[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



                           AGENCY RESPONSE TO
                        CYBERSPACE POLICY REVIEW

=======================================================================

                             JOINT HEARING

                               BEFORE THE

               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

                                AND THE

             SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION

                  COMMITTEE ON SCIENCE AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 16, 2009

                               __________

                           Serial No. 111-34

                               __________

     Printed for the use of the Committee on Science and Technology


     Available via the World Wide Web: http://www.science.house.gov

                                 ______







                  U.S. GOVERNMENT PRINTING OFFICE
50-171 PDF                WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001






                  COMMITTEE ON SCIENCE AND TECHNOLOGY

                   HON. BART GORDON, Tennessee, Chair
JERRY F. COSTELLO, Illinois          RALPH M. HALL, Texas
EDDIE BERNICE JOHNSON, Texas         F. JAMES SENSENBRENNER JR., 
LYNN C. WOOLSEY, California              Wisconsin
DAVID WU, Oregon                     LAMAR S. SMITH, Texas
BRIAN BAIRD, Washington              DANA ROHRABACHER, California
BRAD MILLER, North Carolina          ROSCOE G. BARTLETT, Maryland
DANIEL LIPINSKI, Illinois            VERNON J. EHLERS, Michigan
GABRIELLE GIFFORDS, Arizona          FRANK D. LUCAS, Oklahoma
DONNA F. EDWARDS, Maryland           JUDY BIGGERT, Illinois
MARCIA L. FUDGE, Ohio                W. TODD AKIN, Missouri
BEN R. LUJAN, New Mexico             RANDY NEUGEBAUER, Texas
PAUL D. TONKO, New York              BOB INGLIS, South Carolina
PARKER GRIFFITH, Alabama             MICHAEL T. MCCAUL, Texas
STEVEN R. ROTHMAN, New Jersey        MARIO DIAZ-BALART, Florida
JIM MATHESON, Utah                   BRIAN P. BILBRAY, California
LINCOLN DAVIS, Tennessee             ADRIAN SMITH, Nebraska
BEN CHANDLER, Kentucky               PAUL C. BROUN, Georgia
RUSS CARNAHAN, Missouri              PETE OLSON, Texas
BARON P. HILL, Indiana
HARRY E. MITCHELL, Arizona
CHARLES A. WILSON, Ohio
KATHLEEN DAHLKEMPER, Pennsylvania
ALAN GRAYSON, Florida
SUZANNE M. KOSMAS, Florida
GARY C. PETERS, Michigan
VACANCY
                                 ------                                

               Subcommittee on Technology and Innovation

                      HON. DAVID WU, Oregon, Chair
DONNA F. EDWARDS, Maryland           ADRIAN SMITH, Nebraska
BEN R. LUJAN, New Mexico             JUDY BIGGERT, Illinois
PAUL D. TONKO, New York              W. TODD AKIN, Missouri
DANIEL LIPINSKI, Illinois            PAUL C. BROUN, Georgia
HARRY E. MITCHELL, Arizona               
GARY C. PETERS, Michigan                 
BART GORDON, Tennessee               RALPH M. HALL, Texas
                 MIKE QUEAR Subcommittee Staff Director
        MEGHAN HOUSEWRIGHT Democratic Professional Staff Member
            TRAVIS HITE Democratic Professional Staff Member
         HOLLY LOGUE PRUTZ Democratic Professional Staff Member
             DAN BYERS Republican Professional Staff Member
                  VICTORIA JOHNSTON Research Assistant
                                 ------                                

             Subcommittee on Research and Science Education

                 HON. DANIEL LIPINSKI, Illinois, Chair
EDDIE BERNICE JOHNSON, Texas         VERNON J. EHLERS, Michigan
BRIAN BAIRD, Washington              RANDY NEUGEBAUER, Texas
MARCIA L. FUDGE, Ohio                BOB INGLIS, South Carolina
PAUL D. TONKO, New York              BRIAN P. BILBRAY, California
PARKER GRIFFITH, Alabama                 
RUSS CARNAHAN, Missouri                  
BART GORDON, Tennessee               RALPH M. HALL, Texas
               DAHLIA SOKOLOV Subcommittee Staff Director
            MARCY GALLO Democratic Professional Staff Member
           MELE WILLIAMS Republican Professional Staff Member
                    BESS CAUGHRAN Research Assistant











                            C O N T E N T S

                             June 16, 2009

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative David Wu, Chairman, Subcommittee on 
  Technology and Innovation, Committee on Science and Technology, 
  U.S. House of Representatives..................................    10
    Written Statement............................................    10

Statement by Representative Adrian Smith, Ranking Minority 
  Member, Subcommittee on Technology and Innovation, Committee on 
  Science and Technology, U.S. House of Representatives..........    11
    Written Statement............................................    12

Statement by Representative Daniel Lipinski, Chairman, 
  Subcommittee on Research and Science Education, Committee on 
  Science and Technology, U.S. House of Representatives..........    12
    Written Statement............................................    13

Statement by Representative Vernon J. Ehlers, Ranking Minority 
  Member, Subcommittee on Research and Science Education, 
  Committee on Science and Technology, U.S. House of 
  Representatives................................................    13
    Written Statement............................................    14

Prepared Statement by Representative Harry E. Mitchell, Member, 
  Subcommittee on Technology and Innovation, Committee on Science 
  and Technology, U.S. House of Representatives..................    14

                               Witnesses:

Ms. Cita M. Furlani, Director, Information Technology Laboratory, 
  National Institute of Standards and Technology (NIST), U.S. 
  Department of Commerce
    Oral Statement...............................................    15
    Written Statement............................................    16
    Biography....................................................    20

Dr. Jeannette M. Wing, Assistant Director, Computer and 
  Information Science and Engineering Directorate, National 
  Science Foundation (NSF)
    Oral Statement...............................................    21
    Written Statement............................................    23
    Biography....................................................    27

Dr. Robert F. Leheny, Acting Director, Defense Advance Research 
  Projects Agency (DARPA)
    Oral Statement...............................................    28
    Written Statement............................................    30
    Biography....................................................    37

Dr. Peter M. Fonash, Acting Deputy Assistant Secretary, Office of 
  Cybersecurity and Communications, National Protection and 
  Programs Directorate, U.S. Department of Homeland Security 
  (DHS)
    Oral Statement...............................................    37
    Written Statement............................................    40
    Biography....................................................    45

Discussion.......................................................    46

              Appendix: Answers to Post-Hearing Questions

Ms. Cita M. Furlani, Director, Information Technology Laboratory, 
  National Institute of Standards and Technology (NIST), U.S. 
  Department of Commerce.........................................    68

Dr. Jeannette M. Wing, Assistant Director, Computer and 
  Information Science and Engineering Directorate, National 
  Science Foundation (NSF).......................................    70

Dr. Peter M. Fonash, Acting Deputy Assistant Secretary, Office of 
  Cybersecurity and Communications, National Protection and 
  Programs Directorate, U.S. Department of Homeland Security 
  (DHS)..........................................................    74

 
              AGENCY RESPONSE TO CYBERSPACE POLICY REVIEW

                              ----------                              


                         TUESDAY, JUNE 16, 2009

                  House of Representatives,
         Subcommittee on Technology and Innovation,
                                   jointly with the
            Subcommittee on Research and Science Education,
                       Committee on Science and Technology,
                                                    Washington, DC.

    The Subcommittees met, pursuant to call, at 2:47 p.m., in 
Room 2318 of the Rayburn House Office Building, Hon. David Wu 
[Chairman of the Subcommittee on Technology and Innovation] 
presiding.


                            hearing charter

               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

                            JOINTLY WITH THE

             SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION

                  COMMITTEE ON SCIENCE AND TECHNOLOGY

                     U.S. HOUSE OF REPRESENTATIVES

                           Agency Response to

                        Cyberspace Policy Review

                         tuesday, june 16, 2009
                          2:00 p.m.-4:00 p.m.
                   2318 rayburn house office building

Purpose

    On Tuesday, June 16, 2009, the Subcommittee on Technology and 
Innovation and the Subcommittee on Research and Science Education will 
convene a joint hearing to review the response of the Department of 
Homeland Security (DHS), the National Institute of Standards and 
Technology (NIST), the National Science Foundation (NSF), and the 
Defense Advanced Research Projects Agency (DARPA) to the findings and 
recommendations in the Administration's 60-day Cyberspace Policy 
Review.

II. Witnesses

Ms. Cita Furlani is the Director of the Information Technology 
Laboratory at the National Institute of Standards and Technology.

Dr. Jeannette Wing is the Assistant Director of the Directorate for 
Computer & Information Science & Engineering at the National Science 
Foundation.

Dr. Robert Leheny is the Acting Director of the Defense Advanced 
Research Projects Agency at the Department of Defense.

Dr. Peter Fonash is the Acting Deputy Assistant Secretary for the 
Office of Cyber Security Communications at the Department of Homeland 
Security.

III. Overview

    In January 2008, the Bush Administration established, through a 
series of classified executive directives, the Comprehensive National 
Cybersecurity Initiative (CNCI). While the details of the CNCI are 
largely classified, the goal of the multi-faceted initiative was to 
secure federal systems.\1\ A number of security experts have expressed 
concern that the classified nature of the CNCI has inhibited active 
engagement with the private sector despite the fact that 85 percent of 
the Nation's critical infrastructure is owned and operated by private 
entities. While experts are concerned by the lack of transparency and 
public-private cooperation under the CNCI, they have also urged 
President Obama to build upon the existing structure. In February 2009, 
the Obama Administration called for a 60-day review of the national 
cybersecurity strategy. The President's review required the development 
of a framework that would ensure that the CNCI was adequately funded, 
integrated, and coordinated among federal agencies, the private sector, 
and State and local authorities.
---------------------------------------------------------------------------
    \1\ CNCI objectives have been assembled from various media reports. 
Comprehensive National Cybersecurity Initiative: Legal Authorities and 
Policy Considerations, http://apps.crs.gov/products/r/pdf/R40427.pdf
---------------------------------------------------------------------------
    On May 29, 2009, the Administration released its 60-day review of 
cyberspace policy. The review team acknowledged the difficult task of 
addressing cybersecurity concerns in a comprehensive fashion due to the 
large number of federal departments and agencies with cybersecurity 
responsibilities and overlapping authorities. According to the review, 
cybersecurity leadership must come from the top. To that end, the 
President plans to appoint a ``cyber czar'' who will oversee the 
development and implementation of a national strategy for improving 
cybersecurity. The appointee will report to both the National Security 
Council and the National Economic Council. The report suggests that the 
appointee should also chair the Information and Communications 
Infrastructure Interagency Policy Council (ICI-IPC), an existing policy 
coordinating body to ensure ``a reliable, secure and survivable global 
information and communications infrastructure.'' The review team also 
emphasized the need for the Federal Government to partner with the 
private sector to guarantee a secure and reliable infrastructure. 
Furthermore, it highlighted the need for increased public awareness, 
the education and expansion of the Information Technology (IT) 
workforce, and the importance of advancing cybersecurity research and 
development.

IV. Issues and Concerns

    The Cyberspace Policy Review includes a number of near-term and 
mid-term action plans that are relevant to the Committee's work on the 
issue. (Please see the appendix for a complete list.) The review 
uniformly calls for increased coordination and integration of current 
efforts among all federal departments and agencies. The Committee is 
interested in how information is shared across the diverse array of 
coordinating bodies, which models of coordination are the most 
effective, and why the current mechanisms have been inadequate.

Research and Development
    In the near-term, the review team recommends the development of a 
framework for research and development (R&D) strategies that focus on 
game-changing technologies that have the potential to enhance the 
security, reliability, resilience, and trustworthiness of the digital 
infrastructure.
    In the mid-term, the review team recommends that the agencies 
expand support for R&D to ensure the Nation's continued ability to 
compete in the information age economy.
    Unclassified federal cybersecurity R&D is inventoried under the 
interagency Networking and Information Technology R&D (NITRD) Program. 
The NITRD agencies have requested a total of $343 million for the Cyber 
Security and Information Assurance (CSIA) R&D in FY 2010. A report\2\ 
by the Center for Strategic and International Studies (CSIS) on 
cybersecurity stated that ``a $300 million R&D investment is 
inadequate.'' Additionally, a 2007 National Research Council (NRC) 
report\3\ on cyberspace indicated that cybersecurity research funding 
was too low for researchers to pursue their promising ideas and 
sustained funding was necessary to increase the number of researchers 
examining cybersecurity topics, however, neither report offers guidance 
on the appropriate level of funding.
---------------------------------------------------------------------------
    \2\ Securing Cyberspace for the 44th Presidency, Center for 
Strategic and International Studies, http://www.csis.org/component/
option,com-csis-pubs/task,view/id,5157/type,0/
    \3\ Toward a Safer and More Secure Cyberspace, National Research 
Council, http://www.nap.edu/catalog.php?record-id=11925
---------------------------------------------------------------------------
    The task of coordinating unclassified cybersecurity R&D falls to 
CSIA interagency working group under NITRD, and to date, there have 
been no suggestions that another group should assume this 
responsibility. However, the federal plan for cybersecurity R&D 
developed by the working group in 2006 has been heavily criticized. The 
various reports2x-83 and groups indicate that the 
plan is just an aggregate of agency R&D activities, and they have 
called for the development of a set of national research objectives and 
funding priorities as well as a roadmap to achieve those objectives. 
Experts have also expressed concern that the CSIA R&D portfolio is 
inappropriately weighted toward short-term projects rather than long-
term, potentially transformative research. Additionally, private sector 
stakeholders, including witnesses at the June 10th hearing, have 
suggested that NITRD is requesting input on the R&D agenda too late in 
the process for the input to be properly considered. The Committee is 
interested in the development of a national cybersecurity strategy with 
clear R&D objectives that is fully informed by academic and industry 
stakeholders.
    The review team also recommended that the agencies provide the 
research community access to event data to facilitate developing tools, 
testing theories, and identifying workable solutions. Some in the 
research community have expressed concern that much of the realistic 
data necessary for the modeling and evaluation of cybersecurity 
technologies is classified or proprietary and therefore unavailable to 
them. DARPA is in the process of developing a large-scale testbed, the 
National Cyber Range (NCR), which will provide ``an environment for 
realistic, qualitative and quantitative assessment of potentially 
revolutionary cyber research and development technologies.'' According 
to DARPA officials, the intent is to have the NCR available for both 
classified and unclassified research, but it remains to be determined 
if adequate firewalls can be built into the system to make this a 
viable goal. Related to that, the Committee is interested in exploring 
to what extent the academic research community will be involved in the 
design of NCR and whether NCR will meet their needs assuming they are 
granted access.

Education
    There is general agreement that there are significant unmet needs 
for both public education and formal education and training for 
information technology students and professionals. The Administration's 
review team called for the evaluation and possible expansion of 
existing education programs, and specifically mentioned three programs: 
Pathways to Revitalized Undergraduate Education in Computing (CPATH), 
Scholarship for Service, and the National Centers for Academic 
Excellence in Information Assurance Education and Research.
    CPATH is an NSF sponsored program that seeks to increase the number 
of students with computational thinking skills by providing those types 
of learning opportunities in core computing classes and in other fields 
of study. The CPATH program receives $10 million annually.
    The Scholarship for Service program is sponsored by NSF and DHS and 
it provides two-year scholarships to students who are interested in 
pursuing a degree in information assurance and computer security. 
Scholarship recipients are required to work for two years in the 
Federal Government upon completion of their degree. The Scholarship for 
Service program is funded at $10.3 million for FY 2009, and to date, 
970 scholars have been placed in federal agencies.
    The National Centers for Academic Excellence in Information 
Assurance Education and Research, which have been in place since 1998, 
are sponsored by the National Security Agency (NSA) and DHS. 
Institutions must meet specific requirements prior to designation as a 
center for excellence and they must go through re-certification every 
five years. There are currently 94 institutions across 38 states and 
the District of Columbia. A number of institutions have expressed 
concern that the certification requirements do not accurately reflect 
the rigorousness of the information assurance or computer security 
degree offered by the institution, and therefore have chosen to let 
their certification lapse.

Standards and Metrics
    Throughout its recommendations, the review team highlights the need 
for the increased use of metrics to guide strategies and to make key 
planning decisions. They recommend the development of a formal program 
assessment framework that would guide departments and agencies in 
defining the purpose, goal, and success criteria for each program. This 
framework could then be used as a basis for implementing a performance-
based budgeting process, setting priorities for research and 
development initiatives, and assisting in development of the next-
generation networks.
    The review team also stresses the importance of developing 
standards for incident reporting, for both the Federal Government and 
private industry. Current reporting policies vary by federal department 
and agency based on their statutory authorities, privacy concerns, and 
historical practices. The consolidation of reporting policies in the 
Federal Government and expansion into the private sector would allow 
for more reliable and timely responses to cyber attacks.
    When developing cybersecurity standards and guidelines, NIST 
monitors standards from international bodies such as the International 
Organization for Standardization (ISO). The review team, along with a 
report\4\ from the Government Accountability Office (GAO), recommends 
that the Federal Government not only adopt appropriate standards 
developed by international bodies, but actively work with them to 
develop standards that will provide solidarity across international 
borders.
---------------------------------------------------------------------------
    \4\ National Cybersecurity Strategy: Key Improvements Are Needed to 
Strengthen the Nation's Posture, Government Accountability Office, 
http://www.gao.gov/new.items/d09432t.pdf

Cybersecurity Operations and Information Coordination
    The review team calls for assessments of many of the cybersecurity 
programs in DHS and for an increased level of coordination among the 
federal departments and agencies, as well as the private sector. 
Although the report highlights coordination and partnership as a key 
element in cybersecurity strategy, it concedes that private industry 
may be reluctant to give information on cyber attacks due to concerns 
about reputational harm and liability. The Federal Government limits 
shared information based on the need to protect sensitive intelligence 
sources and the privacy rights of individuals. For programs like DHS's 
National Cyber Alert System to function as intended, guidelines must be 
established to enable all parties to effectively distribute cyber 
attack information and respond appropriately.

V. Background

    In the current system, responsibilities for the security of federal 
network systems fall to many different agencies. NSA is responsible for 
all classified network systems. The Department of Defense (DOD) is 
responsible for military network systems and DHS is responsible for all 
federal civilian network systems. Additionally, DHS is responsible for 
communicating information on cyber attacks to other federal agencies. 
NIST develops and promulgates standards to help secure the federal 
civilian network systems, along with their other roles that will be 
discussed below. The Office of Management and Budget (OMB) implements 
and enforces the standards set by NIST. Three key agencies, NSF, DHS 
and DOD (specifically DARPA) fund the majority of cybersecurity R&D.

Department of Homeland Security

    As tasked in Homeland Security Presidential Directive (HSPD) 7, 
DHS, ``. . . shall be responsible for coordinating the overall national 
effort to enhance the protection of the critical infrastructure and key 
resources of the United States. The Secretary shall serve as the 
principal federal official to lead, integrate, and coordinate 
implementation of efforts among federal departments and agencies, State 
and local governments, and the private sector to protect critical 
infrastructure and key resources.'' As a response to HSPD-7, DHS 
created the National Cyber Security Division, detailed below. In 2008, 
HSPD-23, which was mostly classified, called for a central location to 
gather all of the cybersecurity information on attacks and 
vulnerabilities. DHS created the National Cyber Security Center to meet 
this need.

National Cyber Security Division

    The National Cyber Security Division (NCSD) is the operational arm 
of DHS's cybersecurity group and handles a host of tasks: they detect 
and analyze cyber attacks, disseminate cyber attack warnings to other 
Federal Government agencies, conduct cybersecurity exercises, and help 
reduce software vulnerabilities. The budget request for the NCSD is 
$400 million, an increase of $87 million above FY 2009.

          United States Computer Emergency Readiness Team
           Within NCSD, the U.S. Computer Emergency Readiness Team (US-
        CERT) monitors the federal civilian network systems on a 24/7 
        basis and issues warnings to both federal agencies and the 
        public through the National Cyber Alert System when cyber 
        attacks occur.

           EINSTEIN--The EINSTEIN program is an intrusion detection 
        system which US-CERT uses to monitor the federal civilian 
        network connections for unauthorized traffic.

          National Cyber Response Coordination Group
           The National Cyber Response Coordination Group (NCRCG), 
        composed of US-CERT and the cybersecurity groups of DOD, 
        Federal Bureau of Investigation (FBI), NSA, and the 
        intelligence community, coordinates the federal response to a 
        cyber attack. Once an attack is detected, a warning is issued 
        through the NCRCG to all federal agencies and the public.

          Cyber Storm
           Cyber Storm is a biennial cybersecurity exercise that allows 
        participants to assess their ability to prepare for, protect 
        from, and respond to cyber attacks that are occurring on a 
        large-scale and in real-time. Cyber Storm exercises have taken 
        place in 2006 and 2008, with five countries, 18 federal 
        agencies, nine U.S. states, and over 40 private sector 
        companies.

          Software Assurance Program
           The Software Assurance Program maintains a clearinghouse of 
        information gathered from federal and private industry 
        cybersecurity efforts, as well as university research, for 
        public use. The Program has established Working Groups focused 
        on specific software areas and holds regular forums to help 
        encourage collaboration.

National Cyber Security Center

    The National Cyber Security Center (NCSC) was created in 2008 to 
act as a coordinating group for consolidating, assessing and 
disseminating information on cyber attacks and vulnerabilities gathered 
from the cybersecurity efforts of DOD, DHS, NSA, FBI, and the 
intelligence community. By collecting information from all of these 
departments, the NCSC was established to provide a single source of 
critical cybersecurity information for all public and private 
stakeholders. Funding for NCSC in FY 2010 is $4 million.

Cyber Security Research and Development Center

    Cybersecurity research within DHS is planned, managed, and 
coordinated through the Science and Technology Directorate's Cyber 
Security Research and Development Center. This center supports the 
research efforts of the Homeland Security Advanced Research Projects 
Agency (HSARPA), coordinates the testing and evaluation of 
technologies, and manages technology transfer efforts. The FY 2010 
budget includes $37.2 million for cybersecurity R&D at DHS; this is an 
increase of $6.6 million over FY 2009.

National Institute of Standards and Technology

    NIST is tasked with protecting the federal information technology 
network by developing and promulgating cybersecurity standards for 
federal civilian network systems (Federal Information Processing 
Standard [FIPS]), identifying methods for assessing effectiveness of 
security requirements, conducting tests to validate security in 
information systems, and conducting outreach exercises. These tasks 
were appointed to NIST in the Computer Security Act of 1987. In the 
Federal Information Security Management Act of 2002, OMB was tasked to 
develop implementation plans and enforce the use of the FIPS developed 
by NIST. Cybersecurity activities are conducted through NIST's 
Information Technology Laboratory which has a budget request of $72 
million for FY 2010, including $15 million in support of the CNCI and 
$29 million for CSIA R&D.

Computer Security Division

    The Computer Security Division (CSD) within the Information 
Technology Laboratory houses the cybersecurity activities of NIST and 
is divided into four groups.

          Security Technology
           The Security Technology group focuses on cryptography and 
        online identity authentication. These areas enable federal 
        civilian network system users to access information both in the 
        office and remotely in a secure manner using technologies such 
        as: cryptographic protocols and interfaces, public key 
        certificate management, biometrics, and smart tokens.

          Systems and Network Security
           The Systems and Network Security group maintains a number of 
        databases and checklists that are designed to assist public and 
        private network users in configuration of more secure systems. 
        The group also conducts research in all areas of network 
        security technology to develop new standards and transfer 
        technologies to the public.

                 National Checklist Program--This program helps develop 
                and maintain checklists to guide network users to 
                configure network systems with basic security settings.

                 National Vulnerability Database--This database 
                contains information on known vulnerabilities in 
                software and fixes for these vulnerabilities.

                 Federal Desktop Core Configuration--This program 
                supplies security configurations for all federal 
                civilian network systems using either Microsoft Windows 
                XP or Vista. By supplying a standard configuration, 
                this program enables security professionals to default 
                to a known secure configuration for all new desktop 
                computers and when experiencing a cyber attack.

          Security Management and Assistance
           This group extends information security training, awareness 
        and education programs to both public and private parties.

                 Federal Agency Security Practices (FASP)--This web 
                site provides information on cybersecurity best 
                practices for public, private, and academia use. It 
                contains implementation guides for education programs 
                and a contact list of FASP staff for consultation.

                 Information Security and Privacy Advisory Board 
                (ISPAB)--This board advises NIST, the Secretary of 
                Commerce, and OMB on information security and privacy 
                issues pertaining to federal civilian network systems. 
                They also review proposed standards and guidelines 
                developed by NIST.

                 Small Business Corner--This program provides workshops 
                for small business owners to learn how to secure 
                business information on small networks in a practical 
                and cost-effective manner.

          Security Testing and Metrics
           The Security Testing and Metrics group develops methods and 
        baselines to test security products and validate products for 
        government use.

National Science Foundation

    NSF's cybersecurity research activities are primarily funded 
through the Directorate for Computer & Information Science & 
Engineering (CISE). CISE supports cybersecurity R&D through a targeted 
program, Trustworthy Computing, as well as through a number of its core 
activities in Computer Systems Research, Computing Research 
Infrastructure, and Network and Science Engineering. The cybersecurity 
portfolio supports both theoretical and experimental research. NSF 
cybersecurity research and education activities are funded at $127 
million for FY 2010.

          Trustworthy Computing Program
           The Trustworthy Computing program, funded at $67 million for 
        FY 2010, is an outgrowth of NSF's Cyber Trust program, which 
        was developed in response to the Cybersecurity R&D Act of 2003. 
        The program supports research into new models, algorithms, and 
        theories for analyzing the security of computer systems and 
        data components. It also supports investigation into new 
        security architectures; methodologies that promote usability in 
        conjunction with protection; and new tools for the evaluation 
        of system confidence and security.

          Scholarship for Service
           In addition to its basic research activities, NSF's 
        Directorate for Education & Human Resources (EHR) manages the 
        Scholarship for Service program which provides funding to 
        colleges and universities for the award of two-year 
        scholarships in information assurance and computer security 
        fields. Scholarship recipients are required to work for two 
        years in the Federal Government, upon completion of their 
        degree. EHR also supports the development of cybersecurity 
        professionals through the Advanced Technological Education 
        (ATE) program, which focuses on the education of technicians 
        for high-technology fields.

Defense Advanced Research Projects Agency

    DARPA is the principal R&D agency of DOD; its mission is to 
identify and develop high-risk, high-reward technologies of interest to 
the military. DARPA's cybersecurity activities are conducted primarily 
through the Strategic Technology Office and the Information Assurance 
and Survivability project, which is tasked with developing technologies 
that make emerging information systems such as wireless and mobile 
systems secure. The budget request for the Information Assurance and 
Survivability project is $113.6 million in FY 2010.

          Intrinsically Assured Mobile Ad-Hoc Network
           The Intrinsically Assured Mobile Ad-Hoc Network (IAMANET) 
        program is tasked with designing a tactical wireless network 
        that is secure and resilient to a broad range of threats, 
        including cyber attacks, electronic warfare and malicious 
        insiders. The budget request for IAMANET is $14.5 million.

          Trustworthy Systems & TrUST
           The goal of the Trustworthy Systems program, with a budget 
        request of $11.1 million, is to provide foundational 
        trustworthy computer platforms for Defense Department systems. 
        DARPA is also examining potential supply chain vulnerabilities 
        in the Trusted, Uncompromised Semiconductor Technology program 
        (TrUST) by developing methods to determine whether a microchip 
        manufactured through a process that is inherently ``untrusted'' 
        (i.e., not under our control) can be ``trusted'' to perform 
        just the design operations and no more. The budget request for 
        TrUST is $33.5 million.

