? \nDo you believe your needs are adequately addressed by the federal \nresearch agenda? 
How can the Federal Government more effectively \npartner with the private sector to address common research needs?\n\n    As a prelude, let me first say that the recently released \nCyberspace Policy Review, announced by President Obama on May 29, \nreflects cyber security concerns understood by virtually all \ninformation security professionals. The state of cyber security today \nclearly shows that we need to deliver game-changing security \ninnovations and practices. Cyber criminals, State and non-State actors, \nand other cyber adversaries move rapidly and adeptly to exploit \nweaknesses and vulnerabilities in systems, networks, applications and \npractices. They are successful at taking control of machines and \nstealing data. Their motivation may be monetary gain or broader, more \nsinister goals, but they all have the luxury of picking and choosing \nboth targets and methods to take advantage of the weakest links \navailable. They are increasingly sophisticated and technically adept. \nSo today's reality is that we are in a very tactical arms race with our \nadversaries.\n    The software industry has raised the bar considerably in the past \nfew years. We have implemented mature, responsible vulnerability \ndisclosure practices, internal secure code training, penetration \ntesting, and code inspection tools. Large software vendors now have \nsecurity as one of the major architectural components of any software \nthey build and have made important changes to their development \nprocesses based on the demand of their corporate customers. The \nindustry has also worked to simplify security and make it more user-\nfriendly.\n    However, we need to supplement these tactical successes with \nstrategic ones. 
We face increasing cyber security risks emerging from \nfactors such as the extension of the enterprise externally to partners \nand customers, the rapid pace of technology adoption, the integration \nof physical devices into a networked environment, and increasingly \nsophisticated threats. Industry's research efforts are typically \ndirected to product feature development and relatively short-term \nobjectives that have a high probability of success in the marketplace. \nGame changing, strategic research is a difficult investment because of \nfinancial risk and unclear return on investment. Because of this, \nfederal research programs can and should look to longer-term research \nrequirements that prepare us not for the past or present, but for the \nfuture, a research agenda that will focus on strategic, systemic and \nstructural cyber security issues not addressable by short-term, \ntactical solutions.\n    The federal research agenda is laid down in the Federal Plan for \nCyber Security and Information Assurance Research and Development \n(hereafter ``the CSIA plan''). I will now address the shortcomings of \nthis plan and of the process by which it was developed. I will also \npropose solutions to make this agenda more inclusive of the needs of \nindustry. In doing so, I will draw upon the positions of the BSA.\n    First, while it identifies many worthy cyber security R&D \npriorities, the CSIA plan does not propose national-level objectives. \nRather, it is an aggregation of the cyber security R&D objectives of \nthe federal agencies that fund or conduct cyber security R&D. 
While it \nis appropriate for these agencies, in support of their individual \nmissions, to have specific cyber security R&D objectives, their \naggregation does not produce a cohesive picture of the Nation's overall \nR&D needs.\n    CA and BSA recommend that the objectives of the CSIA plan be \nestablished on the basis of a truly comprehensive and holistic view of \nthe cyber security needs of the Nation. Once a set of comprehensive, \nnational objectives has been identified with the input of government, \nindustry and academia, then the plan can determine what entities--\ngovernment, industry and academia, whether by themselves or in \npartnerships--are, or should be, pursuing each of them. The Office of \nScience and Technology Policy is responsible for coordinating the \nFederal Government's efforts surrounding cyber security R&D, and should \nensure that federal R&D actually supports the Nation's strategic cyber \nsecurity goals. President Obama announced on May 29, 2009 the future \nappointment of a Cyber Security Coordinator in the White House. CA and \nBSA recommend that the Cyber Security Coordinator provide joint \noversight and direction to this effort, alongside OSTP. Once a national \nframework for R&D has been established, individual agencies should be \nassigned R&D projects within their areas of expertise.\n    Second, for the CSIA plan to reflect the cyber security R&D needs \nof the Nation, a wide community of stakeholders needs to play an \nintegral role in the creation of the plan and the identification of its \nobjectives. CA and BSA recommend that stakeholders, and in particular \nthe owners and operators of critical cyber infrastructure and \ndevelopers of critical cyber technology, be involved from the earliest \nstages of the process and throughout the creation of the plan, as well \nas when the plan's objectives and implementation activities are \nreviewed. 
The IT industry is a key stakeholder not only because it owns
and operates the critical infrastructure of cyberspace and develops its
underlying technology, but also because it invests tens of billions of
dollars each year in R&D.
    Another important avenue for identifying cyber security research
gaps is via industry-government partnership initiatives organized
jointly by the Department of Homeland Security and industry
organizations such as the Information Technology-Information Sharing
and Analysis Center (IT-ISAC) and the Information Technology Sector
Coordinating Council (IT-SCC).
    An extremely timely example of such an initiative is the IT Sector
Baseline Risk Assessment, a major report that will be released soon,
which results from a multi-year partnership between the IT-SCC, IT-
ISAC, industry subject matter experts and DHS. The IT Sector's Baseline
Risk Assessment is intended to provide a cyber and all-hazards risk
profile that IT Sector partners can use in particular to inform
resource allocation for security research and development in core IT
functions. Those key functions include producing and providing IT
products and services; incident management capabilities; domain name
resolution services; identity management and associated trust support
services; Internet-based content, information and communications
services; and Internet routing, access and connection services. With a
powerful methodology for assessing risks and identifying necessary
mitigation requirements, the Baseline Risk Assessment can serve as a
foundation and industry-supported model for developing a strategic
cyber security R&D agenda and plan of action.
    I believe the inclusiveness is very much in line with the recently
released conclusions of the White House Cyberspace Policy Review, which
states that ``the Federal Government should greatly expand coordination
of [NITRD and other R&D-related] strategies with industry and academic
efforts.''\2\
---------------------------------------------------------------------------
    \2\ Cyberspace Policy Review, pp. 32-33.
---------------------------------------------------------------------------
    Third, in addition to contributing to the identification of the
overall objectives of the national cyber security R&D plan, companies
can play a role downstream in the definition of specific R&D projects
that will contribute to reaching those national objectives. CA and BSA
believe that it would be appropriate to facilitate federal support for
specific research topics or projects that were not conceived originally
by a federal agency, but rather pro-actively suggested to an agency by
a company. In such a situation, the company is awarded funding as a
``sole source.'' We believe a mechanism should be found that would make
it easier for agencies to act upon such suggestions. Today, such a
process is insufficiently used, because of legitimate concerns
regarding the fairness of the award process. CA and BSA's goal is to
encourage more companies to suggest promising avenues for cyber
security innovation to the Federal Government. Naturally, projects pro-
actively suggested by private industry should be closely related to the
national R&D plan, as well as to the particular part of that plan that
was delegated to the agency to which the idea was suggested.
    We would like to make it clear that we do not in any way oppose the
mechanism by which companies receive federal funding because they
submitted proposals in response to a competitive federal solicitation.
In fact, CA and other companies actively review and respond to such
proposals, and we believe it should continue to represent a large part
of the federal R&D funding. We merely want to find a way to ensure
that, in addition to this reactive role, companies can play a more pro-
active role in the definition of R&D projects.
    Fourth, I would like to address the issue of short-term vs. long-
term R&D. We believe it is appropriate to include both. As a general
rule, however, CA and BSA recommend that the government focus on long-
term and basic cyber security research. We believe it is appropriate
for the government to be involved in applied R&D if: the technological
solution that is sought is not commercially available; and its absence
creates a measurable security gap.
    In most cases, when government agencies seek to develop specific
technologies, we are concerned that they do not check beforehand
whether commercially available solutions provide the same or an
equivalent capability. We recommend requiring federal agencies to
ascertain whether or not commercial solutions exist--or could be
readily adapted--before they invest in an R&D project to develop
equivalent capabilities. This would allow the government to better
leverage its limited resources. Importantly for industry, it would also
ensure that the federal effort focuses more on research that may bring
breakthroughs of considerable importance to the cyber security of our
nation's infrastructure in the long run, but lacks demonstrated short-
or medium-term commercial viability. Commercial companies rarely
undertake such research by themselves, but it is an ideal topic for
federal research. This recommendation aligns with the White House
Cyberspace Policy Review's emphasis on R&D in ``game-changing
technologies that will help meet infrastructure objectives.'' \3\
---------------------------------------------------------------------------
    \3\ Cyberspace Policy Review, p. 32.
---------------------------------------------------------------------------
    We note, however, that cyber security research is underfunded when
compared to other research programs. For example:

         ``. . . the President's fiscal year 2009 budget requests $29.3
        billion for life science research, $4.4 billion for earth and
        space sciences, $3.2 billion for the Advanced Energy
        Initiative, $2.0 billion for the Climate Change Science
        Program, and $1.5 billion for nanotechnology. The National
        Information Technology R&D (NITRD) programs will receive $3.5
        billion. Cyber security will receive about $300 million.'' \4\
---------------------------------------------------------------------------
    \4\ From ``Securing Cyberspace for the 44th Presidency: A Report of
the CSIS Commission on Cyber security for the 44th Presidency,''
December 2008, page 74. This report is available at http://
www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf

    In order to increase cyber security for the Nation, funding for
fundamental and applied research in cyber security is required.
Keeping
current funding levels will result--at best--in maintaining the current
level of progress and therefore the current inadequate level of cyber
security.
    Companies have an important role to play in fostering greater
engagement with academic institutions and government. For example, CA
today works with universities in a number of ways. Through the CA
Academic Initiative, colleges and universities can get free access to
select CA products, faculty education, professional courseware and
technical support. CA also has a strong partnership with universities
for research. For example, CA is working with the University of
California Davis and Pacific Northwest National Laboratory on insider
threat research and with Dartmouth University on determining the
benefits seen by organizations in the deployment of security software.
CA is also working with Carleton University in Canada on data leak
prevention research. This research is partially funded through the
Canadian government's NSERC Strategic Network Grant.
    Finally, for federal cyber security R&D to best address the needs
of industry, it is important that we facilitate the migration path of
technologies developed through federal R&D, so that they can more
quickly and widely contribute to improving our nation's cyber security.
This is another issue on which our recommendations are consistent with
the direction advocated by the White House in its Cyberspace Policy
Review.\5\ CA and BSA propose two avenues to ease technology transition
onto the marketplace. First, provide greater incentives for industry to
participate in federally funded cyber security R&D by looking at the
status of the intellectual property (IP) it generates. We recommend
that Congress explore ways to make such industry participation more
appealing through improved IP ownership or licensing, similar to what
Congress did for small businesses, non-profits and universities through
the Bayh-Dole Act in 1980. Second, the Federal Government should
improve its sharing of the innovations generated by cyber security R&D
conducted by federal agencies. Too often, those innovations are not
shared with industry, where they could benefit the Nation as a whole
through productization, even with licensing conditions that
appropriately reward the agency in question.
---------------------------------------------------------------------------
    \5\ Cyberspace Policy Review, p. 33: ``To enhance U.S.
competitiveness, the Federal Government should work with industry to
develop migration paths and incentives for the rapid adoption of
research and technology development.''

SPECIFIC CYBER SECURITY R&D TOPICS

    The second issue that you asked that I discuss in my testimony is
that of specific topics and gaps in federal cyber security R&D:

Does the current range of federally supported research adequately
address existing cyber security needs as well as new and emerging
threats? If not, then what are the current research gaps and
priorities?

    As I discussed above, we need a long-term, strategically-focused,
national research agenda developed in partnership between the Federal
Government and industry. As we look to the future, we see a number of
trends that will impact both the cyber infrastructure as well as
specific cyber functionalities. An understanding of these trends can be
useful in informing research planning and prioritization. What are some
of these important trends?

        •  Increased bandwidth and connectivity to a virtually
        unlimited number of devices. The number of devices connecting
        to the cyber infrastructure continues to grow: desktops,
        laptops, smart phones, GPS devices, cars, houses and many more
        to come. The available bandwidth continues to grow both in the
        cellular environment, the wireless environment and the wired
        environment. Managing cyber security risks in this new world
        will push our existing security technology beyond its limits
        given the sheer scale of networked devices and speed of
        communications.

                •  CA recommends federal support for advanced
                research in the area of threat detection, systems
                management and security management allowing security
                controls to scale to this emerging cyber generation.

        •  Huge amounts of storage and computing power will be
        present in the home, in the enterprise and in the network. More
        sensitive data in huge volumes will be stored and shared among
        businesses, government agencies and consumers. The technical
        disciplines of digital rights management, data leakage
        protection, and data classification are in their infancy from a
        technology perspective. Digital rights management is the
        process of embedding and managing access control within data.
        Data leakage protection refers to the identification and
        control of sensitive data. Data classification refers to the
        process of tagging data to indicate it is sensitive, owned by
        an individual or part of a larger system, and to associate it
        with controlling policies.

                •  CA recommends federal support for advanced
                research to move these technologies into the mainstream
                where data can be tagged appropriately and managed in
                accordance with policy-driven rules, under the control
                of the entity or individual responsible for its care.

        •  Greater expectations for managing identity risks. The
        exponential growth of interconnected applications and systems
        will require advances in identity management technology.
        Today's user name and password model is inadequate. Stronger
        forms of authentication are available, but their acceptance and
        adoption have been slow. Similarly, the lack of a monetization
        model for strongly validated identities has limited their
        commercial success.

                •  CA recommends federal support for advanced
                research to help with the development of new technology
                and new business models that are acceptable to
                consumers and industry.

        •  Emergence of new, interactive social networking
        applications. Social networking continues to go through many
        changes.

                •  CA recommends federal support for advanced
                research to develop models enabling people to
                collaborate safely and securely, both to share the data
                they wish to share and to maintain anonymity as needed.

        •  Universal business connectivity, collaboration and
        partnerships. Businesses no longer operate independently; it is
        necessary for them to collaborate and share data as well as
        establish enforceable security policies. For example, a small
        hospital with 5,000 employees typically has 50,000 people in
        its user directories and collaborates with other hospitals,
        universities and health care providers. Today's technology can
        support these business and clinical relationships, but more
        advanced technology is necessary to truly enable a secure and
        auditable infrastructure as the collaborative environment
        expands almost exponentially.

                •  CA recommends federal support for advanced
                research to enable a federated model where security and
                responsibility are technically manageable at the scales
                we expect to occur.

        •  User manageability and interaction. It is becoming
        more and more difficult for someone to live an unconnected
        life. Although technology has provided amazing capabilities,
        the device-human interfaces used to connect and interact with
        context and applications have not fundamentally changed.

                •  Although browsers have greatly improved and
                are now being embedded in personal devices, as we look
                to the future CA recommends federal support for
                advanced research into flexible and manageable
                technical interfaces, displays and supporting
                instrumentality that incorporate seamless
                understanding, manageability and security functionality
                for users in many different environments and contexts.

        •  Increasingly sophisticated cyber adversaries. As I
        said at the beginning of this testimony, our cyber adversaries
        are sophisticated; they move rapidly and adeptly to exploit
        weaknesses and vulnerabilities.

                •  CA recommends federal support for advanced
                research to create test tools and products that can
                identify vulnerabilities, logical inconsistencies and
                inappropriate ``back doors.'' A new generation of tools
                would give application builders the ability to identify
                and fix vulnerabilities as well as meet industry
                security certifications more quickly and reliably.

        •  The growing focus on insider threats. As industry
        reacts to threats, cyber adversaries look for alternative
        business models. The insider is one of the most effective.

                •  CA recommends federal support for advanced
                research into insider threat detection and advanced
                data leakage protection.

    Let me now briefly turn to the final two questions you have raised.

CYBER SECURITY IN HIGHER EDUCATION

What is the state of cyber security education? Are future cyber
security professionals being adequately trained by colleges and
universities to meet anticipated demands of the private sector? If not,
what kind of cyber security training is appropriate and necessary for
institutions to develop, and for what kinds of students?

