<html>
<title>PROTECTING INFORMATION IN THE DIGITAL AGE: FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT EFFORTS</title>
<body><pre>[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]


               PROTECTING INFORMATION IN THE DIGITAL AGE:
         FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT EFFORTS

=======================================================================

                             JOINT HEARING

                               BEFORE THE

               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

                                AND THE

             SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                        WEDNESDAY, MAY 25, 2011

                               __________

                           Serial No. 112-19

                               __________

 Printed for the use of the Committee on Science, Space, and Technology

       Available via the World Wide Web: http://science.house.gov

                  U.S. GOVERNMENT PRINTING OFFICE
66-560 PDF                WASHINGTON : 2011


              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                    HON. RALPH M. HALL, Texas, Chair
F. JAMES SENSENBRENNER, JR.,         EDDIE BERNICE JOHNSON, Texas
    Wisconsin                        JERRY F. COSTELLO, Illinois
LAMAR S. SMITH, Texas                LYNN C. WOOLSEY, California
DANA ROHRABACHER, California         ZOE LOFGREN, California
ROSCOE G. BARTLETT, Maryland         DAVID WU, Oregon
FRANK D. LUCAS, Oklahoma             BRAD MILLER, North Carolina
JUDY BIGGERT, Illinois               DANIEL LIPINSKI, Illinois
W. TODD AKIN, Missouri               GABRIELLE GIFFORDS, Arizona
RANDY NEUGEBAUER, Texas              DONNA F. EDWARDS, Maryland
MICHAEL T. McCAUL, Texas             MARCIA L. FUDGE, Ohio
PAUL C. BROUN, Georgia               BEN R. LUJAN, New Mexico
SANDY ADAMS, Florida                 PAUL D. TONKO, New York
BENJAMIN QUAYLE, Arizona             JERRY McNERNEY, California
CHARLES J. ``CHUCK'' FLEISCHMANN,    JOHN P. SARBANES, Maryland
    Tennessee                        TERRI A. SEWELL, Alabama
E. SCOTT RIGELL, Virginia            FREDERICA S. WILSON, Florida
STEVEN M. PALAZZO, Mississippi       HANSEN CLARKE, Michigan
MO BROOKS, Alabama
ANDY HARRIS, Maryland
RANDY HULTGREN, Illinois
CHIP CRAVAACK, Minnesota
LARRY BUCSHON, Indiana
DAN BENISHEK, Michigan
VACANCY
                                 ------

               Subcommittee on Technology and Innovation

                  HON. BENJAMIN QUAYLE, Arizona, Chair
LAMAR S. SMITH, Texas                DAVID WU, Oregon
JUDY BIGGERT, Illinois               JOHN P. SARBANES, Maryland
RANDY NEUGEBAUER, Texas              FREDERICA S. WILSON, Florida
MICHAEL T. McCAUL, Texas             DANIEL LIPINSKI, Illinois
CHARLES J. ``CHUCK'' FLEISCHMANN,    GABRIELLE GIFFORDS, Arizona
    Tennessee                        BEN R. LUJAN, New Mexico
E. SCOTT RIGELL, Virginia
RANDY HULTGREN, Illinois
CHIP CRAVAACK, Minnesota
RALPH M. HALL, Texas                 EDDIE BERNICE JOHNSON, Texas
                                 ------

             Subcommittee on Research and Science Education

                     HON. MO BROOKS, Alabama, Chair
ROSCOE G. BARTLETT, Maryland         DANIEL LIPINSKI, Illinois
BENJAMIN QUAYLE, Arizona             HANSEN CLARKE, Michigan
STEVEN M. PALAZZO, Mississippi       PAUL D. TONKO, New York
ANDY HARRIS, Maryland                JOHN P. SARBANES, Maryland
RANDY HULTGREN, Illinois             TERRI A. SEWELL, Alabama
LARRY BUCSHON, Indiana
DAN BENISHEK, Michigan
RALPH M. HALL, Texas                 EDDIE BERNICE JOHNSON, Texas


                            C O N T E N T S

                        Wednesday, May 25, 2011

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Benjamin Quayle, Chairman,
  Subcommittee on Technology and Innovation, Committee on
  Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative David Wu, Ranking Minority Member,
  Subcommittee on Technology and Innovation, Committee on
  Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Mo Brooks, Chairman, Subcommittee on
  Research and Science Education, Committee on Science, Space,
  and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Daniel Lipinski, Ranking Minority
  Member, Subcommittee on Research and Science Education,
  Committee on Science, Space, and Technology, U.S. House of
  Representatives
    Written Statement

                               Witnesses:

Dr. George Strawn, Director, National Coordination Office,
  Networking and Information Technology Research and Development
  Program
    Oral Statement
    Written Statement
    Biography

Dr. Farnam Jahanian, Assistant Director, Directorate for Computer
  and Information Science and Engineering, National Science
  Foundation
    Oral Statement
    Written Statement
    Biography

Ms. Cita Furlani, Director, Information Technology Laboratory,
  National Institute of Standards and Technology
    Oral Statement
    Written Statement
    Biography

Rear Admiral Michael A. Brown, Director, Cybersecurity
  Coordination, Department of Homeland Security
    Oral Statement
    Written Statement
    Biography

              Appendix: Answers to Post-Hearing Questions

Dr. George Strawn, Director, National Coordination Office,
  Networking and Information Technology Research and Development
  Program

Dr. Farnam Jahanian, Assistant Director, Directorate for Computer
  and Information Science and Engineering, National Science
  Foundation

Ms. Cita Furlani, Director, Information Technology Laboratory,
  National Institute of Standards and Technology

Rear Admiral Michael A. Brown, Director, Cybersecurity
  Coordination, Department of Homeland Security


               PROTECTING INFORMATION IN THE DIGITAL AGE:
                    FEDERAL CYBERSECURITY RESEARCH
                        AND DEVELOPMENT EFFORTS

                              ----------


                        WEDNESDAY, MAY 25, 2011

                  House of Representatives,
      Subcommittee on Technology and Innovation and
     Subcommittee on Research and Science Education
               Committee on Science, Space, and Technology,
                                                    Washington, DC.

    The Subcommittees met, pursuant to call, at 10:05 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Benjamin
Quayle [Chairman of the Subcommittee on Technology and
Innovation] presiding.

                            Hearing Charter

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

               SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION

             SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION

                     U.S. HOUSE OF REPRESENTATIVES

               Protecting Information in the Digital Age:

         Federal Cybersecurity Research and Development Efforts

                        Wednesday, May 25, 2011
                         10:00 a.m.--12:00 p.m.
                   2318 Rayburn House Office Building

I. Purpose

    On Wednesday, May 25, 2011, the Subcommittee on Technology and
Innovation and the Subcommittee on Research and Science Education will
convene a joint hearing to examine Federal agency efforts to improve
our national cybersecurity and prepare the future cybersecurity talent
needed for national security. An overview of cybersecurity research and
development activities will be provided by the Networking and
Information Technology Research and Development program (NITRD), the
National Science Foundation (NSF), the National Institute of Standards
and Technology (NIST), and the Department of Homeland Security (DHS).
In reviewing the activities of the agencies' cybersecurity programs,
the hearing will address: how each agency has responded to and
continues to address objectives of the 2009 Cyberspace Policy Review;
efforts to educate and develop the necessary cybersecurity personnel;
and how standards development is coordinated with other relevant
agencies.

II. Witnesses

Dr. George O. Strawn is the Director of the National Coordination
Office for the Networking and Information Technology Research and
Development Program.

Dr. Farnam Jahanian is the Assistant Director of the Directorate for
Computer and Information Science and Engineering at the National
Science Foundation.

Ms. Cita Furlani is the Director of the Information Technology
Laboratory at the National Institute of Standards and Technology.

Rear Admiral Michael Brown is the Director of Cybersecurity
Coordination in the National Protection and Programs Directorate for
the U.S. Department of Homeland Security.

III. Overview

    In January 2008, the Bush Administration established, through a
series of classified executive directives, the Comprehensive National
Cybersecurity Initiative (CNCI). The Obama Administration has continued
this initiative, with the goal of securing Federal systems and
fostering public-private cooperation. In February 2009, the Obama
Administration called for a 60-day review of the national cybersecurity
strategy. The President's review required the development of a
framework that would ensure that the CNCI was adequately funded,
integrated, and coordinated among Federal agencies, the private sector,
and state and local authorities.
    On May 29, 2009, the Administration released its Cyberspace Policy
Review. The Review recommended an increased level of interagency
cooperation among all departments and agencies, highlighted the need
for information sharing concerning attacks and vulnerabilities, and
highlighted the need for an exchange of research and security
strategies essential to the efficient and effective defense of Federal
computer systems. Furthermore, it stressed the importance of advancing
cybersecurity research and development, and the need for the Federal
Government to partner with the private sector to guarantee a secure and
reliable infrastructure. The Review also called for increased public
awareness, improved education, and expansion of the number of
information technology professionals.
    The House Committee on Science, Space, and Technology held three
Subcommittee hearings in the 111th Congress to explore the state of
federal cybersecurity research and development, to review the findings
and recommendations included in the Administration's Cyberspace Policy
Review, and to review the findings and recommendations of a report from
the Government Accountability Office (GAO) \1\. Both the review and the
report called for an increase in effective public/private partnerships,
and for clarification of roles and responsibilities.
---------------------------------------------------------------------------
    \1\  National Cybersecurity Strategy: Key Improvements Are Needed
to Strengthen the Nation's Posture, Government Accountability Office,
http://www.gao.gov/new.items/d09432t.pdf
---------------------------------------------------------------------------
    Since the release of the Cyberspace Policy Review and the hearings
held in the 111th Congress, NITRD has continued to provide leadership
in coordinating the Federal unclassified research and development. DHS
has been tasked with monitoring Federal civilian networks for cyber
attacks and coordinating the gathering and dissemination of information
on cyber attacks to Federal agencies and private industry. NIST
currently develops cybersecurity standards for non-national security
Federal information technology systems, and NSF acts as the principal
agency supporting unclassified cybersecurity research and development,
education, and the development of cybersecurity professionals.

IV. Legislation

    In June 2009, GAO found that the Federal agencies responsible for
protecting the U.S. Information Technology (IT) infrastructure were not
satisfying their responsibilities, leaving the Nation's IT
infrastructure vulnerable to attack. In an effort to strengthen the
work of those Federal agencies, the U.S. House of Representatives
passed the Cybersecurity Enhancement Act of 2010 (H.R. 4061) in the
111th Congress. H.R. 4061 required increased coordination and
prioritization of Federal cybersecurity research and development
activities, and the development of cybersecurity technical standards.
It also strengthened cybersecurity education and talent development and
industry partnership initiatives. The Senate did not act on the
legislation.
    The Obama Administration released a cybersecurity legislative
proposal \2\ on May 12, 2011. The proposed legislation is focused on
simplifying and standardizing data breach reporting, and it sets
penalties for computer crimes. The Administration's proposal requires
that DHS work with industry to identify the core critical-
infrastructure operators, and that the agency prioritize the most
important cyber threats and vulnerabilities for those operators. In
addition, specific cybersecurity risks must be addressed by
standardized frameworks, to be developed by private sector
representatives and evaluated by DHS. If DHS determines that the
standardized frameworks developed by industry are insufficient, DHS
will develop alternative frameworks with advice and guidance from the
Director of NIST. The Administration proposal would also update the
Federal Information Security Management Act (FISMA) and would formalize
DHS's current role in managing cybersecurity for the Federal
Government's civilian computers and networks in order to provide
departments and agencies with a shared source of expertise.
---------------------------------------------------------------------------
    \2\ http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/Law-Enforcement-Provisions-Related-to-Computer-Security-Full-Bill.pdf
---------------------------------------------------------------------------

V. Issues and Concerns

    Research and Development
    Cybersecurity research and development efforts include working on
the prevention of cyber attacks, detecting attacks as they are
occurring, responding to attacks effectively, mitigating severity,
recovering quickly, and identifying responsible parties. In December
2010, the President's Council of Advisors on Science and Technology
(PCAST) reported on Federally funded research and development in
networking and information technology. The report made several
recommendations, including investing in long-term, multi-agency
research initiatives in security and cyber infrastructure and enhancing
the effectiveness of government coordination of networking and
information research and development.
    Research and development provides a greater understanding of
weaknesses in systems and networks and of how to protect those systems
and networks. The Subcommittees will examine the integration of
research and development activities within the Federal Government's
cybersecurity efforts, given its importance in increasing security over
the long term. The hearing will explore current government research and
development investments to ensure they are properly focused to provide
effective and lasting cybersecurity, and will assess the challenges to
establishing a prioritized national research and development agenda
that strategically includes near-term, mid-term, and long-term goals.

    Education and the Development of Cybersecurity Professionals
    Well-trained professionals are essential to the implementation of
security techniques in critical computer and network systems.
Institutions of higher education are working to create and improve
cyber education and training programs focused on ensuring an adequate
number of relevant cyber professionals. Furthermore, public awareness
about protecting personal information is another area of identified
need within cybersecurity education. Federal agencies engaged in
cybersecurity activities currently support a number of cybersecurity
education, training, and development programs. The Subcommittees will
consider the coordination and implementation of these activities across
Federal agencies.

    Standards Development
    The Subcommittees will examine NIST's current and future role in
the development of benchmarks, guidelines, and standards for
cybersecurity, in conjunction with other government agencies and the
private sector. The Subcommittees will also examine the appropriate
role for NIST in facilitating the voluntary critical infrastructure
cybersecurity standards as envisioned in the Administration's
legislative package.

    Agency Coordination
    Since 1991, Federal agencies have been required to set goals,
prioritize investments, and coordinate activities in networking and
information technology research and development. The Subcommittees will
explore what measures have been taken to improve the coordination of
Federal cybersecurity research and development efforts and the best
approach to improve the coordination of private sector critical
infrastructure and network cybersecurity. This hearing will also
examine how agencies are coordinating cybersecurity standards
development.

VI. Background

    In the current system, Federal Government responsibilities for
cybersecurity research and development, coordination, and education
fall on many different agencies. The National Security Agency (NSA) is
responsible for all classified network systems. The Department of
Defense (DOD) is responsible for military network systems, and DHS is
the lead agency for all Federal civilian network systems. Additionally,
DHS is responsible for communicating information on cyber attacks to
other Federal agencies. The NITRD program coordinates unclassified
cybersecurity research and development across 14 Federal agencies and
is currently chaired by the Director of the National Coordination Office
and the NSF Assistant Director of the Directorate for Computer and
Information Science and Engineering. NSF funds a majority of Federal
basic cybersecurity research and development and education efforts.
Three other key agencies, NIST, DHS, and DOD, also fund significant
cybersecurity research and development. NIST develops and promulgates
standards to help secure Federal civilian network systems, and the
Office of Management and Budget (OMB) implements and enforces the
standards set by NIST.

    Networking and Information Technology Research and Development
Program
    The Networking and Information Technology Research and Development
(NITRD) program coordinates unclassified cybersecurity research and
development across 14 Federal agencies (additional agencies informally
participate in NITRD).
    The High-Performance Computing Act of 1991 (PL 102-194) established
NITRD. The Act has since been amended through the Next Generation
Internet Research Act of 1998 and the America COMPETES Act of 2007. In
the 111th Congress, the U.S. House of Representatives passed the
National Information and Technology Research and Development
Reauthorization Act (H.R. 2020). The bill sought to prioritize and
strengthen Federal information technology activities across the Federal
government. The Senate did not act on this legislation.
    In December 2010, the President's Council of Advisors on Science
and Technology (PCAST) completed a legislatively required report on
NITRD. The report, entitled Designing a Digital Future: Federally
Funded Research and Development in Networking and Information
Technology, found that ``NITRD is well coordinated and that the U.S.
computing research community, coupled with a vibrant Networking and
Information Technology (NIT) industry, has made seminal discoveries and
advanced new technologies that are helping meet many societal
challenges.'' \3\ The PCAST report included several recommendations,
including increasing investments in long-term, multi-agency research
initiatives in security and cyberinfrastructure, and enhancing the
effectiveness of government coordination of NIT research and
development.
---------------------------------------------------------------------------
    \3\  President's Council of Advisors on Science and Technology,
Report to the President and Congress December 2010, Designing a Digital
Future: Federally Funded Research and Development in Networking and
Information Technology, p. v
---------------------------------------------------------------------------
    In February 2011, NITRD released its Supplement to the President's
Budget request. The Supplement is a summary of the NITRD research
activities planned and coordinated for Fiscal Year (FY) 2012. The NITRD
request totals $3.9 billion for FY 2012, a 1.9 percent increase from FY
2010 expenditures. The NITRD Supplement also breaks down budget
requests for the fourteen Federal agencies involved in NITRD according
to Program Component Areas, including Cyber Security and Information
Assurance and Social, Economic, and Workforce Implications of IT \4\:
---------------------------------------------------------------------------
    \4\  Subcommittee on Networking and Information Technology Research
and Development, Supplement to the President's Budget for Fiscal Year
2010, p. 28
---------------------------------------------------------------------------

    National Science Foundation
    NSF is the principal agency supporting unclassified cybersecurity
research and development and education. NSF provides the largest
Federal investment in cyber-related research and development
activities. The February 2011 NITRD Supplement to the President's FY
2012 Budget totals NSF's budget request for advanced technologies (which
combines eight Program Component Areas) at nearly $1.3 billion, with
$94.7 million dedicated for cybersecurity and information assurance and
$98 million dedicated to the social, economic, and workforce
implications of IT.
    At NSF, the Directorate for Computer and Information Science and
Engineering (CISE) is the principal directorate promoting the progress
of computer and information science. CISE works across its three
Divisions and across a number of NSF Directorates, focusing on theory,
people, and systems. Programs like Trustworthy Computing and
Cybersecurity Research, Computing Education for the 21st Century,
Science and Engineering Beyond Moore's Law, and Cyber Infrastructure
Framework for the 21st Century are only a handful of CISE cross-cutting
programs. CISE's FY 2012 budget request includes a 17.7 percent
increase over FY 2010 funding, totaling $728.4 million.
    NSF has also made significant investments in cybersecurity
education and workforce through the Directorate on Education and Human
Resources (EHR). EHR's Scholarship for Service program provides awards
to increase the number of students entering the computer security and
information assurance fields, and to increase the capacity of
institutions of higher education to produce professionals in these
fields. EHR also offers Advanced Technological Education grants
educating technicians for high-technology fields with a focus on two-
year colleges.

    National Institute of Standards and Technology
    The NIST Information Technology Laboratory (ITL) promotes
innovation and competitiveness through research and development in
information technology, mathematics, and statistics. ITL, which is made
up of six divisions, manages the majority of NIST cybersecurity
activities, primarily through the Computer Security Division (CSD). CSD
provides standards and technology to protect information systems
against threats to the confidentiality, integrity, and availability of
information and services.
    NIST has extensive experience in developing cybersecurity standards
and guidelines. NIST's core cybersecurity focus areas include:
research, development, and specification; secure system and component
configuration; and assessment and assurance of security properties of
products and systems.
    NIST develops and issues cybersecurity standards through Federal
Information Processing Standards (FIPS). NIST also develops standards
in conjunction with national and international consensus standards
bodies. NIST publishes cybersecurity guidelines through Special
Publications (NIST SP) and Interagency Reports (NISTIR).
    The Computer Security Act of 1987 (PL 100-235), later replaced by
the Information Technology Management Reform Act of 1996 (P.L. 104-
106), gave NIST the authority to develop standards and guidelines to
secure non-classified Federal information systems. Title III of the E-
Government Act (PL 107-347), entitled the Federal Information Security
Management Act of 2002 (FISMA), tasked NIST with developing
cybersecurity standards, guidelines, and associated methods and
techniques for use by the Federal Government.
    The Administration's 2009 Cyberspace Policy Review listed trusted
identities as a key issue in improving cybersecurity. On April 15,
2011, the Administration released its National Strategy for Trusted
Identities in Cyberspace (NSTIC), with a focus on establishing identity
solutions and privacy-enhancing technologies to improve the security
and convenience of sensitive online transactions. As part of the
strategy, the Administration plans to establish a National Program
Office (NPO), which will be led by NIST within the Department of
Commerce, to manage the Federal Government's role in implementing
NSTIC. NIST included $24.5 million in its FY 2012 budget request to
fund the NPO and to provide grants and other funding programs to
conduct pilot projects of trusted authentication systems.

    Department of Homeland Security
    DHS is responsible for coordinating the overall national effort to
enhance the protection of the critical infrastructure and key resources
of the United States \5\. DHS works to prevent or minimize disruptions
to our critical information infrastructure in order to protect the
public, economy, government services, and the overall security of the
United States by supporting a series of continuous efforts designed to
further safeguard Federal Government systems by reducing potential
vulnerabilities, protecting against cyber intrusions, and anticipating
future threats.
---------------------------------------------------------------------------
    \5\  Homeland Security Presidential Directive-7: Critical
Infrastructure Identification, Prioritization, and Protection. December
17, 2003. http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm#1
---------------------------------------------------------------------------
    The DHS Science and Technology Directorate (S&T) conducts and
supports research, development, testing, evaluation, and transition for
advanced cybersecurity and information assurance technologies to secure
the Nation's current and future cyber and critical infrastructures. The
President's National Strategy to Secure Cyberspace \6\ and the
Comprehensive National Cybersecurity Initiative \7\ detail DHS S&T's
research and development roles and responsibilities. Cybersecurity
research within DHS S&T is planned, managed, and coordinated through
the Cyber Security Research and Development Center. This center
supports the research efforts of the Homeland Security Advanced
Research Projects Agency (HSARPA), coordinates the testing and
evaluation of technologies, and manages technology transfer efforts.
The FY 2012 budget request for the DHS S&T Cybersecurity Division is
$64.1 million.
---------------------------------------------------------------------------
    \6\  The National Strategy to Secure Cyberspace, February 2003.
http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf
    \7\  Comprehensive National Cybersecurity Initiative. May 2009.
http://www.whitehouse.gov/sites/default/files/cybersecurity.pdf
---------------------------------------------------------------------------
    Housed within the National Protection and Programs Directorate
(NPPD), the National Cyber Security Division (NCSD) is the operational
arm of DHS's Office of Cybersecurity and Communications (CS&C). NCSD
works collaboratively with public, private, and international entities
to secure cyberspace and America's cyber assets, and protect cyber
infrastructure through two overarching objectives: building and
maintaining an effective national cyberspace response system, and
implementing a cyber-risk management program for the protection of
critical infrastructure. Numerous programs housed within NPPD work on
cybersecurity-related issues. The total FY 2012 budget request, as
related to cyber programs, totals more than $500 million.
    NCSD programs include the United States Computer Emergency
Readiness Team (US-CERT), which is responsible for analyzing and
reducing cyber threats and vulnerabilities, disseminating cyber threat
warning information through the National Cyber Alert System, and
coordinating incident response activities. The National Cyber Response
Coordination Group (NCRCG) is the principal Federal agency mechanism
for cyber incident response. In the event of a nationally significant
cyber-related incident, the NCRCG, which is made up of 13 Federal
agencies, helps to coordinate the Federal response, including that of
US-CERT, and the cybersecurity groups of DOD, the Federal Bureau of
Investigation, the NSA, and the intelligence community.
    The coordinated efforts of DHS to reduce risk and improve the
resilience of the nation's critical infrastructure are facilitated with
many departments and agencies. DHS works with OMB to reduce and
consolidate the number of external connections that Federal agencies
have to the internet through the Trusted Internet Connection
initiative. This initiative allows DHS to focus monitoring efforts, and
block against cyber attacks on government computers. The EINSTEIN
system, which is designed to provide intrusion protection and early
warning of intrusions, shares information with DOD for enhanced
situational awareness. DHS, OMB, and NIST coordinate the protection of
agency information systems through compliance with FISMA, and DHS also
coordinates with the Department of Justice to enable real-time
assessments of baseline security postures across individual agencies
and the Federal enterprise as a whole.