          National Cyber Range
           The goal of the NCR is to provide a revolutionary 
        environment for research organizations to test the security of 
        information systems. The budget request for the NCR is $50 
        million for FY 2010.
    Chairman Wu. This hearing will now come to order. Welcome 
everyone to this afternoon's hearing on the Administration's 
Cyberspace Policy Review. This is the second of three hearings 
the Science and Technology Committee is holding on 
cybersecurity. Last week the Research and Science Education 
Subcommittee held a hearing on the research needs for improved 
cybersecurity, and next week my Technology and Innovation 
Subcommittee will hold a hearing on the cybersecurity 
activities of the National Institute of Standards and 
Technology (NIST) and the Department of Homeland Security 
(DHS).
    I have been long concerned by the lack of attention given 
to cybersecurity by the Federal Government and by the private 
sector. Previously, federal efforts were output oriented-
focused on things like the number of programs, funds spent, or 
numbers of interagency working groups--rather than outcome 
driven. I am pleased that the new Administration has made 
cybersecurity a top priority and is focusing efforts on 
achieving outcomes such as fewer breaches of federal systems, 
fewer cases of identity theft, and the security of smart grid 
systems and health IT systems.
    In order to achieve these very, very important results, it 
is essential to first conduct a review of our federal 
cybersecurity structure and efforts. The Administration's 
cyberspace review does not make any brand new recommendations. 
However, it is valuable as a frank assessment of current 
federal activities and a roadmap for what needs to be fixed. In 
general, the recommendations suggest improving interagency 
coordination and coordination with the private sector, 
modernizing the research agenda, and enhancing public education 
on cybersecurity.
    By addressing each of these recommendations we are laying 
the building blocks for our new, outcomes-based approach to 
federal cybersecurity. The four agencies appearing before the 
Committee today have a significant role to play in creating 
that foundation. During today's hearing, I hope to learn how 
each agency intends to improve its current cybersecurity 
efforts in response to the Administration's review. This 
information will help guide the Committee's ongoing efforts to 
protect our nation's data, computer systems and its citizens.
    [The prepared statement of Chairman Wu follows:]
                Prepared Statement of Chairman David Wu
    I want to welcome everyone to this morning's hearing on the 
administration's cyberspace policy review. This is the second of three 
hearings the Science and Technology Committee is holding on 
cybersecurity. Last week the Research and Science Education 
Subcommittee held a hearing on the research needs for improved 
cybersecurity, and next week my Technology and Innovation Subcommittee 
will hold a hearing on the cybersecurity activities at the National 
Institute of Standards and Technology and the Department of Homeland 
Security.
    I have long been concerned by the lack of attention given to 
cybersecurity by the Federal Government. Previously, federal efforts 
were output oriented-focused on things like the number of programs, 
funds spent, or numbers of interagency working groups--rather than 
outcome driven. I am pleased that the new Administration has made 
cybersecurity a top priority and is focusing efforts on achieving 
outcomes such as fewer breaches of federal systems, fewer cases of 
identity theft, and the security of smart grid systems and health IT 
systems.
    In order to achieve those important results, it was essential to 
first conduct a review of our federal cybersecurity structure. The 
Administration's cyberspace review does not make any brand new 
recommendations. However, it is valuable as a frank assessment of 
current federal activities and a roadmap for what needs to be fixed. In 
general, the recommendations suggest improving interagency coordination 
and coordination with the private sector, modernizing the research 
agenda, and enhancing public education on cybersecurity.
    By addressing each of these recommendations we are laying the 
building blocks for our new, outcomes-based approach to federal 
cybersecurity. The four agencies appearing before the Committee today 
have a significant role to play in creating that foundation. During 
today's hearing, I hope to learn how each agency intends to improve 
their current cybersecurity efforts in response to the Administration's 
review. This information will help guide the Committee's ongoing 
efforts to protect our nation's data and citizens.

    Chairman Wu. I want to thank our witnesses for appearing 
before us today, and now I would like to recognize 
Representative Smith for his opening statement.
    Mr. Smith. Thank you, Chairman Wu, and thank you for 
holding this hearing today to review the Administration's 
efforts to strengthen cybersecurity as outlined specifically in 
the White House's recently released Cyberspace Policy Review. 
While federal efforts to increase network security date back 
several years, they were brought to the forefront in early 2008 
when President Bush formally established the Comprehensive 
National Cyber Security Initiative to deal with widespread and 
successful cyber attacks on federal networks. President Obama 
has committed to fully continue this effort under his 
Administration and emphasized its importance in a recent 
speech.
    It seems the continuity across the Bush and Obama 
Administrations, as well as the increased attention being given 
to this issue in Congress, provide indication of a small but 
important advantage of where we were just a couple of years 
ago. Awareness of this problem and the need for action is now 
nearly universal. There is broad agreement on the seriousness 
and magnitude of our cybersecurity vulnerabilities and the 
complexity of the technical and policy changes that must be 
addressed to overcome them.
    However, while there is a consensus on the problem, we are 
still at the earliest stages of identifying and implementing 
solutions, and we are working through relatively unchartered 
policy territory as we do so. Accordingly, I hope both Congress 
and the Administration will work to balance the pressure to act 
quickly and aggressively on cybersecurity with the need for 
thorough and deliberate consideration of all possible courses 
of action.
    To this end, as we hold these hearings and consider 
legislative options later this summer, I hope to focus on three 
broad areas of cybersecurity policy: (1) R&D. Are we investing 
enough in R&D given its importance as the primary driver of 
increasing security over the long-term? (2) DHS-led efforts to 
secure the dot-gov domain. Are we confident that the reported 
$30 billion price tag of this initiative is appropriately 
focused, and is its centerpiece program EINSTEIN going to 
provide effective and lasting security? And (3) private sector 
critical infrastructure. What is the best approach to improving 
the security of these networks? Do new regulations or liability 
protections make sense or could they be counterproductive to 
our security goals?
    I hope today's hearing will serve to begin the process of 
answering these questions. I thank the witnesses for being 
here, and I certainly look forward to a productive discussion. 
I yield back.
    [The prepared statement of Mr. Smith follows:]
           Prepared Statement of Representative Adrian Smith
    Mr. Chairman, thank you for holding this hearing today to review 
the Administration's efforts to strengthen cybersecurity, as outlined 
specifically in the White House's recently released Cyberspace Policy 
Review.
    While federal efforts to increase network security date back 
several years, they were brought to the forefront in early 2008, when 
President Bush formally established the Comprehensive National 
Cybersecurity Initiative to deal with widespread and successful 
cyberattacks on federal networks. President Obama has committed to 
fully continue this effort under his administration and emphasized its 
importance in a recent speech.
    It seems this continuity across the Bush and Obama 
Administrations--as well as the increased attention being given to this 
issue in Congress--provide indication of a small but important 
advantage over where we were just a couple of years ago: awareness of 
this problem and the need for action is now nearly universal. There is 
broad agreement on the seriousness and magnitude of our cybersecurity 
vulnerabilities, and the complexity of the technical and policy 
challenges that must be addressed to overcome them.
    However, while there is a consensus on the problem, we are still at 
the earliest stages of identifying and implementing solutions, and 
we're working through relatively un-chartered policy territory as we do 
so. Accordingly, I hope both Congress and the Administration will work 
to balance the pressure to act quickly and aggressively on 
cybersecurity with the need for thorough and deliberate consideration 
of all possible courses of action.
    To this end, as we hold these hearings and consider legislative 
options later this summer, I hope to focus on three broad areas of 
cybersecurity policy: (1) R&D--Are we investing enough in R&D given its 
importance as the primary driver of increasing security over the long-
term?; (2) DHS-led efforts to secure the dot-gov domain--are we 
confident that the reported $30 billion price tag of this initiative is 
appropriately focused, and is its centerpiece program EINSTEIN going to 
provide effective and lasting security?; and (3) private sector 
critical infrastructure--what is the best approach to improving the 
security of these networks--do new regulations or liability protections 
make sense, or could they be counterproductive to our security goals?
    I hope today's hearing will serve to begin the process of answering 
these questions. I thank the witnesses for being here and I look 
forward to a productive discussion.

    Chairman Wu. Thank you very much, Mr. Smith. And now I 
would like to recognize Representative Lipinski, Chairman of 
the Research Subcommittee, for his opening statement.
    Chairman Lipinski. Good afternoon. I would like to thank 
Chairman Wu for joining me in holding this hearing. I look 
forward to working with him and other Members of this committee 
on the critical issue of cybersecurity.
    Last week my Research and Science Education Subcommittee 
held a hearing on the state of cybersecurity R&D, and several 
of our witnesses emphasized the need for better partnerships 
and information sharing between the Federal Government and the 
private sector. We also discussed the challenges facing 
incentivizing agencies, companies, and individuals, especially 
those that don't face an immediate or obvious threat to adopt 
established best practices and to disclose breaches in 
security, and the expert panel echoed recent reports regarding 
concerns over lack of prioritization in the federal R&D 
portfolio.
    One additional issue we discussed in last week's hearing 
was the importance of education. The panel emphasized that our 
IT workforce needs to be taught the skills necessary to 
incorporate security into software and systems from the 
beginning. But IT professionals are not the only ones who need 
to be better educated. The panel agreed that increasing the 
public's awareness of the risks and consequences of poor 
security practices is also essential. People are the 
beneficiaries of IT but also the weakest link in IT security, 
and computer scientists need to team with social scientists to 
gain a better understanding of how humans interact with and 
utilize technology.
    We need a cultural change in the ways that Americans 
practice their computer hygiene.
    Now, today I look forward to hearing from our witnesses 
about their agency's responses to the cyberspace policy review. 
As I said, this is a critical issue, and I am very happy that 
the Administration has focused in on it and we are doing so 
here on the Committee.
    A secure and resilient cyberspace is vital not only for the 
Federal Government, but for businesses large and small and for 
every single American. This goal can only be realized through 
our combined efforts and a multi-disciplinary approach to the 
problem. So all of our witnesses and their agencies will play a 
key role in maintaining this vital cyberspace. I want to thank 
the witnesses for taking the time to appear before us this 
afternoon, and I look forward to your testimony.
    [The prepared statement of Chairman Lipinski follows:]
             Prepared Statement of Chairman Daniel Lipinski
    Good afternoon. I'd like to thank Chairman Wu for joining me in 
holding this hearing, and I look forward to working with him on this 
critical issue of cybersecurity.
    Last week, my Research & Science Education Subcommittee held a 
hearing on the state of cybersecurity R&D. Several of our witnesses 
emphasized the need for better partnerships and information sharing 
between the Federal Government and the private sector. We also 
discussed the challenges faced in incentivizing agencies, companies, 
and individuals--especially those that don't face an immediate or 
obvious threat--to adopt established best practices and to disclose 
breaches in security. And the expert panel echoed recent reports 
regarding concerns over a lack of prioritization in the federal R&D 
portfolio.
    One additional issue we discussed in last week's hearing was the 
importance of education. The panel emphasized that our IT workforce 
needs to be taught the skills necessary to incorporate security into 
software and systems from the beginning. But IT professionals are not 
the only ones who need to be better educated. The panel agreed that 
increasing the public's awareness of the risks and consequences of poor 
security practices is also essential. People are the beneficiaries of 
IT but also the weakest link in IT security, and computer scientists 
need to team with social scientists to gain a better understanding of 
how humans interact with and utilize technology. We need a ``cultural 
change'' in the ways that Americans practice ``computer hygiene.''
    I look forward to hearing from our witnesses today about their 
agencies' responses to the Cyberspace Policy Review. As I said, this is 
a critical issue. A secure and resilient cyberspace is vital not only 
for the Federal Government, but for businesses--large and small--and 
for every single American. This goal can only be realized through our 
combined efforts, and a multi-disciplinary approach to the problem. So 
all of you and your agencies will play a key role in maintaining a 
vital cyberspace.
    I want to thank the witnesses for taking the time to appear before 
us this afternoon and I look forward to your testimony.

    Chairman Wu. Thank you, Chairman Lipinski. And now I would 
like to recognize Mr. Ehlers for his opening statement, the 
Ranking Member of the Research Subcommittee.
    Mr. Ehlers. Thank you, Mr. Chairman. As the last and 
probably least, I will try to keep my comments very short.
    The security of our information is vitally important to all 
Federal Government entities and that includes the House of 
Representatives. Many of my colleagues are aware that our own 
networks are targeted daily by people and governments who would 
like to do harm to us, our government, or to find out personal 
information that has been provided to us by our constituents or 
other friends in other countries.
    It takes strategic planning and organization to avoid and 
address these attacks. When considering the impacts of 
information security on policy development related to 
electronic health records, national defense and technology 
development, for example, it quickly becomes obvious how 
important trusted networks are to the public and to 
legislators.
    All of the federal agencies testifying at the witness table 
today play a critical role in protecting the security of our 
systems while maintaining the necessary freedom to exchange 
unfettered communication.
    I look forward to your comments on how the agencies are 
advancing the national cybersecurity efforts, and I expect to 
learn a great deal from each one of you today. Thank you very 
much.
    [The prepared statement of Mr. Ehlers follows:]
         Prepared Statement of Representative Vernon J. Ehlers
    The security of our information is vitally important to all Federal 
Government entities, including the House of Representatives. Many of my 
colleagues are aware that our own networks are targeted daily by people 
who would like to do harm to our government, and it takes strategic 
planning and organization to avoid and address these attacks. When 
considering the impacts of information security on policy development 
related to electronic health records, national defense, and technology 
development, for example, it quickly becomes obvious how important 
trusted networks are to the public and to legislators.
    All of the federal agencies testifying at the witness table today 
play a critical role in protecting the security of our systems while 
maintaining the necessary freedom to exchange unfettered communication. 
I look forward to their comments on how the agencies are advancing our 
national cybersecurity efforts.

    Chairman Wu. Thank you, Dr. Ehlers. If there are other 
Members who wish to submit opening statements, your statements 
will be added to the record at this point.
    [The prepared statement of Mr. Mitchell follows:]
         Prepared Statement of Representative Harry E. Mitchell
    Thank you, Mr. Chairman.
    As the world becomes increasingly connected through the Internet, 
it is critical to ensure that we have an effective and secure 
cyberspace policy.
    Today we will discuss the findings and recommendations of the Obama 
Administration's 60-day Cyberspace Policy Review.
    We will also review the response of the Department of Homeland 
Security (DHS), the National Institute of Standards and Technology 
(NIST), the National Science Foundation (NSF), and the Defense Advanced 
Research Projects Agency (DARPA)'s response to the Administration's 
policy review.
    I look forward to hearing more from our witnesses on what steps 
need to be taken to establish a more comprehensive cyberspace policy 
that will improve our cybersecurity.
    I yield back.

    Chairman Wu. And now it is my pleasure to introduce our 
witnesses. Ms. Cita Furlani is the Director of the Information 
Technology Laboratory at the National Institute of Standards 
and Technology. Dr. Jeannette Wing is the Assistant Director at 
the Directorate for Computer & Information Science & 
Engineering at the National Science Foundation. Dr. Robert 
Leheny is the Acting Director of the Defense Advanced Research 
Projects Agency, and Dr. Peter Fonash is the Acting Deputy 
Assistant Secretary at the Office of Cyber Security 
Communications at the U.S. Department of Homeland Security.
    The witnesses will have five minutes for spoken testimony, 
and your written testimony will be included in the record in 
their entirety. And when you complete you testimony, we will 
begin with questions. Each Member will have five minutes to 
question the panel. Ms. Furlani, please proceed.

    STATEMENT OF MS. CITA M. FURLANI, DIRECTOR, INFORMATION 
  TECHNOLOGY LABORATORY, NATIONAL INSTITUTE OF STANDARDS AND 
         TECHNOLOGY (NIST), U.S. DEPARTMENT OF COMMERCE

    Ms. Furlani. Thank you, Chairman Wu and Chairman Lipinski, 
Ranking Members Smith and Ehlers, and Members of the 
Subcommittees. I appreciate the opportunity to appear before 
you today to discuss our role in cybersecurity and our 
perspective on the Administration's Cyberspace Policy Review.
    Through our work in information technology, NIST 
accelerates the development and deployment of information and 
communication systems that are reliable, usable, inter-
operable, and secure. It advances measurement science through 
innovations in mathematics, statistics, and computer science 
and conducts research to develop the measurements and standards 
infrastructure for emerging information technologies and 
applications.
    Many of our vital programs impact national security, such 
as improving the accuracy and inter-operability of biometrics 
recognition systems, and facilitating communications among 
first responders.
    Research activities range from innovations in identity 
management and verification, to metrics for complex systems, to 
development of practical and secure cryptography in a quantum 
computing environment, to automation of discovery and 
maintenance of system security configurations and status, and 
to techniques for specification and automation of access 
authorization in line with many different kinds of access 
policies.
    As you are aware, beginning in the early 1970's, NIST has 
developed standards to support federal agencies' information 
assurance requirements. Through the Federal Information 
Security Management Act, or FISMA, Congress again reaffirmed 
NIST's leadership role in developing standards for 
cybersecurity. FISMA provides for the development and 
promulgation of Federal Information Processing Standards, or 
FIPS, that are compulsory and binding for federal computer 
systems. NIST's mission in cybersecurity is to work with 
federal agencies, industries, and academia to research, develop 
and deploy information security standards and technology to 
protect information systems against threats to the 
confidentiality, integrity, and availability of information and 
services.
    Consistent with this mission and with the recommendations 
of the President's Cyberspace Policy Review, NIST is actively 
engaged with private industry, academia, non-national security 
federal departments and agencies, the intelligence community, 
and other elements of the law enforcement and national security 
communities in coordination and prioritization of cybersecurity 
research, standards development, standards conformance 
demonstration, and cybersecurity education and outreach.
    The national security community, a number of state 
governments, and major private sector organizations are also 
adopting the risk management framework and cybersecurity 
controls designed by NIST for the Federal Government. NIST is 
engaging industry to harmonize product assurance requirements 
to align with industry business models and system development 
practices.
    We play a leading security role in supply chain risk 
management, health care information technology, the Smart Grid, 
biometrics and face authentication, next generation voting 
systems, and cloud computing. We work with the intelligence and 
counterterrorism communities to facilitate cross sector 
information sharing among federal, State and local government 
organizations. We team with the Department of Justice and the 
Small Business Administration in extending cybersecurity 
education and training beyond the Federal Government into the 
private sector.
    For the first time, and as part of the ongoing initiative 
to develop a unified information security framework for the 
Federal Government and its contractors, NIST has included 
security controls in its catalog for both national security and 
non-national security systems. The updated security control 
catalog incorporates best practices in information security 
from the United States Department of Defense, the intelligence 
community, and civil agencies to produce the most broad-based 
and comprehensive set of safeguards and countermeasures ever 
developed for information systems.
    Under the provisions of the National Technology Transfer 
and Advancement Act, NIST is also tasked with the key role of 
encouraging and coordinating federal agency development and use 
of voluntary consensus standards and coordinating the public-
private sector development of standards and conformity 
assessment activities through consensus standards 
organizations. NIST will continue to conduct the research 
necessary to enable and provide cybersecurity specifications, 
standards, assurance processes, training, and technical 
expertise needed for securing the U.S. Government and critical 
infrastructure information systems to mitigate the growing 
threat. NIST will continue to closely coordinate with domestic 
and international private sector cybersecurity programs and 
national security organizations.
    Thank you for the opportunity to testify today on NIST's 
work in the cybersecurity arena and our views on the 
President's Cyberspace Policy Review. I will be happy to answer 
any questions you may have.
    [The prepared statement of Ms. Furlani follows:]
                 Prepared Statement of Cita M. Furlani

Introduction

    Chairmen Wu and Lipinski, Ranking Members Smith and Ehlers, and 
Members of the Subcommittees, I am Cita Furlani, the Director of the 
Information Technology Laboratory (ITL) at the Department of Commerce's 
National Institute of Standards and Technology (NIST). Thank you for 
the opportunity to appear before you today to discuss our role in 
cybersecurity and our perspective on the Administration's 60 Day 
Cyberspace Policy Review.
    As one of the major research components within NIST, our 
information technology work accelerates the development and deployment 
of information and communication systems that are reliable, usable, 
inter-operable, and secure; advances measurement science through 
innovations in mathematics, statistics, and computer science; and 
conducts research to develop the measurements and standards 
infrastructure for emerging information technologies and applications. 
NIST accomplishes these goals through collaborative partnerships with 
our customers and stakeholders in industry, government, academia, and 
consortia. Based on input from these customers and stakeholders, we 
have focused our R&D agenda on eight broad program areas: complex 
systems; cyber and network security; enabling scientific discovery; 
identity management systems; information discovery, use and sharing; 
pervasive information technologies; trustworthy information systems; 
and virtual measurement systems.
    Many of our vital programs impact national security, such as 
improving the accuracy and inter-operability of biometrics recognition 
systems and facilitating communications among first responders. The 
combination of our mission and legislation such as the Federal 
Information Security Management Act (FISMA) the Computer Security 
Research and Development Act, the USA PATRIOT Act, the Enhanced Border 
Security Act, and the Help America Vote Act lead to rich programmatic 
diversity.
    As you are aware, beginning in the early 1970s with enactment of 
the Brooks Act, NIST has developed standards to support federal 
agencies' information assurance requirements for many years. Through 
FISMA, Congress again reaffirmed NIST's leadership role in developing 
standards for cybersecurity. FISMA provides for the development and 
promulgation of Federal Information Processing Standards (FIPS) that 
are ``compulsory and binding'' for federal computer systems. The 
responsibility for the development of FIPS rests with NIST, and the 
authority to promulgate mandatory FIPS is given to the Secretary of 
Commerce. Section 303 of FISMA states that NIST shall:

          have the mission of developing standards, guidelines, 
        and associated methods and techniques for information systems;

          develop standards and guidelines, including minimum 
        requirements, for information systems used or operated by an 
        agency or by a contractor of an agency or other organization on 
        behalf of an agency, other than national security systems; and

          develop standards and guidelines, including minimum 
        requirements, for providing adequate information security for 
        all agency operations and assets, but such standards and 
        guidelines shall not apply to national security systems.

    NIST's mission in cybersecurity is to work with federal agencies, 
industry, and academia to research, develop and deploy information 
security standards and technology to protect information systems 
against threats to the confidentiality, integrity and availability of 
information and services. Consistent with this mission and with the 
recommendations of the President's recent 60 Day Cyberspace Policy 
Review, NIST is actively engaged with private industry, academia, non-
national security federal departments and agencies, the intelligence 
community, and other elements of the law enforcement and national 
security communities in coordination and prioritization of 
cybersecurity research, standards development, standards conformance 
demonstration and cybersecurity education and outreach activities. 
Research activities range from innovations in identity management and 
verification, to metrics for complex systems, to development of 
practical and secure cryptography in a quantum computing environment, 
to automation of discovery and maintenance of system security 
configurations and status, to techniques for specification and 
automation of access authorization in line with many different kinds of 
access policies.
    NIST addresses cybersecurity challenges throughout the information 
and communications infrastructure through its cross-community 
engagements. Enabled by Congressional funding increases in 2002 and in 
response to FISMA legislation, NIST is responsible for establishing and 
updating, on a recurring basis, the Federal Government risk management 
framework and cybersecurity controls. The national security community, 
a number of State governments and major private sector organizations 
are also adopting the risk management framework and cybersecurity 
controls designed by NIST. NIST is engaging industry to harmonize 
product assurance requirements to align with industry business models 
and system development practices. NIST is also playing a leading 
security role in supply chain risk management, health care information 
technology (HCIT), the Smart Grid, biometrics/face authentication, next 
generation voting systems, and cloud computing. NIST is working with 
the intelligence and counterterrorism communities to facilitate cross 
sector information sharing among Federal, State and local government 
organizations. NIST teams with the Department of Justice and the Small 
Business Administration in extending cybersecurity education and 
training beyond the Federal Government into the private sector.
    Recognizing the importance of security-related standards beyond the 
Federal Government, NIST leads national and international consensus 
standards activities in cryptography, biometrics, electronic 
credentialing, secure network protocols, software and systems 
reliability, and security conformance testing.
    Under the provisions of the National Technology Transfer and 
Advancement Act (P.L. 104-113) and OMB Circular A-119, NIST is tasked 
with the key role of encouraging and coordinating federal agency use of 
voluntary consensus standards and participation in the development of 
relevant standards, as well as promoting coordination between the 
public and private sectors in the development of standards and in 
conformity assessment activities. NIST works with other agencies to 
coordinate standards issues and priorities with the private sector 
through consensus standards organizations such as the American National 
Standards Institute (ANSI), the International Organization for 
Standardization (ISO), the Institute of Electrical and Electronic 
Engineers (IEEE), the Internet Engineering Task Force (IETF), and the 
International Telecommunication Union (ITU).
    Key contributions NIST has made include:

          Development of the current federal cryptographic and 
        cybersecurity assurance standards that have been adopted by 
        many State governments, national governments, and much of 
        industry;

          Development of the identity credentialing and 
        management standard for federal employees and contractors (also 
        becoming the de facto national standard);

          Development of the standard and conformance test 
        capability for inter-operable multi-vendor fingerprint minutia 
        capture and verification;

          Development and demonstration of quantum key 
        distribution;

          Establishment of a national cyber vulnerability 
        database; and

          Establishment and oversight of an international 
        cryptographic algorithm and module validation program. (This 
        Cryptographic Module Validation Program (CMVP) achieved a 
        significant milestone on August 15, 2008, by issuing the 
        program's 1,000th certificate.)

    NIST hosts the Information Security Automation Program (ISAP), 
which formalizes and advances efforts to enable the automation and 
standardization of technical security operations, including automated 
vulnerability management and policy compliance evaluations. The NIST 
National Vulnerability Database (NVD) is the United States Government 
repository of standards-based vulnerability management reference data. 
The NVD makes available information on vulnerabilities, impact 
measurements, detection techniques, and remediation assistance. It 
provides reference data that enable the ISAP's security automation 
capabilities. NIST's security automation program is based on the NIST 
Security Checklist program and the Security Content Automation Protocol 
(SCAP) activity. The SCAP Validation Program performs conformance 
testing to ensure that products correctly implement SCAP. NVD also 
plays a pivotal role in the Payment Card Industry (PCI) in their 
efforts to mitigate vulnerabilities in credit card systems. The PCI has 
mandated that NVD's vulnerability severity scores be used for measuring 
the risk to payment card servers world-wide and for determining which 
vulnerabilities must be fixed.
    Included in the scope of NIST cybersecurity activities are the 
usability of systems such as voting machines and software interfaces; 
research in mathematical foundations to determine the security of 
information systems; the National Software Reference Library, computer 
forensics tool testing, software assurance metrics, tools, and 
evaluation; approaches to balancing safety, security, reliability, and 
performance in SCADA and other Industrial Control Systems used in 
manufacturing and other critical infrastructure industries; 
technologies for detection of anomalous behavior, quarantines; 
standards, modeling, and measurement to achieve end-to-end security 
over heterogeneous, multi-domain networks; biometrics evaluation, 
usability, and standards (fingerprint, face, iris, voice/speaker, 
multi-modal biometrics) and initiating an international competition for 
a next generation Secure Hash Algorithm (SHA-3). NIST and the National 
Science Foundation are co-funding a workshop in July on usability 
issues associated with security. Among the topics to be investigated 
are methods to inform individual users of actions they take that could 
imperil their systems also providing informative justifications, 
methods and tools to assist administrators of systems in the 
configuration of their systems to provide secure operation, and 
forensic tools to help administrators deal with the aftermath of 
attacks.
    Recognizing the value of interagency coordination of research as 
well as of standards development, NIST actively contributes to the 
Networking and Information Technology Research and Development (NITRD) 
program and the development of the NITRD five-year strategic plan. 
Within the past year, as provided in the America COMPETES Act (P.L. 
110-69), the NITRD Program has assumed expanded responsibilities for 
coordination of federal cyber R&D and NIST is well represented in, and 
leverages, these activities. In addition, NIST collaborates with 
academia, e.g., individual institutions such as Purdue, and consortia, 
such as the Institute for Information Infrastructure Protection (or 
I3P).
    NIST works with other members of the Cyber Security and Information 
Assurance Interagency Working Group in establishing priorities for 
research and development to prevent, resist, detect, respond to, and/or 
recover from actions that compromise or threaten to compromise the 
availability, integrity, or confidentiality of computer- and network-
based systems. These systems provide both the basic infrastructure and 
advanced communications in every sector of the economy, including 
critical infrastructures such as power grids, emergency communications 
systems, financial systems, and air-traffic-control networks. These 
systems also support national defense, national and homeland security, 
and other vital federal missions, and themselves constitute critical 
elements of the IT infrastructure. Broad areas of concern which NIST 
research addresses include Internet and network security; 
confidentiality, availability, and integrity of information and 
computer-based systems; new approaches to achieving hardware and 
software security; testing and assessment of computer-based systems 
security; and reconstitution and recovery of computer-based systems and 
data.