    My comments focus on the education of the technical workforce that
will be responsible for the engineering of our applications, the
implementation of our systems and the processes necessary to run these
systems. Security is an important element to each one of these areas.
    Cyber security education should consist of courses in secure coding
practices, security architectures and security of complex systems.
Colleges and universities have made great progress and security courses
are mandatory in many programs. While still inconsistently deployed,
there is also a movement within universities to incorporate secure
coding practices into programming courses.
    The level of security knowledge for graduates has greatly
increased, but in many cases it lacks real world experience. The
security knowledge tends to focus more on secure coding practices and
less on implementation and system design. In order to fill the gap,
large software vendors have implemented programs to reinforce security
design and secure software development practices to their existing and
new employees.
    Separate from the issue of developing secure systems is that of
developing security systems and architectures. In this latter case
students require more specialized knowledge of security, such as
identity and access control, authentication, threat detection and
response, cryptographic systems such as public-key cryptography, etc.
Knowledge at this level tends to be obtained at the graduate level, and
can be broadly categorized as operationally focused (typically the
Master's level degrees) and research focused (doctoral degrees).
    The National Security Agency has a history of supporting security
education through their National Centers of Academic Excellence in
Information Assurance Education program, where they certify programs
that meet a minimum set of requirements. These programs produce
students who have a broad understanding of security and who can perform
operational roles ranging from being responsible for the information
security of an organization to understanding functional requirements
for security-related software.
    At the doctoral level, the focus is on longer-term research in
order to improve the cyber security field.
This requires not only
students who are interested in cyber security research, but also
faculty who are active in this field. Government support at this level
consists of providing support for students (e.g., through National
Science Foundation grants and scholarship-for-service programs) and of
supporting faculty research. Such programs should be strengthened.

PUBLIC AWARENESS AND EDUCATION

    Allow me to turn to the last topic that you had asked me to
address, that of cyber security awareness of the general public.
Specifically, your question was:

What role can the Federal Government play in educating the general
public about protecting themselves and their networks against cyber
threats?

    To address the need to increase public awareness of cyber security,
I will draw upon the position of the BSA. CA and BSA believe we need to
increase our national efforts to educate and raise awareness of the
public about their cyber risks, and how they can protect themselves
online, for two reasons. First, to decrease the likelihood that they
will become victims of identity theft, and other harms that may befall
them online. Second, to decrease the likelihood that consumers'
computers will be hijacked to serve as launching pads for larger
attacks against businesses, the infrastructure and our government--the
botnet phenomenon.\6\
---------------------------------------------------------------------------
    \6\ A bot is a computer that has been infected by a cyber
criminal--known as a bot-master--so that the bot-master can control it
remotely and use it, along with many other hijacked bot computers, to
carry out various types of large cyber attacks, from sending out spam
and phishing e-mails, to disseminating malicious code, to performing
distributed denial of service (DDOS) attacks against banks or
government IT systems. The largest networks of botnets (networks of
bots) can number in the hundreds of thousands, if not millions.
---------------------------------------------------------------------------
    CA and BSA agree with the White House's Cyberspace Policy Review's
recommendation that the Federal Government, in partnership with
educators and industry, should develop a national cyber security public
awareness and education strategy. Its objective should be to educate
about the threat as well as about changing public attitudes online,
towards greater cyber security as well as digital safety and ethics, to
promote a responsible and ethical use of the Internet.\7\ There are
many such efforts: the National Cyber Security Alliance is a
partnership between the Department of Homeland Security (DHS), the
Multi-State Information Sharing and Analysis Center (MS-ISAC),
corporate and non-profit partners to promote cyber security awareness
for home users, small and medium-size businesses, and in primary and
secondary education. Information about their year-round campaigns,
which culminate in National Cyber Security Awareness Month every
October--and I note that Congress has for several years now recognized
the October campaign in a resolution of support--can be found at
www.staysafeonline.org. I also want to mention the www.onguardonline.gov
effort led by the Federal Trade Commission, as well as the
www.playitcybersafe.com campaign of BSA, which offers tools and
educational material for children, parents and educators about how to
use the Internet safely and responsibly.
---------------------------------------------------------------------------
    \7\ Cyberspace Policy Review, pp. 13-14.
---------------------------------------------------------------------------
    One final comment: educational programs will be most effective when
targeted to specific age groups. For example, online activities may be
very different for five- to ten-year-olds, 10- to 13-year-olds, 13- to
17-year-olds and people over 18. Each age group has specific needs and
should have appropriate messaging and education. The non-technical
community in all age groups is moving to cyber platforms at an
unprecedented rate, and all need to understand the rules and the risks
in the context of their work, social and academic life, and
environment. This is another area where partnership initiatives are
vitally important.
    Mr. Chairman, Ranking Member Ehlers and Members of the
Subcommittee, I appreciated the opportunity to appear before you to
share some thoughts on cyber security R&D, cyber security education,
and public education and awareness of cyber security. CA shares the
Subcommittee's goal of helping to enhance cyber security, and we would
be happy, together with the Business Software Alliance, to work with
you towards this goal.
    I would be happy to answer any questions you may have for me.
    Thank you.

                     Biography for Timothy G. Brown
    Timothy G. Brown is the Vice President and Chief Architect for
Security Management for CA, Inc. He has overall technical direction and
oversight responsibilities for the CA security products. This includes
Identity Management, Server Security, Data Leakage Protection, Web
Access Management and Single Sign On.
    With over 20 years of information security expertise, Brown has
been involved in many areas of security including compliance, threat
research, vulnerability management, consumer and enterprise identity
and access management, network security, encryption and managed
security services. In his career, Brown has worked with many companies
and government agencies to implement sound and practical security
policies and solutions.
    Prior to joining CA, Brown spent 12 years at Symantec's CTO office,
where he was responsible for company-wide technical architecture,
integration, gap analysis and technical strategy. Prior to joining the
Symantec CTO office, Brown focused on Symantec's enterprise security
architecture and the collection, correlation and prioritization of
security data. Brown joined Symantec through the company's acquisition
of Axent Technologies. At Axent he was responsible for the Identity
Management, Single Sign On and multi-factor authentication products.
    Brown is an avid inventor with 14 filed patents in the security
field. He is active in promoting cross industry initiatives and has
participated on a number of standards boards.
    Brown earned a Bachelor of Science degree in computer science from
MCLA and has participated in the Wharton School of Business Executive
Education program.