    Chairman Quayle. The Subcommittee on Technology and
Innovation and the Subcommittee on Research and Science
Education will come to order.
    Good morning, everybody. Welcome to today's hearing
entitled ``Protecting Information in the Digital Age: Federal
Cybersecurity Research and Development.'' In front of you are
packets containing the written testimony, biographies and truth
in testimony disclosures for today's witness panel.
    Before we get started, since this is a joint hearing
involving two Subcommittees, I want to explain how we will
operate procedurally so all Members understand how the
question-and-answer period will be handled. As always, we will
alternate between the majority and the minority Members, and
allow all Members an opportunity for questioning before
recognizing a Member for a second round of questions. We will
recognize those Members of either Subcommittee present at the
gavel in order of seniority on the Full Committee, and those
coming in after the gavel will be recognized in order of
arrival. I now recognize myself for five minutes for an opening
statement.
    It is next to impossible to ignore the relevance of
cybersecurity these days. News coverage has increasingly
focused on cyber vulnerabilities, covering stories such as
companies losing personnel information or customers' financial
data, or a government database being compromised by a malicious
hacker. Perhaps most unsettling is that most stakeholders agree
that our national cybersecurity response has not kept pace with
the threats.
    In early 2008, the need to increase network security was
brought to the forefront when President Bush formally
established the Comprehensive National Cybersecurity Initiative
(CNCI) to deal with widespread cyberattacks on federal
networks. Early in his administration, President Obama
committed to continue this effort, and expanded it through the
2009 Cyberspace Policy Review, which identified a number of
problems to be addressed through both near-term and mid-term
actions. At that time, the Committee on Science, Space, and
Technology held a series of hearings evaluating the state of
cybersecurity research and development and the recommendations
contained within the review.
    Security efforts are often focused on the past and designed
to respond to the most recently faced attack. However, the
technology sector is exceptionally dynamic, and where possible,
we need to attempt to anticipate vulnerabilities and future
threats. This is where research and development and proper
coordination can make a contribution.
    It has now been a number of years since the review
identified vulnerabilities across federal agencies. We are here
today in part to evaluate what progress has been made.
Additionally, as new threats emerge, we must assess whether we
are staying ahead with research and development. Finally, we
must make sure that we are appropriately tracking federally
funded research and development initiatives. Since multiple
agencies have cybersecurity responsibilities, and federal
efforts in this area are growing, I am concerned that agencies
may compete with each other for cyber ownership.
    Congress must ensure that agencies are working
collaboratively to prevent work from being duplicated at the
cost of precious taxpayer funds.
    Several agencies before us today have an important role in
the development of cybersecurity standards. We should not
underestimate the value of standards, whether they are minimum
security measures for use by federal government agencies to
protect information, or a framework to address cybersecurity
risks for critical infrastructure. The lead responsibility for
working closely with industry to develop successful standards
has historically fallen to NIST.
We would like to ensure that \nany comprehensive cybersecurity legislation effectively \nleverages the expertise of all federal assets.\n    I should also note that today\'s hearing is focused on \nfederal cybersecurity stakeholders. Notably absent are those \nwho design, build, own and operate the majority of the digital \ninfrastructure in our nation. To that end, I intend to hold \nfurther discussions related to cybersecurity issues through \nfuture hearings of the Technology and Innovation Subcommittee \nthat will include voices from the private sector.\n    I would like to thank my co-Chairman, Congressman Brooks, \nfor sharing leadership on this important hearing. I also thank \nthe witnesses for being here today and I look forward to a \nproductive discussion.\n    [The prepared statement of Mr. Quayle follows:].\n             Prepared Statement of Chairman Benjamin Quayle\n    It is next to impossible to ignore the relevance of cybersecurity \nthese days. News coverage has increasingly focused on cyber \nvulnerabilities covering stories such as a company losing personnel \ninformation or customers\' financial data, or a government database \nbeing compromised by a malicious hacker. Perhaps most unsettling, is \nthat most stakeholders agree that our national cybersecurity response \nhas not kept pace with the threats.\n    In early 2008, the need to increase network security was brought to \nthe forefront when President Bush formally established the \nComprehensive National Cybersecurity Initiative (CNCI) to deal with \nwidespread cyberattacks on Federal networks.\n    Early in his administration, President Obama committed to continue \nthis effort, and expanded it through the 2009 Cyberspace Policy Review, \nwhich identified a number of problems to be addressed through both \nnear-term and mid-term actions. 
At that time, the Committee on Science, \nSpace and Technology held a series of hearings evaluating the state of \ncybersecurity research and development and the recommendations \ncontained within the Review.\n    Security efforts are often focused on the past, and designed to \nrespond to the most recently faced attack. However, the technology \nsector is exceptionally dynamic, and where possible, we need to attempt \nto anticipate vulnerabilities and future threats. This is where \nresearch and development and proper coordination can make a \ncontribution.\n    It has now been a number of years since the Review identified \nvulnerabilities across federal agencies. We are here today in part to \nevaluate what progress has been made.\n    Additionally, as new threats emerge, we must assess whether we are \nstaying ahead with research and development. Finally, we must make sure \nthat we are appropriately tracking federally funded research and \ndevelopment initiatives. Since multiple agencies have cybersecurity \nresponsibilities, and federal efforts in this area are growing, I am \nconcerned that agencies may compete with each other for cyber \nownership. Congress must ensure that agencies are working \ncollaboratively to prevent work from being duplicated at the cost of \nprecious taxpayer funds.\n    Several agencies before us today have an important role in the \ndevelopment of cybersecurity standards. We should not underestimate the \nvalue of standards - whether they are minimum security measures for use \nby federal government agencies to protect information, or a framework \nto address cybersecurity risks for critical infrastructure. 
The lead \nresponsibility for working closely with industry to develop successful \nstandards has historically fallen to NIST.\n    We would like to ensure that any comprehensive cybersecurity \nlegislation effectively leverages the expertise of all federal assets.\n    I should also note that today\'s hearing is focused on federal \ncybersecurity stakeholders. Notably absent are those who design, build, \nown, and operate the majority of the digital infrastructure in our \nnation. To that end, I intend to further the discussion of related \ncybersecurity issues through future hearings of the Technology and \nInnovation Subcommittee that will include voices from the private \nsector.\n    I would like to thank my co-Chairman, Congressman Brooks, for \nsharing leadership on this important hearing. I also thank the \nwitnesses for being here today and I look forward to a productive \ndiscussion.\n\n    Chairman Quayle. I would now like to recognize the \ngentleman from Oregon, Mr. Wu, for his opening statement.\n    Mr. Wu. Thank you, Mr. Chairman, for calling this very, \nvery important hearing, and thanks to all the witnesses for \nbeing with us today.\n    More and more of our personal information is making its way \nonline and our Nation\'s entire infrastructure from traffic \nsystems to the electricity grid to manufacturing to our health \ninformation is becoming increasingly dependent on secure and \nreliable access to the Internet, and I can think of few topics \nmore important to this Committee to address than cybersecurity, \nand in the last Administration it was referred to as the \ngreatest threat to our national security standing today, and I \nagree with that assessment.\n    Anyone following the headlines recently knows that \ncybercrimes are becoming more frequent. Sony\'s PlayStation \nnetwork has been repeatedly targeted, exposing the personal \ninformation of over 100 million users. 
A server at NASA was \nrecently targeted, revealing satellite data, and social media \nsites like Facebook are constantly targeted by phishing scams \nand other cyberattacks.\n    I am pleased that this Administration has provided Congress \nwith the legislative framework to consider ways to address \nvarious vulnerabilities. The proposal focuses primarily on the \nrole and authority of the Department of Homeland Security in \nsecuring non-defense systems. I look forward to working with \nChairman Quayle and the other Members of the Subcommittee and \nthe Full Committee to ensure that NIST\'s expertise in \ninformation security is maintained, especially in the \ndevelopment of technical standards and as a facilitator of \nprivate sector collaboration.\n    I am also interested in ensuring that any comprehensive \nHouse bill advances cybersecurity research and development and \nlays out a clear strategy for building a highly skilled federal \ncyber workforce.\n    According to OMB, last year federal agencies spent $12 \nbillion on cybersecurity to protect the $80 billion federal \ninformation technology infrastructure. Additionally, the \nFederal Government funds about $400 million in cybersecurity \nresearch each year.\n    Despite this considerable funding and many federal employee \nhours spent on this issue, the assessment remains the same: Our \ncybersecurity is insufficient. We need to use existing \nresources more efficiently and with specific achievable goals \nin mind.\n    Previously, federal efforts have been output-oriented, \nfocusing on metrics such as the number of programs, funds spent \nand the number of interagency working groups rather than \noutcome-driven. 
I am pleased that the current Administration is \nfocusing its efforts on achieving outcomes such as reducing \nbreaches of federal systems and cases of identity theft as well \nas ensuring the security of smart grid and health IT systems.\n    It is true that the Administration\'s Cyberspace Policy \nReview reemphasized recommendations from previous reports \nincluding improving information sharing, bolstering cross-\nsector coordination, modernizing the research agenda, and \nenhancing public cybersecurity awareness. But the review was \nalso successful in outlining a concrete vision and set of \nobjectives that have been steadily addressed by the \nAdministration over the last two years. For example, the \ncreation of a national initiative for cybersecurity education \nto educate consumers about online risks and to provide training \nto build a skilled cybersecurity workforce--I am fond of saying \nthat some aspects of cybersecurity are rocket science but \nothers are relatively simple like wearing your seat belt or \nwashing your hands--the development of the National Strategy \nfor Trusted Identities in Cyberspace to combat online fraud and \nstrengthen privacy, and the recent release of an international \nstrategy for cyberspace that calls for the development of \ninternational standards aimed at preventing barriers to trade, \ncommerce, and an open environment that fosters free expression \nand innovation around the world. By addressing these \nrecommendations, we are laying the building blocks for a new \noutcome-based approach to federal cybersecurity.\n    The agencies appearing before the Committee today have a \nsignificant role to play in creating that foundation. 
During \ntoday\'s hearing, I hope to learn how each agency has progressed \ntoward meeting the goals and objectives outlined in the \nAdministration\'s review, the agency\'s plans going forward, and \nthe impact of the Administration\'s legislative proposal on \ntheir current roles and authorities. This information will help \nguide the Committee\'s ongoing efforts to protect our Nation \nfrom cyberattacks.\n    Again, I would like to thank the witnesses for being here \ntoday and I look forward to your testimony.\n    Thank you, Mr. Chairman. I yield back the balance of my \ntime.\n    [The prepared statement of Mr. Wu follows:]\n             Prepared Statement of Ranking Member David Wu\n    Thank you, Chairman Quayle, for calling this hearing. And thank you \nto our witnesses for being here today.\n    More and more of our personal information is making its way online, \nand our nation\'s entire infrastructure-from traffic systems and the \nelectricity grid to manufacturing-is becoming increasingly dependent on \nsecure and reliable access to the internet. I can think of few topics \nmore important for this Committee to address than cybersecurity.\n    Anyone following the headlines recently knows that cybercrimes are \nbecoming more frequent- Sony\'s PlayStation network has been repeatedly \ntargeted by hackers, exposing the personal information of over 100 \nmillion users; a server at NASA was recently targeted revealing \nsatellite data; and social media sites like Facebook are consistently \ntargeted by phishing scams and other cyber attacks.\n    I\'m pleased that the Administration has provided Congress with a \nlegislative framework to consider ways to address various \nvulnerabilities. 
The proposal focuses primarily on the role and \nauthority of the Department of Homeland Security in securing non-\ndefense systems.\n    I look forward to working with Chairman Quayle and the other \nmembers of this Subcommittee to ensure that NIST\'s expertise in \ninformation security is maintained-especially in the development of \ntechnical standards and as a facilitator of private-sector \ncollaboration. I am also interested in ensuring that any comprehensive \nHouse bill advances cybersecurity research and development and lays out \na clear strategy for building a highly-skilled federal cyberworkforce.\n    According to OMB, last year Federal agencies spent $12 billion on \ncybersecurity to protect the $80 billion dollar federal information \ntechnology infrastructure. Additionally, the Federal government funds \nabout $400 million in cybersecurity research each year.\n    Despite this considerable funding and many federal employee hours \nspent on this issue, the assessment remains the same: our cybersecurity \nis insufficient. We need to use existing resources more efficiently and \nwith specific achievable goals in mind.\n    Previously, federal efforts have been output oriented-focusing on \nmetrics such as the number of programs, funds spent, and the number of \ninter-agency working groups-rather than outcome driven. I am pleased \nthat the current Administration is focusing its efforts on achieving \noutcomes--such as reducing breaches of federal systems and cases of \nidentity theft, as well as ensuring the security of smart grid and \nhealth IT systems.\n    It\'s true that the Administration\'s Cyberspace Policy Review re-\nemphasized recommendations from previous reports--including improving \ninformation sharing, bolstering cross-sector coordination, modernizing \nthe research agenda, and enhancing public cybersecurity awareness. 
But \nthe review was also successful in outlining a concrete vision and set \nof objectives that have been steadily addressed by the Administration \nover the last two years. For example:\n\n        <bullet>  the creation of a National Initiative for \n        Cybersecurity Education to educate consumers about online risks \n        and provide training to build a skilled cybersecurity \n        workforce;\n\n        <bullet>  the development of the National Strategy for Trusted \n        Identities in Cyberspace to combat online fraud and strengthen \n        privacy;\n\n        <bullet>  and the recent release of an International Strategy \n        for Cyberspace that calls for the development of international \n        standards aimed at preventing barriers to trade, commerce, and \n        an open environment that fosters free expression and innovation \n        around the world.\n    By addressing these recommendations, we are laying the building \nblocks for a new, outcome-based approach to federal cybersecurity. The \nagencies appearing before the Committee today have a significant role \nto play in creating that foundation.\n    During today\'s hearing, I hope to learn how each agency has \nprogressed toward meeting the goals and objectives outlined in the \nAdministration\'s review, the agencies\' plans going forward, and the \nimpact of the Administration\'s legislative proposal on their current \nroles and authorities. This information will help guide the Committee\'s \nongoing efforts to protect our nation from cyber attacks.\n    I\'d like to again thank the witnesses for being here today and I \nlook forward to your testimony. Thank you, Mr. Chairman. I yield back \nthe balance of my time.\n\n    Chairman Quayle. Thank you, Mr. Wu.\n    I now recognize the Chairman of the Subcommittee on \nResearch and Science Education, Mr. Brooks, for his opening \nstatement.\n    Mr. Brooks. 
Thank you, Chairman Quayle.\n    Good morning and welcome to each of our witnesses. As my \nfellow Chairman already pointed out, our hearing topic today, \ncybersecurity, is a dynamic issue that plays a role in a myriad \nof fields from our Nation\'s infrastructure to our private \nlives. It is an issue that is not only of interest to the \ngovernment and industry, but also affects each of us \npersonally.\n    The Research and Science Education Subcommittee, of which I \nam the Chairman, shares jurisdiction of this issue with the \nTechnology and Innovation Subcommittee for a number of reasons. \nIn large part, this is due to the essential basic research \ntaking place on cyber-related issues, conducted in large part \nthrough the National Science Foundation\'s Directorate for \nComputer and Information Science and Engineering (CISE). \nLikewise, NSF has an important role to fill regarding the \ncybersecurity workforce pipeline and education.\n    In addition, the Subcommittee also authorizes and has \noversight over the cyber-related work of the interagency \nNetworking and Information Technology Research and Development \nprogram, also known as NITRD, which coordinates the Nation\'s \nunclassified federal research development efforts in \ncybersecurity.\n    Today our witnesses include a number of federal agency \nrepresentatives who will be able to discuss specific agency \npriorities related to cybersecurity research and development, \nas well as the larger issue of collaboration and coordination \nacross the Federal Government.\n    While I recognize and understand the essential functions of \ncybersecurity research and development, I am looking forward to \nan earnest discussion on the recent fiscal year 2012 budget \nrequests. NSF\'s CISE Directorate requested over $728 million \nfor fiscal year 2012, a 17.7 percent increase over fiscal year \n2010. 
The fiscal year 2012 budget request for the NITRD program \nis $3.866 billion, a $73 million increase over fiscal year 2010 \nexpenditures. Our role in Congress is to ensure that federal \ninvestments are made wisely, and once made, investments must \nproduce significant value for the Nation.\n    I look forward to our discussion today. Thank you for \njoining us.\n    [The prepared statement of Mr. Brooks follows:]\n                Prepared Statement of Chairman Mo Brooks\n    Thank you Chairman Quayle. Good morning, and welcome to each of our \nwitnesses. As my fellow Chairman already pointed out, our hearing topic \ntoday, cybersecurity, is a dynamic issue area that plays a role in a \nmyriad of fields from our Nation\'s infrastructure to our private lives. \nIt is an issue that is not only of interest to the government and \nindustry, but also affects each of us personally.\n    The Research and Science Education Subcommittee, of which I am the \nChairman, shares jurisdiction of this issue with the Technology and \nInnovation Subcommittee for a number of reasons. In large part, this is \ndue to the essential basic research taking place on cyber-related \nissues, conducted in large part through the National Science \nFoundation\'s Directorate for Computer and Information Science and \nEngineering (CISE). Likewise, NSF has an important role to fill \nregarding the cybersecurity workforce pipeline and education.\n    In addition, the Subcommittee also authorizes and has oversight \nover the cyber-related work of the interagency Networking and \nInformation Technology Research and Development program (NITRD). 
NITRD \n(Niter-dee) coordinates the Nation\'s unclassified federal research \ndevelopment efforts in cybersecurity.\n    Today our witnesses include a number of Federal agency \nrepresentatives who will be able to discuss specific agency priorities \nrelated to cybersecurity research and development, as well as the \nlarger issue of collaboration and coordination across the Federal \ngovernment.\n    While I recognize and understand the essential functions of \ncybersecurity research and development, I am looking forward to an \nearnest discussion on the recent FY12 budget requests. NSF\'s CISE \nDirectorate requested over $728 million for FY12, a 17.7 percent \nincrease from FY10. The FY12 budget request for the NITRD Program is \n$3.866 billion, a $73 million dollar increase over FY10 expenditures.\n    Our role in Congress is to ensure that Federal investments are made \nwisely, and once made, investments must produce significant value for \nthe Nation. I look forward to our discussion today.\n    Thank you for joining us.\n\n    Chairman Quayle. Thank you, Mr. Brooks.\n    The Chair now recognizes Mr. Lipinski for an opening \nstatement.\n    Mr. Lipinski. Good morning. I want to thank you, Chairman \nQuayle, and also Chairman Brooks for holding this hearing.\n    I agree with my colleagues\' remarks on the nature and \nseverity of the challenges we face in cybersecurity in both the \npublic and private sectors. Cybercrime is a problem for our \nnational security, for businesses large and small, and for \nevery single American. Like Mr. Wu, I can think of no more \nimportant topic for this Committee to address.\n    While there are several other agencies not here today who \nalso play a significant role in cybersecurity, the three \nagencies that are represented here are all central to these \nefforts. 
I know some of my colleagues will address the cyber \nefforts of NIST and DHS, so I would like to highlight those of \nthe National Science Foundation.\n    NSF is the agency overseen by the Research and Science \nEducation Subcommittee and is second only to the Department of \nDefense in its support for cybersecurity research. In addition, \nNSF uniquely funds research across the entire range of science \nand engineering disciplines that are relevant to cybersecurity, \nand joins only DARPA in supporting truly game-changing \nresearch. It is also significant that the Director of the \ninteragency NITRD program is here today since all of the \ncivilian agencies coordinate their cybersecurity R&D activities \nthrough NITRD.\n    I want to highlight one particular area that is often left \nout of discussions on cybersecurity research needs, and that is \nthe human element of cybersecurity. People are perhaps the most \nimportant part of our IT infrastructure, and according to \nexperts, they are also the weakest link in many systems. Better \ncybersecurity education for both the general public and for \ncurrent and future IT professionals is vital. However, there is \nstill a lot we don\'t understand about how humans interact with \ntechnology. Therefore, more research into the social and \nbehavioral sciences has the potential to significantly improve \nthe security of our IT systems. I am happy to see that the \nsocial, behavioral, and economic sciences directorate at NSF \nnow has a more explicit role in the agency\'s Trustworthy \nComputing initiative. In the end, our cybersecurity efforts can \nonly be as strong as our weakest link. I look forward to \nhearing more from Dr. Jahanian about that.\n    We last held a series of hearings on cybersecurity in 2009, \nwhen I was Chair of the Research and Science Education \nSubcommittee. We learned at that time about the respective \nroles of different agencies and we received extensive outside \nexpert testimony. 
We also learned that a lot had changed since \nCongress, led by this Committee, enacted the 2002 Cybersecurity \nR&D Act. That is why last Congress I introduced the \nCybersecurity Enhancement Act of 2010, building on the 2002 \nAct. That bill, like today\'s hearing, was a joint effort \nbetween my Subcommittee and T&I, then chaired by my friend Mr. \nWu. Mr. McCaul, who has been a strong leader on cybersecurity \nissues, joined me as the lead Republican cosponsor, and the \nbill passed the House by a margin of 422 to 5. Since our bill, \nlike so many others, never made it through the Senate in the \nlast Congress, I am now joining Mr. McCaul in introducing an \nupdated version. We are still making some small modifications, \nbut I am hoping we can introduce the bill soon, perhaps as \nearly as this week. I know the witnesses were asked about this \nlegislation, and I look forward to hearing your thoughts and \nfeedback today.\n    We are anticipating that our R&D bill will be part of a \nbigger, bipartisan cybersecurity bill in both the House and \nSenate. The efforts to move a larger bill have stalled for some \ntime over disagreements about how to assign leadership and \ncoordination responsibilities across the government. I am glad \nthat the President is taking an active role in this discussion, \nand I hope that the proposal the White House sent up to \nCongress two weeks ago will help to move efforts along in both \nchambers. I look forward to working with both my colleagues and \nthe Administration to ensure the development of a strong cyber \nsecurity strategy.\n    I want to thank all of our witnesses for being here this \nmorning and I look forward to hearing your testimonies, and I \nyield back.\n    [The prepared statement of Mr. Lipinski follows:]\n          Prepared Statement of Ranking Member Daniel Lipinski\n    Ranking Member, Subcommittee on Research & Science Education\n    Good morning. 
I want to thank both Chairman Quayle and Chairman \nBrooks for holding this hearing. I agree with my colleagues\' remarks on \nthe nature and severity of the challenges we face in cybersecurity in \nboth the public and private sectors. Cybercrime is a problem for our \nnational security, for businesses large and small, and for every single \nAmerican. Like Mr. Wu, I can think of no more important topic for this \ncommittee to address.\n    While there are several other agencies not here today who also play \na significant role in cybersecurity, the three agencies that are \nrepresented here are all central to these efforts. I know some of my \ncolleagues will address the cyber efforts of NIST and DHS, so I\'d like \nto highlight those of the National Science Foundation. NSF is the \nagency overseen by the Research and Science Education Subcommittee and \nis second only to the Department of Defense in its support for \ncybersecurity research. In addition, NSF uniquely funds research across \nthe entire range of science and engineering disciplines that are \nrelevant to cybersecurity, and joins only DARPA in supporting truly \ngame-changing research. It is also significant that the Director of the \ninteragency NITRD program is here today since all of the civilian \nagencies coordinate their cybersecurity R&D activities through NITRD.\n    I want to highlight one particular area that is often left out of \ndiscussions on cybersecurity research needs, and that is the human \nelement of cybersecurity. People are perhaps the most important part of \nour IT infrastructure, and according to experts, they are also the \n`weakest link\' in many systems. Better cyber security education for \nboth the general public and for current and future IT professionals is \nvital. 
However, there\'s still a lot we don\'t understand about how \nhumans interact with technology; therefore, more research into the \nsocial and behavioral sciences has the potential to significantly \nimprove the security of our IT systems. I am happy to see that the \nsocial, behavioral, and economic sciences directorate at NSF now has a \nmore explicit role in the agency\'s trustworthy computing initiative. In \nthe end, our cybersecurity efforts can only be as strong as our \n`weakest link\'. I look forward to hearing more from Dr. Jahanian about \nthat.\n    We last held a series of hearings on cybersecurity in 2009, when I \nwas chair of the Research and Science Education Subcommittee. We \nlearned at that time about the respective roles of different agencies \nand we received extensive outside expert testimony. We also learned \nthat a lot had changed since Congress, led by this committee, enacted \nthe 2002 Cybersecurity R&D Act. That is why last Congress I introduced \nthe Cybersecurity Enhancement Act of 2010, building on the 2002 Act. \nThat bill, like today\'s hearing, was a joint effort between my \nsubcommittee and T&I, then chaired by my friend Mr. Wu. Mr. McCaul, who \nhas been a strong leader on cybersecurity issues, joined me as the lead \nRepublican cosponsor, and the bill passed the House by a margin of 422-\n5. Since our bill, like so many others, never made it through the \nSenate in the last Congress, I am now joining Mr. McCaul in introducing \nan updated version. We are still making some small modifications, but \nI\'m hoping we can introduce the bill soon, perhaps as early as this \nweek. I know the witnesses were asked about this legislation, and I \nlook forward to hearing your thoughts and feedback today.\n    We are anticipating that our R&D bill will be part of a bigger, \nbipartisan cybersecurity bill in both the House and Senate. 
The efforts \nto move a larger bill have stalled for some time over disagreements \nabout how to assign leadership and coordination responsibilities across \nthe government. I am glad that the President is taking an active role \nin this discussion, and I hope that the proposal the White House sent \nup to Congress two weeks ago will help to move efforts along in both \nchambers. I look forward to working with both my colleagues and the \nAdministration to ensure the development of a strong cyber security \nstrategy.\n    I want to thank all of our witnesses for being here this morning, \nand I look forward to hearing your testimonies.\n\n    Chairman Quayle. Thank you, Mr. Lipinski.\n    If there are Members who wish to submit additional opening \nstatements, your statements will be added to the record at this \npoint.\n    At this time I would like to introduce our witness panel. \nOur first witness is Dr. George Strawn, the Director of the \nNational Coordination Office for the Networking and Information \nTechnology Research and Development program. Prior to his \nappointment as Director at NITRD, Dr. Strawn served as the \nChief Information Officer at the National Science Foundation.\n    Next is Dr. Farnam Jahanian, Assistant Director of the \nDirectorate for Computer and Information Science and \nEngineering at the National Science Foundation. Prior to \njoining NSF, Dr. Jahanian served as Chair of Computer Science \nand Engineering at the University of Michigan.\n    Next is Ms. Cita Furlani, the Director of the Information \nTechnology Laboratory at the National Institute of Standards \nand Technology. Previously, Ms. Furlani has served as Director \nof the National Coordination Office for Information Technology, \nResearch and Development.\n    Finally, we will hear from Rear Admiral Michael A. Brown, \nDirector of Cybersecurity Coordination at the Department of \nHomeland Security. 
Rear Admiral Brown is also assigned as the \nDHS Senior Cybersecurity Representative to the United States \nCyber Command.\n    As our witnesses should know, spoken testimony is limited \nto five minutes each after which the Members of the Committee \nwill have five minutes each to ask questions.\n    I now recognize our first witness, Dr. George Strawn, the \nDirector of the National Coordination Office for the Networking \nand Information Technology Research and Development program.\n\nSTATEMENT OF DR. GEORGE STRAWN, DIRECTOR, NATIONAL COORDINATION \n  OFFICE, NETWORKING AND INFORMATION TECHNOLOGY RESEARCH AND \n                      DEVELOPMENT PROGRAM\n\n    Dr. Strawn. Thank you, and good morning. As you say, I am \nGeorge Strawn, Director of what we call the NCO, National \nCoordinating Office, of Networking and Information Technology \nResearch and Development, called both NITRD or NITRD, as the \ncase may be. I will use those shorthands, NCO and NITRD, in the \nrest of my comments in the interest of brevity.\n    With Dr. Farnam Jahanian of NSF, I also co-Chair the NITRD \nSubcommittee of the National Science and Technology Council. I \nwould like to thank Chairman Brooks, Chairman Quayle, Ranking \nMembers Lipinski and Wu, and the Members of the Subcommittee \nfor this opportunity to come before you today to discuss \nprotecting information in the digital age and NITRD\'s role in \nfederal efforts to improve cybersecurity.\n    The NITRD program provides for the coordination of research \nand development in networking and information technology across \n14 federal agencies and many other partners. Their combined \nefforts represent America\'s primary investment in research and \ndevelopment for IT-related technologies in general and \ncybersecurity in particular. The NCO supports the coordination \nof the activities of the NITRD program.\n    My written testimony responds to each of the five questions \nposed by the Subcommittees. 
