b"<html>\n<title> - AGENCY RESPONSE TO CYBERSPACE POLICY REVIEW</title>\n<body><pre>[House Hearing, 111 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n                           AGENCY RESPONSE TO\n                        CYBERSPACE POLICY REVIEW\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION\n\n                                AND THE\n\n             SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION\n\n                  COMMITTEE ON SCIENCE AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED ELEVENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JUNE 16, 2009\n\n                               __________\n\n                           Serial No. 111-34\n\n                               __________\n\n     Printed for the use of the Committee on Science and Technology\n\n\n     Available via the World Wide Web: http://www.science.house.gov\n\n                                 ______\n\n\n\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n50-171 PDF                WASHINGTON : 2010\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n\n                  COMMITTEE ON SCIENCE AND TECHNOLOGY\n\n                   HON. BART GORDON, Tennessee, Chair\nJERRY F. COSTELLO, Illinois          RALPH M. HALL, Texas\nEDDIE BERNICE JOHNSON, Texas         F. JAMES SENSENBRENNER JR., \nLYNN C. WOOLSEY, California              Wisconsin\nDAVID WU, Oregon                     LAMAR S. 
SMITH, Texas\nBRIAN BAIRD, Washington              DANA ROHRABACHER, California\nBRAD MILLER, North Carolina          ROSCOE G. BARTLETT, Maryland\nDANIEL LIPINSKI, Illinois            VERNON J. EHLERS, Michigan\nGABRIELLE GIFFORDS, Arizona          FRANK D. LUCAS, Oklahoma\nDONNA F. EDWARDS, Maryland           JUDY BIGGERT, Illinois\nMARCIA L. FUDGE, Ohio                W. TODD AKIN, Missouri\nBEN R. LUJAN, New Mexico             RANDY NEUGEBAUER, Texas\nPAUL D. TONKO, New York              BOB INGLIS, South Carolina\nPARKER GRIFFITH, Alabama             MICHAEL T. MCCAUL, Texas\nSTEVEN R. ROTHMAN, New Jersey        MARIO DIAZ-BALART, Florida\nJIM MATHESON, Utah                   BRIAN P. BILBRAY, California\nLINCOLN DAVIS, Tennessee             ADRIAN SMITH, Nebraska\nBEN CHANDLER, Kentucky               PAUL C. BROUN, Georgia\nRUSS CARNAHAN, Missouri              PETE OLSON, Texas\nBARON P. HILL, Indiana\nHARRY E. MITCHELL, Arizona\nCHARLES A. WILSON, Ohio\nKATHLEEN DAHLKEMPER, Pennsylvania\nALAN GRAYSON, Florida\nSUZANNE M. KOSMAS, Florida\nGARY C. PETERS, Michigan\nVACANCY\n                                 ------                                \n\n               Subcommittee on Technology and Innovation\n\n                      HON. DAVID WU, Oregon, Chair\nDONNA F. EDWARDS, Maryland           ADRIAN SMITH, Nebraska\nBEN R. LUJAN, New Mexico             JUDY BIGGERT, Illinois\nPAUL D. TONKO, New York              W. TODD AKIN, Missouri\nDANIEL LIPINSKI, Illinois            PAUL C. BROUN, Georgia\nHARRY E. MITCHELL, Arizona               \nGARY C. PETERS, Michigan                 \nBART GORDON, Tennessee               RALPH M. 
HALL, Texas\n                 MIKE QUEAR Subcommittee Staff Director\n        MEGHAN HOUSEWRIGHT Democratic Professional Staff Member\n            TRAVIS HITE Democratic Professional Staff Member\n         HOLLY LOGUE PRUTZ Democratic Professional Staff Member\n             DAN BYERS Republican Professional Staff Member\n                  VICTORIA JOHNSTON Research Assistant\n                                 ------                                \n\n             Subcommittee on Research and Science Education\n\n                 HON. DANIEL LIPINSKI, Illinois, Chair\nEDDIE BERNICE JOHNSON, Texas         VERNON J. EHLERS, Michigan\nBRIAN BAIRD, Washington              RANDY NEUGEBAUER, Texas\nMARCIA L. FUDGE, Ohio                BOB INGLIS, South Carolina\nPAUL D. TONKO, New York              BRIAN P. BILBRAY, California\nPARKER GRIFFITH, Alabama                 \nRUSS CARNAHAN, Missouri                  \nBART GORDON, Tennessee               RALPH M. HALL, Texas\n               DAHLIA SOKOLOV Subcommittee Staff Director\n            MARCY GALLO Democratic Professional Staff Member\n           MELE WILLIAMS Republican Professional Staff Member\n                    BESS CAUGHRAN Research Assistant\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                             June 16, 2009\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative David Wu, Chairman, Subcommittee on \n  Technology and Innovation, Committee on Science and Technology, \n  U.S. House of Representatives..................................    10\n    Written Statement............................................    
10\n\nStatement by Representative Adrian Smith, Ranking Minority \n  Member, Subcommittee on Technology and Innovation, Committee on \n  Science and Technology, U.S. House of Representatives..........    11\n    Written Statement............................................    12\n\nStatement by Representative Daniel Lipinski, Chairman, \n  Subcommittee on Research and Science Education, Committee on \n  Science and Technology, U.S. House of Representatives..........    12\n    Written Statement............................................    13\n\nStatement by Representative Vernon J. Ehlers, Ranking Minority \n  Member, Subcommittee on Research and Science Education, \n  Committee on Science and Technology, U.S. House of \n  Representatives................................................    13\n    Written Statement............................................    14\n\nPrepared Statement by Representative Harry E. Mitchell, Member, \n  Subcommittee on Technology and Innovation, Committee on Science \n  and Technology, U.S. House of Representatives..................    14\n\n                               Witnesses:\n\nMs. Cita M. Furlani, Director, Information Technology Laboratory, \n  National Institute of Standards and Technology (NIST), U.S. \n  Department of Commerce\n    Oral Statement...............................................    15\n    Written Statement............................................    16\n    Biography....................................................    20\n\nDr. Jeannette M. Wing, Assistant Director, Computer and \n  Information Science and Engineering Directorate, National \n  Science Foundation (NSF)\n    Oral Statement...............................................    21\n    Written Statement............................................    23\n    Biography....................................................    27\n\nDr. Robert F. 
Leheny, Acting Director, Defense Advanced Research \n  Projects Agency (DARPA)\n    Oral Statement...............................................    28\n    Written Statement............................................    30\n    Biography....................................................    37\n\nDr. Peter M. Fonash, Acting Deputy Assistant Secretary, Office of \n  Cybersecurity and Communications, National Protection and \n  Programs Directorate, U.S. Department of Homeland Security \n  (DHS)\n    Oral Statement...............................................    37\n    Written Statement............................................    40\n    Biography....................................................    45\n\nDiscussion.......................................................    46\n\n              Appendix: Answers to Post-Hearing Questions\n\nMs. Cita M. Furlani, Director, Information Technology Laboratory, \n  National Institute of Standards and Technology (NIST), U.S. \n  Department of Commerce.........................................    68\n\nDr. Jeannette M. Wing, Assistant Director, Computer and \n  Information Science and Engineering Directorate, National \n  Science Foundation (NSF).......................................    70\n\nDr. Peter M. Fonash, Acting Deputy Assistant Secretary, Office of \n  Cybersecurity and Communications, National Protection and \n  Programs Directorate, U.S. Department of Homeland Security \n  (DHS)..........................................................    
74\n\n \n              AGENCY RESPONSE TO CYBERSPACE POLICY REVIEW\n\n                              ----------                              \n\n\n                         TUESDAY, JUNE 16, 2009\n\n                  House of Representatives,\n         Subcommittee on Technology and Innovation,\n                                   jointly with the\n            Subcommittee on Research and Science Education,\n                       Committee on Science and Technology,\n                                                    Washington, DC.\n\n    The Subcommittees met, pursuant to call, at 2:47 p.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. David Wu \n[Chairman of the Subcommittee on Technology and Innovation] \npresiding.\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                            hearing charter\n\n               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION\n\n                            JOINTLY WITH THE\n\n             SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION\n\n                  COMMITTEE ON SCIENCE AND TECHNOLOGY\n\n                     U.S. HOUSE OF REPRESENTATIVES\n\n                           Agency Response to\n\n                        Cyberspace Policy Review\n\n                         tuesday, june 16, 2009\n                          2:00 p.m.-4:00 p.m.\n                   2318 rayburn house office building\n\nPurpose\n\n    On Tuesday, June 16, 2009, the Subcommittee on Technology and \nInnovation and the Subcommittee on Research and Science Education will \nconvene a joint hearing to review the response of the Department of \nHomeland Security (DHS), the National Institute of Standards and \nTechnology (NIST), the National Science Foundation (NSF), and the \nDefense Advanced Research Projects Agency (DARPA) to the findings and \nrecommendations in the Administration's 60-day Cyberspace Policy \nReview.\n\nII. Witnesses\n\nMs. 
Cita Furlani is the Director of the Information Technology \nLaboratory at the National Institute of Standards and Technology.\n\nDr. Jeannette Wing is the Assistant Director of the Directorate for \nComputer & Information Science & Engineering at the National Science \nFoundation.\n\nDr. Robert Leheny is the Acting Director of the Defense Advanced \nResearch Projects Agency at the Department of Defense.\n\nDr. Peter Fonash is the Acting Deputy Assistant Secretary for the \nOffice of Cybersecurity and Communications at the Department of Homeland \nSecurity.\n\nIII. Overview\n\n    In January 2008, the Bush Administration established, through a \nseries of classified executive directives, the Comprehensive National \nCybersecurity Initiative (CNCI). While the details of the CNCI are \nlargely classified, the goal of the multi-faceted initiative was to \nsecure federal systems.\\1\\ A number of security experts have expressed \nconcern that the classified nature of the CNCI has inhibited active \nengagement with the private sector despite the fact that 85 percent of \nthe Nation's critical infrastructure is owned and operated by private \nentities. While experts are concerned by the lack of transparency and \npublic-private cooperation under the CNCI, they have also urged \nPresident Obama to build upon the existing structure. In February 2009, \nthe Obama Administration called for a 60-day review of the national \ncybersecurity strategy. The President's review required the development \nof a framework that would ensure that the CNCI was adequately funded, \nintegrated, and coordinated among federal agencies, the private sector, \nand State and local authorities.\n---------------------------------------------------------------------------\n    \\1\\ CNCI objectives have been assembled from various media reports. 
\nComprehensive National Cybersecurity Initiative: Legal Authorities and \nPolicy Considerations, http://apps.crs.gov/products/r/pdf/R40427.pdf\n---------------------------------------------------------------------------\n    On May 29, 2009, the Administration released its 60-day review of \ncyberspace policy. The review team acknowledged the difficult task of \naddressing cybersecurity concerns in a comprehensive fashion due to the \nlarge number of federal departments and agencies with cybersecurity \nresponsibilities and overlapping authorities. According to the review, \ncybersecurity leadership must come from the top. To that end, the \nPresident plans to appoint a ``cyber czar'' who will oversee the \ndevelopment and implementation of a national strategy for improving \ncybersecurity. The appointee will report to both the National Security \nCouncil and the National Economic Council. The report suggests that the \nappointee should also chair the Information and Communications \nInfrastructure Interagency Policy Council (ICI-IPC), an existing policy \ncoordinating body to ensure ``a reliable, secure and survivable global \ninformation and communications infrastructure.'' The review team also \nemphasized the need for the Federal Government to partner with the \nprivate sector to guarantee a secure and reliable infrastructure. \nFurthermore, it highlighted the need for increased public awareness, \nthe education and expansion of the Information Technology (IT) \nworkforce, and the importance of advancing cybersecurity research and \ndevelopment.\n\nIV. Issues and Concerns\n\n    The Cyberspace Policy Review includes a number of near-term and \nmid-term action plans that are relevant to the Committee's work on the \nissue. (Please see the appendix for a complete list.) The review \nuniformly calls for increased coordination and integration of current \nefforts among all federal departments and agencies. 
The Committee is \ninterested in how information is shared across the diverse array of \ncoordinating bodies, which models of coordination are the most \neffective, and why the current mechanisms have been inadequate.\n\nResearch and Development\n    In the near-term, the review team recommends the development of a \nframework for research and development (R&D) strategies that focus on \ngame-changing technologies that have the potential to enhance the \nsecurity, reliability, resilience, and trustworthiness of the digital \ninfrastructure.\n    In the mid-term, the review team recommends that the agencies \nexpand support for R&D to ensure the Nation's continued ability to \ncompete in the information age economy.\n    Unclassified federal cybersecurity R&D is inventoried under the \ninteragency Networking and Information Technology R&D (NITRD) Program. \nThe NITRD agencies have requested a total of $343 million for the Cyber \nSecurity and Information Assurance (CSIA) R&D in FY 2010. A report\\2\\ \nby the Center for Strategic and International Studies (CSIS) on \ncybersecurity stated that ``a $300 million R&D investment is \ninadequate.'' Additionally, a 2007 National Research Council (NRC) \nreport\\3\\ on cyberspace indicated that cybersecurity research funding \nwas too low for researchers to pursue their promising ideas and \nsustained funding was necessary to increase the number of researchers \nexamining cybersecurity topics; however, neither report offers guidance \non the appropriate level of funding.\n---------------------------------------------------------------------------\n    \\2\\ Securing Cyberspace for the 44th Presidency, Center for \nStrategic and International Studies, http://www.csis.org/component/\noption,com_csis_pubs/task,view/id,5157/type,0/\n    \\3\\ Toward a Safer and More Secure Cyberspace, National Research \nCouncil, 
http://www.nap.edu/catalog.php?record_id=11925\n---------------------------------------------------------------------------\n    The task of coordinating unclassified cybersecurity R&D falls to the \nCSIA interagency working group under NITRD, and to date, there have \nbeen no suggestions that another group should assume this \nresponsibility. However, the federal plan for cybersecurity R&D \ndeveloped by the working group in 2006 has been heavily criticized. The \nvarious reports\\2\\ \\3\\ and groups indicate that the \nplan is just an aggregate of agency R&D activities, and they have \ncalled for the development of a set of national research objectives and \nfunding priorities as well as a roadmap to achieve those objectives. \nExperts have also expressed concern that the CSIA R&D portfolio is \ninappropriately weighted toward short-term projects rather than long-\nterm, potentially transformative research. Additionally, private sector \nstakeholders, including witnesses at the June 10th hearing, have \nsuggested that NITRD is requesting input on the R&D agenda too late in \nthe process for the input to be properly considered. The Committee is \ninterested in the development of a national cybersecurity strategy with \nclear R&D objectives that is fully informed by academic and industry \nstakeholders.\n    The review team also recommended that the agencies provide the \nresearch community access to event data to facilitate developing tools, \ntesting theories, and identifying workable solutions. Some in the \nresearch community have expressed concern that much of the realistic \ndata necessary for the modeling and evaluation of cybersecurity \ntechnologies is classified or proprietary and therefore unavailable to \nthem. 
DARPA is in the process of developing a large-scale testbed, the \nNational Cyber Range (NCR), which will provide ``an environment for \nrealistic, qualitative and quantitative assessment of potentially \nrevolutionary cyber research and development technologies.'' According \nto DARPA officials, the intent is to have the NCR available for both \nclassified and unclassified research, but it remains to be determined \nif adequate firewalls can be built into the system to make this a \nviable goal. Related to that, the Committee is interested in exploring \nto what extent the academic research community will be involved in the \ndesign of NCR and whether NCR will meet their needs assuming they are \ngranted access.\n\nEducation\n    There is general agreement that there are significant unmet needs \nfor both public education and formal education and training for \ninformation technology students and professionals. The Administration's \nreview team called for the evaluation and possible expansion of \nexisting education programs, and specifically mentioned three programs: \nPathways to Revitalized Undergraduate Education in Computing (CPATH), \nScholarship for Service, and the National Centers for Academic \nExcellence in Information Assurance Education and Research.\n    CPATH is an NSF sponsored program that seeks to increase the number \nof students with computational thinking skills by providing those types \nof learning opportunities in core computing classes and in other fields \nof study. The CPATH program receives $10 million annually.\n    The Scholarship for Service program is sponsored by NSF and DHS and \nit provides two-year scholarships to students who are interested in \npursuing a degree in information assurance and computer security. \nScholarship recipients are required to work for two years in the \nFederal Government upon completion of their degree. 
The Scholarship for \nService program is funded at $10.3 million for FY 2009, and to date, \n970 scholars have been placed in federal agencies.\n    The National Centers for Academic Excellence in Information \nAssurance Education and Research, which have been in place since 1998, \nare sponsored by the National Security Agency (NSA) and DHS. \nInstitutions must meet specific requirements prior to designation as a \ncenter for excellence and they must go through re-certification every \nfive years. There are currently 94 institutions across 38 states and \nthe District of Columbia. A number of institutions have expressed \nconcern that the certification requirements do not accurately reflect \nthe rigorousness of the information assurance or computer security \ndegree offered by the institution, and therefore have chosen to let \ntheir certification lapse.\n\nStandards and Metrics\n    Throughout its recommendations, the review team highlights the need \nfor the increased use of metrics to guide strategies and to make key \nplanning decisions. They recommend the development of a formal program \nassessment framework that would guide departments and agencies in \ndefining the purpose, goal, and success criteria for each program. This \nframework could then be used as a basis for implementing a performance-\nbased budgeting process, setting priorities for research and \ndevelopment initiatives, and assisting in development of the next-\ngeneration networks.\n    The review team also stresses the importance of developing \nstandards for incident reporting, for both the Federal Government and \nprivate industry. Current reporting policies vary by federal department \nand agency based on their statutory authorities, privacy concerns, and \nhistorical practices. 
The consolidation of reporting policies in the \nFederal Government and expansion into the private sector would allow \nfor more reliable and timely responses to cyber attacks.\n    When developing cybersecurity standards and guidelines, NIST \nmonitors standards from international bodies such as the International \nOrganization for Standardization (ISO). The review team, along with a \nreport\\4\\ from the Government Accountability Office (GAO), recommends \nthat the Federal Government not only adopt appropriate standards \ndeveloped by international bodies, but actively work with them to \ndevelop standards that will provide solidarity across international \nborders.\n---------------------------------------------------------------------------\n    \\4\\ National Cybersecurity Strategy: Key Improvements Are Needed to \nStrengthen the Nation's Posture, Government Accountability Office, \nhttp://www.gao.gov/new.items/d09432t.pdf\n\nCybersecurity Operations and Information Coordination\n    The review team calls for assessments of many of the cybersecurity \nprograms in DHS and for an increased level of coordination among the \nfederal departments and agencies, as well as the private sector. \nAlthough the report highlights coordination and partnership as a key \nelement in cybersecurity strategy, it concedes that private industry \nmay be reluctant to give information on cyber attacks due to concerns \nabout reputational harm and liability. The Federal Government limits \nshared information based on the need to protect sensitive intelligence \nsources and the privacy rights of individuals. For programs like DHS's \nNational Cyber Alert System to function as intended, guidelines must be \nestablished to enable all parties to effectively distribute cyber \nattack information and respond appropriately.\n\nV. Background\n\n    In the current system, responsibilities for the security of federal \nnetwork systems fall to many different agencies. 
NSA is responsible for \nall classified network systems. The Department of Defense (DOD) is \nresponsible for military network systems and DHS is responsible for all \nfederal civilian network systems. Additionally, DHS is responsible for \ncommunicating information on cyber attacks to other federal agencies. \nNIST develops and promulgates standards to help secure the federal \ncivilian network systems, along with their other roles that will be \ndiscussed below. The Office of Management and Budget (OMB) implements \nand enforces the standards set by NIST. Three key agencies, NSF, DHS \nand DOD (specifically DARPA) fund the majority of cybersecurity R&D.\n\nDepartment of Homeland Security\n\n    As tasked in Homeland Security Presidential Directive (HSPD) 7, \nDHS, ``. . . shall be responsible for coordinating the overall national \neffort to enhance the protection of the critical infrastructure and key \nresources of the United States. The Secretary shall serve as the \nprincipal federal official to lead, integrate, and coordinate \nimplementation of efforts among federal departments and agencies, State \nand local governments, and the private sector to protect critical \ninfrastructure and key resources.'' As a response to HSPD-7, DHS \ncreated the National Cyber Security Division, detailed below. In 2008, \nHSPD-23, which was mostly classified, called for a central location to \ngather all of the cybersecurity information on attacks and \nvulnerabilities. DHS created the National Cyber Security Center to meet \nthis need.\n\nNational Cyber Security Division\n\n    The National Cyber Security Division (NCSD) is the operational arm \nof DHS's cybersecurity group and handles a host of tasks: they detect \nand analyze cyber attacks, disseminate cyber attack warnings to other \nFederal Government agencies, conduct cybersecurity exercises, and help \nreduce software vulnerabilities. 
The budget request for the NCSD is \n$400 million, an increase of $87 million above FY 2009.\n\n        <bullet>  United States Computer Emergency Readiness Team\n           Within NCSD, the U.S. Computer Emergency Readiness Team (US-\n        CERT) monitors the federal civilian network systems on a 24/7 \n        basis and issues warnings to both federal agencies and the \n        public through the National Cyber Alert System when cyber \n        attacks occur.\n\n           EINSTEIN--The EINSTEIN program is an intrusion detection \n        system that US-CERT uses to monitor the federal civilian \n        network connections for unauthorized traffic.\n\n        <bullet>  National Cyber Response Coordination Group\n           The National Cyber Response Coordination Group (NCRCG), \n        composed of US-CERT and the cybersecurity groups of DOD, \n        Federal Bureau of Investigation (FBI), NSA, and the \n        intelligence community, coordinates the federal response to a \n        cyber attack. Once an attack is detected, a warning is issued \n        through the NCRCG to all federal agencies and the public.\n\n        <bullet>  Cyber Storm\n           Cyber Storm is a biennial cybersecurity exercise that allows \n        participants to assess their ability to prepare for, protect \n        from, and respond to cyber attacks that are occurring on a \n        large scale and in real time. Cyber Storm exercises have taken \n        place in 2006 and 2008, with five countries, 18 federal \n        agencies, nine U.S. states, and over 40 private sector \n        companies.\n\n        <bullet>  Software Assurance Program\n           The Software Assurance Program maintains a clearinghouse of \n        information gathered from federal and private industry \n        cybersecurity efforts, as well as university research, for \n        public use. 
The Program has established Working Groups focused \n        on specific software areas and holds regular forums to help \n        encourage collaboration.\n\nNational Cyber Security Center\n\n    The National Cyber Security Center (NCSC) was created in 2008 to \nact as a coordinating group for consolidating, assessing and \ndisseminating information on cyber attacks and vulnerabilities gathered \nfrom the cybersecurity efforts of DOD, DHS, NSA, FBI, and the \nintelligence community. By collecting information from all of these \ndepartments, the NCSC was established to provide a single source of \ncritical cybersecurity information for all public and private \nstakeholders. Funding for NCSC in FY 2010 is $4 million.\n\nCyber Security Research and Development Center\n\n    Cybersecurity research within DHS is planned, managed, and \ncoordinated through the Science and Technology Directorate's Cyber \nSecurity Research and Development Center. This center supports the \nresearch efforts of the Homeland Security Advanced Research Projects \nAgency (HSARPA), coordinates the testing and evaluation of \ntechnologies, and manages technology transfer efforts. The FY 2010 \nbudget includes $37.2 million for cybersecurity R&D at DHS; this is an \nincrease of $6.6 million over FY 2009.\n\nNational Institute of Standards and Technology\n\n    NIST is tasked with protecting the federal information technology \nnetwork by developing and promulgating cybersecurity standards for \nfederal civilian network systems (Federal Information Processing \nStandard [FIPS]), identifying methods for assessing effectiveness of \nsecurity requirements, conducting tests to validate security in \ninformation systems, and conducting outreach exercises. These tasks \nwere appointed to NIST in the Computer Security Act of 1987. In the \nFederal Information Security Management Act of 2002, OMB was tasked to \ndevelop implementation plans and enforce the use of the FIPS developed \nby NIST. 
Cybersecurity activities are conducted through NIST's \nInformation Technology Laboratory which has a budget request of $72 \nmillion for FY 2010, including $15 million in support of the CNCI and \n$29 million for CSIA R&D.\n\nComputer Security Division\n\n    The Computer Security Division (CSD) within the Information \nTechnology Laboratory houses the cybersecurity activities of NIST and \nis divided into four groups.\n\n        <bullet>  Security Technology\n           The Security Technology group focuses on cryptography and \n        online identity authentication. These areas enable federal \n        civilian network system users to access information both in the \n        office and remotely in a secure manner using technologies such \n        as: cryptographic protocols and interfaces, public key \n        certificate management, biometrics, and smart tokens.\n\n        <bullet>  Systems and Network Security\n           The Systems and Network Security group maintains a number of \n        databases and checklists that are designed to assist public and \n        private network users in configuration of more secure systems. \n        The group also conducts research in all areas of network \n        security technology to develop new standards and transfer \n        technologies to the public.\n\n                 National Checklist Program--This program helps develop \n                and maintain checklists to guide network users to \n                configure network systems with basic security settings.\n\n                 National Vulnerability Database--This database \n                contains information on known vulnerabilities in \n                software and fixes for these vulnerabilities.\n\n                 Federal Desktop Core Configuration--This program \n                supplies security configurations for all federal \n                civilian network systems using either Microsoft Windows \n                XP or Vista. 
By supplying a standard configuration, \n                this program enables security professionals to default \n                to a known secure configuration for all new desktop \n                computers and when experiencing a cyber attack.\n\n        <bullet>  Security Management and Assistance\n           This group extends information security training, awareness \n        and education programs to both public and private parties.\n\n                 Federal Agency Security Practices (FASP)--This web \n                site provides information on cybersecurity best \n                practices for public, private, and academia use. It \n                contains implementation guides for education programs \n                and a contact list of FASP staff for consultation.\n\n                 Information Security and Privacy Advisory Board \n                (ISPAB)--This board advises NIST, the Secretary of \n                Commerce, and OMB on information security and privacy \n                issues pertaining to federal civilian network systems. \n                They also review proposed standards and guidelines \n                developed by NIST.\n\n                 Small Business Corner--This program provides workshops \n                for small business owners to learn how to secure \n                business information on small networks in a practical \n                and cost-effective manner.\n\n        <bullet>  Security Testing and Metrics\n           The Security Testing and Metrics group develops methods and \n        baselines to test security products and validate products for \n        government use.\n\nNational Science Foundation\n\n    NSF's cybersecurity research activities are primarily funded \nthrough the Directorate for Computer & Information Science & \nEngineering (CISE). 
CISE supports cybersecurity R&D through a targeted \nprogram, Trustworthy Computing, as well as through a number of its core \nactivities in Computer Systems Research, Computing Research \nInfrastructure, and Network and Science Engineering. The cybersecurity \nportfolio supports both theoretical and experimental research. NSF \ncybersecurity research and education activities are funded at $127 \nmillion for FY 2010.\n\n        <bullet>  Trustworthy Computing Program\n           The Trustworthy Computing program, funded at $67 million for \n        FY 2010, is an outgrowth of NSF's Cyber Trust program, which \n        was developed in response to the Cybersecurity R&D Act of 2003. \n        The program supports research into new models, algorithms, and \n        theories for analyzing the security of computer systems and \n        data components. It also supports investigation into new \n        security architectures; methodologies that promote usability in \n        conjunction with protection; and new tools for the evaluation \n        of system confidence and security.\n\n        <bullet>  Scholarship for Service\n           In addition to its basic research activities, NSF's \n        Directorate for Education & Human Resources (EHR) manages the \n        Scholarship for Service program which provides funding to \n        colleges and universities for the award of two-year \n        scholarships in information assurance and computer security \n        fields. Scholarship recipients are required to work for two \n        years in the Federal Government, upon completion of their \n        degree. 
EHR also supports the development of cybersecurity \n        professionals through the Advanced Technological Education \n        (ATE) program, which focuses on the education of technicians \n        for high-technology fields.\n\nDefense Advanced Research Projects Agency\n\n    DARPA is the principal R&D agency of DOD; its mission is to \nidentify and develop high-risk, high-reward technologies of interest to \nthe military. DARPA's cybersecurity activities are conducted primarily \nthrough the Strategic Technology Office and the Information Assurance \nand Survivability project, which is tasked with developing technologies \nthat make emerging information systems such as wireless and mobile \nsystems secure. The budget request for the Information Assurance and \nSurvivability project is $113.6 million in FY 2010.\n\n        <bullet>  Intrinsically Assured Mobile Ad-Hoc Network\n           The Intrinsically Assured Mobile Ad-Hoc Network (IAMANET) \n        program is tasked with designing a tactical wireless network \n        that is secure and resilient to a broad range of threats, \n        including cyber attacks, electronic warfare and malicious \n        insiders. The budget request for IAMANET is $14.5 million.\n\n        <bullet>  Trustworthy Systems & TrUST\n           The goal of the Trustworthy Systems program, with a budget \n        request of $11.1 million, is to provide foundational \n        trustworthy computer platforms for Defense Department systems. \n        DARPA is also examining potential supply chain vulnerabilities \n        in the Trusted, Uncompromised Semiconductor Technology program \n        (TrUST) by developing methods to determine whether a microchip \n        manufactured through a process that is inherently ``untrusted'' \n        (i.e., not under our control) can be ``trusted'' to perform \n        just the design operations and no more. 
The budget request for \n        TrUST is $33.5 million.\n\n        <bullet>  National Cyber Range\n           The goal of the National Cyber Range (NCR) is to provide a \n        revolutionary environment for research organizations to test \n        the security of information systems. The budget request for \n        the NCR is $50 million for FY 2010.\n\n    Chairman Wu. This hearing will now come to order. Welcome \neveryone to this afternoon's hearing on the Administration's \nCyberspace Policy Review. This is the second of three hearings \nthe Science and Technology Committee is holding on \ncybersecurity. Last week the Research and Science Education \nSubcommittee held a hearing on the research needs for improved \ncybersecurity, and next week my Technology and Innovation \nSubcommittee will hold a hearing on the cybersecurity \nactivities of the National Institute of Standards and \nTechnology (NIST) and the Department of Homeland Security \n(DHS).\n    I have been long concerned by the lack of attention given \nto cybersecurity by the Federal Government and by the private \nsector. Previously, federal efforts were output oriented--\nfocused on things like the number of programs, funds spent, or \nnumbers of interagency working groups--rather than outcome \ndriven. I am pleased that the new Administration has made \ncybersecurity a top priority and is focusing efforts on \nachieving outcomes such as fewer breaches of federal systems, \nfewer cases of identity theft, and the security of smart grid \nsystems and health IT systems.\n    In order to achieve these very, very important results, it \nis essential to first conduct a review of our federal \ncybersecurity structure and efforts. The Administration's \ncyberspace review does not make any brand new recommendations. \nHowever, it is valuable as a frank assessment of current \nfederal activities and a roadmap for what needs to be fixed. 
In \ngeneral, the recommendations suggest improving interagency \ncoordination and coordination with the private sector, \nmodernizing the research agenda, and enhancing public education \non cybersecurity.\n    By addressing each of these recommendations we are laying \nthe building blocks for our new, outcomes-based approach to \nfederal cybersecurity. The four agencies appearing before the \nCommittee today have a significant role to play in creating \nthat foundation. During today's hearing, I hope to learn how \neach agency intends to improve its current cybersecurity \nefforts in response to the Administration's review. This \ninformation will help guide the Committee's ongoing efforts to \nprotect our nation's data, computer systems and its citizens.\n    [The prepared statement of Chairman Wu follows:]\n                Prepared Statement of Chairman David Wu\n    I want to welcome everyone to this morning's hearing on the \nadministration's cyberspace policy review. This is the second of three \nhearings the Science and Technology Committee is holding on \ncybersecurity. Last week the Research and Science Education \nSubcommittee held a hearing on the research needs for improved \ncybersecurity, and next week my Technology and Innovation Subcommittee \nwill hold a hearing on the cybersecurity activities at the National \nInstitute of Standards and Technology and the Department of Homeland \nSecurity.\n    I have long been concerned by the lack of attention given to \ncybersecurity by the Federal Government. Previously, federal efforts \nwere output oriented--focused on things like the number of programs, \nfunds spent, or numbers of interagency working groups--rather than \noutcome driven. 
I am pleased that the new Administration has made \ncybersecurity a top priority and is focusing efforts on achieving \noutcomes such as fewer breaches of federal systems, fewer cases of \nidentity theft, and the security of smart grid systems and health IT \nsystems.\n    In order to achieve those important results, it was essential to \nfirst conduct a review of our federal cybersecurity structure. The \nAdministration's cyberspace review does not make any brand new \nrecommendations. However, it is valuable as a frank assessment of \ncurrent federal activities and a roadmap for what needs to be fixed. In \ngeneral, the recommendations suggest improving interagency coordination \nand coordination with the private sector, modernizing the research \nagenda, and enhancing public education on cybersecurity.\n    By addressing each of these recommendations we are laying the \nbuilding blocks for our new, outcomes-based approach to federal \ncybersecurity. The four agencies appearing before the Committee today \nhave a significant role to play in creating that foundation. During \ntoday's hearing, I hope to learn how each agency intends to improve \ntheir current cybersecurity efforts in response to the Administration's \nreview. This information will help guide the Committee's ongoing \nefforts to protect our nation's data and citizens.\n\n    Chairman Wu. I want to thank our witnesses for appearing \nbefore us today, and now I would like to recognize \nRepresentative Smith for his opening statement.\n    Mr. Smith. Thank you, Chairman Wu, and thank you for \nholding this hearing today to review the Administration's \nefforts to strengthen cybersecurity as outlined specifically in \nthe White House's recently released Cyberspace Policy Review. 
\nWhile federal efforts to increase network security date back \nseveral years, they were brought to the forefront in early 2008 \nwhen President Bush formally established the Comprehensive \nNational Cyber Security Initiative to deal with widespread and \nsuccessful cyber attacks on federal networks. President Obama \nhas committed to fully continue this effort under his \nAdministration and emphasized its importance in a recent \nspeech.\n    It seems the continuity across the Bush and Obama \nAdministrations, as well as the increased attention being given \nto this issue in Congress, provides an indication of a small but \nimportant advantage over where we were just a couple of years \nago. Awareness of this problem and the need for action is now \nnearly universal. There is broad agreement on the seriousness \nand magnitude of our cybersecurity vulnerabilities and the \ncomplexity of the technical and policy changes that must be \naddressed to overcome them.\n    However, while there is a consensus on the problem, we are \nstill at the earliest stages of identifying and implementing \nsolutions, and we are working through relatively uncharted \npolicy territory as we do so. Accordingly, I hope both Congress \nand the Administration will work to balance the pressure to act \nquickly and aggressively on cybersecurity with the need for \nthorough and deliberate consideration of all possible courses \nof action.\n    To this end, as we hold these hearings and consider \nlegislative options later this summer, I hope to focus on three \nbroad areas of cybersecurity policy: (1) R&D. Are we investing \nenough in R&D given its importance as the primary driver of \nincreasing security over the long-term? (2) DHS-led efforts to \nsecure the dot-gov domain. Are we confident that the reported \n$30 billion price tag of this initiative is appropriately \nfocused, and is its centerpiece program EINSTEIN going to \nprovide effective and lasting security? 
And (3) private sector \ncritical infrastructure. What is the best approach to improving \nthe security of these networks? Do new regulations or liability \nprotections make sense or could they be counterproductive to \nour security goals?\n    I hope today's hearing will serve to begin the process of \nanswering these questions. I thank the witnesses for being \nhere, and I certainly look forward to a productive discussion. \nI yield back.\n    [The prepared statement of Mr. Smith follows:]\n           Prepared Statement of Representative Adrian Smith\n    Mr. Chairman, thank you for holding this hearing today to review \nthe Administration's efforts to strengthen cybersecurity, as outlined \nspecifically in the White House's recently released Cyberspace Policy \nReview.\n    While federal efforts to increase network security date back \nseveral years, they were brought to the forefront in early 2008, when \nPresident Bush formally established the Comprehensive National \nCybersecurity Initiative to deal with widespread and successful \ncyberattacks on federal networks. President Obama has committed to \nfully continue this effort under his administration and emphasized its \nimportance in a recent speech.\n    It seems this continuity across the Bush and Obama \nAdministrations--as well as the increased attention being given to this \nissue in Congress--provides an indication of a small but important \nadvantage over where we were just a couple of years ago: awareness of \nthis problem and the need for action is now nearly universal. There is \nbroad agreement on the seriousness and magnitude of our cybersecurity \nvulnerabilities, and the complexity of the technical and policy \nchallenges that must be addressed to overcome them.\n    However, while there is a consensus on the problem, we are still at \nthe earliest stages of identifying and implementing solutions, and \nwe're working through relatively uncharted policy territory as we do \nso. 