                               Discussion

    Chairman Lipinski. Thank you, Mr. Brown. I thank all our
witnesses for their testimony. At this point we are going to
begin our first round of questions, which is the real fun point
of these, so I am going to save my questions for the end and I
am going to recognize Mr. Tonko for five minutes.
    Mr. Tonko. Thank you, Chairman. It was made mention that we
need to constantly update curriculum and make certain that we
are creating state-of-the-art education for our cyber security
professionals.
    Dr. Schneider, you and I claim New York as our base of
operations, and we have a wealth of community colleges. Is
there potential to draw in the infrastructure of our community
colleges and develop some earlier investment in cyber security
professionals?
And I would throw out, into the question I would
make the statement of the unusual glut that seems to be
emerging in terms of professionals from outside our borders
that are addressing this field, this arena, and we are not
growing and cultivating domestically the talent we require.
    Dr. Schneider. Yes. Thank you for the question, and I
completely agree with the premise that we need to employ a
broad-spectrum educational approach to the problem. We are not
going to solve this problem only with Ph.D.s or only with
Bachelor's graduates. There are jobs that are suitable for
somebody educated at the level of a community college, and
there is life, which means people educated at the level of K
through high school--and actually those of us who have
graduated long ago and need to exist for some years to come--
need to have a much more sophisticated view of what is going
on. So I believe there is going to be a broad spectrum of jobs
available, some of which we would do best to train people at
the community college level for, and I believe the community
college will become more and more sophisticated as we get a
better understanding of some of the cyber security challenges.
    Mr. Tonko. Are there others on the panel--and by the way,
let me thank the panelists. Your information is very helpful.
Is there anyone else that would like to respond to that? Dr.
D'Amico.
    Dr. D'Amico. I think you raise a very interesting point
about the role of community colleges, and I fully agree with
you that there are not enough U.S. citizens who are being
trained in this area. I think community colleges can
participate in the training of security professionals because
as we have learned, this is not all about academic education.
There is a lot of learning by doing, and I think that we should
incentivize the private sector to bring the community college
students into internships. I sit on the Board of Directors of
the Metro chapter of ISSA, which is the second-largest chapter
of security professionals in the world right in New York City.
We have people who want to bring in interns from places like
community colleges to work with them, so I think this is part
of structuring a mentorship program.
    Mr. Tonko. Thank you.
    Dr. Goodman.
    Dr. Goodman. Let me return to the Scholarship for Service
program for a moment and talk about one of the offshoots of
that effort. Having these students, by the way, has enabled
quite a number of departments--computer science departments or
MIS departments around the country--to build their own
capacity, and several of them use that greater capacity to seek
roles in trying to develop curriculum and educate students
regionally in other institutions, particularly community
colleges and law enforcement schools in their areas. I mention
in particular Mississippi State University and the University
of Tulsa. And there is a very strong feeling among most people
who are very seriously concerned about developing a workforce
and an educated user community that this effort must be
extended far more broadly than just the universities in this
country, and I would also again endorse the idea of programs
that specifically are geared to do that.
    Mr. Tonko. Thank you.
    Ms. Franz.
    Ms. Franz. Thank you. I would only like to add the notion
that as we discuss a broad spectrum of the kinds of education
and skills that can contribute to resolving the problem that we
don't then funnel all of our students into very rigid, specific
requirements for cyber security professionals. The
multidisciplinary nature, the multi-faceted types of education
that can contribute to resolving the problem is something we
need to retain. Imagine that those that might be working in the
cyber security field now did not get a college degree and yet
they are doing--they are big contributors. If they were shut
out of the ability to provide that, that would be a detriment.
    Mr. Tonko. Thank you.
    Thank you, Mr. Chair.
    Chairman Lipinski. Thank you, Mr. Tonko, for your
questions.
    The Chair now recognizes Dr. Ehlers for five minutes.
    Mr. Ehlers. Thank you, Mr. Chairman. It is a little hard to
know where to start. It has been very rich testimony and very,
very helpful. Several of you testified there needs to be better
interaction between the government and the private sector with
regard to cyber security, and by the way, these questions are
going to be for everyone because I picked up ideas from all of
you.
    And Ms. Franz, I believe, testified a more formal mechanism
needs to be put in place for private sector input and
collaboration, and so one of the questions I am asking is, what
has your involvement been with NITRD or any of the mission
agencies to initiate such interactions or discussion? Have you
been rebuffed or have you been accepted, and if you have been
accepted, how have the conversations gone?
    Dr. Goodman, you also note in your testimony that market
forces have failed to provide the Nation with a level of cyber
security adequate for its needs, and this seems to imply that
government regulation or other significant intervention is
required to achieve adequate cyber security, but it seems to me
the government hasn't done that good a job itself in governing
its own needs, and so the question is, can the government
really provide the leadership you need or it is just the money
you need, or how can we reach the point that you and I both
seem to want to get to?
    One other aspect as some of you mentioned, it is hard to
recruit people for security jobs, and it wasn't clear to me
whether it is because these jobs are not particularly
appealing. Perhaps computer experts would rather be programming
rather than playing cops-and-robbers. I don't know. Or maybe
you have to appeal to cops-and-robbers people and provide them
with appropriate cyber security training. But I am just
wondering if the cyber security jobs are just not appealing
enough to the people that you are trying to get. So it is a
potpourri of questions but I think you are all sort of focusing
in that same area.
    So, Dr. Goodman, if you would kick it off, and we will just
go down the line.
    Dr. Goodman. Thank you, Mr. Ehlers. I think a fundamental
problem out there that is largely behind the statement that I
made is that for a variety of reasons, cyber security has
frankly not been taken as seriously as it should be in putting
all of these systems out there that are simply so vulnerable.
Security has not been a major design consideration. It has not
been a major driver for the businesses who are out there in
cyberspace doing whatever they do in cyberspace. There has been
no pressure on them, and when things go wrong, they usually are
not the people who suffer the consequences. I am a believer
that, as is the case with lots of other security and safety
issues and other infrastructural domains, that some
requirement, if you would like, needs to be made on those who
are in the best position to mitigate risk to do so; and that
may in fact require regulation, may require certain kinds of
laws that for example heighten liability; it may benefit from
coming up with the kind of technology that is so easy to use
and so cheap to use and so easily integratable with what we
have out there now that you just cannot not use it.
Nevertheless, we have a situation where much of cyber defense
is pushed on the end users, you and me and all the other
citizens and organizations that are out there. This is partly
built into the architecture of the Internet and other things,
and we are increasingly incapable of defending ourselves
against increasingly capable attacks and attackers. So an
effort must be made to get those people who are in the best
position to mitigate risk to do so, and I think what should be
done and it has been done in other areas, industry and
government need to get together and they need to get together
under some perhaps formal form or other kind of institutional
mechanism with the mandate that they come up with greater
security in cyberspace. It is as simple as that. There are
again other--most recently this seems to have produced some
results in the electric power industry where there has been
great concern about how vulnerable increasingly IT-controlled
electric power generation and distribution may be to outside
attacks or to other forms of failure, and FERC, the Federal
Energy Regulatory Commission, got together with the industry
associations and basically came up with mandated standards for
the systems that they use to generate and distribute power, and
I fear something like that will have to be necessary,
particularly with regard to mobile telephony but elsewhere as
well.
    Mr. Ehlers. Thank you. Good comments.
    Ms. Franz.
    Ms. Franz. Thank you for your question on the partnership
efforts. Most of the interaction that we have had with NITRD
has been through our increasing dialogue with the Interagency
Working Group on Cyber Security and Information Assurance, so
we have had more and more discussions in the work of the
Information Technology Sector Coordinating Council, or ITSCC,
under the NIT framework that I mentioned, and that has been
increasingly positive as well. However, I would like to say
that we would like to see that discussion and dialogue start at
the very beginning of a process rather than at the end, you
know, where a document may be presented for review and input
but at that point it is almost too late to do so, so the
dialogue hasn't started in the beginning so you might see
overlaps at a time that is too late. You might miss gaps in
things that needed to be done and weren't. And you might see
areas where innovation might be stifled by the proposals that
the government may make. So I would say that in order to avoid
all of those landmines, we would want that partnership to start
earlier. But our dialogue has been increasingly positive and
rich and we are finding out a lot more about what industry is
doing, what government is doing and where we can coalesce those
efforts more productively.
    Mr. Ehlers. So progress is being made but you would like it
to be more formalized and proceed more rapidly?
    Ms. Franz. Agreed. I mean, I think that a more formal
process, a mechanism, as I mentioned, would enable that
interaction at the earliest stage and get the expertise of both
government and industry and other stakeholders in the room at
the table, perhaps with a blank document, as some have
mentioned, rather than a fully fledged product.
    Mr. Ehlers. Okay. Dr. D'Amico, what can you add?
    Dr. D'Amico. Thank you. You have raised some interesting
questions. I would like to address the one about how we
increase the number of cyber security experts in the United
States. The thing that is keeping this from happening is not
the money. We know that they are well paid. In industry, the
average salary for a security manager is $108,000, in the
Federal Government, it is $98,000, and in the state and local,
it is $79,000. So it is not the money. I think it has to do
with three things. One is the availability of jobs, the second
is the perceived status and the third is the lack of U.S.
citizens. There are not that many jobs available in industry,
and I think it is because they don't see the return on
investment. The only reason that people are really investing in
security is because of the compliance legislation, but from an
economic perspective, they don't see the ROI. In the military,
there is no real perceived status for being a techie in the
military. If you are in the cyber defense force, you are not on
the path to advancement and so you have to move out of that in
order to advance in the military. And then with respect to U.S.
\ncitizens, more and more of the advanced degrees in information \nsecurity and computer science are not granted at--not as many \nof them are granted to U.S. citizens as in prior years, and so \na lot of Bachelor's degrees are given to U.S. citizens. Only, I \nthink, eight percent of the degrees are to foreign nationals \nbut by the time you get to Ph.D.s, there 38, 39 percent are \ngiven to foreign nationals, so we need to change that around as \nwell.\n    Mr. Ehlers. Thank you. Dr. Schneider.\n    Dr. Schneider. If you want somebody to get to do something, \nthere is this basic dichotomy of the carrot versus the stick. \nThe only way industry that plays in cyberspace--not the cyber \nsecurity industry but companies that benefit by doing business \nover it--are going to build more-secure systems, is if they are \nsomehow incentivized to do that. Return on investment is the \ncarrot. Legislation is the stick. I am not an expert on \nsuggesting which way to go but I will point out that if there \nwas an incentive structure, then two problems would be solved. \nOne, there would be employment of experts and cyber security \nexperts might be technical and they might be policy oriented, \nand second, companies would be very anxious to facilitate tech \ntransitions from researchers into companies. You have only to \nlook back at the dot com era to notice that lots of good ideas \nwere being discovered in research and were very quickly being \nmonetized in the industry community. So there was an incentive \nstructure. It was a carrot in this case, and it moved. It is \nthe lack of incentive structure that in my opinion is what is \nholding things up.\n    Mr. Ehlers. Thank you. And finally, Mr. Brown.\n    Mr. Brown. It is one of the things when we look at research \ngaps and try to resolve some of those between industry and \ngovernment. You know, we look at these gaps, we identify these \ngaps. 
Industry today is focused, you know, primarily on \nsatisfying their customers' needs today. We prioritize those \nneeds. We staff for those needs. We make sure that we are \ncreating products that can meet those needs today. One of the \nmajor challenges industry has is, how can we prepare for things \nthat are going to happen five, six, seven years from now, how \ncan we set up that infrastructure that is really going to \nprepare us for that, and, you know, there is a challenge there \nthat says those investments are very high risk. You know, how \nmany of those investments are going to really be fruitful, and \nas we looked at the list of the research areas, when we see \nthose, we see that they are identified as areas but really \nplans are not put into place to say how we are going to address \nthose areas. Some of those areas are better left to research of \ngovernment. Some of those areas are better left to research for \npublic and private partnerships. Some of those research areas \nare better for university research. It is important that we lay \nout plans to address each one of those areas and stay to those \nplans.\n    Mr. Ehlers. Okay. Thank you very much, very useful.\n    Chairman Lipinski. Thank you, Dr. Ehlers, for your \nquestions, but now you know that you have used up your question \ntime for the next two hearings also, so----\n    Mr. Ehlers. That is fine.\n    Chairman Lipinski. No, that was very interesting and very \ngood questions and good answers, very interesting responses \nthere. I will now recognize myself for five minutes.\n    Some of the things that I was going to ask about, some of \nthe other Members have asked questions along those lines. I \nwant to follow a little bit more--I am not sure if there is \nmore we can learn or not but I just want to push a little bit \nmore on one of those questions Dr. Ehlers just asked. 
It seems \nlike one of the issues that we face with cyber security is that \neveryone thinks that it is not their problem, from individuals \nto companies, whether they have, you know, companies are \nproducing software or operating systems or companies that just \nhave data that is not protected. So I think that one of the \nissues--and I also think that there is not enough attention \npaid to this also. I am very happy that the Administration is \npaying attention to it because it is shining a light on this \nand what is going on and that is not just a political \nstatement. I am very happy to see that because I think that is \nreally needed in our country because a lot of people, they hear \ncyber security, they don't realize how much impact it is going \nto have on them. But just take an example. Yesterday Microsoft \nissued updates that patched 31 vulnerabilities in Windows and \nOffice programs including 18 bugs that they marked critical. \nYou know, just focusing on Microsoft there, yes, I do use an \nApple computer, a Macintosh operating system, always have, but \nnot just to pick on Microsoft. But where--how do we better \nincentivize? Like I said, you have all kinds of different \nindividual types of companies. How do we better incentivize \ntrying to get these, whether it is on software programs, how do \nwe keep data better protected? You touched a little bit on \nthis, but does anyone have anything to add on that right now? \nDr. Schneider.\n    Dr. Schneider. I think some sunlight would help. I think we \ndon't do a good job of informing the population about the risk \nor about the consequences. You have a good notion of what the \nchances of being burglarized if you walk in any part of this \ncity or probably the city you have come from. You don't have \nany notion of how often successful penetrations are occurring \nat banks or military installations or any of the attractive \ntargets. 
There are good reasons why these institutions don't \nmake this information public, yet if you look at the success of \nthe California breach legislation that is now spreading \nthroughout the Nation whereby when private information is \ndisclosed, the institution that leaked it is obligated to \ninform the potential victims. That has had a very interesting \neffect and raised the consciousness both of the owners of this \ndata and of people at large. So I see all this talk about \nraising public consciousness and public campaigns. I think if \nbusiness were more obligated to be candid about what was \nhappening, we would all understand and build a better model of \nthe risks, and once people are more concerned about it, I think \nthat is going to drive innovation and deployments.\n    Chairman Lipinski. Mr. Brown.\n    Mr. Brown. Yeah, in the past few years, you have to \nremember that the software industry is, you know, ever \nchanging. Our threats are ever changing. The adversaries we are \nup against are changing as well. So when we look at software \nvulnerabilities, you know, just four or five years no one had a \nplan in place to train their software professionals. Now I \ncan't think of any large software vendor that doesn't put their \ncoders through at least secure code training. So the level of \nawareness has raised to, you know, a very good extent. Now, we \nhave to deal with a lot of things from the past so software \nthat was written five years ago is still in place. Software \nslowly moves out of both industry and consumers, and, you know, \nthe industry has done better at announcing vulnerabilities and, \nyou know, they should be applauded for announcing \nvulnerabilities and working with--working in ways to patch \nthose vulnerabilities as quickly as possible. So overall, I \nthink the industry is getting better. Now, can we do more? \nAbsolutely. Should we have more trained people coming into our \norganizations? Yes. 
Should we have better, more trained \nprofessionals? Absolutely. But things are taking time but they \nare getting better. So we have to remember where we were three \nyears ago versus today.\n    Chairman Lipinski. Ms. Franz.\n    Ms. Franz. I would like to build on a couple of things that \nmy other distinguished panelists have mentioned. First, I think \nthere is still a great need for awareness or sunlight, as Dr. \nSchneider said, on what the issue is, and particularly there is \nonly a small community that knows what the threats are to them \nor what the activity is in cyberspace and so we have often \nasked for a mechanism that allows more information sharing \nbetween the government and industry on just what the problem is \nand what are the problems we are trying to solve. That \ncertainly needs to be done in as trusted environment as \npossible, so that goes back to the partnership mechanism, but \nthat information sharing and exchange is important.\n    I would like to touch upon the incentive piece from a \npositive side of the equation, more of a carrot and stick, I \nsuppose. Dr. Schneider mentioned the data breach notification \nlaws and certainly that is something TechAmerica has been \nactively engaged in, particularly looking at the requirement \nfor notification when there is a breach and providing for a \nsafe harbor for industry and companies or other organizations, \ngovernment or academic institutions if they have taken \nprotective steps to protect that data before it could even be \nbreached, to render that data unreadable, unusable, and so \nthere is a presumption of a lack of harm in that instance. And \nso on the one hand, it incentivizes companies and other \norganizations to take protective mitigative steps before hand \nand then makes the data unreadable, unusable if it is accessed. \nSo that is a positive incentive to look at sort of the carrot-\nand-stick approach. 
I also might suggest that we consider ways \nthat the tax structure could benefit efforts in R&D or other \ninvestments in cyber security efforts.\n    Chairman Lipinski. Thank you. I am over time, but I want to \nthrow one other part in here. Dr. D'Amico talked about how we \nneed a cultural shift here so that people understand that what \nthey are doing and the damage that can be caused, and I will \ngive the credit where it is due. John Veysey, who works for me, \nsitting behind me, said if I wanted to cause trouble, what I \nwould do would be to take some thumb drives and throw them out \nin the parking lot with a Trojan horse on there because almost \neveryone is going to pick it up, take it in the office and plug \nit into their machine just to even see who this might belong \nto, just things as simple as that. How do we change people's \nhabits and just automatic reactions that they have that can be \nvery dangerous and cause these vulnerabilities? How do we reach \nout to the general public to do that? Dr. D'Amico.\n    Dr. D'Amico. We need a marketing campaign, and Americans \nare very good at marketing and there is a lot of research on \nhow to market effectively to Americans. People want to be good \nU.S. citizens and we really need some kind of marketing \ncampaign for individuals and for companies that you too can \nmake a difference, engaging good computer hygiene so that \nbefore--they wouldn't touch a dirty object on the ground \nbecause of health considerations. They shouldn't touch a \npotentially dirty thumb drive on the ground because of computer \nhygiene considerations, and I think it is well within our \ncapability to engage in a public awareness campaign using \neverything we know about good marketing. I think the second \nthing, and this is much harder, is that we really need to \nunderstand what the impact is of any single failure. 
So if \nsomebody picks up that thumb drive and sticks it into the \ncomputer and they get some kind of infection, what are the \ncascading effects of that? We really don't know, and this \nreally is a ripe area for research. We don't know enough about \nthe interdependencies within an enterprise and across \nenterprise to be able to say you pick up that thumb drive, you \nput it into your computer, well, guess what? Somebody in a bank \naccount two states away from you is going to have some money \ntaken out of their account. We just don't know that and we need \nto study that.\n    Chairman Lipinski. Dr. Goodman.\n    Dr. Goodman. The problem of educating the public or making \nthe public really fear what might happen to them out there is \nvery, very difficult in this domain. We have a situation--I \nmean, in other domains usually there is some immediate physical \nthreat that gets public interest and arouses them to protect \nthemselves and to get help from others to protect them. This \nkind of threat for most users, not only in this country but \nespecially around the world, it is so remote, it is so \nabstract, they are connected to these systems. They see all the \ngood stuff that is going on out there. That is why they are \nspending so many hours at terminals, on their cell phones and \nwhat have you, and any kind of threat is out in oblivion \nsomeplace, okay, and physically it may well be out on the other \nside of the world. They don't see the immediacy. They don't \nsee--and it is very difficult to educate them to this, given so \nmany other things they have to think about. 