In my oral comments today, I just \nwant to highlight three points.\n    First, the NITRD community strongly believes that this \nNation\'s cybersecurity infrastructure must be made more secure \nand trustworthy than it is today if we are to sustain our \ntechnological and economic leadership role in the global \ninformation age. Indeed, the agency developed NITRD\'s strategic \nplan. One of the most significant tests of technological \nleadership will be the ability to engineer and build IT systems \nthat inspire high levels of confidence because they function as \nintended: safely, securely, reliably and cost-effectively. The \nagencies added that fundamental research to ensure that digital \nnetworks, systems, devices, applications and communication \nprocesses earn and deserve the trust and confidence of society, \nthus constitutes an essential foundation for the Nation\'s \nfuture. Advancing our IT capabilities with radically improving \ncybersecurity technologies directly supports such U.S. \npriorities as national and homeland security, economic \ninnovation, global competitiveness, health care reform and job \ncreation.\n    My second point is that because cyberspace interconnects us \nall, both the problems and solutions of cybersecurity transcend \nany one federal agency, any one sector or even any one nation. \nThey involve not just a small number of discrete technologies \nbut global scale interdependencies among a vast array of \ntechnologies. The scope and complexity of these cybersecurity \nchallenges absolutely requires effective coordination of \nresearch and development between the federal agencies \nthemselves as well as collaboration with our private sector \npartners, and this is the central role of the NITRD program. 
\nThis coordination process is exemplified by NITRD\'s two \ncybersecurity and information assurance groups, one called a \nSenior Steering Group, the other called an interagency working \ngroup, which have responded to the Cyberspace Policy Review \nwith an innovative conceptual framework for R&D intended to \nradically change the game of cybersecurity in favor of the \ndefendants.\n    NITRD\'s recently developed strategic plan for federal R&D \nand cybersecurity brings me to my third point. Visionary \nfederal R&D in cybersecurity is necessary but not sufficient. \nMuch of the cybersecurity infrastructure is in the private sector \nand much of it is overseas. The Federal strategic plan for R&D in \ncybersecurity expressly calls for new forms of federal outreach \nand partnerships with the private sector and international \nstakeholders to accelerate the deployment of promising research \ninto commercial applications and adoption. This transition to \npractice is currently exemplified in a variety of interagency \nprojects of NITRD members and within several of the NITRD \nworking groups.\n    Thank you for your interest in cybersecurity and the \nopportunity to appear before you today. The NITRD community \nlooks forward to working with you to realize the goal of a \ncyberspace in which we can all have trust and confidence.\n    [The prepared statement of Mr. Strawn follows:]\n    Prepared Statement of Dr. George O. Strawn, Director, National \nCoordination Office for Networking and Information Technology Research \n                            and Development\n    Good morning. I am George Strawn, Director of the National \nCoordination Office (NCO) for Networking and Information Technology \nResearch and Development (NITRD). With my colleague, Dr. Farnam \nJahanian of the National Science Foundation (NSF), I co-chair the NITRD \nSubcommittee of the National Science and Technology Council\'s (NSTC) \nCommittee on Technology.
I want to thank Chairman Brooks and Chairman \nQuayle, Ranking Members Lipinski and Wu, and members of the \nSubcommittees for the opportunity to come before you today to discuss \nprotecting information in the digital age and NITRD\'s role in Federal \nefforts to improve cybersecurity.\n    The NITRD Program--now in its 20th year--provides a coordinated \nview of the Government\'s portfolio of unclassified investments in \nfundamental, long-term research and development (R&D) in advanced \nnetworking and information technology (IT), including cybersecurity and \ninformation assurance. All of the research reported in this portfolio \nis managed, selected, and funded by one or more of the 14 member \nagencies under their own individual appropriations. In addition to \ncybersecurity, the Program\'s current research areas are high-end \ncomputing, large-scale networking, human-computer interaction and \ninformation management, high-confidence software and systems, software \ndesign and productivity, and socioeconomic, education, and workforce \nimplications of IT. Advances in these areas further our nation\'s goals \nfor national defense and national security, economic competitiveness, \nenergy and the environment, health care, and science and engineering \nleadership.\n\n    Response to the Committee Request\n\n    Your invitation to testify here today asked me to address five \nspecific questions. But I would like to preface my comments with the \ngeneral statement that the NITRD agencies strongly concur that \nimproving the overall security of our cyber infrastructure--including \ncomputing systems, mobile devices, networks, digitally controlled \ncritical infrastructures, and the vast quantities of information that \nnow flow through cyberspace--is a critical national challenge. 
It is \nimperative that we successfully address this challenge, not only to \nstrengthen our national security but also to sustain the technological \nleadership that drives our economic innovation, global competitiveness, \nand science and engineering preeminence, and supports our quality of \nlife as Americans.\n    The 2010 strategic plan for NITRD developed by the Program\'s 14 \nmember agencies (and now awaiting White House sign-off) describes \n``trust and confidence\'\' in our systems, networks, and information as \none of three fundamental prerequisites for a bright U.S. future. The \nNITRD Plan states:\n    ``The perspective of the NITRD agencies is that one of the most \nsignificant tests of technological leadership in the years ahead will \nbe the ability to engineer and build IT systems that inspire high \nlevels of confidence because they function as intended--safely, \nsecurely, reliably, and cost-effectively. Fundamental research to \nensure that digital networks, systems, devices, applications, and \ncommunications processes earn and deserve the trust and confidence of \nsociety thus constitutes an essential foundation for the Nation\'s \nfuture.\'\'\n    The 14 NITRD member agencies and some two dozen other participating \nagencies represent the broad spectrum of Federal interests in \nnetworking and information technology R&D related to cybersecurity--\nsuch as national defense and intelligence capabilities; health records \nprivacy and confidentiality; the security of the national power grid; \nthe reliability and functionality of the air-traffic-control system; \nthe integrity and persistence of scientific research data; and the \nmaintenance of secure real-time communications systems in emergency \nresponse, weather forecasting, and the financial markets; and many \nother key national purposes. 
The role of the NITRD Program in advancing \nthe Government\'s cybersecurity efforts is to identify the \ntechnologically hard but critical problems and coordinate effective \nresearch and development to address them.\n    The Program\'s framework of regular and ongoing interagency \ncoordination enables the varied agencies to identify significant \nleverage, target common critical needs, avoid duplication of effort, \nmaximize resource sharing, and partner in investments to pursue higher-\nlevel goals. Moreover, because NITRD research is performed in \nuniversities, Federal research centers and laboratories, Federally \nfunded R&D centers, and in partnerships with private companies and \nnonprofit organizations across the country, continuous interaction, \ninformation exchange, and feedback takes place, providing new \nperspectives and insights to both Federal and private-sector \nstakeholders.\n    Initiatives #4 and 9 of the Comprehensive National Cybersecurity \nInitiative (CNCI) called for coordinating R&D efforts and developing \nenduring ``leap-ahead\'\' technology, strategies, and programs. The \nPresident\'s Cyberspace Policy Review builds on these goals to include \ndeveloping a framework for research and development strategies that \nfocus on game-changing technologies. The NITRD program has a key role \nin pursuing these goals. Research coordination has been strengthened \nthrough the establishment of a Cybersecurity and Information Assurance \n(CSIA) Senior Steering Group (SSG; made up of budget-level officials). \nThe SSG, in close cooperation with the Special Cyber Operations \nResearch and Engineering group (SCORE: convened by the Office of \nScience and Technology Policy and the Office of the Director of \nNational Intelligence) enables effective coordination between the \nclassified and unclassified Federal IT security R&D portfolios. 
This \nstrong framework for coordination and the partnerships it has \nengendered enabled a comprehensive response to the near- and mid-term \naction items of the Cyberspace Policy Review as described in my answer \nto question #2 below.\n    While individual members of the NITRD community are likely to be \ninvolved in multiple elements of the near- and mid-term action plans, I \nwould like to focus on three of these in which NITRD, supported by the \nNCO, has a prominent role:\n    Near-term Action Plan #9: Develop a framework for research and \ndevelopment strategies that focus on game-changing technologies that \nhave the potential to enhance the security, reliability, resilience, \nand trustworthiness of digital infrastructure; provide the research \ncommunity with access to event data to facilitate developing tools, \ntesting theories, and identifying workable solutions.\n    Over the last two years, NITRD\'s CSIA IWG and SSG have engaged in \nan intensive round of public discussions, brainstorming, and thorough \ntechnical examinations of cybersecurity issues in order to develop just \nsuch a game-changing R&D framework. The result is the soon-to-be-\nreleased Federal cybersecurity R&D strategic plan, ``Trustworthy \nCyberspace: Strategic Plan for the Federal Cybersecurity Research and \nDevelopment Program.\'\' The strategic plan provides game-changing themes \nto direct R&D efforts towards understanding the underlying root causes \nof known current threats with the goal of disrupting the status quo \nwith radically different approaches. The four themes serve as a \nframework to unify cybersecurity R&D activities. 
The themes are: \nDesigned-In Security (DIS), Tailored Trustworthy Spaces (TTS), Moving \nTarget (MT), and Cyber Economic Incentives (CEI), with focus areas on \nwireless mobile networks in the TTS theme and nature-inspired solutions \nand a deep understanding of cyberspace in the MT theme.\n    The process of building the R&D strategic plan began with a Leap-\nAhead Initiative, developed by the White House Office of Science and \nTechnology Policy (OSTP) and the CSIA SSG. The initiative solicited \npublic inputs and received more than 200 responses on ideas for how to \nchange the cybersecurity landscape. These ideas were distilled into \nfive fundamentally game-changing concepts in cybersecurity and provided \nas inputs to the National Cyber Leap Year Summit held August 17-19, \n2009, in Arlington, Virginia. The summit gathered innovators from the \nacademic and commercial sectors to explore these concepts. The outcomes \nof the summit were distilled into the three game-changing R&D themes. \nIn FY 2010, the themes were provided as inputs to the Administration\'s \ncybersecurity R&D agenda and introduced to the research community as \nstrategies for public-private actions to secure the Nation\'s digital \nfuture. Since the Summit, as the understanding of cyberspace has \nevolved, a new theme--Designed-In Security (DIS)--has been added to the \nFederal cybersecurity R&D plan. The next phase in this effort will be \nto develop, with private-sector input, a roadmap to implement the \nstrategic plan.\n    An important new strategic thrust introduced in the Federal \ncybersecurity R&D plan is to develop a science of security. A science \nof security is needed to ground research efforts and would have the \npotential of producing hypotheses subject to experimental validation \nand universal concepts that are predictive and transcend specific \nsystems, attacks, and defenses. 
Within 10 years, the aim is to develop \na scientific framework that applies to real-world settings and provides \nexplanatory value. The CSIA agencies are working with private-sector \nstakeholders to identify real-world data sets that can be used for \nresearch experimentation and testing without compromising privacy or \nproprietary and sensitive information.\n    Mid-term Action Plan #3: Expand support for key education programs \nand research and development to ensure the Nation\'s continued ability \nto compete in the information age economy.\n    The portfolio of research and development activities sponsored by \nthe NITRD agencies constitutes this country\'s only full-spectrum IT R&D \nenterprise, and thus these activities represent a unique resource for \nseeding U.S. innovation of all kinds. In addition, NITRD funding \nrepresents the single largest source of support for the education and \ntraining of new generations not only of U.S. IT research leaders but of \nIT entrepreneurs and technical experts in many fields of endeavor. Our \nNation\'s investments in this NITRD portfolio in general, and in its \ncybersecurity-related components in particular, have increased along \nwith the critical roles that these technologies play in our information \nage economy. NITRD agencies now support multiple NCO-coordinated \nactivities impacting research and development, education, and workforce \nreadiness for cybersecurity and the protection of our Nation\'s critical \ninfrastructure and its entire economy. Nevertheless, all recognize that \nthe challenge remains large and growing.\n    Mid-term Action Plan #11: Encourage collaboration between academic \nand industrial laboratories to develop migration paths and incentives \nfor the rapid adoption of research and technology development \ninnovations.\n    The forthcoming Federal cybersecurity R&D plan specifically \naddresses the need to accelerate the transition of R&D to practice. 
It \nstates that an explicit, coordinated process that transitions the \nfruits of research into practice is essential if Federal cybersecurity \nR&D investments are to have significant, long-lasting impact. As part \nof the transition to practice activities, the Federal cybersecurity \nresearch community plans to participate in activities related to \ntechnology discovery; test and evaluation; and transition, adoption, \nand commercialization. Planned activities in technology discovery \ninclude, for example, participation in the Information Technology \nSecurity Entrepreneurs\' Forum (ITSEF) and Defense Venture Catalyst \nInitiative (DeVenCI). In test and evaluation, NITRD agencies plan to \nleverage available operational and next-generation networked \nenvironments to support experimental deployment, test, and evaluation \nof novel security technologies in realistic settings in both public- \nand private-sector environments. For transition, adoption, and \ncommercialization, NITRD agencies plan to participate in the System \nIntegrator Forum (SIF) and Small Business Innovative Research (SBIR) \nConferences.\n    As part of their activities to engage with the cybersecurity \nresearch community, senior Federal agency cybersecurity officials are \npresenting the framework for R&D strategies and themes articulated in \nthe strategic plan to researchers attending the annual IEEE Security \nand Privacy Symposium, May 22-25, 2011 in Oakland, California.\n    I would like to note here that the transition to practice is also \nbeing addressed by NITRD\'s Large Scale Networking (LSN) agencies. They \nhave developed an innovative network-performance monitoring technology \ncalled perfSONAR, which provides network managers with unprecedented \ncapabilities to evaluate how well their networks are functioning, to \nfind problems, and to recognize anomalies in network security. 
The LSN \nagencies are now working with private-sector networks and international \nresearch network partners to implement deployment of this powerful new \ntool. The LSN teams, JET (Joint Engineering Team) and MAGIC (Middleware \nand Grid Infrastructure Coordination), are also closely involved in \ntransition to practice through their testing and implementation in \nadvanced research networks of security-enhancing technologies such as \nfederated identity management, IPv6, and DNSSec.\n    NITRD activities are supported by the NCO, which provides logistics \nas well as expert technical coordinators to support the operations of \nthe Subcommittee and an evolving collection of working groups (such as \nthe CSIA IWG) in which the agencies participate to coordinate their own \nresearch and development activities and to plan and oversee joint \nactivities when appropriate. They regularly share plans and \ndevelopments, host workshops, author papers, and interact with the \nacademic and private sectors as a means of defining and operating the \nmost effective programs of research and development attainable in their \nsubject areas.\n    The following snapshot examples illustrate how such interagency \ncollaboration can lead to substantially better results in research and \ndevelopment as well as education:\n\n        <bullet>  Partnership for Cyberspace Innovation--a partnership \n        of NIST, the Science and Technology Directorate of DHS, and the \n        Financial Services Sector Coordinating Council (FSSCC), with \n        the goal of speeding the commercialization of cybersecurity \n        research innovations that support our Nation\'s critical \n        infrastructures. 
This agreement will accelerate the deployment \n        of network testbeds for specific use cases that strengthen the \n        resiliency, security, integrity, and usability of financial \n        services and other critical infrastructures such as online \n        health services, the Smart Grid, water, and transportation.\n\n        <bullet>  Middleware And Grid Infrastructure Coordination \n        (MAGIC) Team--a partnership of agencies and Federal \n        laboratories including ANL, DHS, DOE/SC, FNAL, LANL, LBL, NASA, \n        NIH, NIST, NOAA, NSF, PNNL, and UCAR, and their industry \n        partners, which improves the Nation\'s cybersecurity and privacy \n        environment through research, development, and promotion of \n        Identity Management best practices, standards, and community \n        outreach.\n\n        <bullet>  Joint Engineering Team (JET)--a partnership of agency \n        and research networks including DoD, DOE, NASA, NSF, Internet2, \n        and National Lambda Rail that seeks to improve performance as \n        well as security by coordinating networking testbeds (for \n        optical, cloud, architecture, and networking research) and \n        promoting the deployment in advanced networks of more secure \n        technologies such as IPv6 and DNSSec.\n\n        <bullet>  National Initiative for Cybersecurity Education \n        (NICE)--a partnership led by NIST and including DHS, DoD, NSF, \n        ED, OPM, NSA, DOJ, ODNI, and others, with the goal of \n        establishing an operational, sustainable, and continually \n        improving cybersecurity education program to foster sound cyber \n        practices that will enhance the Nation\'s security.\n\n        <bullet>  The SEW-Education subgroup of the NITRD SEW \n        Coordinating Group, with a focus on raising the national \n        profile of computing-related knowledge through fundamental \n        changes in K-12 computer science education.
This new group, one \n        of whose co-chairs leads the NIST cybersecurity education \n        initiative, is a participant in the NICE program and is now \n        developing its plan of action.\n    As Director of the NCO for NITRD, it is always a pleasure for me to \ndescribe how, by facilitating the collaborative efforts of \nrepresentatives from many agencies--by arranging meetings and \nteleconferences, hosting/supporting workshops and conferences, \npreparing ``zero-th\'\' drafts of brainstorming documents, communicating \nregularly with NITRD participants, and the like--the NCO helps empower \nthe collective intelligence of the NITRD community to accomplish \ntogether far more than any single agency could on its own. I believe \nthe NITRD model of cooperation among very disparate agencies truly \nworks, and has led to significant improvements in research and \ndevelopment as well as strategic planning for cybersecurity.\n    As is described above, the NITRD Program currently supports an \nextensive process of coordination and planning across the Federal \nagencies involved in research and development. This process has led to \nthe development of the Federal cybersecurity R&D strategic plan, \nTrustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity \nResearch and Development Program, which defines a set of interrelated \npriorities for the agencies of the U.S. government that conduct or \nsponsor R&D in cybersecurity. This plan aligns well with the planning \nobjectives noted in H.R. 4061, and is to be followed by coordinated \ndevelopment of a roadmap of steps guiding its implementation. In this \nprocess, NITRD and its agency members have hosted workshops for the \nexchange of information with academia and the private sector and have \nrequested comments from a wide range of stakeholders including the \npublic.
NITRD member agencies are beginning to use language and \ndirection from this coordinated plan in agency research and development \nactivities. We greatly appreciate the interest of the Committee and the \nSubcommittees represented here today and share your commitment to \nresearch and development for better cybersecurity. We look forward to \ncontinuing to work closely with you on this shared goal with or without \nany additional legislation.\n    The proposed legislation directly promotes greater cybersecurity \nresearch and development, education, and workforce needs as one of five \nparts of its basic approach as outlined in SEC 243 (b). The same \nsection promotes the development and implementation of technical \ncapabilities in support of national cybersecurity goals. Many such \ntechnical capabilities of the future will represent the practical \nimplementations of the results of ongoing Federal research and \ndevelopment coordinated in the NITRD Program.\n    The legislation also calls for research and development in \ncybersecurity in SEC 243 (c) as an important component of a \nmultifaceted program to foster the development, in conjunction with \nother governmental entities and the private sector, of essential \ninformation security technologies and capabilities for protecting \nFederal systems and critical information infrastructure, including \ncomprehensive protective capabilities and other technological \nsolutions. Such research and development will be essential not only to \nbetter meet existing threats, but to provide the technical and \nscientific foundation for capabilities to meet emerging threats and \ndevelopments. The coordination of such research and development, and \nthe transition to practice of its successful results, are key \ncomponents of the NITRD contributions to improving cybersecurity. 
The \nproposed legislation for cybersecurity research and development, as \noutlined in Sections 243 (c) and (d), thus is consistent and aligns \nwith the R&D coordination in which the NITRD Program engages.\n\n  Biography for Dr. George O. Strawn, Director, National Coordination \nOffice, Networking and Information Technology Research and Development \n                                Program\n    Dr. George O. Strawn is the Director of the National Coordination \nOffice (NCO) for the Networking and Information Technology Research and \nDevelopment (NITRD) interagency program. He also serves as the Co-Chair \nof the Subcommittee on NITRD. The NCO reports to the Office of Science \nand Technology Policy (OSTP) within the Executive Office of the \nPresident.\n    Dr. Strawn is on assignment to the NCO from the National Science \nFoundation (NSF), where he most recently served as Chief Information \nOfficer (CIO). As the CIO for NSF, he guided the agency in the \ndevelopment and design of innovative information technology, working to \nenable the NSF staff and the international community of scientists, \nengineers, and educators to improve business practices and pursue new \nmethods of scientific communication, collaboration, and decision-\nmaking.\n    Prior to his appointment as NSF CIO, Dr. Strawn served as the \nexecutive officer of the NSF Directorate for Computer and Information \nScience and Engineering (CISE) and as Acting Assistant Director for \nCISE. Previously, Dr. Strawn had served as the Director of the CISE \nDivision of Advanced Networking Infrastructure and Research, where he \nled NSF\'s efforts in the Presidential Next Generation Internet \nInitiative.\n    Prior to coming to NSF, Dr. Strawn was a Computer Science faculty \nmember at Iowa State University (ISU) for a number of years. He also \nserved there as Director of the ISU Computation Center and Chair of the \nISU Computer Science Department. 
Under his leadership, ISU became a \ncharter member of MIDNET, a regional NSFNET network; he also led the \ncreation of a thousand-workstation academic system based on an \nextension of the MIT Athena system; and under his leadership, the ISU \nComputer Science department was accredited by the then-new Computer \nScience Accreditation Board.\n    Dr. Strawn received his Ph.D. in Mathematics from Iowa State \nUniversity and his BA Magna Cum Laude in Mathematics and Physics from \nCornell College.\n\n    Chairman Quayle. Thank you very much.\n    I now recognize our second witness, Dr. Farnam Jahanian, \nfor five minutes.\n\n     STATEMENT OF DR. FARNAM JAHANIAN, ASSISTANT DIRECTOR, \n     DIRECTORATE FOR COMPUTER AND INFORMATION SCIENCE AND \n            ENGINEERING, NATIONAL SCIENCE FOUNDATION\n\n    Mr. Jahanian. Good morning. Chairmen Quayle and Brooks, \nRanking Members Wu and Lipinski, and Members of the \nSubcommittees, I am Farnam Jahanian, Assistant Director for the \nComputer and Information Science and Engineering Directorate at \nthe National Science Foundation.\n    As you know, NSF is dedicated to the support of fundamental \nresearch in all disciplines to the advancement of science and \nengineering and to educating a new generation of innovative \nleaders. I welcome this opportunity to present NSF\'s \ninvestments in cybersecurity research and education this \nmorning.\n    Investments in unclassified long-term research are critical \nto an effective national strategy of achieving trustworthy \ncyberspace. It is important to note that many powerful \ninformation technologies deployed today capitalize on \nfundamental research outcomes generated decades ago. NSF brings \nthe problem-solving capabilities of the Nation\'s best minds to \nbear on these challenges.
It also promotes connections between \nacademia and industry which help to protect cyberspace, \nsecure the Nation\'s critical infrastructure and fuel job \ngrowth.\n    In fiscal year 2011, NSF will invest up to $130 million in \ncybersecurity research including $55 million in the cross-\ncutting Trustworthy Computing program at NSF. Its projects \nrange from security at the microscopic level, detecting whether \na silicon chip contains a malicious circuit, to the macroscopic \nlevel, determining strategies for securing the next generation \nelectrical power grid.\n    Fundamental research in cryptography, formal specification, \nverification techniques and security testing all contribute to \nimproved methods for building systems that perform as intended, \neven in the face of threats. Research in secure programming \nlanguages and methodologies, secure operating systems and \nspecialty virtualization mechanisms on which much of the \nsecurity of cloud computing depends is also prominent in NSF\'s \nportfolio. Cybersecurity investments are also made in the \nsubdisciplines of computing and information sciences, for \nexample, in the physical cybersystems, algorithmic foundations \nand networking programs in my directorate.\n    Center-scale activities play an important role in NSF\'s \nportfolio. The Trust Center, a multidisciplinary collaborative \nresearch effort, is focused on science and technology for \ndeveloping and using secure information systems with almost 30 \nindustrial partners. Four cybertrust centers and two industry-\nuniversity cooperative centers also focus on a number of \nfoundational challenges. Research outcomes and innovations \ndeveloped with the funding from NSF and other federal partners \nare now being used by the private sector and government \nagencies to protect the Nation\'s cyber infrastructure.
In \nrecent years, research outcomes have led to the formation of \nnumerous startup companies in the IT sector that bring \ninnovative solutions to the marketplace.\n    Education is embedded in all these projects through the \ntraining of graduate students, many of whom will join the \ncybersecurity workforce. CAREER, NSF\'s most prestigious program \nfor junior faculty, carries specific requirements for the \nintegration of research and education. Research Experiences for \nUndergraduates, another NSF program, gives students \nopportunities to do cybersecurity research. The Scholarship for \nService program provides tuition at academic institutions in \nexchange for government service following graduation. To date, \nthis program has provided 1,400 scholarships at 34 institutions \nand has placed graduates in 30 federal agencies. The Advanced \ntechnology innovation education program educates technicians \nand has three regional centers: Cyber Watch in Maryland with 35 \ncommunity colleges, 15 universities from 20 States and an \nenrollment of 1,800 students; the CSSIA Center in Illinois, \neight institutions from five States with more than 1,400 \nenrolled; and a third regional center, the CSEC Center in \nOklahoma with 45 institutions from eight States and almost \n2,000 students enrolled.\n    NSF has been actively responding to the near-term and \nmidterm action plans outlined in the Cyberspace Policy Review. \nNSF also participates in the interagency NITRD program, which \nensures the coordination of cybersecurity investment across 14 \ngovernment agencies.\n    To conclude, the Internet plays a critical role in tightly \nintegrating the economic, political and social fabric of our \nglobal society. These interdependencies leave the Nation \nvulnerable to a wide range of threats that challenge the \nsecurity, reliability, availability and overall trustworthiness \nof all IT resources.
In my testimony today, I have emphasized \nthat NSF\'s investment in cybersecurity research and education \nallows our society to benefit from a robust, secure, dependable \ninfrastructure that supports all application sectors including \nthose on which our lives depend.\n    This concludes my testimony. I would be happy to answer any \nquestions at this time.\n    [The prepared statement of Mr. Jahanian follows:]\n   Prepared Statement of Farnam Jahanian, Ph.D., Assistant Director, \n      Computer and Information Science and Engineering Directorate\n    Good afternoon, Chairman Quayle and Chairman Brooks, Ranking \nMembers Wu and Lipinski, and members of the Subcommittees. My name is \nFarnam Jahanian and I am the Assistant Director of the Computer and \nInformation Science and Engineering Directorate at the National Science \nFoundation.\n    I welcome this opportunity to highlight NSF\'s investments in cyber \nsecurity research and education. NSF aims to fund cyber security \nresearch at the frontiers of knowledge, to capitalize on the \nintellectual capacity of both young and experienced investigators in \nour Nation\'s academic and research institutions, and to partner with \nother U.S. government agencies and private sector and international \norganizations to meet the challenges of securing cyberspace. It is \nimportant to note that the many powerful information technologies (IT) \ndeployed today around the world capitalize on fundamental research \noutcomes generated decades ago. An effective national strategy for \nachieving a cyberspace that is deemed ``trustworthy\'\' must include \ninvestments in fundamental, unclassified, long-term research. 
These \ninvestments will allow our society to continue to benefit from a \nrobust, secure, dependable cyber infrastructure that supports all \napplication sectors, including those on which our lives depend.\n    Allow me to share with you some examples of the important \ncontributions made to date by the research community with both NSF and \nother Federal support. They include:\n\n        <bullet>  Cryptographic schemes and cryptographic-based \n        authentication, enabling today\'s Internet commerce, supporting \n        secure digital signatures and online credit card transactions;\n\n        <bullet>  Program analyses and verification techniques, \n        enabling the early detection of software vulnerabilities and \n        flaws, which can prevent cyber attacks, such as phishing, worms \n        and botnets;\n\n        <bullet>  New approaches to prevent and mitigate distributed \n        denial of service attacks have helped secure the Internet\'s \n        underlying infrastructure;\n\n        <bullet>  Approaches to identify exploitable flaws in cyber-\n        enabled systems, including automotive control software and \n        medical device software, that have alerted industry to the need \n        for secure software and system development practices;\n\n        <bullet>  Technology to detect and defeat ``drive-by \n        downloads\'\' from malicious websites makes web browsing safer \n        for the public;\n\n        <bullet>  Innovative machine learning and data mining \n        approaches used in spam filtering, and methods for detecting \n        attacks, such as those involving credit card fraud;\n\n        <bullet>  CAPTCHAs, the distorted text that only humans--not \n        machines or bots--can decipher, to ensure that it is indeed a \n        human, and not a bot, who is buying a ticket on-line or setting \n        up an email account;\n\n        <bullet>  Open source tools that enable rapid analysis of \n        malware allow for quick 