60-Day Cyberspace Policy Review

    We concur in the findings of the 60-Day Cyber Review relative to 
the increasingly serious and pervasive threat posed by breaches of--or 
threats to--our cyber systems, and relative to the need to strengthen 
the capability of the Executive Office of the President to coordinate 
the Federal Government's response to that threat. We also concur in the 
report's observation that it is our total national information 
infrastructure, not just the federal information infrastructure that is 
faced with the aforementioned threat. We agree that a coordinated 
response is necessary to prevent catastrophic consequences for those 
critical infrastructures which integrate information systems into their 
operations.
    While agreeing that it is necessary to integrate the responses of 
national security organizations and those of federal organizations that 
do not have a primarily national security mission, we observe that the 
intelligence community, the other elements of the national security 
community, and NIST are, in response to the Federal Information 
Security Management Act of 2002, actively coordinating their standards 
and processes for cybersecurity. This effort is producing a single set 
of requirements, rather than the past's three independent sets of 
requirements (Intelligence community, national security systems and 
NIST) for consumers and providers of information processing and 
interchanges resources.
    On June 3rd, NIST announced the release of the final public draft 
of Special Publication 800-53, Revision 3, Recommended Security 
Controls for Federal Information Systems and Organizations. The final 
public draft of Special Publication 800-53, Revision 3, is historic in 
nature.
    For the first time, and as part of the ongoing initiative to 
develop a unified information security framework for the Federal 
Government and its contractors, NIST has included security controls in 
its catalog for both national security and non-national security 
systems. The updated security control catalog incorporates best 
practices in information security from the United States Department of 
Defense, Intelligence Community, and civil agencies, to produce the 
most broad-based and comprehensive set of safeguards and 
countermeasures ever developed for information systems.
    We are encouraged to observe that the 60-Day Cyberspace Policy 
Review recognizes that cybersecurity strategies and solutions must be 
structured in a manner that accommodates commerce, economic growth, 
scientific collaboration, and individual liberties. The report reflects 
the notion that we are not looking for ``lockdown solutions'' that 
achieve security at the expense of robust commerce, essential services 
or civil liberties.
    Recognizing the economic impact of cyberspace, NIST is working to 
provide measurement techniques to facilitate offsetting the cost of 
both public sector and private sector security solutions by decreases 
in losses or cost of insurance or increases in business due to 
increases in trust. Meeting the cyber threat to our national 
infrastructure would be accelerated by both the public and private 
sectors if new measurement techniques can demonstrate that increased 
security is good business sense. We note that not all of these measures 
need to be technical or regulatory in nature. Some simple, relatively 
inexpensive, procedural steps can have a materially positive effect on 
security. One example is the financial sector's having introduced a 
delay into the conversion of electronically transferred funds into 
tangible assets, a delay sufficient to permit invocation of fraud 
detection processes.
    We were particularly encouraged by the report's recognition of the 
role of international standards in protecting our information 
infrastructure. Our infrastructure is inextricably integrated into a 
complex of global networks. NIST's role in documentary standards has 
long been established in law and executive direction. We are actively 
working with our sister agencies on improving our common understanding 
of how we can collectively participate, in cooperation with the private 
sector, in fostering international standards and protocols that are 
conducive to a free and safe information processing and interchange 
environment.
    NIST and the National Telecommunications and Information 
Administration (NTIA) are working with the Internet Corporation for 
Assigned Names and Numbers (ICANN) and VeriSign on an initiative to 
enhance the security and stability of the Internet. The parties are 
working on an interim approach to deployment, by year's end, of a 
security technology--Domain Name System Security Extensions (DNSSEC)--
at the authoritative root zone (i.e., the address book) of the 
Internet. There will be further consultations with the Internet 
technical community as the testing and implementation plans are 
developed. In collaboration with the Department of Homeland Security 
Science and Technology Directorate, NIST has been an active participant 
within the international community in developing the DNSSEC protocols 
and has collaborated with various U.S. agencies in deploying DNSSEC 
within the .gov domain.
    We, at the NIST and the larger Department of Commerce, recognize 
that we have an essential role to play in realizing the vision set 
forth in the 60-Day Cyberspace Policy Review. We look forward to 
working with our Federal Government partners, with our private sector 
collaborators, and with our international colleagues to establish a 
comprehensive set of technical solutions, standards, guidelines, and 
procedural measures necessary to realizing this vision.

Conclusion

    NIST will continue to conduct the research necessary to enable and 
to provide cybersecurity specifications, standards, assurance 
processes, training and technical expertise needed for securing the 
U.S. Government and critical infrastructure information systems to 
mitigate the growing threat. NIST will continue to closely coordinate 
with domestic and international private sector cybersecurity programs 
and national security organizations. Finally, consistent with the NIST 
Three-Year Planning Report, NIST plans to expand its focus on 
cybersecurity challenges associated with health care IT, the Smart 
Grid, automation of federal systems security conformance and status 
determination, and cybersecurity leap-ahead research.
    Thank you for the opportunity to testify today on NIST's work in 
the cybersecurity arena and our views on the President's 60-Day 
Cyberspace Policy Review. I would be happy to answer any questions you 
may have.

                     Biography for Cita M. Furlani
    Cita M. Furlani is Director of the Information Technology 
Laboratory (ITL). ITL is one of nine research Laboratories within the 
National Institute of Standards and Technology (NIST) with an annual 
budget of $85 million, 335 employees, and about 150 guest researchers 
from industry, universities, and foreign laboratories.
    Furlani oversees a research program designed to promote U.S. 
innovation and industrial competitiveness by advancing measurement 
science, standards, and technology through research and development in 
information technology, mathematics, and statistics. Through its 
efforts, ITL seeks to enhance productivity and public safety, 
facilitate trade, and improve the quality of life.
    Furlani has several leadership responsibilities in addition to 
those at NIST. Currently, she is Co-Chair of the Interagency Working 
Group on Digital Data, Co-Chair of the Subcommittee on Quantum 
Information Science, and Co-Chair for Strategic Planning for the 
Subcommittee on Networking and Information Technology Research and 
Development, all under the auspices of the National Science and 
Technology Council. She also serves as Co-Chair of the Technology 
Infrastructure Subcommittee of the Interagency CIO Council.
    Furlani has served as the Chief Information Officer (CIO) for NIST. 
As CIO, Furlani was the principal adviser to the NIST Director on the 
planning, execution, evaluation, and delivery of information technology 
services and support.
    Furlani also served as Director of the National Coordination Office 
for Networking and Information Technology Research and Development. 
This office, reporting to the White House through the Office of Science 
and Technology Policy and the National Science and Technology Council, 
coordinates the planning, budget, and assessment activities for the 12-
agency Networking and Information Technology R&D Program.
    Previously, Furlani was Director of the Information Technology and 
Electronics Office within the Advanced Technology Program (ATP) at 
NIST. Before joining ATP, Furlani served as Chief of the Office of 
Enterprise Integration, ITL, NIST, coordinating Department of Commerce 
activities in the area of enterprise integration. Furlani also served 
as special assistant to the NIST Director in the Director's role as 
Chair of the Committee on Applications and Technology of the 
Administration's Information Infrastructure Task Force. Previously, 
Furlani was on detail as technical staff to the Director of NIST in the 
position of Senior Program Analyst. Prior to August 1992, she managed 
research and development programs within the NIST Manufacturing 
Engineering Laboratory, applying information technology to 
manufacturing since 1981.
    She earned a Master of Science degree in electronics and computer 
engineering from George Mason University and a Bachelor of Arts degree 
in physics and mathematics from Texas Christian University. She was 
awarded two Department of Commerce Bronze Medal Awards in 1985 and 1993 
and the Department of Commerce Silver Medal Award, in 1995.

    Chairman Wu. Thank you, Ms. Furlani. Dr. Wing, please 
proceed.

    STATEMENT OF DR. JEANNETTE M. WING, ASSISTANT DIRECTOR, 
 COMPUTER AND INFORMATION SCIENCE AND ENGINEERING DIRECTORATE, 
               NATIONAL SCIENCE FOUNDATION (NSF)

    Dr. Wing. Thank you very much. Good afternoon, Chairman Wu 
and Chairman Lipinski, Ranking Members Smith and Ehlers, and 
Members of the Subcommittees. I am Jeannette Wing, and I am the 
Assistant Director of the Computer and Information Science and 
Engineering Directorate at the National Science Foundation.
    I am delighted to have the opportunity to speak with you 
today about NSF's support for cybersecurity research at the 
frontiers of knowledge, investments that capitalize on the 
intellectual capacity of the best and the brightest in our 
nation's colleges and universities, as well as their many 
partners in the private sector. The research outcomes generated 
with NSF support will undoubtedly contribute to the security, 
stability and integrity of our global cyber infrastructure for 
many years to come.
    To begin, I would like to emphasize that many cybersecurity 
measures deployed today build upon the fundamental research 
outcomes generated decades ago. Thus, as the recent 60-Day 
Cyberspace Policy Review concludes, a national strategy to 
secure cyberspace in both the near- and the long-term must 
include investments in fundamental, unclassified, long-term 
research.
    Allow me to share with you just a few important fundamental 
research contributions made to date by the open research 
community, many originally developed with applications other 
than security in mind.
    Cryptographic schemes and cryptographic-based 
authentication, enabling today's Internet commerce, such as 
online banking.
    Program analyses and verification techniques, enables early 
detection of software vulnerabilities, thereby often preventing 
cyber attacks such as phishing, worms and botnets.
    Machine learning and data mining approaches are now used in 
filtering spam and detecting credit card fraud.
    CAPTCHAs, the distorted text that only humans, not 
machines, can decipher, ensuring that it is indeed a human, not 
a bot, who is buying a ticket online.
    These and many other research results developed with NSF 
funding are being used routinely in numerous corporations 
today. Moreover, NSF-funded projects have spawned start-up 
companies that bring critical technologies to the marketplace, 
creating new jobs, expanding the economy, and helping to secure 
cyberspace.
    This year, NSF will invest almost $137 million in cutting-
edge research on the science and engineering of trustworthy 
systems. Our interdisciplinary Trustworthy Computing Program, 
is a significant component of this investment and supports more 
than 800 principal investigators, co-principal investigators, 
and graduate students.
    We contribute to the Comprehensive National Cyber Security 
Initiative, CNCI, through this program with the focus on three 
vital areas, the scientific foundations of trustworthiness, 
privacy, and usability.
    NSF coordinates its cybersecurity research and planning 
activities with other agencies primarily through the Networking 
and Information Technology Research and Development program, 
NITRD, and the InfoSec Research Council. We play a leadership 
role in both activities.
    NSF and the academic community greatly appreciated the 
opportunity to contribute to the 60-Day Cyberspace Policy 
Review. We are pleased that the review recognizes the 
importance of investments in both fundamental unclassified 
cybersecurity research, the kind of research NSF supports, and 
cybersecurity education. The review also recognizes the 
importance of a strong academia-industry-government partnership 
in which NSF plays a central enabling role.
    For example, the NSF Science and Technology Center, called 
TRUST, and three Cyber TRUST Centers, all work directly with 
industry partners to speed the transition of research outcomes 
into products and services.
    Looking ahead, there are several areas ripe for industry-
university collaboration. First, industry has data that are 
otherwise unavailable to academics. Providing access to real 
data, appropriately sanitized, anonymized, and scrubbed, based 
on real adversaries and real users of operational systems and 
networks will allow researchers to test their theories and to 
gain new insights.
    Second, industry has problems looming on the horizon that 
they just don't have time to solve or they can't even imagine 
because they are so focused on the present. These are exactly 
the kinds of problems academic researchers can work on, 
anticipating the threats of tomorrow so that when they arrive, 
solutions will be ready.
    In my testimony today, I have provided examples of the ways 
in which NSF works with its partners in the Federal Government, 
the private sector, and academe to catalyze research advances 
in cybersecurity.
    With robust sustained support for research in both the 
executive and legislative branches, we have a unique 
opportunity to increase our nation's investments in 
fundamental, open, long-term cybersecurity research. Investing 
now for the future means a more secure future.
    This concludes my remarks. Thank you very much.
    [The prepared statement of Dr. Wing follows:]
                Prepared Statement of Jeannette M. Wing
    Good afternoon, Chairman Wu and Chairman Lipinski, Ranking Members 
Smith and Ehlers, and Members of the Subcommittees. I am Jeannette 
Wing, and I am the Assistant Director of the Computer and Information 
Science and Engineering Directorate at the National Science Foundation.
    I am delighted to have the opportunity to talk with you today about 
NSF's support for cybersecurity research at the frontiers of 
knowledge--investments that capitalize on the intellectual capacity of 
the best and the brightest in our nation's colleges and universities, 
as well as their many partners in the private sector. The research 
outcomes generated with NSF support will undoubtedly contribute to the 
security, stability and integrity of our global cyberinfrastructure for 
many years to come.
    To begin, it is essential that I note that many cybersecurity 
measures deployed today capitalize on fundamental research outcomes 
generated decades ago. Thus, as the recent 60-Day Cyberspace Policy 
Review concludes, a national strategy to secure cyberspace in both the 
near- and the long-term must include investments in fundamental, 
unclassified, open, long-term research. Investments in such research 
will allow our society to continue to benefit from a robust, secure, 
dependable cyberinfrastructure that supports all application sectors, 
including those on which our lives depend.
    Allow me to share with you just a few important fundamental 
research contributions made to date by the open research community, 
many developed with applications other than security in mind and long 
before situations arose that demanded their use.
    The basic research community developed:

          Cryptographic schemes and cryptographic-based 
        authentication, enabling today's Internet commerce, supporting 
        secure digital signatures and online credit card transactions, 
        and providing some of the building blocks needed for the safe, 
        secure and private exchange of electronic health records;

          Program analyses and verification techniques, 
        enabling the early detection of software vulnerabilities and 
        flaws, thereby often preventing cyber attacks such as phishing, 
        worms and botnets;

          Innovative machine learning and data mining 
        approaches now used in spam filtering, and methods for 
        detecting attacks such as those involving credit card fraud; 
        and the final example,

          CAPTCHAs, the distorted text that only humans--not 
        machines or hots--can decipher, to ensure that it is indeed a 
        human, and not a bot, who is buying a ticket online or setting 
        up an e-mail account.

    These research outcomes and many others developed with NSF funding 
are being used in numerous corporations including Amazon, Apple, e-Bay, 
Google, Intel, Microsoft, and Yahoo!. Moreover, NSF-funded projects 
have spawned start-up companies that bring critical technologies to the 
marketplace, creating new jobs, expanding the economy, and helping to 
secure cyberspace.

Please summarize the current range of National Science Foundation 
supported cybersecurity research, including associated funding.

    NSF has been investing in cybersecurity research for many years.\1\ 
In FY 2009, we will invest almost $137 million in fundamental research 
in the science of trustworthiness and related trustworthy systems and 
technologies. This includes $20 million from the American Recovery and 
Reinvestment Act. Approximately one half of this $137 million is 
allocated to our interdisciplinary Trustworthy Computing program, which 
in FY 2009 is funded at a level of $65 million and supports more than 
800 principal investigators, co-principal investigators, and graduate 
students. In addition to the Trustworthy Computing program, we continue 
to make cybersecurity investments in the core scientific sub-
disciplines of the computing and human sciences, including the 
foundations of communications and information, networking technology 
and systems, algorithmic foundations, information integration and 
informatics, and in the social and economic implications of developing 
secure, trustworthy systems.
---------------------------------------------------------------------------
    \1\ FY 2005: $68.81M, FY 2006: $76.73M, FY 2007: $96.70M, FY 2008: 
$106.90M, FY 2009 estimate: $136.70M (including $20M ARRA), FY 2010 
Request: $126.70M
---------------------------------------------------------------------------
    The totality of NSF investments supports a broad range of topics in 
trustworthy systems and applications. NSF supports foundational 
research in: cryptography, including key management, conditional and 
revocable anonymity; defense mechanisms against large-scale attacks 
such as worms, viruses, and distributed denial of service; formal 
models and methods for specifying, verifying, and analyzing system 
security; hardware enhancements for security, such as virtualization 
and trusted platform modules; metrics, especially for risk-based 
measurement; privacy, including privacy-preserving data-mining, 
location privacy, and privacy in RFID networks; network security, 
including for wireless and sensor networks and pervasive computing; and 
testbeds to run scalable experiments and to analyze anonymized network 
traffic data. NSF-funded research also addresses cybersecurity in the 
context of many application areas, including critical infrastructure 
(including the power grid), health records, voice over IP, geospatial 
databases, digital media, electronic voting, and federated systems.
    The relentless pace of innovation in information technology and 
related services leads inevitably to new research questions, 
opportunities and challenges. For example, increasing interest in 
``cloud computing'' leads to new opportunities but also raises new 
research challenges in security and privacy, and innovations in 
service-oriented architectures raise new research challenges in 
resiliency and verification. In the longer-term, new computing 
paradigms such as quantum computing will raise new research questions 
in cryptography and computational complexity.
    As you may know, FY 2009 represents the first full year of the 
interagency Comprehensive National Cybersecurity Initiative--CNCI. 
NSF's contributions to the CNCI include a specific focus on three 
critical areas:

          The scientific foundations of trustworthiness, so 
        that new trustworthy systems, technologies, and tools can be 
        developed and understood from first principles. New models, 
        logics, algorithms, and theories are being explored for 
        analyzing and reasoning about all aspects of trustworthiness--
        security, privacy, reliability, and usability--about all 
        communication, control, and data components of systems and 
        their composition. Researchers are exploring the fundamentals 
        of cryptography, inventing new specification and programming 
        languages and techniques to prevent or detect security 
        vulnerabilities in software and hardware, defining new security 
        architectures for system design, and exploring new computing 
        models that have potential to improve trustworthiness and our 
        ability to reason with different aspects of trustworthiness.

          The essential systems property of protecting privacy. 
        NSF is supporting the exploration of new scientific and 
        computational models, methods, logics, algorithms, and software 
        tools to define and reason about privacy, to detect and resolve 
        conflicts among privacy policies, to safeguard information of 
        individuals wherever it may digitally reside, and to explore 
        the interplay among privacy, security and legal policies. One 
        major technical challenge is identity management, especially 
        for federated systems that may be beyond the control of any one 
        organization; academic researchers are exploring attack-
        resistant methods and protocols for identity management, 
        commensurate with application requirements to preserve privacy 
        and with security and legal requirements to provide 
        accountability.

          Usability--the methods, tools and techniques that 
        make it easy for people to use computing systems while 
        protecting both people and systems from unforeseeable attacks 
        on their security and privacy. Users range from individuals 
        concerned about their home computers to administrators 
        responsible for large enterprises. Incorporating 
        trustworthiness into a system should not place undue demands on 
        human users or impact human or system performance. Since people 
        can be the weakest link in security, striking a balance between 
        control and convenience is a key challenge. Researchers are 
        developing new approaches to integrating and balancing 
        different system functionalities, understanding human 
        perception of trust including privacy, informing users of 
        potential pitfalls, and predicting the impact of user 
        decisions. New methods are needed, supported by automation, to 
        promote usability and provide users with security controls they 
        can understand. An especially active area of research is 
        digital forensics, where new automated methods will help all 
        users respond effectively in the aftermath of a security 
        incident.

How is NSF coordinating its own cybersecurity research and planning 
activities with other relevant federal agencies?

    At NSF, we coordinate our cybersecurity research and planning 
activities with other federal agencies, including the Departments of 
Defense (DOD) and Homeland Security (DHS) and the agencies of the 
Intelligence Community, through the following ``mission-bridging'' 
activities:

          NSF plays a leadership role in the interagency 
        Networking and Information Technology Research and Development 
        (NITRD) Program. The National Science and Technology Council's 
        NITRD Sub-Committee, of which I am Co-Chair, has played a 
        prominent role in the coordination of the Federal Government's 
        cybersecurity research investments. For example,

                  The NITRD Senior Steering Group (SSG) for 
                Cyber Security is overseeing the unclassified research 
                and development component of the CNCI. We recently 
                established the National Cyber Leap Year during which 
                we asked our research leaders in government, academia, 
                and industry, to propose ``game-changing'' concepts for 
                securing cyberspace. Our next step is to hold focused 
                meetings with the community to pursue some of the more 
                promising ideas, toward an integrated private-public 
                approach that considers technical, social, and economic 
                factors in cybersecurity. This work is immediately 
                responsive to one of the near-term action 
                recommendations published recently in the 60-Day 
                Cyberspace Policy Review.

                  The NITRD CyberSecurity and Information 
                Assurance Interagency Working Group (CSIA IWG) 
                coordinates cybersecurity and information assurance 
                research and development across the thirteen member 
                agencies, including DOD, the Department of Energy (DOE) 
                and the National Security Agency (NSA). In 2006, the 
                CSIA IWG published a national research and development 
                agenda for strengthening the security of the Nation's 
                cyberinfrastructure. This report continues to inform 
                our investments today.

          NSF also plays a leadership role in the multi-agency 
        Infosec Research Council (IRC), whose members include the DOD, 
        agencies representing the Intelligence Community and a number 
        of other federal agencies and entities (e.g., DOE, National 
        Institute of Standards and Technology, and National Library of 
        Medicine). The IRC provides a forum for the discussion of 
        critical scientific and technical issues in cybersecurity, 
        serves as a catalyst for the establishment of new programs and 
        technical emphases, and helps minimize duplication of effort. 
        In the past several years, IRC members have hosted a number of 
        academic-industry-government workshops, such as the recent 
        workshop on the Science of Security Workshop, which identified 
        new principles and methodologies in support of a more 
        foundational approach to security. This workshop was co-funded 
        by NSF, the Intelligence Advanced Research Project Activity 
        (IARPA), and NSA.

    These and other interagency settings, both formal and informal, 
provide a range of opportunities for interagency coordination and 
collaboration.

In particular, how is NSF coordinating its (unclassified) research and 
planning activities with Department of Defense or other federal 
classified research and research infrastructure, including cyber test 
beds?

    Jointly sponsoring workshops, such as the one I just cited, is 
representative of the types of interactions that take place between 
agencies supporting classified and/or unclassified components of the 
federal cybersecurity research portfolio. There is, of course, a rather 
significant classified component in the CNCI. Coordination between the 
larger classified component and the more modest unclassified component 
is achieved through the engagement of individuals who participate in 
both. These individuals share and promulgate knowledge generated in the 
unclassified component with those participating in the classified 
component.
    Through some of the coordinating mechanisms I have just described, 
NSF also works with its sister agencies in the deployment of 
cybersecurity testbeds. For example, the cyber-DEfense Technology 
Experimental Research Environment project (DETER)--a testbed that 
supports research on next-generation cybersecurity technologies--has 
been supported jointly by DHS and NSF. In another example, the 
Wisconsin Advanced Internet Laboratory (WAIL), which is supported by 
NSF, the Defense Advanced Research Project Agency (DARPA)\2\ and DHS, 
allows networking and distributed systems researchers to recreate end-
to-end instances of the real Internet, thereby permitting realistic 
network testing in support of security. As we look to the future, the 
DARPA National Cyber Range (NCR) is envisioned as a testbed that will 
allow researchers to perform qualitative and quantitative assessments 
of the security of cyber technologies and scenarios. Among the many 
experimental testbeds that have been developed, DARPA is considering 
DETER and WAIL as starting points for the NCR--demonstrating the value 
of ``mission-bridging'' from NSF's basic research mission to the quite 
focused application needs of other agencies. If the NCR is opened to 
unclassified research, then NSF would welcome the opportunity to 
coordinate with DARPA to provide academic researchers with an 
opportunity to run their experiments on this testbed.
---------------------------------------------------------------------------
    \2\ DARPA does not provide funding for the Wisconsin Advanced 
Internet Laboratory as indicated in the written testimony. NSF noted 
this error on June 19, 2009.

What changes, if any, does NSF plan to make to its research portfolio, 
planning, or interagency coordination efforts in response to the 
findings and recommendations in the Administration's 60-day federal 
---------------------------------------------------------------------------
cybersecurity review?

    NSF and the academic community very much appreciated the 
opportunity to contribute to the 60-day Cyberspace Policy Review. As I 
stated in my opening remarks, the Review clearly recognizes the 
importance of investments in fundamental, unclassified research, in 
support of which NSF plays a significant role.
    The Review also recognizes the importance of cybersecurity 
education. Besides our support of research, NSF plays an increasingly 
important role in the preparation of current and future generations of 
computing professionals and of a scientifically-literate national 
workforce. We are grateful that the Review recognizes the important 
role of several of our education programs, most notably the Pathways to 
Revitalized Undergraduate Education in Computing, and the Scholarships 
for Service programs.
    NSF's current portfolio of investments spans the many important 
topics highlighted in the Review. Further, our interdisciplinary reach 
to the broad academic community, and beyond into the private sector, 
provides an unparalleled opportunity to establish bold, new ``game-
changing'' directions in long-term cybersecurity research that are 
informed both by social and economic needs and by national security 
requirements. Our aspirations for the Trustworthy Computing program, 
which takes a holistic, interdisciplinary approach to establishing the 
science of trustworthiness and its embodiment in the engineering of 
trustworthy computing systems and technologies, are consistent with the 
review's recommendations.
    NSF will continue to support interagency workshops that promote 
interagency collaboration and coordination. Workshops are planned on 
how to measure success in security-related research activities, on 
developing metrics to assess the security and privacy of complex 
systems, and on how to achieve security in the financial 
infrastructure. This last workshop will be coordinated with the 
Department of the Treasury.
    NSF and its many partners in academe, industry, and government 
stand ready to respond to the national imperative to secure cyberspace, 
both today and for the foreseeable future. We welcome the opportunity 
to collaborate with our partners in creating a comprehensive response 
to the recommendations expressed in the review.

To what extent is NSF's cybersecurity research portfolio shaped by the 
cybersecurity needs and related research priorities of the private 
sector? How is NSF soliciting input from the private sector regarding 
its research portfolio?

    In the academia-industry-government ecosystem, organizations and 
individuals in all three sectors bear a responsibility for shaping a 
future cyberinfrastructure that is usable, secure, dependable, and 
resistant to attack, for the benefit of science, our economy, and our 
society. The recent Cyberspace Policy Review clearly recognizes the 
value of a healthy academia-industry-government ecosystem in 
strengthening our nation's cybersecurity posture.
    At a strategic level, NSF's research investments are shaped by 
advice provided by private sector representatives serving on the 
National Science Board and NSF Advisory Committees.
    NSF also catalyzes the formation of strong partnerships between 
academia and the private sector by providing programmatic incentives 
that encourage both sectors to work together, thereby speeding the 
transition of research and education outcomes into products and 
services. For example, the NSF Team for Research in Ubiquitous Security 
Technology (TRUST) Science and Technology Center works with a number of 
industry partners who 1). help define the Center's strategic intent and 
research and education priorities through the Center's External 
Advisory Board, and 2). interact directly with faculty and students on 
individual research projects. Industry partners include Cisco, Deloitte 
and Touche, eBay, GE, HP, ING, Intel, Microsoft, Nortel Networks, 
Oracle, Qualcom, Raytheon, Silicon Valley Bank, Sun Microsystems, 
Symantec, and Visa.
    NSF's Cyber Trust program also supports three Centers with strong 
industry partnerships. For example, the Trustworthy Cyber 
Infrastructure for the Power grid (TCIP) center, which also receives 
support from DHS and DOE, works with its industry partners to create 
cybersecurity research advances that will make the Nation's power grid 
more secure, reliable and safe. Industry and other partners in this 
venture include ABB, Amerren, Areva, California ISO, Cisco, Entergy, 
EPRI, Exelon, GE, Gerhrs, Instep, ISIsoft, Kema, Multili, Open Systems 
International, Pacific Northwest National Laboratory, Power World 
Corporation, Siemens, and Starthis.
    In addition to academic-industry partnerships encouraged through 
NSF programmatic incentives, many NSF-supported faculty and students 
have informal connections with industry, and many students in computing 
fields do summer internships in industry. Using these informal 
mechanisms, research results from NSF investments in cybersecurity also 
often find their way into industry products and services. For example, 
a team of researchers from UC-Berkeley, Stanford, and University of 
Maryland College Park developed an open source version of their static 
analysis tools for finding software vulnerabilities. These tools have 
been adapted by Microsoft and other large software developers and 
incorporated into their products.
    Looking to our cybersecurity future, there are several areas ripe 
for industry-university collaboration. First, industry has data that 
are otherwise unavailable to academics. Providing access to real data--
appropriately sanitized, anonymized, and otherwise scrubbed--based on 
real adversaries and real users of operational systems and networks is 
essential. This access enables researchers to test whether their 
theoretical ideas play out in practice. Do they scale? What are the 
edge cases? Furthermore, researchers gain new insights by examining 
real data. Patterns and anomalies emerge from looking at real data that 
would not from synthetic data. These discoveries in turn raise new 
scientific questions. Second, industry has problems looming in the 
horizon that they just don't have time to solve or problems they can't 
even imagine because they are so focused on the present; those are 
exactly the kinds of problems academic researchers can work on: 
anticipating the threats of tomorrow so that when they arrive, 
potential solutions will be available. Moreover, academics are freer to 
think out of the box and thus may come up with creative solutions that 
while impractical today, may be quite practical in the future.
    In my testimony today, I've tried to provide examples of the ways 
in which NSF works with its partners in the Federal Government, in the 
private sector, and in academe to catalyze long-term research advances 
in cybersecurity. In his May 29 speech on the roll-out of the 60-day 
Cyberspace Policy Review, the President stated that ``America's 
economic prosperity in the 21st century will depend on cybersecurity'' 
and the Administration ``will continue to invest in the cutting-edge 
research and development necessary for the innovation and discovery we 
need to meet the digital challenges of our time.'' Your Subcommittees 
also clearly recognize the importance of research advances in 
cybersecurity to the Nation's future.
    With robust sustained support for fundamental research in both the 
executive and legislative branches, we have a unique opportunity to 
increase our nation's investments in fundamental cybersecurity 
research, thereby securing our nation's future for many decades to 
come.
    This concludes my remarks. I would be happy to answer any questions 
at this time.