And we have again a \nsituation where even when the public has seen immediacy, for \nexample, in the world of automobile safety, those industries \nthat are in the best position to do something about it have had \nto have a great deal of government push to do something to \nprotect the public, and I don't think the public--each \nindividual out there can do things to help them as they do with \ntheir homes, with locks on their doors and what have you. That \nis not going to be enough, and the public doesn't fully \nappreciate it and I am not sure what kind of educational \nprogram will bring it home what kinds of risk they have out \nthere.\n    Chairman Lipinski. Thank you. I have gone way over time \nhere so I am going to conclude at that and recognize Mr. \nNeugebauer.\n    Mr. Neugebauer. Thank you, Mr. Chairman, and thank you for \ncalling this hearing. I think the first question, in most of \nyour testimony you indicate that a lot of the infrastructure \nfor cyberspace is in the private sector, and a lot of ideas \nhave kicked around of how to enhance the cyber security, and \none of those is to establish a rigorous regulatory regime to \nimpose on these private companies and I think the second one is \nto somehow give those companies some kind of liability \nprotection for maybe mandates that the government would impose \non those companies to do certain activities. So those are two \nideas. One of them sounds like more big government. You know, \nwhat are your thoughts on the current things that are being \ntalked about. And third is, are there better ideas that we need \nto be thinking about? I will throw that open to whoever wants \nto jump in.\n    Ms. Franz. I will take the first cut at that. I think that \ncertainly right now we see a lot of proposals for the kinds of \nthings that either regulatory or--the regulatory nature or with \nregard to practice requirements. 
The problem is, while the bulk \nof the information technology or cyber security or critical \ninfrastructure is owned and operated by the private sector, the \nissue is, it moves so quickly. We see transitions and \nevolutions in the technology at a very rapid pace and \nlegislation is not always the best way to address that, at \nleast not in very specific ways. It usually is a blunt hammer \nfor a very specific problem. So if there is a way to identify \nthe problem, and again, I would suggest doing that in a \ncollaborative sense, and then finding the best way to approach \nit, either through a standard or a best practice in many of the \ncollaborative bodies that we have, either standards bodies \nnationally and internationally. Again, it is also a global \nissue. We don't want to put into place a regime that is \nrestrictive, would be irrelevant in a very short period of time \nand then is either conflicting or provides--causes extra burden \non companies or other organizations that have national and \nmultinational operations. So it requires a really good robust \ndialogue on the best way for legislation to address the issue \nas well as other mechanisms.\n    Mr. Brown. Ms. Franz also brought up the point of \nstandards, and standards are extremely important when we look \nat adhering to--as software is developed, adhering to standards \nwill help us have more consistent and more secure \ninfrastructure across the board. So that is also an extremely \nimportant component of this. You know, the infrastructure \nplayers in the private sector are--you know, they are driven to \ndo the best that they can. You know, you see who is out there \nand who hasn't survived, and, you know, the bottom line is, if \nthey don't do their job, they don't do things securely, they \ndon't do things in high-bandwidth methods, then, you know, they \nwon't survive as a company. So there are a lot of incentives \nfor the private sector to do the right thing here.\n    Mr. 
Neugebauer. I agree with you, and I think that is one \nof the things that kind of concerns me about, you know, the \ngovernment stepping in. Sometimes when the government does \nthat, it leaves a false impression that oh, the government is \nwatching out for me now and so I don't have to be careful, I \ncan pick up that thumb drive, you know, and so I think we ought \nto--because most companies are very competitive business.\n    Mr. Brown. Absolutely.\n    Mr. Neugebauer. And, you know, they encourage you to buy \nfirewalls and virus software because they know that if you have \na disruption in your service, something that came over their \nnetwork, whether they could have, you know, prevented it or \nnot, there is problems to do that.\n    I want to move to another area, and that is with the huge \namount of growth in the use of PDAs and cell phones and \ntexting, you know, that has become a huge piece of our world. \nDr. Goodman, you kind of mentioned that in your testimony. What \nis going on as far as threats to my PDA and to my cell phone \nand what--I don't know. There may be virus software and \nfirewalls for PDAs but, you know, I am not aware of it. So can \nyou kind of update us on that?\n    Dr. Goodman. There is nothing in this world, I mean world, \nexpanding faster than cellular telephony and mobile devices \nmore generally, and to perhaps restate some of what I said \nearlier, I think before you came, the devices are becoming \nincreasingly powerful computers. Many are not yet around the \nworld but the trend is very much there, and as such, they have \nall of the vulnerabilities, particularly as they become the \nprincipal devices for most of the world to connect to the \nInternet, that you have such things as laptops and desktop \ncomputers. So everything that is seen as a vulnerability that \ncan be exploited with desktops and laptops will be coming with \nthose cellular devices. I can guarantee that. 
Plus, and I \nrattled off a number of other features that are associated with \nmobile devices, that are uniquely vulnerable to them such that \nthey use airwaves. They have very limited battery power and \nthere is a disinclination on the part of everybody, the \nproviders, the cell phone manufacturers and what have you to \nuse up some of that battery power for security kinds of \nfunctions. I could go on and on. The list is really very \nsubstantial. I believe, and I used the word ``tsunami'' in my \noral statement, that there is a tsunami of insecurity far \ngreater than what we are seeing now coming with those devices, \nokay, and it will be worldwide, and to make another point with \nregard to worldwide on a comment that you raised, Mr. \nRepresentative, there are limitations. You used the term \n``rigorous regulatory regime'' and I advocated more regulation \nor at least thinking about regulation. There are limitations to \nthat and everything else that everybody has raised here with \nregard to educating the American public and what have you and \nthat is, we are dealing with infrastructure to an extent like \nno other on this planet that is connected to the rest of the \nworld and you can regulate U.S. businesses, you can regulate \nU.S. users. Universities have been dropping. Our universities \nare not the best protected places on earth, I hate to say, but \nwhat sort of leverage does that regulation or law enforcement \nhave on the other 200 countries or semi-sovereign entities \nwhere the Internet and cellular telephony all come to ground \nand some real thought has to be given to that and I am afraid \nclose to no thought has been given to that except from a law \nenforcement standpoint around the world. And I will also say \nthat as a crime and punishment approach, you know, people who \nare doing things out there are almost safe from being caught \nand prosecuted. 
Real attention needs to be given to prevention \nand recovery, and the world as a whole, much even worse than \nthe United States, is giving very little thought to that.\n    Mr. Neugebauer. Just a quick follow-up, Mr. Chairman?\n    Chairman Lipinski. Thank you. We are going to have to--if \nwe have time, we can come back. We have a couple more members \nthat have questions to get in here. The Chair will now \nrecognize Mr. Carnahan for five minutes.\n    Mr. Carnahan. Thank you, Mr. Chairman, and welcome to the \npanel. I had a few questions I wanted to jump through, so I \nwill try to move this along.\n    First, I wanted to ask, what is in the panel's opinion the \nmost effective route for small innovative companies that have \nnew cutting-edge technologies to get visibility and \nconsideration within the Federal Government cyber security \narea? Yes?\n    Dr. D'Amico. Well, I am from a small business in New York \nand we do cyber security research, so I could say from \nexperience that the Small Business Innovation Research Program \nis one of the best vehicles for small businesses to become \ninvolved in cyber security. It is an excellent program and it \nrequires that the small businesses not just work in cyber \nsecurity and R&D but also transition the technology. So I think \nthat that is very important. One of the things that hurts small \nbusinesses and innovations is the common criteria certification \nthat is required on security products. In order to get a new \nsecurity product used in the Federal Government, one has to go \nthrough a very expensive common criteria certification. Entry-\nlevel price is about a quarter of a million dollars and very \nfew small businesses can afford that, so as a result you have \nsome of the most innovative ideas that really never get into \nthe Federal Government because of this certification \nrequirement.\n    Mr. Carnahan. Thank you. Anybody else on that? Ms. Franz.\n    Ms. Franz. 
I would like to touch upon two aspects. One is I \nthink building upon the awareness aspect. There are several \nmechanisms for making small business and other users more aware \nof the steps they can take to protect themselves, so looking at \nit from that perspective, what does a small business need to do \nvis-a-vis what a large company or individuals need to do, and \none great resource for that is the National Cyber Security \nAlliance, which is involved in a lot of awareness efforts and a \npartnership with the Department of Homeland Security. Those \nkinds of efforts certainly could be bolstered to have more of a \nmarketing campaign-like effect that Dr. D'Amico alluded to \nearlier and I think would be positive.\n    With regard to how they can take advantage of cyber \nsecurity efforts in the government, I just think it is a great \nawareness need, outreach need, a look at how procurement \nefforts can be undertaken to take those into consideration and \nmake it easier for them to participate.\n    Mr. Carnahan. Thank you. In the defense reauthorization \nbill, section 254, entitled ``Trusted Defense Systems,'' it \ncalls for an assessment of various methods of verifying the \ntrust of semiconductors procured by the Department of Defense \nfrom commercial sources for use on mission-critical components \npotentially vulnerable defense systems. How can the Federal \nGovernment better prepare and provide for these critical needs \nin a more comprehensive manner and a more timely schedule to \nmeet those critical semiconductor requirements today? Yes?\n    Dr. Schneider. So I think you are alluding to what is known \nas the supply chain problem wherein we are now purchasing \nsemiconductors, boards and software from abroad, either through \nU.S. companies or not, and using them in defense systems, and \nwe are using them also in private sector systems which are used \nin defense and which are controlling critical infrastructures \nthat are not used in defense. 
This is a big problem, and it \ndoes not have a short-term solution. It is a very difficult \nproblem involving probably five to ten years' worth of research \nbefore we will have some basic engineering approaches to solve \nit, and we should appreciate the severity of the threat and \nhope that the sophistication of our attackers is not at the \nlevel it could be.\n    Mr. Carnahan. Anyone else on that? Ms. Franz.\n    Ms. Franz. I would just like to highlight the notion that \nsuppliers, whether they be U.S. companies or otherwise, are \nvery aware of the vulnerabilities they have if something goes \nwrong. So they have taken steps in a number of ways to address \ntheir supply chain cycles and efforts in order to shore that up \nalong the way. Of course, there are always situations in which \nthat doesn't happen. Those measures aren't undertaken and not \nonly the company but others could possibly see the \nramifications of that, but before we do anything that disrupts \nthe economic model that many companies and governments are \nbenefiting from, we need to have a discussion about how best to \nconstruct that in a positive way. So again, that partnership is \nreally important to figure out exactly what is happening, what \nis industry doing, perhaps what it is and what the parts that \nneed to be addressed before we disrupt the system, and thereby \nrestrict the kinds of innovations that government can get in a \ntimely manner. Certainly the spectrum of sensitivity or \nclassification or criticality of a mission needs to be taken \ninto consideration as well, where do they need the most \ncritical, the most secure solutions and where might they be \nable to leverage a global marketplace better. So that \ndiscussion and consultation is necessary for that.\n    Mr. Carnahan. Let me just wrap up with the last question. 
\nThere was a recent article in the New York Times entitled \n``Contractors Vie for Plum Work Hacking for the U.S.'' that \nfocused in part on the growing demand for cyber warriors. How \ncan the government and our educational system ensure that we \nmeet the demands for these, not only meet the demand but also \nwin the cyber security race and stay ahead of the curve here?\n    Dr. D'Amico. I recall that article, and there are a few \nthings about it. One is that they mentioned that there are very \nfew people who have the security clearances that are needed to \nengage in some of that work. We need to have more U.S. citizens \nwho get advanced degrees in computer science, engineering and \nthe interdisciplinary areas that are related to computer \nsecurity. The second thing is that a lot of those people came \nout of the military. One of the reasons they came out of the \nmilitary is because of something that I alluded to before, that \nif you are a techie in the military, you don't get an \nadvancement. We really need to have in the military a way of \nrewarding those people who are cyber defenders, cyber warriors, \nand then you will grow them in the military, and then when they \nretire they will be there to help in those areas that were \nmentioned in the New York Times article.\n    Mr. Carnahan. Mr. Brown.\n    Mr. Brown. Yeah, I think one of the other things--so \neducation is definitely important. Educating people--you know, \na lot of our workforce is coming out of universities with \neducation on secure coding capabilities but not really secure \nsystems. Understanding how to design systems in a secure \nfashion is actually a lot more difficult than understanding how \nto code securely. A lot of the threats that we see are really \nmore systems threats. You know, you are using fine software \nthroughout your system but, you know, it has got a weak \npassword rule or those types of things are in place. 
So making \nsure that we have people that understand those and are coming \nup through the ranks of our universities that understand how to \ndesign secure systems. Now, we do have--you know, we have been \nproducing more of those professionals in the last few years but \nit is still just a growing field so we need to do more. It is \nalso important that we institute strong internship programs, \nstrong programs that link them with industry, link them with \ngovernment because the university environment only gives so \nmuch focus to the real world essentially. So a lot of our work \nwith universities today, we fund university research, but when \nwe see the researchers come in, a lot of those researchers, we \nare teaching them about the real world and trying to give them \nenough knowledge to have impact in other places.\n    Mr. Carnahan. Thank you all very much.\n    Chairman Lipinski. Thank you, Mr. Carnahan. Mr. Neugebauer \nhad a follow-up question so the Chair recognizes Mr. \nNeugebauer.\n    Mr. Neugebauer. Well, thank you. I was just going to go \nback to our conversation that Dr. Goodman was talking about in \nthe cell phone area, and we talked about the devices \nnecessarily may not be equipped to process some of the threats, \nbut I guess the question is, what is the industry doing I guess \nout there to make sure that, you know, their systems have \nintegrity because obviously a lot of people, it is big business \nso other panel members, if you have some knowledge on that, I \nthink it would be helpful for us as well.\n    Dr. Goodman. I will let Fred also respond, but from where I \nsit, I don't see--and it is big business. I mean, it is big \nbusiness worldwide, not just the providers of the service but \nthe makers of the devices and so on and so forth. So far I \ndon't see much. I would also like to say something hopefully \nencouraging in that we are at the beginning of what I perceive \nto be a very rapidly rising curve in this domain. 
We have a \ncertain amount of history with mistakes and not getting ahead \nof the game with regard to the Internet and all sorts of other \nsecurity areas. Right now most of the users of cell phones, \nmost of that 3.5, probably four billion people in the world now \nare using fairly weak devices that limit the kind of risk they \nare taking. That is going to be changing rapidly. Can we all of \nus, industry, government, governments around the world actually \nfor once get ahead of the curve on this and do something to \nmitigate these risks before it becomes the kind of tsunami that \nI am afraid is going to become?\n    Mr. Neugebauer. Mr. Brown? I thought you----\n    Mr. Brown. Yes. Thank you. So when we look at--you know, I \nagree. In some cases we are in infancy in the cell phone/PDA \nworld. We have opportunity to do a lot better in this world \nthan we have in the laptop/desktop world. The threats are going \nto be different here though as we open up new interfaces and \nnew capabilities to these phones. You know, Apple first put out \ntheir iPhone and they said a browser will be your only \ninterface. That was easy to secure. But guess what? Consumers \ndemanded that I have an application for everything, as the \nApple commercial says, and each one of those applications now \nhas increasing functionality. Each one of those applications \nhas potential vulnerabilities. You know, we have--they have \ndone a better job at securing things but there are more \nvulnerabilities, more opportunities to either socially engineer \nthreats, which is actually probably more of a threat than \nsoftware engineering of a threat. So we are at the point where \nwe can do more and not have the same problems that we had sort \nof in the desktop/laptop world.\n    Mr. Neugebauer. Dr. Schneider.\n    Dr. Schneider. 
Let me point out a few technical differences \nbetween the cell phone world and the desktop world and the way \nthey are evolving that might give you some reason to sleep at \nnight. First, there is no dominant producer of the operating \nsystem for cell phones. There are a fair number of producers. \nThat means there is not a monoculture so it is difficult for a \nsingle attack to attack all the processors. Second, early in \nthe evolution of cell phones, the phone companies established a \nmodel that they owned the software and that they would \nperiodically change your software without telling you when they \ndecided to make a change in feature or fix a bug. So the model \nthat we have for desktop software where Microsoft announces a \nbunch of patches for some vulnerabilities, notice they didn't \nannounce that they were successfully attacked. They were \npreempting that. But the model where it is the user's \nresponsibility to configure the system and it is the user's \nresponsibility to keep it up to date has been abandoned and at \nleast for the basic operating system of the cell phone, this is \nunder the control of the manufacturer. There is a possibility \nnow that everyone is going to be able to download their own \napplications and they will be responsible for that piece of the \npicture. That will be a problem. But if the cell phone \nmanufacturers retain the view that they manage your security, \nthen we might be better off.\n    Mr. Neugebauer. Thank you, Mr. Chairman.\n    Chairman Lipinski. Thank you. We keep pushing back. I am \nlooking at the TV screen here to see about when we are going to \nvote. I don't want to get into--we don't have much time so I \njust want to very briefly get into--throw out one more \nquestion. I was looking through my notes that I had made so I \nwill recognize myself for five minutes but hopefully we can \nkeep it to shorter than that. Dr. D'Amico talked about need to \nincentivize technology transfer and Dr. 
Schneider also talked \nabout needing to bridge the gap between the research and \npolicy. How do we do this? And this is always an issue that is \nfacing so many different areas in technology transfer. It is \nsomething I am very interested in because I think it is very \ncritical, getting that research, especially from our \nuniversities and getting them together with industry. How do we \ndo that in this instance? So Dr. D'Amico?\n    Dr. D'Amico. We really need to make the government program \nmanagers who are monitoring this federally funded research \naccountable for the technology transition and make the \nresearchers incentivized to do it. First of all, the programs \nthat are funded should include a technology transition phase \nand not stop at well, you have built a prototype, you have \ndemonstrated in a laboratory and now we are done and we write \nthe paper. It really has to go through usability testing and \noperational environment, and the money has to be there to do \nit. The second thing, and this is something I raised in my oral \ntestimony, is that I think that the researchers need to go out \nto the security professionals who are ultimately going to be \nusing the results of their work. So much of research is \nreally--so many researchers brief themselves or their \ncommunity. They publish papers within their community and they \nnever really go out and talk to the security practitioners, and \nwe need to have the results of the research brought out to \nthose security practitioners, write an article for information \nsecurity, see if you can turn your research into something that \nmakes sense to the practitioners, and it may change the way you \ndo your research. So those are two of the ideas that I have.\n    Chairman Lipinski. Thank you.\n    Dr. Schneider.\n    Dr. Schneider. Let me comment on two things. First, so I am \none of those researchers and I do get government grants. I run \na fairly big operation. 
Today if you want to get a grant, you \nare much better off being able to assert in the grant \napplication what your successful technology transitions were \nthan to list publications. At least in many of the funding \nagencies, there is a culture that people who succeed in having \na real impact are the ones they want to fund and publications \ndon't matter so much. The other question has to do with \nteaching policy and technology. I think academia may be a bit \nahead of the curve here but when I read places asserting we \nneed to teach all our students the list of common security \nholes and secure coding practices and the next step is to teach \nthem how to do secure designs, I think we need to teach them \nethics, I think we need to teach them law, because if they \ndon't understand these things, they are not going to know when \nthey can trade off between a technological solution and a \npolicy solution. If they don't have a good sense of ethics and \nsociology, then they won't understand how when they change the \nInternet so it is more secure, the fact that it became less \nusable makes it a less attractive place for all of its users \nand it gets ruined in another way, and so I think it is the \nresponsibility of universities and any educator to have a much \nbroader view than this kind of technology, and we shouldn't get \nrailroaded into believing that we should produce technologists \nto solve this problem because they will come up with solutions \nbut they are not going to be good solutions in the big picture.\n    Chairman Lipinski. Thank you.\n    Mr. Brown.\n    Mr. Brown. Just one quick comment. When you talk about \nmoving from research into products and applications, we have to \nunderstand that some of that takes a long time. 
You know, even \nif I come up with the greatest idea today within my company, \nwithin my position, I am a year and a half out before that idea \ngets into a product because we are mid-cycle in products, we \nare going to take that time. So patience and diligence, \ndiligence and follow-through is critical to get anything done. \nSo we have great ideas, we have great research. They take time \nto get implemented in products and they take time for people to \nimplement them in the commercial sector or in the government \nsector. So we need to have processes in place that are going to \nattract those that research that we are doing through its life \ncycle and not give up on it after a year or two years.\n    Chairman Lipinski. Thank you.\n    You have to be very brief, Dr. Goodman.\n    Dr. Goodman. Very brief, I guess. There is another side to \nthis. The implication in a lot of what has just been said is \nthat somehow the innovators, the people who do the research \nneed to push what they have done into the real world, and \nperhaps by offering things get policy changed or what have you. \nThere is the other side of things, and that is that people who \nare going to be the primary consumers of better security, \nwhether they are trying to manifest this through policy or \nthrough what they think will really help their products, their \ncommercial activities be more secure, they have got to send \nserious signals that there is a demand for certain kinds of \nresearch to solve certain kinds of problems, and that demand I \nthink will filter into the research community and with funding \nthey will get results. It is a two-way street to get things \nfrom ideas into useful practice.\n    Chairman Lipinski. Thank you, and I want to thank all of \nour witnesses for your testimony today. I certainly have \nlearned a tremendous amount, and as we move forward right now, \nwe have, as I said, two more hearings on cyber security. 