detection and mitigation and new \n        methods to study botnets reveal the structure of the \n        underground economy, allowing investigators to make attribution \n        and prevent future attacks from the same sources;\n\n        <bullet>  Better understanding of how humans respond to \n        software security warnings gives designers new models for \n        designing usable and secure systems; and\n\n        <bullet>  The underpinnings for fully homomorphic encryption, \n        which means that we may eventually be able to perform encrypted \n        computations on untrusted platforms (such as on a distributed \n        ``cloud\'\' platform), just as today we can send encrypted \n        communications over untrusted networks.\n    The research contributions listed above and other research outcomes \nand innovations developed with funding from NSF and other Federal \npartners are now being used by the private sector and government \nagencies to protect the nation\'s cyber infrastructure. Moreover, in \nrecent years, NSF-funded research activities have led to the formation \nof start-up companies in the IT sector that bring innovative solutions \nand technologies to the marketplace, fueling job growth, and helping to \nprotect cyber space. By promoting a healthy connection between academia \nand companies, NSF further enhances its research portfolio in \ntrustworthy computing with foundational concepts and new ideas that are \ndirectly relevant to the commercial sector.\n    While the advances in cyber security research and development (R&D) \nare many, including those mentioned above, the Nation needs to continue \nits investments in long-term, game-changing research if our cyber \nsystems are to be trustworthy. As you know, every day, we learn about \nmore sophisticated and dangerous attacks. Why is the cyber security \nchallenge so hard? 
The general answer is that attacks and defenses co-\nevolve: a system that was secure yesterday might no longer be secure \ntomorrow. More specific responses to this question include:\n\n        <bullet>  The technology base of our systems is frequently \n        updated to improve functionality, availability, and/or \n        performance. New systems introduce new vulnerabilities that \n        need new defenses.\n\n        <bullet>  The settings in which our computing systems are \n        deployed and the functionality they provide are not static. \n        With new computing models/platforms, like cloud computing and \n        smart phones, come new content and function, which in turn \n        creates new incentives for attack and disruption.\n\n        <bullet>  The sophistication of attackers is increasing as well \n        as their sheer number and the specificity of their targets.\n\n        <bullet>  Achieving system trustworthiness is not purely a \n        technology problem. System developers, purchasers, operators \n        and users all have a role to play in system security, and ways \n        to incentivize them are required. Security mechanisms that are \n        not convenient will be ignored or circumvented; security \n        mechanisms that are difficult to understand will be ignored.\n\n        <bullet>  Humans can be tricked into performing insecure \n        actions or divulging confidential information through various \n        ruses of clever adversaries.\n\n    Emerging Threats\n\n    The Internet plays a critical role in tightly integrating the \neconomic, political, and social fabric of global society. These \ninterdependencies leave the Nation vulnerable to a wide range of \nthreats that challenge the security, reliability, availability, and \noverall trustworthiness of all information technology resources.\n    An evolution of means and motives. 
In retrospect, early threats, \nsuch as first-generation viruses and worms, while costly and dangerous, \ndid not seriously challenge the availability or security of the \nInternet. In practice, many attackers simply engaged in acts of \nvandalism. Quickly, however, global Internet threats underwent a \nprofound transformation--from attacks designed solely to disable all or \npart of the Internet to those that specifically targeted people and \norganizations. Driven in large part by financial incentives, attackers \nlearned that these systems offered a valuable resource, both in terms \nof the personal data they contained and as a resource that could be \nused for future attacks. Networks of these compromised machines, or \nbotnets, have become the delivery platform of choice and fuel a variety \nof threats, such as spam, identity theft, phishing, and distributed \ndenial of service (DDoS) attacks.\n    These threats continue to evolve both in the motives of the \nattackers and the means they employ to achieve their goals. Today, \nexclusively economic motivations have given way to a wide range of \ngoals, including the desire to project political will into cyberspace, \nsuch as the denial of service attacks that shadowed the clashes between \nRussia and Georgia over the region of South Ossetia in 2008, and the \nGhostNet cyber spying operation that infiltrated the computers of \nembassies, foreign ministries, and the offices of the Dalai Lama in \n2009. Both instances serve to highlight the scope of this problem and \nthe difficulty in discovering the persons or nations that launched the \nattacks. With these changing motivations, attackers continue to \ninnovate with new methods. Attacks continue to increase in size. They \nare more targeted, sophisticated, and stealthy. 
Furthermore, these \nattacks are more effective, propagating through high-level applications \nand through social engineering.\n    Future security challenges will follow Internet adoption patterns. \nWhile Internet threats are likely to continue along the trajectory \noutlined above, I believe new security challenges will emerge as \nattackers shadow Internet adoption patterns.\n    Mobile Internet use is growing quickly: it will become the \npredominant global Internet access method by 2014. Tens of thousands of \napplications available today support banking, ecommerce, highway \nnavigation, health and wellbeing, and social networking, for example; \nthe future will only bring more varied applications used in all facets \nof daily life. The current culture that encourages application \ndownloading makes mobile devices especially vulnerable to malware. For \nexample, in 2010, a smart phone weather application downloaded by \nmobile phone users demonstrated how a malicious attack could quickly \nco-opt a cohort of smart phones around the globe. Today, we lack the \nunderstanding and technology to enforce security policies in these \nsituations.\n    Machine rooms and data centers have long been a mainstay of \ncommercial information technology support. But new technology now \nenables the unprecedented aggregation of hardware and software, which \nis then provided in a comprehensive, highly-elastic service that we \ncall ``cloud computing.\'\' Cloud providers are adding infrastructure at \na rapid rate to support this new model. These opportunities bring new \nrisks. A new trust model is required. Users of cloud computing must \nplace their trust in a third party that could well be sharing its \nresources with competitors and adversaries. Moreover, the cloud--\nbecause it concentrates value--is especially attractive to attackers. 
\nThe ramifications of these changes require continued research and \ndevelopment; new approaches for protecting cloud infrastructure will be \nkey to its long-term success. For more information on the strengths and \nweaknesses of cloud computing, see the NIST draft recommendations for \ninformation technology policy makers: http://csrc.nist.gov/\npublications/drafts/800-146/Draft-NIST-SP800-146.pdf.\n    The trend toward increasingly cyber-enabled systems, i.e., the \nintegration of computation, communication, and control into physical \nsystems, offers new challenges. Healthcare, education, and finance have \nbeen at risk of attack for a long time, and physical infrastructure--\nmanufacturing, energy production, and transportation--is now at risk. \nRecent attacks demonstrate that even facilities not directly connected \nto the Internet can be targeted.\n    The Nation\'s researchers must start building systems whose \ntrustworthiness derives from first principles, i.e., proven \nassumptions. To do that, NSF is formulating and developing a \ncomprehensive research portfolio around a view of systems that are \ndeemed trustworthy, i.e., systems that people can depend on day after \nday and year after year to operate correctly and safely--from our \navionics, mass transit and automobile systems to medical devices \noperated remotely to save lives on battlefields. Included in this \nnotion of trustworthiness are a number of critical concepts: \nreliability (does it work as intended?); security (how vulnerable is it \nto attack?); privacy (does it protect a person\'s information?); and \nusability (can a human easily use it?). 
Research needs to be game-\nchanging and forward-looking; new policies and continued focus on cyber \nsecurity education, public awareness and workforce development are \ncritical to our success.\n    Given this summary of the emerging threats in cybersecurity and \nNSF\'s contributions to these challenges, let me now turn to the issues \nthat were raised by the Subcommittees in the invitation to this \nhearing.\n    (1) Please provide a brief overview of the National Science \nFoundation\'s (NSF) cybersecurity activities and how research and \ndevelopment is integrated into your agency\'s mission.\n    The National Science Foundation funds a broad range of activities \nto advance cybersecurity research, to develop a well-educated and capable \nworkforce, and to keep all citizens informed and aware. Investments in \nthese activities include the Trustworthy Computing program in the \nDirectorate for Computer and Information Science and Engineering, the \nScholarships for Service program in the Directorate for Education and \nHuman Resources, the TRUST Science and Technology Center, and many \nrelated research projects across Engineering, Mathematical and Physical \nSciences, and Office of Cyberinfrastructure programs. As stated in its \norganic act, NSF\'s mission is ``to promote the progress of science; to \nadvance the national health, prosperity, and welfare; to secure the \nnational defense.\'\' Support for basic and applied research is integral \nto NSF\'s mission. NSF also supports development activities beyond the \nstage of research prototypes through its Small Business Innovation \nResearch (SBIR) and Small Business Technology Transfer (STTR) programs \nand in its support of science and engineering computing infrastructure \nthrough its Office of Cyberinfrastructure.\n\n    Cybersecurity Research\n\n    NSF has been investing in cyber security research for many years. 
\nIn FY 2011, NSF will invest almost $117 million in fundamental research \nin the science of trustworthiness and related trustworthy systems and \ntechnologies. Approximately one half of this $117 million is allocated \nto the cross-cutting Trustworthy Computing program, which in FY 2011 is \nfunded at a level of $55 million. Currently, there are about \n500 projects that are active. About a third of these projects include \nmore than one faculty researcher and all include graduate students. \nActive awards in the Trustworthy Computing program include $1.2M for \nsupport of 19 post-doctoral students as well. In addition to the \nTrustworthy Computing program, NSF continues to make cyber security \ninvestments in the core scientific sub-disciplines of the computing and \ninformation sciences, including the foundations of algorithms and \ninformation and communications, cyber physical systems, smart health \nand wellbeing, future internet architectures, networking technology and \nsystems, information integration and informatics, and in the social and \neconomic implications of developing secure, trustworthy systems.\n    NSF continues to cast a wide net and let the best ideas surface, \nrather than pursuing a prescriptive research agenda. It engages the \ncyber security research community in developing new fundamental ideas, \nwhich are then evaluated by the best researchers through the peer \nreview process. This process, which supports the vast majority of \nunclassified cyber security research in the United States, has led to \ninnovative and transformative results. 
Today, NSF\'s cyber security \nresearch portfolio includes projects addressing security from the \nmicroscopic level, detecting whether a silicon chip may contain a \nmalicious circuit, to the macroscopic level, determining strategies for \nsecuring the next generation electrical power grid, as well as at the \nhuman level, studying online privacy and security behaviors of both \nadolescents and senior citizens. Fundamental research in cryptography, \ncryptographic protocol analysis, formal specification and verification \ntechniques, static and dynamic program analysis, security testing \nmethods, all contribute to improved methods for building systems that \nperform as intended, even in the face of threats. Research in secure \nprogramming languages and methodologies, in securing operating systems \nand especially the virtualization mechanisms and hypervisors on which \nmuch of the security of cloud computing architectures depends is also \nprominent in NSF\'s portfolio. NSF\'s researchers are investigating novel \nmethods for detecting when security measures have failed, when \nintrusions have occurred, and when information may have been altered or \nstolen. NSF\'s portfolio includes projects studying security in human-\ncentric systems and in a variety of web application contexts as well as \nin smart phones, medical devices, and automotive systems.\n    Aside from single investigator and team awards, NSF also invests in \ncenter-scale activities. In FY 2012, NSF will provide the eighth year \nof funding for the Team for Research in Ubiquitous Secure Technology \n(TRUST) Science and Technology Center (STC). 
This center, which \nincludes University of California (UC), Berkeley, Carnegie Mellon \nUniversity, Cornell University, San Jose State University, Stanford \nUniversity, and Vanderbilt University and many industrial partners, is \nfocused on the development of cybersecurity science and technology that \nwill radically transform the ability of organizations to design, build, \nand operate trustworthy information systems for the Nation\'s critical \ninfrastructure by addressing the technical, operational, legal, policy, \nand economic issues affecting security, privacy, and data protection as \nwell as the challenges of developing, deploying, and using trustworthy \nsystems.\n    Since 2004, the Trustworthy Computing program has funded four \ncenters. All of these centers are coming to an end this year or next:\n\n        <bullet>  Trustworthy Cyber Infrastructure for the Power Grid \n        led by University of Illinois Urbana-Champaign, now \n        transitioned to Department of Energy (DoE) and Department of \n        Homeland Security (DHS) for continued funding\n    This research creates infrastructure technology that will convey \ncritical information to grid system operators despite partially \nsuccessful cyber attacks and accidental failures. Security and trust \nvalidation techniques are developed that can quantify the \ntrustworthiness of a proposed design with respect to critical \nproperties. An interactive simulator created by the project will allow \nusers to experiment with new power grid cyber-infrastructure design \napproaches.\n\n        <bullet>  Cybertrust Center for Internet Epidemiology and \n        Defenses led by UC San Diego and UC Berkeley\n    Understanding the scope and emergent behavior of Internet-scale \nworms seen in the wild constitutes a new science termed Internet \nepidemiology. 
To gain visibility into pathogens propagating across the \nglobal Internet, the Center has developed and operated an Internet \npathogen detection service of unprecedented scale. With this service, \nthe Center has demonstrated the speed and coverage over which such \npathogens can spread, and has developed mechanisms for deriving \n``signatures\'\' of a worm\'s activity and disseminating these to worm \nsuppression devices deployed throughout the global network.\n\n        <bullet>  Situational Awareness for Everyone led by Carnegie \n        Mellon University and University of North Carolina, Chapel Hill\n    This center focuses on how to make both users and organizations \nmore aware of their cybersecurity situation--the risks they face and \nhow they can deal with them in practice. For organizations, the center \nhas developed tools and techniques focused on network security \nawareness and management. Some of these tools are now operating in \nCalifornia\'s inter-campus network as well as Berkeley\'s and Carnegie \nMellon\'s internal campus networks; industry is also showing concrete \ninterest. The center has also focused on educating children and adults, \nreaching children through a novel game that educates users about \nsecurity issues and tailors its behavior for the age and background of \nthe player. It has been tested in Pittsburgh regional school districts \nand is now available on the Internet.\n\n        <bullet>  ACCURATE led by Johns Hopkins University\n    The voting system integrity problem is a paradigmatic hard cyber \ntrust problem, requiring trustworthy system architectures, security, \nintegrity, privacy, anonymity, high assurance, and human-machine \ninterfaces. Voting systems must preserve a voter\'s privacy and \nanonymity, while also being auditable and transparent. 
This center has \ngenerated new understanding of voting systems and has participated in \nthe California Secretary of State\'s ``Top to Bottom Review\'\' of voting \nsystems.\n    NSF has also invested in two active industry/university cooperative \nresearch centers:\n\n        <bullet>  CITeR: Center for Identification Technology Research \n        (Biometrics) at West Virginia University and the University of \n        Arizona\n    CITeR focuses on the identification of people using iris, \nfingerprint and face recognition and will significantly enhance the \nresearch database available for the disciplines involved with security \nbiometrics technologies. Research is needed in large-scale, fully-\nautomated, distributed systems in several applications, ranging from \ndriver\'s licenses to passports and visas, for example.\n\n        <bullet>  S2ERC: Security and Software Engineering at Ball \n        State and other universities\n    S2ERC investigates integrated methods of engineering practical \nsoftware systems that are able to meet emerging security requirements. \nThis goal is of great importance to both industry and government in \norder for them to confidently deploy real-world software systems that \nmeet their mission goals in the face of a broad range of security \nattacks. Participants in S2ERC include Ball State University, DePaul \nUniversity, Indiana University--Purdue University Fort Wayne, Indiana \nUniversity--Purdue University Indianapolis, Iowa State University, \nJames Madison University, Pennsylvania State University, Purdue \nUniversity, University of Illinois at Chicago, University of West \nFlorida, Virginia Polytechnic Institute and State University, and West \nVirginia University.\n\n    Cybersecurity Education\n\n    Investments in cybersecurity research are accompanied by \ninvestments in cyber-security education and workforce development. 
\nResearch undertaken in academia not only engages some of our nation\'s \nbest and brightest researchers, but because these researchers are also \nteachers, new generations of students are exposed to the latest \nthinking from the people who understand it best. And when these \nstudents graduate and move into the workplace, they will bring this \nknowledge and understanding with them. Moreover, faculty members in \nthis dual role of researchers and teachers have incentives to write \ntextbooks and prepare other teaching materials that allow dissemination \nof their work to a wide audience, including teachers and students \nnationwide.\n    Over the years, the Trustworthy Computing program has supplemented \nits awards by giving small amounts of additional funding to researchers \nwho were willing to bring undergraduates into their labs through the \nResearch Experiences for Undergraduates (REU) program. This program \ngives many undergraduate students their first hands-on experiences with \nreal science and engineering research projects. In addition, the \nTrustworthy Computing program has funded up and coming young \ninvestigators through the CAREER program that offers NSF\'s most \nprestigious awards in support of junior faculty who exemplify the role \nof teacher-scholars through outstanding research, excellent education \nand the integration of education and research within the context of the \nmission of their organizations.\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    The NSF Directorate for Education and Human Resources (EHR) has \nfocused on increasing the number of professionals with degrees in \ncybersecurity. 
An overwhelming majority of these EHR-developed \nprofessionals were supported by the Federal Cyber Service: Scholarship \nfor Service (SFS) and Advanced Technological Education (ATE) programs.\n    The SFS program seeks to increase the number of qualified students \nentering the field of cybersecurity and to increase the capacity of the \nUnited States higher education enterprise to produce cybersecurity \nprofessionals. The SFS program is an interagency program administered \nby NSF in collaboration with the Office of Personnel Management (OPM), \nthe Department of Homeland Security (DHS), and the National Security \nAgency (NSA), among other agencies. SFS was established as a result of \na January 2000 Presidential Executive Order that defined the National \nPlan for Information Systems Protection. The SFS program supports two \ntracks.\n    The first track, the SFS Scholarship Track, provides funding to \ncolleges and universities to award scholarships to students in the \ninformation assurance and computer security fields. A recipient must be \na U.S. citizen, a full-time student within two years of graduation, \ndemonstrate academic talent, meet selection criteria for Federal \nemployment, be willing to undergo a background investigation for \nsecurity clearance and must agree to work for at least two years in the \nFederal government. To date, the SFS program has provided scholarships \nto 1,400 students with 1,100 of them successfully placed in the Federal \ngovernment. The SFS graduates were employed by more than 30 Federal \nagencies, including the National Security Agency, Department of Homeland \nSecurity, Central Intelligence Agency, and Department of Justice.\n    From 2007 to 2010, twenty-eight awards were made totaling $46.75 \nmillion. 
Currently, SFS Scholarships are offered at 34 \ninstitutions, with the largest enrollments at the University of Tulsa, \nCarnegie Mellon University, Mississippi State, and University of North \nCarolina.\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    The second track, the SFS Capacity Building Track, provides funds \nto colleges and universities to improve the quality and increase the \nproduction of information assurance and computer security \nprofessionals. Examples of projects include: developing faculty \nexpertise in information cybersecurity, creating learning materials and \nstrategies, outreach activities, or other innovative and creative \nprojects, which lead to an increase in the national cyber security \nworkforce. Proposing organizations must demonstrate expertise in \ncybersecurity education or research. From 2007 to 2010, twenty-four \nawards were made totaling $5.73 million and covering every \nregion of the country.\n    With an emphasis on two-year colleges, the Advanced Technological \nEducation (ATE) program focuses on the education of technicians for the \nhigh-technology fields, including cybersecurity. Activities may have \neither a national or a regional focus, but not a purely local one. The \nATE program supports projects, centers, and targeted research in \ntechnician education. Currently, there are 14 active ATE awards in \ncybersecurity for a total of $17.1M, including $3M awarded in FY10. \nThree of these projects have been funded under the Regional ATE Center \ntrack, providing $3M for four years for each of the centers.\n\n        <bullet>  CyberWatch (Maryland)--The CyberWatch Center is \n        headquartered at Prince George\'s Community College. 
The mission \n        of the center is to ``increase the quantity and quality of the \n        cybersecurity workforce.\'\' It sponsors a K-12 program, college-\n        level model programs and courses, lab resources, articulation \n        agreements, and resources for faculty development. CyberWatch \n        has 50 institutional members, including 35 community colleges \n        and 15 universities from 20 states. More than 1800 students \n        were enrolled in cybersecurity courses at partnering community \n        colleges in 2009.\n\n        <bullet>  Center for Systems Security and Information Assurance \n        (CSSIA) (Illinois)--The CSSIA center has developed an \n        associate\'s degree program in information technology security, \n        and is providing professional development opportunities and \n        curricular materials. CSSIA has 8 institutional members, \n        including 6 community colleges and 2 universities from 5 \n        states--Illinois, Indiana, Michigan, Minnesota, and Wisconsin. \n        Their community college partner institutions enrolled more than \n        1400 students in cybersecurity courses in 2009.\n\n        <bullet>  Cyber Security Education Consortium (CSEC) \n        (Oklahoma)--The CSEC center is ``dedicated to building a \n        cybersecurity workforce who will play a critical role in \n        implementing the national strategy to secure cyberspace.\'\' The \n        center provides regional training workshops as well as \n        internships in SCADA security and digital forensics. CSEC has \n        45 institutional members, including 42 community colleges and 3 \n        universities from 8 states--Arkansas, Colorado, Kansas, \n        Louisiana, Missouri, Oklahoma, Tennessee, and Texas. 
Almost \n        2000 students enrolled in cybersecurity courses at partnering \n        community colleges in 2009.\n    (2) Describe NSF\'s role in meeting the objectives outlined in the \nnear-term and mid-term action plans included in the Cyberspace Policy \nReview, and detail past progress and future plans for meeting the \nobjectives outlined in the Review.\n    NSF supported the development of the Cyberspace Policy Review, \nproviding the task force that prepared the review with direct access to \nan extensive group of academic cyber security researchers. The \nCyberspace Policy Review Near-Term Action Plan lists ten items and the \nMid-Term Action Plan lists fourteen. The actions most concerned with \nNSF\'s mission are discussed below.\n    Near-term Action Plan #9 calls for (a) developing a framework for \nresearch and development strategies that focus on game-changing \ntechnologies that can enhance the trustworthiness of the digital \ninfrastructure and (b) providing the research community with access to \nevent data to facilitate developing tools, testing theories, and \nidentifying workable solutions.\n    (a) Specifically, over the past two years, NSF has participated in a \nset of activities designed to develop research themes related to game-\nchanging technologies, including the announcement of three such themes \nlast year: Moving Target, intended to raise the costs for attackers; \nTailored Trustworthy Spaces, intended to support the creation of \ntrustworthy computing environments that can respond to a range of trust \nrequirements; and Cyber Economic Incentives, intended to help \nunderstand how to motivate adoption of trustworthy technologies. NSF \nhas collaborated with its partner agencies in publicizing these themes \nto the research community and has incorporated them into related \nresearch solicitations. 
In the succeeding year, NSF has participated \nactively in a working group organized under the Networking Information \nTechnology R&D (NITRD) program\'s Cyber security and Information \nInsurance (CSIA) Interagency Working Group (IWG) to develop a strategic \nplan for the Federal cyber security research and development program. \nThis plan is expected to be released officially before the end of May.\n    (b)NSF has also actively promoted research access to event data. \nAlthough NSF itself does not possess any datasets appropriate for this \npurpose, it convened a workshop on cyber security data for \nexperimentation in August 2010 that brought companies and organizations \nthat possess such data together with members of the research community \nwho would like to study the data. Several companies have agreed to make \ndata available on their premises, and NSF has invited its researchers \nto request supplementary funds to support visits to data repositories \nthat are not available for remote access.\n    Mid-Term Action Plan #3: Expand support for key education programs \nand research and development to ensure the Nation\'s continued ability \nto compete in the information age economy.\n    As already described above, NSF supports a broad range of cyber \nsecurity research; in FY2011 NSF will invest almost $117 million in \nthis area; approximately half of this is in the Trustworthy Computing \nprogram. The balance of NSF\'s cyber security investments are made in \nthe many core scientific sub-disciplines of the computing and \ninformation sciences. In addition to single and multiple-investigator \nresearch grants, NSF has funded a Science and Technology Center, four \nCenter-Scale Activities, and Industry/University Cooperative Research \nCenters. Education is embedded in virtually all of these research \ngrants through the training of graduate students, many of whom will \njoin the industry or university workforce in cyber security research. 
\nNSF CAREER awards, among NSF\'s most prestigious grants, carry specific \nrequirements for integration of research and education. Cyber security \nresearch funds also support the Research Experience for Undergraduates \n(REU) program to grow student interest in cyber security research. The \nScholarships for Service (SFS) program ($52.5 million from 2007-2010) \nprovides tuition scholarships for students enrolled in cyber security \nprograms at a wide range of institutions across the nation in exchange \nfor a commitment to a period of service in a government post following \ngraduation. A component of the SFS program is also devoted to building \nadditional teaching capacity through curriculum and faculty \ndevelopment. The Advanced Technological Education (ATE) program \nsupports cyber security education in fourteen projects.\n    Mid-Term Action Plan #4: Develop a strategy to expand and train the \nworkforce, including attracting and retaining cyber security expertise \nin the Federal government.\n    As described earlier, NSF\'s Scholarships for Service program, \nincluding capacity building grants to support expansion of the \neducational resources available to train students in cyber security, is \na fundamental part of the national strategy to train and expand the \nworkforce in this key area; scholarships under this program carry a \ncommitment for service in the Federal government. Last fall, NSF \nsponsored a Summit on Education in Secure Software to help identify how \nto teach students to write programs that cannot easily be subverted. \nNSF is also participating in the National Initiative for Cyber security \nEducation (NICE) as co-lead with the Department of Education for Formal \nCyber security Education. 
This activity encompasses development of \neducation programs for K-12, higher education, vocational and other \ndiscipline-related programs in order to help provide a pipeline of \nskilled workers for private sector and government.\n    Mid-Term Action Plan #11: Encourage collaboration between academic \nand industrial laboratories to develop migration paths and incentives \nfor rapid adoption of research and technology development innovations.\n    NSF\'s Small Business Innovation Research (SBIR) and Small Business \nTechnology Transfer (STTR) programs aim to support the transition of \nsuccessful research projects into the marketplace. These programs have \nfunded several projects related to cyber security in recent years. Of \nthe current active projects, eight have direct linkage to cyber \nsecurity; these have been awarded about $4.5M to date.\n    CISE also participates in the Grant Opportunities for Academic \nLiaison with Industry (GOALI) program, which aims to promote academic-\nindustry partnerships on high risk, transformational research projects. \nCISE plans to supplement its regular Advisory Committee with a new \npanel of industry leaders to further promote the adoption of research \nresults by industry.\n    CISE also encourages academic industry partnerships. For example, \nas mentioned above, the NSF Team for Research in Ubiquitous Security \nTechnology (TRUST) Science and Technology Center works with a number of \nindustry partners who 1) help define the Center\'s strategic intent and \nresearch and education priorities through the Center\'s External \nAdvisory Board, and 2) interact directly with faculty and students on \nindividual research projects. Industry partners include Broadcom, \nCisco, eBay, Google, HP, IBM, Intel, Juniper, Microsoft, Oracle/Sun, \nQualcom, Raytheon, Symantec, United Technologies, and Yahoo. 
CISE has \nsimilar active engagement with industry across its portfolio, including \nin four Trustworthy Computing Centers and two Industry & University \nCooperative Research Centers.\n    The following areas--as stated in the Cyberspace Policy Review--are \nnot directly addressable by NSF; however, the Trustworthy Computing \nProgram has invested in foundational research that can facilitate \nprogress.\n    Mid-Term Action Plan #8: Develop mechanisms for cyber security-\nrelated information sharing that address concerns about privacy and \nproprietary information and make information sharing mutually \nbeneficial.\n    Example research areas include methods for specifying and enforcing \nprivacy policies, applying new cryptographic schemes to support access \ncontrol, developing techniques for anonymizing sensitive data, and \nsecure multiparty computation techniques.\n    Mid-Term Action Plan #9: Develop solutions for emergency \ncommunications capabilities during a time of natural disaster, crisis, \nor conflict while ensuring network neutrality.\n    Example research areas include communication patterns during \nemergencies; efficient, robust mesh networks that can operate through \ndisasters; and network architectures for first-responder \ncommunications.\n    Mid-Term Action Plan #13: Implement, for high-value activities \n(e.g., the Smart Grid), an opt-in array of interoperable identity \nmanagement systems to build trust for online transactions and to \nenhance privacy.\n    Example research areas include biometrics, cryptographic means for \nsecuring identities, and access management based on identity and \nexperience.\n    (3) Please discuss how cybersecurity research and development, \neducation and workforce training, and standards development are \ncoordinated with other relevant agencies;\n    NSF coordinates its cyber security research and planning activities \nwith other Federal agencies, including the Departments of Defense (DoD) \nand Homeland 
Security (DHS) and the agencies of the Intelligence
Community, through the following ``mission-bridging'' activities:

        <bullet>  NSF plays a leadership role in the interagency
        Networking and Information Technology Research and Development
        (NITRD) Program. The National Science and Technology Council's
        NITRD Sub-Committee, of which I am co-chair, has played a
        prominent role in the coordination of the Federal government's
        cyber security research investments.

        <bullet>  In January 2008, President Bush initiated the
        Comprehensive National Cybersecurity Initiative (CNCI). The
        current Administration supports and has continued efforts on
        this initiative. One of the goals of the CNCI is to develop
        ``leap-ahead'' technologies that would achieve orders-of-
        magnitude improvements in cybersecurity. Based on this
        directive, a NITRD Senior Steering Group (SSG) for
        Cybersecurity R&D was established to provide a responsive and
        robust conduit for cybersecurity R&D information across the
        policy, fiscal, and research levels of the Government. The SSG
        is composed of senior representatives of agencies with national
        cybersecurity leadership positions, including: DoD, ODNI, DHS,
        NSA, NSF, NIST, OSTP, and OMB. A principal responsibility of
        the SSG is to define, coordinate, and recommend strategic
        Federal R&D objectives in cybersecurity, and to communicate
        research needs and proposed budget priorities to policy makers
        and budget officials, including recommendations to OSTP, OMB,
        and the Joint Inter-Agency Cyber Task Force (JIACTF). One of
        CISE's Division Directors is the co-chair of this group.