                    Biography for Jeannette M. Wing
    Dr. Jeannette M. Wing is the President's Professor of Computer 
Science in the Computer Science Department at Carnegie Mellon 
University. She received her S.B. and S.M. degrees in Electrical 
Engineering and Computer Science in 1979 and her Ph.D. degree in 
Computer Science in 1983, all from the Massachusetts Institute of 
Technology. Currently on leave from CMU, she is the Assistant Director 
of the Computer and Information Science and Engineering Directorate at 
the National Science Foundation.
    Professor Wing's general research interests are in the areas of 
specification and verification, concurrent and distributed systems, 
programming languages, and software engineering. Her current interest 
is on the foundations of trustworthy computing where by trustworthy she 
includes reliability, security, privacy, and usability. Her current 
projects are on specifying and verifying privacy policies.
    She has published extensively in top journals and major conferences 
and has given nearly 300 invited, keynote, and distinguished lectures. 
She was or is on the editorial board of twelve journals, including the 
Journal of the ACM and the Communications of the ACM.
    Professor Wing has been a member of many advisory boards, 
including: the Networking and Information Technology (NITRD) Technical 
Advisory Group to the President's Council of Advisors on Science and 
Technology (PCAST), the National Academies of Sciences's Computer 
Science and Telecommunications Board, the DARPA Information Science and 
Technology (ISAT) Board, NSF's CISE Advisory Committee, Microsoft's 
Trustworthy Computing Academic Advisory Board, the Intel Research 
Pittsburgh's Advisory Board, Dartmouth's Institute for Security 
Technology Studies Advisory Committee, and the Idaho National 
Laboratory and Homeland Security Strategic Advisory Committee. She was 
a Member-at-Large on ACM Council and served on the ACM Kanellakis Award 
Committee and the ACM Karlstrom Outstanding Educator Award Committee. 
She was on the Microsoft New Faculty Fellowship Selection Committee and 
the Sloan Research Fellowships Program Committee. She was the Co-Chair 
of the Technical Symposium of Formal Methods '99, co-organizer of the 
UW-MSR CMU 2003 Software Security Summer Institute, and Co-Chair of the 
First International Symposium on Secure Software Engineering.
    Administratively at Carnegie Mellon, she served as Head of the 
Computer Science Department during 2004-2007, overseeing 90 faculty. 
She was Associate Dean for Academic Affairs for five years, overseeing 
the operations of the educational programs offered by the School of 
Computer Science, including at the time: ten doctoral programs or 
specializations, ten Master's programs, and the Bachelor's program. She 
also served as Associate Department Head for nine years, running the 
Ph.D. Program in Computer Science.
    She was on the Computer Science faculty at the University of 
Southern California and has worked at Bell Laboratories, USC/
Information Sciences Institute, and Xerox Palo Alto Research 
Laboratories. She spent sabbaticals at MIT in 1992 and at Microsoft 
Research 2002-2003. She has consulted for Digital Equipment 
Corporation, the Mellon Institute (Carnegie Mellon Research Institute), 
System Development Corporation, and the Jet Propulsion Laboratory. She 
is a member of AAAS, ACM, IEEE, Sigma Xi, Phi Beta Kappa, Tau Beta Pi, 
and Eta Kappa Nu. She was elected an ACM Fellow in 1998, IEEE Fellow in 
2003, and AAAS Fellow in 2007.

    Chairman Wu. Thank you very much, Dr. Wing. Dr. Leheny, I 
am going to get you started, and Chairman Lipinski is going to 
take over for a while. Dr. Leheny, please proceed.

  STATEMENT OF DR. ROBERT F. LEHENY, ACTING DIRECTOR, DEFENSE 
            ADVANCE RESEARCH PROJECTS AGENCY (DARPA)

    Dr. Leheny. Mr. Chairman, Subcommittee Members and staff, 
thank you very much for this opportunity to discuss DARPA's 
programs, information assurance, and cybersecurity.
    As I believe you are already aware, DARPA's mission is to 
invest in high-risk, high-reward technologies that create new 
capabilities for our military. And information assurance and 
cybersecurity are important elements in our current portfolio 
of programs. Let me begin today by commenting on the 
significance of robust secure self-forming networks to the 
defense department.
    Like many commercial enterprises, the department is 
transforming to network centric operations, so DARPA's programs 
are focused on ensuring that these networks can operate 
independently in a robust and secure manner. We are interested 
in two types of networks, strategic high-speed optical and 
satellite based global networks, networks relying on commercial 
hardware technologies for the most part. For these types of 
networks, our focus is largely on operations, survivability 
under attack, and security.
    At the other extreme are practical, largely wireless 
networks, networks directly supporting the war fighter on the 
front lines. Wireless networks present both hardware and 
software challenges. They must be agile and adaptive, capable 
of operating in any environment, as well as be able to manage, 
defend, and heal themselves at speeds beyond human 
capabilities. And they must be self-forming without recourse to 
the infrastructure or cell towers of the commercial provider.
    As network capabilities become ever more essential to 
operations, these networks above all else must be secure. We 
will spend about $127 million on information assurance and 
cybersecurity in the current fiscal year, and we are requesting 
an increase of more than 14 percent to $164 million for 2010. 
While most of these investments are targeted to software 
architecture and protocol issues, to ensure networks are secure 
from the ground up, their underlying hardware must also be 
secure. So in what is truly a DARPA hard problem, we are 
investing in a program we call TRUST, oddly enough the same 
name that the NSF has for one of its programs, but we are doing 
something completely different. What we are doing is 
investigating methods for detecting malicious features inserted 
into semiconductor chips during their design, manufacture, and 
programming. All of these efforts focus on the department 
challenges, but we believe our successes, as has been the case 
in the past, will eventually impact commercial network 
technologies as well.
    At this time, perhaps our most visible program, one of 
particular interest to this committee which we took on as part 
of the Comprehensive National Cyber Initiative, is our program 
to develop a National Cyber Range. Recognizing that scientific 
progress has always been paced by advances in our ability to 
observe, test and perform rigorous experiments, we are 
designing this range to be a vehicle for a significantly 
advancing progress in cyber understanding and capabilities, to 
be a tool for rapid, realistic, and quantitative simulation 
assessment of cyber technologies. Researchers will be able to 
operate at either the classified or unclassified levels and 
with many more nodes than current cyber test ranges with highly 
automated tools and regiment techniques, they will have access 
to revolutionary research capabilities, capabilities that will 
allow rapid network simulation under real-world conditions, 
enabling efficient development and testing of information 
assurance and cybersecurity strategies.
    The program has three phases. In the current first phase, 
we began by seeking ideas from multiple sources which after a 
government panel review resulted in our placing seven teams 
under contract to develop competing designs for delivery later 
this summer. At that time, the government team will evaluate 
and select the best among these designs to continue into a 
Phase II program to produce a limited number of prototype 
ranges. In a third phase, the most capable prototype range will 
be further developed into the operational range to be completed 
in 2012. DARPA is managing the National Cyber Range 
development, but we will transition the completed range to 
another organization for operation. The details are a work in 
progress. Presently two government working groups are studying 
the issues. One is developing a technical vision and business 
model for the range operations. The other is focused on 
security issues for accrediting the range for use by all 
agencies across the government. In the end, I believe the range 
will operate like other national research assets with a panel 
to review and prioritize user proposals and an administrator to 
maintain facilities and facilitate research or access.
    Regarding how we coordinate our research with other 
agencies, I can assure you that we actively coordinate our 
efforts. Two specific examples include the multi-agency 
participation in the development of the National Cyber Range, 
and our teaming with the NSF to organize two cybersecurity 
workshops this summer. But in general, in the process of 
developing new programs, our program managers routinely engage 
with their counterparts in other agencies to scope out the best 
way forward to achieve a specific research goal. Regarding the 
60-Day Cyberspace Policy Review, this high-level document 
ranges over a wide variety of policy issues, but I note that it 
specifically recognizes the importance of innovation in 
achieving cybersecurity, explicitly calling out the supply 
chain threat which our TRUST program is addressing and the 
importance of modeling and simulation capabilities that the NCR 
will enable.
    In conclusion, as the department expands its net-centric 
operation, information assurance remains a critical concern. In 
dealing with this concern, we are committed to working with 
organizations across the government to contribute to the 
national goals for a secure cyberspace, and when the new DARPA 
Director is in place, refining our plans, programs and budgets 
for cybersecurity will be high on our agenda.
    I would be pleased to answer your questions.
    [The prepared statement of Dr. Leheny follows:]
                 Prepared Statement of Robert F. Leheny
    Mr. Chairman, Subcommittee Members and staff: I am Bob Leheny, 
Acting Director of the Defense Advanced Research Projects Agency 
(DARPA). I am pleased to appear before you today to discuss DARPA's 
ongoing work in cybersecurity, or what we in the Department of Defense 
(DOD) call ``information assurance.''
    I'd like to set the context for my remarks today by briefly 
describing DARPA's mission and how we work.
    DARPA's mission is to prevent technological surprise for us and to 
create technological surprise for our adversaries. DARPA conducts this 
mission by searching for revolutionary high-payoff ideas and sponsoring 
research projects that bridge the gap between fundamental discoveries 
and their military applications. Stealth aircraft, developed at DARPA 
more than 25 years ago, is one among many important examples of how we 
create technological surprise.
    To understand DARPA's role in DOD's science and technology (S&T) 
establishment, consider an investment timeline that runs from ``near'' 
to ``far,'' indicative of the time required for an investment to be 
incorporated into an acquisition program. The ``near side'' represents 
investments that characterize much of the work of the Department's 
other S&T organizations, which tend to gravitate to the near-term 
because they emphasize investments in capabilities required to meet 
today's mission requirements. These investments are excellent S&T and 
are crucial to DOD because they continuously hone U.S. military 
capabilities, e.g., improving the efficiency of jet engines and making 
existing radios more reliable. This S&T is usually focused on known 
systems and problems.
    At the other end of the investment timeline--the ``far side''--are 
the smaller basic research investments made by various federal agencies 
and the Military Services that support fundamental discoveries, where 
new science, ideas, and radical concepts typically first surface. 
Investigators working on the far side generate ideas for entirely new 
types of devices or new ways to put together capabilities in a 
revolutionary manner, but often find that obtaining funding is 
difficult, if not impossible.
    DARPA was created to bridge the gap between these two groups. The 
Agency finds the people and ideas on the far side and accelerates those 
ideas to the near side for transition to the DOD S&T and acquisition 
communities as quickly as possible. DARPA's work is high-risk and high-
payoff precisely because it bridges the gap between fundamental 
discoveries and their military use.
    DARPA's success depends heavily on the freedom of its program 
managers to pursue the far side ideas that other S&T organizations 
overlook or, for a variety of reasons, decide not to consider. DARPA 
hires program managers for limited terms of four to six years, which 
ensures a steady input of new energy and ideas. Given their relatively 
short tenure, these program managers focus their time on quickly 
generating ideas and starting new programs. DARPA's senior leadership 
provides an overall technical vision and oversees the organizational 
coordination and collaboration activities required of any DOD 
organization, thus freeing the program managers to focus on their 
programs. This approach has enabled DARPA to pursue the ideas and 
programs that have benefited DOD for more than 50 years.
    DARPA's strategy for accomplishing its mission is embodied in a set 
of strategic thrusts that guide its investments. The current strategic 
research thrusts that DARPA emphasizes today are:

          Robust, Secure, Self-Forming Networks

          Detection, Precision ID, Tracking, and Destruction of 
        Elusive Targets

          Urban Area Operations

          Advanced Manned and Unmanned Systems

          Detection, Characterization, and Assessment of 
        Underground Structures

          Space

          Increasing the Tooth-to-Tail Ratio

          Bio-Revolution

          Core Technologies, which span investments in quantum 
        science and technology, bio-info-micro, materials, power and 
        energy, microsystems, information technology, mathematics, 
        manufacturing science and technology, and lasers.

    Today, I will discuss DARPA's vision for DOD's Robust, Secure, 
Self-Forming Networks and the investments in information assurance to 
secure those networks.

Robust, Secure, Self-Forming Networks

    DOD is in the middle of a transformation to network-centric 
operations, which has as its goal turning information superiority into 
a distinct advantage so U.S. forces can operate far more effectively 
than any adversary. Network-centric operations fuse the typically 
separate functions of intelligence and operations to dramatically speed 
up the observe-orient-decide-act (OODA) loop.
    At the core of this concept are robust, secure, self-forming 
networks. These networks must be at least as reliable, available, 
secure, and survivable as the weapons and forces they connect. They 
must distribute huge amounts of data quickly and precisely across a 
battlefield, a theater, or the globe, delivering the right information 
at the right place at the right time. The networks must form, manage, 
defend and, when disrupted, heal very quickly.
    Military network technology requirements are divided according to 
their application into either tactical or strategic networks. Tactical 
networks are largely wireless and directly support units and their 
equipment on the front lines. They must be agile, adaptive and 
versatile, and connect units and their equipment that are operating 
together, sometimes with different communication equipment, at local 
area ranges in all environments, including urban areas. Strategic 
networks are largely optical wired and/or satellite-based, are often 
operated by commercial suppliers, and provide broadband links between 
overseas command centers and the United States. Strategic networks 
globally link air, ground, and naval forces for operational maneuver 
and strategic strike and enable the distribution of knowledge, 
understanding, and supply throughout the force.
    Network-centric operations require connectivity between the 
strategic and tactical echelons so they can rapidly and effectively 
share information. Technology advancements now provide the opportunity 
to connect these two families of networks. DARPA is bridging strategic 
and tactical operations with high-speed, high-capacity communications 
networks. The DOD strategic, high-speed fiber optic network--the Global 
Information Grid (GIG)--is an integrated network with a data rate of 
hundreds to thousands of megabits per second. To reach deployed 
elements, data on the GIG must be converted into a wireless format for 
reliable transmission to the various units within theater. This creates 
problems in the timely delivery of information.
    To connect the tactical warrior to the GIG, DARPA is developing 
high-speed network technology that can robustly disseminate voice, 
video, text, and situation awareness information to the various 
military echelons and coalition forces. To accomplish this, the high 
data rate capability of optical communications is being combined with 
the high reliability and adverse-weather performance of radio frequency 
(RF) communications.
    The goal of DARPA's Optical RF Communications Adjunct (ORCA) 
program is to create a high data rate backbone network via several 
airborne assets that nominally fly at 25,000 feet and up to 200 
kilometers apart and provide GIG services to ground elements up 50 
kilometers away from any one node. ORCA provides billions of 
information bits per second, error-free on an optical link and, at 
radio frequencies, hundreds of millions of information bits per second 
when clouds block the optical link.
    For applications at sea, DARPA is working to bridge strategic and 
tactical maritime operations with a revolutionary new capability for 
submarine communications based on a blue laser efficient enough to make 
submarine laser communications at depth and speed a near-term reality. 
If successful, it will dramatically change how submarines communicate 
and greatly improve their operations and effectiveness, enabling 
submarines to become truly persistent nodes for network-centric 
operations at sea.
    At the tactical ground level, radio inter-operability has plagued 
DOD for decades. To connect tactical ground, airborne, and satellite 
communications platforms and terminals together, the Network-Centric 
Radio System (NCRS) program has developed a mobile, self-healing, ad 
hoc network gateway that provides total radio/network inter-operability 
among these platforms moving in any terrain. NCRS builds inter-
operability into the network itself--rather than into each radio--
allowing any radio to communicate with any other radio. Now, previously 
incompatible legacy tactical radios can link seamlessly among 
themselves and to more modern systems, including military and 
commercial satellite systems. DARPA is taking this technology and 
working on commercial components and practices to make NCRS more 
affordable at low rate initial production quantities. A follow-on 
program, Mobile Ad hoc Information Network GATEway (MAINGATE), is 
focused on providing this capability at a low unit cost ($60,000 each) 
in small volumes (1,000 units).
    Another wireless challenge is frequency spectrum; it is scarce and 
valuable. DARPA's NeXt Generation (XG) Communications technology is 
making up to 10 times more spectrum available by taking advantage of 
spectrum assigned to others, but unused at a particular place and time. 
XG technology senses the spectrum being used and dynamically makes use 
of the spectrum that is not busy. Recently, XG conducted a series of 
successful experiments and demonstrations at several military 
locations, and various organizations within DOD are planning to 
transition XG technology broadly into current and existing wireless 
communication systems.
    DARPA is developing communication networks specifically for the 
kind of urban environments our troops are encountering today. As is the 
case for civilian wireless networks, urban clutter can create multiple 
signals from diverse reflections (``multipath'') of the initial signal, 
and the result is weak or fading communications. This problem is being 
turned into an opportunity through the DARPA Mobile Networked Multiple-
Input/Multiple-Output (MNM) program, which is actually exploiting 
multipath phenomena to improve communications between moving vehicles 
in cities without using a fixed communications infrastructure. MNM has 
demonstrated reliable non-line-of-sight communications during on-the-
move field trials in urban environments. The program successfully 
exploited multipath to increase information throughput and reliability 
while maintaining high data rates. It also demonstrated reliable 
communications in the face of interference by enabling multiple signals 
to simultaneously occupy the same frequency band, resulting in 
increased capacity of that channel.
    Building on XG, MNM, and other technologies, the Wireless Network 
after Next (WNaN) program is developing an affordable communication 
system for reaching to the ``tactical edge.'' The WNaN low-cost, highly 
capable radio will allow the military to communicate with every 
warfighter and every fielded device at all operational levels. WNaN 
technology will exploit high-volume, commercial components and 
manufacturing techniques so DOD can affordably evolve the capability. 
The radio cost will be low enough so that they can be refreshed after a 
few years of use with updated, more capable radios--as are today's 
commercial cell phones. DARPA is working with the Army to make a ``low 
cost hand-held networking radio'' for about $500 apiece a reality. In 
fact, we recently signed a memorandum of agreement that could lead to 
the Army buying large numbers of units for military use.

Information Assurance for DOD Networks

    The vision for DOD's networks covers great scope and depth, 
starting with the building blocks of component hardware and software, 
ranging from smaller networks for individual systems and tactical use 
to huge global networks; from wired to wireless; from mobile to fixed; 
and many combinations in between. These networks give the U.S. military 
significant advantages, which make them a very attractive, high value 
target for any adversary. The United States must assume its adversaries 
will seek ways to destroy, disrupt, distort, or infiltrate DOD's 
networks.
    Those networks must be reliable in any environment for extended 
periods and protected against cyber threats. As technologies are 
developed and deployed to successfully block overt cyber attacks, 
adversaries will likely attempt to insert malicious code to disrupt the 
networks. DOD, with some of the most sophisticated and complex networks 
and facing the most sophisticated attacks, must rigorously protect its 
networks or suffer terrible consequences. The ever-growing 
sophistication of these threats has surpassed the ability of current 
commercial markets to provide DOD with rapid and robust solutions.
    While many threats and problems are common to most types of 
networks--private, civilian government, and military--and many private 
and non-DOD researchers are addressing them, DARPA's efforts are 
focused on technologies to solve the Defense Department's information 
assurance operational challenges. Funding for our information assurance 
research is primarily contained in two places in our budget: an applied 
research budget project called ``Information Assurance and 
Reliability'' and a program element called ``Cyber Security 
Initiative,'' which covers the National Cyber Range. The total in these 
for FY09 is about $127M, and we are requesting about $164M in FY10. The 
details on these requests may be found in our budget, which is 
available online at www.darpa.mil/budget.html.
    Critical to DOD's transformation to network-centric operations are 
the wireless networks known as Mobile Ad Hoc NETworks (MANETs), which 
are designed to fluidly and automatically connect moving vehicles and 
dismounts as needed without a static network infrastructure. A rough 
analogy is a cell phone network made up only of cell phones--without 
cell towers or a telephone company. For example, a television ad for a 
telecommunications company shows a large crowd of people standing 
behind its network. MANETs must operate without this support, yet 
remain fully functional networks while being vigorously attacked.
    The DARPA Intrinsically Assurable Mobile Ad Hoc Network (IAMANET) 
program is aimed directly at building DOD MANETs that are secure from 
the ground up. IAMANET is developing network architectures and 
protocols to authenticate and authorize all traffic on a MANET, 
quarantine problems so they don't spread, and prevent data from 
corruption and unauthorized exfiltration. In contrast, the current 
Internet does not deny unauthorized traffic by default and violates the 
``principle of least privilege,'' where a user is given no more 
privilege than required to perform a given task. Existing protocols are 
not resistant to malicious acts that can produce faulty outputs and 
inconsistent behavior. IAMANET technology will provide a smart router 
technology for ad hoc network environments that will not forward 
malicious traffic, preventing infections from spreading through the 
network and securing information within the network.
    IAMANET builds on earlier DARPA research from the Dynamic 
Quarantine of Worms (DQW) program. DQW technology creates an integrated 
system that automatically detects and responds to worm-based attacks 
against military networks, provides advanced warning to other DOD 
networks, studies and determines the worm's propagation, and 
automatically immunizes the network against these worms. The system 
quickly quarantines so-called ``zero-day worms'' to limit the number of 
machines affected and restores the infected machines to an 
uncontaminated state in minutes, rather than hours and days. The 
Marines are now conducting tests of DQW-protected systems.
    MANETs are of such significance to DOD that DARPA is sponsoring 
basic research to develop Information Theory for Mobile Ad Hoc Networks 
(ITMANET) to provide a more powerful theory for mobile wireless 
networks. The ITMANET program is motivated in part by a major 
scientific accomplishment of the last century: Claude Shannon's 
information theory, which provides a mathematical foundation for 
understanding information capacity in wired, point-to-point networks. 
This theory is an essential foundation for today's information 
revolution, but is incomplete when dealing with wireless MANETs. 
ITMANET is extending Shannon's classic description of information 
capacity to the more complex mobile ad hoc network case. Stanford 
University and the University of Texas are leading two research teams 
in this effort, which involves 24 faculty members from several 
universities. Important program results are being reported in peer-
reviewed professional journals, and, based on this research, a popular 
science magazine is planning a tutorial article on MANETs to popularize 
the concepts among a wider audience. While this work may not seem to be 
strictly information assurance, DARPA researchers believe it will help 
us understand the limits of what can and cannot be done in MANETs and 
inform the design of MANETs that are more secure.
    DARPA's information assurance programs for wired networks will 
likely yield results that could be useful to a wide range of users 
beyond DOD.
    The Trustworthy Systems program is developing innovative methods to 
detect unusual traffic in networks. These methods promise to be orders 
of magnitude more effective than traditional approaches by leveraging 
recent advances in statistical physics, information theory, and 
thermodynamics. The goal is to detect 99 percent of attacks launched 
with no more than a single false alarm per day--all at gateway speeds, 
in the gigabits-per-second range.
    The Self-Regenerative Systems (SRS) program is developing 
techniques to allow networks to work through attacks and automatically 
adjust themselves to provide critical functions in the presence of 
attacks. Over time, SRS will ``learn'' their own vulnerabilities and 
how to correct them, even protecting against incorrect or improper 
actions by authorized users. Started in 2004, the SRS program involves 
several universities and research firms and is advancing four key cyber 
defense technologies: automated software diversity, scalable 
redundancy, insider threat mitigation, and self-healing. The current 
phase of the program will move SRS technologies from the laboratory to 
an actual DOD system to show that the system can automatically heal 
itself from expert attack, while maintaining a viable level of service.
    The DARPA Application Communities (AC) program is building an 
automatic cyber defense infrastructure for large deployments of similar 
applications in many places, for example, the same web browser running 
simultaneously on many separate computers. As a network comes under 
attack, continued comparison across the network permits the online 
construction of a universal software patch for all affected machines. 
The core technology for the AC program was developed at MIT and will be 
demonstrated in the current phase of the program in conjunction with 
MIT's commercial partner.
    All networks rely on hardware, and to work properly that hardware 
must be secure. With much of the microelectronics used in DOD and other 
systems manufactured off-shore, the question naturally arises, ``How do 
we know we are getting what we asked for in the microelectronics and 
only what we asked for?'' The integrity of the hardware components is 
commonly not addressed when considering cybersecurity and networks, but 
it is a key issue in DOD information assurance. To the extent DOD 
systems use microelectronics purchased from several vendors, including 
foreign sources, they are at risk.
    DARPA's Trusted, Uncompromised Semiconductor Technology (TRUST) 
program, a major information assurance program, is directly tackling 
this issue. Pursuing a series of complementary technologies and 
techniques to ensure that DOD's microelectronics will do only what they 
are supposed to do and nothing more, TRUST program research addresses 
the full production cycle of microelectronics, including design and 
fabrication. The program is studying ways to determine whether 
malicious features have been inserted during the design or fabrication 
of application-specific integrated circuits or during the programming 
of field programmable gate arrays. DARPA is at the forefront of 
research in this area, confronting these issues in a comprehensive 
manner for the first time with expected results that will enhance and 
ensure the trustworthiness of microelectronics--regardless of where 
they have been manufactured.

National Cyber Range

    DARPA's most prominent information assurance program is the 
National Cyber Range (NCR) project, which is part of the Comprehensive 
National Cybersecurity Initiative (CNCI). DARPA was selected to run 
this program because we have some experience in the area of 
cybersecurity testing.
    The NCR will result in a testbed on which researchers and 
developers can simulate and measure technologies and their performance 
in a realistic environment, allowing cybersecurity technology testing 
under real-world conditions and across a variety of network types.
    DARPA believes the NCR will accelerate the development of leap-
ahead cybersecurity technology for the larger research community. The 
fundamental idea underlying the rationale to develop a large-scale 
cyber test range is the recognition that scientific progress is often 
paced by advances in the instrumentation available to observe and test 
new phenomena and to run rigorous experiments to verify the 
significance of these observations and theoretical insights they 
stimulate. Just as developments in microscopes and telescope 
technologies opened new worlds to scientific exploration and 
revolutionized our understanding of nature, the NCR, if successful, 
will provide the same opportunity for the cybersecurity research 
community.
    The design goal for the NCR is to enable researchers to rapidly 
create network architectures under a variety of conditions, from high 
operational demand to aggressive cyber attack, and develop responses 
based on the collected data. Simulations conducted with the highly 
automated cyber range will allow a variety of user and network 
behaviors, providing researchers insight and deeper understanding of 
how cybersecurity and situational awareness tools function in complex 
environments.
    When completed, the NCR will allow realistic, quantifiable tests 
and assessments of cybersecurity scenarios and defensive technologies, 
revolutionizing cybersecurity testing by offering vastly improved cyber 
testing capabilities in terms of:

          Scope. The NCR will allow unclassified and classified 
        testing on the same facilities, including wired and wireless 
        networks, MANETs, supervisory control and data acquisition 
        systems, and other features to simulate an extremely large 
        variety of networks. It will allow defensive technologies to be 
        tested against realistic offensives and greatly improve and 
        accelerate researchers' abilities to produce solutions and 
        rapidly deploy them.

          Scale. The NCR will have orders of magnitude more 
        nodes than currently available test ranges, providing a much 
        more realistic and valid test environment.

          Flexibility Through Automation. Under software 
        control, the NCR will be able to quickly set up a wide variety 
        of test networks and permit multiple, independent experiments 
        on the same infrastructure. A graphical user interface will 
        allow test directors to use a drag-and-drop feature to quickly 
        lay out a network architecture, its hosts, system latency, 
        environmental characteristics, and other pertinent test 
        qualities and requirements. Once this infrastructure is 
        created, it will be ready for testing immediately; the impact 
        will be to dramatically change the time required to create a 
        test environment from months to minutes.

          Efficiency. The NCR's state-of-the-art 
        instrumentation and forensics technology will enable far better 
        use of test time.

    I think that NCR could operate much like other major National 
research assets and laboratories. A number of potential operating 
models exist, including the DOD's High Performance Computing 
Modernization Program, which has been run by the DOD since the early 
1990s and makes high performance computing facilities available to 
Defense researchers for both classified and unclassified projects.
    I believe, for example, that NCR could have a panel that reviews 
and prioritizes proposals submitted by potential users for time on the 
range. One of their guiding principles would be to ensure that the 
portfolio of research fulfills the mission of the range. Such a panel 
would then schedule who gets access to the range and when, and what 
they can do on the range. An administrator would facilitate users' 
access and use of the range and ensure their individual research goals 
on the range are met. I am sure that other possible operating models 
exist.
    Two primary technical challenges must be tackled to achieve NCR's 
goals: (1) How are large-scale, highly heterogeneous networks simulated 
realistically, and what is the scale and scope needed for realistic 
experiments?; and (2) What instruments can be created to monitor 
performance during experiments to provide the greatest meaningful 
understanding of the results, even providing quantitative measures of 
performance? Real-world cybersecurity events are taking place all the 
time, but existing network administration techniques provide little 
insight into their cause without considerable effort. The point of the 
NCR is to incorporate highly sophisticated, fast, flexible, and 
efficient instrumentation and administration technologies, in a 
controlled environment, to enable full understanding of such phenomena 
rapidly and with little effort.
    In November 2007, DARPA released an unclassified Request for 
Information where we solicited the community for ideas to improve cyber 
testing. In May 2008, DARPA released a Broad Agency Announcement and 
conducted a two-day unclassified industry day soliciting solutions from 
the community and answering questions posed by the community. A 
government-wide source selection process selected the best of breed 
from those proposed. The NCR program is in its first phase. During this 
phase, there are seven teams of defense contractors, universities, 
small businesses, vendors, and service providers working on competing 
designs to be completed and delivered this summer. The next phase will 
be to take several selected design teams forward to build small-scale 
prototypes. We expect that selection and build phase to be completed in 
fall of next year, and then move on to completion and operation of the 
range.
    DARPA will not own or operate the NCR when completed. Historically, 
DARPA facilities and institutional interests have been held to an 
absolute minimum, allowing the Agency to be open to new ideas. To 
remain consistent with this management philosophy, DARPA will not own 
or operate the NCR once it is built.
    The NCR is an integral part of the CNCI, and within NCR are two key 
working groups. The NCR Joint Working Group is a stakeholders' panel 
headed by DARPA that is developing the technical vision and business 
model for the NCR. This work informs the technical capabilities needed 
and provides options on how the NCR will operate. Many issues are being 
studied, including who will manage the NCR, how it will be funded, who 
will have access, and conditions for use. Working group members 
represent DOD; the Intelligence Community; Departments of Homeland 
Security, Energy, and Treasury; National Science Foundation; Federal 
Bureau of Investigation; National Institute of Standards and 
Technology; the New York State Governor's Office; and the New Jersey 
State Police. They are invited to participate in all the steps from 
concept development to performer selection and periodic program 
reviews.
    A separate working group focuses on the crucial issue of NCR 
security requirements. The range will have to be certified to run 
classified and unclassified testing, and the various agencies have 
different security requirements and nomenclatures. This working group 
seeks security protocols that will allow the NCR to be properly 
accredited by agencies from across the Government.