As we \nmove forward with legislation in this area, we are certainly \ngoing to take a lot of what you have said and any more follow-\nup that you may have for us, we would appreciate. The record \nwill remain open for two weeks for additional statements from \nMembers and for answers to any follow-up questions the \ncommittee may ask of the witnesses.\n    So again, I thank the witnesses for their testimony. I \nthank the Members for their participation, and the witnesses \nare excused and the hearing is now adjourned.\n    [Whereupon, at 11:42 a.m., the Subcommittee was adjourned.]\n                               Appendix:\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\n\n                   Answers to Post-Hearing Questions\nResponses by Seymour E. Goodman, Professor of International Affairs and \n        Computing; Co-Director, Georgia Tech Information Security \n        Center, Georgia Institute of Technology\n\nQuestions submitted by Chairman Daniel Lipinski\n\nQ1.  The Administration's Cyberspace Policy Review calls for the \ndevelopment of an R&D framework that focuses on game-changing \ntechnologies, but at the same time new threats that need immediate \nattention are constantly emerging. What is the appropriate balance \nbetween long-term, game changing research and research targeted toward \nincremental improvement?\n\nA1. It is easy to wish for R&D leading to ``game changing \ntechnologies.'' But it is much harder to identify promising ways to go, \nand to see them through to widespread and effective adoption, a \nnecessary condition if any game is really going to change. Identifying \ngood candidate possibilities must be done by exercising bold expert \nassessments of the possibilities, with an appreciation of what \nsuccessful pursuit of those R&D possibilities might mean for effective \nand comprehensive cyber security. 
There will not be many such \nproposals, but funding should be available to pursue the most promising \nto stages where they may prove their viability as serious game changing \ncandidates.\n    To that end, what might ``game changing'' technologies actually do? \nThe National Research Council committee and report that I recently \nchaired (Toward a Safer and More Secure Cyberspace, National Academies \nPress, 2007) proposed a Cybersecurity Bill of Rights that consisted of \n``10 basic provisions that the committee believes users should have as \nreasonable expectations for their online safety and security.'' I \nsuggest that new technologies, and policies for their implementation, \nleading to demonstrable progress towards making a significant part of \nthis vision a reality would constitute game changers.\n    There is also a pressing need for effective and timely work on \nextremely important emerging problems. A prime example that I raised in \nmy oral testimony is comprehensive security for mobile devices, \nespecially cellular phones, with an eye toward getting ahead of the \nproblem and ``getting security right,'' or at least much better than is \nnow the case, as they become more powerful computing devices that will \nbe truly ubiquitous, including the likelihood that they will become the \nprimary vehicle everywhere in the world for access to the Internet. \nAnother may be ``cloud computing.'' Both have the promise for creating \nmassive new waves of cyber insecurity unless we can get ahead of the \ntechnology and diffusion curves. Some people might consider successful \nwork on these problems as ``game changing'' since they are so \nimportant, rapidly emerging, and would affect very large user \ncommunities. 
Certainly this would amount to much more than \n``incremental improvement.''\n    I believe an appropriate balance should be weighted towards \nproblems like these, with no more than about 20 percent devoted to \nfinding grander and more comprehensive ``game changing'' solutions, and \nno more than about 20 percent devoted to incremental improvement. I \nbelieve most of the latter should be done by industry, including \nfunding third party research and development people. If promising \ndirections towards ``game changers'' are clearly demonstrated, the \nfunding agencies should have the flexibility to redirect resources \ntoward their aggressive pursuit.\n    As stated in my oral testimony, I believe a fundamental issue for \nboth the near and long terms is effectively assigning responsibility \nfor exploiting the results of R&D and implementing security in the real \nworld of cyberspace. Right now this doesn't exist to anywhere near the \nextent it should. People and organizations who are most at risk of \nbeing victims are among the least capable of defending themselves and \ndoing what needs to be done to protect what might be called the ``cyber \ncommons.'' Analogies can be made with the histories of safety and \nsecurity in other infrastructures, e.g., with seat belts, shatter proof \nwindshields, air bags, traffic laws and police and courts (but we must \nbe careful of trying to make such analogies too close). One might argue \nthat responsibility needs to be with those who are in the best position \nto make cyberspace significantly more secure. I would argue that \nresolving this problem is both researchable--although not in the narrow \ncomputer science sense, and will require thinking about incentives, \nregulation and law, economics, the makeup of the IT industry, and \ntechnical feasibility--and a necessary precursor for any effective \n``game changer.''\n\nQ2.  
Beyond the Scholarship for Service program, discussed in your \ntestimony, do you have any specific recommendations for existing \nfederal agency programs that should be expanded or new programs that \nmight be created to address cyber security education needs? Is there a \nspecific level of education that is in need of increased attention?\n\nA2. Two opposite ends of the education spectrum need much increased \nattention: the general user community and graduate level education. The \nfirst addresses people who are most vulnerable, and most defenseless \nagainst increasingly sophisticated threats. They need to understand \nmore about the risks they are subject to in cyberspace and what they \ncan do to decrease their vulnerabilities. My response to Rep. Hall's \nfourth question below addresses two important age brackets of the \ngeneral user community. My comments here are mostly concerned with the \nsecond, the post-graduate degree granting institutions.\n    People with graduate education are needed to professionally protect \norganizations, the ``cyber commons,'' and parts of the relatively \ndefenseless general user community. People with graduate education will \nbe necessary to do most of the research, development, and the \ndeployment of better technology and policies, and become the teachers \nof others. Presently, there are far too few to meet these needs.\n    Currently I would estimate that there are fewer than 50 \nuniversities each capable of graduating even a small, steady stream of \ngraduate level professionals in information security. For example, \nGeorgia Tech has one of the largest and most substantial programs, \nsustained by an unusual number of faculty members seriously concerned \nwith cyber security, but we graduate only about 30-40 new MS and Ph.D. \npeople a year in this area. 
And, again, we are one of the largest.\n    It is not easy to create more, as partially evidenced by the fact \nthat the capacity building track of the SFS program has not worked out \nparticularly well. And it is not easy to build up those schools that \nexist, e.g., because of internal competition from other areas for \nfaculty hiring and coverage, and enrollment problems in computer \nscience departments where most of this capacity resides. There is much \nless in information systems departments that are typically part of \nbusiness or public policy schools, and efforts must be made to get \ncyber security into their programs. A necessary condition for doing \nbetter is to build up the number of Ph.D. level faculty members, and \nthis takes time. One possible way of trying to deal with this might be \nto expand the SFS program to include more Ph.D. students, and to permit \nthem to satisfy their immediate service obligations through teaching \nand program development in a range of K-12 and post-secondary \neducational institutions, including universities and community \ncolleges.\n\nQuestions submitted by Representative Ralph M. Hall\n\nQ1.  Some experts have suggested that we should consider taking \ncritical infrastructure networks such as those that control electricity \ntransmission and distribution ``off the grid''--into a network \nphysically not connected to the public Internet, just as we do with our \nclassified military networks. Please comment on whether you think such \nan approach warrants further consideration, and if so what potential \nbenefits as well as challenges would accompany it.\n\nA1. If much of the risk to these networks arises through connectivity \nto the public Internet, then that risk must be mitigated. Until this is \neffectively done in ways that permit safe forms of connectivity, it \nmight be best to keep at least some of them disconnected, although \nconnectivity has become such that this may be harder to do than it \nsounds. 
In the discussions about balancing the risks of insecurity \nagainst other factors, e.g., profitability, efficiency, or convenience, \nsecurity usually seems to come up short.\n    But at least for the electric power distribution industry and \ninfrastructure, the regulator (the Federal Energy Regulatory \nCommission) seems to be trying to step up to the problem. For a \ndiscussion of this effort, and much more, I refer you to a recent paper \nby one of my colleagues at Georgia Tech: Stephen J. Lukasik, ``Reducing \nThreats to Users of the Global Cyber Commons,'' Center for Strategy, \nTechnology, and Policy, Georgia Institute of Technology, Atlanta, GA \n2009. A copy of this paper has been left with the Committee staff.\n    The positions that Dr. Lukasik has held over the years include \nDeputy Director and then Director of ARPA (now DARPA) when the ARPANET \nwas being conceived and first implemented, and the first Chief \nScientist of the Federal Communications Commission. In the spirit of \nthis question, and given the precarious state of cyber security more \ngenerally, Dr. Lukasik suggests, ``users should seriously revisit the \npremise that any two things are better connected than left \nunconnected.'' I would endorse that cautionary statement.\n\nQ2.  The comprehensive cyber security initiative that was created by \nPresident Bush and is continuing under President Obama focused on \nimproving cyber security coordination across government and on funding, \ngame-changing ``leap-ahead'' technologies. Do you agree with these \npriorities? If you had an additional $100 million to spend on cyber \nsecurity R&D, to what agencies and research areas would you devote it? \nIs there general agreement within the scientific community regarding \nsecurity research priorities?\n\nA2. Our 2007 NRC report, referenced in my response to Rep. 
Lipinski's \nfirst question, advocated a broad, defense in depth approach covering a \nnumber of important and complementary technologies. As also discussed \nin my response to that question, some effort to identify and develop \ngame changing, ``leap-ahead'' technologies should be pursued, but the \nproblems of cyber security are so extensive and complex that such \nsilver bullets may be hard to come by at best, and are unlikely to come \nquickly.\n    Some areas, like improving methodologies for designing and \nengineering or re-engineering of more fundamentally secure systems and \napplications, would underlie almost anything else that would be done. \nSo would research into architectures that would be fundamentally more \nsecure than what we now have. I believe there is fairly general \nagreement within the scientific community on these points, but less so \non many others. Again, I would place a large fraction of any new \nfunding on dealing with the security problems associated with very \nlarge and rapidly emerging new technologies, notably mobile phones and \nother devices, and cloud computing, and also on research that looks \ninto the problems of the timely, effective, and widespread \nimplementation of new security policies and technologies. Many of the \nlatter problems are at least as much matters of management, \norganization, and incentives as they are matters of technology. The \nproblem of effective, widespread adoption is so enormous and complex \nthat it might well negate good new technology if it is not given \nserious attention.\n    There are many agencies under the NITRD umbrella. I would hope that \nsome of them would see these problems as particularly relevant to their \nmission statements and eagerly step up to producing solutions.\n\nQ3.  The strategy of both the past and current administration has \nfocused most of our cyber security investment--several billion dollars \nannually--on procuring and deploying intrusion detection systems. 
Due \nto the cat-and-mouse nature of cyber warfare and defense that several \nof you noted in your testimony, it seems that these systems are only \neffective against threats that we already know about and understand. \nGiven this reality, can this type of approach produce effective results \nover the medium- or even short-term? If not, is research on a new and \nfundamentally secure Internet architecture the only long-term answer?\n\nA3. Given the attention and investment over a long period in R&D for \nintrusion detection systems (IDS), I would suggest that it is time for \na serious assessment of its impact. This would provide a far better and \nmore constructive answer than what I might offer in this short \nresponse. I believe that most R&D in cyber security should be done as \nif application matters. In keeping with that, we must learn to do \nserious evaluations of progress towards a safer and more secure \ncyberspace, and IDS is a good place to start.\n    Are we able to detect almost all intrusions into almost all of our \ncomputers? Are we doing anything that is effective against emerging \nthreats? If so, what combination of technical R&D and deployment \nincentives and strategies made this possible? What has this gotten us \nin terms of safer and more secure computers? Have we been able to \nthwart the intents and limit the damage done by these intrusions? Are \nwe really limited to those threats that we failed to anticipate and \nprevent and ultimately learned about the hard way?\n    If not, then we need to understand why not before we pour billions \nof dollars and other resources more into IDS or something else. With \nmost of the well-educated professionals among the good guys, why can we \nnot pre-empt new forms of intrusions as they are happening or before \nthey happen? Do we have good technical solutions that are not being \nimplemented? 
Is the technology just not up to it, or are our systems so \nfundamentally insecure and there are so many threat possibilities that \nwe should not have unrealistic expectations here, or is part of the \nproblem apathy or resistance on the parts of the people and \norganizations in the best positions to implement and sustain these \nsolutions? If the latter is the case, what can change this?\n    Note that intrusion detection is largely a matter of computer \nsecurity. A ``new and fundamentally secure Internet architecture'' is \nmore about network security and some different kinds of forensics, \nalthough it might have some positive effect on computer security. It \nmay well be the necessary and best long term answer. There is no doubt \nthat we could do better producing a more secure architecture today than \nwas originally the case, but ``fundamentally secure'' is a very tall \norder, especially if it also is to be effective in protecting us from \ninsecure applications that could be put on the net. And ultimately \nthere is the massive and very difficult problem of the huge legacy \nInternet to be abandoned or moved to the new architecture. In this \nregard, we have not always been very successful on much smaller scales.\n\nQ4.  When this committee discusses a STEM education issue, we don't \njust focus on higher education: We start at the pre-K levels and extend \nbeyond post-graduate work. Most of the education-related testimony has \nfocused on our adult population either from an academic and workforce \nperspective, a behavioral perspective, or a public awareness \nperspective. What are your education recommendations for our children \nwhen it comes to cyber security in all of these areas?\n\nA4. Children and young people in the age range usually associated with \nprimary and high schools, roughly ages 5-18, are a particularly \nvulnerable and important category of general user. 
In the United \nStates, beyond the first few grades as a group they are probably coming \nincreasingly close to being almost 100 percent users of the Internet or \nmobile phones and other devices. And the Internet has become part of \nmany programs in K-12 educational institutions in this country, even if \njust as an augmentation to or substitute for traditional hard copy \nlibraries.\n    It is important to include the concept of ``safety'' in addition to \nthe common usages of ``security'' in discussing this age group. Some \nundesirable Internet enabled activities specifically involving children \nand teenagers range from the unauthorized use of credit cards (to \nparaphrase a classic New Yorker cartoon: ``on the Internet, nobody \nknows if you are a child''), to massive violations of the intellectual \nproperty of others, to risking their own privacy on an unprecedented \nscale, to hacking for sport, bragging rights, and profit, to enabling a \nhuge worldwide child pornography underworld, to providing unprecedented \nentries for people who physically or mentally prey on children. \nFurthermore, the naive or undereducated or malicious use of the \nInternet by children and teenagers may put others at risk.\n    But this is an age group that is almost totally accessible through \ntheir schools. Education covering the safe, secure, and ethical use of \ncyberspace is thus arguably a necessary and desirable addition to the \ncurriculum in the primary and secondary schools. More generally, I \nwould reflect a view expressed in the Association for Computing \nMachinery (ACM), the oldest and one of the largest professional \nassociations devoted to computing, that we should look for ways to \nintegrate grade-appropriate cyber security curriculum into existing \ncourses, but we also need to expand the teaching of core computing \nconcepts at the K-12 level. Computer science education is too often \nmissing from the K-12 education landscape. 
As computing becomes \nubiquitous through platforms such as hand-held or cellular devices and \nits role grows in society, it is imperative that students have a better \ngrasp of the fundamentals of computing. We can do this by making a \nrigorous and engaging computing education part of the core that \nstudents must know and by making safe, secure, and ethical use a \ncentral part of this education.\n    If a narrower focus is desired, many precedents exist for helping \nK-12 students to cope with some of the problems in the real world, for \nexample, for hygiene, nutrition, driver and sex education. But it will \nbe more difficult to deal with this subject since the risks are more \nabstract and usually not physically proximate. And the problems are \nmuch more dynamic and rapidly changing.\n    We also have much to do with regard to educating the educators, \ni.e., developing capable teachers and the materials for them to use. \nThis is not likely to be done well on a purely voluntary or local \nbasis. In some ways and locales it is likely to be controversial, and \ncare must be taken to get together material that is sensible, \ninteresting, well presented, and does not needlessly scare the wits out \nof children (or senior citizens, see below). As stated above, the \nsubject might be treated as a separate course, or distributed \nthroughout the computer-using curriculum. It would also need to be \nreinforced in other public domains such as libraries and Internet \ncafes. This is a difficult assignment that must be given to the \nDepartment of Education, with start-up help from the NSF. Other \nprofessional organizations could also be constructively involved. 
These \nmight include the ACM, the IEEE Computer Society, the Computer Science \nTeachers Association, the International Society for Technology in \nEducation, and some industry associations.\n    I have one final concern at the opposite end of the spectrum, with \nan adult age group that usually does not figure into the academic or \nworkforce discussions noted in the statement of this question. A \nsizable and growing fraction of senior citizens are users of the \nInternet, having been coerced and cajoled into doing so for what are \noften good reasons. But many do not take to computing as easily and \n``naturally'' as young people. I believe that seniors are particularly \nvulnerable to exploitation and accident, and to fraud in particular. \nSome thought and effort should be given to help them. The institutional \nmeans of broadly educating this group is much less obvious and more \ndiversified than is the case for children and teenagers. But there are \na large number of vehicles for ``lifelong learning'' in the United \nStates, and safe computing and computing more generally should be made \na much larger part of their curricula than is now the case. Again the \nprofessional associations, and the AARP in this case, might be \nconstructively engaged in dealing with this problem.\n                   Answers to Post-Hearing Questions\nResponses by Liesyl I. Franz, Vice President, Information Security and \n        Global Public Policy, TechAmerica\n\nQuestions submitted by Representative Ralph M. Hall\n\nQ1.  Some experts have suggested that we should consider taking \ncritical infrastructure networks such as those that control electricity \ntransmission and distribution ``off the grid''--onto a network \nphysically not connected to the public Internet, just as we do with our \nclassified military networks. 
Please comment on whether you think such \nan approach warrants further consideration, and if so what potential \nbenefits as well as challenges would accompany it.\n\nA1. There would be considerable impacts on the usability and innovation \nderived from critical infrastructure networks should they be ``taken \noff the grid'' and put onto a classified-like proprietary network. In \nfact, in many cases such separation would be incompatible with the \nvision for improved, data-driven efficiencies that motivates ``smart \ngrids.'' With regard to electricity transmission specifically, \nTechAmerica member companies cite such examples of pooling and analysis \nof real-time, end-device power-consumption data that enables more \nefficient electricity generation and transmission. In addition, we \ncaution against policies that would adversely impact innovation in home \nnetworks or consumer products, either in inhibiting the very innovation \nthat helps drive our economic growth or in establishing one-size-fits-\nall cyber security requirements that stifle functionality and, in many \ncases, may not deliver greater security.\n    With regard to this question, specifically, I highlight two key \nprinciples: (1) Cyber security is not a one-size-fits-all endeavor, and \nno one solution will meet all the needs of any given client. Therefore \nit is imperative that government, industry, and even individual network \nowners and operators undertake a risk management approach to the \nsecurity of their operations. (2) As manufacturers and users of \ninnovative technological solutions consider ways to ensure inter-\noperability and security measures, they should engage in appropriate, \nand global, standards development organizations in order to meet the \nspecific needs of each product or service and involve all stakeholders.\n\nQ2.  
The comprehensive cyber security initiative that was created by \nPresident Bush and is continuing under President Obama focused on \nimproving cyber security coordination across government and on funding \ngame-changing ``leap-ahead'' technologies. Do you agree with these \npriorities? If you had an additional $100 million to spend on cyber \nsecurity R&D, to what agencies and research areas would you devote it? \nIs there general agreement within the scientific community regarding \nsecurity research priorities?\n\nA2. The IT industry does support efforts to improve cyber security \ncoordination across government and on funding for the development of \n``leap ahead'' technologies. As such we support the intent of the R&D \nefforts that are part of the Comprehensive National Cyber Security \nInitiative (CNCI). However, we believe those efforts can only be \nsuccessful if they incorporate consultation and coordination with \nindustry and the science community on identifying priorities. The IT \nsector is undertaking efforts now to engage the U.S. Government and \nprovide suggestions and exchange information on R&D programs. The \nprimary goal of these efforts is to ensure support for allocation of \nfunds for projects that do not duplicate existing or ongoing work and \nhelp the government identify areas for research funding that lack a \nviable commercial market opportunity or incentives.\n    Implicit behind the premise of ``leap ahead'' research is the idea \nthat there may be problems too intractable to be addressed in a timely \nfashion through incremental research. At times, useful discoveries may \noccur from unanticipated multi- or cross-disciplinary investigations. 