Accordingly, I hope both Congress and the Administration will work \nto balance the pressure to act quickly and aggressively on \ncybersecurity with the need for thorough and deliberate consideration \nof all possible courses of action.\n    To this end, as we hold these hearings and consider legislative \noptions later this summer, I hope to focus on three broad areas of \ncybersecurity policy: (1) R&D--Are we investing enough in R&D given its \nimportance as the primary driver of increasing security over the long-\nterm?; (2) DHS-led efforts to secure the dot-gov domain--are we \nconfident that the reported $30 billion price tag of this initiative is \nappropriately focused, and is its centerpiece program EINSTEIN going to \nprovide effective and lasting security?; and (3) private sector \ncritical infrastructure--what is the best approach to improving the \nsecurity of these networks--do new regulations or liability protections \nmake sense, or could they be counterproductive to our security goals?\n    I hope today's hearing will serve to begin the process of answering \nthese questions. I thank the witnesses for being here and I look \nforward to a productive discussion.\n\n    Chairman Wu. Thank you very much, Mr. Smith. And now I \nwould like to recognize Representative Lipinski, Chairman of \nthe Research Subcommittee, for his opening statement.\n    Chairman Lipinski. Good afternoon. I would like to thank \nChairman Wu for joining me in holding this hearing. I look \nforward to working with him and other Members of this committee \non the critical issue of cybersecurity.\n    Last week my Research and Science Education Subcommittee \nheld a hearing on the state of cybersecurity R&D, and several \nof our witnesses emphasized the need for better partnerships \nand information sharing between the Federal Government and the \nprivate sector. 
We also discussed the challenges facing \nincentivizing agencies, companies, and individuals, especially \nthose that don't face an immediate or obvious threat to adopt \nestablished best practices and to disclose breaches in \nsecurity, and the expert panel echoed recent reports regarding \nconcerns over lack of prioritization in the federal R&D \nportfolio.\n    One additional issue we discussed in last week's hearing \nwas the importance of education. The panel emphasized that our \nIT workforce needs to be taught the skills necessary to \nincorporate security into software and systems from the \nbeginning. But IT professionals are not the only ones who need \nto be better educated. The panel agreed that increasing the \npublic's awareness of the risks and consequences of poor \nsecurity practices is also essential. People are the \nbeneficiaries of IT but also the weakest link in IT security, \nand computer scientists need to team with social scientists to \ngain a better understanding of how humans interact with and \nutilize technology.\n    We need a cultural change in the ways that Americans \npractice their computer hygiene.\n    Now, today I look forward to hearing from our witnesses \nabout their agency's responses to the cyberspace policy review. \nAs I said, this is a critical issue, and I am very happy that \nthe Administration has focused in on it and we are doing so \nhere on the Committee.\n    A secure and resilient cyberspace is vital not only for the \nFederal Government, but for businesses large and small and for \nevery single American. This goal can only be realized through \nour combined efforts and a multi-disciplinary approach to the \nproblem. So all of our witnesses and their agencies will play a \nkey role in maintaining this vital cyberspace. 
I want to thank \nthe witnesses for taking the time to appear before us this \nafternoon, and I look forward to your testimony.\n    [The prepared statement of Chairman Lipinski follows:]\n             Prepared Statement of Chairman Daniel Lipinski\n    Good afternoon. I'd like to thank Chairman Wu for joining me in \nholding this hearing, and I look forward to working with him on this \ncritical issue of cybersecurity.\n    Last week, my Research & Science Education Subcommittee held a \nhearing on the state of cybersecurity R&D. Several of our witnesses \nemphasized the need for better partnerships and information sharing \nbetween the Federal Government and the private sector. We also \ndiscussed the challenges faced in incentivizing agencies, companies, \nand individuals--especially those that don't face an immediate or \nobvious threat--to adopt established best practices and to disclose \nbreaches in security. And the expert panel echoed recent reports \nregarding concerns over a lack of prioritization in the federal R&D \nportfolio.\n    One additional issue we discussed in last week's hearing was the \nimportance of education. The panel emphasized that our IT workforce \nneeds to be taught the skills necessary to incorporate security into \nsoftware and systems from the beginning. But IT professionals are not \nthe only ones who need to be better educated. The panel agreed that \nincreasing the public's awareness of the risks and consequences of poor \nsecurity practices is also essential. People are the beneficiaries of \nIT but also the weakest link in IT security, and computer scientists \nneed to team with social scientists to gain a better understanding of \nhow humans interact with and utilize technology. We need a ``cultural \nchange'' in the ways that Americans practice ``computer hygiene.''\n    I look forward to hearing from our witnesses today about their \nagencies' responses to the Cyberspace Policy Review. 
As I said, this is \na critical issue. A secure and resilient cyberspace is vital not only \nfor the Federal Government, but for businesses--large and small--and \nfor every single American. This goal can only be realized through our \ncombined efforts, and a multi-disciplinary approach to the problem. So \nall of you and your agencies will play a key role in maintaining a \nvital cyberspace.\n    I want to thank the witnesses for taking the time to appear before \nus this afternoon and I look forward to your testimony.\n\n    Chairman Wu. Thank you, Chairman Lipinski. And now I would \nlike to recognize Mr. Ehlers for his opening statement, the \nRanking Member of the Research Subcommittee.\n    Mr. Ehlers. Thank you, Mr. Chairman. As the last and \nprobably least, I will try to keep my comments very short.\n    The security of our information is vitally important to all \nFederal Government entities and that includes the House of \nRepresentatives. Many of my colleagues are aware that our own \nnetworks are targeted daily by people and governments who would \nlike to do harm to us, our government, or to find out personal \ninformation that has been provided to us by our constituents or \nother friends in other countries.\n    It takes strategic planning and organization to avoid and \naddress these attacks. When considering the impacts of \ninformation security on policy development related to \nelectronic health records, national defense and technology \ndevelopment, for example, it quickly becomes obvious how \nimportant trusted networks are to the public and to \nlegislators.\n    All of the federal agencies testifying at the witness table \ntoday play a critical role in protecting the security of our \nsystems while maintaining the necessary freedom to exchange \nunfettered communication.\n    I look forward to your comments on how the agencies are \nadvancing the national cybersecurity efforts, and I expect to \nlearn a great deal from each one of you today. 
Thank you very \nmuch.\n    [The prepared statement of Mr. Ehlers follows:]\n         Prepared Statement of Representative Vernon J. Ehlers\n    The security of our information is vitally important to all Federal \nGovernment entities, including the House of Representatives. Many of my \ncolleagues are aware that our own networks are targeted daily by people \nwho would like to do harm to our government, and it takes strategic \nplanning and organization to avoid and address these attacks. When \nconsidering the impacts of information security on policy development \nrelated to electronic health records, national defense, and technology \ndevelopment, for example, it quickly becomes obvious how important \ntrusted networks are to the public and to legislators.\n    All of the federal agencies testifying at the witness table today \nplay a critical role in protecting the security of our systems while \nmaintaining the necessary freedom to exchange unfettered communication. \nI look forward to their comments on how the agencies are advancing our \nnational cybersecurity efforts.\n\n    Chairman Wu. Thank you, Dr. Ehlers. If there are other \nMembers who wish to submit opening statements, your statements \nwill be added to the record at this point.\n    [The prepared statement of Mr. Mitchell follows:]\n         Prepared Statement of Representative Harry E. Mitchell\n    Thank you, Mr. 
Chairman.\n    As the world becomes increasingly connected through the Internet, \nit is critical to ensure that we have an effective and secure \ncyberspace policy.\n    Today we will discuss the findings and recommendations of the Obama \nAdministration's 60-day Cyberspace Policy Review.\n    We will also review the response of the Department of Homeland \nSecurity (DHS), the National Institute of Standards and Technology \n(NIST), the National Science Foundation (NSF), and the Defense Advanced \nResearch Projects Agency (DARPA) to the Administration's policy \nreview.\n    I look forward to hearing more from our witnesses on what steps \nneed to be taken to establish a more comprehensive cyberspace policy \nthat will improve our cybersecurity.\n    I yield back.\n\n    Chairman Wu. And now it is my pleasure to introduce our \nwitnesses. Ms. Cita Furlani is the Director of the Information \nTechnology Laboratory at the National Institute of Standards \nand Technology. Dr. Jeannette Wing is the Assistant Director at \nthe Directorate for Computer & Information Science & \nEngineering at the National Science Foundation. Dr. Robert \nLeheny is the Acting Director of the Defense Advanced Research \nProjects Agency, and Dr. Peter Fonash is the Acting Deputy \nAssistant Secretary at the Office of Cyber Security \nCommunications at the U.S. Department of Homeland Security.\n    The witnesses will have five minutes for spoken testimony, \nand your written testimony will be included in the record in \nits entirety. And when you complete your testimony, we will \nbegin with questions. Each Member will have five minutes to \nquestion the panel. Ms. Furlani, please proceed.\n\n    STATEMENT OF MS. CITA M. FURLANI, DIRECTOR, INFORMATION \n  TECHNOLOGY LABORATORY, NATIONAL INSTITUTE OF STANDARDS AND \n         TECHNOLOGY (NIST), U.S. DEPARTMENT OF COMMERCE\n\n    Ms. Furlani. 
Thank you, Chairman Wu and Chairman Lipinski, \nRanking Members Smith and Ehlers, and Members of the \nSubcommittees. I appreciate the opportunity to appear before \nyou today to discuss our role in cybersecurity and our \nperspective on the Administration's Cyberspace Policy Review.\n    Through our work in information technology, NIST \naccelerates the development and deployment of information and \ncommunication systems that are reliable, usable, inter-\noperable, and secure. It advances measurement science through \ninnovations in mathematics, statistics, and computer science \nand conducts research to develop the measurements and standards \ninfrastructure for emerging information technologies and \napplications.\n    Many of our vital programs impact national security, such \nas improving the accuracy and inter-operability of biometrics \nrecognition systems, and facilitating communications among \nfirst responders.\n    Research activities range from innovations in identity \nmanagement and verification, to metrics for complex systems, to \ndevelopment of practical and secure cryptography in a quantum \ncomputing environment, to automation of discovery and \nmaintenance of system security configurations and status, and \nto techniques for specification and automation of access \nauthorization in line with many different kinds of access \npolicies.\n    As you are aware, beginning in the early 1970's, NIST has \ndeveloped standards to support federal agencies' information \nassurance requirements. Through the Federal Information \nSecurity Management Act, or FISMA, Congress again reaffirmed \nNIST's leadership role in developing standards for \ncybersecurity. FISMA provides for the development and \npromulgation of Federal Information Processing Standards, or \nFIPS, that are compulsory and binding for federal computer \nsystems. 
NIST's mission in cybersecurity is to work with \nfederal agencies, industries, and academia to research, develop \nand deploy information security standards and technology to \nprotect information systems against threats to the \nconfidentiality, integrity, and availability of information and \nservices.\n    Consistent with this mission and with the recommendations \nof the President's Cyberspace Policy Review, NIST is actively \nengaged with private industry, academia, non-national security \nfederal departments and agencies, the intelligence community, \nand other elements of the law enforcement and national security \ncommunities in coordination and prioritization of cybersecurity \nresearch, standards development, standards conformance \ndemonstration, and cybersecurity education and outreach.\n    The national security community, a number of state \ngovernments, and major private sector organizations are also \nadopting the risk management framework and cybersecurity \ncontrols designed by NIST for the Federal Government. NIST is \nengaging industry to harmonize product assurance requirements \nto align with industry business models and system development \npractices.\n    We play a leading security role in supply chain risk \nmanagement, health care information technology, the Smart Grid, \nbiometrics and face authentication, next generation voting \nsystems, and cloud computing. We work with the intelligence and \ncounterterrorism communities to facilitate cross sector \ninformation sharing among federal, State and local government \norganizations. 
We team with the Department of Justice and the \nSmall Business Administration in extending cybersecurity \neducation and training beyond the Federal Government into the \nprivate sector.\n    For the first time, and as part of the ongoing initiative \nto develop a unified information security framework for the \nFederal Government and its contractors, NIST has included \nsecurity controls in its catalog for both national security and \nnon-national security systems. The updated security control \ncatalog incorporates best practices in information security \nfrom the United States Department of Defense, the intelligence \ncommunity, and civil agencies to produce the most broad-based \nand comprehensive set of safeguards and countermeasures ever \ndeveloped for information systems.\n    Under the provisions of the National Technology Transfer \nand Advancement Act, NIST is also tasked with the key role of \nencouraging and coordinating federal agency development and use \nof voluntary consensus standards and coordinating the public-\nprivate sector development of standards and conformity \nassessment activities through consensus standards \norganizations. NIST will continue to conduct the research \nnecessary to enable and provide cybersecurity specifications, \nstandards, assurance processes, training, and technical \nexpertise needed for securing the U.S. Government and critical \ninfrastructure information systems to mitigate the growing \nthreat. NIST will continue to closely coordinate with domestic \nand international private sector cybersecurity programs and \nnational security organizations.\n    Thank you for the opportunity to testify today on NIST's \nwork in the cybersecurity arena and our views on the \nPresident's Cyberspace Policy Review. I will be happy to answer \nany questions you may have.\n    [The prepared statement of Ms. Furlani follows:]\n                 Prepared Statement of Cita M. 
Furlani\n\nIntroduction\n\n    Chairmen Wu and Lipinski, Ranking Members Smith and Ehlers, and \nMembers of the Subcommittees, I am Cita Furlani, the Director of the \nInformation Technology Laboratory (ITL) at the Department of Commerce's \nNational Institute of Standards and Technology (NIST). Thank you for \nthe opportunity to appear before you today to discuss our role in \ncybersecurity and our perspective on the Administration's 60 Day \nCyberspace Policy Review.\n    As one of the major research components within NIST, our \ninformation technology work accelerates the development and deployment \nof information and communication systems that are reliable, usable, \ninter-operable, and secure; advances measurement science through \ninnovations in mathematics, statistics, and computer science; and \nconducts research to develop the measurements and standards \ninfrastructure for emerging information technologies and applications. \nNIST accomplishes these goals through collaborative partnerships with \nour customers and stakeholders in industry, government, academia, and \nconsortia. Based on input from these customers and stakeholders, we \nhave focused our R&D agenda on eight broad program areas: complex \nsystems; cyber and network security; enabling scientific discovery; \nidentity management systems; information discovery, use and sharing; \npervasive information technologies; trustworthy information systems; \nand virtual measurement systems.\n    Many of our vital programs impact national security, such as \nimproving the accuracy and inter-operability of biometrics recognition \nsystems and facilitating communications among first responders. 
The \ncombination of our mission and legislation such as the Federal \nInformation Security Management Act (FISMA), the Computer Security \nResearch and Development Act, the USA PATRIOT Act, the Enhanced Border \nSecurity Act, and the Help America Vote Act leads to rich programmatic \ndiversity.\n    As you are aware, beginning in the early 1970s with enactment of \nthe Brooks Act, NIST has developed standards to support federal \nagencies' information assurance requirements for many years. Through \nFISMA, Congress again reaffirmed NIST's leadership role in developing \nstandards for cybersecurity. FISMA provides for the development and \npromulgation of Federal Information Processing Standards (FIPS) that \nare ``compulsory and binding'' for federal computer systems. The \nresponsibility for the development of FIPS rests with NIST, and the \nauthority to promulgate mandatory FIPS is given to the Secretary of \nCommerce. Section 303 of FISMA states that NIST shall:\n\n        <bullet>  have the mission of developing standards, guidelines, \n        and associated methods and techniques for information systems;\n\n        <bullet>  develop standards and guidelines, including minimum \n        requirements, for information systems used or operated by an \n        agency or by a contractor of an agency or other organization on \n        behalf of an agency, other than national security systems; and\n\n        <bullet>  develop standards and guidelines, including minimum \n        requirements, for providing adequate information security for \n        all agency operations and assets, but such standards and \n        guidelines shall not apply to national security systems.\n\n    NIST's mission in cybersecurity is to work with federal agencies, \nindustry, and academia to research, develop and deploy information \nsecurity standards and technology to protect information systems \nagainst threats to the confidentiality, integrity and availability of \ninformation and 
services. Consistent with this mission and with the \nrecommendations of the President's recent 60 Day Cyberspace Policy \nReview, NIST is actively engaged with private industry, academia, non-\nnational security federal departments and agencies, the intelligence \ncommunity, and other elements of the law enforcement and national \nsecurity communities in coordination and prioritization of \ncybersecurity research, standards development, standards conformance \ndemonstration and cybersecurity education and outreach activities. \nResearch activities range from innovations in identity management and \nverification, to metrics for complex systems, to development of \npractical and secure cryptography in a quantum computing environment, \nto automation of discovery and maintenance of system security \nconfigurations and status, to techniques for specification and \nautomation of access authorization in line with many different kinds of \naccess policies.\n    NIST addresses cybersecurity challenges throughout the information \nand communications infrastructure through its cross-community \nengagements. Enabled by Congressional funding increases in 2002 and in \nresponse to FISMA legislation, NIST is responsible for establishing and \nupdating, on a recurring basis, the Federal Government risk management \nframework and cybersecurity controls. The national security community, \na number of State governments and major private sector organizations \nare also adopting the risk management framework and cybersecurity \ncontrols designed by NIST. NIST is engaging industry to harmonize \nproduct assurance requirements to align with industry business models \nand system development practices. NIST is also playing a leading \nsecurity role in supply chain risk management, health care information \ntechnology (HCIT), the Smart Grid, biometrics/face authentication, next \ngeneration voting systems, and cloud computing. 
NIST is working with \nthe intelligence and counterterrorism communities to facilitate cross \nsector information sharing among Federal, State and local government \norganizations. NIST teams with the Department of Justice and the Small \nBusiness Administration in extending cybersecurity education and \ntraining beyond the Federal Government into the private sector.\n    Recognizing the importance of security-related standards beyond the \nFederal Government, NIST leads national and international consensus \nstandards activities in cryptography, biometrics, electronic \ncredentialing, secure network protocols, software and systems \nreliability, and security conformance testing.\n    Under the provisions of the National Technology Transfer and \nAdvancement Act (P.L. 104-113) and OMB Circular A-119, NIST is tasked \nwith the key role of encouraging and coordinating federal agency use of \nvoluntary consensus standards and participation in the development of \nrelevant standards, as well as promoting coordination between the \npublic and private sectors in the development of standards and in \nconformity assessment activities. 
NIST works with other agencies to \ncoordinate standards issues and priorities with the private sector \nthrough consensus standards organizations such as the American National \nStandards Institute (ANSI), the International Organization for \nStandardization (ISO), the Institute of Electrical and Electronics \nEngineers (IEEE), the Internet Engineering Task Force (IETF), and the \nInternational Telecommunication Union (ITU).\n    Key contributions NIST has made include:\n\n        <bullet>  Development of the current federal cryptographic and \n        cybersecurity assurance standards that have been adopted by \n        many State governments, national governments, and much of \n        industry;\n\n        <bullet>  Development of the identity credentialing and \n        management standard for federal employees and contractors (also \n        becoming the de facto national standard);\n\n        <bullet>  Development of the standard and conformance test \n        capability for inter-operable multi-vendor fingerprint minutiae \n        capture and verification;\n\n        <bullet>  Development and demonstration of quantum key \n        distribution;\n\n        <bullet>  Establishment of a national cyber vulnerability \n        database; and\n\n        <bullet>  Establishment and oversight of an international \n        cryptographic algorithm and module validation program. (This \n        Cryptographic Module Validation Program (CMVP) achieved a \n        significant milestone on August 15, 2008, by issuing the \n        program's 1,000th certificate.)\n\n    NIST hosts the Information Security Automation Program (ISAP), \nwhich formalizes and advances efforts to enable the automation and \nstandardization of technical security operations, including automated \nvulnerability management and policy compliance evaluations. 
The NIST \nNational Vulnerability Database (NVD) is the United States Government \nrepository of standards-based vulnerability management reference data. \nThe NVD makes available information on vulnerabilities, impact \nmeasurements, detection techniques, and remediation assistance. It \nprovides reference data that enable the ISAP's security automation \ncapabilities. NIST's security automation program is based on the NIST \nSecurity Checklist program and the Security Content Automation Protocol \n(SCAP) activity. The SCAP Validation Program performs conformance \ntesting to ensure that products correctly implement SCAP. NVD also \nplays a pivotal role in the Payment Card Industry (PCI) in their \nefforts to mitigate vulnerabilities in credit card systems. The PCI has \nmandated that NVD's vulnerability severity scores be used for measuring \nthe risk to payment card servers world-wide and for determining which \nvulnerabilities must be fixed.\n    Included in the scope of NIST cybersecurity activities are the \nusability of systems such as voting machines and software interfaces; \nresearch in mathematical foundations to determine the security of \ninformation systems; the National Software Reference Library, computer \nforensics tool testing, software assurance metrics, tools, and \nevaluation; approaches to balancing safety, security, reliability, and \nperformance in SCADA and other Industrial Control Systems used in \nmanufacturing and other critical infrastructure industries; \ntechnologies for detection of anomalous behavior, quarantines; \nstandards, modeling, and measurement to achieve end-to-end security \nover heterogeneous, multi-domain networks; biometrics evaluation, \nusability, and standards (fingerprint, face, iris, voice/speaker, \nmulti-modal biometrics) and initiating an international competition for \na next generation Secure Hash Algorithm (SHA-3). 
NIST and the National \nScience Foundation are co-funding a workshop in July on usability \nissues associated with security. Among the topics to be investigated \nare methods to inform individual users of actions they take that could \nimperil their systems while also providing informative justifications, \nmethods and tools to assist administrators of systems in the \nconfiguration of their systems to provide secure operation, and \nforensic tools to help administrators deal with the aftermath of \nattacks.\n    Recognizing the value of interagency coordination of research as \nwell as of standards development, NIST actively contributes to the \nNetworking and Information Technology Research and Development (NITRD) \nprogram and the development of the NITRD five-year strategic plan. \nWithin the past year, as provided in the America COMPETES Act (P.L. \n110-69), the NITRD Program has assumed expanded responsibilities for \ncoordination of federal cyber R&D and NIST is well represented in, and \nleverages, these activities. In addition, NIST collaborates with \nacademia, e.g., individual institutions such as Purdue, and consortia, \nsuch as the Institute for Information Infrastructure Protection (or \nI3P).\n    NIST works with other members of the Cyber Security and Information \nAssurance Interagency Working Group in establishing priorities for \nresearch and development to prevent, resist, detect, respond to, and/or \nrecover from actions that compromise or threaten to compromise the \navailability, integrity, or confidentiality of computer- and network-\nbased systems. These systems provide both the basic infrastructure and \nadvanced communications in every sector of the economy, including \ncritical infrastructures such as power grids, emergency communications \nsystems, financial systems, and air-traffic-control networks. 
These \nsystems also support national defense, national and homeland security, \nand other vital federal missions, and themselves constitute critical \nelements of the IT infrastructure. Broad areas of concern which NIST \nresearch addresses include Internet and network security; \nconfidentiality, availability, and integrity of information and \ncomputer-based systems; new approaches to achieving hardware and \nsoftware security; testing and assessment of computer-based systems \nsecurity; and reconstitution and recovery of computer-based systems and \ndata.\n\n60-Day Cyberspace Policy Review\n\n    We concur in the findings of the 60-Day Cyber Review relative to \nthe increasingly serious and pervasive threat posed by breaches of--or \nthreats to--our cyber systems, and relative to the need to strengthen \nthe capability of the Executive Office of the President to coordinate \nthe Federal Government's response to that threat. We also concur in the \nreport's observation that it is our total national information \ninfrastructure, not just the federal information infrastructure, that \nis faced with the aforementioned threat. We agree that a coordinated \nresponse is necessary to prevent catastrophic consequences for those \ncritical infrastructures which integrate information systems into their \noperations.\n    While agreeing that it is necessary to integrate the responses of \nnational security organizations and those of federal organizations that \ndo not have a primarily national security mission, we observe that the \nintelligence community, the other elements of the national security \ncommunity, and NIST are, in response to the Federal Information \nSecurity Management Act of 2002, actively coordinating their standards \nand processes for cybersecurity. 
This effort is producing a single set \nof requirements, rather than the past's three independent sets of \nrequirements (Intelligence community, national security systems and \nNIST) for consumers and providers of information processing and \ninterchange resources.\n    On June 3rd, NIST announced the release of the final public draft \nof Special Publication 800-53, Revision 3, Recommended Security \nControls for Federal Information Systems and Organizations. The final \npublic draft of Special Publication 800-53, Revision 3, is historic in \nnature.\n    For the first time, and as part of the ongoing initiative to \ndevelop a unified information security framework for the Federal \nGovernment and its contractors, NIST has included security controls in \nits catalog for both national security and non-national security \nsystems. The updated security control catalog incorporates best \npractices in information security from the United States Department of \nDefense, Intelligence Community, and civil agencies, to produce the \nmost broad-based and comprehensive set of safeguards and \ncountermeasures ever developed for information systems.\n    We are encouraged to observe that the 60-Day Cyberspace Policy \nReview recognizes that cybersecurity strategies and solutions must be \nstructured in a manner that accommodates commerce, economic growth, \nscientific collaboration, and individual liberties. The report reflects \nthe notion that we are not looking for ``lockdown solutions'' that \nachieve security at the expense of robust commerce, essential services \nor civil liberties.\n    Recognizing the economic impact of cyberspace, NIST is working to \nprovide measurement techniques to facilitate offsetting the cost of \nboth public sector and private sector security solutions by decreases \nin losses or cost of insurance or increases in business due to \nincreases in trust. 
Meeting the cyber threat to our national \ninfrastructure would be accelerated by both the public and private \nsectors if new measurement techniques can demonstrate that increased \nsecurity is good business sense. We note that not all of these measures \nneed to be technical or regulatory in nature. Some simple, relatively \ninexpensive, procedural steps can have a materially positive effect on \nsecurity. One example is the financial sector's having introduced a \ndelay into the conversion of electronically transferred funds into \ntangible assets, a delay sufficient to permit invocation of fraud \ndetection processes.\n    We were particularly encouraged by the report's recognition of the \nrole of international standards in protecting our information \ninfrastructure. Our infrastructure is inextricably integrated into a \ncomplex of global networks. NIST's role in documentary standards has \nlong been established in law and executive direction. We are actively \nworking with our sister agencies on improving our common understanding \nof how we can collectively participate, in cooperation with the private \nsector, in fostering international standards and protocols that are \nconducive to a free and safe information processing and interchange \nenvironment.\n    NIST and the National Telecommunications and Information \nAdministration (NTIA) are working with the Internet Corporation for \nAssigned Names and Numbers (ICANN) and VeriSign on an initiative to \nenhance the security and stability of the Internet. The parties are \nworking on an interim approach to deployment, by year's end, of a \nsecurity technology--Domain Name System Security Extensions (DNSSEC)--\nat the authoritative root zone (i.e., the address book) of the \nInternet. There will be further consultations with the Internet \ntechnical community as the testing and implementation plans are \ndeveloped. 
In collaboration with the Department of Homeland Security \nScience and Technology Directorate, NIST has been an active participant \nwithin the international community in developing the DNSSEC protocols \nand has collaborated with various U.S. agencies in deploying DNSSEC \nwithin the .gov domain.\n    We, at NIST and the larger Department of Commerce, recognize \nthat we have an essential role to play in realizing the vision set \nforth in the 60-Day Cyberspace Policy Review. We look forward to \nworking with our Federal Government partners, with our private sector \ncollaborators, and with our international colleagues to establish a \ncomprehensive set of technical solutions, standards, guidelines, and \nprocedural measures necessary to realize this vision.\n\nConclusion\n\n    NIST will continue to conduct the research necessary to enable and \nto provide cybersecurity specifications, standards, assurance \nprocesses, training and technical expertise needed for securing the \nU.S. Government and critical infrastructure information systems to \nmitigate the growing threat. NIST will continue to closely coordinate \nwith domestic and international private sector cybersecurity programs \nand national security organizations. Finally, consistent with the NIST \nThree-Year Planning Report, NIST plans to expand its focus on \ncybersecurity challenges associated with health care IT, the Smart \nGrid, automation of federal systems security conformance and status \ndetermination, and cybersecurity leap-ahead research.\n    Thank you for the opportunity to testify today on NIST's work in \nthe cybersecurity arena and our views on the President's 60-Day \nCyberspace Policy Review. I would be happy to answer any questions you \nmay have.\n\n                     Biography for Cita M. Furlani\n    Cita M. Furlani is Director of the Information Technology \nLaboratory (ITL). 
ITL is one of nine research Laboratories within the \nNational Institute of Standards and Technology (NIST) with an annual \nbudget of $85 million, 335 employees, and about 150 guest researchers \nfrom industry, universities, and foreign laboratories.\n    Furlani oversees a research program designed to promote U.S. \ninnovation and industrial competitiveness by advancing measurement \nscience, standards, and technology through research and development in \ninformation technology, mathematics, and statistics. Through its \nefforts, ITL seeks to enhance productivity and public safety, \nfacilitate trade, and improve the quality of life.\n    Furlani has several leadership responsibilities in addition to \nthose at NIST. Currently, she is Co-Chair of the Interagency Working \nGroup on Digital Data, Co-Chair of the Subcommittee on Quantum \nInformation Science, and Co-Chair for Strategic Planning for the \nSubcommittee on Networking and Information Technology Research and \nDevelopment, all under the auspices of the National Science and \nTechnology Council. She also serves as Co-Chair of the Technology \nInfrastructure Subcommittee of the Interagency CIO Council.\n    Furlani has served as the Chief Information Officer (CIO) for NIST. \nAs CIO, Furlani was the principal adviser to the NIST Director on the \nplanning, execution, evaluation, and delivery of information technology \nservices and support.\n    Furlani also served as Director of the National Coordination Office \nfor Networking and Information Technology Research and Development. \nThis office, reporting to the White House through the Office of Science \nand Technology Policy and the National Science and Technology Council, \ncoordinates the planning, budget, and assessment activities for the 12-\nagency Networking and Information Technology R&D Program.\n    Previously, Furlani was Director of the Information Technology and \nElectronics Office within the Advanced Technology Program (ATP) at \nNIST. 
Before joining ATP, Furlani served as Chief of the Office of \nEnterprise Integration, ITL, NIST, coordinating Department of Commerce \nactivities in the area of enterprise integration. Furlani also served \nas special assistant to the NIST Director in the Director's role as \nChair of the Committee on Applications and Technology of the \nAdministration's Information Infrastructure Task Force. Previously, \nFurlani was on detail as technical staff to the Director of NIST in the \nposition of Senior Program Analyst. Prior to August 1992, she managed \nresearch and development programs within the NIST Manufacturing \nEngineering Laboratory, applying information technology to \nmanufacturing since 1981.\n    She earned a Master of Science degree in electronics and computer \nengineering from George Mason University and a Bachelor of Arts degree \nin physics and mathematics from Texas Christian University. She was \nawarded two Department of Commerce Bronze Medal Awards in 1985 and 1993 \nand the Department of Commerce Silver Medal Award, in 1995.\n\n    Chairman Wu. Thank you, Ms. Furlani. Dr. Wing, please \nproceed.\n\n    STATEMENT OF DR. JEANNETTE M. WING, ASSISTANT DIRECTOR, \n COMPUTER AND INFORMATION SCIENCE AND ENGINEERING DIRECTORATE, \n               NATIONAL SCIENCE FOUNDATION (NSF)\n\n    Dr. Wing. Thank you very much. Good afternoon, Chairman Wu \nand Chairman Lipinski, Ranking Members Smith and Ehlers, and \nMembers of the Subcommittees. I am Jeannette Wing, and I am the \nAssistant Director of the Computer and Information Science and \nEngineering Directorate at the National Science Foundation.\n    I am delighted to have the opportunity to speak with you \ntoday about NSF's support for cybersecurity research at the \nfrontiers of knowledge, investments that capitalize on the \nintellectual capacity of the best and the brightest in our \nnation's colleges and universities, as well as their many \npartners in the private sector. 
The research outcomes generated \nwith NSF support will undoubtedly contribute to the security, \nstability and integrity of our global cyber infrastructure for \nmany years to come.\n    To begin, I would like to emphasize that many cybersecurity \nmeasures deployed today build upon the fundamental research \noutcomes generated decades ago. Thus, as the recent 60-Day \nCyberspace Policy Review concludes, a national strategy to \nsecure cyberspace in both the near- and the long-term must \ninclude investments in fundamental, unclassified, long-term \nresearch.\n    Allow me to share with you just a few important fundamental \nresearch contributions made to date by the open research \ncommunity, many originally developed with applications other \nthan security in mind.\n    Cryptographic schemes and cryptographic-based \nauthentication, enabling today's Internet commerce, such as \nonline banking.\n    Program analyses and verification techniques enable early \ndetection of software vulnerabilities, thereby often preventing \ncyber attacks such as phishing, worms and botnets.\n    Machine learning and data mining approaches are now used in \nfiltering spam and detecting credit card fraud.\n    CAPTCHAs, the distorted text that only humans, not \nmachines, can decipher, ensuring that it is indeed a human, not \na bot, who is buying a ticket online.\n    These and many other research results developed with NSF \nfunding are being used routinely in numerous corporations \ntoday. Moreover, NSF-funded projects have spawned start-up \ncompanies that bring critical technologies to the marketplace, \ncreating new jobs, expanding the economy, and helping to secure \ncyberspace.\n    This year, NSF will invest almost $137 million in cutting-\nedge research on the science and engineering of trustworthy \nsystems. 
Our interdisciplinary Trustworthy Computing Program \nis a significant component of this investment and supports more \nthan 800 principal investigators, co-principal investigators, \nand graduate students.\n    We contribute to the Comprehensive National Cyber Security \nInitiative, CNCI, through this program with the focus on three \nvital areas, the scientific foundations of trustworthiness, \nprivacy, and usability.\n    NSF coordinates its cybersecurity research and planning \nactivities with other agencies primarily through the Networking \nand Information Technology Research and Development program, \nNITRD, and the InfoSec Research Council. We play a leadership \nrole in both activities.\n    NSF and the academic community greatly appreciated the \nopportunity to contribute to the 60-Day Cyberspace Policy \nReview. We are pleased that the review recognizes the \nimportance of investments in both fundamental unclassified \ncybersecurity research, the kind of research NSF supports, and \ncybersecurity education. The review also recognizes the \nimportance of a strong academia-industry-government partnership \nin which NSF plays a central enabling role.\n    For example, the NSF Science and Technology Center, called \nTRUST, and three Cyber TRUST Centers, all work directly with \nindustry partners to speed the transition of research outcomes \ninto products and services.\n    Looking ahead, there are several areas ripe for industry-\nuniversity collaboration. First, industry has data that are \notherwise unavailable to academics. Providing access to real \ndata, appropriately sanitized, anonymized, and scrubbed, based \non real adversaries and real users of operational systems and \nnetworks will allow researchers to test their theories and to \ngain new insights.\n    Second, industry has problems looming on the horizon that \nthey just don't have time to solve or they can't even imagine \nbecause they are so focused on the present. 
These are exactly \nthe kinds of problems academic researchers can work on, \nanticipating the threats of tomorrow so that when they arrive, \nsolutions will be ready.\n    In my testimony today, I have provided examples of the ways \nin which NSF works with its partners in the Federal Government, \nthe private sector, and academe to catalyze research advances \nin cybersecurity.\n    With robust sustained support for research in both the \nexecutive and legislative branches, we have a unique \nopportunity to increase our nation's investments in \nfundamental, open, long-term cybersecurity research. Investing \nnow for the future means a more secure future.\n    This concludes my remarks. Thank you very much.\n    [The prepared statement of Dr. Wing follows:]\n                Prepared Statement of Jeannette M. Wing\n    Good afternoon, Chairman Wu and Chairman Lipinski, Ranking Members \nSmith and Ehlers, and Members of the Subcommittees. I am Jeannette \nWing, and I am the Assistant Director of the Computer and Information \nScience and Engineering Directorate at the National Science Foundation.\n    I am delighted to have the opportunity to talk with you today about \nNSF's support for cybersecurity research at the frontiers of \nknowledge--investments that capitalize on the intellectual capacity of \nthe best and the brightest in our nation's colleges and universities, \nas well as their many partners in the private sector. The research \noutcomes generated with NSF support will undoubtedly contribute to the \nsecurity, stability and integrity of our global cyberinfrastructure for \nmany years to come.\n    To begin, it is essential that I note that many cybersecurity \nmeasures deployed today capitalize on fundamental research outcomes \ngenerated decades ago. 