        <bullet>  The NITRD CyberSecurity and Information Assurance
        Interagency Working Group (CSIA IWG) coordinates cyber security
        and information assurance research and development across the
        thirteen member agencies, including DoD, the Department of
        Energy (DOE) and the National Security Agency (NSA).

        <bullet>  To facilitate cross conversation between classified
        and unclassified programs in the Federal government, a
        coordinating group called Special Cyber Operations Research and
        Engineering (SCORE) was established, which includes members
        from the SSG. NSF research is reported in this forum. In the
        past year, SCORE has organized a series of workshops
        questioning some commonly held assumptions about technical
        approaches to cybersecurity; NSF investigators have been active
        participants.

        <bullet>  Under the auspices of the NITRD program and the CSIA
        SSG and IWG, NSF and the other member agencies have co-funded
        and co-sponsored a number of workshops:

        -  Science of Security Workshop, co-funded by NSF, NSA, and
        IARPA (November 16-18, 2008): To discuss the foundations of
        making security into a science.

        -  Usability, Security, Privacy Workshop, hosted by the
        National Academies' Computer Science and Telecommunications
        Board (July 21-22, 2009): To advance the study of usability and
        ways to embed usability considerations into the research,
        design and development of secure systems.

        -  Workshop on Clean-Slate Security Architectures, co-funded by
        NSF and DARPA (July 28, 2009): To frame a new security
        architecture that could be the basis of clean-slate networks.

        -  Workshop on Security Research for the Financial
        Infrastructure, co-supported by Treasury, DHS and NSF (October
        28-29, 2009): To gain a better understanding of the security
        problems faced by the financial sector and how the research
        community might help solve those problems.

        -  Workshop on Cyber Security Data for Experimentation (August
        26-27, 2010): To explore options for research access to event
        data.

        -  Summit on Education in Secure Software (October 18-19,
        2010): To develop a comprehensive agenda focused on the
        challenges of secure software education.

        -  NSF Workshop on the Future of Trustworthy Computing (October
        27-29, 2010): To provide context and direction for researchers
        interested in Trustworthy Computing.