\nThe creation of public/private partnership models to support \nrevolutionary (as opposed to evolutionary) research is an important \npart of a balanced national strategy for cyber security research and \ndevelopment.\n    Another important part of a balanced approach to R&D is ensuring that \nthe benefits of that research are made available to others. Such \ntechnology transfer is the ultimate goal of industrial research \nprograms that bring the effect of research successes to the market and \nto product users. To the extent that government can streamline the \nenvironment for technology transfer, the greater the benefit.\n    With regard to research areas where additional funding could be \napplied, we highlight two that have been part of recent discussions, \nincluding the recent National Cyber Leap Year Summit. First, given new \nchallenges to IT management as systems become more automatically \nadaptable or self-modifying in order to resist attacks, we may benefit \nfrom research into the management of adaptive systems. Second, research \ninto cyber security metrics is another area where there is significant \nopportunity for progress.\n    Lastly, whichever agency or agencies receive funding for such \nresearch and development efforts, we strongly urge requirements for \ncoordination and collaboration with other agencies and with the private \nsector and the academic community.\n\nQ3.  The strategy of both the past and current administration has \nfocused most of our cyber security investment--several billion dollars \nannually--on procuring and deploying intrusion detection systems. Due to \nthe cat-and-mouse nature of cyber warfare and defense that several of \nyou noted in your testimony, it seems that these systems are only \neffective against threats that we already know about and understand. \nGiven this reality, can this type of approach produce effective \nresults over the medium- or even short-term? 
If not, is research on a \nnew and fundamentally secure Internet architecture the only long-term \nanswer?\n\nA3. It is precisely the dynamic and evolving threat environment that \ncalls for taking a risk management and all-hazards approach to \nprotecting ourselves from cyber attacks, to include not only \ntechnology, but people and processes as well. Certain technologies will \naddress specific kinds of attacks, while a more sophisticated \nenterprise architecture will help defend against various kinds of \nintrusions. Each enterprise--or individual--needs to assess their \nspecific usage, system, and security needs and make their investments \naccordingly. While R&D on a new Internet architecture may be something \nto consider, such an approach must be evaluated with all the \nstakeholders at the table to ensure a thorough vetting of the \nobjectives, potential solutions, and intended and possibly unintended \nconsequences. In the meantime, however, we must continue to invest in \nkey cyber security R&D for both short and medium term innovative \nsolutions to today's challenges.\n\nQ4.  When this committee discusses a STEM education issue, we don't \njust focus on higher education. We start at the pre-K levels and extend \nbeyond post-graduate work. Most of the education-related testimony has \nfocused on our adult population either from an academic and workforce \nperspective, a behavioral perspective, or a public awareness \nperspective. What are your education recommendations for our children \nwhen it comes to cyber security in all of these areas?\n\nA4. At the most rudimentary level, we should be including ways to \nsensitize our children to cyber security considerations when they are \nlearning how to use a computer and the Internet, something which is \noccurring at very young ages today. 
We can take advantage of that early \nlearning to infuse good user practices that address safety (what \ninformation you put on the Internet about yourself), security (if you \nare learning how to download any number of ``fun'' applications, you \ncan also download anti-virus software and encrypt your wireless \nconnection), and ethics (consequences of cyber bullying or cyber \nfraud). Building such elements into the K-12 curriculum must recognize \nthe dynamic nature of the cyber medium and the threats it faces and, \ntherefore, be set up in a way that is flexible to be updated as \nnecessary, and to provide resources for educators and students about \nwhere they can go to get the most up-to-date information. One good \nsource for such information is www.staysafeonline.org, which is run by \nthe National Cyber Security Alliance (NCSA), a non-profit public-\nprivate partnership to build cyber security awareness with all user \ngroups.\n    At a more strategic level, we can be developing curriculum that \nlays the foundation for a workforce that is capable of designing secure \nsystems. Congress could call for a short-term task force that engages \nindustry, academia, the Department of Education, the Department of \nHomeland Security, and the Department of Commerce's National Institute \nfor Science and Technology (NIST) to make recommendations for \nestablishing such a foundation, evaluating and building upon any \nexisting efforts and/or developing new ones.\n\nQ5.  Ms. Franz, in your testimony you call for a ``true government-\nindustry collaboration on research projects.'' Please elaborate on this \nrecommendation. How would it be structured, and how would research \npriorities be identified? What agency or agencies do you think should \nfund such an effort?\n\nA5. In my testimony, I wanted to emphasize the need for collaboration \namong government-industry partners on equal footing. 
Such equal footing \ncould be achieved a number of ways, including through a structure that \nensures engagement with government and industry representatives at the \nvery beginning of any evaluation and prioritization process. In \naddition, a governance structure could ensure that each partner has \nequally weighted ``votes'' in the deliberation process. Too often one \npartner works on a process alone for so long that once the other \npartner is brought into the process, it is too late for a fully \ndeliberated discussion and prioritization. Finally, true collaboration \nwould include commensurate stakes and investment by each partner. For \nexample, should the government fund an effort, industry could provide \nexpertise that meets the need--and the stated level of partnership. \nSuch ``true'' collaboration would require a change in how government \nand industry each approach the R&D discussion today and bring them \ntogether at the beginning of the partnership process--even in how that \nprocess is conceived.\n    For funding a cyber security R&D collaborative effort, I believe \nany number of agencies could--and should be involved to maximize not \nonly the funding sources but also the expertise from various \nconstituencies and bring them--and their industry stakeholders--\ntogether for such a project.\n                   Answers to Post-Hearing Questions\nResponses by Anita D'Amico, Director, Secure Decisions Division, \n        Applied Visions, Inc.\n\nQuestions submitted by Chairman Daniel Lipinski\n\nQ1.  In your written testimony you indicate that good security \ndecisions are based on an understanding of risk. How is cyber security \nrisk assessed and are the current methods or tools adequate? If current \nmeasures of cyber security are not adequate, what research is needed to \nimprove cyber security risk assessment?\n\nA1. The methods and tools for measuring cyber security risk are not \nadequate. 
There is an excellent May 2009 publication entitled \n``Measuring Cyber Security and Information Assurance'' by the \nInformation Assurance Technology Analysis Center (IATAC) which is \navailable through the Defense Technical Information Center. It \nsummarizes the state-of-the-art of measuring cyber security, which is a \nprerequisite to understanding and measuring the actual risk associated \nwith the security state, and describes several measurement approaches. \nIt concludes: ``there are no universally recognized, reliable, and \nscalable methods to measure the security of [IT] assets.''\n    Even if the risk measurement tools and methods were scalable and \nreliable, their value for enhancing security state would be minimized \nwithout commitment by the decision-makers to consistently use the tools \nand methods. However, business managers have not yet committed to \nregular measurement and mitigation of the discovered risks. What will \nit take for risk measures to be embraced by corporate and military \nofficers?\n\n        <bullet>  Answer the ``Risk to what?'' question--The broad \n        usage of security risk measurement is more likely to occur if \n        the industry managers and military commanders understand the \n        impact of these risks to their specific mission, whether that \n        mission is to build a greater revenue stream or protect Afghani \n        citizens from terrorists. Risks must be put into the context of \n        the goals of the organization and the individual investing in \n        the risk measurement. 
A ripe research area is to identify \n        methods for automatically linking the availability, \n        confidentiality and integrity of IT assets to the specific \n        business processes or mission tasks that the organization or \n        individual must perform.\n\n        <bullet>  Establish the credibility of the risk measures--As \n        with any metric, it must be grounded in systematic observation \n        of lots of data. The data on which the metric is based must be \n        recognized as meaningful to the ultimate users of the metrics.\n\n        <bullet>  Make it easy to collect--Automated tools for \n        collecting relevant data from the network enterprise and \n        calculating the risk measures would decrease resources needed \n        to perform risk measurement. Research and technology \n        development is needed to determine the best methods for \n        collecting and calculating risk measures in real-time.\n\n        <bullet>  Make it easy to mitigate--The IATAC report cites a \n        need for research in ``self-healing'' measures in which an \n        automated response would be triggered when a threshold of risk \n        metric is reached. In addition to the automated mitigation \n        approaches, we need methods of presenting the outcome of risk \n        measurement in intuitive and actionable form.\n\n    Finally, most cyber security risk measurement is focused on wired \nnetworks, ignoring the ubiquity of wireless devices. Wireless access \npoints, wireless cards within laptops, and smart phones can be \nexploited by attackers to penetrate critical wired networks. Even \nthough wireless networks may be excluded by policy from many military \nand industry organizations, the mobile devices carried by the personnel \nhold high-value information which can be exploited by cyber criminals \nor foreign agents. 
Future research in risk measurement must factor the \nwireless landscape into the calculation of risk.\n\nQuestions submitted by Representative Ralph M. Hall\n\nQ1.  Some experts have suggested that we should consider taking \ncritical infrastructure networks such as those that control electricity \ntransmission and distribution ``off the grid''--onto a network \nphysically not connected to the public Internet, such as we do with our \nclassified military networks. Please comment on whether you think such \nan approach warrants further consideration, and if so what potential \nbenefits as well as challenges would accompany it.\n\nA1. I don't feel I have the background to respond to this question.\n\nQ2.  The comprehensive cyber security initiative that was created by \nPresident Bush and is continuing under President Obama focuses on \nimproving cyber security coordination across government and on funding \ngame-changing ``leap-ahead'' technologies. Do you agree with these \npriorities? If you had an additional $100 million to spend on cyber \nsecurity R&D, to what agencies and research areas would you devote it? \nIs there general agreement within the scientific community regarding \nsecurity research priorities?\n\nA2. I thought the NITRD Cyber Leap Year call for leap-ahead \ntechnologies was an innovative approach to exciting the cyber security \nresearch community. 
They reviewed 238 responses, and produced five \ncategories of technology that NITRD cited as critical areas for \nfunding:\n\n        <bullet>  Digital Provenance--basing trust decisions on \n        verified assertions\n\n        <bullet>  Moving-Target Defense--attacks only work once if at \n        all\n\n        <bullet>  Hardware-Enabled Trust--knowing when we've been had\n\n        <bullet>  Health-Inspired Network Defense--move from forensics \n        to real-time diagnosis\n\n        <bullet>  Cyber Economics--crime doesn't pay\n\n    I concur that all of these are important areas for future funding. \nHowever, there are a few areas that I believe warrant government \ninvestment such as the $100 million to which you referred:\n\n        <bullet>  Cascading effects of an attack--More work is needed \n        in understanding the interdependencies within the cyber \n        infrastructure, and between the cyber infrastructure and other \n        critical infrastructures. Other work is needed to understand \n        the dependencies of critical business operations on the IT \n        infrastructure and how a cyber attack can cascade to affect \n        several business operations within and across organizations.\n\n        <bullet>  Resiliency and recovery--Attackers will get into our \n        systems. The cascading effects of an attack will occur. How do \n        we continue to work through and fight through the attack?\n\n        <bullet>  Information value--The cascading effects of an \n        attack, and recovery decisions, are based in part on the value \n        of the information needed to maintain critical operations. \n        However, we have little understanding of what makes information \n        valuable to people and critical operations. 
If we knew how to \n        measure the value of information, we would be able to apply \n        security measures to follow the high-value information, even as \n        it moves throughout a network.\n\n        <bullet>  Attack attribution and legal response--Proving the \n        source of an attack remains difficult. Research is needed on \n        how to identify the attack source. Additional work on the legal \n        aspects of cyber crime must determine the appropriate level of \n        evidence needed for attack attribution, and the laws and \n        policies that will permit the collection of that evidence.\n\n        <bullet>  Security of socially connected wireless devices--The \n        steady rise of social networking, much of it performed with \n        mobile devices, poses threats to our cyber infrastructure as \n        well as potential opportunities for remediation. Research in \n        this area is still in its early stages, and should be continued \n        with greater investment.\n\n    A few minor criticisms of the Cyber Leap Year format for \nsolicitation:\n\n        <bullet>  There would have been more responses, particularly \n        from some of the large industrial R&D organizations, if NITRD \n        had made a provision for protecting proprietary approaches and \n        proposing classified ideas. The companies with the biggest \n        Internal R&D funding were unlikely to toss out their best ideas \n        for anyone on the Internet to review.\n\n        <bullet>  It is surprising that none of the 238 responses were \n        deemed of sufficient merit to warrant a topic-specific \n        workshop. 
The fact that no one got an invitation to a workshop \n        based on the merit of their response is likely to negate future \n        enthusiasm for such a program.\n\n    Regarding which agencies should receive the funding, I think the \ndecision should be guided in large part by which agencies are most \nlikely to transition the resulting technology into widespread \noperations, and are most likely to manage research that combines \nresearchers from various communities, i.e., academia, industry, \ngovernment, classified and unclassified. I believe that the service \nlaboratories (e.g., Army Research Laboratory, Air Force Research \nLaboratory, Naval Research Laboratory) and DHS Cyber Security R&D are \nin an excellent position to bring together academic, industry and \ngovernment researchers. NSF is largely biased toward academic \nresearchers. NSA requires clearances that many academicians don't have. \nThe service laboratories and DHS-CSRD also have the mindset and \ncontractual experience to handle classified and unclassified work and \naddress contract terms relevant to both academia and industry.\n    Perhaps most important, the service laboratories are in a position \nto help transition the technology into military and homeland security \nprograms.\n\nQ3.  The strategy of both the past and current administration has \nfocused most of our cyber security investment--several billion dollars \nannually--on producing and deploying intrusion detection systems. Due \nto the cat-and-mouse nature of cyber warfare and defense that several \nof you noted in your testimony, it seems that these systems are only \neffective against threats that we already know about and understand. \nGiven this reality, can this type of approach produce effective results \nover the medium, or even short, term? If not, is research on a new and \nfundamentally secure Internet architecture the only long-term answer?\n\nA3. 
Intrusion detection systems, while not the ultimate solution, can \nbe useful in the short term because they add a layer (albeit weak) of \ndefense that thwarts script kiddies and other amateurs. They also \ncreate a nuisance for more-sophisticated attackers, thereby increasing \nthe amount of time and effort they must expend in order to penetrate \nour systems. However, intrusion detection systems do not warrant \nsignificant government research funding, as the commercial companies \ndeploying them are incentivized by their sales to continue this work.\n    Government research does need to focus on the larger, game-changing \nissues in order to achieve real security. A new and fundamentally \nsecure Internet architecture is an excellent long-term goal. However, we \nmust accept the fact that no system or architecture can achieve \ncomplete security without completely sacrificing openness. Therefore \nresearch needs to continue to focus on defensive techniques, but from \nthe new perspectives discussed earlier--not from the perspective of \njust making better intrusion detection systems.\n\nQ4.  When this committee discusses a STEM education issue, we don't \njust focus on higher education. We start at the pre-K levels and extend \nbeyond post-graduate work. Most of the education-related testimony has \nfocused on our adult population either from an academic and workforce \nperspective, a behavior perspective, or a public awareness perspective. \nWhat are your education recommendations for our children when it comes \nto cyber security in all of these areas?\n\nA4. Students need to acquire an understanding about computers and the \nInternet as basic elements of life in the digital age. Safe computing \nshould be a basic element of our K-12 curriculum, like math and \nreading, not an elective. 
Organizations such as the National Cyber \nSecurity Alliance are already working to support safe computing \neducation for K-12, but additional assistance and attention is needed.\n    Education of children is also the first step in a cultural shift \ntowards a more secure digital world and away from the current view of \ndigital information as a free-for-all. The ease with which information \ncan be shared, copied, pirated, and distributed has created a sense in \nthe current generation that the information itself has no real value. \nTeaching adults to fear the Internet and to be careful about \ndownloading may achieve behavioral change to some degree, but does not \naffect cultural change.\n    The younger generation is the driving force in this cultural shift: \nthey are the ones stealing music and movies, posting personal \ninformation on social networking sites, installing peer-to-peer \nsoftware on their computers without concern for the security risks, and \nin general treating their digital lives with the same carelessness with \nwhich they clutter their rooms. They do this because they can, and \nbecause they have not been taught that this is all wrong. This \nfundamental lesson of respect for information--its financial value, its \nprivacy implications, its intrinsic importance to their lives--must be \ningrained in them from the earliest days. From this will flow a \ncultural shift away from the information-wants-to-be-free attitude of \nthe early Internet days towards a more mature, and secure, digital \nworld.\n    The building of a culture of safety, respect and ethics in the \ndigital world should begin in early elementary school education. This \nshould start with awareness training in elementary school for cyber \nsafety and cyber security basics such as safe browsing and e-mail, \nidentity theft, and issues around social networking--think of it as \nhygiene lessons for the digital world--and should also instill the \nethics of information. 
Children need to learn that information has real \nvalue, and must be protected and respected just as much as physical \ntreasure. Most well-raised American children wouldn't even consider \nwalking into a Wal-Mart store and stealing a Nintendo game, yet \nmillions of them think nothing of downloading music illegally from Lime \nWire every day.\n    Cyber education should progress during the middle school years to \nmore advanced issues of cyber security and ethics such as data \nprotection, data sensitivity, privacy, and digital copyright. Digital \nprivacy issues should be emphasized in grades five through nine. \nCurrent middle-schoolers, though conscious of their privacy needs at \nhome, really have no sense of digital privacy--something that some \nadults unfortunately exploit. The kids cry ``invasion of privacy'' when \nMom cleans their room and finds some sort of contraband under the bed, \nyet they think nothing of installing bitTorrent on their iMac and \nopening their files for the entire world to see. They cringe if you put \ntheir class photo on the refrigerator, yet they gleefully post photos \nof their latest binge on Facebook.\n    By the time students reach high school, they should be prepared to \ndrive themselves in the digital world. The goals should be similar to \nthose of driver education: know how to operate the equipment, be \nknowledgeable of the laws and the repercussions of breaking them, and \nbe able to travel without injury to yourself or others. Those with even \ngreater interest can learn how to build, take apart and speed up the \ninformation technology--always with safety in the forefront.\n                   Answers to Post-Hearing Questions\nResponses by Fred B. Schneider, Samuel B. Eckert Professor of Computer \n        Science, Department of Computer Science, Cornell University\n\nQuestions submitted by Chairman Daniel Lipinski\n\nQ1.  
In your written testimony you indicate that good security \ndecisions are based on an understanding of risk. How is cyber security \nrisk assessed, and are the current methods and tools inadequate? If \ncurrent measures of cyber security are not adequate, what research is \nneeded to improve cyber security risk assessment?\n\nA1. Risk is usually defined as an ``expected value'' (in the \nstatistical sense) and, therefore, requires identifying all possible \nhazards and then estimating the cost and probability of each. Applying \nthis definition to a computing system would require calculating or \nestimating these costs and probabilities (as well as identifying all \nhazards), and that is far beyond the state of the art. Moreover, \nhistorical data, which works so well for writing life, health, and \nproperty insurance policies, does not help for doing a cyber security \nrisk assessment: a system's internals (hence the system's \nvulnerabilities), where systems are being deployed (hence the \nconsequences and cost of a successful attack), and attacker \nsophistication (hence the likelihood of an attacker's success) change \ntoo rapidly for the past to be a good predictor of the future.\n    Given these inherent difficulties in measuring the constituents of \nthe ``expected value'' that defines cyber security risk, I believe we \nwould be better off focusing our research investments on science and \nengineering that helps ascertain a system's compliance with a given \nbehavioral specification or properties. 
This is, in a sense, the flip \nside of cyber security risk, since risk involves the probability of a \nsystem's exhibiting behavior that departs from those specifications.\n    Examples of the kinds of research I am advocating can be found in \n(among others) the area of programming language design and the area of \nautomated tools for analyzing program execution--for instance, research \ninto rich type systems for programming languages and model checking for \nprogram verification. These technologies can help establish that a \nprogram's execution will exhibit certain properties and, as a side \neffect, enable tools to detect large classes of code vulnerabilities. \nWe should also invest in research that aspires (i) to developing a \nprincipled way for extracting ``trust assumptions'' in systems and (ii) \nto understanding how various security technology relocates ``trust \nassumptions'' from one component to another, since this is a way to \nsurface the risks in a system design.\n    Although this proposed research ignores the probabilities and costs \nof attacks, its fruit doesn't prevent individuals from using insights \nabout threats, system internals, or the circumstances of a system's \ndeployment when deciding how best to manage the risk of cyber attacks. \nHere, broadly disseminating information about attackers, successful \nattacks, and cost or consequences of attacks would be in everyone's \nbest interest, because system operators and their users all could then \nevolve a better understanding of the risks they face and have a basis \nto make more intelligent decisions. Therefore, I advocate putting in \nplace incentives for public reporting of successful attacks, attacker \ncapabilities, and their consequences as another key step toward being \nable to assess cyber security risk.\n\nQ2.  One of the near-term action items of the Administration's \nCyberspace Policy Review is to provide the research community with \nevent data. 
What is the quality of event data currently utilized by the research community and is it a realistic representation of network activity?