Thus, as the recent 60-Day Cyberspace Policy \nReview concludes, a national strategy to secure cyberspace in both the \nnear- and the long-term must include investments in fundamental, \nunclassified, open, long-term research. Investments in such research \nwill allow our society to continue to benefit from a robust, secure, \ndependable cyberinfrastructure that supports all application sectors, \nincluding those on which our lives depend.\n    Allow me to share with you just a few important fundamental \nresearch contributions made to date by the open research community, \nmany developed with applications other than security in mind and long \nbefore situations arose that demanded their use.\n    The basic research community developed:\n\n        <bullet>  Cryptographic schemes and cryptographic-based \n        authentication, enabling today's Internet commerce, supporting \n        secure digital signatures and online credit card transactions, \n        and providing some of the building blocks needed for the safe, \n        secure and private exchange of electronic health records;\n\n        <bullet>  Program analyses and verification techniques, \n        enabling the early detection of software vulnerabilities and \n        flaws, thereby often preventing cyber attacks such as phishing, \n        worms and botnets;\n\n        <bullet>  Innovative machine learning and data mining \n        approaches now used in spam filtering, and methods for \n        detecting attacks such as those involving credit card fraud; \n        and the final example,\n\n        <bullet>  CAPTCHAs, the distorted text that only humans--not \n        machines or bots--can decipher, to ensure that it is indeed a \n        human, and not a bot, who is buying a ticket online or setting \n        up an e-mail account.\n\n    These research outcomes and many others developed with NSF funding \nare being used in numerous corporations including Amazon, Apple, eBay, \nGoogle, Intel, 
Microsoft, and Yahoo!. Moreover, NSF-funded projects \nhave spawned start-up companies that bring critical technologies to the \nmarketplace, creating new jobs, expanding the economy, and helping to \nsecure cyberspace.\n\nPlease summarize the current range of National Science Foundation \nsupported cybersecurity research, including associated funding.\n\n    NSF has been investing in cybersecurity research for many years.\\1\\ \nIn FY 2009, we will invest almost $137 million in fundamental research \nin the science of trustworthiness and related trustworthy systems and \ntechnologies. This includes $20 million from the American Recovery and \nReinvestment Act. Approximately one half of this $137 million is \nallocated to our interdisciplinary Trustworthy Computing program, which \nin FY 2009 is funded at a level of $65 million and supports more than \n800 principal investigators, co-principal investigators, and graduate \nstudents. In addition to the Trustworthy Computing program, we continue \nto make cybersecurity investments in the core scientific sub-\ndisciplines of the computing and human sciences, including the \nfoundations of communications and information, networking technology \nand systems, algorithmic foundations, information integration and \ninformatics, and in the social and economic implications of developing \nsecure, trustworthy systems.\n---------------------------------------------------------------------------\n    \\1\\ FY 2005: $68.81M, FY 2006: $76.73M, FY 2007: $96.70M, FY 2008: \n$106.90M, FY 2009 estimate: $136.70M (including $20M ARRA), FY 2010 \nRequest: $126.70M\n---------------------------------------------------------------------------\n    The totality of NSF investments supports a broad range of topics in \ntrustworthy systems and applications. 
NSF supports foundational \nresearch in: cryptography, including key management, conditional and \nrevocable anonymity; defense mechanisms against large-scale attacks \nsuch as worms, viruses, and distributed denial of service; formal \nmodels and methods for specifying, verifying, and analyzing system \nsecurity; hardware enhancements for security, such as virtualization \nand trusted platform modules; metrics, especially for risk-based \nmeasurement; privacy, including privacy-preserving data-mining, \nlocation privacy, and privacy in RFID networks; network security, \nincluding for wireless and sensor networks and pervasive computing; and \ntestbeds to run scalable experiments and to analyze anonymized network \ntraffic data. NSF-funded research also addresses cybersecurity in the \ncontext of many application areas, including critical infrastructure \n(including the power grid), health records, voice over IP, geospatial \ndatabases, digital media, electronic voting, and federated systems.\n    The relentless pace of innovation in information technology and \nrelated services leads inevitably to new research questions, \nopportunities and challenges. For example, increasing interest in \n``cloud computing'' leads to new opportunities but also raises new \nresearch challenges in security and privacy, and innovations in \nservice-oriented architectures raise new research challenges in \nresiliency and verification. In the longer term, new computing \nparadigms such as quantum computing will raise new research questions \nin cryptography and computational complexity.\n    As you may know, FY 2009 represents the first full year of the \ninteragency Comprehensive National Cybersecurity Initiative--CNCI. 
\nNSF's contributions to the CNCI include a specific focus on three \ncritical areas:\n\n        <bullet>  The scientific foundations of trustworthiness, so \n        that new trustworthy systems, technologies, and tools can be \n        developed and understood from first principles. New models, \n        logics, algorithms, and theories are being explored for \n        analyzing and reasoning about all aspects of trustworthiness--\n        security, privacy, reliability, and usability--about all \n        communication, control, and data components of systems and \n        their composition. Researchers are exploring the fundamentals \n        of cryptography, inventing new specification and programming \n        languages and techniques to prevent or detect security \n        vulnerabilities in software and hardware, defining new security \n        architectures for system design, and exploring new computing \n        models that have potential to improve trustworthiness and our \n        ability to reason with different aspects of trustworthiness.\n\n        <bullet>  The essential systems property of protecting privacy. \n        NSF is supporting the exploration of new scientific and \n        computational models, methods, logics, algorithms, and software \n        tools to define and reason about privacy, to detect and resolve \n        conflicts among privacy policies, to safeguard information of \n        individuals wherever it may digitally reside, and to explore \n        the interplay among privacy, security and legal policies. 
One \n        major technical challenge is identity management, especially \n        for federated systems that may be beyond the control of any one \n        organization; academic researchers are exploring attack-\n        resistant methods and protocols for identity management, \n        commensurate with application requirements to preserve privacy \n        and with security and legal requirements to provide \n        accountability.\n\n        <bullet>  Usability--the methods, tools and techniques that \n        make it easy for people to use computing systems while \n        protecting both people and systems from unforeseeable attacks \n        on their security and privacy. Users range from individuals \n        concerned about their home computers to administrators \n        responsible for large enterprises. Incorporating \n        trustworthiness into a system should not place undue demands on \n        human users or impact human or system performance. Since people \n        can be the weakest link in security, striking a balance between \n        control and convenience is a key challenge. Researchers are \n        developing new approaches to integrating and balancing \n        different system functionalities, understanding human \n        perception of trust including privacy, informing users of \n        potential pitfalls, and predicting the impact of user \n        decisions. New methods are needed, supported by automation, to \n        promote usability and provide users with security controls they \n        can understand. 
An especially active area of research is \n        digital forensics, where new automated methods will help all \n        users respond effectively in the aftermath of a security \n        incident.\n\nHow is NSF coordinating its own cybersecurity research and planning \nactivities with other relevant federal agencies?\n\n    At NSF, we coordinate our cybersecurity research and planning \nactivities with other federal agencies, including the Departments of \nDefense (DOD) and Homeland Security (DHS) and the agencies of the \nIntelligence Community, through the following ``mission-bridging'' \nactivities:\n\n        <bullet>  NSF plays a leadership role in the interagency \n        Networking and Information Technology Research and Development \n        (NITRD) Program. The National Science and Technology Council's \n        NITRD Sub-Committee, of which I am Co-Chair, has played a \n        prominent role in the coordination of the Federal Government's \n        cybersecurity research investments. For example,\n\n                <bullet>  The NITRD Senior Steering Group (SSG) for \n                Cyber Security is overseeing the unclassified research \n                and development component of the CNCI. We recently \n                established the National Cyber Leap Year during which \n                we asked our research leaders in government, academia, \n                and industry, to propose ``game-changing'' concepts for \n                securing cyberspace. Our next step is to hold focused \n                meetings with the community to pursue some of the more \n                promising ideas, toward an integrated private-public \n                approach that considers technical, social, and economic \n                factors in cybersecurity. 
This work is immediately \n                responsive to one of the near-term action \n                recommendations published recently in the 60-Day \n                Cyberspace Policy Review.\n\n                <bullet>  The NITRD CyberSecurity and Information \n                Assurance Interagency Working Group (CSIA IWG) \n                coordinates cybersecurity and information assurance \n                research and development across the thirteen member \n                agencies, including DOD, the Department of Energy (DOE) \n                and the National Security Agency (NSA). In 2006, the \n                CSIA IWG published a national research and development \n                agenda for strengthening the security of the Nation's \n                cyberinfrastructure. This report continues to inform \n                our investments today.\n\n        <bullet>  NSF also plays a leadership role in the multi-agency \n        Infosec Research Council (IRC), whose members include the DOD, \n        agencies representing the Intelligence Community and a number \n        of other federal agencies and entities (e.g., DOE, National \n        Institute of Standards and Technology, and National Library of \n        Medicine). The IRC provides a forum for the discussion of \n        critical scientific and technical issues in cybersecurity, \n        serves as a catalyst for the establishment of new programs and \n        technical emphases, and helps minimize duplication of effort. \n        In the past several years, IRC members have hosted a number of \n        academic-industry-government workshops, such as the recent \n        Science of Security Workshop, which identified \n        new principles and methodologies in support of a more \n        foundational approach to security. 
This workshop was co-funded \n        by NSF, the Intelligence Advanced Research Project Activity \n        (IARPA), and NSA.\n\n    These and other interagency settings, both formal and informal, \nprovide a range of opportunities for interagency coordination and \ncollaboration.\n\nIn particular, how is NSF coordinating its (unclassified) research and \nplanning activities with Department of Defense or other federal \nclassified research and research infrastructure, including cyber test \nbeds?\n\n    Jointly sponsoring workshops, such as the one I just cited, is \nrepresentative of the types of interactions that take place between \nagencies supporting classified and/or unclassified components of the \nfederal cybersecurity research portfolio. There is, of course, a rather \nsignificant classified component in the CNCI. Coordination between the \nlarger classified component and the more modest unclassified component \nis achieved through the engagement of individuals who participate in \nboth. These individuals share and promulgate knowledge generated in the \nunclassified component with those participating in the classified \ncomponent.\n    Through some of the coordinating mechanisms I have just described, \nNSF also works with its sister agencies in the deployment of \ncybersecurity testbeds. For example, the cyber-DEfense Technology \nExperimental Research Environment project (DETER)--a testbed that \nsupports research on next-generation cybersecurity technologies--has \nbeen supported jointly by DHS and NSF. In another example, the \nWisconsin Advanced Internet Laboratory (WAIL), which is supported by \nNSF, the Defense Advanced Research Project Agency (DARPA)\\2\\ and DHS, \nallows networking and distributed systems researchers to recreate end-\nto-end instances of the real Internet, thereby permitting realistic \nnetwork testing in support of security. 
As we look to the future, the \nDARPA National Cyber Range (NCR) is envisioned as a testbed that will \nallow researchers to perform qualitative and quantitative assessments \nof the security of cyber technologies and scenarios. Among the many \nexperimental testbeds that have been developed, DARPA is considering \nDETER and WAIL as starting points for the NCR--demonstrating the value \nof ``mission-bridging'' from NSF's basic research mission to the quite \nfocused application needs of other agencies. If the NCR is opened to \nunclassified research, then NSF would welcome the opportunity to \ncoordinate with DARPA to provide academic researchers with an \nopportunity to run their experiments on this testbed.\n---------------------------------------------------------------------------\n    \\2\\ DARPA does not provide funding for the Wisconsin Advanced \nInternet Laboratory as indicated in the written testimony. NSF noted \nthis error on June 19, 2009.\n---------------------------------------------------------------------------\n\nWhat changes, if any, does NSF plan to make to its research portfolio, \nplanning, or interagency coordination efforts in response to the \nfindings and recommendations in the Administration's 60-day federal \ncybersecurity review?\n\n    NSF and the academic community very much appreciated the \nopportunity to contribute to the 60-day Cyberspace Policy Review. As I \nstated in my opening remarks, the Review clearly recognizes the \nimportance of investments in fundamental, unclassified research, in \nsupport of which NSF plays a significant role.\n    The Review also recognizes the importance of cybersecurity \neducation. Besides our support of research, NSF plays an increasingly \nimportant role in the preparation of current and future generations of \ncomputing professionals and of a scientifically-literate national \nworkforce. 
We are grateful that the Review recognizes the important \nrole of several of our education programs, most notably the Pathways to \nRevitalized Undergraduate Education in Computing, and the Scholarships \nfor Service programs.\n    NSF's current portfolio of investments spans the many important \ntopics highlighted in the Review. Further, our interdisciplinary reach \nto the broad academic community, and beyond into the private sector, \nprovides an unparalleled opportunity to establish bold, new ``game-\nchanging'' directions in long-term cybersecurity research that are \ninformed both by social and economic needs and by national security \nrequirements. Our aspirations for the Trustworthy Computing program, \nwhich takes a holistic, interdisciplinary approach to establishing the \nscience of trustworthiness and its embodiment in the engineering of \ntrustworthy computing systems and technologies, are consistent with the \nreview's recommendations.\n    NSF will continue to support interagency workshops that promote \ninteragency collaboration and coordination. Workshops are planned on \nhow to measure success in security-related research activities, on \ndeveloping metrics to assess the security and privacy of complex \nsystems, and on how to achieve security in the financial \ninfrastructure. This last workshop will be coordinated with the \nDepartment of the Treasury.\n    NSF and its many partners in academe, industry, and government \nstand ready to respond to the national imperative to secure cyberspace, \nboth today and for the foreseeable future. We welcome the opportunity \nto collaborate with our partners in creating a comprehensive response \nto the recommendations expressed in the review.\n\nTo what extent is NSF's cybersecurity research portfolio shaped by the \ncybersecurity needs and related research priorities of the private \nsector? 
How is NSF soliciting input from the private sector regarding \nits research portfolio?\n\n    In the academia-industry-government ecosystem, organizations and \nindividuals in all three sectors bear a responsibility for shaping a \nfuture cyberinfrastructure that is usable, secure, dependable, and \nresistant to attack, for the benefit of science, our economy, and our \nsociety. The recent Cyberspace Policy Review clearly recognizes the \nvalue of a healthy academia-industry-government ecosystem in \nstrengthening our nation's cybersecurity posture.\n    At a strategic level, NSF's research investments are shaped by \nadvice provided by private sector representatives serving on the \nNational Science Board and NSF Advisory Committees.\n    NSF also catalyzes the formation of strong partnerships between \nacademia and the private sector by providing programmatic incentives \nthat encourage both sectors to work together, thereby speeding the \ntransition of research and education outcomes into products and \nservices. For example, the NSF Team for Research in Ubiquitous Security \nTechnology (TRUST) Science and Technology Center works with a number of \nindustry partners who (1) help define the Center's strategic intent and \nresearch and education priorities through the Center's External \nAdvisory Board, and (2) interact directly with faculty and students on \nindividual research projects. Industry partners include Cisco, Deloitte \nand Touche, eBay, GE, HP, ING, Intel, Microsoft, Nortel Networks, \nOracle, Qualcomm, Raytheon, Silicon Valley Bank, Sun Microsystems, \nSymantec, and Visa.\n    NSF's Cyber Trust program also supports three Centers with strong \nindustry partnerships. For example, the Trustworthy Cyber \nInfrastructure for the Power grid (TCIP) center, which also receives \nsupport from DHS and DOE, works with its industry partners to create \ncybersecurity research advances that will make the Nation's power grid \nmore secure, reliable and safe. 
Industry and other partners in this \nventure include ABB, Ameren, Areva, California ISO, Cisco, Entergy, \nEPRI, Exelon, GE, Gerhrs, Instep, ISIsoft, Kema, Multili, Open Systems \nInternational, Pacific Northwest National Laboratory, Power World \nCorporation, Siemens, and Starthis.\n    In addition to academic-industry partnerships encouraged through \nNSF programmatic incentives, many NSF-supported faculty and students \nhave informal connections with industry, and many students in computing \nfields do summer internships in industry. Using these informal \nmechanisms, research results from NSF investments in cybersecurity also \noften find their way into industry products and services. For example, \na team of researchers from UC-Berkeley, Stanford, and University of \nMaryland College Park developed an open source version of their static \nanalysis tools for finding software vulnerabilities. These tools have \nbeen adapted by Microsoft and other large software developers and \nincorporated into their products.\n    Looking to our cybersecurity future, there are several areas ripe \nfor industry-university collaboration. First, industry has data that \nare otherwise unavailable to academics. Providing access to real data--\nappropriately sanitized, anonymized, and otherwise scrubbed--based on \nreal adversaries and real users of operational systems and networks is \nessential. This access enables researchers to test whether their \ntheoretical ideas play out in practice. Do they scale? What are the \nedge cases? Furthermore, researchers gain new insights by examining \nreal data. Patterns and anomalies emerge from looking at real data that \nwould not from synthetic data. These discoveries in turn raise new \nscientific questions. 
Second, industry has problems looming on the \nhorizon that they just don't have time to solve or problems they can't \neven imagine because they are so focused on the present; those are \nexactly the kinds of problems academic researchers can work on: \nanticipating the threats of tomorrow so that when they arrive, \npotential solutions will be available. Moreover, academics are freer to \nthink out of the box and thus may come up with creative solutions that \nwhile impractical today, may be quite practical in the future.\n    In my testimony today, I've tried to provide examples of the ways \nin which NSF works with its partners in the Federal Government, in the \nprivate sector, and in academe to catalyze long-term research advances \nin cybersecurity. In his May 29 speech on the roll-out of the 60-day \nCyberspace Policy Review, the President stated that ``America's \neconomic prosperity in the 21st century will depend on cybersecurity'' \nand the Administration ``will continue to invest in the cutting-edge \nresearch and development necessary for the innovation and discovery we \nneed to meet the digital challenges of our time.'' Your Subcommittees \nalso clearly recognize the importance of research advances in \ncybersecurity to the Nation's future.\n    With robust sustained support for fundamental research in both the \nexecutive and legislative branches, we have a unique opportunity to \nincrease our nation's investments in fundamental cybersecurity \nresearch, thereby securing our nation's future for many decades to \ncome.\n    This concludes my remarks. I would be happy to answer any questions \nat this time.\n\n                    Biography for Jeannette M. Wing\n    Dr. Jeannette M. Wing is the President's Professor of Computer \nScience in the Computer Science Department at Carnegie Mellon \nUniversity. She received her S.B. and S.M. degrees in Electrical \nEngineering and Computer Science in 1979 and her Ph.D. 
degree in \nComputer Science in 1983, all from the Massachusetts Institute of \nTechnology. Currently on leave from CMU, she is the Assistant Director \nof the Computer and Information Science and Engineering Directorate at \nthe National Science Foundation.\n    Professor Wing's general research interests are in the areas of \nspecification and verification, concurrent and distributed systems, \nprogramming languages, and software engineering. Her current interest \nis on the foundations of trustworthy computing where by trustworthy she \nincludes reliability, security, privacy, and usability. Her current \nprojects are on specifying and verifying privacy policies.\n    She has published extensively in top journals and major conferences \nand has given nearly 300 invited, keynote, and distinguished lectures. \nShe was or is on the editorial board of twelve journals, including the \nJournal of the ACM and the Communications of the ACM.\n    Professor Wing has been a member of many advisory boards, \nincluding: the Networking and Information Technology (NITRD) Technical \nAdvisory Group to the President's Council of Advisors on Science and \nTechnology (PCAST), the National Academies of Sciences's Computer \nScience and Telecommunications Board, the DARPA Information Science and \nTechnology (ISAT) Board, NSF's CISE Advisory Committee, Microsoft's \nTrustworthy Computing Academic Advisory Board, the Intel Research \nPittsburgh's Advisory Board, Dartmouth's Institute for Security \nTechnology Studies Advisory Committee, and the Idaho National \nLaboratory and Homeland Security Strategic Advisory Committee. She was \na Member-at-Large on ACM Council and served on the ACM Kanellakis Award \nCommittee and the ACM Karlstrom Outstanding Educator Award Committee. \nShe was on the Microsoft New Faculty Fellowship Selection Committee and \nthe Sloan Research Fellowships Program Committee. 
She was the Co-Chair \nof the Technical Symposium of Formal Methods '99, co-organizer of the \nUW-MSR CMU 2003 Software Security Summer Institute, and Co-Chair of the \nFirst International Symposium on Secure Software Engineering.\n    Administratively at Carnegie Mellon, she served as Head of the \nComputer Science Department during 2004-2007, overseeing 90 faculty. \nShe was Associate Dean for Academic Affairs for five years, overseeing \nthe operations of the educational programs offered by the School of \nComputer Science, including at the time: ten doctoral programs or \nspecializations, ten Master's programs, and the Bachelor's program. She \nalso served as Associate Department Head for nine years, running the \nPh.D. Program in Computer Science.\n    She was on the Computer Science faculty at the University of \nSouthern California and has worked at Bell Laboratories, USC/\nInformation Sciences Institute, and Xerox Palo Alto Research \nLaboratories. She spent sabbaticals at MIT in 1992 and at Microsoft \nResearch 2002-2003. She has consulted for Digital Equipment \nCorporation, the Mellon Institute (Carnegie Mellon Research Institute), \nSystem Development Corporation, and the Jet Propulsion Laboratory. She \nis a member of AAAS, ACM, IEEE, Sigma Xi, Phi Beta Kappa, Tau Beta Pi, \nand Eta Kappa Nu. She was elected an ACM Fellow in 1998, IEEE Fellow in \n2003, and AAAS Fellow in 2007.\n\n    Chairman Wu. Thank you very much, Dr. Wing. Dr. Leheny, I \nam going to get you started, and Chairman Lipinski is going to \ntake over for a while. Dr. Leheny, please proceed.\n\n  STATEMENT OF DR. ROBERT F. LEHENY, ACTING DIRECTOR, DEFENSE \n            ADVANCE RESEARCH PROJECTS AGENCY (DARPA)\n\n    Dr. Leheny. Mr. 
Chairman, Subcommittee Members and staff, \nthank you very much for this opportunity to discuss DARPA's \nprograms, information assurance, and cybersecurity.\n    As I believe you are already aware, DARPA's mission is to \ninvest in high-risk, high-reward technologies that create new \ncapabilities for our military. And information assurance and \ncybersecurity are important elements in our current portfolio \nof programs. Let me begin today by commenting on the \nsignificance of robust secure self-forming networks to the \ndefense department.\n    Like many commercial enterprises, the department is \ntransforming to network centric operations, so DARPA's programs \nare focused on ensuring that these networks can operate \nindependently in a robust and secure manner. We are interested \nin two types of networks, strategic high-speed optical and \nsatellite based global networks, networks relying on commercial \nhardware technologies for the most part. For these types of \nnetworks, our focus is largely on operations, survivability \nunder attack, and security.\n    At the other extreme are practical, largely wireless \nnetworks, networks directly supporting the war fighter on the \nfront lines. Wireless networks present both hardware and \nsoftware challenges. They must be agile and adaptive, capable \nof operating in any environment, as well as be able to manage, \ndefend, and heal themselves at speeds beyond human \ncapabilities. And they must be self-forming without recourse to \nthe infrastructure or cell towers of the commercial provider.\n    As network capabilities become ever more essential to \noperations, these networks above all else must be secure. We \nwill spend about $127 million on information assurance and \ncybersecurity in the current fiscal year, and we are requesting \nan increase of more than 14 percent to $164 million for 2010. 
\nWhile most of these investments are targeted to software \narchitecture and protocol issues, to ensure networks are secure \nfrom the ground up, their underlying hardware must also be \nsecure. So in what is truly a DARPA hard problem, we are \ninvesting in a program we call TRUST, oddly enough the same \nname that the NSF has for one of its programs, but we are doing \nsomething completely different. What we are doing is \ninvestigating methods for detecting malicious features inserted \ninto semiconductor chips during their design, manufacture, and \nprogramming. All of these efforts focus on the department \nchallenges, but we believe our successes, as has been the case \nin the past, will eventually impact commercial network \ntechnologies as well.\n    At this time, perhaps our most visible program, one of \nparticular interest to this committee which we took on as part \nof the Comprehensive National Cyber Initiative, is our program \nto develop a National Cyber Range. Recognizing that scientific \nprogress has always been paced by advances in our ability to \nobserve, test and perform rigorous experiments, we are \ndesigning this range to be a vehicle for significantly \nadvancing progress in cyber understanding and capabilities, to \nbe a tool for rapid, realistic, and quantitative simulation \nassessment of cyber technologies. Researchers will be able to \noperate at either the classified or unclassified levels and \nwith many more nodes than current cyber test ranges with highly \nautomated tools and regiment techniques, they will have access \nto revolutionary research capabilities, capabilities that will \nallow rapid network simulation under real-world conditions, \nenabling efficient development and testing of information \nassurance and cybersecurity strategies.\n    The program has three phases. 
In the current first phase, \nwe began by seeking ideas from multiple sources which after a \ngovernment panel review resulted in our placing seven teams \nunder contract to develop competing designs for delivery later \nthis summer. At that time, the government team will evaluate \nand select the best among these designs to continue into a \nPhase II program to produce a limited number of prototype \nranges. In a third phase, the most capable prototype range will \nbe further developed into the operational range to be completed \nin 2012. DARPA is managing the National Cyber Range \ndevelopment, but we will transition the completed range to \nanother organization for operation. The details are a work in \nprogress. Presently two government working groups are studying \nthe issues. One is developing a technical vision and business \nmodel for the range operations. The other is focused on \nsecurity issues for accrediting the range for use by all \nagencies across the government. In the end, I believe the range \nwill operate like other national research assets with a panel \nto review and prioritize user proposals and an administrator to \nmaintain facilities and facilitate research or access.\n    Regarding how we coordinate our research with other \nagencies, I can assure you that we actively coordinate our \nefforts. Two specific examples include the multi-agency \nparticipation in the development of the National Cyber Range, \nand our teaming with the NSF to organize two cybersecurity \nworkshops this summer. But in general, in the process of \ndeveloping new programs, our program managers routinely engage \nwith their counterparts in other agencies to scope out the best \nway forward to achieve a specific research goal. 
Regarding the \n60-Day Cyberspace Policy Review, this high-level document \nranges over a wide variety of policy issues, but I note that it \nspecifically recognizes the importance of innovation in \nachieving cybersecurity, explicitly calling out the supply \nchain threat which our TRUST program is addressing and the \nimportance of modeling and simulation capabilities that the NCR \nwill enable.\n    In conclusion, as the department expands its net-centric \noperation, information assurance remains a critical concern. In \ndealing with this concern, we are committed to working with \norganizations across the government to contribute to the \nnational goals for a secure cyberspace, and when the new DARPA \nDirector is in place, refining our plans, programs and budgets \nfor cybersecurity will be high on our agenda.\n    I would be pleased to answer your questions.\n    [The prepared statement of Dr. Leheny follows:]\n                 Prepared Statement of Robert F. Leheny\n    Mr. Chairman, Subcommittee Members and staff: I am Bob Leheny, \nActing Director of the Defense Advanced Research Projects Agency \n(DARPA). I am pleased to appear before you today to discuss DARPA's \nongoing work in cybersecurity, or what we in the Department of Defense \n(DOD) call ``information assurance.''\n    I'd like to set the context for my remarks today by briefly \ndescribing DARPA's mission and how we work.\n    DARPA's mission is to prevent technological surprise for us and to \ncreate technological surprise for our adversaries. DARPA conducts this \nmission by searching for revolutionary high-payoff ideas and sponsoring \nresearch projects that bridge the gap between fundamental discoveries \nand their military applications. 
Stealth aircraft, developed at DARPA \nmore than 25 years ago, is one among many important examples of how we \ncreate technological surprise.\n    To understand DARPA's role in DOD's science and technology (S&T) \nestablishment, consider an investment timeline that runs from ``near'' \nto ``far,'' indicative of the time required for an investment to be \nincorporated into an acquisition program. The ``near side'' represents \ninvestments that characterize much of the work of the Department's \nother S&T organizations, which tend to gravitate to the near-term \nbecause they emphasize investments in capabilities required to meet \ntoday's mission requirements. These investments are excellent S&T and \nare crucial to DOD because they continuously hone U.S. military \ncapabilities, e.g., improving the efficiency of jet engines and making \nexisting radios more reliable. This S&T is usually focused on known \nsystems and problems.\n    At the other end of the investment timeline--the ``far side''--are \nthe smaller basic research investments made by various federal agencies \nand the Military Services that support fundamental discoveries, where \nnew science, ideas, and radical concepts typically first surface. \nInvestigators working on the far side generate ideas for entirely new \ntypes of devices or new ways to put together capabilities in a \nrevolutionary manner, but often find that obtaining funding is \ndifficult, if not impossible.\n    DARPA was created to bridge the gap between these two groups. The \nAgency finds the people and ideas on the far side and accelerates those \nideas to the near side for transition to the DOD S&T and acquisition \ncommunities as quickly as possible. 
DARPA's work is high-risk and high-\npayoff precisely because it bridges the gap between fundamental \ndiscoveries and their military use.\n    DARPA's success depends heavily on the freedom of its program \nmanagers to pursue the far side ideas that other S&T organizations \noverlook or, for a variety of reasons, decide not to consider. DARPA \nhires program managers for limited terms of four to six years, which \nensures a steady input of new energy and ideas. Given their relatively \nshort tenure, these program managers focus their time on quickly \ngenerating ideas and starting new programs. DARPA's senior leadership \nprovides an overall technical vision and oversees the organizational \ncoordination and collaboration activities required of any DOD \norganization, thus freeing the program managers to focus on their \nprograms. This approach has enabled DARPA to pursue the ideas and \nprograms that have benefited DOD for more than 50 years.\n    DARPA's strategy for accomplishing its mission is embodied in a set \nof strategic thrusts that guide its investments. 
The current strategic \nresearch thrusts that DARPA emphasizes today are:\n\n        <bullet>  Robust, Secure, Self-Forming Networks\n\n        <bullet>  Detection, Precision ID, Tracking, and Destruction of \n        Elusive Targets\n\n        <bullet>  Urban Area Operations\n\n        <bullet>  Advanced Manned and Unmanned Systems\n\n        <bullet>  Detection, Characterization, and Assessment of \n        Underground Structures\n\n        <bullet>  Space\n\n        <bullet>  Increasing the Tooth-to-Tail Ratio\n\n        <bullet>  Bio-Revolution\n\n        <bullet>  Core Technologies, which span investments in quantum \n        science and technology, bio-info-micro, materials, power and \n        energy, microsystems, information technology, mathematics, \n        manufacturing science and technology, and lasers.\n\n    Today, I will discuss DARPA's vision for DOD's Robust, Secure, \nSelf-Forming Networks and the investments in information assurance to \nsecure those networks.\n\nRobust, Secure, Self-Forming Networks\n\n    DOD is in the middle of a transformation to network-centric \noperations, which has as its goal turning information superiority into \na distinct advantage so U.S. forces can operate far more effectively \nthan any adversary. Network-centric operations fuse the typically \nseparate functions of intelligence and operations to dramatically speed \nup the observe-orient-decide-act (OODA) loop.\n    At the core of this concept are robust, secure, self-forming \nnetworks. These networks must be at least as reliable, available, \nsecure, and survivable as the weapons and forces they connect. They \nmust distribute huge amounts of data quickly and precisely across a \nbattlefield, a theater, or the globe, delivering the right information \nat the right place at the right time. 
The networks must form, manage, \ndefend and, when disrupted, heal very quickly.\n    Military network technology requirements are divided according to \ntheir application into either tactical or strategic networks. Tactical \nnetworks are largely wireless and directly support units and their \nequipment on the front lines. They must be agile, adaptive and \nversatile, and connect units and their equipment that are operating \ntogether, sometimes with different communication equipment, at local \narea ranges in all environments, including urban areas. Strategic \nnetworks are largely optical wired and/or satellite-based, are often \noperated by commercial suppliers, and provide broadband links between \noverseas command centers and the United States. Strategic networks \nglobally link air, ground, and naval forces for operational maneuver \nand strategic strike and enable the distribution of knowledge, \nunderstanding, and supply throughout the force.\n    Network-centric operations require connectivity between the \nstrategic and tactical echelons so they can rapidly and effectively \nshare information. Technology advancements now provide the opportunity \nto connect these two families of networks. DARPA is bridging strategic \nand tactical operations with high-speed, high-capacity communications \nnetworks. The DOD strategic, high-speed fiber optic network--the Global \nInformation Grid (GIG)--is an integrated network with a data rate of \nhundreds to thousands of megabits per second. To reach deployed \nelements, data on the GIG must be converted into a wireless format for \nreliable transmission to the various units within theater. This creates \nproblems in the timely delivery of information.\n    To connect the tactical warrior to the GIG, DARPA is developing \nhigh-speed network technology that can robustly disseminate voice, \nvideo, text, and situation awareness information to the various \nmilitary echelons and coalition forces. 
To accomplish this, the high \ndata rate capability of optical communications is being combined with \nthe high reliability and adverse-weather performance of radio frequency \n(RF) communications.\n    The goal of DARPA's Optical RF Communications Adjunct (ORCA) \nprogram is to create a high data rate backbone network via several \nairborne assets that nominally fly at 25,000 feet and up to 200 \nkilometers apart and provide GIG services to ground elements up to 50 \nkilometers away from any one node. ORCA provides billions of \ninformation bits per second, error-free on an optical link and, at \nradio frequencies, hundreds of millions of information bits per second \nwhen clouds block the optical link.\n    For applications at sea, DARPA is working to bridge strategic and \ntactical maritime operations with a revolutionary new capability for \nsubmarine communications based on a blue laser efficient enough to make \nsubmarine laser communications at depth and speed a near-term reality. \nIf successful, it will dramatically change how submarines communicate \nand greatly improve their operations and effectiveness, enabling \nsubmarines to become truly persistent nodes for network-centric \noperations at sea.\n    At the tactical ground level, radio inter-operability has plagued \nDOD for decades. To connect tactical ground, airborne, and satellite \ncommunications platforms and terminals together, the Network-Centric \nRadio System (NCRS) program has developed a mobile, self-healing, ad \nhoc network gateway that provides total radio/network inter-operability \namong these platforms moving in any terrain. NCRS builds inter-\noperability into the network itself--rather than into each radio--\nallowing any radio to communicate with any other radio. Now, previously \nincompatible legacy tactical radios can link seamlessly among \nthemselves and to more modern systems, including military and \ncommercial satellite systems. 
DARPA is taking this technology and \nworking on commercial components and practices to make NCRS more \naffordable at low rate initial production quantities. A follow-on \nprogram, Mobile Ad hoc Information Network GATEway (MAINGATE), is \nfocused on providing this capability at a low unit cost ($60,000 each) \nin small volumes (1,000 units).\n    Another wireless challenge is frequency spectrum; it is scarce and \nvaluable. DARPA's NeXt Generation (XG) Communications technology is \nmaking up to 10 times more spectrum available by taking advantage of \nspectrum assigned to others, but unused at a particular place and time. \nXG technology senses the spectrum being used and dynamically makes use \nof the spectrum that is not busy. Recently, XG conducted a series of \nsuccessful experiments and demonstrations at several military \nlocations, and various organizations within DOD are planning to \ntransition XG technology broadly into current and existing wireless \ncommunication systems.\n    DARPA is developing communication networks specifically for the \nkind of urban environments our troops are encountering today. As is the \ncase for civilian wireless networks, urban clutter can create multiple \nsignals from diverse reflections (``multipath'') of the initial signal, \nand the result is weak or fading communications. This problem is being \nturned into an opportunity through the DARPA Mobile Networked Multiple-\nInput/Multiple-Output (MNM) program, which is actually exploiting \nmultipath phenomena to improve communications between moving vehicles \nin cities without using a fixed communications infrastructure. MNM has \ndemonstrated reliable non-line-of-sight communications during on-the-\nmove field trials in urban environments. The program successfully \nexploited multipath to increase information throughput and reliability \nwhile maintaining high data rates. 