Coordination of Research

    Much of the coordination of DARPA research with other government 
agencies occurs as a bottom-up process within technical communities. 
DARPA program managers are hired from government, industry, and 
academia in large measure because they are world-class technical 
experts with extensive knowledge of the research being done in their 
technical areas. In the last eight years, roughly one-third of DARPA 
program managers have come from industry, one-third from other parts of 
DOD, one-quarter from academia, and one-tenth from elsewhere. More than 
95 percent of DARPA's program managers have advanced degrees and are 
subject matter experts from a wide variety of backgrounds. DARPA's 
policy of rotating program managers after four to six years ensures a 
steady stream of new people bringing fresh ideas to the Agency.
    Because DARPA conducts none of its research in-house, its program 
managers look externally for ideas and research performers. During the 
process of starting programs, they seek good ideas wherever those ideas 
can be found, frequently by hosting workshops attended by researchers 
and other government experts. Engaging a wide spectrum of experts in a 
field through this extensive outreach effort is how DARPA coordinates 
ideas and research.
    With that overall process in mind, let me give you some examples of 
how we have worked with the National Science Foundation (NSF) in 
information assurance.
    DARPA co-funded three projects through the NSF Cybertrust Program 
(led by Stanford, University of Texas, and Princeton) dealing with 
fundamental software techniques for high assurance and security. NSF 
administered these grants to university researchers after their 
selection through the Foundation's standard, community-based, merit 
review process.
    This summer, DARPA and NSF will co-sponsor two research workshops 
related to cybersecurity. Both workshops will bring together key 
thought leaders from universities, National Institute of Standards and 
Technology, Department of Homeland Security, National Science 
Foundation, and DARPA. The first workshop is in clean slate security 
architectures, which will identify paths to fundamentally redesigning 
computers for modern threats. The second workshop is meant to begin re-
thinking the Internet. As you know, DARPA played a key role in 
developing the Internet, and our interest in the future Internet design 
workshop is to identify fundamental new network concepts that are far 
more resistant to attack than the current Internet.

60-Day Cyberspace Policy Review

    The report that came out of the 60-day Cyberspace Policy Review is 
a high-level document covering a very wide variety of policy issues, 
including leadership, organization, legal, education and training, and 
operations and incident response. With respect to research issues, the 
area of DARPA's expertise, the review clearly recognizes the centrality 
of innovation to our national cybersecurity capabilities. In 
particular, it contains a discussion of the supply chain threats that 
we are addressing in our TRUST program--a problem that may not be 
widely appreciated outside the national security community. It also 
discusses the need for modeling and simulation, capabilities that could 
be provided by the NCR when it is completed. In general, between the 
game-changing technology we are promoting and the new tools and 
facilities of the NCR, DARPA will be able to make a significant 
contribution to the innovation goals of the Cyberspace Policy Review.
    We are at the early stages of what will come out of the 60-day 
review, but having senior leadership at the White House looking hard at 
cybersecurity across the Federal Government will keep it high on the 
national agenda and stimulate progress throughout the field. As this 
process moves forward and we get a new Director at DARPA, we will be 
sure to continue to evaluate our own plans, programs and budgets for 
cybersecurity. We have been a leader in promoting cybersecurity 
research, and we look forward to continuing our role promoting radical 
innovation for national security as the implications of 60-day review 
develop more fully.
    The DOD's move toward network-centric operations means that 
information assurance will remain a crucial and long-standing concern. 
I hope my testimony today has given you a sense of DARPA's plans and 
ambitions.
    I would be pleased to answer your questions.

                     Biography for Robert F. Leheny
    Dr. Robert F. Leheny was named Acting Director of the Defense 
Advanced Research Projects Agency (DARPA) February 20, 2009. He 
continues to serve as Deputy Director of DARPA, a position he has 
occupied since June 2, 2003.
    DARPA is the principal Agency within the Department of Defense for 
research, development, and demonstration of concepts, devices, and 
systems that provide highly advanced military capabilities.
    Prior to assuming his current positions, Dr. Leheny served as 
Director of DARPA's Microsystems Technology Office. He joined DARPA in 
October 1993 as a Program Manager in the area of optoelectronics.
    Prior to joining DARPA, from 1987 to 1993, Dr. Leheny was an 
Executive Director for Network Technology Research in the Applied 
Research Laboratory of Bell Communications Research, Inc. (Bellcore, 
now known as Telcordia Technologies, Inc.), Red Bank, NJ. In this 
position he was responsible for managing an organization researching 
materials and device designs for communication systems. From 1984 to 
1987, he was Director of the Electronic Device Research Group in the 
same Laboratory at Bellcore. From 1967 to 1983 he was a member of 
technical staff in Electronics Research Lab at Bell Laboratories, Inc., 
Holmdel, NJ. From 1962 to 1967, he was a graduate student at Columbia 
University and from 1960 to 1962, he was employed as a Radar Systems 
Engineer with the Sperry Gyroscope Co., Great Neck, NY.
    Dr. Leheny received his BS from the University of Connecticut in 
1960 and a Doctor of Engineering Science Degree from Columbia 
University in 1966. In 1983, he was named a Bell Labs Distinguished 
Member of Technical Staff and in 1992 he was named a Distinguished 
Graduate of the University of Connecticut School of Engineering. In 
2003, Dr. Leheny was presented with the DOD Distinguished Civilian 
Service Award, the highest award the Department of Defense can give to 
career civil servants. He has published over 70 papers, co-edited a 
book and authored four book chapters. He is a Fellow of the IEEE and a 
member of the American Physical Society, American Association for the 
Advancement of Science, and the New York Academy of Sciences.

    Chairman Lipinski. [Presiding] Thank you, Dr. Leheny. I now 
recognize Dr. Fonash for five minutes.

   STATEMENT OF DR. PETER M. FONASH, ACTING DEPUTY ASSISTANT 
SECRETARY, OFFICE OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL 
    PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF 
                    HOMELAND SECURITY (DHS)

    Dr. Fonash. Good afternoon, Chairman Wu, Chairman Lipinski, 
and Members of the Subcommittees. Thank you for the opportunity 
to discuss the White House's recently released Cyber Policy 
Review as it relates to the Department of Homeland Security's 
ongoing efforts to secure the federal, civil, executive branch 
networks and information systems and to coordinate activities 
focused on securing the Nation's critical infrastructure.
    One of the greatest threats facing our nation is a cyber 
attack to the critical infrastructure on which we depend. Our 
society relies on technology and telecommunications to support 
our economy and critical government functions. The cyber 
threats to these systems are real, growing, and evolving. They 
are large, diverse and range from independent, unsophisticated, 
opportunistic hackers to technically competent adversaries and 
nation states.
    The Nation must be vigilant, proactive and innovative as it 
addresses and mitigates the service disruptions. The 
Department's National Cyber Security Division, or NCSD, serves 
as the national focal point for cybersecurity on behalf of DHS. 
It works with the private sector and Federal, State, local, 
tribal and international governments to assess and mitigate 
cyber risk and prepare for, prevent, and respond to cyber 
incidents.
    The Cyberspace Policy Review assesses the current state of 
U.S. cybersecurity policies and structures. Based on this 
assessment, future decisions will be made regarding U.S. 
cybersecurity policy and appropriate structures to execute it. 
It is anticipated that those decisions will focus on the 
following five key areas outlined in the Review which build 
upon existing programs and activities: (1) developing a new, 
comprehensive strategy to secure America's information and 
communications infrastructure; (2) ensuring an organized and 
unified response to future cybersecurity incidents; (3) 
strengthening public, private, and international partnerships; 
(4) investing in cutting-edge research and development; and (5) 
beginning a national campaign to promote cybersecurity 
awareness and digital literacy and to build a digital workforce 
for the 21st century.
    Within those areas, a series of near- and mid-term actions 
are set forth. DHS and NCSD, working with interagency partners, 
are actively engaged in advancing these actions. As many of 
them align with current NCSD activities, such as cybersecurity-
related information sharing with federal, State, local and 
private sector partners, supply chain risk management, cyber 
workforce development, and the promotion of cybersecurity 
through national public awareness and education efforts, NCSD's 
fiscal year 2010 budget request provides further justification 
details on how DHS tends to grow and support these and other 
cybersecurity activities necessary to protect the Nation from 
cyber threats.
    Before I address some of NCSD's current initiatives, let me 
emphasize that privacy and civil liberty considerations are at 
the center of our efforts. Protecting the privacy of Americans 
and their personal information is not just a priority, it is 
required by law and we take it very seriously.
    DHS leads a multi-agency approach to coordinate the 
security of federal, civil, executive branch networks. The 
United States Computer Emergency Readiness Team, or US-CERT, 
serves as a central federal information security incidence 
center and is the focal point for the security of federal civil 
executive branch networks. Agencies report instances to US-
CERT, and it guides agencies on enhancing detection 
capabilities and works with them to mitigate information 
security incidence. US-CERT compiles and analyzes incident 
information, shares the information with the operators of 
federal information systems. US-CERT provides products ranging 
from current and potential information security threats to 
alerts about vulnerabilities.
    In addition, US-CERT is improving its capabilities to 
protect the federal enterprise in response to growing cyber 
threats, in large part to ramp up the current activities due to 
the Comprehensive National Cybersecurity Initiative, or CNCI. 
Over the last year, DHS has led the CNCI effort to establish a 
front-line defense for federal executive branch. As part of 
this effort, DHS works with the Office of Management and Budget 
to reduce federal executive branch's external connections 
through the Trusted Internet Connection, or TIC, program. 
Consolidating such connections is the first step to creating 
front-line defense. As we reduce external connections, we will 
deploy EINSTEIN, an intrusion detection system, at trusted 
Internet connections which will allow us to more effectively 
analyze malicious activity across federal executive branch 
networks. We also work with federal agencies to develop 
additional capabilities to detect and eventually prevent 
intrusions. Such collaboration will help inform the products 
necessary to provide actionable information to our critical 
infrastructure community.
    In addition to coordinating the security of federal civil 
branch networks, we work with industry and government partners 
to secure the Nation's critical infrastructure networks. The 
vast majority of the Nation's cyber infrastructure is owned by 
the private sector. As such, cybersecurity is not exclusively a 
federal responsibility, and the key to our assured success is 
protecting cyber infrastructures' collaboration with the 
private sector. It is for this reason DHS will continue to 
strengthen and build upon a public-private partnership 
framework created under the National Infrastructure Protection 
Plan, or NIPP. The NIPP was used for one of the CNCI 
initiatives whose focus is on improving protection of privately 
owned critical network infrastructure through public-private 
partnership. It is often referred to as Project 12.
    State, local, tribal governments and international 
communities also play crucial roles in improving cybersecurity. 
Recognizing the contributions that can be made by leveraging 
such partnerships, DHS works with all levels of government and 
in the international community to help them increase awareness. 
DHS also works with other agencies to develop a plan for 
retaining a skilled, trained workforce. We need to build the 
next generation of our cybersecurity workforce that will help 
us maintain a competitive advantage. Over the coming years, we 
will focus resources on the education and training of our 
current workforce and developing and recruiting new talent. DHS 
is also encouraging university programs and provides 
scholarships to promising students.
    In conclusion, as a nation becomes ever more dependent upon 
cyber networks, we must address cybersecurity strategically. 
Overcoming new cybersecurity challenges is a difficult task 
requiring a coordinated, focused approach to better secure the 
Nation's technology communications infrastructure. President 
Obama's Cyberspace Policy Review reaffirms that cybersecurity 
is among the most significant issues facing the Nation's 
economic and national security and it solidifies the priority 
that the Administration places on improving cybersecurity.
    Thank you for your time today. I appreciate the opportunity 
to discuss the Department's efforts in advancing our 
cybersecurity posture. I would be happy to answer any questions 
from the Subcommittee.
    [The prepared statement of Dr. Fonash follows:]
                 Prepared Statement of Peter M. Fonash

Introduction

    Good afternoon, Chairman Wu, Chairman Lipinski and Members of the 
Subcommittees. Thank you for the opportunity to speak about the 
Department of Homeland Security's (DHS) ongoing efforts to secure the 
Federal Executive Branch civilian networks and information systems, the 
White House's recently released Cyberspace Policy Review, as well as 
coordinating activities focused on securing portions of the Nation's 
critical infrastructure.
    One of the greatest threats facing our nation is a cyber attack to 
our critical infrastructure and key resources (CIKR), on which our 
nation depends. Our information communications technology systems are 
integral to our daily lives. Our society relies on technology and 
telecommunications to support our economy and business operations, and 
also support critical functions of government. An attack could cause 
disruption to any or all of our key sectors and could jeopardize not 
only the private sector, but the government's ability to provide 
critical services to the public. Such an attack could also create 
cascading effects throughout the country due to the integrated and 
global nature of business today.
    The cyber threats to these systems are very real, growing, and 
evolving. The Nation must be vigilant, proactive, and innovative in its 
efforts to address and mitigate disruptions of service. What makes this 
endeavor ever more challenging is the volume and composition of these 
threats. They are large and diverse and range from independent 
unsophisticated opportunistic hackers to very technically competent 
adversaries and nation states.
    Our adversaries--both criminal and nation states--have become 
increasingly sophisticated in their methods and ability to coordinate 
malicious activities. The United States Government is aware of, and has 
responded to, malicious cyber activity directed at its civilian and 
military systems and networks over the past few years. We continue to 
remain concerned that this activity is growing more sophisticated, more 
targeted, and more prevalent.
    I am here to underscore the Department's resolve to collaborate and 
share actionable information with stakeholders to mitigate known 
threats. Engagement, however, cannot be a one-way information flow with 
the goal of simply relaying information. We must create a two-way 
dialogue and facilitate continuous feedback that helps us improve 
notification products, such as informational notices and situational 
awareness reports.
    Information sharing is an essential part of cybersecurity and we 
must continue to increase our current public/private information 
sharing and coordination efforts via the National Infrastructure 
Protection Plan (NIPP) framework. Using the NIPP framework, DHS has 
built robust working channels to exchange and integrate information 
with and among our partners in industry. Our efforts in this area have 
already begun. Through the Cross-Sector Cyber Security Working Group 
(CSCSWG), we have convened an Information Sharing Subgroup to look at 
ways to facilitate the bi-directional sharing of cyber information, 
indications, and warnings through the operational capabilities within 
and across the sectors and government. Specifically, we are looking at 
how to better share cyber threat and vulnerability information with 
those in industry who need it, understanding that some of this 
information is very sensitive. We are also developing plans on how to 
work with industry partners to obtain greater situational awareness on 
the status of CIKR networks.
    As you know, DHS is the lead agency in a multi-agency approach in 
coordinating the security of Federal Executive Branch civilian 
networks. In large part, activities currently under way are due to the 
creation of the Comprehensive National Cybersecurity Initiative (CNCI), 
which is designed to further protect federal networks and explore new 
ways to assist industries in securing their infrastructure. There is 
wide agreement that the CNCI moved the ball in the right direction. 
However, more needs to be done. President Obama's call for, and 
subsequent completion of, the White House Cyberspace Policy Review 
reaffirms that cybersecurity and cyber threats are among the most 
significant issues facing the economic and national security of our 
nation.
    At DHS we have been focused on three main areas as part of the 
CNCI:

        1)  Establishing a front line of defense;

        2)  Seeking ways to defend against a full spectrum of threats 
        through intelligence and supply chain security; and

        3)  Taking cybersecurity to the next level through workforce 
        education.

    Over the last year, DHS has been leading the effort to establish a 
front line of defense by reducing vulnerabilities and preventing 
network intrusions in the Federal Executive Branch civilian networks. 
We are improving our cybersecurity posture in this area by focusing 
government efforts on reducing external connections through the Trusted 
Internet Connection program and deploying EINSTEIN, our intrusion 
detection system. DHS is also working in close coordination with our 
interagency partners to develop additional capabilities and capacity to 
detect and eventually prevent intrusions. Such collaboration with our 
federal partners will also help to inform the products necessary to 
provide actionable information to our CIKR community.
    The Department is also seeking ways to better protect Federal 
Executive Branch civilian information systems and networks from the 
full spectrum of threats, such as from malicious code embedded in 
hardware or software products. This requires improving our global 
supply chain defense through increased awareness of threats, 
vulnerabilities, and consequences as well as collaborating with the 
National Institute of Standards and Technology in the development of 
standards, policies and best practices across the federal civilian 
enterprise. In conjunction with the Department of Defense (DOD), DHS is 
working to increase the capabilities of all federal departments and 
agencies to ensure the protection of their supply chains as well as 
their ability to mitigate risks.
    A strong workforce is also necessary to ensure the continual 
advancement of our cybersecurity posture. Successful detection and 
mitigation of threats requires us to maintain a workforce at a high 
skill level. For the safety of our information systems and networks, 
now and in the future, DHS is focusing its resources on building the 
next generation cyber workforce by improving workforce training and 
education, recruiting new talent, and providing funding for college and 
university scholarships.
    In addition, we are working with industry and government partners 
to secure the Nation's critical infrastructure networks. As you well 
know, the Federal Government does not own the Nation's information 
technology networks or communication infrastructures. The vast majority 
of the Nation's cyber infrastructure is in the hands of the private 
sector. For this reason, cybersecurity is not exclusively a federal 
responsibility, and as I mentioned earlier, collaboration with the 
private sector is essential.
    The Department's National Cyber Security Division (NCSD) serves as 
the national focal point for cybersecurity on behalf of the Department. 
The NCSD works in concert with the DHS Science and Technology 
Directorate to cohesively develop technologies that address current and 
future technology gaps. The NCSD also works with the private sector and 
Federal, State, local, tribal and international governments to assess 
and mitigate cyber risk and prepare for, prevent, and respond to cyber 
incidents. The Department maintains a strong and positive relationship 
with the National Security Agency (NSA). NSA has provided a number of 
senior level detailees to the Office of Cybersecurity and Communication 
(CS&C) and the National Cyber Security Division (NCSD) within CS&C. 
These personnel assist in the execution of CNCI and provide integral 
technical and operational expertise to the Department as we build our 
capacity and capabilities. It is a true team effort. More broadly, NCSD 
through United States Computer Emergency Readiness Team (US-CERT) 
coordinates and shares incident information with law enforcement, the 
intelligence community, as well as other key stakeholders.
    DHS is committed to advancing the resiliency of the government's 
cyber posture to better secure Federal Executive Branch civilian 
systems. DHS has a number of initiatives under way that I will discuss 
with you today. Before I move onto the initiatives, let me emphasize, 
for the record, privacy and civil liberties considerations are at the 
center of our efforts. Protecting privacy and ensuring the proper use 
of personally identifiable information is not just a priority; it is 
required by law and something we take very seriously.

Securing Our Federal Networks

    US-CERT has been identified by the Office of Management and Budget 
(OMB) as the central federal information security incident center 
required by the Federal Information Security Management Act of 2002 
(FISMA) and serves as the operational center for the security of 
cyberspace of Federal Executive Branch civilian networks and CIKR 
networks. Agencies report incidents to US-CERT, including the 
identification of malicious code, denial of service, improper usage, as 
well as incidents that involve Personally Identifiable Information 
(PII). Operating a 24/7/365 operations center, the US-CERT is the lead 
entity in the national effort to provide timely technical assistance to 
operators of agency information systems regarding cybersecurity 
incidents. In this capacity the US-CERT guides agencies on detecting 
and handling information security incidents, compiles and analyzes 
information about incidents that threaten information security, and 
informs operators of agency information systems about current and 
potential information security threats, and vulnerabilities.
    US-CERT, working with OMB, is building additional capacity to 
fulfill its responsibilities under FISMA, as well as to better protect 
the Federal Executive Branch civilian systems and networks or ``.gov.'' 
As a means of securing these networks, DHS is focused on implementing 
the Trusted Internet Connection (TIC) Initiative, which is led by the 
Office of Management and Budget. In addition, DHS is enhancing its 
EINSTEIN system, an intrusion detection capability, and deploying it at 
TICs across the Federal Government and at Networx Managed Trusted 
Internet Protocol Service (MTIPS) locations. Both of these programs 
support the efforts of the US-CERT--our 24/7/365 operations center that 
provides early watch, warning, and detection capabilities that enable 
us to more swiftly to identify and respond to malicious activity and to 
coordinate with our public and private sector partners.
    The TIC initiative is a multi-faceted program which seeks to 
improve the U.S. Government's cybersecurity posture and build capacity 
to respond to incidents by reducing and consolidating the number of 
external connections which Federal Executive agencies have to the 
Internet. The multitude of external access points gives our adversaries 
too many avenues to seek out vulnerabilities and exploit potential 
security gaps in our networks. By limiting the number of entranceways 
into our networks to a smaller number, we can better monitor traffic 
entering and exiting the network and more rapidly identify when it is 
penetrated by an attacker.
    During this process, the U.S. Government has learned a great deal 
about the federal networks. We initially identified more than 4,500 
external access points, including Internet points of presence, across 
the Federal Government. Over the past year, departments and agencies 
have reduced that number. While it is important for the government to 
reduce external access points, we also must ensure configuration 
management of the technical architecture. Through the DHS-led multi-
agency TIC technical working group, comprised of TIC Access Providers, 
we are working to develop and implement a standard technical 
architecture for perimeter security which is tested through the DHS TIC 
compliance validation process.
    Consolidating external connections and configuration management are 
the first step to creating a front line of defense. As we reduce 
external connections, we will deploy the EINSTEIN system at those TIC 
locations. This will allow us to more effectively analyze activity 
across Federal Executive Branch civilian networks. The EINSTEIN system 
helps to identify unusual network traffic patterns and trends that 
signal unauthorized network activity, allowing US-CERT to identify and 
respond to potential threats. DHS installed the first TIC on its own 
network and deployed the upgraded EINSTEIN 2 system. We will be using 
the lessons learned from our implementation process to assist other 
departments and agencies as we continue to build more TIC locations and 
install more EINSTEIN 2 systems.
    In addition to installing the EINSTEIN 2 system on DHS's network, 
we created the National Cybersecurity Protection System (NCPS) to 
create the framework under which EINSTEN 2 and future upgrades will be 
developed and deployed. NCPS is part of the overall formal acquisition 
program developed to enable the acquisition of technology that supports 
the NCSD mission including US-CERT and CNCI-related tasking.
    NCPS supports the acquisition and deployment of EINSTEIN 2. We have 
created a plan for EINSTEIN 2 deployment that includes four phases each 
with the following status:

          Phase 1--DHS Deployment: Deployment is complete and 
        operating at initial operating capability.

          Phase 2--Deployment at five selected Departments or 
        Agencies: Deployment has been completed and DHS expects initial 
        operating capability at these locations in June 2009. Technical 
        discussions for deployment and installation of the EINSTEIN 2 
        system at the final Phase 2 location are ongoing.

          Phase 3--Deployment at Networx/MTIPS Vendor Sites: 
        Conducted technical discussions with each of the Networx/MTIPS 
        contract awarded vendors. As the vendors complete their 
        technical architectures, DHS is providing the EINSTEIN 2 
        capability and working with departments and agencies on 
        implementation. DHS has commenced installation activities with 
        one MTIPS awarded vendor.

          Phase 4--Deploy to remaining Single Service TIC 
        Access Provider Departments or Agencies: Technical discussions 
        have begun with some of the remaining agencies. Deployments 
        will occur as these agencies become more technically stable in 
        their TIC implementations.

    In the future, NCPS will provide US-CERT analysts with an automated 
capability to better aggregate, correlate, and visualize information. 
In addition, DHS envisions developing an Intrusion Prevention System, 
EINSTEIN 3, for Federal Executive Branch networks and systems. The 
system once fully deployed will provide the government with an early 
warning system and situational awareness, near real-time identification 
of malicious activity, and a more comprehensive network defense.
    Together, TIC's reduction of Internet access points and EINSTEIN's 
situational awareness capabilities are examples of two of DHS's key 
initiatives designed to secure federal networks. The eventual expansion 
of the EINSTEIN system, to include intrusion prevention, will create an 
environment that will make it more difficult, more time-consuming, and 
more expensive for our cyber adversaries to reach our federal networks.
    US-CERT is also taking additional steps to improve its capabilities 
and better protect the federal enterprise in response to the growing 
threat. We recently hired additional personnel to advance US-CERT's 
capacity to improve information sharing and help government and 
industry analyze and respond to cyber threats and vulnerabilities. This 
will further enable us to respond more rapidly and mitigate damage when 
attacks do occur. Work is also ongoing to improve collaboration with 
federal departments and agencies. For example, US-CERT recently 
developed the Joint Agency Cyber Knowledge Exchange (JACKE) to improve 
situational awareness and recommend actions for federal agency security 
operation centers. We are actively looking to expand the participation 
of the JACKE program to include all 26 major departments and agencies.
    Working with the National Institute of Standards and Technology, 
DHS has established the U.S. National Vulnerability Database, the 
government's repository of standard reference data on computer 
vulnerabilities. Its data is built upon the NIST Security Content 
Automation Protocol which enables NVD data to be used by commercial 
products for standardization and automation of vulnerability 
management, measurement, and technical policy compliance checking.

Defending Against a Full Spectrum of Threats

    Globalization of the commercial information and communications 
technology marketplace provides increased opportunities for those bent 
on doing the United States harm by penetrating our supply chain and 
poisoning critical software and hardware. We need to make sure that 
products do not contain malicious code embedded in hardware or software 
that could compromise our systems and help our adversaries gain 
valuable national security information or disrupt our networks. Thus, 
it is imperative that we work towards a stronger supply chain defense 
to reduce the potential for adversaries to manipulate our information 
technology and communications products before they are installed.
    Protecting U.S. Government networks through global supply chain 
risk management requires a multi-pronged approach. DHS and the DOD have 
formed a partnership to coordinate supply chain risk management (SCRM) 
activities in the government. DHS has taken responsibility for non-
national security related systems, while DOD is responsible for 
national security systems. Addressing this risk requires greater 
awareness of threats, vulnerabilities, and consequences. It will also 
require sound acquisition policies and practices, and will require the 
adoption of supply chain and risk managements standards and best 
practices. We are working with the National Institute of Standards and 
Technology and several other agencies towards the long-term goal of 
enhancing Federal Government skills and capabilities, and to provide 
departments and agencies with the necessary tool sets to better manage 
and mitigate supply chain risk.
    The DHS SCRM Program will improve our capabilities through 
conducting SCRM pilots and establishing formal working groups within 
the government and private sector to inform program activities. The 
program is structured to meet requirements through testing, 
counterintelligence risk methodologies, best practices, controls, and 
other elements of supply chain risk management. Finally, enhancing our 
public-private partnership is essential, as the Federal Government 
cannot by itself ensure the integrity of the supply chain.