A2. Event data is today not broadly available to the research community. This means researchers do not have good data against which to evaluate solutions they develop, nor do they have a way to gain the kind of first-hand experience that is often crucial for understanding the real problem and inventing solutions.

Today we find that to avoid undermining public trust, information about successful attacks is generally kept confidential. Information about vulnerabilities is generally not made public until after a defense has been widely deployed. And information about network traffic is not generally available from ISPs or from other network operators because it can reveal information about their cost and pricing models; it also can reveal users' private information.

Network traffic data sometimes is made available today to selected researchers if they agree not to further disclose that data nor disclose its attribution in publications that analyze the data. Such data cannot be shared with other researchers, making comparative analysis of work done in different labs impossible.

Various test-beds allow researchers to experiment "at scale" and sometimes it is possible to use those as a source of data. However, load (including attacks) in these testbeds is either generated artificially or (in the case of PlanetLab\1\) would depend on concurrently executing experiments (hence is difficult to reproduce).
In short, today's testbeds are a poor substitute for experiments that use real, operational, datasets.

\1\ http://www.planet-lab.org/

Recently, the Office of Science and Technology Policy invited the National Science Foundation to organize a group of NSF-supported computing researchers and provide a white paper detailing specific kinds of networking and cyber security data that would be useful for the academic research community. Professor Nick Feamster (Georgia Tech) coordinated that effort, and a short white paper is now available.\2\

\2\ Jean Camp, Lorrie Cranor, Nick Feamster, Joan Feigenbaum, Stephanie Forrest, Dave Kotz, Wenke Lee, Patrick Lincoln, Vern Paxson, Mike Reiter, Ron Rivest, William Sanders, Stefan Savage, Sean Smith, Eugene Spafford, Sal Stolfo. Data for Cybersecurity Research: Process and "Wish List." June 10, 2009. Available at http://www.cc.gatech.edu/~feamster/papers/data-wishlist.pdf

Q3. Do you have any specific recommendations for existing federal agency programs that should be expanded or new programs that might be created to address cyber security education needs? Is there a specific level of education that is in need of increased attention?

A3. I am aware of two federal programs in support of cyber security education:

• The Federal Cyber Service Scholarship for Service (SFS)

• National Centers of Academic Excellence in IA Education (CAEIAE)

I have no direct experience with SFS.

I have some experience with CAEIAE.
This program certifies whether a college or university offers an educational program deemed by the National Security Agency (NSA) to provide a suitable background for working in information assurance. The criteria for CAEIAE designation include requirements about what is taught and about the qualifications of who does the teaching.

I decided not to pursue CAEIAE for Cornell because I did not find current thinking about cyber security well represented in the curriculum requirements for CAEIAE certification. And while the number of schools with CAEIAE certification is rather substantial, Cornell is hardly the only outsider. Only Carnegie Mellon University (CMU) of the five universities in the NSF-funded TRUST Science and Technology Center pursued a CAEIAE certification, yet these five universities are among the very top cyber security programs in the country; also only two (CMU and University of Illinois) of the top five ranked Computer Science departments are listed on the CAEIAE web site as having CAEIAE certification. Recently, Purdue, which hosts the nationally known Center for Education and Research in Information Assurance (CERIAS), decided against renewing its CAEIAE certification. Professor Eugene Spafford, Director of CERIAS, contributed to creating the CAEIAE program in 1997; he details his reasons to now forgo CAEIAE certification in his on-line blog.\3\

\3\ http://www.cerias.purdue.edu/site/blog/post/centers_of_academic_adequacy/

The field is moving rapidly, and what we teach needs to keep pace with what is known and with the needs of all the stakeholder communities; CAEIAE doesn't.
Moreover, the dividing line between what constitutes training and education is shifting, with various software producers now taking an active role in training their workforces about (for example) secure coding and avoiding common vulnerabilities. What gets taught in the university should reflect those realities and not waste time duplicating current industry-training efforts. Needless to say, one way that I believe the Federal Government can help move cyber security education forward is by not imposing constraints on content.

Second, our very best faculty, who typically are exploring new approaches to organizing and teaching cyber security, need incentives to spend that extra time and effort necessary for disseminating this work (just as the academic culture today provides incentives that prompt the dissemination of research results). So, for example, programs for funding cyber security education should endeavor to attract research-focused faculty at our Tier 1 institutions. And although funding is an important part of the picture, it is not the only part--it is crucially important that opportunities for peer recognition be present and that some means exist to surface evidence of national impact from a faculty member's efforts to further cyber security education.

I believe the greatest opportunities for having impact in cyber security education--and ultimately on the workforce--hence the place to focus increased attention, is in creating a new cyber security professional degree, analogous to what we have today in law and medicine. The undergraduate major serves a broad set of needs and, as a result, offers few opportunities for adding new content. Moreover, there is simply not enough time for an undergraduate to get a broad education in Computer Science and also be exposed to all the material that a cyber security expert (or even an apprentice) should see.
Graduate education, by contrast, allows the flexibility to require substantial course work in specialized areas.

Universities and students will not invest in a new degree unless there is some clear benefit. Requiring some sort of credential for cyber security professionals is often suggested, just as lawyers and doctors have their respective credentials. But if we are going to pursue this, then we should first understand the options (since, looking across the other professions, there are many possibilities) and be clear about the consequences. Therefore, I would argue that before mandating a credential, we first commission one or more objective bodies, such as the National Research Council's Computer Science and Telecommunications Board (CSTB) and/or the Government Accountability Office (GAO), to do a study that lays out the options. Inputs should be solicited from researchers, educators, systems builders, and systems operators (private sector and the government). And the study should:

1. Assess what (if any) benefits would come from imposing liability-based and/or regulation-based incentives for credentialing cyber security professionals. What would the costs be?

2. Identify practical structures for defining and evolving the content that a cyber security credential covers, and consider the various candidate examination instruments.

In parallel, we should make investments in community workshops, planning grants, and curriculum development, as a way both to understand whether a new cyber security professional degree is workable and to facilitate building a community consensus for such a new degree program. Yes, there is a crucial and immediate need for better-educated cyber security experts and what I am proposing will take some time.
But a poorly thought-out credential and mandating the wrong content for our students is not going to improve matters (and might well set things back).

Questions submitted by Representative Ralph M. Hall

Q1. Some experts have suggested that we should consider taking critical infrastructure networks such as those that control electricity transmission and distribution "off the grid"--onto a network physically not connected to the public Internet, just as we do with our classified networks. Please comment on whether you think such an approach warrants further consideration, and if so what potential benefits as well as challenges would accompany it.

A1. Separating the networks used by critical infrastructures from the Internet could entail a significant opportunity cost, and it would be virtually impossible to enforce. I therefore think it would be unwise to pursue this approach.

The opportunity cost of separating the networks comes from the potential loss of services. First, certain Internet services could provide important benefits to critical infrastructures; isolating the networks would make those services unavailable to those critical infrastructures. Access to on-line weather predictions, for example, could be useful in automatically controlling electric-generation capacity, allowing new generators to spin up in time to serve peak air-conditioning loads on a summer day. So-called network-guard technology could be deployed here and connect the networks, but this sacrifices the bullet-proof appeal of complete isolation. And the critical infrastructure's network could not be designed under the assumption that this network is completely isolated from the Internet, since attacks have been known to pass through guards.

Second, the Internet provides pervasive connectivity that would be quite costly to replicate.
And there will be strong temptations to use that connectivity in making our critical infrastructures more convenient, more efficient, and more effective. For example, an engineer in charge of controlling a critical infrastructure might well prefer to make after-work unexpected adjustments from his home rather than trekking into the office at odd hours, and an Internet connection to that critical infrastructure could be used for that--quite securely, if VPN (virtual private network) technology is employed. And a smart grid might serve us better if homeowners could remotely control appliances, thermostats, or even the class of electric service being purchased to run the household at any time. But implementing this kind of functionality would mean sacrificing isolation because there would be devices connected both to the Internet and to the network controlling a critical infrastructure.

Regarding the enforceability of a network-isolation mandate, it takes but one person connecting a single computer to both networks for the isolation to be destroyed. Likely this connection would be done as a matter of convenience and, judging from past experience reported for the public telephone network, the connection would be made by a low-level technician and without the consent or knowledge of management. Desktop machines running commercial operating systems are not known for their strong security guarantees, so we would be unwise to depend on the desktop's security to provide isolation between the networks when both are connected to the same machine.

Q2. The comprehensive cyber security initiative was created by President Bush and is continuing under President Obama focused on improving cyber security coordination across government and on funding game-changing "leap-ahead" technologies. Do you agree with these priorities?
If you had an additional $100 million to spend on cyber security R&D, to what agencies and research areas would you devote it? Is there general agreement within the scientific community regarding security research priorities?

A2. I am not knowledgeable about the details of CNCI, because the initiative has been classified and, therefore, information about it has not been generally available to the academic research community. I nevertheless can offer high-level comments about what seem to be the key elements.

Better coordination of cyber-defense across government should be a national priority. A cyber-defense is only as good as its weakest link. So a coordinated defense, if overseen by a technically strong organization that has the power to compel federal agencies to deploy specific cyber-defensive measures, is likely to decrease the chances that any agency's computing system becomes such a "weak link." The existence of a central clearinghouse for information about attacks--ongoing and past--also would be valuable for cyber-defense.

To deploy new cyber-defenses will require replacing and reconfiguring systems. I presume funding for these activities is a large part of the CNCI budget. We will want to be sure this money is spent wisely, and the absence of opportunities here for advice from the research community or from the private sector concerns me. Some government agencies are well served being advised by the intelligence community, with its strong track record of securing our nation's classified systems. But other agencies are more like the commercial organizations found in the private sector, with different needs and a different tolerance for risk. Such agencies might benefit more from advisors outside the intelligence community.
Finally, I should report that the utility of various CNCI-proposed defenses has been questioned by cyber security experts in the private sector and in the research community (albeit, people who did not receive classified briefings and therefore have an incomplete understanding of the problem and solution). This questioning suggests that any kind of central coordination should be in conjunction with some sort of advisory board that is populated by cyber security experts (technical and policy) from the private sector and academia.

The CNCI emphasis on "game-changing 'leap-ahead' technologies" seems well intentioned, but we should be careful about exactly how this is interpreted. For sure, if we continue with business as usual then we will never get to the point of running networked information systems that are trustworthy. But, as noted in my testimony, the way to be proactive and have the greatest chances of revolutionary advances--what I presume is meant by "game-changing leap-ahead technology"--is to build a science base for trustworthiness. The science base must come first; an initiative that focuses on only the technologies would likely fail without a science base.

Second, the advances CNCI seeks are not going to come if we just concentrate on developing new technologies and educating the workforce. Economics and law play a significant role in determining what (if any) investments system builders and operators actually do make in support for system trustworthiness. If we as a nation are not prepared to make game-changing alterations to our values and policies, then business as usual will continue despite any game-changing technologies we might develop, because it is virtually certain that trustworthiness will be far from free.

Finally, I note that we might "leap-ahead" but our attackers will surely follow. Cyber security is not a game that can be won once and for all.
We must win it each day anew. Let nobody believe that we only need one set of "game-changing 'leap-ahead' technologies."

How to spend an additional $100M on cyber security research? Page 6 of my testimony gave a list of research areas. This list was based on (i) a consensus view of academic cyber security researchers NSF brought together earlier this year to provide input\4\ for Melissa Hathaway's White House 60-day Cyber-Policy review as well as (ii) a recent National Research Council study\5\ on a cyber security research agenda; I was directly involved in both efforts.