It also demonstrated reliable \ncommunications in the face of interference by enabling multiple signals \nto simultaneously occupy the same frequency band, resulting in \nincreased capacity of that channel.\n    Building on XG, MNM, and other technologies, the Wireless Network \nafter Next (WNaN) program is developing an affordable communication \nsystem for reaching to the ``tactical edge.'' The WNaN low-cost, highly \ncapable radio will allow the military to communicate with every \nwarfighter and every fielded device at all operational levels. WNaN \ntechnology will exploit high-volume, commercial components and \nmanufacturing techniques so DOD can affordably evolve the capability. \nThe radios will cost little enough that they can be refreshed after a \nfew years of use with updated, more capable radios--as are today's \ncommercial cell phones. DARPA is working with the Army to make a ``low \ncost hand-held networking radio'' for about $500 apiece a reality. In \nfact, we recently signed a memorandum of agreement that could lead to \nthe Army buying large numbers of units for military use.\n\nInformation Assurance for DOD Networks\n\n    The vision for DOD's networks covers great scope and depth, \nstarting with the building blocks of component hardware and software, \nranging from smaller networks for individual systems and tactical use \nto huge global networks; from wired to wireless; from mobile to fixed; \nand many combinations in between. These networks give the U.S. military \nsignificant advantages, which make them a very attractive, high value \ntarget for any adversary. The United States must assume its adversaries \nwill seek ways to destroy, disrupt, distort, or infiltrate DOD's \nnetworks.\n    Those networks must be reliable in any environment for extended \nperiods and protected against cyber threats. 
As technologies are \ndeveloped and deployed to successfully block overt cyber attacks, \nadversaries will likely attempt to insert malicious code to disrupt the \nnetworks. DOD, with some of the most sophisticated and complex networks \nand facing the most sophisticated attacks, must rigorously protect its \nnetworks or suffer terrible consequences. The ever-growing \nsophistication of these threats has surpassed the ability of current \ncommercial markets to provide DOD with rapid and robust solutions.\n    While many threats and problems are common to most types of \nnetworks--private, civilian government, and military--and many private \nand non-DOD researchers are addressing them, DARPA's efforts are \nfocused on technologies to solve the Defense Department's information \nassurance operational challenges. Funding for our information assurance \nresearch is primarily contained in two places in our budget: an applied \nresearch budget project called ``Information Assurance and \nReliability'' and a program element called ``Cyber Security \nInitiative,'' which covers the National Cyber Range. The total in these \nfor FY09 is about $127M, and we are requesting about $164M in FY10. The \ndetails on these requests may be found in our budget, which is \navailable online at www.darpa.mil/budget.html.\n    Critical to DOD's transformation to network-centric operations are \nthe wireless networks known as Mobile Ad Hoc NETworks (MANETs), which \nare designed to fluidly and automatically connect moving vehicles and \ndismounts as needed without a static network infrastructure. A rough \nanalogy is a cell phone network made up only of cell phones--without \ncell towers or a telephone company. For example, a television ad for a \ntelecommunications company shows a large crowd of people standing \nbehind its network. 
MANETs must operate without this support, yet \nremain fully functional networks while being vigorously attacked.\n    The DARPA Intrinsically Assurable Mobile Ad Hoc Network (IAMANET) \nprogram is aimed directly at building DOD MANETs that are secure from \nthe ground up. IAMANET is developing network architectures and \nprotocols to authenticate and authorize all traffic on a MANET, \nquarantine problems so they don't spread, and prevent data from \ncorruption and unauthorized exfiltration. In contrast, the current \nInternet does not deny unauthorized traffic by default and violates the \n``principle of least privilege,'' where a user is given no more \nprivilege than required to perform a given task. Existing protocols are \nnot resistant to malicious acts that can produce faulty outputs and \ninconsistent behavior. IAMANET technology will provide a smart router \ntechnology for ad hoc network environments that will not forward \nmalicious traffic, preventing infections from spreading through the \nnetwork and securing information within the network.\n    IAMANET builds on earlier DARPA research from the Dynamic \nQuarantine of Worms (DQW) program. DQW technology creates an integrated \nsystem that automatically detects and responds to worm-based attacks \nagainst military networks, provides advanced warning to other DOD \nnetworks, studies and determines the worm's propagation, and \nautomatically immunizes the network against these worms. The system \nquickly quarantines so-called ``zero-day worms'' to limit the number of \nmachines affected and restores the infected machines to an \nuncontaminated state in minutes, rather than hours and days. The \nMarines are now conducting tests of DQW-protected systems.\n    MANETs are of such significance to DOD that DARPA is sponsoring \nbasic research to develop Information Theory for Mobile Ad Hoc Networks \n(ITMANET) to provide a more powerful theory for mobile wireless \nnetworks. 
The ITMANET program is motivated in part by a major \nscientific accomplishment of the last century: Claude Shannon's \ninformation theory, which provides a mathematical foundation for \nunderstanding information capacity in wired, point-to-point networks. \nThis theory is an essential foundation for today's information \nrevolution, but is incomplete when dealing with wireless MANETs. \nITMANET is extending Shannon's classic description of information \ncapacity to the more complex mobile ad hoc network case. Stanford \nUniversity and the University of Texas are leading two research teams \nin this effort, which involves 24 faculty members from several \nuniversities. Important program results are being reported in peer-\nreviewed professional journals, and, based on this research, a popular \nscience magazine is planning a tutorial article on MANETs to popularize \nthe concepts among a wider audience. While this work may not seem to be \nstrictly information assurance, DARPA researchers believe it will help \nus understand the limits of what can and cannot be done in MANETs and \ninform the design of MANETs that are more secure.\n    DARPA's information assurance programs for wired networks will \nlikely yield results that could be useful to a wide range of users \nbeyond DOD.\n    The Trustworthy Systems program is developing innovative methods to \ndetect unusual traffic in networks. These methods promise to be orders \nof magnitude more effective than traditional approaches by leveraging \nrecent advances in statistical physics, information theory, and \nthermodynamics. The goal is to detect 99 percent of attacks launched \nwith no more than a single false alarm per day--all at gateway speeds, \nin the gigabits-per-second range.\n    The Self-Regenerative Systems (SRS) program is developing \ntechniques to allow networks to work through attacks and automatically \nadjust themselves to provide critical functions in the presence of \nattacks. 
Over time, SRS will ``learn'' their own vulnerabilities and \nhow to correct them, even protecting against incorrect or improper \nactions by authorized users. Started in 2004, the SRS program involves \nseveral universities and research firms and is advancing four key cyber \ndefense technologies: automated software diversity, scalable \nredundancy, insider threat mitigation, and self-healing. The current \nphase of the program will move SRS technologies from the laboratory to \nan actual DOD system to show that the system can automatically heal \nitself from expert attack, while maintaining a viable level of service.\n    The DARPA Application Communities (AC) program is building an \nautomatic cyber defense infrastructure for large deployments of similar \napplications in many places, for example, the same web browser running \nsimultaneously on many separate computers. As a network comes under \nattack, continued comparison across the network permits the online \nconstruction of a universal software patch for all affected machines. \nThe core technology for the AC program was developed at MIT and will be \ndemonstrated in the current phase of the program in conjunction with \nMIT's commercial partner.\n    All networks rely on hardware, and to work properly that hardware \nmust be secure. With much of the microelectronics used in DOD and other \nsystems manufactured off-shore, the question naturally arises, ``How do \nwe know we are getting what we asked for in the microelectronics and \nonly what we asked for?'' The integrity of the hardware components is \ncommonly not addressed when considering cybersecurity and networks, but \nit is a key issue in DOD information assurance. To the extent DOD \nsystems use microelectronics purchased from several vendors, including \nforeign sources, they are at risk.\n    DARPA's Trusted, Uncompromised Semiconductor Technology (TRUST) \nprogram, a major information assurance program, is directly tackling \nthis issue. 
Pursuing a series of complementary technologies and \ntechniques to ensure that DOD's microelectronics will do only what they \nare supposed to do and nothing more, TRUST program research addresses \nthe full production cycle of microelectronics, including design and \nfabrication. The program is studying ways to determine whether \nmalicious features have been inserted during the design or fabrication \nof application-specific integrated circuits or during the programming \nof field programmable gate arrays. DARPA is at the forefront of \nresearch in this area, confronting these issues in a comprehensive \nmanner for the first time with expected results that will enhance and \nensure the trustworthiness of microelectronics--regardless of where \nthey have been manufactured.\n\nNational Cyber Range\n\n    DARPA's most prominent information assurance program is the \nNational Cyber Range (NCR) project, which is part of the Comprehensive \nNational Cybersecurity Initiative (CNCI). DARPA was selected to run \nthis program because we have some experience in the area of \ncybersecurity testing.\n    The NCR will result in a testbed on which researchers and \ndevelopers can simulate and measure technologies and their performance \nin a realistic environment, allowing cybersecurity technology testing \nunder real-world conditions and across a variety of network types.\n    DARPA believes the NCR will accelerate the development of leap-\nahead cybersecurity technology for the larger research community. The \nfundamental idea underlying the rationale to develop a large-scale \ncyber test range is the recognition that scientific progress is often \npaced by advances in the instrumentation available to observe and test \nnew phenomena and to run rigorous experiments to verify the \nsignificance of these observations and theoretical insights they \nstimulate. 
Just as developments in microscopes and telescope \ntechnologies opened new worlds to scientific exploration and \nrevolutionized our understanding of nature, the NCR, if successful, \nwill provide the same opportunity for the cybersecurity research \ncommunity.\n    The design goal for the NCR is to enable researchers to rapidly \ncreate network architectures under a variety of conditions, from high \noperational demand to aggressive cyber attack, and develop responses \nbased on the collected data. Simulations conducted with the highly \nautomated cyber range will allow a variety of user and network \nbehaviors, providing researchers insight and deeper understanding of \nhow cybersecurity and situational awareness tools function in complex \nenvironments.\n    When completed, the NCR will allow realistic, quantifiable tests \nand assessments of cybersecurity scenarios and defensive technologies, \nrevolutionizing cybersecurity testing by offering vastly improved cyber \ntesting capabilities in terms of:\n\n        <bullet>  Scope. The NCR will allow unclassified and classified \n        testing on the same facilities, including wired and wireless \n        networks, MANETs, supervisory control and data acquisition \n        systems, and other features to simulate an extremely large \n        variety of networks. It will allow defensive technologies to be \n        tested against realistic offensives and greatly improve and \n        accelerate researchers' abilities to produce solutions and \n        rapidly deploy them.\n\n        <bullet>  Scale. The NCR will have orders of magnitude more \n        nodes than currently available test ranges, providing a much \n        more realistic and valid test environment.\n\n        <bullet>  Flexibility Through Automation. Under software \n        control, the NCR will be able to quickly set up a wide variety \n        of test networks and permit multiple, independent experiments \n        on the same infrastructure. 
A graphical user interface will \n        allow test directors to use a drag-and-drop feature to quickly \n        lay out a network architecture, its hosts, system latency, \n        environmental characteristics, and other pertinent test \n        qualities and requirements. Once this infrastructure is \n        created, it will be ready for testing immediately; the impact \n        will be to dramatically change the time required to create a \n        test environment from months to minutes.\n\n        <bullet>  Efficiency. The NCR's state-of-the-art \n        instrumentation and forensics technology will enable far better \n        use of test time.\n\n    I think that NCR could operate much like other major National \nresearch assets and laboratories. A number of potential operating \nmodels exist, including the DOD's High Performance Computing \nModernization Program, which has been run by the DOD since the early \n1990s and makes high performance computing facilities available to \nDefense researchers for both classified and unclassified projects.\n    I believe, for example, that NCR could have a panel that reviews \nand prioritizes proposals submitted by potential users for time on the \nrange. One of their guiding principles would be to ensure that the \nportfolio of research fulfills the mission of the range. Such a panel \nwould then schedule who gets access to the range and when, and what \nthey can do on the range. An administrator would facilitate users' \naccess and use of the range and ensure their individual research goals \non the range are met. 
I am sure that other possible operating models \nexist.\n    Two primary technical challenges must be tackled to achieve NCR's \ngoals: (1) How are large-scale, highly heterogeneous networks simulated \nrealistically, and what is the scale and scope needed for realistic \nexperiments?; and (2) What instruments can be created to monitor \nperformance during experiments to provide the greatest meaningful \nunderstanding of the results, even providing quantitative measures of \nperformance? Real-world cybersecurity events are taking place all the \ntime, but existing network administration techniques provide little \ninsight into their cause without considerable effort. The point of the \nNCR is to incorporate highly sophisticated, fast, flexible, and \nefficient instrumentation and administration technologies, in a \ncontrolled environment, to enable full understanding of such phenomena \nrapidly and with little effort.\n    In November 2007, DARPA released an unclassified Request for \nInformation where we solicited the community for ideas to improve cyber \ntesting. In May 2008, DARPA released a Broad Agency Announcement and \nconducted a two-day unclassified industry day soliciting solutions from \nthe community and answering questions posed by the community. A \ngovernment-wide source selection process selected the best of breed \nfrom those proposed. The NCR program is in its first phase. During this \nphase, there are seven teams of defense contractors, universities, \nsmall businesses, vendors, and service providers working on competing \ndesigns to be completed and delivered this summer. The next phase will \nbe to take several selected design teams forward to build small-scale \nprototypes. We expect that selection and build phase to be completed in \nfall of next year, and then move on to completion and operation of the \nrange.\n    DARPA will not own or operate the NCR when completed. 
Historically, \nDARPA facilities and institutional interests have been held to an \nabsolute minimum, allowing the Agency to be open to new ideas. To \nremain consistent with this management philosophy, DARPA will not own \nor operate the NCR once it is built.\n    The NCR is an integral part of the CNCI, and within NCR are two key \nworking groups. The NCR Joint Working Group is a stakeholders' panel \nheaded by DARPA that is developing the technical vision and business \nmodel for the NCR. This work informs the technical capabilities needed \nand provides options on how the NCR will operate. Many issues are being \nstudied, including who will manage the NCR, how it will be funded, who \nwill have access, and conditions for use. Working group members \nrepresent DOD; the Intelligence Community; Departments of Homeland \nSecurity, Energy, and Treasury; National Science Foundation; Federal \nBureau of Investigation; National Institute of Standards and \nTechnology; the New York State Governor's Office; and the New Jersey \nState Police. They are invited to participate in all the steps from \nconcept development to performer selection and periodic program \nreviews.\n    A separate working group focuses on the crucial issue of NCR \nsecurity requirements. The range will have to be certified to run \nclassified and unclassified testing, and the various agencies have \ndifferent security requirements and nomenclatures. This working group \nseeks security protocols that will allow the NCR to be properly \naccredited by agencies from across the Government.\n\nCoordination of Research\n\n    Much of the coordination of DARPA research with other government \nagencies occurs as a bottom-up process within technical communities. \nDARPA program managers are hired from government, industry, and \nacademia in large measure because they are world-class technical \nexperts with extensive knowledge of the research being done in their \ntechnical areas. 
In the last eight years, roughly one-third of DARPA \nprogram managers have come from industry, one-third from other parts of \nDOD, one-quarter from academia, and one-tenth from elsewhere. More than \n95 percent of DARPA's program managers have advanced degrees and are \nsubject matter experts from a wide variety of backgrounds. DARPA's \npolicy of rotating program managers after four to six years ensures a \nsteady stream of new people bringing fresh ideas to the Agency.\n    Because DARPA conducts none of its research in-house, its program \nmanagers look externally for ideas and research performers. During the \nprocess of starting programs, they seek good ideas wherever those ideas \ncan be found, frequently by hosting workshops attended by researchers \nand other government experts. Engaging a wide spectrum of experts in a \nfield through this extensive outreach effort is how DARPA coordinates \nideas and research.\n    With that overall process in mind, let me give you some examples of \nhow we have worked with the National Science Foundation (NSF) in \ninformation assurance.\n    DARPA co-funded three projects through the NSF Cybertrust Program \n(led by Stanford, University of Texas, and Princeton) dealing with \nfundamental software techniques for high assurance and security. NSF \nadministered these grants to university researchers after their \nselection through the Foundation's standard, community-based, merit \nreview process.\n    This summer, DARPA and NSF will co-sponsor two research workshops \nrelated to cybersecurity. Both workshops will bring together key \nthought leaders from universities, National Institute of Standards and \nTechnology, Department of Homeland Security, National Science \nFoundation, and DARPA. The first workshop is in clean slate security \narchitectures, which will identify paths to fundamentally redesigning \ncomputers for modern threats. The second workshop is meant to begin re-\nthinking the Internet. 
As you know, DARPA played a key role in \ndeveloping the Internet, and our interest in the future Internet design \nworkshop is to identify fundamental new network concepts that are far \nmore resistant to attack than the current Internet.\n\n60-Day Cyberspace Policy Review\n\n    The report that came out of the 60-day Cyberspace Policy Review is \na high-level document covering a very wide variety of policy issues, \nincluding leadership, organization, legal, education and training, and \noperations and incident response. With respect to research issues, the \narea of DARPA's expertise, the review clearly recognizes the centrality \nof innovation to our national cybersecurity capabilities. In \nparticular, it contains a discussion of the supply chain threats that \nwe are addressing in our TRUST program--a problem that may not be \nwidely appreciated outside the national security community. It also \ndiscusses the need for modeling and simulation, capabilities that could \nbe provided by the NCR when it is completed. In general, between the \ngame-changing technology we are promoting and the new tools and \nfacilities of the NCR, DARPA will be able to make a significant \ncontribution to the innovation goals of the Cyberspace Policy Review.\n    We are at the early stages of what will come out of the 60-day \nreview, but having senior leadership at the White House looking hard at \ncybersecurity across the Federal Government will keep it high on the \nnational agenda and stimulate progress throughout the field. As this \nprocess moves forward and we get a new Director at DARPA, we will be \nsure to continue to evaluate our own plans, programs and budgets for \ncybersecurity. 
We have been a leader in promoting cybersecurity \nresearch, and we look forward to continuing our role promoting radical \ninnovation for national security as the implications of the 60-day \nreview develop more fully.\n    The DOD's move toward network-centric operations means that \ninformation assurance will remain a crucial and long-standing concern. \nI hope my testimony today has given you a sense of DARPA's plans and \nambitions.\n    I would be pleased to answer your questions.\n\n                     Biography for Robert F. Leheny\n    Dr. Robert F. Leheny was named Acting Director of the Defense \nAdvanced Research Projects Agency (DARPA) February 20, 2009. He \ncontinues to serve as Deputy Director of DARPA, a position he has \noccupied since June 2, 2003.\n    DARPA is the principal Agency within the Department of Defense for \nresearch, development, and demonstration of concepts, devices, and \nsystems that provide highly advanced military capabilities.\n    Prior to assuming his current positions, Dr. Leheny served as \nDirector of DARPA's Microsystems Technology Office. He joined DARPA in \nOctober 1993 as a Program Manager in the area of optoelectronics.\n    Prior to joining DARPA, from 1987 to 1993, Dr. Leheny was an \nExecutive Director for Network Technology Research in the Applied \nResearch Laboratory of Bell Communications Research, Inc. (Bellcore, \nnow known as Telcordia Technologies, Inc.), Red Bank, NJ. In this \nposition he was responsible for managing an organization researching \nmaterials and device designs for communication systems. From 1984 to \n1987, he was Director of the Electronic Device Research Group in the \nsame Laboratory at Bellcore. From 1967 to 1983 he was a member of \ntechnical staff in Electronics Research Lab at Bell Laboratories, Inc., \nHolmdel, NJ. 
From 1962 to 1967, he was a graduate student at Columbia \nUniversity and from 1960 to 1962, he was employed as a Radar Systems \nEngineer with the Sperry Gyroscope Co., Great Neck, NY.\n    Dr. Leheny received his BS from the University of Connecticut in \n1960 and a Doctor of Engineering Science Degree from Columbia \nUniversity in 1966. In 1983, he was named a Bell Labs Distinguished \nMember of Technical Staff and in 1992 he was named a Distinguished \nGraduate of the University of Connecticut School of Engineering. In \n2003, Dr. Leheny was presented with the DOD Distinguished Civilian \nService Award, the highest award the Department of Defense can give to \ncareer civil servants. He has published over 70 papers, co-edited a \nbook and authored four book chapters. He is a Fellow of the IEEE and a \nmember of the American Physical Society, American Association for the \nAdvancement of Science, and the New York Academy of Sciences.\n\n    Chairman Lipinski. [Presiding] Thank you, Dr. Leheny. I now \nrecognize Dr. Fonash for five minutes.\n\n   STATEMENT OF DR. PETER M. FONASH, ACTING DEPUTY ASSISTANT \nSECRETARY, OFFICE OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL \n    PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF \n                    HOMELAND SECURITY (DHS)\n\n    Dr. Fonash. Good afternoon, Chairman Wu, Chairman Lipinski, \nand Members of the Subcommittees. Thank you for the opportunity \nto discuss the White House's recently released Cyber Policy \nReview as it relates to the Department of Homeland Security's \nongoing efforts to secure the federal, civil, executive branch \nnetworks and information systems and to coordinate activities \nfocused on securing the Nation's critical infrastructure.\n    One of the greatest threats facing our nation is a cyber \nattack to the critical infrastructure on which we depend. Our \nsociety relies on technology and telecommunications to support \nour economy and critical government functions. 
The cyber \nthreats to these systems are real, growing, and evolving. They \nare large, diverse and range from independent, unsophisticated, \nopportunistic hackers to technically competent adversaries and \nnation states.\n    The Nation must be vigilant, proactive and innovative as it \naddresses and mitigates the service disruptions. The \nDepartment's National Cyber Security Division, or NCSD, serves \nas the national focal point for cybersecurity on behalf of DHS. \nIt works with the private sector and Federal, State, local, \ntribal and international governments to assess and mitigate \ncyber risk and prepare for, prevent, and respond to cyber \nincidents.\n    The Cyberspace Policy Review assesses the current state of \nU.S. cybersecurity policies and structures. Based on this \nassessment, future decisions will be made regarding U.S. \ncybersecurity policy and appropriate structures to execute it. \nIt is anticipated that those decisions will focus on the \nfollowing five key areas outlined in the Review which build \nupon existing programs and activities: (1) developing a new, \ncomprehensive strategy to secure America's information and \ncommunications infrastructure; (2) ensuring an organized and \nunified response to future cybersecurity incidents; (3) \nstrengthening public, private, and international partnerships; \n(4) investing in cutting-edge research and development; and (5) \nbeginning a national campaign to promote cybersecurity \nawareness and digital literacy and to build a digital workforce \nfor the 21st century.\n    Within those areas, a series of near- and mid-term actions \nare set forth. DHS and NCSD, working with interagency partners, \nare actively engaged in advancing these actions. 
As many of \nthem align with current NCSD activities, such as cybersecurity-\nrelated information sharing with federal, State, local and \nprivate sector partners, supply chain risk management, cyber \nworkforce development, and the promotion of cybersecurity \nthrough national public awareness and education efforts, NCSD's \nfiscal year 2010 budget request provides further justification \ndetails on how DHS tends to grow and support these and other \ncybersecurity activities necessary to protect the Nation from \ncyber threats.\n    Before I address some of NCSD's current initiatives, let me \nemphasize that privacy and civil liberty considerations are at \nthe center of our efforts. Protecting the privacy of Americans \nand their personal information is not just a priority, it is \nrequired by law and we take it very seriously.\n    DHS leads a multi-agency approach to coordinate the \nsecurity of federal, civil, executive branch networks. The \nUnited States Computer Emergency Readiness Team, or US-CERT, \nserves as a central federal information security incidence \ncenter and is the focal point for the security of federal civil \nexecutive branch networks. Agencies report instances to US-\nCERT, and it guides agencies on enhancing detection \ncapabilities and works with them to mitigate information \nsecurity incidence. US-CERT compiles and analyzes incident \ninformation, shares the information with the operators of \nfederal information systems. US-CERT provides products ranging \nfrom current and potential information security threats to \nalerts about vulnerabilities.\n    In addition, US-CERT is improving its capabilities to \nprotect the federal enterprise in response to growing cyber \nthreats, in large part to ramp up the current activities due to \nthe Comprehensive National Cybersecurity Initiative, or CNCI. \nOver the last year, DHS has led the CNCI effort to establish a \nfront-line defense for federal executive branch. 
As part of \nthis effort, DHS works with the Office of Management and Budget \nto reduce federal executive branch's external connections \nthrough the Trusted Internet Connection, or TIC, program. \nConsolidating such connections is the first step to creating \nfront-line defense. As we reduce external connections, we will \ndeploy EINSTEIN, an intrusion detection system, at trusted \nInternet connections which will allow us to more effectively \nanalyze malicious activity across federal executive branch \nnetworks. We also work with federal agencies to develop \nadditional capabilities to detect and eventually prevent \nintrusions. Such collaboration will help inform the products \nnecessary to provide actionable information to our critical \ninfrastructure community.\n    In addition to coordinating the security of federal civil \nbranch networks, we work with industry and government partners \nto secure the Nation's critical infrastructure networks. The \nvast majority of the Nation's cyber infrastructure is owned by \nthe private sector. As such, cybersecurity is not exclusively a \nfederal responsibility, and the key to our assured success is \nprotecting cyber infrastructures' collaboration with the \nprivate sector. It is for this reason DHS will continue to \nstrengthen and build upon a public-private partnership \nframework created under the National Infrastructure Protection \nPlan, or NIPP. The NIPP was used for one of the CNCI \ninitiatives whose focus is on improving protection of privately \nowned critical network infrastructure through public-private \npartnership. It is often referred to as Project 12.\n    State, local, tribal governments and international \ncommunities also play crucial roles in improving cybersecurity. \nRecognizing the contributions that can be made by leveraging \nsuch partnerships, DHS works with all levels of government and \nin the international community to help them increase awareness. 
\nDHS also works with other agencies to develop a plan for \nretaining a skilled, trained workforce. We need to build the \nnext generation of our cybersecurity workforce that will help \nus maintain a competitive advantage. Over the coming years, we \nwill focus resources on the education and training of our \ncurrent workforce and developing and recruiting new talent. DHS \nis also encouraging university programs and provides \nscholarships to promising students.\n    In conclusion, as a nation becomes ever more dependent upon \ncyber networks, we must address cybersecurity strategically. \nOvercoming new cybersecurity challenges is a difficult task \nrequiring a coordinated, focused approach to better secure the \nNation's technology communications infrastructure. President \nObama's Cyberspace Policy Review reaffirms that cybersecurity \nis among the most significant issues facing the Nation's \neconomic and national security and it solidifies the priority \nthat the Administration places on improving cybersecurity.\n    Thank you for your time today. I appreciate the opportunity \nto discuss the Department's efforts in advancing our \ncybersecurity posture. I would be happy to answer any questions \nfrom the Subcommittee.\n    [The prepared statement of Dr. Fonash follows:]\n                 Prepared Statement of Peter M. Fonash\n\nIntroduction\n\n    Good afternoon, Chairman Wu, Chairman Lipinski and Members of the \nSubcommittees. Thank you for the opportunity to speak about the \nDepartment of Homeland Security's (DHS) ongoing efforts to secure the \nFederal Executive Branch civilian networks and information systems, the \nWhite House's recently released Cyberspace Policy Review, as well as \ncoordinating activities focused on securing portions of the Nation's \ncritical infrastructure.\n    One of the greatest threats facing our nation is a cyber attack to \nour critical infrastructure and key resources (CIKR), on which our \nnation depends. 
Our information communications technology systems are \nintegral to our daily lives. Our society relies on technology and \ntelecommunications to support our economy and business operations, and \nalso support critical functions of government. An attack could cause \ndisruption to any or all of our key sectors and could jeopardize not \nonly the private sector, but the government's ability to provide \ncritical services to the public. Such an attack could also create \ncascading effects throughout the country due to the integrated and \nglobal nature of business today.\n    The cyber threats to these systems are very real, growing, and \nevolving. The Nation must be vigilant, proactive, and innovative in its \nefforts to address and mitigate disruptions of service. What makes this \nendeavor ever more challenging is the volume and composition of these \nthreats. They are large and diverse and range from independent \nunsophisticated opportunistic hackers to very technically competent \nadversaries and nation states.\n    Our adversaries--both criminal and nation states--have become \nincreasingly sophisticated in their methods and ability to coordinate \nmalicious activities. The United States Government is aware of, and has \nresponded to, malicious cyber activity directed at its civilian and \nmilitary systems and networks over the past few years. We continue to \nremain concerned that this activity is growing more sophisticated, more \ntargeted, and more prevalent.\n    I am here to underscore the Department's resolve to collaborate and \nshare actionable information with stakeholders to mitigate known \nthreats. Engagement, however, cannot be a one-way information flow with \nthe goal of simply relaying information. 
We must create a two-way \ndialogue and facilitate continuous feedback that helps us improve \nnotification products, such as informational notices and situational \nawareness reports.\n    Information sharing is an essential part of cybersecurity and we \nmust continue to increase our current public/private information \nsharing and coordination efforts via the National Infrastructure \nProtection Plan (NIPP) framework. Using the NIPP framework, DHS has \nbuilt robust working channels to exchange and integrate information \nwith and among our partners in industry. Our efforts in this area have \nalready begun. Through the Cross-Sector Cyber Security Working Group \n(CSCSWG), we have convened an Information Sharing Subgroup to look at \nways to facilitate the bi-directional sharing of cyber information, \nindications, and warnings through the operational capabilities within \nand across the sectors and government. Specifically, we are looking at \nhow to better share cyber threat and vulnerability information with \nthose in industry who need it, understanding that some of this \ninformation is very sensitive. We are also developing plans on how to \nwork with industry partners to obtain greater situational awareness on \nthe status of CIKR networks.\n    As you know, DHS is the lead agency in a multi-agency approach in \ncoordinating the security of Federal Executive Branch civilian \nnetworks. In large part, activities currently under way are due to the \ncreation of the Comprehensive National Cybersecurity Initiative (CNCI), \nwhich is designed to further protect federal networks and explore new \nways to assist industries in securing their infrastructure. There is \nwide agreement that the CNCI moved the ball in the right direction. \nHowever, more needs to be done. 
President Obama's call for, and \nsubsequent completion of, the White House Cyberspace Policy Review \nreaffirms that cybersecurity and cyber threats are among the most \nsignificant issues facing the economic and national security of our \nnation.\n    At DHS we have been focused on three main areas as part of the \nCNCI:\n\n        1)  Establishing a front line of defense;\n\n        2)  Seeking ways to defend against a full spectrum of threats \n        through intelligence and supply chain security; and\n\n        3)  Taking cybersecurity to the next level through workforce \n        education.\n\n    Over the last year, DHS has been leading the effort to establish a \nfront line of defense by reducing vulnerabilities and preventing \nnetwork intrusions in the Federal Executive Branch civilian networks. \nWe are improving our cybersecurity posture in this area by focusing \ngovernment efforts on reducing external connections through the Trusted \nInternet Connection program and deploying EINSTEIN, our intrusion \ndetection system. DHS is also working in close coordination with our \ninteragency partners to develop additional capabilities and capacity to \ndetect and eventually prevent intrusions. Such collaboration with our \nfederal partners will also help to inform the products necessary to \nprovide actionable information to our CIKR community.\n    The Department is also seeking ways to better protect Federal \nExecutive Branch civilian information systems and networks from the \nfull spectrum of threats, such as from malicious code embedded in \nhardware or software products. This requires improving our global \nsupply chain defense through increased awareness of threats, \nvulnerabilities, and consequences as well as collaborating with the \nNational Institute of Standards and Technology in the development of \nstandards, policies and best practices across the federal civilian \nenterprise. 
In conjunction with the Department of Defense (DOD), DHS is \nworking to increase the capabilities of all federal departments and \nagencies to ensure the protection of their supply chains as well as \ntheir ability to mitigate risks.\n    A strong workforce is also necessary to ensure the continual \nadvancement of our cybersecurity posture. Successful detection and \nmitigation of threats requires us to maintain a workforce at a high \nskill level. For the safety of our information systems and networks, \nnow and in the future, DHS is focusing its resources on building the \nnext generation cyber workforce by improving workforce training and \neducation, recruiting new talent, and providing funding for college and \nuniversity scholarships.\n    In addition, we are working with industry and government partners \nto secure the Nation's critical infrastructure networks. As you well \nknow, the Federal Government does not own the Nation's information \ntechnology networks or communication infrastructures. The vast majority \nof the Nation's cyber infrastructure is in the hands of the private \nsector. For this reason, cybersecurity is not exclusively a federal \nresponsibility, and as I mentioned earlier, collaboration with the \nprivate sector is essential.\n    The Department's National Cyber Security Division (NCSD) serves as \nthe national focal point for cybersecurity on behalf of the Department. \nThe NCSD works in concert with the DHS Science and Technology \nDirectorate to cohesively develop technologies that address current and \nfuture technology gaps. The NCSD also works with the private sector and \nFederal, State, local, tribal and international governments to assess \nand mitigate cyber risk and prepare for, prevent, and respond to cyber \nincidents. The Department maintains a strong and positive relationship \nwith the National Security Agency (NSA). 
NSA has provided a number of \nsenior level detailees to the Office of Cybersecurity and Communication \n(CS&C) and the National Cyber Security Division (NCSD) within CS&C. \nThese personnel assist in the execution of CNCI and provide integral \ntechnical and operational expertise to the Department as we build our \ncapacity and capabilities. It is a true team effort. More broadly, NCSD \nthrough United States Computer Emergency Readiness Team (US-CERT) \ncoordinates and shares incident information with law enforcement, the \nintelligence community, as well as other key stakeholders.\n    DHS is committed to advancing the resiliency of the government's \ncyber posture to better secure Federal Executive Branch civilian \nsystems. DHS has a number of initiatives under way that I will discuss \nwith you today. Before I move onto the initiatives, let me emphasize, \nfor the record, privacy and civil liberties considerations are at the \ncenter of our efforts. Protecting privacy and ensuring the proper use \nof personally identifiable information is not just a priority; it is \nrequired by law and something we take very seriously.\n\nSecuring Our Federal Networks\n\n    US-CERT has been identified by the Office of Management and Budget \n(OMB) as the central federal information security incident center \nrequired by the Federal Information Security Management Act of 2002 \n(FISMA) and serves as the operational center for the security of \ncyberspace of Federal Executive Branch civilian networks and CIKR \nnetworks. Agencies report incidents to US-CERT, including the \nidentification of malicious code, denial of service, improper usage, as \nwell as incidents that involve Personally Identifiable Information \n(PII). Operating a 24/7/365 operations center, the US-CERT is the lead \nentity in the national effort to provide timely technical assistance to \noperators of agency information systems regarding cybersecurity \nincidents. 
In this capacity the US-CERT guides agencies on detecting \nand handling information security incidents, compiles and analyzes \ninformation about incidents that threaten information security, and \ninforms operators of agency information systems about current and \npotential information security threats, and vulnerabilities.\n    US-CERT, working with OMB, is building additional capacity to \nfulfill its responsibilities under FISMA, as well as to better protect \nthe Federal Executive Branch civilian systems and networks or ``.gov.'' \nAs a means of securing these networks, DHS is focused on implementing \nthe Trusted Internet Connection (TIC) Initiative, which is led by the \nOffice of Management and Budget. In addition, DHS is enhancing its \nEINSTEIN system, an intrusion detection capability, and deploying it at \nTICs across the Federal Government and at Networx Managed Trusted \nInternet Protocol Service (MTIPS) locations. Both of these programs \nsupport the efforts of the US-CERT--our 24/7/365 operations center that \nprovides early watch, warning, and detection capabilities that enable \nus to more swiftly to identify and respond to malicious activity and to \ncoordinate with our public and private sector partners.\n    The TIC initiative is a multi-faceted program which seeks to \nimprove the U.S. Government's cybersecurity posture and build capacity \nto respond to incidents by reducing and consolidating the number of \nexternal connections which Federal Executive agencies have to the \nInternet. The multitude of external access points gives our adversaries \ntoo many avenues to seek out vulnerabilities and exploit potential \nsecurity gaps in our networks. By limiting the number of entranceways \ninto our networks to a smaller number, we can better monitor traffic \nentering and exiting the network and more rapidly identify when it is \npenetrated by an attacker.\n    During this process, the U.S. 