        -  NSF/Microsoft Research Workshop on Usable Verification
        (November 15-16, 2010): To stimulate advances in the usability
        of tools for formal verification.

        -  Workshop on Fundamental Research Challenges for Trustworthy
        Biometrics (November 8-9, 2010): To identify underlying
        biometrics research challenges.

        <bullet>  A number of projects have received their seed or
        beginning funding at NSF and then have been picked up by other
        agencies as they see the value of applying basic research to
        their mission challenges. NSF has also encouraged its
        researchers to take advantage of research assets created by its
        partner agencies. For example,

        -  NSF funded the Trustworthy Cyber Infrastructure for the
        Power Grid Center at UIUC; it has now transitioned to DoE/DHS
        for continued funding.

        -  NSF funded the DETER testbed in its early years; it is now
        wholly funded by DHS.

        -  NSF encourages its Principal Investigator (PI) community to
        use the data available from the DHS-funded PREDICT repository
        to validate and test their ideas.
    (4) Please provide feedback on H.R. 4061, the Cybersecurity
Enhancement Act of 2009, from the 111th Congress, by commenting on the
merits of that bill and any areas in which you see room for improvement
or changes.
    The Cyber Security Research and Development Act of 2002 has been an
important asset in stimulating innovative research and development.
NSF's activities are well-aligned with the provisions of the existing
Act and its proposed enhancement. NSF has been working with the
National Coordinating Office (NCO) on a national strategy for research
and development, which is one of the key points in the new draft
legislation. The addition of usability and social and behavioral
factors as areas of research interest is consistent with the path that
NSF is currently pursuing, as is the focus on fostering curriculum
development on principles and techniques of designing secure software.
Calling out investments in center-scale activities is also consistent
with the importance that NSF places on funding centers to create
visibility and activity around important national challenges. As
mentioned above, NSF actively encourages interaction across government,
academic, and commercial sectors. CISE plans to supplement its regular
Advisory Committee with a new panel of industry leaders to further
promote the adoption of research results by industry.
In summary, NSF's
investments in cybersecurity research, education and workforce
development are consistent with the provisions of H.R. 4061.
    (5) How would the Administration's proposed cybersecurity
legislation impact NSF's cyber security activities?
    The National Science Foundation is the Nation's premier agency for
advancing fundamental research and education in science and
engineering. NSF's mission is ``to promote the progress of science;
to advance the national health, prosperity, and welfare; to secure the
national defense.''
    The Administration's proposal is offering a carefully tailored and
measured approach that relies on private sector innovation. This
proposal will enable cyber infrastructure owners and operators to adopt
new strategies and techniques to deal with cyber threats. NSF's R&D
investments enable scientific discovery and engineering advances that
continuously fuel that innovation.

    Conclusions

    In my testimony today, I've tried to show that the pace and scope
of today's cyber threats pose grand challenges to our national critical
infrastructure. I have outlined the investments in NSF's cyber security
research and education portfolio, which show progress and significant
advances over the years. Nonetheless, the Nation needs to invest in
long-term, fundamental and game-changing research if our cybersystems
are to remain secure in the future. I have indicated NSF's role in
addressing the Near- and Mid-Term Action Plans included in the
Cyberspace Policy Review and have detailed our progress in meeting
those objectives. I have also discussed how NSF partners with other
agencies and have given examples of many cross-agency activities.
Finally, I have provided feedback on H.R. 4061, The Cybersecurity
Enhancement Act of 2009, as well as on the Administration's proposed
cybersecurity legislation. I appreciate the opportunity to have this
dialogue with members of your Subcommittees on these very important
topics. With robust sustained support for cyber security research and
development in both the executive and legislative branches, there is a
unique opportunity to protect our national security and enhance our
economic prosperity for decades to come. This concludes my remarks. I
would be happy to answer any questions at this time.

Biography for Dr. Farnam Jahanian, Assistant Director, Directorate for
  Computer and Information Science and Engineering, National Science
                               Foundation
    Farnam Jahanian is the Assistant Director of the Computer and
Information Science and Engineering (CISE) Directorate at the National
Science Foundation. Prior to joining NSF, he held the Edward S.
Davidson Collegiate Professorship in Electrical Engineering and
Computer Science at the University of Michigan, where he served as
Chair for Computer Science and Engineering from 2007--2011 and as
Director of Software Systems Laboratory from 1997--2000. Dr. Jahanian
also serves as co-chair of the Networking and Information Technology
Research and Development (NITRD) Subcommittee of the NSTC Committee on
Technology, providing overall coordination for activities of 14
government agencies.
    At CISE, Dr. Jahanian guides the directorate in its mission to
uphold the nation's leadership in computer and information science and
engineering through its support for fundamental and transformative
advances that are a key driver of economic competitiveness and crucial
to achieving our major national priorities. With a budget of
approximately $618 million, CISE supports ambitious long-term research
and innovation, the creation of cutting-edge facilities and tools,
broad interdisciplinary collaborations, and education and training of
the next generation of computer scientists and information technology
professionals with skills essential to success in the increasingly
competitive, global market.
    Over the last two decades at the University of Michigan, Dr.
Jahanian led several large-scale research projects that studied the
growth and scalability of the Internet infrastructure and which
ultimately transformed how cyber threats are addressed by Internet
Service Providers. His work on Internet routing stability and
convergence has been highly influential within both the network
research and the Internet operational communities. This work was
recently recognized with an ACM SIGCOMM Test of Time Award in 2008. His
research on Internet infrastructure security formed the basis for the
successful Internet security services company Arbor Networks, which he
co-founded in 2001. He served as Chairman of Arbor Networks until its
acquisition by Tektronix Communications, a division of Danaher
Corporation, in 2010.
    The author of over 100 published research papers, Dr. Jahanian has
served on dozens of national advisory boards and government panels. He
has received numerous awards for his research, teaching, and technology
commercialization activities. He has been an active advocate for
economic development efforts over the last decade, working with
entrepreneurs, and frequently lecturing on how basic research can be
uniquely central to an innovation ecosystem that drives economic growth
and global competitiveness. In 2009, he was named Distinguished
University Innovator at the University of Michigan.
    Dr. Jahanian holds a master's degree and a Ph.D. in Computer
Science from the University of Texas at Austin. He is a Fellow of the
American Association for the Advancement of Science (AAAS), the
Association for Computing Machinery (ACM), and the Institute of
Electrical and Electronics Engineers (IEEE).

    Chairman Quayle. Thank you very much.
    The Chair now recognizes our next witness, Ms. Furlani, for
five minutes.

STATEMENT OF MS. CITA FURLANI, DIRECTOR, INFORMATION TECHNOLOGY
   LABORATORY, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

    Ms. Furlani. Thank you very much, Chairmen Quayle and
Brooks, Ranking Members Wu and Lipinski, and Members of the
Subcommittee. I am Cita Furlani, the Director of the
Information Technology Laboratory at the Department of
Commerce's National Institute of Standards and Technology.
Thank you for the opportunity to appear before you today to
discuss NIST's role in protecting information in the digital
age.
    Since the early 1970s, NIST has developed standards to
support federal agencies' information assurance requirements.
Through FISMA, Congress reaffirmed NIST's leadership role in
developing standards for cybersecurity. FISMA provides for the
development and promulgation of Federal Information Processing
Standards, or FIPS, that are compulsory and binding for federal
computer systems. The responsibility for the development of
FIPS rests with NIST.
    NIST works with federal agencies, industry and academia to
research, develop and deploy information security standards and
the technology that is necessary to protect information systems
against threats to the confidentiality, integrity and
availability of information and services.
Consistent with its
mission and with the recommendations of the President's
Cyberspace Policy Review, NIST is actively engaged with private
sector, academia, non-national security federal departments and
agencies, the intelligence community and other elements of the
law enforcement and national security communities to coordinate
and prioritize cybersecurity research, standards development,
standards conformance demonstration, and cybersecurity
education and outreach.
    Our research activities range from innovations in identity
management and verification, to metrics for complex systems, to
development of practical and secure cryptography and quantum
computing environments, to automation of discovery and
maintenance of system security configurations and status, to
techniques for specification and automation of access
authorization in line with many different kinds of access
policies. NIST is actively contributing to the objectives of
several of the near- and midterm action plan activities from
the Cyberspace Policy review.
    The National Initiative for Cybersecurity Education
represents the evolution of the comprehensive National
Cybersecurity Initiative, the work on cybersecurity education,
moving it from a federal focus to a broader national focus.
NIST has assumed the overall coordination role for this effort
and is finalizing a strategic framework and a tactical plan of
operation.
    NIST and the National Security Agency lead an interagency
activity to establish strategic objectives in pursuing the
development of timely, technically sound, international
voluntary consensus cybersecurity standards including a
commitment to the development of an international standards
framework. NIST is an active member in each of the groups
coordinating cybersecurity R&D among federal agencies including
the NITRD CSIA, the SCORE and the Senior Steering Group, all
designed to actively share cybersecurity R&D information across
the policy, fiscal and research levels of the government.
    NIST participated in the creation of the National Strategy
for Trusted Identities in Cyberspace, which calls for a
national program office to coordinate needed federal
activities. This office will be led by NIST and will have full
access to NIST technical expertise as NIST has been actively
involved in the development and interoperability of secure
identity management for many years.
    NIST believes that effective cybersecurity legislation
requires an appropriate balance between short- and long-term
goals as well as providing motivation for strong collaborations
between federal agencies, industry, academia, state and local
governments, and other interested stakeholders. Indeed, the
legislation proposed by the Administration is focused on
improving cybersecurity for the American people and our
Nation's critical infrastructure. NIST looks forward to
leveraging its legacy of research, development and standards in
this area with other federal and private sector partners.
    Thank you for the opportunity today, and I will answer any
questions you may have.
    [The prepared statement of Ms. Furlani follows:]
Prepared Statement of Cita M. Furlani, Director, Information Technology
  Laboratory, National Institute of Standards and Technology, United
                     States Department of Commerce
    Chairmen Quayle and Brooks, Ranking Members Wu and Lipinski and
Members of the Subcommittees, I am Cita M. Furlani, Director of the
Information Technology Laboratory at the Department of Commerce's
National Institute of Standards and Technology (NIST). Thank you for
the opportunity to appear before you today to discuss our role in
protecting information in the digital age.
    As Secretary of Commerce Gary Locke said at the White House during
the launch of the U.S. International Strategy for Cyberspace: ``To
preserve and even improve on people's confidence in cyberspace, we need
an environment that not only rewards innovation and empowers
entrepreneurs, but one that also is constantly improving upon the
integrity of the interactions that take place online.'' NIST's mission
to promote U.S. innovation and industrial competitiveness by advancing
measurement science, standards, and technology in ways that enhance
economic security and improve our quality of life is well positioned to
support that goal.
    As one of the major research components of NIST, the Information
Technology Laboratory (ITL) accelerates, through standards, tests and
metrics, the development, deployment and use of secure, usable,
interoperable and reliable information systems that enable American
businesses to be more innovative and competitive. ITL enables
world-class measurement and testing through research innovations in the
areas of computer science and systems engineering, mathematics, and
statistics. We balance our research portfolio to be responsive to
pressing national priorities while pursuing research necessary to meet
future challenges in measurement science and technology. Our R&D agenda
focuses on the following broad program areas: cloud computing, complex
systems, cybersecurity, biometrics, health information technology,
National Initiative for Cybersecurity Education (NICE), National
Strategy for Trusted Identities in Cyberspace (NSTIC), quantum
information, pervasive information technology, security automation,
smart grid, virtual measurement systems, and voting standards.
    ITL addresses technical challenges through an integrated,
multidisciplinary and systems approach that emphasizes collaboration
with other NIST organizations, the Department of Commerce, other
government agencies, the U.S. private sector, standards development
organizations, and other national and international stakeholders. Our
rich programmatic diversity derives from our mission and mandates like
the Federal Information Security Management Act (FISMA), which charges
ITL to develop cybersecurity standards, guidelines, and associated
methods and techniques. Charged under other legislation, such as the
USA PATRIOT Act, the HITECH Act and the Help America Vote Act, we are
addressing major challenges faced by the nation in the areas of
homeland security, health IT and electronic voting.

    Overview of NIST Cybersecurity Activities

    As you are aware, beginning in the early 1970s with enactment of
the Brooks Act, NIST has developed standards to support federal
agencies' information assurance requirements. Through FISMA, Congress
again reaffirmed NIST's leadership role in developing standards for
cybersecurity. FISMA provides for the development and promulgation of
Federal Information Processing Standards (FIPS) that are ``compulsory
and binding'' for Federal computer systems. The responsibility for the
development of FIPS rests with NIST, and the authority to promulgate
mandatory FIPS is given to the Secretary of Commerce. Section 303 of
FISMA states that NIST shall:

        <bullet>  have the mission of developing standards, guidelines,
        and associated methods and techniques for information systems;

        <bullet>  develop standards and guidelines, including minimum
        requirements, for information systems used or operated by an
        agency or by a contractor of an agency or other organization on
        behalf of an agency, other than national security systems; and

        <bullet>  develop standards and guidelines, including minimum
        requirements, for providing adequate information security for
        all agency operations and assets, but such standards and
        guidelines shall not apply to national security systems.

    NIST's mission in cybersecurity is to work with federal agencies,
industry, and academia to research, develop and deploy information
security standards and technology to protect information systems
against threats to the confidentiality, integrity and availability of
information and services. Consistent with this mission and with the
recommendations of the President's Cyberspace Policy Review, NIST is
actively engaged with private industry, academia, non-national security
federal departments and agencies, the intelligence community, and other
elements of the law enforcement and national security communities in
coordination and prioritization of cybersecurity research, standards
development, standards conformance demonstration and cybersecurity
education and outreach activities. Research activities range from
innovations in identity management and verification, to metrics for
complex systems, to development of practical and secure cryptography in
a quantum computing environment, to automation of discovery and
maintenance of system security configurations and status, to techniques
for specification and automation of access authorization in line with
many different kinds of access policies.
    NIST addresses cybersecurity challenges throughout the information
and communications infrastructure through its cross-community
engagements. Enabled by Congressional funding increases in 2002 and in
response to FISMA, NIST is responsible for establishing and updating,
on a recurring basis, the federal government risk management framework
and cybersecurity controls. The national security community, a number
of state governments and major private sector organizations are also
adopting the risk management framework and cybersecurity controls
designed by NIST. NIST is engaging industry to harmonize standards
conformance requirements to align with industry business models and
system development practices. NIST is also playing a leading security
role in supply chain risk management, Health Information Technology,
the Smart Grid, biometrics/face authentication, cybersecurity education
and training beyond the federal government, next generation voting
systems, and cloud computing. NIST is working with the intelligence and
counterterrorism communities to facilitate cross sector information
sharing among federal, state and local government organizations.
    Recognizing the importance of security-related standards beyond the
federal government, NIST leads national and international consensus
standards activities in cryptography, identity management, biometrics,
electronic credentialing, secure network protocols, software and
systems reliability, and security conformance testing.
    Included in the scope of NIST cybersecurity activities are the
usability of systems such as voting machines, electronic health records
and software interfaces; network security, including standards and
tests for Internet Protocol version 6, Domain Name System Security
(DNSSec), and wireless network protocols; research in mathematical
foundations to determine the security of information systems; the
National Software Reference Library, computer forensics tool testing,
and mobile device forensics; software assurance metrics, tools, and
evaluation; approaches to balancing safety, security, reliability, and
performance in SCADA and other Industrial Control Systems used in
manufacturing and other critical infrastructure industries;
technologies for detection of anomalous behavior, quarantines;
standards, modeling, and measurements to achieve end-to-end security
over heterogeneous, multi-domain networks; biometrics evaluation,
usability, and standards (fingerprint, face, iris, voice/speaker,
multimodal biometrics) and an international competition for a next
generation Secure Hash Algorithm (SHA-3).