Leveraging/Partnerships

    Key to succeeding in protecting our cyber infrastructure is 
collaboration with the private sector. As previously noted, most of our 
critical infrastructure and the Nation's cyber networks are owned and 
operated by private industry. Thus, a comprehensive, holistic 
cybersecurity strategy cannot be successful without an intensive 
engagement and collaboration with the private sector. Both government 
and private sectors have much to gain from working and sharing 
information with one another. The creation of a strong partnership 
between these two sectors will help greatly in securing our cyber 
systems.
    One of the initiatives under the CNCI was dedicated to improving 
protection of privately owned critical network infrastructure through 
public private partnership (Project 12). This is one of the ways DHS is 
trying work with the private sector to improve and institutionalize 
information sharing. As a part of this initiative, we are also looking 
to increase our public-private information sharing and coordination 
efforts and are engaging in discussions with the private sector to 
encourage collaboration with the business community nationwide. These 
discussions serve as information forums for businesses to better 
understand the cyber threats identified by government and for 
government to understand better the private sector's prodigious 
cybersecurity capabilities. This bi-directional information flow is 
crucial. DHS is also working to leverage the good work that DOD has 
done with the defense industrial base sector to increase actionable bi-
directional information sharing of real and usable information with 
other sectors.
    State, local, tribal governments and international communities also 
play crucial roles in improving the U.S. cybersecurity posture. 
Recognizing the contributions that can be made by leveraging such 
partnerships, DHS is working with all levels of government across the 
Nation to help increase awareness regarding cybersecurity and related 
preparedness and response issues. Specifically, DHS provides technical 
and operational assistance to State cybersecurity partners to assist in 
planning and executing cyber exercises. To expand this effort, NCSD is 
developing a repeatable cyber exercise assistance program that will be 
deployed to assist states with their cyber exercise needs. This program 
will include background and educational materials, the potential for a 
``train the cyber exercise trainer'' program, staff and technical 
assistance with developing and executing exercises, as well as tools 
and resources to build upon past exercise efforts, and to integrate 
into future efforts such as the Cyber Storm Exercise series.
    Cyber threats do not stop at traditional physical boundaries, so 
DHS collaborates with the international community to manage global 
cyber risk. In coordination with the our federal partners, we are 
engaging both with multilateral organizations and in multilateral 
forums, such as the European Union, the Group of 8, and the Meridian 
Conference, to enhance information sharing and situational awareness, 
improve incident response capabilities and coordinate on strategic 
policy issues.

Cybersecurity Workforce Education: Improving and Maintaining Our 
                    Workforce

    In addition to being responsible for advances in our cybersecurity 
posture, DHS is working with other agencies to develop a plan for the 
retention of a skilled, trained workforce. Our adversaries are skilled 
and motivated, requiring us to constantly stay one step ahead of their 
actions. In order to address cybersecurity challenges, we need to build 
the next generation of our cybersecurity workforce that will help us 
develop a competitive advantage. Thus, we are focusing our resources on 
education and training of our current workforce, as well as recruiting 
new talent in order to develop a world-class workforce. DHS is also 
encouraging university programs and providing scholarships to promising 
students.
    DHS believes that workforce development is critically important to 
our cybersecurity mission. DHS is actively recruiting and looking to 
fill new cybersecurity positions at NCSD. These positions range from 
entry level to management. For example, increases to US-CERT's staff, 
as DHS's watch and warning center, greatly enhance its ability and 
capacity for preparedness and response activities. We are actively 
recruiting for these open positions in order to improve our 
capabilities and expand our core leadership team.
    Beyond the government domain, DHS is focusing its efforts on 
providing individuals within the cybersecurity sector of private 
industry with a baseline set of cyber skills. To achieve this, DHS 
worked across the public and private sector to develop the first 
Information Technology Security Essential Body of Knowledge to provide 
the cybersecurity community with the baseline skills and knowledge all 
information technology security professionals should possess to 
successfully perform their jobs. Cybersecurity is the responsibility of 
us all. Thus, we are striving to minimize our cyber gaps and 
vulnerabilities through both top-down and bottom-up approaches.
    As part of our shared responsibility, we cannot simply focus on the 
present. We must also look to the future. This requires us to not only 
shape the workforce, but the community of computer users as well. 
Cybersecurity and cyber safety are learned behaviors, and we need to 
teach children how to be secure online. Here we are building from the 
ground up. By teaching children skills at a young age, we are laying 
the foundation from which our future cybersecurity workforce will come, 
while simultaneously improving our cyber defense. DHS is working with 
the National Cybersecurity Alliance (NCSA) to make this vision a 
reality. In addition to ongoing work with the K-12 community, the NCSA 
recently launched its Cybersecurity Awareness Volunteer Education (C-
SAVE) Project. This program encourages security professionals to put 
their knowledge and expertise to work in their local schools and help 
fill a tremendous gap in educating young people to use the Internet 
securely and safely. We are very pleased to be working with the NCSA on 
this program as this is a crucial endeavor to ensure the continued 
success and advancement of our cybersecurity mission.

White House Cyberspace Policy Review

    On February 17, 2009, President Obama initiated a White House 
Cyberspace Policy Review of cybersecurity policies and issues affecting 
the Nation. On May 29, 2009, the results of that review were published 
by the White House in a report entitled Assuring a Trusted and 
Resilient Information and Communications Infrastructure. The review 
solidified the priority that the Administration places on improving the 
Nation's cybersecurity, and DHS will continue to have a key role as the 
lead agency for securing Federal Executive Branch civilian networks and 
collaborating with the private sector to enhance the cybersecurity of 
non-Federal CIKR networks.
    DHS will have a significant role in several near-term actions 
outlined in the report, including updating the national strategy, 
strengthening international partnerships, increasing public awareness, 
and preparing a national response plan for cyber incidents. These near-
term actions will enable DHS in collaboration with its government and 
industry partners to continue to address the growing and evolving cyber 
threat. Additionally, the operational goals of the comprehensive 
national strategy will include better coordination, response, recovery, 
and mitigation capacity across all stakeholder communities.

Conclusion

    The cyber threat is rapidly growing and evolving. As the Nation 
becomes ever more dependent upon cyber networks, we must address 
cybersecurity swiftly and surely. Overcoming new cybersecurity 
challenges is a difficult task requiring a coordinated, focused 
approach to better secure the Nation's information technology and 
communications infrastructures. Accordingly, DHS is actively working 
with its federal partners to secure the ``.gov'' domain by implementing 
a holistic strategy for securing our civilian networks and systems.
    Through government-wide programs such as TIC and EINSTEIN, we are 
enhancing the government's cybersecurity posture by reducing the number 
of external connections, including connections to the internet, while 
improving our detection and response capabilities. We are also striving 
to create a strong supply chain defense and develop an enduring, robust 
workforce.
    It cannot be over-emphasized that, while DHS is focused on 
developing the necessary analytical, response, and technical 
capabilities to create a comprehensive network defense to secure the 
Nation's CIKR, we are not in this alone. A truly comprehensive cyber 
strategy requires an open partnership with the private sector, and it 
is in this arena that we are continually working to advance our 
mission. Everyone plays a role in cybersecurity, from the Federal, 
State, local, tribal and international governments to the private 
sector to the citizens who access computers for personal use. DHS is 
committed to its cybersecurity mission and will continue to reach out 
to these parties to promote cyber awareness, identify best practices, 
mitigate risks and improve its ability to respond to cyber incidents. 
The Department is also actively pursuing avenues to further 
collaboration and information sharing with these partners. The 
developments DHS has made in strengthening federal systems, enhancing 
our operational cyber response capabilities, and strengthening the 
public-private partnership have been significant, but we are committed 
to doing more.
    Thank you for your time today. I appreciate the opportunity to 
discuss the Department's efforts in advancing our cybersecurity posture 
and increasing our security of federal networks. I will be happy to 
answer any questions from the Subcommittees.

                     Biography for Peter M. Fonash
    Dr. Peter M. Fonash is currently the Chief Technology Officer for 
the Department of Homeland Security's Assistant Secretary for CS&C. He 
assumed the additional duty of Acting Director of NCSD on 16 March 
2009. He has been a member of the Senior Executive Service since 1998.
    Prior to this appointment, Dr. Fonash was Deputy Manager and 
Director of the National Communications System (NCS), serving nine 
months as the acting Deputy Manager, and then becoming the full-time 
Director in April 2005. From 1998 until July 2004, Dr. Fonash was 
Chief, NCS Technology and Programs Division. He managed priority 
communications services technology development, network modeling and 
analysis, specialized telecommunications research and development, and 
priority services standards.
    Before arriving at the NCS, Dr. Fonash served as the Chief with the 
Defense Information System's Agency Joint Combat Support Applications 
Division, providing technical software integration services to the 
functional communities and guiding functional applications' compliance 
with the standard common operational environment. He also worked for 
the Office of the Assistant Secretary of Defense for Command, Control, 
Communications and Intelligence, and was responsible for Defense 
communications infrastructure policy and program oversight. He was also 
Chairman of the Office of the Secretary of Defense Information 
Technology (IT) Architecture Council
    From 1986 to 1994 Dr. Fonash held various Defense Information 
Systems Agency (DISA) technical positions, including Director of 
Technology, and Chief of the Advanced Technology Office. He wrote 
DISA's strategic plan and managed the development of the Technical 
Architecture for Information Management--the forerunner of today's 
Enterprise Architecture.
    Before joining the Federal Government, Dr. Fonash worked for AT&T 
and the Burroughs Corporation (Unisys).
    Dr. Fonash has a Bachelor of Science in Electrical Engineering and 
a Master of Science from the University of Pennsylvania, a Master of 
Business Administration from the University of Pennsylvania Wharton 
School, and a Doctor of Philosophy in Information Technology and 
Engineering from George Mason University. His Ph.D. dissertation was on 
software reuse metrics.

                               Discussion

    Chairman Lipinski. Thank you, Dr. Fonash. We will now move 
onto questions. Chairman Wu is down there. I am not sure if you 
want to take back the Chair here or lead off with questions or 
shall I go?
    Chairman Wu. Go ahead.
    Chairman Lipinski. Okay. This Chair will recognize himself 
for five minutes to lead off with the questions. Dr. Wing, you 
know, I was there yesterday at NSF and met with Dr. Bement and 
the AD's. Some of these things that I am going to ask about are 
not going to be a surprise to you or anyone actually who knows 
my background as a social scientist. I brought up in my opening 
statement that one of the most important things that I think is 
often overlooked and probably the weakest link that we have 
right now for cybersecurity is the general population.
    Now, I want to lead off by asking, what is NSF doing right 
now in terms of research? What research is being funded by the 
NSF or where are you trying to search out for research that 
involves social science aspects of cybersecurity and 
facilitating collaboration between social scientists and 
computer scientists?
    Dr. Wing. Thank you for your question. It gives me an 
opportunity to speak about the Trustworthy Computing program 
which is one of the things I wanted to do when I got to the 
National Science Foundation, was to actually broaden the scope 
of what we were doing in cybersecurity to make sure to include 
topics like privacy and usability, which absolutely includes 
understanding social science and how humans behave, how 
organizations behave.
    And so one of the things we specifically did was to broaden 
the scope of our Cyber TRUST Program to include privacy and 
usability, to work with our social science colleagues to make 
sure that, for instance, we have reviewers from their 
communities looking at proposals that speak directly to these 
kinds of issues. In fact, cybersecurity is of course not just 
security, reliability, privacy, and usability. It is not just 
the technical issues that all of us scientists and engineers 
like to address, but there are much broader issues like legal 
and ethical which, if you look at the whole problem, we really 
need expertise from both the scientific and engineering 
communities as well as these less-technical communities.
    So we are very much keen at the National Science Foundation 
in looking at the broader picture.
    Chairman Lipinski. Thank you, Dr. Wing. I want to throw out 
a general question for each one of you actually going along 
these lines to tell me what rules do you have at your agency, 
what type of education do you do for your employees so that 
they do not wind up practicing bad computer hygiene at the 
agency? So we will start with Ms. Furlani. Tell me if there is 
anything that you do along those lines for your employees.
    Ms. Furlani. Well, of course, because we write the 
standards for the Federal Government, we expect our employees 
to live up to a higher standard. So we do work very diligently 
with our Chief Information Officer to ensure the understanding 
of what needs to be accomplished to protect the systems and the 
citizens that are interacting with us are deployed 
appropriately into the staff. It is something that we pay a lot 
of attention to in probably a more unique situation than 
others.
    Chairman Lipinski. Actually, I have a friend who works for 
NIST who was going around to places where you can get your 
pictures printed up. He was trying to get to see where he could 
find a certain--I don't know if it was a virus or what exactly 
it was, but he was trying to find places where he could pick 
that up because he knew that this was going around to just get 
a better handle on all of this. Thank you. Dr. Wing.
    Dr. Wing. Yes, at NSF we have a Secure Information 
Technology Awareness Program. Every single NSF employee is 
required to go through a training every year, and it covers all 
the topics from how to choose a good password to shutting down 
your machine to make sure that screens with confidential 
information are not displayed and so on. And there are policy 
documents about this thick that everyone is expected to read. 
So we have a very serious--we take security very seriously, and 
everyone goes through this training program.
    Chairman Lipinski. Dr. Leheny.
    Dr. Leheny. DARPA is a relatively small agency with under 
200 government employees. We have a large number of contractors 
that work within our environment. We have no formal training 
program with regard to computer security, but as an agency 
within the Defense Department, our computers are a part of a 
larger enclave that is monitored very closely. We have a very 
robust information resource directorate that is available to 
help people work their way through problems they might be 
having with their computers. And so far we have been successful 
in locking large numbers--as you might imagine, our computer 
system is regularly under attack, and we have had good success 
at preventing those attacks from having any adverse affect on 
the operations of our computers.
    Chairman Lipinski. Thank you, Dr. Leheny. Dr. Fonash.
    Dr. Fonash. Yes, sir. Thank you. First of all, we follow 
all the FISMA best practices, and we closely follow FISMA. Our 
CIO is the person responsible for making sure those things are 
implemented across our department. We also are very much into 
security awareness training, and we annually require people to 
take security awareness. In fact, I have to take that tonight 
when I get home.
    We also have to sort of eat our own dog food in the sense 
of what we do is again, I mentioned the TRUST Internet 
connections, and we actually have two TRUST Internet 
connections and we are moving to have all our network traffic 
go through those trusted Internet connections. And we have a 
close relationship between our security operations center and 
our US-CERT. Thank you.
    Chairman Lipinski. Thank you. My time is expired. I will 
now recognize Mr. Smith.
    Mr. Smith. Thank you, Mr. Chairman. For Dr. Fonash, if we 
could maybe discuss a little bit the prioritization of the 
defenses, and with the deployment of EINSTEIN I know that 
approximately five agencies right now have already been 
deployed with EINSTEIN, is that correct?
    Dr. Fonash. We have deployed. The systems are not 
operational yet. We are actually right now in the process of--
there are several agreements that have to be set up. There is 
the service-level agreement, there is a memorandum of 
understanding. So those have to go through legal reviews, and 
in particular we have to address privacy issues. So we actually 
physically have those things established at those locations, 
but we are working the legal issues at this point in time.
    Mr. Smith. And then following will be eventually all 
agencies?
    Dr. Fonash. Well, the idea is we are doing it in phases. 
What we are doing, first of all, is we are doing it at DHS, and 
that is one of the five agencies I included. And then we are 
working now with Justice, Department of Agriculture, and State 
Department and NASA in terms of deploying trusted Internet 
connections, actual, the physical EINSTEIN devices to those 
locations. We have also worked with GSA, and we actually put on 
contract, we actually made contract modifications working with 
GSA on the networks contract, and now agencies can go to the 
networks contract and get those services, trusted Internet 
connection services, from the networks contract vehicle. And so 
we are actually working with the carriers right now, AT&T, 
Sprint, Verizon to get them so that they can provide the 
capabilities. For example, they have to have a secure facility 
to do this trusted Internet connection. So right now the 
carriers are working those particular instances of what 
equipment they need to put in place so they can offer those 
services.
    So that will be available to any agency that wants to do 
that. And then our next phase would deploy at 25 additional 
agencies and then the rest at some future point in time.
    Mr. Smith. And so can you speak to the prioritization and 
perhaps the need to deploy with every single agency?
    Dr. Fonash. I think that clearly the larger the agency and 
the more--you know, beauty is in the eye of the beholder, sir. 
So let me say that. So each agency has to make its own 
determination how important it feels its need to get this 
trusted Internet connection. We clearly at DHS have moved 
forward and actually have installed trusted Internet 
connections. In addition to that, we believe that State and 
Justice and NASA and Department of Agriculture, key locations 
that needed those trusted Internet connections, and then we 
have made available to anyone who feels that they have the need 
to immediately move to those contract vehicle. Those contract 
vehicles will be available and actually the services will be 
offered to use those capabilities through the networks 
contract, and that is the determination by those individual 
agencies as they want to move toward that capability.
    And then we have a list of 25 other agencies that we can 
provide to you if you wish in terms of what we feel are the top 
25----
    Mr. Smith. Okay. Thank you.
    Dr. Fonash.--beyond that.
    Mr. Smith. Relating to privacy, I appreciate the fact that 
the President said, with emphasis, that he would seek not to 
include monitoring the private sector networks or Internet 
traffic. Then in the New York Times last Saturday stated that 
senior Administration officials have admitted those assurances 
may be challenging to guarantee and practice and that some 
Administration officials have begun to discuss whether laws or 
regulations must be changed to allow law enforcement, military 
or intelligence agencies greater access to networks or Internet 
providers when significant evidence of a national security 
threat was found. So I mean, maybe it is easier said than done 
to say that no private sector networks or Internet traffic 
would be included in this.
    How would you respond?
    Dr. Fonash. What we do is because of the capabilities that 
we have with EINSTEIN we are actually able to--we do not track 
the individual personal part of the messages. What we do is we 
drop that and what we do is we track information, what is 
called header information, basically the information, where it 
came from, where it is going to, and we also will look at--if 
we also recognize code, we will have patterns. A particular 
code, a particular program has certain pattern, a bit pattern 
in it, so you are able to actually recognize for example 
malware. So if you have Conficker traffic or some type of 
malicious code going past, you can actually recognize what is 
called the signature of that and pick that up. But for example, 
we wouldn't get into the privacy of a person's e-mail unless 
there was some issue, a national security issue, or something 
like that. But clearly what you can do is protect the privacy 
by looking at the header information, and there will be issues 
about PKI capture as we go forward, but we will address that. 
We will make sure we are doing that linked up with the privacy 
people, you know, making sure we are protecting the privacy of 
the individual.
    Mr. Smith. And do you suggest any legislative or regulatory 
changes?
    Dr. Fonash. I think that is something that needs to be 
addressed as we go forward. At this point in time, I cannot 
recommend it.
    Mr. Smith. You do not recommend it?
    Dr. Fonash. I would not be one to say yes or no at this 
point in time. I think that is an issue that needs further 
study.
    Mr. Smith. Okay. Thank you.
    Chairman Wu. The gentleman from New Mexico, recognized for 
five minutes.
    Mr. Lujan. Mr. Chairman, thank you very much. I know that I 
read a lot in the testimonies about the need for coordination. 
If you could briefly touch upon how you were together, how the 
coordinating is working. If it is not working, what suggestions 
you may have, and also if any of you worked directly with any 
of the expertise that we have within any of our NNSA 
laboratories.
    Dr. Wing. So let me take that question on coordination. The 
coordination happens at all levels, and the best coordination 
happens in fact at the lowest level or with the technical 
people, at different agencies working together, informing each 
other about what each agency does in terms of what we fund, 
what we actually do. So we have program directors who talk to 
each other at the different agencies, and we coordinate things 
like running joint workshops to reach the academic community, 
the private sector jointly, and that coordination works 
beautifully from my perspective.
    We also have more formal techniques for coordination. For 
instance, NITRD, Networking Information Technology Research and 
Development Program, and specifically we have been overseeing 
the senior steering group of the CNCI, the National Cyber Leap 
Year that is happening right now, and we are working very well 
together on that.
    Let me also say as far as NSF goes, in working with other 
agencies like DHS and DARPA, we are actually working together 
on deploying cybersecurity testbeds. A couple of the testbeds 
that we jointly support with the other agencies, like DHS and 
DARPA, are actually starting points for DARPA's cyber range. So 
I think we coordinate quite well together.
    Mr. Lujan. Dr. Wing, do you work at all with any of the 
expertise at any of our NSA laboratories, that you are aware?
    Dr. Wing. They contribute to NITRD.
    Mr. Lujan. To which?
    Dr. Wing. NITRD.
    Mr. Lujan. And what is NITRD?
    Dr. Wing. The Networking Information Technology Research 
and Development program.
    Mr. Lujan. Okay.
    Dr. Wing. It is a coordination--an organization that 
coordinates over 13 federal agencies on networking information 
technology and research and development.
    Mr. Lujan. Okay.
    Dr. Leheny. I would support Dr. Wing's comments about how 
coordination occurs largely at the program manager working 
level. As you may be aware, DARPA is an agency that does almost 
all of its research activities outside the Agency by contract. 
Over 90 percent of our budget goes out as contracts to 
industry, academia and federal laboratories. Specifically, 
Sandia, for example, is an active participant in many of our 
programs including the National Cyber Range Development that I 
spoke about in my oral testimony. I would like to point out 
that innovation and creativity in research is an individual 
property or characteristic of individuals, and it is not a type 
of activity that works well when it is driven from above. I 
like to characterize DARPA as a bottoms-up organization. It is 
not the case that I wake up in the morning and come into work 
and ask my secretary to send me a program manager to manage 
great ideas I had overnight. Rather, it is the case that I 
arrive at work, open my e-mail and find that one of my program 
managers is trying to get on my calendar to come and tell me 
about his or her great idea. And it is in that way that new 
ideas, new programs, are created.
    Of course, in order to support the argument for creating a 
program, a program manager has to reach out to other workers in 
their particular field in order to be able to put together a 
case for why a particular program should be started and 
executed, relying solely on their own internal creation of the 
program idea. It is usually not a good way to make a convincing 
case. You want to draw on as wide a body of people familiar 
with the technology and the challenges that the program is 
going to address that you possibly can in order to make the 
strongest case that you can.
    Mr. Lujan. Thank you, Mr. Chairman. As my time expires, I 
want to see if I may be available, if time permits, for a 
second round of questions. I would like to still look a little 
bit more into the true collaboration with the NNSA 
laboratories. Not too long ago we did include an amendment to 
NITRD to include our national laboratories because there was a 
concern that maybe we weren't using the coordination as much as 
we should have been in the past. And so I would like to explore 
a little bit more and specifically pin down to the expertise 
that does exist within NSA with the attacks that they 
experience on a regular basis and then a few other questions I 
may have. So thank you very much, Mr. Chairman.
    Chairman Wu. Very good. We will come back to the gentleman.
    Now, the gentleman from Michigan, Dr. Ehlers, is recognized 
for five minutes.
    Mr. Ehlers. Thank you, Mr. Chairman. And I have a question 
for Dr. Wing, although any of you could try to answer it if you 
wish. But I was surprised to discover approximately six months 
ago that the number of students in colleges and universities 
deciding to major in computer science has gone down 
dramatically and also that there is not that much interest in 
high schools in getting involved. Everyone likes to play with 
their computer, but not very many are saying I would like to do 
this and build a better computer some time in my life. Since 
you are at NSF, you have access to all this data. What is 
happening? Is the enrollment continuing to be down? I raise 
this in the context of this hearing because if we are not 
producing the right people, we are not going to get anywhere 
with our discussions on cybersecurity, and particularly 
implementation of new ideas and new approaches. Could you 
enlighten me on that?
    Dr. Wing. Yes, thank you very much for that question. It is 
a concern, of course, at the National Science Foundation and my 
directorate about the decline in enrollments in the computer 
science undergraduate level. We had seen a decline for the past 
few years, primarily because of the dot-com bust and other 
worries. But fortunately, this past year we actually saw an 
uptick, and the community at large is much more optimistic now 
about seeing the enrollments go back up. So we are crossing our 
fingers and hoping that that will be a trend, a positive trend.
    I do share your concern that we are not producing enough 
trained and educated students in computing, not just because 
they are likely the ones to be designing and building next 
generation information technology systems that we are all going 
to enjoy using on a daily basis, but we are working as a 
community to try to increase the pipeline to increase--to 
improve how it is we project what computer science is so that 
we can attract the best and brightest to the field.
    Mr. Ehlers. I hope you are successful. It looks like Dr. 
Leheny would like to make a comment, too.
    Dr. Leheny. Yes. Thank you very much for this opportunity. 
DARPA has no specific charter to advance undergraduate or below 
education. However, we have two programs that I would like to 
inform you about that I think are attempting to overcome some 
of the issues that you raise.
    The first program is one we call Computer Science Study 
Group. It is a program targeted to untenured, young faculty 
members in computer science, and it is a three-year program. 
Over the period of three years the support level for the 
individual in the program could reach as much as a million 
dollars, and as part of the program, we bring these individuals 
onto military installations and expose them to specific areas 
of interest to the Defense Department in the hope that we can 
encourage them to think about their research agenda in terms of 
solving the kinds of problems that the Defense Department has 
to deal with.
    Currently, with the three-year program, as I mentioned, we 
bringing in about ten untenured faculty into the program each 
year. We currently have about 30 in the program. As you may be 
aware, a few years ago, we ran a series of what we called grand 
challenges which were targeted to demonstrate the ability of 
unmanned automobiles to navigate through difficult terrain. We 
found that there was an enormous amount of interest among 
students in that program and in participating in that program. 
And so we asked in our budget last year for a modest amount of 
funds, on the order of a couple million dollars, to create a 
special program that would reach out to high school students, 
particularly students interested in things like robotics in an 
attempt to stimulate interest among students and the kinds of 
problems that we have to deal with. Thank you.
    Mr. Ehlers. Also the robotics FIRST program is----
    Dr. Leheny. Yes, that is one of the groups that we expect 
to be supporting.
    Mr. Ehlers. Dr. Wing, you have something else?
    Dr. Wing. Yes, Mr. Ehlers. I forgot to mention one of the 
programs that my directorate runs is called CPATH, and it was 
recognized in fact by the 60-Day Cyberspace Policy Review as a 
way to again address a problem that you are concerned about, 
attracting the best and the brightest to computer science. And 
the whole notion of the program is to really revitalize the 
undergraduate curriculum in computer science. And one of the 
things I am very keen on doing is to actually do outreach to 
the K through 12 level because I do believe that it is 
increasing the pipe even before they get to college to explain 
what computing is all about and to get them into the field. So 
I wanted to mention the CPATH program. Thank you.
    Mr. Ehlers. Well, that is good. Thank you. And I try to do 
my part. As members of Congress, we get invited to speak in 
schools regularly, and whenever I speak in high schools I 
always tell the students they have to choose their subjects 
very carefully and they should not overlook math and science 
because when they get out and start looking for a job, they 
will discover that they will either be a nerd or work for a 
nerd and ask which they would prefer doing. And of course, they 
don't believe that, and then I simply ask them who is the 
richest man in the world? And finally the light starts to dawn 
a bit.
    But you know, they just haven't heard this. They don't 
realize it. They don't understand the possibilities. They may 
love to play with their computer, even to do esoteric things 
with it. But the thought of doing that as a career doesn't 
always cross their mind, probably because they don't have a 
contact with people who do that on a regular basis.
    Thank you very much. I yield back.
    Chairman Wu. Thank you, Dr. Ehlers. The National Science 
Foundation has data that indicates you are having success in 
your efforts.
    The gentleman from New York, recognized for five minutes.
    Mr. Tonko. Thank you, Mr. Chair. Dr. Wing, the investments 
that are made long-term wise in cybersecurity research by our 
Federal Government and certainly by the private sector can bear 
great benefits. How do you see us or NSF facilitating and 
encouraging the transfer of research from academia into that 
equation?
    Dr. Wing. Well, this a very good question because it is 
specifically relevant for cybersecurity, obviously. Academics 
can do their research, write their papers, produce students, 
and so on, but what really matters in the end is protecting and 
securing our cyberspace. And if the private sector owns most of 
that, then there has to be this more engagement between the 
academic community and the private sector.
    NSF, as I mentioned, through the Science and Technology 
Centers that we run here and the Cyber TRUST Centers that NSF 
supports, has direct connections to industry. There are 
industrial partners who serve on the advisory boards on all of 
these centers and also--so they are formal mechanisms that we 
have. Even the large awards that we grant through the PIs or 
our normal programs, often those PIs will have connections to 
industry.
    It goes without saying that a lot of the researchers, 
especially in cybersecurity, want to see that their research 
ideas are relevant and can help. And so they have a personal 
motivation to actually work with industry. Some of the 
techniques just get out there immediately. So for instance, one 
of the results recently has been in developing secure web 
browsers. And so now one of the open source web browsing 
companies has picked up those techniques immediately. A part of 
it is because many of the researchers have personal contacts in 
industry, and these kinds of things transfer informally but 
quickly.
    Another mechanism that is not formal but very useful is 
many of the students, graduate students, that are funded 
through NSF often take summer internships at companies like 
Google and Microsoft and Yahoo and so on, and one of the 
reasons that they do that is in fact how they can get access to 
real data. So there is great incentive to actually do that. 
Plus it is a very good opportunity for students to see what it 
is like to do research in an industrial setting.
    So there is a lot of free flow of information in that way, 
and it is easy for academics to talk to industry and get ideas 
out there.
    Mr. Tonko. On the flip side, how do you envision the 
private sector having the greatest influence or impact on 
creating the research agenda for NSF? Do they have a way to 
influence that agenda?
    Dr. Wing. Well, our agenda is officially--it is actually 
very much like what Dr. Leneny was saying. We are a very 
bottom-up organization as well, and it is the academic 
community that speaks to us as far as where they see the 
frontiers of research going, where the frontiers of science 
going, what the challenging science questions are, and they 
come to us with brilliant ideas and say, well, this is where 
the field is going. And in those conversations, we are always 
engaging industry. So whenever we run these planning workshops, 
industry is as invited as the academic community. So even from 
the very beginning, we try to engage the private sector in 
these kinds of strategic, agenda-setting programs, processes. 
We of course have the National Science Board where there is 
industry input through the Science Board. That helps the 
Foundation, helps us set priorities. And then as I mentioned 
before, some of the larger centers that we fund, like the TRUST 
Center, and we actually have four Cyber TRUST Centers, have 
industrial members on the advisory boards.
    So there are formal and informal mechanisms that industry 
can use to provide input into the academic research agenda.
    Mr. Tonko. And is there room for a lot more participation 
from the private sector or do you think that the awareness is 
out there and it has been pretty much heightened in the last 
couple of years, or do you think there is room for improvement 
in that?
    Dr. Wing. I actually think there is a heightened interest, 
so I have gotten specific queries from IBM, AT&T labs, besides 
the usual IT companies like Microsoft, Google, and so on. We 
interact with them very closely on all sorts of reasons. But 
specifically, I have been hearing from some of these companies 
that they would like to participate more in telling the 
academics what the real problems are and what they should be 
working on, and the academics, you know, can listen.
    The other mechanism I forgot to mention is of course in our 
review process, through the panel reviews, through the 
committee of visitors that we have. We always have industry 
representatives there to help with the reviews so that they can 
give some sanity check. Well, that is an interesting problem, 
but it is not relevant for industry. They can also help in the 
committee of visitors and provide input on the portfolio of 
investments that we make.
    So there are a lot of ways in which industry, either 
informally or formally, provides input to NSF.
    Mr. Tonko. Thank you. Thank you, Chair.
    Chairman Wu. Thank the gentleman. Mr. Smith, recognized for 
five minutes.
    Mr. Smith. I am inclined to ask about the use and 
application of sanity checks, but maybe there is not enough 
time here. I am just teasing.
    Dr. Fonash, if you wouldn't mind further discussion here, 
when it comes to public-private partnerships, I was pleased 
that the President did say that the Administration will not 
dictate security standards for private companies but will 
instead collaborate with industry to find technology solutions. 
Is that your take on his comments, briefly?
    Dr. Fonash. Yes, sir, I believe that is correct. What we 
need to do is, you know, our mission right now is predominantly 
focused on protecting the Federal Government and protecting the 
dot-mil domain and then working with our private partners, and 
in particular, our critical infrastructures and making sure 
that they are aware of the situation so we do a lot of 
information sharing, so we are working on information sharing 
programs so they are aware of the threat and so that they take 
the appropriate measures to protect the network. And I think it 
is the issue of the--appropriate level of security for the 
infrastructure which depends upon if you are dealing with a 
critical defense contractor who has critical national security 
information and is protecting that versus Walmart protecting 
the latest sales price on their network. So it is a relative 
issue. It is an issue that is somewhat based on the business 
case, you know, in terms of what is the risk, and you have to 
do risk mitigation.
    Mr. Smith. Right.
    Dr. Fonash. And so you put the appropriate investment in 
based on risk.
    Mr. Smith. In your testimony you mentioned public-private 
partnership objectives as being key. Could you elaborate on 
that and you know, really maybe define how we go about that? I 
mean, I know that we want to take care of government and then 
the private sector, but I think we need to acknowledge that 
already there is a great degree of overlap there and already 
public-private partnerships do exist, and there is transfer of 
information across the Internet between government and the 
private sector. So how do we sort through that and especially 
with the broadened use of the key objective being public-
private partnerships?
    Dr. Fonash. So the Federal Government clearly does not 
operate in a vacuum. We do our business. You know, the critical 
infrastructure that we even actually use on our own networks is 
actually owned by the ISPs or commercial carriers such as 
Verizon or AT&T. So we heavily rely on the public 
infrastructure to provide us services, to provide us 
communications, for us to do our business. And so what we do is 
we actually have under national infrastructure protection, have 
set up a process where we work with the critical 
infrastructures in terms of protecting those critical 
infrastructures. And we, the National Cyber Security Division, 
are actually the sector lead for the IT infrastructure. And 
then within cybersecurity and communications is the sector for 
cybersecurity and communications is the national communications 
system, and that is actually the sector lead for 
communications. So the two critical communications and IT 
sectors are within that authority, and we work closely with 
industry to develop risk mitigation. We are actually developing 
right now an IT risk mitigation process, and we will publish 
that in the near future so there is actually a process where 
they can actually look at the IT sector and determine, you 
know, how they do risk mitigation. That is actually a process 
that we actually developed with industry.
    Going back to the R&D, we actually work with industry. 
There is a government sector committee and there is actually a 
public industry sector community. And within that industry 
sector committee, there is actually a group that works with us 
on the R&D portion. And they actually provide us what they 
believe are the IT R&D requirements and the communications R&D 
requirements which we then pass on to the R&D community through 
our S&T directorate and also through attendance of their 
appropriate meetings.
    So we work that way. We also work from an operational point 
of view. We work for the US-CERT which provides the information 
sharing, and information security center that we run for the 
Federal Government. But we make that information available to 
our private partners in terms of the warnings. And we also are 
building upon something the Defense Department started was 
Defense Industrial Base, if you are familiar with the Defense 
Industrial Base. What that is is through the contracting 
process at DOD----
    Mr. Smith. We can maybe get into that. I just have limited 
time here, and I was just wondering, you talked a little bit 
about critical infrastructure protection. Can you perhaps 
indicate whether or not there is any intent to take the 
critical infrastructure off of the so-called Internet grid as a 
means of protection?
    Dr. Fonash. At this point in time, there are no plans to 
make it off the grid because for the most part, there are two 
reasons. First of all, the cost in terms of trying to make the 
government and private sector a private network. The cost is 
very large. It wouldn't be robust in many ways because--for 
example, because you have a separate network, you wouldn't have 
the robustness of the public network, and so I don't think 
there would be any--and then also from a security point of 
view, since you are really all using the same network--when you 
talk about the Internet, you are really talking about AT&T, 
Verizon and Sprint. And so everyone uses those networks. So it 
is a common carrier perspective here. So it is very difficult 
to take it off grid. So what we have to do is work together 
with industry in making sure it is secure, and you can have 
portions of it that are more secure. So for example looking at 
DNSSEC is something that we're looking at and going toward and 
going on the trusted Internet connection so that certain 
enclaves are more secure than others.
    Mr. Smith. Okay. Thank you.
    Chairman Wu. Thank you. Mr. Lujan, recognized for five 
minutes.
    Mr. Lujan. Thank you very much, Mr. Chairman. Ms. Furlani, 
I will begin with you. I have a few questions about the role 
that NIST pays with the payment card industry, if you can help 
me understand that and the coordination with that and what 
requirements maybe NIST has established for PCI.
    Ms. Furlani. What we have is the national vulnerability 
database which works with industry and with government to 
provide data on what the vulnerabilities are. And the PCI, the 
payment card industry, decided to use that database as their 
mechanism to determine whether their companies meet certain 
criteria. We don't tell them what to do, but we provide the 
resources that they can measure against and understand whether 
their criteria are being met before they issue a payment card.
    Mr. Lujan. So let me see if I understand that correctly. 
NIST does not mandate or prescribe any standards if you will 
that PCI has to follow? They utilize your database as a tool, 
but there is no requirement that NIST provides for them, is 
that correct?
    Ms. Furlani. We are not a regulatory agency except for the 
standards for the Federal Government to use in their 
cybersecurity.
    Mr. Lujan. Are you aware of any organization that has 
standards that the credit card industry has to follow in 
protecting consumer information against cybersecurity crimes?
    Ms. Furlani. I am not.
    Mr. Lujan. And Ms. Furlani, I am not, either. I have looked 
into this. I just thought maybe there is something out there. 
The reason I bring it up, Mr. Chairman, if there is no 
objection, I would like to submit an article from the National 
Journal 2/7/09, The Cybercrime Wave, into the record, that 
maybe we could review which outlines some of the alarming rates 
of crime, security breaches that are increasing year to year, 
money lost, Mr. Chairman, and I would make this available to 
the Committee and make sure we get a copy for the record if 
there is no objection, Mr. Chairman.
    Chairman Wu. No objection, so ordered.
    [The information follows:]
    