Government has learned a great deal \nabout the federal networks. We initially identified more than 4,500 \nexternal access points, including Internet points of presence, across \nthe Federal Government. Over the past year, departments and agencies \nhave reduced that number. While it is important for the government to \nreduce external access points, we also must ensure configuration \nmanagement of the technical architecture. Through the DHS-led multi-\nagency TIC technical working group, comprised of TIC Access Providers, \nwe are working to develop and implement a standard technical \narchitecture for perimeter security which is tested through the DHS TIC \ncompliance validation process.\n    Consolidating external connections and configuration management are \nthe first step to creating a front line of defense. As we reduce \nexternal connections, we will deploy the EINSTEIN system at those TIC \nlocations. This will allow us to more effectively analyze activity \nacross Federal Executive Branch civilian networks. The EINSTEIN system \nhelps to identify unusual network traffic patterns and trends that \nsignal unauthorized network activity, allowing US-CERT to identify and \nrespond to potential threats. DHS installed the first TIC on its own \nnetwork and deployed the upgraded EINSTEIN 2 system. We will be using \nthe lessons learned from our implementation process to assist other \ndepartments and agencies as we continue to build more TIC locations and \ninstall more EINSTEIN 2 systems.\n    In addition to installing the EINSTEIN 2 system on DHS's network, \nwe created the National Cybersecurity Protection System (NCPS) to \ncreate the framework under which EINSTEN 2 and future upgrades will be \ndeveloped and deployed. 
NCPS is part of the overall formal acquisition \nprogram developed to enable the acquisition of technology that supports \nthe NCSD mission including US-CERT and CNCI-related tasking.\n    NCPS supports the acquisition and deployment of EINSTEIN 2. We have \ncreated a plan for EINSTEIN 2 deployment that includes four phases each \nwith the following status:\n\n        <bullet>  Phase 1--DHS Deployment: Deployment is complete and \n        operating at initial operating capability.\n\n        <bullet>  Phase 2--Deployment at five selected Departments or \n        Agencies: Deployment has been completed and DHS expects initial \n        operating capability at these locations in June 2009. Technical \n        discussions for deployment and installation of the EINSTEIN 2 \n        system at the final Phase 2 location are ongoing.\n\n        <bullet>  Phase 3--Deployment at Networx/MTIPS Vendor Sites: \n        Conducted technical discussions with each of the Networx/MTIPS \n        contract awarded vendors. As the vendors complete their \n        technical architectures, DHS is providing the EINSTEIN 2 \n        capability and working with departments and agencies on \n        implementation. DHS has commenced installation activities with \n        one MTIPS awarded vendor.\n\n        <bullet>  Phase 4--Deploy to remaining Single Service TIC \n        Access Provider Departments or Agencies: Technical discussions \n        have begun with some of the remaining agencies. Deployments \n        will occur as these agencies become more technically stable in \n        their TIC implementations.\n\n    In the future, NCPS will provide US-CERT analysts with an automated \ncapability to better aggregate, correlate, and visualize information. \nIn addition, DHS envisions developing an Intrusion Prevention System, \nEINSTEIN 3, for Federal Executive Branch networks and systems. 
The \nsystem once fully deployed will provide the government with an early \nwarning system and situational awareness, near real-time identification \nof malicious activity, and a more comprehensive network defense.\n    Together, TIC's reduction of Internet access points and EINSTEIN's \nsituational awareness capabilities are examples of two of DHS's key \ninitiatives designed to secure federal networks. The eventual expansion \nof the EINSTEIN system, to include intrusion prevention, will create an \nenvironment that will make it more difficult, more time-consuming, and \nmore expensive for our cyber adversaries to reach our federal networks.\n    US-CERT is also taking additional steps to improve its capabilities \nand better protect the federal enterprise in response to the growing \nthreat. We recently hired additional personnel to advance US-CERT's \ncapacity to improve information sharing and help government and \nindustry analyze and respond to cyber threats and vulnerabilities. This \nwill further enable us to respond more rapidly and mitigate damage when \nattacks do occur. Work is also ongoing to improve collaboration with \nfederal departments and agencies. For example, US-CERT recently \ndeveloped the Joint Agency Cyber Knowledge Exchange (JACKE) to improve \nsituational awareness and recommend actions for federal agency security \noperation centers. We are actively looking to expand the participation \nof the JACKE program to include all 26 major departments and agencies.\n    Working with the National Institute of Standards and Technology, \nDHS has established the U.S. National Vulnerability Database, the \ngovernment's repository of standard reference data on computer \nvulnerabilities. 
Its data is built upon the NIST Security Content \nAutomation Protocol which enables NVD data to be used by commercial \nproducts for standardization and automation of vulnerability \nmanagement, measurement, and technical policy compliance checking.\n\nDefending Against a Full Spectrum of Threats\n\n    Globalization of the commercial information and communications \ntechnology marketplace provides increased opportunities for those bent \non doing the United States harm by penetrating our supply chain and \npoisoning critical software and hardware. We need to make sure that \nproducts do not contain malicious code embedded in hardware or software \nthat could compromise our systems and help our adversaries gain \nvaluable national security information or disrupt our networks. Thus, \nit is imperative that we work towards a stronger supply chain defense \nto reduce the potential for adversaries to manipulate our information \ntechnology and communications products before they are installed.\n    Protecting U.S. Government networks through global supply chain \nrisk management requires a multi-pronged approach. DHS and the DOD have \nformed a partnership to coordinate supply chain risk management (SCRM) \nactivities in the government. DHS has taken responsibility for non-\nnational security related systems, while DOD is responsible for \nnational security systems. Addressing this risk requires greater \nawareness of threats, vulnerabilities, and consequences. It will also \nrequire sound acquisition policies and practices, and will require the \nadoption of supply chain and risk managements standards and best \npractices. 
We are working with the National Institute of Standards and \nTechnology and several other agencies towards the long-term goal of \nenhancing Federal Government skills and capabilities, and to provide \ndepartments and agencies with the necessary tool sets to better manage \nand mitigate supply chain risk.\n    The DHS SCRM Program will improve our capabilities through \nconducting SCRM pilots and establishing formal working groups within \nthe government and private sector to inform program activities. The \nprogram is structured to meet requirements through testing, \ncounterintelligence risk methodologies, best practices, controls, and \nother elements of supply chain risk management. Finally, enhancing our \npublic-private partnership is essential, as the Federal Government \ncannot by itself ensure the integrity of the supply chain.\n\nLeveraging/Partnerships\n\n    Key to succeeding in protecting our cyber infrastructure is \ncollaboration with the private sector. As previously noted, most of our \ncritical infrastructure and the Nation's cyber networks are owned and \noperated by private industry. Thus, a comprehensive, holistic \ncybersecurity strategy cannot be successful without an intensive \nengagement and collaboration with the private sector. Both government \nand private sectors have much to gain from working and sharing \ninformation with one another. The creation of a strong partnership \nbetween these two sectors will help greatly in securing our cyber \nsystems.\n    One of the initiatives under the CNCI was dedicated to improving \nprotection of privately owned critical network infrastructure through \npublic private partnership (Project 12). This is one of the ways DHS is \ntrying work with the private sector to improve and institutionalize \ninformation sharing. 
As a part of this initiative, we are also looking \nto increase our public-private information sharing and coordination \nefforts and are engaging in discussions with the private sector to \nencourage collaboration with the business community nationwide. These \ndiscussions serve as information forums for businesses to better \nunderstand the cyber threats identified by government and for \ngovernment to understand better the private sector's prodigious \ncybersecurity capabilities. This bi-directional information flow is \ncrucial. DHS is also working to leverage the good work that DOD has \ndone with the defense industrial base sector to increase actionable bi-\ndirectional information sharing of real and usable information with \nother sectors.\n    State, local, tribal governments and international communities also \nplay crucial roles in improving the U.S. cybersecurity posture. \nRecognizing the contributions that can be made by leveraging such \npartnerships, DHS is working with all levels of government across the \nNation to help increase awareness regarding cybersecurity and related \npreparedness and response issues. Specifically, DHS provides technical \nand operational assistance to State cybersecurity partners to assist in \nplanning and executing cyber exercises. To expand this effort, NCSD is \ndeveloping a repeatable cyber exercise assistance program that will be \ndeployed to assist states with their cyber exercise needs. This program \nwill include background and educational materials, the potential for a \n``train the cyber exercise trainer'' program, staff and technical \nassistance with developing and executing exercises, as well as tools \nand resources to build upon past exercise efforts, and to integrate \ninto future efforts such as the Cyber Storm Exercise series.\n    Cyber threats do not stop at traditional physical boundaries, so \nDHS collaborates with the international community to manage global \ncyber risk. 
In coordination with the our federal partners, we are \nengaging both with multilateral organizations and in multilateral \nforums, such as the European Union, the Group of 8, and the Meridian \nConference, to enhance information sharing and situational awareness, \nimprove incident response capabilities and coordinate on strategic \npolicy issues.\n\nCybersecurity Workforce Education: Improving and Maintaining Our \n                    Workforce\n\n    In addition to being responsible for advances in our cybersecurity \nposture, DHS is working with other agencies to develop a plan for the \nretention of a skilled, trained workforce. Our adversaries are skilled \nand motivated, requiring us to constantly stay one step ahead of their \nactions. In order to address cybersecurity challenges, we need to build \nthe next generation of our cybersecurity workforce that will help us \ndevelop a competitive advantage. Thus, we are focusing our resources on \neducation and training of our current workforce, as well as recruiting \nnew talent in order to develop a world-class workforce. DHS is also \nencouraging university programs and providing scholarships to promising \nstudents.\n    DHS believes that workforce development is critically important to \nour cybersecurity mission. DHS is actively recruiting and looking to \nfill new cybersecurity positions at NCSD. These positions range from \nentry level to management. For example, increases to US-CERT's staff, \nas DHS's watch and warning center, greatly enhance its ability and \ncapacity for preparedness and response activities. We are actively \nrecruiting for these open positions in order to improve our \ncapabilities and expand our core leadership team.\n    Beyond the government domain, DHS is focusing its efforts on \nproviding individuals within the cybersecurity sector of private \nindustry with a baseline set of cyber skills. 
To achieve this, DHS \nworked across the public and private sector to develop the first \nInformation Technology Security Essential Body of Knowledge to provide \nthe cybersecurity community with the baseline skills and knowledge all \ninformation technology security professionals should possess to \nsuccessfully perform their jobs. Cybersecurity is the responsibility of \nus all. Thus, we are striving to minimize our cyber gaps and \nvulnerabilities through both top-down and bottom-up approaches.\n    As part of our shared responsibility, we cannot simply focus on the \npresent. We must also look to the future. This requires us to not only \nshape the workforce, but the community of computer users as well. \nCybersecurity and cyber safety are learned behaviors, and we need to \nteach children how to be secure online. Here we are building from the \nground up. By teaching children skills at a young age, we are laying \nthe foundation from which our future cybersecurity workforce will come, \nwhile simultaneously improving our cyber defense. DHS is working with \nthe National Cybersecurity Alliance (NCSA) to make this vision a \nreality. In addition to ongoing work with the K-12 community, the NCSA \nrecently launched its Cybersecurity Awareness Volunteer Education (C-\nSAVE) Project. This program encourages security professionals to put \ntheir knowledge and expertise to work in their local schools and help \nfill a tremendous gap in educating young people to use the Internet \nsecurely and safely. We are very pleased to be working with the NCSA on \nthis program as this is a crucial endeavor to ensure the continued \nsuccess and advancement of our cybersecurity mission.\n\nWhite House Cyberspace Policy Review\n\n    On February 17, 2009, President Obama initiated a White House \nCyberspace Policy Review of cybersecurity policies and issues affecting \nthe Nation. 
On May 29, 2009, the results of that review were published \nby the White House in a report entitled Assuring a Trusted and \nResilient Information and Communications Infrastructure. The review \nsolidified the priority that the Administration places on improving the \nNation's cybersecurity, and DHS will continue to have a key role as the \nlead agency for securing Federal Executive Branch civilian networks and \ncollaborating with the private sector to enhance the cybersecurity of \nnon-Federal CIKR networks.\n    DHS will have a significant role in several near-term actions \noutlined in the report, including updating the national strategy, \nstrengthening international partnerships, increasing public awareness, \nand preparing a national response plan for cyber incidents. These near-\nterm actions will enable DHS in collaboration with its government and \nindustry partners to continue to address the growing and evolving cyber \nthreat. Additionally, the operational goals of the comprehensive \nnational strategy will include better coordination, response, recovery, \nand mitigation capacity across all stakeholder communities.\n\nConclusion\n\n    The cyber threat is rapidly growing and evolving. As the Nation \nbecomes ever more dependent upon cyber networks, we must address \ncybersecurity swiftly and surely. Overcoming new cybersecurity \nchallenges is a difficult task requiring a coordinated, focused \napproach to better secure the Nation's information technology and \ncommunications infrastructures. Accordingly, DHS is actively working \nwith its federal partners to secure the ``.gov'' domain by implementing \na holistic strategy for securing our civilian networks and systems.\n    Through government-wide programs such as TIC and EINSTEIN, we are \nenhancing the government's cybersecurity posture by reducing the number \nof external connections, including connections to the internet, while \nimproving our detection and response capabilities. 
We are also striving \nto create a strong supply chain defense and develop an enduring, robust \nworkforce.\n    It cannot be over-emphasized that, while DHS is focused on \ndeveloping the necessary analytical, response, and technical \ncapabilities to create a comprehensive network defense to secure the \nNation's CIKR, we are not in this alone. A truly comprehensive cyber \nstrategy requires an open partnership with the private sector, and it \nis in this arena that we are continually working to advance our \nmission. Everyone plays a role in cybersecurity, from the Federal, \nState, local, tribal and international governments to the private \nsector to the citizens who access computers for personal use. DHS is \ncommitted to its cybersecurity mission and will continue to reach out \nto these parties to promote cyber awareness, identify best practices, \nmitigate risks and improve its ability to respond to cyber incidents. \nThe Department is also actively pursuing avenues to further \ncollaboration and information sharing with these partners. The \ndevelopments DHS has made in strengthening federal systems, enhancing \nour operational cyber response capabilities, and strengthening the \npublic-private partnership have been significant, but we are committed \nto doing more.\n    Thank you for your time today. I appreciate the opportunity to \ndiscuss the Department's efforts in advancing our cybersecurity posture \nand increasing our security of federal networks. I will be happy to \nanswer any questions from the Subcommittees.\n\n                     Biography for Peter M. Fonash\n    Dr. Peter M. Fonash is currently the Chief Technology Officer for \nthe Department of Homeland Security's Assistant Secretary for CS&C. He \nassumed the additional duty of Acting Director of NCSD on 16 March \n2009. He has been a member of the Senior Executive Service since 1998.\n    Prior to this appointment, Dr. 
Fonash was Deputy Manager and \nDirector of the National Communications System (NCS), serving nine \nmonths as the acting Deputy Manager, and then becoming the full-time \nDirector in April 2005. From 1998 until July 2004, Dr. Fonash was \nChief, NCS Technology and Programs Division. He managed priority \ncommunications services technology development, network modeling and \nanalysis, specialized telecommunications research and development, and \npriority services standards.\n    Before arriving at the NCS, Dr. Fonash served as the Chief with the \nDefense Information Systems Agency Joint Combat Support Applications \nDivision, providing technical software integration services to the \nfunctional communities and guiding functional applications' compliance \nwith the standard common operational environment. He also worked for \nthe Office of the Assistant Secretary of Defense for Command, Control, \nCommunications and Intelligence, and was responsible for Defense \ncommunications infrastructure policy and program oversight. He was also \nChairman of the Office of the Secretary of Defense Information \nTechnology (IT) Architecture Council.\n    From 1986 to 1994 Dr. Fonash held various Defense Information \nSystems Agency (DISA) technical positions, including Director of \nTechnology, and Chief of the Advanced Technology Office. He wrote \nDISA's strategic plan and managed the development of the Technical \nArchitecture for Information Management--the forerunner of today's \nEnterprise Architecture.\n    Before joining the Federal Government, Dr. Fonash worked for AT&T \nand the Burroughs Corporation (Unisys).\n    Dr. Fonash has a Bachelor of Science in Electrical Engineering and \na Master of Science from the University of Pennsylvania, a Master of \nBusiness Administration from the University of Pennsylvania Wharton \nSchool, and a Doctor of Philosophy in Information Technology and \nEngineering from George Mason University. His Ph.D. 
dissertation was on \nsoftware reuse metrics.\n\n                               Discussion\n\n    Chairman Lipinski. Thank you, Dr. Fonash. We will now move \nonto questions. Chairman Wu is down there. I am not sure if you \nwant to take back the Chair here or lead off with questions or \nshall I go?\n    Chairman Wu. Go ahead.\n    Chairman Lipinski. Okay. This Chair will recognize himself \nfor five minutes to lead off with the questions. Dr. Wing, you \nknow, I was there yesterday at NSF and met with Dr. Bement and \nthe AD's. Some of these things that I am going to ask about are \nnot going to be a surprise to you or anyone actually who knows \nmy background as a social scientist. I brought up in my opening \nstatement that one of the most important things that I think is \noften overlooked and probably the weakest link that we have \nright now for cybersecurity is the general population.\n    Now, I want to lead off by asking, what is NSF doing right \nnow in terms of research? What research is being funded by the \nNSF or where are you trying to search out for research that \ninvolves social science aspects of cybersecurity and \nfacilitating collaboration between social scientists and \ncomputer scientists?\n    Dr. Wing. Thank you for your question. 
It gives me an \nopportunity to speak about the Trustworthy Computing program \nwhich is one of the things I wanted to do when I got to the \nNational Science Foundation, was to actually broaden the scope \nof what we were doing in cybersecurity to make sure to include \ntopics like privacy and usability, which absolutely includes \nunderstanding social science and how humans behave, how \norganizations behave.\n    And so one of the things we specifically did was to broaden \nthe scope of our Cyber TRUST Program to include privacy and \nusability, to work with our social science colleagues to make \nsure that, for instance, we have reviewers from their \ncommunities looking at proposals that speak directly to these \nkinds of issues. In fact, cybersecurity is of course not just \nsecurity, reliability, privacy, and usability. It is not just \nthe technical issues that all of us scientists and engineers \nlike to address, but there are much broader issues like legal \nand ethical which, if you look at the whole problem, we really \nneed expertise from both the scientific and engineering \ncommunities as well as these less-technical communities.\n    So we are very much keen at the National Science Foundation \nin looking at the broader picture.\n    Chairman Lipinski. Thank you, Dr. Wing. I want to throw out \na general question for each one of you actually going along \nthese lines to tell me what rules do you have at your agency, \nwhat type of education do you do for your employees so that \nthey do not wind up practicing bad computer hygiene at the \nagency? So we will start with Ms. Furlani. Tell me if there is \nanything that you do along those lines for your employees.\n    Ms. Furlani. Well, of course, because we write the \nstandards for the Federal Government, we expect our employees \nto live up to a higher standard. 
So we do work very diligently \nwith our Chief Information Officer to ensure the understanding \nof what needs to be accomplished to protect the systems and the \ncitizens that are interacting with us are deployed \nappropriately into the staff. It is something that we pay a lot \nof attention to in probably a more unique situation than \nothers.\n    Chairman Lipinski. Actually, I have a friend who works for \nNIST who was going around to places where you can get your \npictures printed up. He was trying to get to see where he could \nfind a certain--I don't know if it was a virus or what exactly \nit was, but he was trying to find places where he could pick \nthat up because he knew that this was going around to just get \na better handle on all of this. Thank you. Dr. Wing.\n    Dr. Wing. Yes, at NSF we have a Secure Information \nTechnology Awareness Program. Every single NSF employee is \nrequired to go through a training every year, and it covers all \nthe topics from how to choose a good password to shutting down \nyour machine to make sure that screens with confidential \ninformation are not displayed and so on. And there are policy \ndocuments about this thick that everyone is expected to read. \nSo we have a very serious--we take security very seriously, and \neveryone goes through this training program.\n    Chairman Lipinski. Dr. Leheny.\n    Dr. Leheny. DARPA is a relatively small agency with under \n200 government employees. We have a large number of contractors \nthat work within our environment. We have no formal training \nprogram with regard to computer security, but as an agency \nwithin the Defense Department, our computers are a part of a \nlarger enclave that is monitored very closely. We have a very \nrobust information resource directorate that is available to \nhelp people work their way through problems they might be \nhaving with their computers. 
And so far we have been successful \nin locking large numbers--as you might imagine, our computer \nsystem is regularly under attack, and we have had good success \nat preventing those attacks from having any adverse effect on \nthe operations of our computers.\n    Chairman Lipinski. Thank you, Dr. Leheny. Dr. Fonash.\n    Dr. Fonash. Yes, sir. Thank you. First of all, we follow \nall the FISMA best practices, and we closely follow FISMA. Our \nCIO is the person responsible for making sure those things are \nimplemented across our department. We also are very much into \nsecurity awareness training, and we annually require people to \ntake security awareness. In fact, I have to take that tonight \nwhen I get home.\n    We also have to sort of eat our own dog food in the sense \nof what we do is again, I mentioned the TRUST Internet \nconnections, and we actually have two TRUST Internet \nconnections and we are moving to have all our network traffic \ngo through those trusted Internet connections. And we have a \nclose relationship between our security operations center and \nour US-CERT. Thank you.\n    Chairman Lipinski. Thank you. My time is expired. I will \nnow recognize Mr. Smith.\n    Mr. Smith. Thank you, Mr. Chairman. For Dr. Fonash, if we \ncould maybe discuss a little bit the prioritization of the \ndefenses, and with the deployment of EINSTEIN I know that \napproximately five agencies right now have already been \ndeployed with EINSTEIN, is that correct?\n    Dr. Fonash. We have deployed. The systems are not \noperational yet. We are actually right now in the process of--\nthere are several agreements that have to be set up. There is \nthe service-level agreement, there is a memorandum of \nunderstanding. So those have to go through legal reviews, and \nin particular we have to address privacy issues. So we actually \nphysically have those things established at those locations, \nbut we are working the legal issues at this point in time.\n    Mr. Smith. 
And then following will be eventually all \nagencies?\n    Dr. Fonash. Well, the idea is we are doing it in phases. \nWhat we are doing, first of all, is we are doing it at DHS, and \nthat is one of the five agencies I included. And then we are \nworking now with Justice, Department of Agriculture, and State \nDepartment and NASA in terms of deploying trusted Internet \nconnections, actual, the physical EINSTEIN devices to those \nlocations. We have also worked with GSA, and we actually put on \ncontract, we actually made contract modifications working with \nGSA on the networks contract, and now agencies can go to the \nnetworks contract and get those services, trusted Internet \nconnection services, from the networks contract vehicle. And so \nwe are actually working with the carriers right now, AT&T, \nSprint, Verizon to get them so that they can provide the \ncapabilities. For example, they have to have a secure facility \nto do this trusted Internet connection. So right now the \ncarriers are working those particular instances of what \nequipment they need to put in place so they can offer those \nservices.\n    So that will be available to any agency that wants to do \nthat. And then our next phase would deploy at 25 additional \nagencies and then the rest at some future point in time.\n    Mr. Smith. And so can you speak to the prioritization and \nperhaps the need to deploy with every single agency?\n    Dr. Fonash. I think that clearly the larger the agency and \nthe more--you know, beauty is in the eye of the beholder, sir. \nSo let me say that. So each agency has to make its own \ndetermination how important it feels its need to get this \ntrusted Internet connection. We clearly at DHS have moved \nforward and actually have installed trusted Internet \nconnections. 
In addition to that, we believe that State and \nJustice and NASA and Department of Agriculture, key locations \nthat needed those trusted Internet connections, and then we \nhave made available to anyone who feels that they have the need \nto immediately move to those contract vehicle. Those contract \nvehicles will be available and actually the services will be \noffered to use those capabilities through the networks \ncontract, and that is the determination by those individual \nagencies as they want to move toward that capability.\n    And then we have a list of 25 other agencies that we can \nprovide to you if you wish in terms of what we feel are the top \n25----\n    Mr. Smith. Okay. Thank you.\n    Dr. Fonash.--beyond that.\n    Mr. Smith. Relating to privacy, I appreciate the fact that \nthe President said, with emphasis, that he would seek not to \ninclude monitoring the private sector networks or Internet \ntraffic. Then in the New York Times last Saturday stated that \nsenior Administration officials have admitted those assurances \nmay be challenging to guarantee and practice and that some \nAdministration officials have begun to discuss whether laws or \nregulations must be changed to allow law enforcement, military \nor intelligence agencies greater access to networks or Internet \nproviders when significant evidence of a national security \nthreat was found. So I mean, maybe it is easier said than done \nto say that no private sector networks or Internet traffic \nwould be included in this.\n    How would you respond?\n    Dr. Fonash. What we do is because of the capabilities that \nwe have with EINSTEIN we are actually able to--we do not track \nthe individual personal part of the messages. What we do is we \ndrop that and what we do is we track information, what is \ncalled header information, basically the information, where it \ncame from, where it is going to, and we also will look at--if \nwe also recognize code, we will have patterns. 
A particular \ncode, a particular program has certain pattern, a bit pattern \nin it, so you are able to actually recognize for example \nmalware. So if you have Conficker traffic or some type of \nmalicious code going past, you can actually recognize what is \ncalled the signature of that and pick that up. But for example, \nwe wouldn't get into the privacy of a person's e-mail unless \nthere was some issue, a national security issue, or something \nlike that. But clearly what you can do is protect the privacy \nby looking at the header information, and there will be issues \nabout PKI capture as we go forward, but we will address that. \nWe will make sure we are doing that linked up with the privacy \npeople, you know, making sure we are protecting the privacy of \nthe individual.\n    Mr. Smith. And do you suggest any legislative or regulatory \nchanges?\n    Dr. Fonash. I think that is something that needs to be \naddressed as we go forward. At this point in time, I cannot \nrecommend it.\n    Mr. Smith. You do not recommend it?\n    Dr. Fonash. I would not be one to say yes or no at this \npoint in time. I think that is an issue that needs further \nstudy.\n    Mr. Smith. Okay. Thank you.\n    Chairman Wu. The gentleman from New Mexico, recognized for \nfive minutes.\n    Mr. Lujan. Mr. Chairman, thank you very much. I know that I \nread a lot in the testimonies about the need for coordination. \nIf you could briefly touch upon how you were together, how the \ncoordinating is working. If it is not working, what suggestions \nyou may have, and also if any of you worked directly with any \nof the expertise that we have within any of our NNSA \nlaboratories.\n    Dr. Wing. So let me take that question on coordination. 
The \ncoordination happens at all levels, and the best coordination \nhappens in fact at the lowest level or with the technical \npeople, at different agencies working together, informing each \nother about what each agency does in terms of what we fund, \nwhat we actually do. So we have program directors who talk to \neach other at the different agencies, and we coordinate things \nlike running joint workshops to reach the academic community, \nthe private sector jointly, and that coordination works \nbeautifully from my perspective.\n    We also have more formal techniques for coordination. For \ninstance, NITRD, Networking Information Technology Research and \nDevelopment Program, and specifically we have been overseeing \nthe senior steering group of the CNCI, the National Cyber Leap \nYear that is happening right now, and we are working very well \ntogether on that.\n    Let me also say as far as NSF goes, in working with other \nagencies like DHS and DARPA, we are actually working together \non deploying cybersecurity testbeds. A couple of the testbeds \nthat we jointly support with the other agencies, like DHS and \nDARPA, are actually starting points for DARPA's cyber range. So \nI think we coordinate quite well together.\n    Mr. Lujan. Dr. Wing, do you work at all with any of the \nexpertise at any of our NSA laboratories, that you are aware?\n    Dr. Wing. They contribute to NITRD.\n    Mr. Lujan. To which?\n    Dr. Wing. NITRD.\n    Mr. Lujan. And what is NITRD?\n    Dr. Wing. The Networking Information Technology Research \nand Development program.\n    Mr. Lujan. Okay.\n    Dr. Wing. It is a coordination--an organization that \ncoordinates over 13 federal agencies on networking information \ntechnology and research and development.\n    Mr. Lujan. Okay.\n    Dr. Leheny. I would support Dr. Wing's comments about how \ncoordination occurs largely at the program manager working \nlevel. 
As you may be aware, DARPA is an agency that does almost \nall of its research activities outside the Agency by contract. \nOver 90 percent of our budget goes out as contracts to \nindustry, academia and federal laboratories. Specifically, \nSandia, for example, is an active participant in many of our \nprograms including the National Cyber Range Development that I \nspoke about in my oral testimony. I would like to point out \nthat innovation and creativity in research is an individual \nproperty or characteristic of individuals, and it is not a type \nof activity that works well when it is driven from above. I \nlike to characterize DARPA as a bottoms-up organization. It is \nnot the case that I wake up in the morning and come into work \nand ask my secretary to send me a program manager to manage \ngreat ideas I had overnight. Rather, it is the case that I \narrive at work, open my e-mail and find that one of my program \nmanagers is trying to get on my calendar to come and tell me \nabout his or her great idea. And it is in that way that new \nideas, new programs, are created.\n    Of course, in order to support the argument for creating a \nprogram, a program manager has to reach out to other workers in \ntheir particular field in order to be able to put together a \ncase for why a particular program should be started and \nexecuted, relying solely on their own internal creation of the \nprogram idea. It is usually not a good way to make a convincing \ncase. You want to draw on as wide a body of people familiar \nwith the technology and the challenges that the program is \ngoing to address that you possibly can in order to make the \nstrongest case that you can.\n    Mr. Lujan. Thank you, Mr. Chairman. As my time expires, I \nwant to see if I may be available, if time permits, for a \nsecond round of questions. I would like to still look a little \nbit more into the true collaboration with the NNSA \nlaboratories. 
Not too long ago we did include an amendment to \nNITRD to include our national laboratories because there was a \nconcern that maybe we weren't using the coordination as much as \nwe should have been in the past. And so I would like to explore \na little bit more and specifically pin down to the expertise \nthat does exist within NSA with the attacks that they \nexperience on a regular basis and then a few other questions I \nmay have. So thank you very much, Mr. Chairman.\n    Chairman Wu. Very good. We will come back to the gentleman.\n    Now, the gentleman from Michigan, Dr. Ehlers, is recognized \nfor five minutes.\n    Mr. Ehlers. Thank you, Mr. Chairman. And I have a question \nfor Dr. Wing, although any of you could try to answer it if you \nwish. But I was surprised to discover approximately six months \nago that the number of students in colleges and universities \ndeciding to major in computer science has gone down \ndramatically and also that there is not that much interest in \nhigh schools in getting involved. Everyone likes to play with \ntheir computer, but not very many are saying I would like to do \nthis and build a better computer some time in my life. Since \nyou are at NSF, you have access to all this data. What is \nhappening? Is the enrollment continuing to be down? I raise \nthis in the context of this hearing because if we are not \nproducing the right people, we are not going to get anywhere \nwith our discussions on cybersecurity, and particularly \nimplementation of new ideas and new approaches. Could you \nenlighten me on that?\n    Dr. Wing. Yes, thank you very much for that question. It is \na concern, of course, at the National Science Foundation and my \ndirectorate about the decline in enrollments in the computer \nscience undergraduate level. We had seen a decline for the past \nfew years, primarily because of the dot-com bust and other \nworries. 
But fortunately, this past year we actually saw an \nuptick, and the community at large is much more optimistic now \nabout seeing the enrollments go back up. So we are crossing our \nfingers and hoping that that will be a trend, a positive trend.\n    I do share your concern that we are not producing enough \ntrained and educated students in computing, not just because \nthey are likely the ones to be designing and building next \ngeneration information technology systems that we are all going \nto enjoy using on a daily basis, but we are working as a \ncommunity to try to increase the pipeline to increase--to \nimprove how it is we project what computer science is so that \nwe can attract the best and brightest to the field.\n    Mr. Ehlers. I hope you are successful. It looks like Dr. \nLeheny would like to make a comment, too.\n    Dr. Leheny. Yes. Thank you very much for this opportunity. \nDARPA has no specific charter to advance undergraduate or below \neducation. However, we have two programs that I would like to \ninform you about that I think are attempting to overcome some \nof the issues that you raise.\n    The first program is one we call Computer Science Study \nGroup. It is a program targeted to untenured, young faculty \nmembers in computer science, and it is a three-year program. \nOver the period of three years the support level for the \nindividual in the program could reach as much as a million \ndollars, and as part of the program, we bring these individuals \nonto military installations and expose them to specific areas \nof interest to the Defense Department in the hope that we can \nencourage them to think about their research agenda in terms of \nsolving the kinds of problems that the Defense Department has \nto deal with.\n    Currently, with the three-year program, as I mentioned, we are \nbringing in about ten untenured faculty into the program each \nyear. We currently have about 30 in the program. 
As you may be \naware, a few years ago, we ran a series of what we called grand \nchallenges which were targeted to demonstrate the ability of \nunmanned automobiles to navigate through difficult terrain. We \nfound that there was an enormous amount of interest among \nstudents in that program and in participating in that program. \nAnd so we asked in our budget last year for a modest amount of \nfunds, on the order of a couple million dollars, to create a \nspecial program that would reach out to high school students, \nparticularly students interested in things like robotics in an \nattempt to stimulate interest among students and the kinds of \nproblems that we have to deal with. Thank you.\n    Mr. Ehlers. Also the robotics FIRST program is----\n    Dr. Leheny. Yes, that is one of the groups that we expect \nto be supporting.\n    Mr. Ehlers. Dr. Wing, you have something else?\n    Dr. Wing. Yes, Mr. Ehlers. I forgot to mention one of the \nprograms that my directorate runs is called CPATH, and it was \nrecognized in fact by the 60-Day Cyberspace Policy Review as a \nway to again address a problem that you are concerned about, \nattracting the best and the brightest to computer science. And \nthe whole notion of the program is to really revitalize the \nundergraduate curriculum in computer science. And one of the \nthings I am very keen on doing is to actually do outreach to \nthe K through 12 level because I do believe that it is \nincreasing the pipe even before they get to college to explain \nwhat computing is all about and to get them into the field. So \nI wanted to mention the CPATH program. Thank you.\n    Mr. Ehlers. Well, that is good. Thank you. And I try to do \nmy part. 
As members of Congress, we get invited to speak in \nschools regularly, and whenever I speak in high schools I \nalways tell the students they have to choose their subjects \nvery carefully and they should not overlook math and science \nbecause when they get out and start looking for a job, they \nwill discover that they will either be a nerd or work for a \nnerd and ask which they would prefer doing. And of course, they \ndon't believe that, and then I simply ask them who is the \nrichest man in the world? And finally the light starts to dawn \na bit.\n    But you know, they just haven't heard this. They don't \nrealize it. They don't understand the possibilities. They may \nlove to play with their computer, even to do esoteric things \nwith it. But the thought of doing that as a career doesn't \nalways cross their mind, probably because they don't have a \ncontact with people who do that on a regular basis.\n    Thank you very much. I yield back.\n    Chairman Wu. Thank you, Dr. Ehlers. The National Science \nFoundation has data that indicates you are having success in \nyour efforts.\n    The gentleman from New York, recognized for five minutes.\n    Mr. Tonko. Thank you, Mr. Chair. Dr. Wing, the investments \nthat are made long-term wise in cybersecurity research by our \nFederal Government and certainly by the private sector can bear \ngreat benefits. How do you see us or NSF facilitating and \nencouraging the transfer of research from academia into that \nequation?\n    Dr. Wing. Well, this is a very good question because it is \nspecifically relevant for cybersecurity, obviously. Academics \ncan do their research, write their papers, produce students, \nand so on, but what really matters in the end is protecting and \nsecuring our cyberspace. 