\4\ Notes for White House 60-day Cyber-Policy Review. Available on WWW at http://www.cs.cornell.edu/fbs/publications/SciPolicyNSFnotes.pdf

\5\ Toward a Safer and More Secure Cyberspace. S. Goodman and H. Lin (eds.), National Academies Press, Washington, DC, 2007. Available on WWW at http://books.nap.edu/catalog.php?record_id=11925

NSF is the obvious agency to distribute additional cyber security research funding. Up to 200 additional researchers in cyber security could be funded at $500K per year, and I would argue that an individual researcher's funding needs to be at (or preferably above) that level if we can have hopes of supporting enough graduate students to make inroads into the demand for additional faculty and private sector experts. But should all the money be sent to NSF? I have no basis for justifying a scheme to divide the funds among various funding agencies. For example, there is now a new DARPA director, with indications that she will return DARPA to its past role in funding cyber security research at universities.
This would be a wonderful development, because DARPA-funded research has a very different character from the efforts that NSF supports; I have no idea whether this redirection of effort within DARPA would require additional funding. The Air Force, Army, and Navy also have (modest) cyber security research programs that fund faculty; these have yet a different character from the DARPA and NSF programs, and they likely would make good use of additional funds.

Q3. The strategy of both the past and current administration has focused most of our cyber security investment--several billion dollars annually--on procuring and deploying intrusion detection systems. Due to the cat-and-mouse nature of cyber warfare and defense that several of you noted in your testimony, it seems that these systems are only effective against threats that we already know about and understand. Given this reality, can this type of approach produce effective results over the medium- or even short-term? If not, is research on a new and fundamentally secure Internet architecture the only long-term answer?

A3. Despite the difficulty with intrusion detection that is noted in the question statement, this approach does have defensive value if relatively little time elapses between isolating the signature of a new attack and distributing that signature to intrusion detection subsystems on hosts that have not yet been attacked. Some recent research results will help put this into context. Simulations of the Internet done by cyber security researchers at U.C.-San Diego (and elsewhere) have shown that a worm could spread through the Internet so quickly that having a human involved anywhere in the path from signature-isolation to signature-distribution would introduce too much delay for intrusion detection to be effective. That suggests intrusion detection has limited value against attacks that propagate rapidly.
But investigators at Microsoft Research designed and prototyped an automated system that can detect a successful worm attack, automatically generate filters and/or patches for that attack, and disseminate those defenses to other systems ahead of the worm. Thus, there are deployments that avoid direct human involvement on the critical path for defense.

Virus scanners can be seen as a special case of intrusion detection. And they have been quite effective at defending desktop systems against malware, which to date has tended to propagate through the Internet slowly. Even for malware that is not slowly propagating, downloading a new signature file for a virus detector is usually faster and less likely to destabilize a production system than patching the vulnerability being exploited by that malware. So updating a virus detector's signature file is often the fastest way to securely reconnect a system that had been vulnerable to Internet malware. However, new attacker technology, which obfuscates different copies of a given virus differently, can make it impossible to create the malware-signatures needed by today's virus scanners. Thus, virus scanners are likely to become less and less effective.

The design and deployment of a "fundamentally secure Internet architecture" would be an important step towards improving the trustworthiness of our networked information systems. However, we should be clear about what it involves and what would be its consequences. It involves new research--various proposals for improved Internet architectures have been made, but there is much investigation and prototyping to be done before we might attempt to use these proposals as a basis for replacing the Internet. These investigations might take a decade or more.

And having a "fundamentally secure Internet architecture" would not mean the problem is solved.
Today's networked information systems comprise end-systems (desktops and servers) interconnected using the Internet. For example, the DNS service is part of the Internet architecture but services (like Google and Amazon) and desktops (running Windows and Linux) are end-systems. Virtually all attacks originate at the end-systems and most attacks are directed at the end-systems today because the compromise of end-systems offers value to attackers and these end-systems are low-hanging fruit. Thus, having an Internet that is "fundamentally secure" only solves part of the problem--to solve the entire problem, we must also have end-systems that are "fundamentally secure."

It does seem clear that designing a new, secure, Internet architecture is a crucial step towards supporting trustworthy networked information systems, and it seems equally clear that a new Internet architecture (notably, one that supports stronger notions of provenance and accountability) would be a key enabler for building "fundamentally secure" end-systems. Yet, leveraging accountability would also depend on making progress on policy matters. New privacy questions would be raised and need to be resolved; and international agreements about jurisdiction and extradition would need to be negotiated, since the premise of accountability is that attackers can be found and punished.

Q4. When this committee discusses a STEM education issue, we don't just focus on higher education. We start at the pre-K levels and extend beyond post-graduate work. Most of the education related testimony has focused on our adult population either from an academic and workforce perspective, a behavioral perspective, or a public awareness perspective. What are your education recommendations for our children when it comes to cyber security in all of these areas?

A4.
Our children use computers, so it is sensible to suggest that they ought to be told something about actions they might take that could be risky. And some risky behaviors are indeed simple enough to teach a child about (e.g., don't play with matches and don't accept candy from strangers). But other behaviors are not (e.g., don't attend movies with adult themes)--we as a society prevent such behaviors, not by educating the child but instead with other safeguards. So the real issue is whether we can devise guidance even a child can understand and that, if followed, would serve that child well when venturing in cyberspace.

I'm afraid the flexibility and universal nature of computers that is their strength is also the reason simple guidance is unlikely to be useful in describing to children (or even to many adults) a large space of potentially unsafe behaviors. Unlike Smokey the Bear's exhortation about the prevention of forest fires ("Only you can . . ."), vague exhortations about risky cyber security behaviors are hard to apply when defenses and attacks co-evolve, since what is risky periodically changes.

For example, consider what we might tell a child concerning web sites he/she might visit or what actions might be "safe" when visiting a web site. The browser interface changes every few years, and attacks seem to keep pace with the creation of defenses these interfaces embody. In fact, "human-computer interaction" research studies have now demonstrated that people taught about a browser security icon (e.g., the "key icon" signifying an https connection) are still fooled by attackers who--knowing what these users have been told--create a facsimile of the icon or fashion some message that convinces users all is safe even with the icon absent.
In general, as each defense fails, we as defenders create a new symbol or structure; attackers then find a way to spoof that, causing people who practice what we have previously preached to fall prey.

In light of this co-evolution of attacker and defender, we must disseminate a message for each defense we deploy. And we have a choice about that message:

• If we disseminate messages that are general enough so they don't have to be changed for each defense, then our messages are likely to require sophistication to interpret and act on. Children (and many adults) will not be well served by such messages.

• If we disseminate very specific messages that are easy to interpret and act on, then the message must change for each new generation of defense. Moreover, the different messages might have to be inconsistent with each other. Again, children (and many adults) will not be well served by such messages.

What we really need first is good tools (i) for informing users what they can trust and (ii) for users to authenticate what is at the other end of an Internet connection. Until we have such tools, our "public education" campaigns will have to be vague, hence have limited effectiveness because they cannot be converted into advice that a child can act on.

Q5. You testify that cyber security professionals are not being adequately trained to meet our needs, citing lack of faculty resources and technical curriculum content as the major problems. Which of these do you consider to be the biggest challenge and what recommendations do you have to address both of these issues?

A5.
The number of cyber security faculty is the bottleneck for getting research done as well as for the development of the much needed curriculum and the delivery of that content to undergraduates, masters students, and doctoral students. Moreover, the rate at which we can graduate additional cyber security faculty will accelerate only if we can increase the number of cyber security faculty members who are teaching and actively engaged in research at Ph.D.-granting institutions.

How many cyber security faculty does the Nation need? Here is one, conservative, analysis. Approximately 250 faculty are today doing research in cyber security, judging from attendance levels at research conferences and numbers of grants made by agencies that fund this kind of work. Since there are approximately 125 Ph.D.-granting institutions, that works out to approximately two researchers per institution. In reality, the distribution is skewed--the top-ranked departments have more (maybe three or four) because cyber security is today a hot research area.

The list of cyber security research topics is long enough to easily justify a community of 500 researchers, since that size would allow approximately five researchers per topic area (and anything smaller does not constitute a critical mass to form a community or make significant progress). So that would mean an average of four faculty per institution, which is also a reasonable number given the number and variety of courses that should be covered.

Answers to Post-Hearing Questions

Responses by Timothy G. Brown, Vice President and Chief Architect, CA Security Management

Questions submitted by Representative Ralph M. Hall

Q1.
Some experts have suggested that we should consider taking critical infrastructure networks such as those that control electricity transmission and distribution "off the grid"--onto a network physically not connected to the public Internet, just as we do with our classified military networks. Please comment on whether you think such an approach warrants further consideration, and if so what potential benefits as well as challenges would accompany it.

A1. Although there are instances where it may be desirable to segment networks completely, with no interconnection (for example, this approach is considered valuable for separating commercial aircraft flight control systems from passenger Internet access and entertainment systems), as a practical matter effective management of networked information systems, including such critical infrastructure assets as electrical generation and transmission systems facilities, requires interconnection to ensure effective management, administration, maintenance and reliability. Internet connectivity is becoming increasingly necessary, as we can see from new proposals for the "smart grid," which may require Internet communications from business premises and customer homes to help monitor electricity demand and other factors important to support national energy policy.

Even in the existing environment, companies have implemented Supervisory Control and Data Acquisition systems using the Internet to enable logins to remote sites to check systems and fix problems. Without Internet access, the cost of taking these systems off-line and putting them on a private network would be enormous.

Related to this is the fact that for all practical purposes even separate networks will rely on Internet Protocol (IP) technologies, standards and products to operate and will require the assessment and management of cyber security risks.
In today's environment, even very sensitive government networks require some connectivity to the public Internet, but have in place very strong controls to mitigate known risks.

The bottom line is that proposals to completely separate control systems from the public Internet are typically not feasible. We do have a responsibility, however, to treat our critical infrastructure networks differently. We should understand the risks and design systems and procedures that appropriately address these risks. In some rare cases this may require a dedicated network, but in most cases a mature, well-designed system of processes and technology will suffice. Our focus must be on effective cyber security risk management.

Q2. The comprehensive cyber security initiative that was created by President Bush and is continuing under President Obama focused on improving cyber security coordination across government and on funding game-changing "leap-ahead" technologies. Do you agree with these priorities? If you had an additional $100 million to spend on cyber security R&D, to what agencies and research areas would you devote it? Is there general agreement within the scientific community regarding security research priorities?

A2. Many details related to CNCI are classified, and so it remains difficult for private sector subject matter experts to assess the 12 CNCI components and their relative priorities in sufficient detail to understand how "leap-ahead" technologies development--technology is only one of the CNCI focus areas--ranks in terms of dollars and importance.
To many external experts, the broad bias in the CNCI's \npublicly-available descriptions appears to be on the defense and \nresponse aspects of cyber security, such as reducing the number of \nInternet connections, intrusion detection, intrusion prevention systems \nand situational awareness.\n    The absence of designated components in the critical areas of \nidentity management, authentication, authorization, data leak detection \nand prevention, insider threats, and governance areas such as records \nmanagement and e-discovery does not mean they are not being addressed \nor given priority in the research and development initiative, but they \nare not given emphasis in public information. This reinforces the \npoints I made in my testimony about the need for much more trusted \ncollaboration between the government and industry in developing an \neffective national cyber security research and development agenda.\n    In terms of what to do with $100 million in cyber security R&D \nfunding, my response would be that a reasoned way to answer that \nquestion is to put into place the model which I advocated in my \ntestimony: a collaborative research agenda, reflecting tactical, mid-\nterm and strategic research investments, and an accountability system \nfor achieving results. Again, it is very important that our limited \nresearch dollars are not allocated using the current contracts and \ngrants model. That model must be improved.\n\nQ3.  The strategy of both past and current administrations has focused \nmost of our cyber security investment--several billion dollars \nannually--on procuring and deploying intrusion detection systems. Due \nto the cat-and-mouse nature of cyber warfare and defense that several \nof you noted in your testimony, it seems that these systems are only \neffective against threats that we already know about and understand. \nGiven this reality, can this type of approach produce effective results \nover the medium- or even short-term? 
If not, is research on a new and \nfundamentally secure Internet architecture the only long-term answer?\n\nA3. As suggested in my previous response, an unbalanced focus on \nintrusion detection systems (IDS) overlooks the complexity of the cyber \nsecurity infrastructure and the multiple, interrelated areas of risk \nthat must be managed as part of a balanced cyber security risk \nmanagement program.\n    With respect to IDS specifically, in the academic arena IDS \nresearch has focused largely on anomaly detection, certainly an area of \npromise for detecting new attacks (unlike signature-based approaches). \nHowever, the false positive rate is still far too high, and it is \npossible that funding of research might help over the medium-term. \nHowever, IDS, while important, can never be the complete solution. IDS \nis a known entity in cyber warfare and as a known entity, it can be \nsubverted. Therefore, we must address other critical areas of cyber \nsecurity risk, and I would focus long-term research in the areas which \nI listed in my testimony.\n    For the long-term, I am not convinced that a ``new and \nfundamentally secure Internet architecture'' is possible. For \nexample, even in terms of advanced Internet protocols (which also have \nsecurity implications), we have not seen the widespread deployment of \nInternet Protocol Version 6 (IPv6), despite many operational benefits. \nAnd so the adoption of a completely new architecture would be more \nchallenging by an order of magnitude.\n    Perhaps a better approach is to fund research into how you can \nbuild accountability into systems, and what changes would be required \nto the current Internet to do that. Accountability may not be possible \nat the packet level, but it may be possible with changes in deployed \nsoftware and applications, which may contribute to some measure of \nimprovement to cyber security risk management.\n\nQ4.  
When this committee discusses a STEM education issue, we don't \njust focus on higher education. We start at the pre-K levels and extend \nbeyond post-graduate work. Most of the education-related testimony has \nfocused on our adult population either from an academic and workforce \nperspective, a behavioral perspective, or a public awareness \nperspective. What are your recommendations for our children when it \ncomes to cyber security in all of these areas?\n\nA4. It cannot be repeated too often: cyber security risk management \nrepresents an unprecedented challenge for government, business and \nindividuals and the global society, and one of its many components is \nthe need to educate Internet users at all ages. As I noted in my \ntestimony, education must play its appropriate role and do its part to \nprovide cyber security awareness, knowledge, skills for our youngest \nstudents, and also contribute to the widespread adoption of ethical \nbehaviors and practices by our youngest technology users.\n    I believe educational programs should be developed to ensure that \nteachers and schools have the skills and resources they need to make \nthis possible and can tailor their programs to specific age groups, \nwhich have specific characteristics and needs, and must have age-\nappropriate content, messaging and approaches. Like cyber security \nitself, the programs need to address complicated subjects and issues, \nand an effective program will require a strong partnership and broad-\nbased partnership among many stakeholders: school boards, educators and \nadministrators, parents, and other communities. This is an area where \nwell-understood approaches to educating the very young can and must be \napplied in support of a national cyber security educational agenda. \nAgain, this is an area where collaboration and partnering among key \nstakeholders is critical.\n\nQ5.  
You suggest in your testimony that it would be appropriate for a \ncompany to be awarded ``sole source'' federal funding for bringing a \nspecific new research idea or project to the attention of government. I \napplaud your proactive approach and agree that there are many research \nideas out there that will be conceived by the private sector and not by \none of our federal agencies. However, I also agree with you that awarding \nthe company with the idea raises ``legitimate concerns about the \nfairness of the award process.'' How would you suggest we make this \nwork and encourage companies to participate, while at the same time \nensuring the integrity of competitive federal solicitations? Wouldn't \nthe government and the American taxpayer gain more by an open \nsolicitation process that would perhaps even stimulate better ideas?\n\nA5. As I indicated in my testimony, a sole source approach would not \nsupplant open solicitations, but would serve an important role in \naugmenting the current process. If my proposal for a jointly-developed, \npartnership-based cyber security research and development agenda were \nimplemented, it would make possible the identification of clear \ncategories and specific areas of research, a prioritized ranking based \non risk imperatives, and a new process for funding contracts and grants \nusing existing research funding agencies and programs. 
This national \ncyber security R&D strategy could also incorporate a category for \nnovel, unanticipated, breakthrough ideas that could be submitted via \nunsolicited proposals or that could be awarded by research funding \nagencies directly outside the competitive solicitation process.\n    Whether agency-identified or proposed by external research \nentities, the awards process would require that the sole source grant \nor contract be awarded transparently, be viewed within the frame of the \noverall national research strategy, and be subject to accountability \nand performance controls.\n    In effect, I am proposing an approach that injects greater speed \nand flexibility into the research grants and contracts process for \nproposals that align with national objectives, but are out of cycle \nwith the regular solicitation process or are extremely novel. I do not \nsee sole source awards as a major tranche of awards, but as a way to \naugment the current process.\n    Finally, I believe that this option, as part of a broader national \nR&D strategy and plan, would serve as a clear incentive for research \nfunding agencies to be more receptive to unsolicited proposals and see \nthem as valuable--and supportable.\n</pre></body></html>\n"