    
    

    Mr. Lujan. The reason I say that, Mr. Chairman, is as we 
look at this, I couldn't agree more with some of our 
colleagues. Coordination must take place from a public and 
private perspective to be able to protect consumers' 
information when they are getting hit at enormous rates. I 
think the average that an individual gets hit back to 2007 
anyway that was measured according to the article is, depending 
on the type of crime, between $3,000 and $3,500, but just 
depending on what it may hit. We all know that we are trying to 
help people out more and more today, Mr. Chairman, that are 
sometimes getting taken advantage of. And this is an area where 
I think we could truly coordinate to provide some of those 
needed protections. One of the things, Mr. Chairman, that 
vendors, as an example, are required to do is to actually keep 
the data and back it up. And those are some of the areas where 
the largest breaches occur. The article highlights a breach 
that most of us are familiar with, at TJMaxx where I think it 
was 90 million records were actually taken advantage of. To see 
truly what the requirement of the merchants are, vendors are, 
as we are looking at this cybersecurity loophole or lapses 
sometimes that take place to see what we can learn from there 
to be able to help individuals out. This is something that we 
touched on a little bit in our Homeland Security Committee 
hearing not too long ago, Mr. Chairman. I thought it was 
important to bring up.
    Lastly, Mr. Chairman, the reason that I asked the question 
about the coordination is the first item in the report says 
that we need to improve interagency coordination. And so I know 
that we read about this, and what I would ask, Mr. Chairman, if 
our witnesses today are able to provide us with any thoughts or 
ideas, whether they support that point that was brought up or 
if they have suggestions on what can be brought up. Ms. 
Furlani, before I go, I would just like to highlight the point 
I was trying to make earlier, Mr. Chairman, around the 
expertise that we have within some of our NNSA laboratories who 
have to deal with cyber attacks on a daily basis. Not only do 
they have the sophistication from a technological perspective 
on some of the data sets that they have compiled with how we 
can combat some of these attacks, but they have an interface 
with the Government and private sector as well, especially 
because of the nature of them being classified and also being 
civilian organizations because of how they have been created 
and that we look to them to see how we could utilize that 
expertise. And with the time remaining, Mr. Chairman, I would 
go to Ms. Furlani.
    Ms. Furlani. I would like to specifically mention the 
interagency coordination that has led to our new draft Special 
Publication 800-53 which recommends security controls for low-, 
medium-, or high-risk systems and the agreement with the 
Director of National Intelligence CIO, the DOD, the Committee 
on National Security Systems, and of course, NIST, so there is 
one base line for all the Federal Government which will enable 
vendors to sell into the government much more easily. Then 
other agencies that have much higher security requirements than 
what NIST normally promulgates can set their standards higher. 
This was just recently released, and it is a true outcome of 
the coordination, particularly in response to the Cyber 
Security Review.
    Chairman Wu. Thank you very much, and I want to thank you 
all for appearing before the Committee this afternoon. The 
record will remain open for two weeks for additional statements 
from Members and for answers to any follow-up questions the 
Committee may ask of witnesses. The witnesses are excused, and 
the hearing is now adjourned.
    [Whereupon, at 4:05 p.m., the Subcommittee was adjourned.]
                               Appendix:

                              ----------                              


                   Answers to Post-Hearing Questions




                   Answers to Post-Hearing Questions
Responses by Cita M. Furlani, Director, Information Technology 
        Laboratory, National Institute of Standards and Technology 
        (NIST), U.S. Department of Commerce

Questions submitted by Chairman David Wu

Q1.  The Cyberspace Policy Review recommends an increased collaboration 
with international standards bodies and the private sector to foster 
international standards and cyber-crime protocols. What are your 
current international cybersecurity standards activities and how will 
you change them to meet this recommendation?

A1. NIST is actively participating with industry in international 
standards bodies, including the Internet Engineering Task Force (IETF), 
the Institute of Electrical and Electronics Engineers (IEEE), the 
International Standards Organization (ISO), and, in coordination with 
the State Department, the International Telecommunication Union's 
Telecommunication Standardization Sector (ITU-T). NIST participation 
includes leadership positions in the IETF, IEEE, and ISO in addition to 
its technical contributions. NIST's security standards activities are 
primarily focused on preemptive measures to enhance the security of 
systems and network protocols, but we are also supporting the 
development of standards for exchange of information about security 
incidents. In response to the recommendations of the Cyberspace Policy 
Review, NIST will work closely with other agencies, the private sector 
and international standards bodies to ensure that our leadership and 
technical efforts focus on the highest priority activities.

Q2.  The Cyberspace Policy Review calls for increased collaboration 
with the private sector to create cybersecurity standards and 
guidelines. Witnesses at the Subcommittee's June 25 hearing also 
specifically recommended that NIST develop consensus standards for 
private industry with industry collaboration. How will you improve your 
collaborative efforts to implement these recommendations?

A2. While NIST's statutory authority makes Federal Information 
Processing Standards (FIPS) mandatory only for federal agencies, we 
always strive for broad, but voluntary, adoption of NIST standards. To 
promote convergence, NIST works collaboratively with industry in open 
standards forums (e.g., IETF, IEEE, and ISO) on many initiatives. We 
reference consensus standards in NIST publications where possible. In 
the rare cases where consensus standards are not the foundation, the 
NIST standards development process is an open process and always 
affords opportunities for public review and comment. Many standards 
efforts include public workshops to ensure the public, including 
industry, is informed about NIST standards activities and has early 
opportunities to provide input. In response to the Cyberspace Policy 
Review, NIST will work with the private sector to form new national 
standards bodies (e.g., within ANSI) as needed, to address additional 
cybersecurity requirements. In addition, NIST will increase its efforts 
to work with additional industry associations in the cybersecurity 
arena.

Q3.  The Cyberspace Policy Review also recommends increased interagency 
coordination. How you will change your current efforts to meet this 
recommendation?

A3. NIST works closely with many federal agencies both formally and 
informally. NIST maintains the Computer Security Resource Center (CSRC) 
to distribute security standards and guidelines and encourage broad 
sharing of information security tools and practices. The Computer 
Security Program Managers Forum provides a mechanism for NIST to share 
information directly with federal agency information security program 
managers. As with industry, all agencies are provided the opportunity 
to review and comment on NIST standards before final publication and 
are invited to participate in our public workshops. NIST participates 
in cross-agency committees such as the Committee on National Security 
Systems (CNSS) and the CIO Council and its Information Security and 
Identity Management Committee (ISIMC). NIST is an active participant in 
the National Science and Technology Council's (NSTC) Networking and 
Information Technology Research and Development (NITRD) Subcommittee 
and the NITRD Cyber Security Information Assurance Interagency Working 
Group, as well as in the NSTC Subcommittee on Biometrics & Identity 
Management. NIST also participates in the Information and 
Communications Interagency Policy Committee and related subcommittees 
to share information security technical expertise as national security 
and economic policies are developed for cyberspace. NIST works actively 
with State and local governments to promote adoption of NIST's security 
standards. To increase coordination in response to the Cyberspace 
Policy Review, NIST will reach out to additional multi-agency working 
groups to identify gaps and requirements for new capabilities to 
benefit all agencies.
                   Answers to Post-Hearing Questions
Responses by Jeannette M. Wing, Assistant Director, Computer and 
        Information Science and Engineering Directorate, National 
        Science Foundation (NSF)

Questions submitted by Chairman Daniel Lipinski

Q1.  Witnesses at the June 10th hearing emphasized the importance of 
understanding human behavior to improve cybersecurity. What is NSF's 
current investment in the social aspects of cybersecurity and how is 
NSF facilitating collaboration between social scientists and computer 
scientists? Do we need new models for such collaborations?

A1. Cybersecurity must be addressed not just from a technical 
viewpoint, but also from social, economic, legal, and policy 
viewpoints. In FY09, NSF deliberately broadened the scope in its 
Trustworthy Computing Program to include privacy and usability, 
encouraging computer scientists to work with social scientists on these 
topics. NSF also supports research on economic models, including game 
theory, for network security. Here are some examples of projects NSF 
supports that address the socio-technical aspects of cybersecurity:

          A team from Stanford and New York University composed 
        of computer scientists and social scientists developed a novel 
        ``Contextual Integrity Model,'' which considers social values 
        and legal constraints in characterizing and evaluating the flow 
        of information in organizations. The team has applied the 
        Contextual Integrity Model to privacy policies such as Health 
        Insurance Portability and Accountability Act (HIPAA), 
        Children's Online Privacy Protection Act (COPPA), and Sarbanes-
        Oxley (SOX).

          Behavioral scientists and security researchers from 
        the University of Massachusetts Lowell and Carnegie Mellon are 
        working together to identify the factors that influence a 
        user's trust in computer systems in general, and in robot 
        systems in particular.

          Through the multi-disciplinary NSF Team for Research 
        in Ubiquitous Secure Technology (TRUST), a lawyer, working with 
        computer science colleagues, investigates how technology and 
        the law interact. She spearheaded the California law that 
        requires companies who lose individuals' personal information 
        to disclose to the individuals impacted by the loss.

          A team at the NSF Cyber Trust Internet Epidemiology 
        and Defenses Center at the University of California, San Diego 
        and the University of California, Berkeley, is modeling the 
        cyber underground economy, a glowing concern because there is 
        significant criminal activity using the Internet. Of particular 
        interest as a ``metric'' is what bots cost on the open market 
        since there is as entire community that engages in bartering 
        for such machines.

    NSF facilitates collaborations between social scientists and 
computer scientists through these mechanisms: Direct funding of regular 
awards and Centers that support multiple principal investigators (PIs) 
from different disciplines (as in all the above examples); co-funding 
of awards between the Computer and Information Science and Engineering 
(CISE) Directorate and the Social, Behavioral, and Economics Sciences 
(SBE) Directorate; joint programs between CISE and SBE (e.g., Social-
Computational Systems); Dear Colleague Letters joint with SBE (e.g., 
Research on Data Confidentiality) and/or with private foundations such 
as the Alfred P. Sloan and the Ewing Marion Kauffman Foundations (e.g., 
Creating New Cyber-Enabled Data on Innovation in Organizations, which 
has a specific focus on privacy); and workshops that bring together 
different communities (e.g., the National Academies' July 2009 
Usability, Security, Privacy Workshop, co-sponsored by NSF and NIST). 
The NSF-wide Cyber-enabled Discovery and Innovation investment also 
provides an opportunity for collaboration between computer and social 
scientists. All these mechanisms, i.e., models of engagement, are 
extremely successful ways to foster collaborations between computer 
scientists and social scientists and they suffice to achieve the multi-
disciplinary challenges of cybersecurity. For the future, we envision 
strengthening ties between the two communities as both recognize that 
cybersecurity is a multi-faceted problem: technical solutions are not 
sufficient, understanding human behavior is critical, and policy-makers 
must be informed of what is or is not technically feasible.

Q2.  A major recommendation of the Administration's Cyberspace Policy 
Review is to increase cybersecurity education. The review specifically 
mentioned two NSF programs, Scholarship for Service and CPATH, in 
addition to those, how does NSF plan to change or expand its programs 
to address the education needs identified in the review? Specifically, 
how can NSF address cybersecurity education at the K-12 level?

A2. In FY09, NSF challenged the computing community in its CISE 
Pathways to Revitalize Undergraduate Education in Computing (CPATH) 
Program to focus on teaching ``computational thinking,'' the concepts 
underlying computer science, not just computer programming. Concepts 
such as algorithms, data structures, State machines, and invariants, 
which are driven by computational questions of efficiency and 
reliability are useful to everyone, regardless of one's field of study 
and regardless of one's eventual career or profession. To test out this 
view, the National Academies is conducting two workshops on 
``Computational Thinking for Everyone''; the first workshop was held in 
February 2009 and the second will be in early 2010. The focus of these 
workshops is particular for computational thinking in early grades, K-
6.
    The CPATH program also reaches out beyond the undergraduate level. 
Specifically, in the FY09 solicitation, we wrote ``. . . CISE 
encourages the exploration of new models that extend from institutions 
of higher education into the K-12 environment; activities that engage 
K-12 teachers and students to facilitate the seamless transition of 
secondary students into Computational Thinking-focused undergraduate 
programs are particularly encouraged.''
    NSF is also expanding its Broadening Participation in Computing by 
supporting efforts which bring the two thrusts of computational 
thinking and K-12 together. For example, NSF is working with the 
College Board to revisit the Computer Science Advanced Placement course 
and exam; this multi-year effort will hopefully result in a novel CS 
sequence of courses that will stress computational concepts early and 
depict a rich and in-depth view of computer science to high school 
students.
    For the future, we intend to promote a focus on computational 
concepts that would benefit everyone's analytical skills and a focus on 
outreach to K-12, through programs from across the Foundation.
    Specific to cybersecurity, let's consider three populations of 
people: users of computing technology, developers of computing 
technology, and deployers of computing technology. Users of computing 
technology need to have some basic awareness of security hygiene; for 
example, not to open e-mail attachments in messages received from 
people one does not know. Through our Cyber Trust Centers and the TRUST 
Center (cited above), and even through our regular awards, we can 
leverage the participating institutions' reach into local communities 
to expand cybersecurity hygiene education. An example of such a project 
is MySecureCyberspace (https://www.mysecurecyberspace.com/), developed 
at Carnegie Mellon and partially funded by NSF. It is a portal for all 
age ranges, from children to seniors, who need to know the basics of 
safe and secure interaction for oneself and with others on the 
Internet.
    Developers of computing technology are responsible for designing 
systems, especially software-intensive systems, with security in mind 
from the very beginning. They need to understand and be able to apply 
principles of software engineering, state-of-the-art tools to support 
secure coding, advanced programming languages that avoid entire classes 
of security vulnerabilities, and security architectures that derive 
from threat modeling. These technical topics are already covered in 
specific courses at most colleges and universities that offer computer 
science degree programs. Those who major in computer science will 
encounter these course offerings; non-majors who plan a career in 
software development should be encouraged to take such courses as well. 
To highlight the importance of these kinds of courses (for majors and 
non-majors), NSF is currently engaging the computer science community 
in a discussion on cybersecurity education at the undergraduate level.
    Deployers of computing technology, for example, system 
administrators, are the front line defense in today's cybersecurity 
battlefield. They benefit most from programs such as Scholarship for 
Service and certification programs offered by professional 
organizations and industry. NSF's Education and Human Resources (EHR) 
Directorate will continue to support the Scholarship for Service 
program.

Questions submitted by Representative Ben R. Lujan

Q1.  The Cyberspace Policy Review recommends an increased level of 
interagency coordination and a renewed emphasis on cybersecurity 
research and development. Per the Administration's recommendation, what 
will NSF change in its current interagency activities? How is NSF 
leveraging the expertise of the National Labs and the Federally Funded 
Research and Development Centers?

A1. Through leadership positions, NSF already actively engages in 
interagency cybersecurity activities through these formal mechanisms:

          Networking and Information Technology Research and 
        Development (NITRD) Program. The NSF CISE Assistant Director 
        serves as the Agency Co-Chair of NITRD. NITRD has 13 member 
        agencies.

                  The NITRD Senior Steering Group (SSG) is composed of 
                senior representatives of agencies with national 
                cybersecurity leadership positions. The NSF CISE AD 
                serves as a co-chair for SSG. The SSG provides overall 
                leadership for cybersecurity research and development 
                (R&D) coordination, serving as a conduit between 
                agencies and budget officials, between classified and 
                unclassified federal R&D, and among government, 
                academia, and industry. An example activity is the 
                National Cyber Leap Year, as part of the Comprehensive 
                National Cybersecurity Initiative (CNCI), which is 
                identifying ``game-changing'' concepts for securing 
                cyberspace.

                  The NITRD Cyber Security and Information Assurance 
                Interagency Working Group (CSIA IWG) coordinates the 
                efforts of NITRD agencies' cybersecurity programs, 
                ensuring complementary and completeness (to the extent 
                possible) in coverage of the cybersecurity R&D needs of 
                the Nation. NSF program directors are active 
                participants in CSIA IWG.

          The INFOSEC Research Council (IRC) consists of U.S. 
        Government sponsors of information security research from the 
        Department of Defense, the Intelligence Community, and Federal 
        Civil Agencies. An NSF program director co-chairs the IRC. 
        Discussions are both technical and strategic.

    As there is heightened and growing interest by the Federal 
Government in R&D for cybersecurity, NSF expects to work in the future 
with other agencies more closely and in more and more activities, both 
informal and formal. NSF's deep and broad reach into the academic 
computer science community puts NSF in a unique position: to bring the 
attention of the academic community to nearer-term and/or mission-
specific R&D cybersecurity needs of other federal agencies and to 
introduce federal agencies to the problem-solving capability, research 
results, and trained workforce of the academic community. As one 
example of how NSF's interactions have grown in just FY09, here is a 
list of cybersecurity workshops NSF has been instrumental in helping to 
foster, host, and coordinate with other agencies:

                  Science of Security Workshop, co-funded by NSF, NSA, 
                and IARPA (November 16-18, 2008). Goal: To deliberate 
                on making security into a science with measurable 
                metrics, inspired by established sciences and theories, 
                such as biology, control theory, and reliability 
                theory.

                  Usability, Security, Privacy Workshop, hosted by the 
                National Academies' Computer Science and 
                Telecommunications Board (CSTB), co-funded by NSF and 
                NIST (July 21-22, 2009). Goal: To advance objectives in 
                usable security and privacy, taking into account the 
                broad class of users, security administrators and 
                services, and explore research opportunities and 
                potential roles for the Federal Government, academia, 
                and industry and ways to embed usability considerations 
                in research, design, and development of secure systems.

                  Workshop on Clean-Slate Security Architecture, 
                hosted by NSF, co-funded by NSF and DARPA. (July 28, 
                2009). Goal: To frame a new security architecture that 
                could be the basis for new host, network and 
                applications.

                  Workshop on Security Research for the Financial 
                Infrastructure. Co-run with Treasury and co-funded by 
                NSF and DHS (October 28-29, 2009). Goal: By bringing 
                together the financial sector and academia, to gain a 
                better understanding of the security problems faced by 
                the financial sector and how the research community can 
                help solve those problems.

    Looking ahead, a possible outcome of holding such joint workshops 
is the creation of one or more joint programs between NSF and other 
agencies.
    Through NITRD, NSF formally coordinates with national laboratories, 
including the Department of Energy's National Nuclear Security Agency 
(NNSA). NSF also participated in a joint workshop with DHS and IARPA, 
co-organized by MIT and Sandia National Laboratory in November 2007. 
This ``NCDI (National Cyber Defense Initiative) Workshop-grass roots 
effort towards defining a cyber research agenda for the Nation'' was a 
precursor to CNCI. Through the ``DOE Workshops to Assess the Technology 
to Cope with Attacks to DOE systems, such as the Power Grid,'' held 
between 2007 and 2009 and organized by the Pacific Northwest National 
Laboratory, NSF presented research projects it funds on a more secure 
power grid, highlighting the Cyber Trust Trustworthy Computing 
infrastructure for the Power Grid (TCIP) Center at the University of 
Illinois, Urbana-Champaign. Finally, NSF funds academic researchers who 
themselves may directly collaborate with National Labs; for example, we 
recently funded a CAREER awardee at the University of New Mexico who 
collaborates with investigators at Sandia and Los Alamos on developing 
quantitative models of Internet censorship.
    NSF supports researchers who can tap into the expertise of 
Federally Funded Research and Development Centers. In particular, NSF 
funds the Cyber Trust Situational Awareness for Everyone (SAFE) Center 
at Carnegie Mellon, whose researchers potentially can interact with the 
Carnegie Mellon Software Engineering Institute (SEI), which is an 
FFRDC. The SEI houses the Computer Emergency Response Team (CERT) 
Coordination Center, which collects data about security vulnerabilities 
and coordinates responses to security breaches.
    Academic researchers funded by NSF often cannot interact more 
closely with members of the National Labs and FFRDCs if the systems of 
interest are classified, such as those within National Labs, or data 
are proprietary, such as that collected by CERT.
                   Answers to Post-Hearing Questions
Responses by Peter M. Fonash, Acting Deputy Assistant Secretary, Office 
        of Cybersecurity and Communications, National Protection and 
        Programs Directorate, U.S. Department of Homeland Security 
        (DHS)

Questions submitted by Chairman David Wu

Q1.  The Cyber Space Policy Review calls for increased collaboration 
with the private sector. How will you improve your collaboration 
efforts to implement this recommendation?