And if the private sector owns most of \nthat, then there has to be this more engagement between the \nacademic community and the private sector.\n    NSF, as I mentioned, through the Science and Technology \nCenters that we run here and the Cyber TRUST Centers that NSF \nsupports, has direct connections to industry. There are \nindustrial partners who serve on the advisory boards on all of \nthese centers and also--so they are formal mechanisms that we \nhave. Even the large awards that we grant through the PIs or \nour normal programs, often those PIs will have connections to \nindustry.\n    It goes without saying that a lot of the researchers, \nespecially in cybersecurity, want to see that their research \nideas are relevant and can help. And so they have a personal \nmotivation to actually work with industry. Some of the \ntechniques just get out there immediately. So for instance, one \nof the results recently has been in developing secure web \nbrowsers. And so now one of the open source web browsing \ncompanies has picked up those techniques immediately. A part of \nit is because many of the researchers have personal contacts in \nindustry, and these kinds of things transfer informally but \nquickly.\n    Another mechanism that is not formal but very useful is \nmany of the students, graduate students, that are funded \nthrough NSF often take summer internships at companies like \nGoogle and Microsoft and Yahoo and so on, and one of the \nreasons that they do that is in fact how they can get access to \nreal data. So there is great incentive to actually do that. \nPlus it is a very good opportunity for students to see what it \nis like to do research in an industrial setting.\n    So there is a lot of free flow of information in that way, \nand it is easy for academics to talk to industry and get ideas \nout there.\n    Mr. Tonko. 
On the flip side, how do you envision the \nprivate sector having the greatest influence or impact on \ncreating the research agenda for NSF? Do they have a way to \ninfluence that agenda?\n    Dr. Wing. Well, our agenda is officially--it is actually \nvery much like what Dr. Leheny was saying. We are a very \nbottom-up organization as well, and it is the academic \ncommunity that speaks to us as far as where they see the \nfrontiers of research going, where the frontiers of science \ngoing, what the challenging science questions are, and they \ncome to us with brilliant ideas and say, well, this is where \nthe field is going. And in those conversations, we are always \nengaging industry. So whenever we run these planning workshops, \nindustry is as invited as the academic community. So even from \nthe very beginning, we try to engage the private sector in \nthese kinds of strategic, agenda-setting programs, processes. \nWe of course have the National Science Board where there is \nindustry input through the Science Board. That helps the \nFoundation, helps us set priorities. And then as I mentioned \nbefore, some of the larger centers that we fund, like the TRUST \nCenter, and we actually have four Cyber TRUST Centers, have \nindustrial members on the advisory boards.\n    So there are formal and informal mechanisms that industry \ncan use to provide input into the academic research agenda.\n    Mr. Tonko. And is there room for a lot more participation \nfrom the private sector or do you think that the awareness is \nout there and it has been pretty much heightened in the last \ncouple of years, or do you think there is room for improvement \nin that?\n    Dr. Wing. I actually think there is a heightened interest, \nso I have gotten specific queries from IBM, AT&T labs, besides \nthe usual IT companies like Microsoft, Google, and so on. We \ninteract with them very closely on all sorts of reasons. 
But \nspecifically, I have been hearing from some of these companies \nthat they would like to participate more in telling the \nacademics what the real problems are and what they should be \nworking on, and the academics, you know, can listen.\n    The other mechanism I forgot to mention is of course in our \nreview process, through the panel reviews, through the \ncommittee of visitors that we have. We always have industry \nrepresentatives there to help with the reviews so that they can \ngive some sanity check. Well, that is an interesting problem, \nbut it is not relevant for industry. They can also help in the \ncommittee of visitors and provide input on the portfolio of \ninvestments that we make.\n    So there are a lot of ways in which industry, either \ninformally or formally, provides input to NSF.\n    Mr. Tonko. Thank you. Thank you, Chair.\n    Chairman Wu. Thank the gentleman. Mr. Smith, recognized for \nfive minutes.\n    Mr. Smith. I am inclined to ask about the use and \napplication of sanity checks, but maybe there is not enough \ntime here. I am just teasing.\n    Dr. Fonash, if you wouldn't mind further discussion here, \nwhen it comes to public-private partnerships, I was pleased \nthat the President did say that the Administration will not \ndictate security standards for private companies but will \ninstead collaborate with industry to find technology solutions. \nIs that your take on his comments, briefly?\n    Dr. Fonash. Yes, sir, I believe that is correct. 
What we \nneed to do is, you know, our mission right now is predominantly \nfocused on protecting the Federal Government and protecting the \ndot-mil domain and then working with our private partners, and \nin particular, our critical infrastructures and making sure \nthat they are aware of the situation so we do a lot of \ninformation sharing, so we are working on information sharing \nprograms so they are aware of the threat and so that they take \nthe appropriate measures to protect the network. And I think it \nis the issue of the--appropriate level of security for the \ninfrastructure which depends upon if you are dealing with a \ncritical defense contractor who has critical national security \ninformation and is protecting that versus Walmart protecting \nthe latest sales price on their network. So it is a relative \nissue. It is an issue that is somewhat based on the business \ncase, you know, in terms of what is the risk, and you have to \ndo risk mitigation.\n    Mr. Smith. Right.\n    Dr. Fonash. And so you put the appropriate investment in \nbased on risk.\n    Mr. Smith. In your testimony you mentioned public-private \npartnership objectives as being key. Could you elaborate on \nthat and you know, really maybe define how we go about that? I \nmean, I know that we want to take care of government and then \nthe private sector, but I think we need to acknowledge that \nalready there is a great degree of overlap there and already \npublic-private partnerships do exist, and there is transfer of \ninformation across the Internet between government and the \nprivate sector. So how do we sort through that and especially \nwith the broadened use of the key objective being public-\nprivate partnerships?\n    Dr. Fonash. So the Federal Government clearly does not \noperate in a vacuum. We do our business. 
You know, the critical \ninfrastructure that we even actually use on our own networks is \nactually owned by the ISPs or commercial carriers such as \nVerizon or AT&T. So we heavily rely on the public \ninfrastructure to provide us services, to provide us \ncommunications, for us to do our business. And so what we do is \nwe actually have under national infrastructure protection, have \nset up a process where we work with the critical \ninfrastructures in terms of protecting those critical \ninfrastructures. And we, the National Cyber Security Division, \nare actually the sector lead for the IT infrastructure. And \nthen within cybersecurity and communications is the sector for \ncybersecurity and communications is the national communications \nsystem, and that is actually the sector lead for \ncommunications. So the two critical communications and IT \nsectors are within that authority, and we work closely with \nindustry to develop risk mitigation. We are actually developing \nright now an IT risk mitigation process, and we will publish \nthat in the near future so there is actually a process where \nthey can actually look at the IT sector and determine, you \nknow, how they do risk mitigation. That is actually a process \nthat we actually developed with industry.\n    Going back to the R&D, we actually work with industry. \nThere is a government sector committee and there is actually a \npublic industry sector community. And within that industry \nsector committee, there is actually a group that works with us \non the R&D portion. And they actually provide us what they \nbelieve are the IT R&D requirements and the communications R&D \nrequirements which we then pass on to the R&D community through \nour S&T directorate and also through attendance of their \nappropriate meetings.\n    So we work that way. We also work from an operational point \nof view. 
We work for the US-CERT which provides the information \nsharing, and information security center that we run for the \nFederal Government. But we make that information available to \nour private partners in terms of the warnings. And we also are \nbuilding upon something the Defense Department started was \nDefense Industrial Base, if you are familiar with the Defense \nIndustrial Base. What that is is through the contracting \nprocess at DOD----\n    Mr. Smith. We can maybe get into that. I just have limited \ntime here, and I was just wondering, you talked a little bit \nabout critical infrastructure protection. Can you perhaps \nindicate whether or not there is any intent to take the \ncritical infrastructure off of the so-called Internet grid as a \nmeans of protection?\n    Dr. Fonash. At this point in time, there are no plans to \nmake it off the grid because for the most part, there are two \nreasons. First of all, the cost in terms of trying to make the \ngovernment and private sector a private network. The cost is \nvery large. It wouldn't be robust in many ways because--for \nexample, because you have a separate network, you wouldn't have \nthe robustness of the public network, and so I don't think \nthere would be any--and then also from a security point of \nview, since you are really all using the same network--when you \ntalk about the Internet, you are really talking about AT&T, \nVerizon and Sprint. And so everyone uses those networks. So it \nis a common carrier perspective here. So it is very difficult \nto take it off grid. So what we have to do is work together \nwith industry in making sure it is secure, and you can have \nportions of it that are more secure. So for example looking at \nDNSSEC is something that we're looking at and going toward and \ngoing on the trusted Internet connection so that certain \nenclaves are more secure than others.\n    Mr. Smith. Okay. Thank you.\n    Chairman Wu. Thank you. Mr. 
Lujan, recognized for five \nminutes.\n    Mr. Lujan. Thank you very much, Mr. Chairman. Ms. Furlani, \nI will begin with you. I have a few questions about the role \nthat NIST plays with the payment card industry, if you can help \nme understand that and the coordination with that and what \nrequirements maybe NIST has established for PCI.\n    Ms. Furlani. What we have is the national vulnerability \ndatabase which works with industry and with government to \nprovide data on what the vulnerabilities are. And the PCI, the \npayment card industry, decided to use that database as their \nmechanism to determine whether their companies meet certain \ncriteria. We don't tell them what to do, but we provide the \nresources that they can measure against and understand whether \ntheir criteria are being met before they issue a payment card.\n    Mr. Lujan. So let me see if I understand that correctly. \nNIST does not mandate or prescribe any standards if you will \nthat PCI has to follow? They utilize your database as a tool, \nbut there is no requirement that NIST provides for them, is \nthat correct?\n    Ms. Furlani. We are not a regulatory agency except for the \nstandards for the Federal Government to use in their \ncybersecurity.\n    Mr. Lujan. Are you aware of any organization that has \nstandards that the credit card industry has to follow in \nprotecting consumer information against cybersecurity crimes?\n    Ms. Furlani. I am not.\n    Mr. Lujan. And Ms. Furlani, I am not, either. I have looked \ninto this. I just thought maybe there is something out there. \nThe reason I bring it up, Mr. Chairman, if there is no \nobjection, I would like to submit an article from the National \nJournal 2/7/09, The Cybercrime Wave, into the record, that \nmaybe we could review which outlines some of the alarming rates \nof crime, security breaches that are increasing year to year, \nmoney lost, Mr. 
Chairman, and I would make this available to \nthe Committee and make sure we get a copy for the record if \nthere is no objection, Mr. Chairman.\n    Chairman Wu. No objection, so ordered.\n    [The information follows:]\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n\n    Mr. Lujan. The reason I say that, Mr. Chairman, is as we \nlook at this, I couldn't agree more with some of our \ncolleagues. Coordination must take place from a public and \nprivate perspective to be able to protect consumers' \ninformation when they are getting hit at enormous rates. I \nthink the average that an individual gets hit back to 2007 \nanyway that was measured according to the article is, depending \non the type of crime, between $3,000 and $3,500, but just \ndepending on what it may hit. We all know that we are trying to \nhelp people out more and more today, Mr. Chairman, that are \nsometimes getting taken advantage of. And this is an area where \nI think we could truly coordinate to provide some of those \nneeded protections. One of the things, Mr. Chairman, that \nvendors, as an example, are required to do is to actually keep \nthe data and back it up. And those are some of the areas where \nthe largest breaches occur. The article highlights a breach \nthat most of us are familiar with, at TJMaxx where I think it \nwas 90 million records were actually taken advantage of. To see \ntruly what the requirement of the merchants are, vendors are, \nas we are looking at this cybersecurity loophole or lapses \nsometimes that take place to see what we can learn from there \nto be able to help individuals out. This is something that we \ntouched on a little bit in our Homeland Security Committee \nhearing not too long ago, Mr. Chairman. I thought it was \nimportant to bring up.\n    Lastly, Mr. Chairman, the reason that I asked the question \nabout the coordination is the first item in the report says \nthat we need to improve interagency coordination. 
And so I know \nthat we read about this, and what I would ask, Mr. Chairman, if \nour witnesses today are able to provide us with any thoughts or \nideas, whether they support that point that was brought up or \nif they have suggestions on what can be brought up. Ms. \nFurlani, before I go, I would just like to highlight the point \nI was trying to make earlier, Mr. Chairman, around the \nexpertise that we have within some of our NNSA laboratories who \nhave to deal with cyber attacks on a daily basis. Not only do \nthey have the sophistication from a technological perspective \non some of the data sets that they have compiled with how we \ncan combat some of these attacks, but they have an interface \nwith the Government and private sector as well, especially \nbecause of the nature of them being classified and also being \ncivilian organizations because of how they have been created \nand that we look to them to see how we could utilize that \nexpertise. And with the time remaining, Mr. Chairman, I would \ngo to Ms. Furlani.\n    Ms. Furlani. I would like to specifically mention the \ninteragency coordination that has led to our new draft Special \nPublication 800-53 which recommends security controls for low-, \nmedium-, or high-risk systems and the agreement with the \nDirector of National Intelligence CIO, the DOD, the Committee \non National Security Systems, and of course, NIST, so there is \none base line for all the Federal Government which will enable \nvendors to sell into the government much more easily. Then \nother agencies that have much higher security requirements than \nwhat NIST normally promulgates can set their standards higher. \nThis was just recently released, and it is a true outcome of \nthe coordination, particularly in response to the Cyber \nSecurity Review.\n    Chairman Wu. Thank you very much, and I want to thank you \nall for appearing before the Committee this afternoon. 
The \nrecord will remain open for two weeks for additional statements \nfrom Members and for answers to any follow-up questions the \nCommittee may ask of witnesses. The witnesses are excused, and \nthe hearing is now adjourned.\n    [Whereupon, at 4:05 p.m., the Subcommittee was adjourned.]\n                               Appendix:\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\nResponses by Cita M. Furlani, Director, Information Technology \n        Laboratory, National Institute of Standards and Technology \n        (NIST), U.S. Department of Commerce\n\nQuestions submitted by Chairman David Wu\n\nQ1.  The Cyberspace Policy Review recommends an increased collaboration \nwith international standards bodies and the private sector to foster \ninternational standards and cyber-crime protocols. What are your \ncurrent international cybersecurity standards activities and how will \nyou change them to meet this recommendation?\n\nA1. NIST is actively participating with industry in international \nstandards bodies, including the Internet Engineering Task Force (IETF), \nthe Institute of Electrical and Electronics Engineers (IEEE), the \nInternational Standards Organization (ISO), and, in coordination with \nthe State Department, the International Telecommunication Union's \nTelecommunication Standardization Sector (ITU-T). NIST participation \nincludes leadership positions in the IETF, IEEE, and ISO in addition to \nits technical contributions. NIST's security standards activities are \nprimarily focused on preemptive measures to enhance the security of \nsystems and network protocols, but we are also supporting the \ndevelopment of standards for exchange of information about security \nincidents. 
In response to the recommendations of the Cyberspace Policy \nReview, NIST will work closely with other agencies, the private sector \nand international standards bodies to ensure that our leadership and \ntechnical efforts focus on the highest priority activities.\n\nQ2.  The Cyberspace Policy Review calls for increased collaboration \nwith the private sector to create cybersecurity standards and \nguidelines. Witnesses at the Subcommittee's June 25 hearing also \nspecifically recommended that NIST develop consensus standards for \nprivate industry with industry collaboration. How will you improve your \ncollaborative efforts to implement these recommendations?\n\nA2. While NIST's statutory authority makes Federal Information \nProcessing Standards (FIPS) mandatory only for federal agencies, we \nalways strive for broad, but voluntary, adoption of NIST standards. To \npromote convergence, NIST works collaboratively with industry in open \nstandards forums (e.g., IETF, IEEE, and ISO) on many initiatives. We \nreference consensus standards in NIST publications where possible. In \nthe rare cases where consensus standards are not the foundation, the \nNIST standards development process is an open process and always \naffords opportunities for public review and comment. Many standards \nefforts include public workshops to ensure the public, including \nindustry, is informed about NIST standards activities and has early \nopportunities to provide input. In response to the Cyberspace Policy \nReview, NIST will work with the private sector to form new national \nstandards bodies (e.g., within ANSI) as needed, to address additional \ncybersecurity requirements. In addition, NIST will increase its efforts \nto work with additional industry associations in the cybersecurity \narena.\n\nQ3.  The Cyberspace Policy Review also recommends increased interagency \ncoordination. How will you change your current efforts to meet this \nrecommendation?\n\nA3. 
NIST works closely with many federal agencies both formally and \ninformally. NIST maintains the Computer Security Resource Center (CSRC) \nto distribute security standards and guidelines and encourage broad \nsharing of information security tools and practices. The Computer \nSecurity Program Managers Forum provides a mechanism for NIST to share \ninformation directly with federal agency information security program \nmanagers. As with industry, all agencies are provided the opportunity \nto review and comment on NIST standards before final publication and \nare invited to participate in our public workshops. NIST participates \nin cross-agency committees such as the Committee on National Security \nSystems (CNSS) and the CIO Council and its Information Security and \nIdentity Management Committee (ISIMC). NIST is an active participant in \nthe National Science and Technology Council's (NSTC) Networking and \nInformation Technology Research and Development (NITRD) Subcommittee \nand the NITRD Cyber Security Information Assurance Interagency Working \nGroup, as well as in the NSTC Subcommittee on Biometrics & Identity \nManagement. NIST also participates in the Information and \nCommunications Interagency Policy Committee and related subcommittees \nto share information security technical expertise as national security \nand economic policies are developed for cyberspace. NIST works actively \nwith State and local governments to promote adoption of NIST's security \nstandards. To increase coordination in response to the Cyberspace \nPolicy Review, NIST will reach out to additional multi-agency working \ngroups to identify gaps and requirements for new capabilities to \nbenefit all agencies.\n                   Answers to Post-Hearing Questions\nResponses by Jeannette M. 
Wing, Assistant Director, Computer and \n        Information Science and Engineering Directorate, National \n        Science Foundation (NSF)\n\nQuestions submitted by Chairman Daniel Lipinski\n\nQ1.  Witnesses at the June 10th hearing emphasized the importance of \nunderstanding human behavior to improve cybersecurity. What is NSF's \ncurrent investment in the social aspects of cybersecurity and how is \nNSF facilitating collaboration between social scientists and computer \nscientists? Do we need new models for such collaborations?\n\nA1. Cybersecurity must be addressed not just from a technical \nviewpoint, but also from social, economic, legal, and policy \nviewpoints. In FY09, NSF deliberately broadened the scope in its \nTrustworthy Computing Program to include privacy and usability, \nencouraging computer scientists to work with social scientists on these \ntopics. NSF also supports research on economic models, including game \ntheory, for network security. Here are some examples of projects NSF \nsupports that address the socio-technical aspects of cybersecurity:\n\n        <bullet>  A team from Stanford and New York University composed \n        of computer scientists and social scientists developed a novel \n        ``Contextual Integrity Model,'' which considers social values \n        and legal constraints in characterizing and evaluating the flow \n        of information in organizations. 
The team has applied the \n        Contextual Integrity Model to privacy policies such as Health \n        Insurance Portability and Accountability Act (HIPAA), \n        Children's Online Privacy Protection Act (COPPA), and Sarbanes-\n        Oxley (SOX).\n\n        <bullet>  Behavioral scientists and security researchers from \n        the University of Massachusetts Lowell and Carnegie Mellon are \n        working together to identify the factors that influence a \n        user's trust in computer systems in general, and in robot \n        systems in particular.\n\n        <bullet>  Through the multi-disciplinary NSF Team for Research \n        in Ubiquitous Secure Technology (TRUST), a lawyer, working with \n        computer science colleagues, investigates how technology and \n        the law interact. She spearheaded the California law that \n        requires companies who lose individuals' personal information \n        to disclose to the individuals impacted by the loss.\n\n        <bullet>  A team at the NSF Cyber Trust Internet Epidemiology \n        and Defenses Center at the University of California, San Diego \n        and the University of California, Berkeley, is modeling the \n        cyber underground economy, a growing concern because there is \n        significant criminal activity using the Internet. 
Of particular \n        interest as a ``metric'' is what bots cost on the open market \n        since there is an entire community that engages in bartering \n        for such machines.\n\n    NSF facilitates collaborations between social scientists and \ncomputer scientists through these mechanisms: Direct funding of regular \nawards and Centers that support multiple principal investigators (PIs) \nfrom different disciplines (as in all the above examples); co-funding \nof awards between the Computer and Information Science and Engineering \n(CISE) Directorate and the Social, Behavioral, and Economics Sciences \n(SBE) Directorate; joint programs between CISE and SBE (e.g., Social-\nComputational Systems); Dear Colleague Letters joint with SBE (e.g., \nResearch on Data Confidentiality) and/or with private foundations such \nas the Alfred P. Sloan and the Ewing Marion Kauffman Foundations (e.g., \nCreating New Cyber-Enabled Data on Innovation in Organizations, which \nhas a specific focus on privacy); and workshops that bring together \ndifferent communities (e.g., the National Academies' July 2009 \nUsability, Security, Privacy Workshop, co-sponsored by NSF and NIST). \nThe NSF-wide Cyber-enabled Discovery and Innovation investment also \nprovides an opportunity for collaboration between computer and social \nscientists. All these mechanisms, i.e., models of engagement, are \nextremely successful ways to foster collaborations between computer \nscientists and social scientists and they suffice to achieve the multi-\ndisciplinary challenges of cybersecurity. For the future, we envision \nstrengthening ties between the two communities as both recognize that \ncybersecurity is a multi-faceted problem: technical solutions are not \nsufficient, understanding human behavior is critical, and policy-makers \nmust be informed of what is or is not technically feasible.\n\nQ2.  
A major recommendation of the Administration's Cyberspace Policy \nReview is to increase cybersecurity education. The review specifically \nmentioned two NSF programs, Scholarship for Service and CPATH, in \naddition to those, how does NSF plan to change or expand its programs \nto address the education needs identified in the review? Specifically, \nhow can NSF address cybersecurity education at the K-12 level?\n\nA2. In FY09, NSF challenged the computing community in its CISE \nPathways to Revitalize Undergraduate Education in Computing (CPATH) \nProgram to focus on teaching ``computational thinking,'' the concepts \nunderlying computer science, not just computer programming. Concepts \nsuch as algorithms, data structures, State machines, and invariants, \nwhich are driven by computational questions of efficiency and \nreliability, are useful to everyone, regardless of one's field of study \nand regardless of one's eventual career or profession. To test out this \nview, the National Academies is conducting two workshops on \n``Computational Thinking for Everyone''; the first workshop was held in \nFebruary 2009 and the second will be in early 2010. The focus of these \nworkshops is particularly on computational thinking in early grades, K-\n6.\n    The CPATH program also reaches out beyond the undergraduate level. \nSpecifically, in the FY09 solicitation, we wrote ``. . . CISE \nencourages the exploration of new models that extend from institutions \nof higher education into the K-12 environment; activities that engage \nK-12 teachers and students to facilitate the seamless transition of \nsecondary students into Computational Thinking-focused undergraduate \nprograms are particularly encouraged.''\n    NSF is also expanding its Broadening Participation in Computing by \nsupporting efforts which bring the two thrusts of computational \nthinking and K-12 together. 
For example, NSF is working with the \nCollege Board to revisit the Computer Science Advanced Placement course \nand exam; this multi-year effort will hopefully result in a novel CS \nsequence of courses that will stress computational concepts early and \ndepict a rich and in-depth view of computer science to high school \nstudents.\n    For the future, we intend to promote a focus on computational \nconcepts that would benefit everyone's analytical skills and a focus on \noutreach to K-12, through programs from across the Foundation.\n    Specific to cybersecurity, let's consider three populations of \npeople: users of computing technology, developers of computing \ntechnology, and deployers of computing technology. Users of computing \ntechnology need to have some basic awareness of security hygiene; for \nexample, not to open e-mail attachments in messages received from \npeople one does not know. Through our Cyber Trust Centers and the TRUST \nCenter (cited above), and even through our regular awards, we can \nleverage the participating institutions' reach into local communities \nto expand cybersecurity hygiene education. An example of such a project \nis MySecureCyberspace (https://www.mysecurecyberspace.com/), developed \nat Carnegie Mellon and partially funded by NSF. It is a portal for all \nage ranges, from children to seniors, who need to know the basics of \nsafe and secure interaction for oneself and with others on the \nInternet.\n    Developers of computing technology are responsible for designing \nsystems, especially software-intensive systems, with security in mind \nfrom the very beginning. They need to understand and be able to apply \nprinciples of software engineering, state-of-the-art tools to support \nsecure coding, advanced programming languages that avoid entire classes \nof security vulnerabilities, and security architectures that derive \nfrom threat modeling. 
These technical topics are already covered in \nspecific courses at most colleges and universities that offer computer \nscience degree programs. Those who major in computer science will \nencounter these course offerings; non-majors who plan a career in \nsoftware development should be encouraged to take such courses as well. \nTo highlight the importance of these kinds of courses (for majors and \nnon-majors), NSF is currently engaging the computer science community \nin a discussion on cybersecurity education at the undergraduate level.\n    Deployers of computing technology, for example, system \nadministrators, are the front line defense in today's cybersecurity \nbattlefield. They benefit most from programs such as Scholarship for \nService and certification programs offered by professional \norganizations and industry. NSF's Education and Human Resources (EHR) \nDirectorate will continue to support the Scholarship for Service \nprogram.\n\nQuestions submitted by Representative Ben R. Lujan\n\nQ1.  The Cyberspace Policy Review recommends an increased level of \ninteragency coordination and a renewed emphasis on cybersecurity \nresearch and development. Per the Administration's recommendation, what \nwill NSF change in its current interagency activities? How is NSF \nleveraging the expertise of the National Labs and the Federally Funded \nResearch and Development Centers?\n\nA1. Through leadership positions, NSF already actively engages in \ninteragency cybersecurity activities through these formal mechanisms:\n\n        <bullet>  Networking and Information Technology Research and \n        Development (NITRD) Program. The NSF CISE Assistant Director \n        serves as the Agency Co-Chair of NITRD. NITRD has 13 member \n        agencies.\n\n                <bullet>  The NITRD Senior Steering Group (SSG) is composed of \n                senior representatives of agencies with national \n                cybersecurity leadership positions. 
The NSF CISE AD \n                serves as a co-chair for SSG. The SSG provides overall \n                leadership for cybersecurity research and development \n                (R&D) coordination, serving as a conduit between \n                agencies and budget officials, between classified and \n                unclassified federal R&D, and among government, \n                academia, and industry. An example activity is the \n                National Cyber Leap Year, as part of the Comprehensive \n                National Cybersecurity Initiative (CNCI), which is \n                identifying ``game-changing'' concepts for securing \n                cyberspace.\n\n                <bullet>  The NITRD Cyber Security and Information Assurance \n                Interagency Working Group (CSIA IWG) coordinates the \n                efforts of NITRD agencies' cybersecurity programs, \n                ensuring complementarity and completeness (to the extent \n                possible) in coverage of the cybersecurity R&D needs of \n                the Nation. NSF program directors are active \n                participants in CSIA IWG.\n\n        <bullet>  The INFOSEC Research Council (IRC) consists of U.S. \n        Government sponsors of information security research from the \n        Department of Defense, the Intelligence Community, and Federal \n        Civil Agencies. An NSF program director co-chairs the IRC. \n        Discussions are both technical and strategic.\n\n    As there is heightened and growing interest by the Federal \nGovernment in R&D for cybersecurity, NSF expects to work in the future \nwith other agencies more closely and in more and more activities, both \ninformal and formal. 
NSF's deep and broad reach into the academic \ncomputer science community puts NSF in a unique position: to bring the \nattention of the academic community to nearer-term and/or mission-\nspecific R&D cybersecurity needs of other federal agencies and to \nintroduce federal agencies to the problem-solving capability, research \nresults, and trained workforce of the academic community. As one \nexample of how NSF's interactions have grown in just FY09, here is a \nlist of cybersecurity workshops NSF has been instrumental in helping to \nfoster, host, and coordinate with other agencies:\n\n                <bullet>  Science of Security Workshop, co-funded by NSF, NSA, \n                and IARPA (November 16-18, 2008). Goal: To deliberate \n                on making security into a science with measurable \n                metrics, inspired by established sciences and theories, \n                such as biology, control theory, and reliability \n                theory.\n\n                <bullet>  Usability, Security, Privacy Workshop, hosted by the \n                National Academies' Computer Science and \n                Telecommunications Board (CSTB), co-funded by NSF and \n                NIST (July 21-22, 2009). Goal: To advance objectives in \n                usable security and privacy, taking into account the \n                broad class of users, security administrators and \n                services, and explore research opportunities and \n                potential roles for the Federal Government, academia, \n                and industry and ways to embed usability considerations \n                in research, design, and development of secure systems.\n\n                <bullet>  Workshop on Clean-Slate Security Architecture, \n                hosted by NSF, co-funded by NSF and DARPA. (July 28, \n                2009). 
Goal: To frame a new security architecture that \n                could be the basis for new host, network and \n                applications.\n\n                \x17  Workshop on Security Research for the Financial \n                Infrastructure. Co-run with Treasury and co-funded by \n                NSF and DHS (October 28-29, 2009). Goal: By bringing \n                together the financial sector and academia, to gain a \n                better understanding of the security problems faced by \n                the financial sector and how the research community can \n                help solve those problems.\n\n    Looking ahead, a possible outcome of holding such joint workshops \nis the creation of one or more joint programs between NSF and other \nagencies.\n    Through NITRD, NSF formally coordinates with national laboratories, \nincluding the Department of Energy's National Nuclear Security Agency \n(NNSA). NSF also participated in a joint workshop with DHS and IARPA, \nco-organized by MIT and Sandia National Laboratory in November 2007. \nThis ``NCDI (National Cyber Defense Initiative) Workshop-grass roots \neffort towards defining a cyber research agenda for the Nation'' was a \nprecursor to CNCI. Through the ``DOE Workshops to Assess the Technology \nto Cope with Attacks to DOE systems, such as the Power Grid,'' held \nbetween 2007 and 2009 and organized by the Pacific Northwest National \nLaboratory, NSF presented research projects it funds on a more secure \npower grid, highlighting the Cyber Trust Trustworthy Computing \ninfrastructure for the Power Grid (TCIP) Center at the University of \nIllinois, Urbana-Champaign. 
Finally, NSF funds academic researchers who \nthemselves may directly collaborate with National Labs; for example, we \nrecently funded a CAREER awardee at the University of New Mexico who \ncollaborates with investigators at Sandia and Los Alamos on developing \nquantitative models of Internet censorship.\n    NSF supports researchers who can tap into the expertise of \nFederally Funded Research and Development Centers. In particular, NSF \nfunds the Cyber Trust Situational Awareness for Everyone (SAFE) Center \nat Carnegie Mellon, whose researchers potentially can interact with the \nCarnegie Mellon Software Engineering Institute (SEI), which is an \nFFRDC. The SEI houses the Computer Emergency Response Team (CERT) \nCoordination Center, which collects data about security vulnerabilities \nand coordinates responses to security breaches.\n    Academic researchers funded by NSF often cannot interact more \nclosely with members of the National Labs and FFRDCs if the systems of \ninterest are classified, such as those within National Labs, or data \nare proprietary, such as that collected by CERT.\n                   Answers to Post-Hearing Questions\nResponses by Peter M. Fonash, Acting Deputy Assistant Secretary, Office \n        of Cybersecurity and Communications, National Protection and \n        Programs Directorate, U.S. Department of Homeland Security \n        (DHS)\n\nQuestions submitted by Chairman David Wu\n\nQ1.  The Cyber Space Policy Review calls for increased collaboration \nwith the private sector. How will you improve your collaboration \nefforts to implement this recommendation?\n\nA1. The National Cyber Security Division (NCSD) within the Department \nof Homeland Security (DHS) collaborates closely with the private sector \non a wide variety of initiatives in line with the Cyberspace Policy \nReview, and has always engaged in a variety of activities designed to \nfurther this collaboration. 
Specifically, NCSD engages with public and
private-sector partners through the Critical Infrastructure Partnership
Advisory Council (CIPAC) within the National Infrastructure Protection
Plan (NIPP) framework. Since 2007, NCSD and its private-sector partners
have co-chaired the Cross-Sector Cyber Security Working Group (CSCSWG)
under CIPAC. The CSCSWG's membership includes public and private-sector
representatives from each of the 18 Critical Infrastructure and Key
Resources (CIKR) sectors under the NIPP. The CSCSWG meets monthly and
offers a mechanism for public-private collaboration on cybersecurity
initiatives, such as improving information sharing, considering
private-sector incentives for increased cybersecurity, and developing
cybersecurity metrics that can be used by multiple CIKR sectors. The
co-chairs of the CSCSWG have recently formed a Steering Committee to
ensure that the agenda and work areas undertaken by the group meet the
needs of all CIKR sectors.
    One area of focus for the CSCSWG in the near future will be
development of a Cyber Incident Response Plan. This plan will be
developed in collaboration with industry and government partners and
will provide a much needed overall framework to significantly improve
coordination in response to cyber incidents.
    Under CIPAC, NCSD will continue to expand its engagement with
private-sector partners to address additional issues necessary to
secure the Nation's cyber assets, networks, systems, and functions.
Control systems security represents an area of cyber concern that will
see a substantially increased level of collaborative efforts, including
the continued expansion of the Industrial Control Systems Joint Working
Group (ICSJWG) and the Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT). Both of these groups are based on a model of
public-private partnership and represent a growing area of
collaboration.
    NCSD, in conjunction with the National Communications System, can
also leverage the National Coordinating Center for Communications
(NCC). The NCC is a joint industry-government operation. It involves
the U.S. telecommunications industry and Federal Government
organizations that are involved in responding to the Federal
Government's National Security and Emergency Preparedness (NS/EP)
communications service requirements and supports planning for a more
resilient national and international communications system to satisfy
those requirements.
    The mission of the National Coordinating Center is to assist in the
initiation, coordination, restoration and reconstitution of NS/EP
telecommunications services or facilities. The NCC is the mechanism by
which the Federal Government and the communications industry jointly
respond to NS/EP telecommunications service requirements. It provides
for the rapid exchange of information and expedites NS/EP
communications responses. While the primary focus of the NCC is the
NS/EP telecommunication service requirements of the Federal Government,
the NCC also monitors the status of all essential telecommunication
facilities including public switched networks.
    In addition, DHS is partnering with the Department of Defense and
the Office of the Director of National Intelligence to engage with
senior leadership, at the Chief Executive Officer level, in the
information technology and defense industrial base sectors, under the
Enduring Security Framework. This CIPAC working group recently formed
to address the risks and opportunities to the U.S. cyber infrastructure
inherent in globalization.
    The Office of Intelligence and Analysis (I&A) has recently
increased the production rate of cyber threat intelligence products
intended for use by the private sector, State and local authorities,
and federal civilian departments and agencies. These products are
intended to provide awareness of the cyber threats and in some cases
provide warnings so that the appropriate resources and actions can be
implemented to counter these cyber threats.
    I&A also, in coordination with NPPD, provides cyber threat
briefings (classified and unclassified) to private sector
representatives. In August and September 2009, I&A has provided or is
scheduled to provide cyber threat intelligence briefings to the
American Petroleum Institute (API), the Oil and Natural Gas Sector
Coordinating Council (SCC), the Chemical SCC, and the Nuclear SCC.
    In the area of cybersecurity research and development (R&D), DHS
pursues collaboration with the private sector through participation in
the Networking and Information Technology Research and Development
(NITRD) program. A representative from the DHS Science and Technology
Directorate co-chairs the NITRD Cyber Security and Information
Awareness (CSIA) interagency working group and is a member of the NITRD
Senior Steering Group for Cyber Security. During the past year, these
groups have issued three Requests for Information through the Federal
Register (garnering more than 230 private-sector white paper responses)
and held a National Cyber Leap Year Summit with more than 100 private-
sector participants (participant reports summarizing Summit outcomes
are available at www.nitrd.gov/NCLYSummitIdeas.aspx). The private
sector will continue to be engaged in the development of a game-
changing cybersecurity R&D strategy.
    Finally, we continue to look for new and better ways to enhance our
partnership with the private sector, on both an operational and policy
level.

Q2.  The Cyber Space Policy Review also recommends increased
interagency coordination. How will you change your current efforts to
meet this recommendation?

A2. Overall Federal interagency cybersecurity policy coordination
occurs through the Interagency Policy Committee (IPC) framework under
the President's National Security Council system. The Information and
Communications Infrastructure IPC serves as a focal point for
cybersecurity matters and several Sub-IPCs are used to consider
specific topics, such as incident response and information sharing.
    The National Cyber Security Division (NCSD) within the Department
of Homeland Security (DHS) continually strives to identify additional
methods to facilitate coordinated responses to cyber threats. NCSD
maintains many, often multi-faceted, relationships with government
agency partners to fulfill its cybersecurity mission, and as we add
personnel to meet mission needs, we will enhance not only our
effectiveness but our ability to work with other agencies. Our existing
relationships include operational coordination, information sharing,
and policy formulation. NCSD's United States Computer Emergency
Readiness Team (US-CERT) is charged with providing response support and
coordinating the defense against cyber attacks for the Federal Civil
Executive Branch (.gov). US-CERT focuses on improved customer service
and improved interagency coordination in a variety of ways.
For
example, the Joint Awareness Cyber Knowledge Exchange meets biweekly to
provide a classified forum for federal departments and agencies to
exchange cyber threat and defense information, with US-CERT providing
regular briefings and updates on specific ongoing threats.
    Other NCSD programs also offer significant opportunities to improve
agency coordination, and we continue to look for new and better ways to
build partnerships. Through the Trusted Internet Connection (TIC)
Initiative and deployment of the National Cybersecurity Protection
System (NCPS), operationally known as EINSTEIN, NCSD has the ability to
work with all federal civilian departments and agencies in a
coordinated approach to reduce and consolidate external connections
(access points) and implement or acquire security services. DHS
coordinated with departments and agencies to create and refine TIC
technical requirements and architecture, bringing technical expertise
and issue awareness from early deployments to bear as additional
departments and agencies are added to the program. DHS also meets
quarterly with the TIC Interagency Working Group to address specific
implementation challenges and provide definitions and clarification, as
well as formal recommendations for TIC policy to the Office of
Management and Budget. NCSD will continue to work with these groups to
track TIC implementation progress, lessons learned, and recommendations
for improvement. In addition, planned enhancements to NCPS will improve
US-CERT's ability to share information about cyber incidents across the
departments and agencies, thereby increasing interagency cybersecurity
situational awareness.
    NCSD also engages with public and private-sector partners through
the Critical Infrastructure Partnership Advisory Council (CIPAC)
process within the National Infrastructure Protection Plan framework.
Since 2007, NCSD and its private-sector partners have co-chaired the
Cross-Sector Cyber Security Working Group (CSCSWG) under CIPAC. One
area of focus for the CSCSWG in the near future will be development of
a Cyber Incident Response Plan. This plan will be developed in
collaboration with industry and government partners and will provide a
much-needed overall framework--supported by sub-frameworks, concepts of
operations, and operating procedures--to enable significantly improved
coordination in response to cyber incidents. Under the CIPAC engagement
framework, NCSD will continue to expand its engagement with private-
sector partners to address additional issues necessary to secure the
Nation's cyber assets, networks, systems, and functions.
    In light of the Cyber Space Policy Review recommendations for
increased interagency coordination, the Office of Intelligence and
Analysis (I&A) will continue to strengthen its established
relationships with the members of the Intelligence Community, the cyber
intelligence elements of the Department of Defense, and law enforcement
entities. I&A coordinates with interagency partners on its cyber
products and participates in the interagency development of national
level intelligence products. In the near-term, I&A will be striving to
increase our interactions with the intelligence components of the Non-
Title 50 and Title 10 departments and agencies. I&A continues to
participate in intelligence community interagency coordination and
working groups to ensure effective intelligence information sharing on
cyber threat actors and will seek out additional partnership
opportunities to include embedding I&A analysts in sister intelligence
community elements. I&A plays an active role in developing all-source
collection requirements and information needs through interagency
coordination and working groups across the community. To ensure
increased coordination, I&A will seek to further involve DHS component
organizations; Federal, State, local and Tribal (FSTL) governments; and
critical infrastructure and key resource (CIKR) partners, both public
and private, with cyber or infrastructure protection missions in the
requirements development process to ensure information deemed relevant
to the operational components is collected by the intelligence
community and disseminated to FSTL and CIKR partners.
    In the area of cybersecurity research and development (R&D), DHS
pursues collaboration across the federal landscape through
participation in the Networking and Information Technology Research and
Development (NITRD) program. A representative from the DHS Science and
Technology Directorate co-chairs the NITRD Cyber Security and
Information Awareness (CSIA) interagency working group and is a member
of the NITRD Senior Steering Group for Cyber Security.