A1. The National Cyber Security Division (NCSD) within the Department 
of Homeland Security (DHS) collaborates closely with the private sector 
on a wide variety of initiatives in line with the Cyberspace Policy 
Review, and has always engaged in a variety of activities designed to 
further this collaboration. Specifically, NCSD engages with public and 
private-sector partners through the Critical Infrastructure Partnership 
Advisory Council (CIPAC) within the National Infrastructure Protection 
Plan (NIPP) framework. Since 2007, NCSD and its private-sector partners 
have co-chaired the Cross-Sector Cyber Security Working Group (CSCSWG) 
under CIPAC. The CSCSWG's membership includes public and private-sector 
representatives from each of the 18 Critical Infrastructure and Key 
Resources (CIKR) sectors under the NIPP. The CSCSWG meets monthly and 
offers a mechanism for public-private collaboration on cybersecurity 
initiatives, such as improving information sharing, considering 
private-sector incentives for increased cybersecurity, and developing 
cybersecurity metrics that can be used by multiple CIKR sectors. The 
co-chairs of the CSCSWG have recently formed a Steering Committee to 
ensure that the agenda and work areas undertaken by the group meet the 
needs of all CIKR sectors.
    One area of focus for the CSCSWG in the near future will be 
development of a Cyber Incident Response Plan. This plan will be 
developed in collaboration with industry and government partners and 
will provide a much needed overall framework to significantly improve 
coordination in response to cyber incidents.
    Under CIPAC, NCSD will continue to expand its engagement with 
private-sector partners to address additional issues necessary to 
secure the Nation's cyber assets, networks, systems, and functions. 
Control systems security represents an area of cyber concern that will 
see a substantially increased level of collaborative efforts, including 
the continued expansion of the Industrial Control Systems Joint Working 
Group (ICSJWG) and the Industrial Control Systems Cyber Emergency 
Response Team (ICS-CERT). Both of these groups are based on a model of 
public-private partnership and represent a growing area of 
collaboration.
    NCSD, in conjunction with the National Communications System, can 
also leverage the National Coordinating Center for Communications 
(NCC). The NCC is a joint industry-government operation. It involves 
the U.S. telecommunications industry and Federal Government 
organizations that are involved in responding to the Federal 
Government's National Security and Emergency Preparedness (NS/EP) 
communications service requirements and supports planning for a more 
resilient national and international communications system to satisfy 
those requirements.
    The mission of the National Coordinating Center is to assist in the 
initiation, coordination, restoration and reconstitution of NS/EP 
telecommunications services or facilities. The NCC is the mechanism by 
which the Federal Government and the communications industry jointly 
respond to NS/EP telecommunications service requirements. It provides 
for the rapid exchange of information and expedites NS/EP 
communications responses. While the primary focus of the NCC is the NS/
EP telecommunication service requirements of the Federal Government, 
the NCC also monitors the status of all essential telecommunication 
facilities including public switched networks.
    In addition, DHS is partnering with the Department of Defense and 
the Office of the Director of National Intelligence to engage with 
senior leadership, at the Chief Executive Officer level, in the 
information technology and defense industrial base sectors, under the 
Enduring Security Framework. This CIPAC working group recently formed 
to address the risks and opportunities to the U.S. cyber infrastructure 
inherent in globalization.
    The Office of Intelligence and Analysis (I&A) has recently 
increased the production rate of cyber threat intelligence products 
intended for use by the private sector, State and local authorities, 
and federal civilian departments and agencies. These products are 
intended to provide awareness of the cyber threats and in some cases 
provide warnings so that the appropriate resources and actions can be 
implemented to counter these cyber threats.
    I&A also, in coordination with NPPD, provides cyber threat 
briefings (classified and unclassified) to private sector 
representatives. In August and September 2009, I&A has provided or is 
scheduled to provide cyber threat intelligence briefings to the 
American Petroleum Institute (API), the Oil and Natural Gas Sector 
Coordinating Council (SCC), the Chemical SCC, and the Nuclear SCC.
    In the area of cybersecurity research and development (R&D), DHS 
pursues collaboration with the private sector through participation in 
the Networking and Information Technology Research and Development 
(NITRD) program. A representative from the DHS Science and Technology 
Directorate co-chairs the NITRD Cyber Security and Information 
Awareness (CSIA) interagency working group and is a member of the NITRD 
Senior Steering Group for Cyber Security. During the past year, these 
groups have issued three Requests for Information through the Federal 
Register (garnering more than 230 private-sector white paper responses) 
and held a National Cyber Leap Year Summit with more than 100 private-
sector participants (participants reports summarizing Summit outcomes 
are available at www.nitrd.gov/NCLYSummitIdeas.aspx). The private 
sector will continue to be engaged in the development of a game-
changing cybersecurity R&D strategy.
    Finally, we continue to look for new and better ways to enhance our 
partnership with the private sector, on both an operational and policy 
level.

Q2.  The Cyber Space Policy Review also recommends increased 
interagency coordination. How will you change your current efforts to 
meet this recommendation?

A2. Overall Federal interagency cybersecurity policy coordination 
occurs through the Interagency Policy Committee (IPC) framework under 
the President's National Security Council system. The Information and 
Communications Infrastructure IPC serves as a focal point for 
cybersecurity matters and several Sub-IPCs are used to consider 
specific topics, such as incident response and information sharing.
    The National Cyber Security Division (NCSD) within the Department 
of Homeland Security (DHS) continually strives to identify additional 
methods to facilitate coordinated responses to cyber threats. NCSD 
maintains many, often multi-faceted, relationships with government 
agency partners to fulfill its cybersecurity mission, and as we add 
personnel to meet mission needs, we will enhance not only our 
effectiveness but our ability to work with other agencies. Our existing 
relationships include operational coordination, information sharing, 
and policy formulation. NCSD's United States Computer Emergency 
Readiness Team (US-CERT) is charged with providing response support and 
coordinating the defense against cyber attacks for the Federal Civil 
Executive Branch (.gov). US-CERT focuses on improved customer service 
and improved interagency coordination in a variety of ways. For 
example, the Joint Awareness Cyber Knowledge Exchange meets biweekly to 
provide a classified forum for federal departments and agencies to 
exchange cyber threat and defense information, with US-CERT providing 
regular briefings and updates on specific ongoing threats.
    Other NCSD programs also offer significant opportunities to improve 
agency coordination, and we continue to look for new and better ways to 
build partnerships. Through the Trusted Internet Connection (TIC) 
Initiative and deployment of the National Cybersecurity Protection 
System (NCPS), operationally known as EINSTEIN, NCSD has the ability to 
work with all federal civilian departments and agencies in a 
coordinated approach to reduce and consolidate external connections 
(access points) and implement or acquire security services. DHS 
coordinated with departments and agencies to create and refine TIC 
technical requirements and architecture, bringing technical expertise 
and issue awareness from early deployments to bear as additional 
departments and agencies are added to the program. DHS also meets 
quarterly with the TIC Interagency Working Group to address specific 
implementation challenges and provide definitions and clarification, as 
well as formal recommendations for TIC policy to the Office of 
Management and Budget. NCSD will continue to work with these groups to 
track TIC implementation progress, lessons learned, and recommendations 
for improvement. In addition, planned enhancements to NCPS will improve 
US-CERT's ability to share information about cyber incidents across the 
departments and agencies, thereby increasing interagency cybersecurity 
situational awareness.
    NCSD also engages with public and private-sector partners through 
the Critical Infrastructure Partnership Advisory Council (CIPAC) 
process within the National Infrastructure Protection Plan framework. 
Since 2007, NCSD and its private-sector partners have co-chaired the 
Cross-Sector Cyber Security Working Group (CSCSWG) under CIPAC. One 
area of focus for the CSCSWG in the near future will be development of 
a Cyber Incident Response Plan. This plan will be developed in 
collaboration with industry and government partners and will provide a 
much-needed overall framework--supported by sub-frameworks, concepts of 
operations, and operating procedures--to enable significantly improved 
coordination in response to cyber incidents. Under the CIPAC engagement 
framework, NCSD will continue to expand its engagement with private-
sector partners to address additional issues necessary to secure the 
Nation's cyber assets, networks, systems, and functions.
    In light of the Cyber Space Policy Review recommendations for 
increased interagency coordination, the Office of Intelligence and 
Analysis (I&A) will continue to strengthen its established 
relationships with the members of the Intelligence Community, the cyber 
intelligence elements of the Department of Defense, and law enforcement 
entities. I&A coordinates with interagency partners on its cyber 
products and participates in the interagency development of national 
level intelligence products. In the near-term, I&A will be striving to 
increase our interactions with the intelligence components of the Non-
Title 50 and Title 10 departments and agencies. I&A continues to 
participate in intelligence community interagency coordination and 
working groups to ensure effective intelligence information sharing on 
cyber threat actors and will seek out additional partnership 
opportunities to include embedding I&A analysts in sister intelligence 
community elements. I&A plays an active role in developing all-source 
collection requirements and information needs through interagency 
coordination and working groups across the community. To ensure 
increased coordination I&A will seek to further involve DHS component 
organizations Federal, State, local and Tribal (FSTL) governments and 
critical infrastructure and key resource (CIKR) partners both public 
and private with cyber or infrastructure protection missions into the 
requirements development process to insure information deemed relevant 
to the operational components is collected by the intelligence 
community and disseminated to FSTL and CIKR partners.
    In the area of cybersecurity research and development (R&D), DHS 
pursues collaboration across the federal landscape through 
participation in the Networking and Information Technology Research and 
Development (NITRD) program. A representative from the DHS Science and 
Technology Directorate co-chairs the NITRD Cyber Security and 
Information Awareness (CSIA) interagency working group and is a member 
of the NITRD Senior Steering Group for Cyber Security.

Questions submitted by Representative Adrian Smith

Q1.  You stated in your testimony that when this effort began, the 
Federal Government had more than 4,500 access points to the Internet. I 
understand that the original plan was to reduce this number to below 
100 to enable manageable deployment of EINSTEIN. Is this still the 
objective? If not, why not, and what is the new target number of TICS? 
How much does a change in the target number of TICS change the expected 
costs of the TIC initiative?

A1. The Comprehensive National Cybersecurity Initiative's Initiative 1 
(the Trusted Internet Connection [TIC] Initiative) currently has the 
following objectives: to reduce and consolidate external access points 
across the federal enterprise; to manage the security requirements for 
Network and Security Operations Centers (NOCs/SOCs); and to establish a 
compliance program to monitor department and agency (D/A) adherence to 
TIC policy. Working together, DHS and OMB are making progress towards 
meeting this initiative.
    NCSD, OMB, and the other Federal Department and Agencies, are 
constantly assessing the appropriate number of TICS required for the 
.gov domain.
    The primary cost driver in this initiative is the number of 
physical locations where sensors need to be deployed. Multiple access 
connections can go through a single location. Therefore, changes in the 
number of access connections would not greatly affect cost.

Q2.  Due to the geographical distribution of existing TICS, efforts to 
dramatically reduce Federal Government access points to the Internet 
presumably require a significant re-routing of traffic, which 
presumably adds additional cost to agencies' Internet Service Providers 
(ISPs). Is this correct, and if so, how (a) how significant are re-
routing costs; and (b) how will this additional expense be paid for? 
Are these additional costs accounted for in agency budgets and 
planning?

A2. The geographic distribution of Trusted Internet Connections (TICs), 
in general, is not a cost factor. The TIC program is a consolidation of 
agencies' connections to external networks, not new connections. The 
Internet Service Providers (ISPs) can automatically reroute traffic on 
their network to a designated location. Pricing for traffic on an ISP 
backbone is not distance sensitive. The price sensitivity is the number 
of connections and the bandwidth of the connection to the ISP by the 
agency. Consolidation has a long-term financial benefit--namely, the 
larger the connection bandwidth, the lower the cost per unit of 
traffic. In general, there are additional charges for access lines in 
rural or remote locations.
    An agency connection to an ISP has two cost elements: the cost of 
the dedicated access circuit and a service enabling device (SED) at the 
agency location (e.g., gateway router). The TIC program introduces the 
following additional access costs: capital cost and maintenance costs 
for the TIC equipment and facilities.
    There may be additional costs for rerouting traffic within an 
agency's enterprise network; however, those costs largely depend on how 
each agency chooses to implement the TIC initiative. Agencies 
designated as TIC Access Providers (TICAPs) that are building their own 
TIC locations may incur additional costs for rerouting circuits, but 
that will depend on the outcome of negotiation efforts with the 
carriers. An option for TICAP agencies is to use a ``hybrid'' approach 
combining a subscription to the Networx Managed Trusted IP Service 
(MTIPS) with agency-specific TICs to reduce rerouting circuit costs. 
Agencies not designated as TICAPs, or those considered as seeking 
service, may comply with the TIC mandate by subscribing to the Networx 
MTIPS directly.
    The MTIPS pricing contains three primary elements: a local 
dedicated access circuit, a SED at the agency location (e.g., a 
router), and the MTIPS Port. Only the local dedicated access circuit 
cost may be distance sensitive. If agencies are already using a Networx 
provider, there should not be a change to the cost per unit of traffic 
for the local circuit. If the agency chooses separate Networx 
contractors or MTIPS contractors, or has other agency-specific 
requirements, a new local dedicated access circuit or new SEDs may be 
required, increasing the cost.
    The guidance from the Office of Management and Budget was for 
agencies to cover any additional costs out of existing funding.

Q3.  What performance measures are associated with EINSTEIN and how 
will they be used to assess effectiveness and improve performance?

A3. The National Cyber Security Division (NCSD) within the Department 
of Homeland Security (DHS) has created performance goals under the 
Government Performance Reporting Act (GPRA) and applies Key Performance 
Parameter (KPP) performance measures to the National Cybersecurity 
Protection System (NCPS), operationally known as EINSTEIN.
    Consistent with our GPRA goals, NCSD measures the percentage of 
Trusted Internet Connections (TICs) covered by NCPS. This measure 
tracks the percentage of TICS where NCPS sensors are deployed. Tracking 
this coverage of approved Internet access points for the Federal 
Government demonstrates the extent of coverage of .gov traffic that 
NCPS is providing at any given time.
    KPPs are developed as part of the DHS acquisition review process. 
KPPs demonstrate the performance capabilities that will be purchased 
with requested funding. The KPPs are broken out by the Block 
capabilities--to match NCPS deployment plans--and each builds on the 
previous Block's capability. Additionally, each measure contains both a 
threshold and objective target. The threshold is the baseline ``what-
must-be-achieved'' measure; the objective is what the NCPS is 
attempting to achieve. The table below contains the Block KPPs and 
their thresholds and objectives:



Q4.  What if any traffic volume or throughput limitations exist 
associated with EINSTIEN? Are you confident that this system can 
provide the processing power necessary to effectively analyze traffic 
and ensure against significant network delays, especially as online 
communications (including those on government networks) increasingly 
transition to more data and video intensive applications? Has the 
system's capability been validated in practice?

A4. Capacity challenges were identified as a risk; however, a 
mitigation approach was built into its development. There are two steps 
to the mitigation approach. First, initial deployment meets immediate 
and near-term bandwidth requirements as reported by the Department and/
or Agency receiving EINSTEIN. Second, the commercially scalable 
platform and collection of technologies that make up EINSTEIN, as 
designed, allow for the seamless expansion of available computing 
resources as needs arise. This flexibility is best suited to meet 
today's bandwidth requirements and provides the ability to rapidly 
accommodate future increases.
    Developmental, integration, and operational testing have been 
successfully conducted and validated to ensure that EINSTEIN's 
processing power scalability meets the increasing bandwidth demands of 
the federal network enterprise. Such testing and evaluation are part of 
a continual process as the Department of Homeland Security's National 
Cyber Security Division implements a phased deployment of EINSTEIN.

Q5.  Given that cybersecurity is a cat-and-mouse problem where network 
defenders and attackers are both constantly changing their technologies 
and methods, how confident are you that the EINSTEIN system can remain 
effective over the medium- and long-term? Is it possible (or plausible) 
that, three to four years from now, our adversaries will be employing 
completely different technological means of penetrating networks that 
could render EINSTEIN obsolete? In other words, how adaptable is the 
EINSTEIN system to changing threats, technologies, and methods?

A5. We agree that attackers are constantly changing their technologies 
and methods, and therefore network defenders must quickly evolve their 
capabilities through continuous technology insertion and evolution. DHS 
is necessarily concerned both with today's threats and those unknown 
threats that are certain to surface and evolve. With the goal of 
addressing current and future threats firmly in mind, the National 
Cyber Security Division (NCSD) recently issued a Request for 
Information to identify new capabilities from industry. NCSD's goal is 
to deploy and operate today's cybersecurity technology while 
implementing the processes to ensure that EINSTEIN can address medium 
and long-term threat technologies and methods. The Department's Science 
and Technology Directorate (S&T) has substantial efforts, coordinated 
with NCSD, to identify and fund research and development (R&D) that 
would enable NCSD's future EINSTEIN capability to adopt to changing 
threats, technologies and methods. Additionally, the Office of 
Intelligence and Analysis continues to work with its intelligence 
community partners to understand the tactics, techniques and procedures 
of threat actors as they evolve. The Department believes we can achieve 
this goal and meet future cybersecurity challenges.

Q6.  You note in your testimony that EINSTEIN deployment has been 
completed at five agencies. Is it correct that the EINSTEIN system was 
originally intended to be deployed at all agencies? Is this still the 
case? If not, how is agency participation being determined-voluntarily 
by agencies or through a government-wide prioritization effort? Does 
the lack of participation by some agencies notably increase the 
vulnerability of intrusions and information breeches at participating 
agencies?

A6. The EINSTEIN program is designed under the Comprehensive National 
Cybersecurity Initiative to provide coverage to the federal civil 
agencies. The Administration is requiring all federal civil agencies to 
participate. Success of the program depends upon full participation. 
Lack of participation by some agencies could increase risk to all the 
others--including those that have deployed EINSTEIN--by slowing the 
identification of vulnerabilities and breaches and thereby increasing 
the likelihood of cascading effects within the .gov space.

Q7.  In response to a question about the privacy of data collected 
through EINSTEIN at the hearing, you stated that ``we wouldn't get into 
the privacy or a person's e-mail unless there was some issue, a 
national security issue, or something like that.'' How is ``national 
security'' defined in this context? What agency or official is 
responsible for making a national security determination that would 
authorize inspection of content traveling across federal networks, and 
what is the associated process for doing so?

A7. EINSTEIN 2 supports the Department of Homeland Security's (DHS's) 
critical information infrastructure protection mission as established 
by the Homeland Security Act, the Federal Information Security 
Management Act (FISMA), Homeland Security Presidential Directive 7 
(HSPD-7), National Security Presidential Directive 54/Homeland Security 
Presidential Directive 23, and related authorities. FISMA requires the 
Office of Management and Budget (OMB) to oversee and ensure the 
operation of a central federal information security incident center 
that provides departments and agencies with cyber detection, analysis, 
warning, and mitigation support. In 2004, OMB identified the United 
States Computer Emergency Readiness Team (US-CERT), which is the 
operational branch of DHS's National Cyber Security Division, to carry 
out these responsibilities.
    Under HSPD-7, DHS is ``responsible for coordinating the overall 
national effort to enhance the protection of the critical 
infrastructure and key resources of the United States.'' ``Critical 
Infrastructure'' is specifically defined in the USA PATRIOT Act to mean 
``systems and assets, whether physical or virtual, so vital to the 
United States that the incapacity or destruction of such systems and 
assets would have a debilitating impact on security, national economic 
security, national public health or safety, or any combination of those 
matters.'' Malicious cyber activity that threatens one or more of these 
elements establishes the context under which EINSTEIN 2 is used by US-
CERT.
    EINSTEIN 2 passively observes network traffic to and from 
participating Federal Civilian Executive Branch department and agency 
networks. No human being reviews any of this data via EINSTEIN 2 unless 
and until specific pre-defined signatures designed to detect identified 
patterns of network traffic that may affect the integrity, 
confidentiality, or availability of computer networks or information 
are triggered. Only if such risk factors are identified within the data 
will US-CERT be alerted of potential malicious network activity. Thus, 
US-CERT does not obtain the content of all electronic communications 
passing over the protected networks but rather receives the network 
traffic relevant to a specific signature, along with the network 
traffic that is reasonably related to, and associated with, the network 
connection that caused the alert. Moreover, when an alert does occur, 
US-CERT has adopted procedures for reviewing signatures and handling 
information collected to ensure that the privacy of individuals is 
protected.
    As discussed in greater detail in the DHS Privacy Impact Assessment 
(PIA) prepared for EINSTEIN 2,\1\ EINSTEIN is not programmed to 
specifically collect or locate PII. While future signatures might be 
developed in response to threats that use what appears to be PII, the 
purpose of these signatures is to prevent malicious activity from 
reaching federal networks, not to collect or locate PII. US-CERT also 
follows procedures to remove any personal information from its products 
so that only US-CERT would see the full details of any personal 
information in the flow records, alerts, and related network traffic. 
The PIA provides additional details on the minimization process and 
related US-CERT analyst training.
---------------------------------------------------------------------------
    \1\ Available at http://www.dhs.gov/xlibrary/assets/privacy/
privacy-pia-einstein2.pdf
---------------------------------------------------------------------------
    If it comes to DHS's attention that there may be a computer network 
event or incident that has ``national security'' implications, the 
proper entity with responsibility over that event would be notified in 
accordance with laws and policies.

Q8.  What oversight and accountability mechanisms are in place to 
ensure that only data traveling to and from federal networks is routed 
off of Internet Service Provider (ISP) systems and through to EINSTEIN?

A8. Internet traffic flows to an EINSTEIN sensor either through the use 
of a Managed Trusted Internet Protocol Service (MTIPS) provided by an 
Internet Service Provider (ISP) or to the EINSTEIN sensor located at a 
department or agency's Internet access point, referred to as a Trusted 
Internet Connection (TIC). Safety mechanisms are in place under either 
EINSTEIN option to ensure that only data traveling to and from federal 
networks is routed off of ISP systems and through to EINSTEIN. Both 
options require the relevant department or agency to work with its ISP 
to ensure that only data traveling to and from federal networks is 
routed through to EINSTEIN based on Internet Protocol (IP) ranges 
assigned to the department or agency. Because federal networks do not 
allow non-agency, commercial traffic to traverse their infrastructure, 
the restriction of EINSTEIN monitoring to these IP ranges should limit 
monitoring to traffic directed to or originating from government 
systems.

MTIPS
    With respect to a department or agency that contracts with an ISP 
for MTIPS, the contract contains a provision requiring the ISP to 
ensure that only data routed to or from the department or agency's IP 
addresses is routed to the EINSTEIN sensor. Specifically, the ISP's 
General Services Administration Networx MTIPS Statement of Work 
provides that:

         traffic collection and distribution supports the transport of 
        government-only IP traffic between Agency Enterprise WANs [Wide 
        Area Networks] and TIC Portals . . .. The TIC Portal . . . 
        monitoring and management systems shall be dedicated to the 
        management and monitoring of the subscribing agencies hosted by 
        the contractor's portal and shall be isolated from commercial 
        customers.

    The ISP further confirms its responsibility to isolate government 
traffic from that of its commercial customers through a memorandum of 
agreement (MOA) executed with the Department of Homeland Security 
(DHS), which references the Statement of Work provisions. A department 
or agency that is using MTIPS also executes an MOA with DHS. Pursuant 
to this MOA, the department or agency is responsible for ensuring, in 
conjunction with the MTIPS provider, that only department or agency IP 
traffic is routed through the TIC portal where the EINSTEIN sensor is 
located.

TIC
    A department or agency using a TIC would already have a contractual 
relationship in place with its ISP. Pursuant to that relationship, the 
ISP, in its ordinary course of business, would use routing tables to 
ensure that only traffic intended for the department or agency's IP 
addresses is routed to the department or agency's networks. In 
addition, a department or agency with an EINSTEIN sensor placed at a 
TIC also must sign an MOA with DHS. Pursuant to that MOA, the 
department or agency is responsible for ensuring that only traffic 
intended for, or originating from, that department or agency is routed 
through the EINSTEIN sensor.
    Because EINSTEIN collects net flow information for all traffic 
traversing a sensor, in the rare case that the contractual routing 
protections fail, net flow information would be collected. A US-CERT 
analyst may detect the error by doing flow analysis, but the volumes of 
traffic make this unlikely. EINSTEIN's intrusion detection system (IDS) 
would only alert an analyst if the mis-routed traffic triggers an 
EINSTEIN signature. In the event of an IDS alert, and upon further 
inspection and investigation with the department or agency receiving 
the incorrectly routed traffic, a US-CERT analyst would be able to 
identify an incorrectly routed traffic error. US-CERT would then work 
with the National Cyber Security Division's Network Security Deployment 
and Federal Network Security branches, the relevant department or 
agency, the ISP and, if necessary, the MTIPS vendor to remedy the 
routing problem. In the unlikely event that an ISP's routing tables 
mistakenly assign a government IP address to a commercial client, a 
routing loop would result and would be detected by the ISP in its 
ordinary course of business. This would signal to the ISP a need to 
correct the routing table.

Q9.  What performance measures or other assessment tools have been 
developed for the CNCI? What are the primary risks to the success of 
the initiative going forward?

A9. The Department of Homeland Security's (DHS's) National Cyber 
Security Division (NCSD) is the lead or co-lead for six of the 12 
initiatives within the Comprehensive National Cybersecurity Initiative 
(CNCI).
    Currently, DHS reports both weekly and quarterly to the Joint 
Interagency Cybersecurity Taskforce. This reporting includes both 
activities and performance metrics. Performance information is reported 
quarterly to the Executive Office of the President. In addition, we 
work closely with the Office of Management and Budget on Initiatives 1-
3.

Q10.  Some organizations are calling for using liability protection 
(such as that provided by the SAFETY Act) as a tool for incentivizing 
greater private efforts to address cybersecurity. Is this being 
discussed and considered as part of your effort to collaborate with the 
private sector?

A10. Yes, the National Cyber Security Division (NCSD) within the 
Department of Homeland Security (DHS) collaborates closely with the 
private sector on a wide variety of initiatives and has always engaged 
in a variety of activities designed to further this collaboration. 
Specifically with respect to incentives, NCSD has engaged with public 
and private-sector partners through the Critical Infrastructure 
Partnership Advisory Council (CIPAC) process within the National 
Infrastructure Protection Plan (NIPP) partnership framework. Since 
2007, NCSD and its private-sector partners have co-chaired the Cross-
Sector Cyber Security Working Group (CSCSWG) under CIPAC. The CSCSWG's 
membership includes public and private-sector representatives from each 
of the 18 critical infrastructure and key resources (CIKR) sectors 
under the NIPP. The CSCSWG, which meets monthly, offers a mechanism for 
public-private collaboration on cybersecurity initiatives, such as 
improving information sharing, considering private-sector incentives 
for increased cybersecurity, and developing cybersecurity metrics that 
can be used by multiple CIKR sectors. The co-chairs of the CSCSWG have 
recently formed a steering committee to ensure that the agenda and work 
areas undertaken by the group meet the needs of all CIKR sectors.
    Leveraging this public-private partnership, DHS solicited 
recommendations and advice from industry partners on a wide range of 
incentives--from leveraging federal procurement power, to cyber 
insurance, to ensuring inclusion of cyber investments in the utility 
rate base--for increased cybersecurity. One incentive considered by the 
working group concerns increased use of the SAFETY Act to address 
cybersecurity, including the issue of liability protection. The SAFETY 
Act Office is receiving and approving applications for cybersecurity 
technologies. These recommendations will be reviewed and considered by 
the appropriate members of the interagency and taken into consideration 
in light of the significant differences in business models and 
perspectives across the sectors.

Q11.  As an alternative to regulatory- or liability-based tools to 
address private sector critical infrastructure, some have proposed 
simply taking critical infrastructure ``off the Internet grid''--that 
is making the networks necessary for managing infrastructure such as 
the electricity grid completely closed, similar to how we operate our 
classified networks. Is this something the administration is looking 
at, and do you think it could help to eliminate the security 
vulnerabilities inherent to being connected to the Internet?

A11. The strategy of taking critical infrastructure ``off the Internet 
grid'' is not an option the Department of Homeland Security is pursuing 
due to the inherent complexities and feasibility problems associated 
with the concept. The Nation's critical infrastructure and related 
information technology systems and networks are interconnected, 
diverse, and unique, such that taking them off of the global Internet 
grid would generate a wide range of problems that make the task 
unfeasible on both strategic and practical levels. Many critical 
infrastructure networks were built with a specific architecture 
designed for Internet access. Their day-to-day communications and 
business operations require this access for functions ranging from 
inventory management to customer communications. Sequestering these 
networks behind barriers, in a manner similar to how classified 
networks operate, would result in multiple problems and logistical 
difficulties. This would require a complete revision of the design and 
function of critical infrastructure and key resources (CIKR) sector 
networks, as well as changes to the operations and business models of 
CIKR sector members. An example of this is the Financial Services 
Sector, which depends on the Internet to provide real-time 
communications and transfer of electronic payments and account 
information. Additionally, several other government agencies outside of 
the Department of Homeland Security have responsibilities or regulatory 
authorities related to CIKR sectors and would have their own views on 
this subject.