Questions submitted by Representative Adrian Smith

Q1.  You stated in your testimony that when this effort began, the
Federal Government had more than 4,500 access points to the Internet. I
understand that the original plan was to reduce this number to below
100 to enable manageable deployment of EINSTEIN. Is this still the
objective? If not, why not, and what is the new target number of TICs?
How much does a change in the target number of TICs change the expected
costs of the TIC initiative?

A1. The Comprehensive National Cybersecurity Initiative's Initiative 1
(the Trusted Internet Connection [TIC] Initiative) currently has the
following objectives: to reduce and consolidate external access points
across the federal enterprise; to manage the security requirements for
Network and Security Operations Centers (NOCs/SOCs); and to establish a
compliance program to monitor department and agency (D/A) adherence to
TIC policy. Working together, DHS and OMB are making progress towards
meeting this initiative.
    NCSD, OMB, and the other Federal Departments and Agencies are
constantly assessing the appropriate number of TICs required for the
.gov domain.
    The primary cost driver in this initiative is the number of
physical locations where sensors need to be deployed. Multiple access
connections can go through a single location. Therefore, changes in the
number of access connections would not greatly affect cost.

Q2.  Due to the geographical distribution of existing TICs, efforts to
dramatically reduce Federal Government access points to the Internet
presumably require a significant re-routing of traffic, which
presumably adds additional cost to agencies' Internet Service Providers
(ISPs). Is this correct, and if so, (a) how significant are re-
routing costs; and (b) how will this additional expense be paid for?
Are these additional costs accounted for in agency budgets and
planning?

A2. The geographic distribution of Trusted Internet Connections (TICs),
in general, is not a cost factor. The TIC program is a consolidation of
agencies' connections to external networks, not new connections. The
Internet Service Providers (ISPs) can automatically reroute traffic on
their network to a designated location. Pricing for traffic on an ISP
backbone is not distance sensitive. The price sensitivity is the number
of connections and the bandwidth of the connection to the ISP by the
agency. Consolidation has a long-term financial benefit--namely, the
larger the connection bandwidth, the lower the cost per unit of
traffic. In general, there are additional charges for access lines in
rural or remote locations.
    An agency connection to an ISP has two cost elements: the cost of
the dedicated access circuit and a service enabling device (SED) at the
agency location (e.g., gateway router).
The TIC program introduces the
following additional access costs: capital cost and maintenance costs
for the TIC equipment and facilities.
    There may be additional costs for rerouting traffic within an
agency's enterprise network; however, those costs largely depend on how
each agency chooses to implement the TIC initiative. Agencies
designated as TIC Access Providers (TICAPs) that are building their own
TIC locations may incur additional costs for rerouting circuits, but
that will depend on the outcome of negotiation efforts with the
carriers. An option for TICAP agencies is to use a ``hybrid'' approach
combining a subscription to the Networx Managed Trusted IP Service
(MTIPS) with agency-specific TICs to reduce rerouting circuit costs.
Agencies not designated as TICAPs, or those considered as seeking
service, may comply with the TIC mandate by subscribing to the Networx
MTIPS directly.
    The MTIPS pricing contains three primary elements: a local
dedicated access circuit, a SED at the agency location (e.g., a
router), and the MTIPS Port. Only the local dedicated access circuit
cost may be distance sensitive. If agencies are already using a Networx
provider, there should not be a change to the cost per unit of traffic
for the local circuit. If the agency chooses separate Networx
contractors or MTIPS contractors, or has other agency-specific
requirements, a new local dedicated access circuit or new SEDs may be
required, increasing the cost.
    The guidance from the Office of Management and Budget was for
agencies to cover any additional costs out of existing funding.

Q3.  What performance measures are associated with EINSTEIN and how
will they be used to assess effectiveness and improve performance?

A3. The National Cyber Security Division (NCSD) within the Department
of Homeland Security (DHS) has created performance goals under the
Government Performance Reporting Act (GPRA) and applies Key Performance
Parameter (KPP) performance measures to the National Cybersecurity
Protection System (NCPS), operationally known as EINSTEIN.
    Consistent with our GPRA goals, NCSD measures the percentage of
Trusted Internet Connections (TICs) covered by NCPS. This measure
tracks the percentage of TICs where NCPS sensors are deployed. Tracking
this coverage of approved Internet access points for the Federal
Government demonstrates the extent of coverage of .gov traffic that
NCPS is providing at any given time.
    KPPs are developed as part of the DHS acquisition review process.
KPPs demonstrate the performance capabilities that will be purchased
with requested funding. The KPPs are broken out by the Block
capabilities--to match NCPS deployment plans--and each builds on the
previous Block's capability. Additionally, each measure contains both a
threshold and objective target. The threshold is the baseline ``what-
must-be-achieved'' measure; the objective is what the NCPS is
attempting to achieve. The table below contains the Block KPPs and
their thresholds and objectives:

    [Table of Block KPPs with their thresholds and objectives: graphic
not available in TIFF format.]

Q4.  What if any traffic volume or throughput limitations exist
associated with EINSTEIN? Are you confident that this system can
provide the processing power necessary to effectively analyze traffic
and ensure against significant network delays, especially as online
communications (including those on government networks) increasingly
transition to more data and video intensive applications? Has the
system's capability been validated in practice?

A4. Capacity challenges were identified as a risk; however, a
mitigation approach was built into its development. There are two steps
to the mitigation approach. First, initial deployment meets immediate
and near-term bandwidth requirements as reported by the Department and/
or Agency receiving EINSTEIN. Second, the commercially scalable
platform and collection of technologies that make up EINSTEIN, as
designed, allow for the seamless expansion of available computing
resources as needs arise. This flexibility is best suited to meet
today's bandwidth requirements and provides the ability to rapidly
accommodate future increases.
    Developmental, integration, and operational testing have been
successfully conducted and validated to ensure that EINSTEIN's
processing power scalability meets the increasing bandwidth demands of
the federal network enterprise. Such testing and evaluation are part of
a continual process as the Department of Homeland Security's National
Cyber Security Division implements a phased deployment of EINSTEIN.

Q5.  Given that cybersecurity is a cat-and-mouse problem where network
defenders and attackers are both constantly changing their technologies
and methods, how confident are you that the EINSTEIN system can remain
effective over the medium- and long-term? Is it possible (or plausible)
that, three to four years from now, our adversaries will be employing
completely different technological means of penetrating networks that
could render EINSTEIN obsolete? In other words, how adaptable is the
EINSTEIN system to changing threats, technologies, and methods?

A5. We agree that attackers are constantly changing their technologies
and methods, and therefore network defenders must quickly evolve their
capabilities through continuous technology insertion and evolution. DHS
is necessarily concerned both with today's threats and those unknown
threats that are certain to surface and evolve.
With the goal of
addressing current and future threats firmly in mind, the National
Cyber Security Division (NCSD) recently issued a Request for
Information to identify new capabilities from industry. NCSD's goal is
to deploy and operate today's cybersecurity technology while
implementing the processes to ensure that EINSTEIN can address medium
and long-term threat technologies and methods. The Department's Science
and Technology Directorate (S&T) has substantial efforts, coordinated
with NCSD, to identify and fund research and development (R&D) that
would enable NCSD's future EINSTEIN capability to adapt to changing
threats, technologies and methods. Additionally, the Office of
Intelligence and Analysis continues to work with its intelligence
community partners to understand the tactics, techniques and procedures
of threat actors as they evolve. The Department believes we can achieve
this goal and meet future cybersecurity challenges.

Q6.  You note in your testimony that EINSTEIN deployment has been
completed at five agencies. Is it correct that the EINSTEIN system was
originally intended to be deployed at all agencies? Is this still the
case? If not, how is agency participation being determined--voluntarily
by agencies or through a government-wide prioritization effort? Does
the lack of participation by some agencies notably increase the
vulnerability of intrusions and information breaches at participating
agencies?

A6. The EINSTEIN program is designed under the Comprehensive National
Cybersecurity Initiative to provide coverage to the federal civil
agencies. The Administration is requiring all federal civil agencies to
participate. Success of the program depends upon full participation.
Lack of participation by some agencies could increase risk to all the
others--including those that have deployed EINSTEIN--by slowing the
identification of vulnerabilities and breaches and thereby increasing
the likelihood of cascading effects within the .gov space.

Q7.  In response to a question about the privacy of data collected
through EINSTEIN at the hearing, you stated that ``we wouldn't get into
the privacy or a person's e-mail unless there was some issue, a
national security issue, or something like that.'' How is ``national
security'' defined in this context? What agency or official is
responsible for making a national security determination that would
authorize inspection of content traveling across federal networks, and
what is the associated process for doing so?

A7. EINSTEIN 2 supports the Department of Homeland Security's (DHS's)
critical information infrastructure protection mission as established
by the Homeland Security Act, the Federal Information Security
Management Act (FISMA), Homeland Security Presidential Directive 7
(HSPD-7), National Security Presidential Directive 54/Homeland Security
Presidential Directive 23, and related authorities. FISMA requires the
Office of Management and Budget (OMB) to oversee and ensure the
operation of a central federal information security incident center
that provides departments and agencies with cyber detection, analysis,
warning, and mitigation support. In 2004, OMB identified the United
States Computer Emergency Readiness Team (US-CERT), which is the
operational branch of DHS's National Cyber Security Division, to carry
out these responsibilities.
    Under HSPD-7, DHS is ``responsible for coordinating the overall
national effort to enhance the protection of the critical
infrastructure and key resources of the United States.'' ``Critical
Infrastructure'' is specifically defined in the USA PATRIOT Act to mean
``systems and assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those
matters.'' Malicious cyber activity that threatens one or more of these
elements establishes the context under which EINSTEIN 2 is used by US-
CERT.
    EINSTEIN 2 passively observes network traffic to and from
participating Federal Civilian Executive Branch department and agency
networks. No human being reviews any of this data via EINSTEIN 2 unless
and until specific pre-defined signatures designed to detect identified
patterns of network traffic that may affect the integrity,
confidentiality, or availability of computer networks or information
are triggered. Only if such risk factors are identified within the data
will US-CERT be alerted of potential malicious network activity. Thus,
US-CERT does not obtain the content of all electronic communications
passing over the protected networks but rather receives the network
traffic relevant to a specific signature, along with the network
traffic that is reasonably related to, and associated with, the network
connection that caused the alert. Moreover, when an alert does occur,
US-CERT has adopted procedures for reviewing signatures and handling
information collected to ensure that the privacy of individuals is
protected.
    As discussed in greater detail in the DHS Privacy Impact Assessment
(PIA) prepared for EINSTEIN 2,\1\ EINSTEIN is not programmed to
specifically collect or locate PII. While future signatures might be
developed in response to threats that use what appears to be PII, the
purpose of these signatures is to prevent malicious activity from
reaching federal networks, not to collect or locate PII. US-CERT also
follows procedures to remove any personal information from its products
so that only US-CERT would see the full details of any personal
information in the flow records, alerts, and related network traffic.
The PIA provides additional details on the minimization process and
related US-CERT analyst training.
---------------------------------------------------------------------------
    \1\ Available at http://www.dhs.gov/xlibrary/assets/privacy/
privacy_pia_einstein2.pdf
---------------------------------------------------------------------------
    If it comes to DHS's attention that there may be a computer network
event or incident that has ``national security'' implications, the
proper entity with responsibility over that event would be notified in
accordance with laws and policies.

Q8.  What oversight and accountability mechanisms are in place to
ensure that only data traveling to and from federal networks is routed
off of Internet Service Provider (ISP) systems and through to EINSTEIN?

A8. Internet traffic flows to an EINSTEIN sensor either through the use
of a Managed Trusted Internet Protocol Service (MTIPS) provided by an
Internet Service Provider (ISP) or to the EINSTEIN sensor located at a
department or agency's Internet access point, referred to as a Trusted
Internet Connection (TIC).
Safety mechanisms are in place under either
EINSTEIN option to ensure that only data traveling to and from federal
networks is routed off of ISP systems and through to EINSTEIN. Both
options require the relevant department or agency to work with its ISP
to ensure that only data traveling to and from federal networks is
routed through to EINSTEIN based on Internet Protocol (IP) ranges
assigned to the department or agency. Because federal networks do not
allow non-agency, commercial traffic to traverse their infrastructure,
the restriction of EINSTEIN monitoring to these IP ranges should limit
monitoring to traffic directed to or originating from government
systems.

MTIPS
    With respect to a department or agency that contracts with an ISP
for MTIPS, the contract contains a provision requiring the ISP to
ensure that only data routed to or from the department or agency's IP
addresses is routed to the EINSTEIN sensor. Specifically, the ISP's
General Services Administration Networx MTIPS Statement of Work
provides that:

         traffic collection and distribution supports the transport of
        government-only IP traffic between Agency Enterprise WANs [Wide
        Area Networks] and TIC Portals . . .. The TIC Portal . . .
        monitoring and management systems shall be dedicated to the
        management and monitoring of the subscribing agencies hosted by
        the contractor's portal and shall be isolated from commercial
        customers.

    The ISP further confirms its responsibility to isolate government
traffic from that of its commercial customers through a memorandum of
agreement (MOA) executed with the Department of Homeland Security
(DHS), which references the Statement of Work provisions. A department
or agency that is using MTIPS also executes an MOA with DHS. Pursuant
to this MOA, the department or agency is responsible for ensuring, in
conjunction with the MTIPS provider, that only department or agency IP
traffic is routed through the TIC portal where the EINSTEIN sensor is
located.

TIC
    A department or agency using a TIC would already have a contractual
relationship in place with its ISP. Pursuant to that relationship, the
ISP, in its ordinary course of business, would use routing tables to
ensure that only traffic intended for the department or agency's IP
addresses is routed to the department or agency's networks. In
addition, a department or agency with an EINSTEIN sensor placed at a
TIC also must sign an MOA with DHS. Pursuant to that MOA, the
department or agency is responsible for ensuring that only traffic
intended for, or originating from, that department or agency is routed
through the EINSTEIN sensor.
    Because EINSTEIN collects net flow information for all traffic
traversing a sensor, in the rare case that the contractual routing
protections fail, net flow information would be collected. A US-CERT
analyst may detect the error by doing flow analysis, but the volumes of
traffic make this unlikely. EINSTEIN's intrusion detection system (IDS)
would only alert an analyst if the mis-routed traffic triggers an
EINSTEIN signature. In the event of an IDS alert, and upon further
inspection and investigation with the department or agency receiving
the incorrectly routed traffic, a US-CERT analyst would be able to
identify an incorrectly routed traffic error. US-CERT would then work
with the National Cyber Security Division's Network Security Deployment
and Federal Network Security branches, the relevant department or
agency, the ISP and, if necessary, the MTIPS vendor to remedy the
routing problem. In the unlikely event that an ISP's routing tables
mistakenly assign a government IP address to a commercial client, a
routing loop would result and would be detected by the ISP in its
ordinary course of business. This would signal to the ISP a need to
correct the routing table.

Q9.  What performance measures or other assessment tools have been
developed for the CNCI? What are the primary risks to the success of
the initiative going forward?

A9. The Department of Homeland Security's (DHS's) National Cyber
Security Division (NCSD) is the lead or co-lead for six of the 12
initiatives within the Comprehensive National Cybersecurity Initiative
(CNCI).
    Currently, DHS reports both weekly and quarterly to the Joint
Interagency Cybersecurity Taskforce. This reporting includes both
activities and performance metrics. Performance information is reported
quarterly to the Executive Office of the President. In addition, we
work closely with the Office of Management and Budget on Initiatives
1-3.

Q10.  Some organizations are calling for using liability protection
(such as that provided by the SAFETY Act) as a tool for incentivizing
greater private efforts to address cybersecurity. Is this being
discussed and considered as part of your effort to collaborate with the
private sector?

A10. Yes, the National Cyber Security Division (NCSD) within the
Department of Homeland Security (DHS) collaborates closely with the
private sector on a wide variety of initiatives and has always engaged
in a variety of activities designed to further this collaboration.
Specifically with respect to incentives, NCSD has engaged with public
and private-sector partners through the Critical Infrastructure
Partnership Advisory Council (CIPAC) process within the National
Infrastructure Protection Plan (NIPP) partnership framework.
Since \n2007, NCSD and its private-sector partners have co-chaired the Cross-\nSector Cyber Security Working Group (CSCSWG) under CIPAC. The CSCSWG's \nmembership includes public and private-sector representatives from each \nof the 18 critical infrastructure and key resources (CIKR) sectors \nunder the NIPP. The CSCSWG, which meets monthly, offers a mechanism for \npublic-private collaboration on cybersecurity initiatives, such as \nimproving information sharing, considering private-sector incentives \nfor increased cybersecurity, and developing cybersecurity metrics that \ncan be used by multiple CIKR sectors. The co-chairs of the CSCSWG have \nrecently formed a steering committee to ensure that the agenda and work \nareas undertaken by the group meet the needs of all CIKR sectors.\n    Leveraging this public-private partnership, DHS solicited \nrecommendations and advice from industry partners on a wide range of \nincentives--from leveraging federal procurement power, to cyber \ninsurance, to ensuring inclusion of cyber investments in the utility \nrate base--for increased cybersecurity. One incentive considered by the \nworking group concerns increased use of the SAFETY Act to address \ncybersecurity, including the issue of liability protection. The SAFETY \nAct Office is receiving and approving applications for cybersecurity \ntechnologies. These recommendations will be reviewed and considered by \nthe appropriate members of the interagency and taken into consideration \nin light of the significant differences in business models and \nperspectives across the sectors.\n\nQ11.  As an alternative to regulatory- or liability-based tools to \naddress private sector critical infrastructure, some have proposed \nsimply taking critical infrastructure ``off the Internet grid''--that \nis making the networks necessary for managing infrastructure such as \nthe electricity grid completely closed, similar to how we operate our \nclassified networks. 
Is this something the administration is looking \nat, and do you think it could help to eliminate the security \nvulnerabilities inherent to being connected to the Internet?\n\nA11. The strategy of taking critical infrastructure ``off the Internet \ngrid'' is not an option the Department of Homeland Security is pursuing \ndue to the inherent complexities and feasibility problems associated \nwith the concept. The Nation's critical infrastructure and related \ninformation technology systems and networks are interconnected, \ndiverse, and unique, such that taking them off of the global Internet \ngrid would generate a wide range of problems that make the task \nunfeasible on both strategic and practical levels. Many critical \ninfrastructure networks were built with a specific architecture \ndesigned for Internet access. Their day-to-day communications and \nbusiness operations require this access for functions ranging from \ninventory management to customer communications. Sequestering these \nnetworks behind barriers, in a manner similar to how classified \nnetworks operate, would result in multiple problems and logistical \ndifficulties. This would require a complete revision of the design and \nfunction of critical infrastructure and key resources (CIKR) sector \nnetworks, as well as changes to the operations and business models of \nCIKR sector members. An example of this is the Financial Services \nSector, which depends on the Internet to provide real-time \ncommunications and transfer of electronic payments and account \ninformation. Additionally, several other government agencies outside of \nthe Department of Homeland Security have responsibilities or regulatory \nauthorities related to CIKR sectors and would have their own views on \nthis subject.\n\n</pre></body></html>\n"