    NIST Role in Cyberspace Policy Review Activities

    NIST is actively participating in meeting the objectives of several
of the near- and mid-term action plan activities from the Cyberspace
Policy review.
    National Initiative for Cybersecurity Education
    Cyberspace Policy Review Near-Term Action Item 6: Initiate a
\nnational public awareness and education campaign to promote \ncybersecurity\n    Cyberspace Policy Review Mid-Term Action Item 3: Expand support for \nkey education programs and research and development to ensure the \nNation\'s continued ability to compete in the information age economy\n    Cyberspace Policy Review Mid-Term Action Item 4: Develop a strategy \nto expand and train the workforce, including attracting and retaining \ncybersecurity expertise in the Federal government.\n    The National Initiative for Cybersecurity Education (NICE) \nrepresents the evolution of the Comprehensive National Cybersecurity \nInitiative (CNCI) work on cybersecurity education. The scope of the \ninitiative has been expanded from a federal focus to a broader national \nfocus. NIST has assumed the overall coordination role for the effort, \nand is finalizing a strategic framework and a tactical plan of \noperation to support that framework. This expansion and the overall \ncoordination role by NIST are in response to the President\'s priorities \nas expressed in Chapter II, Building Capacity for a Digital Nation, of \nthe President\'s Cyberspace Policy Review.\n    NIST is currently readying the NICE strategic plan for public \nreview, which should be available this summer. The strategic plan \ndescribes the goals and objectives that support the NICE Vision: a \nsecure digital nation capable of advancing America\'s economic \nprosperity and national security in the 21st century through innovative \ncybersecurity education, training, and awareness on a grand scale.\n    NIST\'s NICE Team is working to unify and coordinate federal \nresources to enable the larger national effort to improve cybersecurity \nawareness, education, and training for the entire country. This effort \nis targeted to all U.S. 
citizens of all ages, and all types of \nprofessions whether it be academia, federal/state/local government, \nbusiness partners (small-medium to large size businesses/companies), \nand local community groups. NICE is comprised of four components.\n\n        <bullet>  Component 1: National Cybersecurity Awareness \n        Campaign, encouraging a national culture of security in \n        cyberspace; lead agency Department of Homeland Security (DHS), \n        supported by Department of Education (ED), National Science \n        Foundation (NSF), Department of Defense (DoD), Office of the \n        Director of National Intelligence (ODNI) and others as \n        identified.\n\n        <bullet>  Component 2: Formal Cybersecurity Education, enabling \n        a broader pool of skilled workers for a cyber-secure nation; \n        lead agencies DoED and NSF, supported by Office of Personnel \n        Management (OPM), DHS, National Security Agency (NSA) and \n        others as identified (e.g., Department of Labor).\n\n        <bullet>  Component 3: Cybersecurity Workforce Structure, \n        defining cybersecurity jobs, attraction, recruitment, \n        retention, and career path strategies; lead agency DHS and \n        supported by OPM.\n\n        <bullet>  Component 4: Cybersecurity Workforce Training and \n        Development, enabling the development and maintenance of an \n        unrivaled cyber workforce; lead agencies DHS, DoD and ODNI, \n        supported by OPM, DoED, NSF, and others as identified.\n\n    In addition, NIST co-chairs the Networking and Information \nTechnology Research and Development (NITRD) Social, Economic, and \nWorkforce Implications of IT and IT Workforce Development (SEW) \nCoordinating Group Education Team. 
The NITRD SEW Education Team was \nrecently established to focus on workforce development, training, and \neducation needs arising from the growing demand for productive \ninformation technology-skilled workers and the role of innovative IT \napplications in education and training. The group is currently \ndeveloping a draft set of priority federal research areas in education \nand IT.\n    International Cybersecurity Policy Framework\n    Cyberspace Policy Review Near-Term Action Item 7: Develop U.S. \nGovernment positions for an international cybersecurity policy \nframework and strengthen our international partnerships to create \ninitiatives that address the full range of activities, policies, and \nopportunities associated with cybersecurity.\n    Cyberspace Policy Review Mid-Term Action Item 12: Use the \ninfrastructure objectives and the research and development framework to \ndefine goals for national and international standards bodies\n    To support the U.S. Government\'s international cybersecurity policy \nframework and strengthen our international partnerships, NIST and the \nNational Security Agency lead an interagency activity to establish \nstrategic objectives in pursuing the development of timely, technically \nsound international voluntary consensus cybersecurity standards. This \nincludes commitment to the development of an international standards \nframework that:\n\n        <bullet>  Ensures the availability of standards that promote \n        security and resiliency for all U.S. 
information systems;\n\n        <bullet>  Specifies performance criteria rather than detailed \n        design criteria;\n\n        <bullet>  Is open to innovation; and\n\n        <bullet>  Discourages barriers to international trade.\n\n    Game Changing Technologies\n    Cyberspace Policy Review Near-Term Action Item 9: In collaboration \nwith other EOP entities, develop a framework for research and \ndevelopment strategies that focus on game-changing technologies that \nhave the potential to enhance the security, reliability, resilience, \nand trustworthiness of digital infrastructure; provide the research \ncommunity access to event data to facilitate developing tools, testing \ntheories, and identifying workable solutions.\n    NIST is an active member in the groups that coordinate the \ncybersecurity research and development agenda for federal agencies. The \nNITRD Cyber Security and Information Assurance Interagency Working \nGroup (CSIA IWG), co-chaired by NIST, coordinates research and \ndevelopment to prevent, resist, detect, respond to, and/or recover from \nactions that compromise or threaten to compromise the availability, \nintegrity, or confidentiality of computer- and network-based systems. \nThe Special Cyber Operations Research and Engineering (SCORE) \nInteragency Working Group works in parallel to the CSIA IWG to \ncoordinate classified cybersecurity R&D. Representatives from both of \nthese groups participate together in the Senior Steering Group (SSG) \nfor CSIA R&D, to actively share cybersecurity R&D information across \nthe policy, fiscal, and research levels of the Government.\n    In May 2010, the CSIA IWG released its ``Cybersecurity Game-Change \nResearch & Development Recommendations,\'\' \\1\\ identifying three primary \nR&D themes to motivate future Federal cybersecurity research \nactivities: (a) Moving Target, (b) Tailored Trustworthy Spaces, and (c) \nCyber Economic Incentives. 
These themes are designed to inspire Federal \nand private cybersecurity researchers to discover novel solutions to \nincrease the nation\'s cybersecurity protections. The NITRD CSIA IWG is \ncurrently developing a ``Trustworthy Cyberspace: Strategic Plan for the \nFederal Cybersecurity Research and Development Program.\'\'\n---------------------------------------------------------------------------\n    \\1\\  The full document is available at http://nitrd.gov/PUBS/\nCSIA_IWG_%20Cybersecurity_%20GameChange_RD_%20Recommendations_20100513.pdf\n---------------------------------------------------------------------------\n    Many of NIST\'s research activities include standards and \ntechnologies that will address the three R&D themes recommended by the \nCSIA IWG, including, but not limited to,\n\n    Multi-Factor Authentication methods\n\n        <bullet>  NIST has successfully initiated an international \n        standards project on anti-spoofing/liveness detection within \n        ISO/IEC JTC 1 SC 37 (Biometrics). This is the first standards \n        project in this field, with the goal of strengthening the \n        security of biometrics as an authentication factor for \n        unattended applications. NIST is leading an international \n        ``team\'\' of co-editors and has completed the first official \n        working draft.\n\n        <bullet>  On March 31, NIST released results from the latest in \n        its series of tests of fingerprint minutiae match-on-card (MOC) \n        implementations. The report, NIST Interagency Report 7477, \n        Revision II, details results for 17 MOC implementations \n        submitted by 12 fingerprint-provider card-provider teams. 
The \n        study shows that there are now five implementation providers \n        that can meet the error rate requirements for Homeland Security \n        Presidential Directive/HSPD-12 Personal Identity Verification \n        (for biometric matching off card) while being able to process \n        the comparison on a smartcard. This is a great example of \n        successful standards and testing work to provide multi-factor \n        authentication that is a privacy-enhancing solution.\n\n        <bullet>  NIST is collaborating with OASIS, ANSI/INCITS M1 and \n        ISO JTC 1 SC 37 in developing web services protocols to enable \n        the use of biometrics as a second factor for remote \n        authentication of users for applications requiring higher \n        levels of assurance. Biometrics and Web services may be \n        combined to enhance mobile identification and remote \n        authentication capabilities.\n\n    Foundations of Measurement Science for Information Systems\n\n        <bullet>  Developing measurement and modeling techniques needed \n        to enable the characterization, prediction, and control of the \n        security of dynamic, large-scale interconnected information \n        systems.\n\n    Emerging Virtual Technologies\n\n        <bullet>  Implementing a cloud computing and virtualization \n        test environment to evaluate the security of virtualization \n        techniques and the cloud computing systems and to develop ideas \n        to mitigate security vulnerabilities in virtualized and cloud \n        systems.\n\n        <bullet>  Leverage the test environment to support some of the \n        Standards Acceleration to Jumpstart Adoption of Cloud Computing \n        (SAJACC) use cases by implementing a proof of concept for \n        supporting the NIST 800-53 security control requirements for \n        low and moderate impact baseline to a cloud computing service \n        model such as infrastructure as a service 
reference \n        implementation, which includes typical virtual workloads \n        running on commercial hypervisors.\n\n        <bullet>  Define some typical use cases involving migrating \n        virtual workloads from a private cloud to a public or community \n        cloud while demonstrating compliance with the security and \n        audit requirements.\n\n    Usability of Security\n\n        <bullet>  Developed an in-depth interview instrument to explore \n        users\' perception of online risk, trust, privacy, and their \n        knowledge of computer security terms and mechanisms. The goal \n        of this effort is to understand users\' mental models in order \n        to assist in computer security education and training.\n\n        <bullet>  Completed the analysis of the password survey that \n        was performed at NIST. Now analyzing the survey results from \n        all of the Bureaus within the Department of Commerce; the survey \n        closed at the end of April 2011.\n\n        <bullet>  Preparing to implement a second usability pilot based \n        on the lessons learned with the Homeland Security Presidential \n        Directive/HSPD-12 Personal Identity Verification (PIV) pilot at \n        NIST.\n\n        <bullet>  Planning studies to evaluate the tradeoff of error \n        rates in the human limitation between memory and typing and the \n        complexity of the password.\n\n    Quantum Computing\n\n        <bullet>  Researching cryptographic algorithms for public key-\n        based key agreement and digital signatures that are not \n        susceptible to cryptanalysis by quantum algorithms. 
Results are \n        expected to be submitted to relevant standards development \n        organizations.\n\n    Mobile Handheld Device Security and Forensics\n\n        <bullet>  Developing tests and methodologies that will improve \n        the security of mobile devices and enable the advancement of \n        the state of the art in mobile device forensics.\n\n    Security for Pervasive Systems and Grid Computing\n\n        <bullet>  Investigating trust management frameworks, protocols, \n        and application programming interfaces for generalized \n        pervasive systems security functions.\n\n    National Strategy for Trusted Identities in Cyberspace\n\n    Cyberspace Policy Review Near-Term Action Item 10: Build a \ncybersecurity-based identity management vision and strategy that \naddresses privacy and civil liberties interests, leveraging privacy-\nenhancing technologies for the Nation.\n\n    Cyberspace Policy Review Mid-Term Action Item 13: Implement, for \nhigh-value activities (e.g., the Smart Grid), an opt-in array of \ninteroperable identity management systems to build trust for online \ntransactions and to enhance privacy.\n\n    Under the leadership of the National Cybersecurity Coordinator, a \nmulti-agency team, of which NIST was a substantial partner, created \n``The National Strategy for Trusted Identities in Cyberspace,\'\' which \nlaid out the vision for individuals and organizations to be able to \nutilize secure, efficient, easy-to-use, and interoperable identity \nsolutions to access online services in a manner that promotes \nconfidence, privacy, choice, and innovation. The Strategy calls for a \nNational Program Office to facilitate the carrying out of the Strategy \nand the development of interoperable technology standards and \npolicies--an ``Identity Ecosystem\'\'--where individuals, organizations, \nand underlying infrastructure--such as routers and servers--can be \nauthoritatively authenticated. 
The goals of the Strategy are to promote \nprivate sector capabilities for protecting individuals, businesses, and \npublic agencies from the high costs of cyber crimes like identity theft \nand fraud, while simultaneously helping to ensure that the Internet \ncontinues to support innovation and a thriving marketplace of products \nand ideas in a privacy enhancing manner.\n    The National Program Office (NPO), to be established within the \nDepartment of Commerce, will coordinate the federal activities--\nincluding coordination of cooperative public/private efforts--needed to \nimplement NSTIC. The office will be led by NIST with activities \ninvolving public policy development and privacy protections to be led \nby the National Telecommunications and Information Administration. The \nNPO will have full access to NIST technical expertise, both in the \ndevelopment and acceptance of broad consensus-based standards. NIST has \nbeen actively involved in the development and interoperability of \nsecure identity management for many years and recently initiated \nresearch into how to make such identity schemes easy to use and hard to \nmisuse.\n    NIST has hired an internationally recognized expert in identity \nmanagement to manage the establishment of the NSTIC NPO. NIST has also \nannounced the first in a series of workshops to collect public comments \non possible private-sector led governance structures for the Identity \nEcosystem. This first workshop will be held June 9-10, 2011 in \nWashington, D.C. 
Finally, NIST is working with others in the Department \nof Commerce to develop and release a Notice of Inquiry to achieve even \ngreater public comment on the issue of governance.\n\n    Risk Management Framework\n\n    Cyberspace Policy Review Mid-Term Action Item 6: Develop a set of \nthreat scenarios and metrics that can be used for risk management \ndecisions, recovery planning, and prioritization of R&D.\n    NIST has produced Special Publication 800-34 ``Contingency Planning \nGuide for Federal Information Systems\'\' to assist with planning for \nsystem recovery and is currently working on \nSpecial Publication 800-30 revision 1, ``Risk Management Guide,\'\' \nwhich will provide guidance to agencies in threat identification, \nthreat modeling, and threat metrics for use in risk management \ndecisions. The current set of NIST Security Automation specifications \nincludes the Common Vulnerability Scoring System, which is a metric-\nbased score for known vulnerabilities in the National Vulnerability \nDatabase. This information is used by federal agencies, industry, and \ninternationally as an input to threat metrics for risk based decision \nmaking. 
NIST plans to extend these specifications into additional \ninformation areas to further facilitate threat discovery, \nidentification, and measurement.\n\n    NIST Cybersecurity Coordination with Other Government Agencies\n\n    As mentioned above, NIST is actively engaged with private industry, \nacademia, and other Federal agencies, including those in the NITRD \ncommunity, in coordination of cybersecurity research and development.\n    In addition, under the provisions of the National Technology \nTransfer and Advancement Act (PL 104-113) and OMB Circular A-119, NIST \nis tasked with the key role of encouraging and coordinating federal \nagency use of voluntary consensus standards and participation in the \ndevelopment of relevant standards, as well as promoting coordination \nbetween the public and private sectors in the development of standards \nand in conformity assessment activities. NIST works with other agencies \nto coordinate standards issues and priorities with the private sector \nthrough consensus standards organizations such as the American National \nStandards Institute (ANSI), the International Organization for \nStandardization (ISO), the Institute of Electrical and Electronic \nEngineers (IEEE), the Internet Engineering Task Force (IETF), the \nOrganization for the Advancement of Structured Information Standards \n(OASIS), and the International Telecommunication Union (ITU). 
Key \ncontributions NIST has made include:\n\n        <bullet>  Development of the current Federal cryptographic and \n        cybersecurity assurance standards that have been adopted by \n        many state governments, national governments, and much of \n        industry;\n\n        <bullet>  Development of the identity credentialing and \n        management standard for Federal employees and contractors (also \n        becoming the de facto national standard);\n\n        <bullet>  Development of the standard and conformance test \n        capability for interoperable multi-vendor fingerprint minutia \n        capture and verification;\n\n        <bullet>  Development and demonstration of quantum key \n        distribution;\n\n        <bullet>  Establishment of a national cyber vulnerability \n        database;\n\n        <bullet>  Establishment of U.S. Government IPv6 Test Program;\n\n        <bullet>  Assisting the General Services Administration in \n        deploying DNSSec on the .gov Top Level Domain; and\n\n        <bullet>  Establishment and oversight of an international \n        cryptographic algorithm and module validation program. (Over \n        1,440 cryptographic module validation certificates have been \n        issued, representing over 3,100 modules. These modules have \n        been developed by more than 335 domestic and international \n        vendors.)\n\n    Cybersecurity Legislation\n\n    The President made cybersecurity an Administration priority upon \ntaking office. During the release of his Cyberspace Policy Review in \n2009, the President declared that the ``cyber threat is one of the most \nserious economic and national security challenges we face as a \nnation.\'\'\n    Over the past two years, the Administration has taken significant \nsteps to ensure that Americans, our businesses, and our government are \nbuilding better protections against cyber threats. 
Departments and \nagencies have implemented programs to enhance their risk management \nwith regard to federal systems.\n    NIST believes that effective cybersecurity legislation requires an \nappropriate balance between short and long term goals, as well as \nproviding motivation for strong collaborations between federal \nagencies, industry, academia, state and local governments and other \ninterested stakeholders. The proposed legislation is focused on \nimproving cybersecurity for the American people, our Nation\'s critical \ninfrastructure, and the Federal Government\'s own networks and \ncomputers. NIST looks forward to playing its part, leveraging its \nlegacy of research, development, and standards in this area with other \nfederal and private sector partners.\n\n    Conclusion\n\n    NIST is actively involved with other federal agencies, industry and \nacademia to address the highest priority cybersecurity research and \ndevelopment needs. NIST\'s expertise and mission provide the best \nenvironment for performing the research necessary to enable the \ninnovative cybersecurity specifications, standards, assurance \nprocesses, and training needed for securing U.S. Government and \ncritical infrastructure information systems as well as many other \nelements of the Nation\'s digital infrastructure to mitigate the growing \nthreat. Finally, consistent with the NIST 3-Year Planning Report, NIST \nplans to expand its focus on cybersecurity challenges associated with \nhealthcare IT, the Smart Grid, automation of federal systems security \nconformance, and cybersecurity game-changing research.\n    Thank you for the opportunity to testify today on NIST\'s Federal \ncybersecurity research and development efforts. I would be happy to \nanswer any questions that you may have.\n\n   Biography for Ms. Cita Furlani, Director, Information Technology \n       Laboratory, National Institute of Standards and Technology\n    Cita M. 
Furlani is Director of the Information Technology \nLaboratory (ITL). ITL is one of six research Laboratories within the \nNational Institute of Standards and Technology (NIST) with an annual \nbudget of $120 million, 367 employees, and about 160 guest researchers \nfrom industry, universities, and foreign laboratories.\n    Furlani oversees a research program designed to promote U.S. \ninnovation and industrial competitiveness by developing and \ndisseminating standards, measurements, and testing for \ninteroperability, security, usability, and reliability of information \nsystems, including cybersecurity standards and guidelines for Federal \nagencies and U.S. industry, supporting these and measurement science at \nNIST through fundamental and applied research in computer science, \nmathematics, and statistics. Through its efforts, ITL seeks to enhance \nproductivity and public safety, facilitate trade, and improve the \nquality of life.\n    Within NIST\'s traditional role as the overseer of the National \nMeasurement System, ITL is addressing the hard problems in IT \nMeasurement Research. ITL\'s research results in metrics, tests, and \ntools for a wide range of subjects such as complex systems, pervasive \ninformation technologies, and virtual measurements, as well as issues \nof information and software quality, integrity, and usability.\n    ITL has been charged with leading the nation in utilizing existing \nand emerging IT to meet national priorities that reflect the broad-\nbased social, economic, and political values and goals of the country. \nUnder the Federal Information Security Management Act, ITL is charged \nwith developing cybersecurity standards, guidelines, and associated \nmethods and techniques. 
Under other legislation, such as the USA \nPATRIOT Act, the Help America Vote Act, and the American \nRecovery and Reinvestment Act, ITL is addressing the major \nchallenges faced by the nation in the areas of homeland security, \nelectronic voting, and health information technology.\n    Furlani has served as the Acting Director of the NIST Advanced \nTechnology Program and as Chief Information Officer for NIST. She \npreviously served as director of the National Coordination Office for \nNetworking and Information Technology Research and Development.\n    This office, reporting to the White House through the Office of \nScience and Technology Policy and the National Science and Technology \nCouncil, coordinates the planning, budget, and assessment activities \nfor the Networking and Information Technology Research and Development \nProgram.\n    She has been awarded the Department of Commerce Silver and Bronze \nMedal Awards.\n\n    Chairman Quayle. Thank you, Ms. Furlani.\n    The Chair now recognizes our final witness, Rear Admiral \nBrown, for five minutes.\n\n     STATEMENT OF REAR ADMIRAL MICHAEL A. BROWN, DIRECTOR, \n  CYBERSECURITY COORDINATION, DEPARTMENT OF HOMELAND SECURITY\n\n    Admiral Brown. Good morning, Chairmen Quayle and Brooks, \nRanking Members Wu and Lipinski, and distinguished Members of \nthe Committee. It is a pleasure for me to be here today to \ndiscuss the important issue of cybersecurity.\n    My testimony will provide an overview of the current \ncybersecurity environment, the cybersecurity mission carried \nout by the National Protection and Programs Directorate, and \nthe coordination of this mission with our public and private \nsector partners.\n    As you well know, these operational missions benefit from \nand drive many of the requirements for the research and \ndevelopment work of the DHS Science and Technology Directorate. 
\nWe also coordinate closely with our interagency partners such \nas the National Institute of Standards and Technology in the \ndevelopment and application of cybersecurity standards that are \nrelevant across our mission set. Of note, the legislative \nproposal recently introduced by the Administration would, if \nenacted, provide a single statutory authorization which would \nenable DHS to better fulfill our critical infrastructure and \ncivilian government cybersecurity responsibilities.\n    As you stated, we are very dependent on digital networks as \npart of our day-to-day lives. Without a secure cyberspace, many \naspects of modern life, our economies, our health care systems \nand our transportation and communications networks would grind \nto a halt. DHS\'s roles and missions reflect a bipartisan \nagreement as established under the previous Administration and \nexpanded upon under the current Administration. We have several \nspecific roles in cybersecurity.\n    The first is protecting the federal Executive Branch \ncivilian agencies, in other words, the dot-gov world. The \nsecond is leading the protection of critical infrastructure \nsuch as power plants, financial markets, communication systems \nand major transportation hubs. Thirdly, DHS must lead the \nnational response to major cyber incidents. Finally, we lead \nthe educational efforts to raise public awareness about the \nneed for cyber hygiene and responsible use of computers. These \nmissions require a full range of partners including other \ngovernment agencies, the private sector and individual users of \nthe Internet.\n    At the Department, we believe cyberspace is fundamentally a \nvibrant civilian space similar to a neighborhood, a library, a \nmarketplace or a workshop. We also know that it can facilitate \nconflict, exploitation and criminal activity. Just last year, a \nleading cybersecurity firm reported a 93 percent increase in \ncyberattacks compared with the year before. 
DHS\'s role within \nthat space which constitutes both the dot-gov and the dot-com \nenvironments results in unique technical, legal and policy \nchallenges. Our responsibilities cover distributed networks \nwith vastly different ownership, configuration and legal \nconsiderations as compared to DOD networks that are relatively \nclosed and owned by DOD.\n    We have accomplishments. We are moving on several fronts. \nThe Department is deploying an intrusion detection system known \nas EINSTEIN to protect the dot-gov world and we are providing \nthe latest tools and information to our infrastructure partners \nto support the financial services, transportation, energy and \ndefense industries, to name a few. We have also deployed fly-\naway teams to assist private companies as they seek to prevent \nand combat cyber attacks against their networks. In addition, \nthe Department has spearheaded the development and testing of \nthe first-ever National Cyber Incident Response Plan, which \nenables us to coordinate the response at all levels. This is \nnot a standalone document. It has been used to respond to \nsignificant real-world events this year. We are focused on \nbuilding a world-class cybersecurity team of professionals, \ncomputer engineers, scientists, analysts to secure the Nation\'s \ndigital assets and critical infrastructure.\n    From the National Cyber Security Division, we have \ncoordinated with the Science and Technology Directorate for \nmany years on research and development requirements for \ncybersecurity. Our NCSD\'s Research and Standards Integration \nTeam communicates regularly our R&D requirements for inclusion \nin S&T\'s broad area announcements and Small Business Innovation \nResearch information. The NCSD research is currently working \nwith the S&T to identify and pursue specialized technologies \nthat could be integrated into our operational posture. 
In the \npast, while some adopted technologies did not work well, we \nhave worked to prevent this problem in the future, and NCSD is \nfinalizing a technology transition process to ensure these new \ntechnologies will deliver the desired functionalities and be \ncompatible. In addition, we have regular, ongoing efforts with \nNIST in developing standards related to software assurance, \nsmart grid technologies and supply chain risk management.\n    Thank you, and I look forward to your questions.\n    [The prepared statement of Admiral Brown follows:]\n   Prepared Statement of RADM Michael Brown, Director, Cybersecurity \nCoordination, National Protection and Programs Directorate, Department \n                          of Homeland Security\n    Chairmen Quayle and Brooks, Ranking Members Wu and Lipinski, and \ndistinguished Members of the Committee, it is a pleasure to appear \nbefore you today to discuss the important issue of cybersecurity. My \ntestimony will provide an overview of the current cybersecurity \nenvironment, the cybersecurity mission carried out by the National \nProtection and Programs Directorate (NPPD), and the coordination of \nthis mission with our public and private sector partners. As you well \nknow, these operational missions benefit from, and drive the \nrequirements for, the research and development work of the DHS Science \nand Technology directorate. We also coordinate closely with our \ninteragency partners, such as the National Institute of Standards and \nTechnology, in the development and application of cybersecurity \nstandards that are relevant across our mission set.\n    I look forward to exploring how we might work collaboratively with \nthe Committee, and I applaud the Committee for holding this hearing as \na step toward such important cooperation.\n    Moving forward, we would like to work more closely with you to \nconvey the relevance of cybersecurity to average Americans. 
\nIncreasingly, the services we rely on for daily life, such as water \ndistribution and treatment, electricity generation and transmission, \nhealthcare, transportation, and financial transactions depend on an \nunderlying information technology and communications infrastructure. \nCyber threats put the availability and security of these and other \nservices at risk.\n\n    The Current Cybersecurity Environment\n\n    The United States confronts a combination of known and unknown \nvulnerabilities, strong and rapidly expanding adversary capabilities, \nand a lack of comprehensive threat and vulnerability awareness. Within \nthis dynamic environment, we are confronted with threats that are more \ntargeted, more sophisticated, and more serious.\n    Sensitive information is routinely stolen from both government and \nprivate sector networks, undermining confidence in our information \nsystems, the information collection and sharing process and, as bad as \nthe loss of precious national intellectual capital is, we increasingly \nface threats that are even greater. We currently cannot be certain that \nour information infrastructure will remain accessible and reliable \nduring a time of crisis.\n    We face persistent, unauthorized, and often unattributed intrusions \ninto Federal Executive Branch civilian networks. These intruders span a \nspectrum of malicious actors, including nation states, terrorist \nnetworks, organized criminal groups, or individuals located here in the \nUnited States. They have varying levels of access and technical \nsophistication, but all have nefarious intent. Several are capable of \ntargeting elements of the U.S. information infrastructure to disrupt, \ndismantle, or destroy systems upon which we depend. Motives include \nintelligence collection, intellectual property or monetary theft, or \ndisruption of commercial activities, among others. 
Criminal elements \ncontinue to show increasing levels of sophistication in their technical \nand targeting capabilities and have shown a willingness to sell these \ncapabilities on the underground market. In addition, terrorist groups \nand their sympathizers have expressed interest in using cyberspace to \ntarget and harm the United States and its citizens. While some have \ncommented on terrorists\' own lack of technical abilities, the \navailability of technical tools for purchase and use remains a \npotential threat.\n    In the virtual world of cyberspace, malicious cyber activity can \ninstantaneously result in virtual or physical consequences that \nthreaten national and economic security, critical infrastructure, \npublic health and welfare, and confidence in government. Similarly, \nstealthy intruders can lay a hidden foundation for future exploitation \nor attack, which they can then execute at their leisure- and at their \ntime of greatest advantage. Securing cyberspace requires a layered \nsecurity approach. Moreover, securing cyberspace is also critical to \naccomplishing nearly all of DHS\'s other missions successfully.\n    In cyberspace, we need to ensure that the federal environments are \nsecure and that legitimate traffic is allowed to flow freely while \nmalicious traffic is prevented from penetrating our defenses. \nSimilarly, we need to support our state and local government and \nprivate sector partners as they secure themselves against malicious \nactivity. Collaboratively, public and private sector partners must use \nour knowledge of these systems and their interdependencies to prepare \nto respond should our defensive efforts fail. 
This is a serious \nchallenge, and DHS is continually making strides to improve the \nnation\'s overall operational posture and policy efforts.\n\n    The DHS Cybersecurity Mission\n\n    The Department of Homeland Security is responsible for helping \nFederal Executive Branch civilian agencies secure their unclassified \nnetworks. DHS also works with owners and operators of critical \ninfrastructure and key resources (CIKR) sectors-whether private sector, \nstate, or municipality-owned-to bolster their cybersecurity \npreparedness, risk assessment and mitigation, and incident response \ncapabilities. The Department has a number of foundational and \nforward-looking efforts under way, many of which stem from the 2008 \nComprehensive National Cybersecurity Initiative (CNCI). We are reducing \nand consolidating the number of external connections federal agencies \nhave to the Internet through the Trusted Internet Connections (TIC) \ninitiative. Further, DHS continues to deploy its intrusion detection \ncapability, known as EINSTEIN 2, to improve the security of \ncommunications entering or leaving the federal government through those \nTICs. In addition, through the United States Computer Emergency \nReadiness Team (US-CERT), we are working more closely than ever with \nour public and private sector partners to share what we learn from \nEINSTEIN 2 and to deepen our collective understanding, identify threats \ncollaboratively, and develop effective security responses.\n    In a reflection of the bipartisan nature with which the federal \ngovernment continues to approach cybersecurity, President Obama \ndetermined that the CNCI and its associated activities should evolve to \nbecome key elements of the broader national cybersecurity efforts. \nThese CNCI initiatives play a central role in achieving many of the key \nrecommendations of the President\'s Cyberspace Policy Review: Assuring a \nTrusted and Resilient Information and Communications Infrastructure. 
\nFollowing the publication of those recommendations in May 2009, DHS and \nits components developed a long-range vision of cybersecurity for the \nDepartment and the nation\'s homeland security enterprise, which is \nencapsulated in the Quadrennial Homeland Security Review (QHSR). The \nQHSR provides an overarching framework for the Department and defines \nour key priorities and goals. One of the five priority areas detailed \nin the QHSR is safeguarding and securing cyberspace. Within the \ncybersecurity mission area, the QHSR identifies two overarching goals: \nto help create a safe, secure and resilient cyber environment; and to \npromote cybersecurity knowledge and innovation.\n    In alignment with the QHSR, Secretary Napolitano consolidated many \nof the Department\'s cybersecurity efforts under the National Protection \nand Programs Directorate (NPPD). The Office of Cybersecurity and \nCommunications (CS&C), a component of NPPD, focuses on reducing risk to \nthe nation\'s communications and information technology infrastructures \nand the sectors that depend upon them, as well as enabling timely \nresponse and recovery of these infrastructures under all circumstances. \nThe functions and mission of the National Cybersecurity Center (NCSC) \nare now supported by CS&C. These functions include coordinating \noperations among the six largest federal cyber centers. CS&C also \ncoordinates national security and emergency preparedness communications \nplanning and provisioning for the federal government and other \nstakeholders. CS&C comprises three divisions: the National Cyber \nSecurity Division (NCSD), the Office of Emergency Communications, and \nthe National Communications System.\n    Teamwork-ranging from intra-agency to international collaboration-\nis essential to securing cyberspace. Simply put, the cybersecurity \nmission cannot be accomplished by any one agency; it requires teamwork \nand coordination. 
Together, we can leverage resources, personnel, and \nskill sets that are needed to accomplish the cybersecurity mission.\n    NCSD collaborates with federal government stakeholders, including \ncivilian agencies, law enforcement, the military, the intelligence \ncommunity, state and local partners, and private sector stakeholders, \nto conduct risk assessments and mitigate vulnerabilities and threats to \ninformation technology assets and activities affecting the operation of \ncivilian government and private sector critical infrastructures. NCSD \nalso provides cyber threat and vulnerability analysis, early warning, \nand incident response assistance for public and private sector \nconstituents. To that end, NCSD carries out the majority of DHS\' non-\nlaw enforcement cybersecurity responsibilities.\n\n    National Cyber Incident Response\n\n    The President\'s Cyberspace Policy Review called for ``a \ncomprehensive framework to facilitate coordinated responses by \ngovernment, the private sector, and allies to a significant cyber \nincident.\'\' DHS coordinated the interagency, state and local \ngovernment, and private sector working group that developed the \nNational Cyber Incident Response Plan. The plan provides a framework \nfor effective incident response capabilities and coordination among \nfederal agencies, state and local governments, the private sector, and \ninternational partners during significant cyber incidents. It is \ndesigned to be flexible and adaptable to allow synchronization of \nresponse activities across jurisdictional lines. In September 2010, DHS \nhosted Cyber Storm III, a response exercise in which members of the \ndomestic and international cyber incident response community addressed \nthe scenario of a coordinated cyber event. During the event, the \nNational Cyber Incident Response Plan was activated and its incident \nresponse framework was tested. 
Based on observations from the exercise, \nthe plan is in its final stages of revision prior to publication.\n    Cyber Storm III also tested the National Cybersecurity and \nCommunications Integration Center (NCCIC)-DHS\' 24-hour cyber watch and \nwarning center-and the federal government\'s full suite of cybersecurity \nresponse capabilities. The NCCIC works closely with government at all \nlevels and with the private sector to coordinate the integrated and \nunified response to cyber and communications incidents impacting \nhomeland security.\n    Numerous DHS components, including US-CERT, the Industrial Control \nSystems Cyber Emergency Response Team (ICS-CERT), and the National \nCoordinating Center for Telecommunications (NCC), are collocated into \nthe NCCIC. Also present in the NCCIC are other federal partners, such \nas the Department of Defense (DoD) and members of the law enforcement \nand intelligence communities. The NCCIC also physically collocates \nfederal staff with private sector and non-governmental partners.\n    By leveraging the integrated operational capabilities of its member \norganizations, the NCCIC serves as an ``always on\'\' cyber incident \nresponse and management center, providing indications and warning of \nimminent incidents, and maintaining a national cyber ``common operating \npicture.\'\' This facilitates situational awareness among all partner \norganizations, and also creates a repository of all vulnerability, \nintrusion, incident, and mitigation activities. The NCCIC also serves \nas a national point of integration for cyber expertise and \ncollaboration, particularly when developing guidance to mitigate risks \nand resolve incidents. 
Finally, the unique and integrated nature of the \nNCCIC allows for a scalable and flexible coordination with all \ninteragency and private sector staff during steady-state operations, in \norder to strengthen relationships and solidify procedures as well as \neffectively incorporate partners as needed during incidents.\n\n    Providing Technical Expertise to the Private Sector and Critical \nInfrastructure\n\n    US-CERT provides remote and onsite response support and defense \nagainst malicious cyber activity for the Federal Executive Branch \ncivilian networks. US-CERT also collaborates and shares information \nwith state and local government, industry, critical infrastructure \nowners and operators, and international partners to address cyber \nthreats and develop effective security responses.\n    In addition to specific mitigation work we conduct with individual \ncompanies and sectors, DHS looks at the interdependencies across \ncritical infrastructure sectors for a holistic approach to providing \nour cyber expertise. For example, the electric, nuclear, water, \ntransportation, and communications sectors support functions across all \nlevels of government including federal, state, local, and tribal \ngovernments. Government bodies and organizations do not inherently \nproduce these services and must rely on private sector organizations, \njust as other businesses and private citizens do. Therefore, an event \nimpacting control systems has potential implications at all these \nlevels, and could also have cascading effects upon all 18 sectors. For \nexample, water and wastewater treatment, chemical, and transportation \ndepend on the energy sector, and failure in one of these sectors could \nsubsequently affect the operations of state, local, or even federal \ngovernment.\n    NCCIC\'s operations are complemented in the arena of industrial \ncontrol systems by ICS-CERT. 
The term ``control system\'\' encompasses \nseveral types of systems, including Supervisory Control and Data \nAcquisition (SCADA), process control, and other automated systems that \nare found in the industrial sectors and critical infrastructure. These \nsystems are used to operate physical processes that produce the goods \nand services that we rely upon, such as energy, drinking water, \nemergency services, transportation, postal and shipping, and public \nhealth. Control systems security is particularly important because of \nthe inherent interconnectedness of the CIKR sectors and their \ndependence on one another.\n    As such, assessing risk and effectively securing industrial control \nsystems are vital to maintaining our nation\'s strategic interests, \npublic safety, and economic well-being. A successful cyber attack on a \ncontrol system could result in physical damage, loss of life, and \ncascading effects that could disrupt services. DHS recognizes that the \nprotection and security of control systems is essential to the nation\'s \noverarching security and economy. In this context, as an example of the \nmany related initiatives/activities, DHS-in coordination with the \nDepartment of Commerce\'s National Institute of Standards and Technology \n(NIST), the Department of Energy, and DoD-has provided a forum for \nresearchers, subject matter experts and practitioners dealing with \ncyber-physical systems security to assess the current state of the art, \nidentify challenges, and provide input to developing strategies for \naddressing these challenges. Specific infrastructure sectors considered \ninclude energy, chemical, transportation, water and wastewater \ntreatment, healthcare and public health, and commercial facilities. 
A \n2010 published report of findings and recommendations is available upon \nrequest.\n    ICS-CERT provides onsite support to owners and operators of \ncritical infrastructure for protection against and response to cyber \nthreats, including incident response, forensic analysis, and site \nassessments. ICS-CERT also provides tools and training to increase \nstakeholder awareness of evolving threats to industrial control \nsystems.\n    A real-world threat emerged last year that significantly changed \nthe landscape of targeted cyber attacks on industrial control systems. \nMalicious code, dubbed Stuxnet, was detected in July 2010. DHS analysis \nconcluded that this highly complex computer worm was the first of its \nkind, written to specifically target mission-critical control systems \nrunning a specific combination of software and hardware.\n    ICS-CERT analyzed the code and coordinated actions with critical \ninfrastructure asset owners and operators, federal partners, and \nInformation Sharing and Analysis Centers. Our analysis quickly \nuncovered that this sophisticated malware has the ability to gain \naccess to, steal detailed proprietary information from, and manipulate \nthe systems that operate mission-critical processes within the nation\'s \ninfrastructure. In other words, this code can automatically enter a \nsystem, steal the formula for the product being manufactured, alter the \ningredients being mixed in the product, and indicate to the operator \nand the operator\'s anti-virus software that everything is functioning \nnormally.\n    To combat this threat, ICS-CERT has been actively analyzing and \nreporting on Stuxnet since it was first detected in July 2010. To date, \nICS-CERT has briefed dozens of government and industry organizations \nand released multiple advisories and updates to the industrial control \nsystems community describing steps for detecting an infection and \nmitigating the threat. 
As always, we attempt to balance the need for \npublic information sharing while limiting the information that \nmalicious actors may exploit.\n    Looking ahead, the Department is concerned that attackers could use \nthe increasingly public information about the code to develop variants \ntargeted at broader installations of programmable equipment in control \nsystems. Copies of the Stuxnet code, in various different iterations, \nhave been publicly available for some time now. ICS-CERT and the NCCIC \nremain vigilant and continue analysis and mitigation efforts of any \nderivative malware.\n    ICS-CERT will continue to work with the industrial control systems \ncommunity to investigate these and other threats through malicious code \nand digital media analysis, onsite incident response activities, and \ninformation sharing and partnerships.\n\n    Protecting Federal Civilian Government Networks\n\n    In addition to its support of private sector owners and operators \nof infrastructure, DHS also collaborates with its partners to increase \nthe security of Federal Executive Branch civilian agency networks. As \npart of the CNCI, DHS works with the Office of Management and Budget \n(OMB) to reduce and consolidate the number of external connections that \nfederal agencies have to the Internet through the TIC initiative. This \ninitiative reduces the number of potential vulnerabilities to \ngovernment networks and allows DHS to focus monitoring efforts on \nlimited and known avenues through which Internet traffic must travel. \nDHS conducts onsite evaluations of agencies\' progress toward \nimplementing TIC goals.\n    In conjunction with the TIC initiative, the EINSTEIN system is \ndesigned to provide the U.S. government with an early warning system \nfor intrusions to Federal Executive Branch civilian networks, near \nreal-time identification of malicious activity, and automated \ndisruption of that malicious activity. 
The first iteration of EINSTEIN \nwas developed in 2003 and automates the collection and analysis of \ncomputer network security information from participating agency and \ngovernment networks to help analysts identify and combat malicious \ncyber activity that may threaten government network systems, data \nprotection and federal communications infrastructure. The second phase \nof EINSTEIN, developed in 2008 as part of the CNCI, incorporates \nintrusion detection capabilities into the original EINSTEIN system. DHS \nis currently deploying EINSTEIN 2 to Federal Executive Branch civilian \nagency TIC locations and Networx Managed Trusted Internet Protocol \nServices (MTIPS) providers, which are private internet service \nproviders that serve federal agencies, to assist them with protecting \ntheir computers, networks and information. EINSTEIN 2 has now been \ndeployed at 15 of the 19 large departments and agencies who maintain \ntheir own TIC locations. Also, the four MTIPS providers currently \nprovide service to seven additional federal agencies. In 2010, EINSTEIN \n2 sensors registered 5.4 million ``hits,\'\' an average of more than \n450,000 hits per month or nearly 15,000 hits per day. A hit is an alert \ntriggered by a predetermined intrusion detection signature that \ncorresponds to a known threat. Each hit represents potential malicious \nactivity for further assessment by US-CERT.\n    DHS is currently developing the third phase of the EINSTEIN system-\nan intrusion prevention capability which will provide DHS with the \nability to automatically detect and disrupt malicious activity before \nharm is done to critical networks and systems. In advance of this \ndevelopment, DHS, in coordination with the National Security Agency \n(NSA), conducted the CNCI Initiative 3 Exercise. 
US-CERT successfully \nmet the objectives of the CNCI Initiative 3 Exercise, including the \nsuccessful deployment of one signature, scenario and countermeasure, \nand the demonstrated ability to share alert data with DoD. As a result \nof the countermeasures deployed during the exercise, US-CERT was \nsuccessful in denying the entry of more than 36,473 potentially \nmalicious threats into the federal agency customer\'s network \ninfrastructure. The CNCI Initiative 3 Exercise advanced the potential \ncapabilities of the EINSTEIN system by demonstrating defensive \ntechnology, sharing near real-time threat information with DoD for \nenhanced situational awareness, and providing a platform upon which an \noversight and compliance process can be implemented for the evolving \nset of EINSTEIN capabilities. The Department\'s Privacy Office and its \nOffice for Civil Rights and Civil Liberties carefully reviewed the \nexercise concept of operations, and the Privacy Office worked with US-\nCERT to publicly release a detailed Privacy Impact Assessment \nevaluating the exercise. US-CERT also briefed the exercise to the cyber \nsubcommittee of the independent DHS Data Privacy and Integrity \nCommittee.\n    Beyond the TIC initiative and the EINSTEIN system, DHS, OMB, and \nthe National Institute for Standards and Technology work cooperatively \nwith agencies across the federal government to coordinate the \nprotection of the nation\'s federal information systems through \ncompliance with the Federal Information Security Management Act of 2002 \n(FISMA). US-CERT monitors EINSTEIN 2 sensors for intrusion activity and \nreceives self-reported incident information from federal agencies. This \ninformation is reported to OMB for use in its FISMA oversight capacity. \nIn 2010, DHS also began to administer oversight of the CyberScope \nsystem, which was developed by the Department of Justice. 
This system \ncollects agency information regarding FISMA compliance and, as DHS, OMB \nand their agency partners move toward automated reporting, the system \nwill enable real-time assessments of baseline security postures across \nindividual agencies and the federal enterprise as a whole. This \nactivity complements the development of reference architectures that \nDHS designs for federal agency stakeholders that are interested in \nimplementing security solutions based on standards and best practices. \nDHS also works with the General Services Administration to create \nBlanket Purchase Agreements that address various security solutions for \nfederal agencies.\n\n    The DHS Cybersecurity Workforce\n\n    As DHS continues to make progress on initiatives such as TIC and \nEINSTEIN, the Department is also mindful that the cybersecurity \nchallenge will not be solved by a single technology solution. Multiple \ninnovative technical tools are necessary and indeed, technology alone \nis insufficient. The mission requires a larger cybersecurity \nprofessional workforce, governance structures for enhanced \npartnerships, more robust information sharing and identity protection, \nand increased cybersecurity awareness among the general public. \nResponsibility for these solutions is, and will remain, distributed \nacross public and private sector partners.\n    DHS is focused on building a world-class cybersecurity team by \nhiring a diverse group of cybersecurity professionals-computer \nengineers, scientists, and analysts-to secure the nation\'s digital \nassets and protect against cyber threats to our critical infrastructure \nand key resources. NCSD continues to hire cybersecurity and information \ntechnology professionals, nearly tripling its cybersecurity workforce \nin FY 2009 and nearly doubling that number again in FY 2010. 
NCSD \ncurrently has more than 230 cybersecurity professionals on board, with \ndozens more in the hiring pipeline.\n    Several initiatives are designed to increase the nation\'s number of \nhighly qualified cybersecurity professionals. DHS and NSA co-sponsor \nthe Centers of Academic Excellence in Information Assurance Education \nand Research programs, the goal of which is to produce a growing number \nof professionals with information assurance expertise in various \ndisciplines. DHS and the Department of State co-hosted Operation Cyber \nThreat (OCT1.0), the first in a series of government-wide experiential \nand interactive cybersecurity training pilots designed to apply \nlearning concepts and share best practices in a secure, simulated \nenvironment to build capacity within the federal workforce. In December \n2010, the Institute of Electrical and Electronics Engineers Computer \nSociety, the world\'s leading organization of computing professionals, \nformally recognized the Master of Software Assurance (MSwA) Reference \nCurriculum, which DHS sponsored through its Software Assurance (SwA) \nCurriculum Project. The MSwA program is the first curriculum of its \nkind to focus on assuring the functionality, dependability, and \nsecurity of software and systems. Finally, DHS co-sponsored the annual \nColloquium for Information Systems Security Education and the \nScholarship for Services (SFS) Job Fair/Symposium, which brought \ntogether 55 federal agencies and more than 200 SFS students.\n    The National Initiative for Cybersecurity Education (NICE) has the \ndual goals of a cyber-savvy citizenry and a cyber-capable workforce. 
\nWorking with NIST, which is the overall interagency lead, DHS heads the \nNICE awareness elements and co-leads the training and professional \ndevelopment components with DoD and the Office of the Director of \nNational Intelligence.\n\n    Interagency and Public-Private Coordination\n\n    Overcoming new cybersecurity challenges requires a coordinated and \nfocused approach to better secure the nation\'s information and \ncommunications infrastructures. President Obama\'s Cyberspace Policy \nReview reaffirms cybersecurity\'s significance to the nation\'s economy \nand security. Establishment of a White House Cybersecurity Coordinator \nposition solidifies the priority the Administration places on improving \ncybersecurity.\n    No single agency controls cyberspace and the success of our \ncybersecurity mission relies on effective communication and critical \npartnerships. Many government players have complementary roles-\nincluding DHS, the Intelligence Community, DoD, the Department of \nJustice, the Department of State, and other federal agencies-and they \nrequire coordination and leadership to ensure effective and efficient \nexecution of our collective cyber missions. The creation of a senior-\nlevel cyber position within the White House ensures coordination and \ncollaboration across government agencies.\n    DHS works closely with its federal, state and local partners to \nprotect government cyber networks. 
In September 2010, DHS and DoD \nsigned a memorandum of agreement that aligns and enhances America\'s \ncapabilities to protect against threats to our critical civilian and \nmilitary computer systems and networks, including deploying a National \nSecurity Agency support team to the NCCIC to enhance the National Cyber \nIncident Response Plan and sending a full-time senior DHS leader and \nsupport team to the National Security Agency.\n    This initiative builds upon pre-existing liaison exchanges DHS has \nwith the National Security Agency/Central Security Service Threat \nOperation Center (NTOC), United States Cyber Command and United States \nNorthern Command. Liaisons to DHS operate out of US-CERT and the NCCIC. \nThe initiative also further supports DHS\' already active partnership \nwith DoD. The partnerships ensure that agile coordination and technical \ncapabilities support any cyber contingency.\n    In November 2010, the Multi-State Information Sharing and Analysis \nCenter (MS-ISAC) opened its Cyber Security Operations Center, a 24-hour \nwatch and warning facility, which will both enhance situational \nawareness at the state and local level for the NCCIC and allow the \nfederal government to quickly and efficiently provide critical cyber \nrisk, vulnerability, and mitigation data to state and local \ngovernments. An MS-ISAC analyst/liaison is collocated in the NCCIC.\n    Private industry owns and operates the vast majority of the \nnation\'s critical infrastructure and cyber networks. Consequently, the \nprivate sector plays an important role in cybersecurity, and DHS has \ninitiated several pilot programs to promote public-private sector \ncollaboration. 
In its engagement with the private sector, DHS \nrecognizes the need to avoid technology prescription and to support \ninnovation that enhances critical infrastructure cybersecurity.\n    In February 2010, DHS, DoD, and the Financial Services Information \nSharing and Analysis Center (FS-ISAC) launched a pilot designed to help \nprotect key critical networks and infrastructure within the financial \nservices sector by sharing actionable, sensitive information. In June \n2010, DHS implemented the Cybersecurity Partner Local Access Plan, \nwhich allows security-cleared owners and operators of CIKR, as well as \nstate technology officials and law enforcement officials, to access \nsecret-level cybersecurity information and video teleconference calls \nvia state and local fusion centers. In November 2010, DHS signed an \nagreement with the Information Technology Information Sharing and \nAnalysis Center (IT-ISAC) to embed a fulltime IT-ISAC analyst and \nliaison to DHS at the NCCIC, part of an ongoing effort to collocate \nprivate sector representatives alongside federal and state government \ncounterparts. The IT-ISAC consists of information technology \nstakeholders from the private sector and facilitates cooperation among \nmembers to identify sector-specific vulnerabilities and risk mitigation \nstrategies.\n    In December 2010, DHS and NIST signed a Memorandum of Understanding \nwith the Financial Services Sector Coordinating Council. The goal of \nthe agreement is to speed the commercialization of cybersecurity \nresearch innovations that support our nation\'s critical \ninfrastructures. 
This agreement will accelerate the deployment of \nnetwork testbeds for specific use cases that strengthen the resiliency, \nsecurity, integrity, and usability of financial services and other \ncritical infrastructures.\n    In July 2010, DHS worked extensively with the White House on the \npublication of a draft National Strategy for Trusted Identities in \nCyberspace, which seeks to secure the digital identities of \nindividuals, organizations, services and devices during online \ntransactions, as well as the infrastructure supporting the transaction. \nThis fulfills one of the near-term action items of the President\'s \nCyberspace Policy Review. The strategy is based on public-private \npartnerships and supports the protection of privacy and civil liberties \nby enabling only the minimum necessary amount of personal information \nto be transferred in any particular transaction. Its implementation \nwill be led by the Department of Commerce.\n\n    Public Education and Outreach\n\n    While considerable activity is focused on public and private sector \ncritical infrastructure protection, DHS is committed to developing \ninnovative ways to enhance the general public\'s awareness about the \nimportance of safeguarding America\'s computer systems and networks from \nattacks. Every October, DHS and its public and private sector partners \npromote efforts to educate citizens about guarding against cyber \nthreats as part of National Cybersecurity Awareness Month. In March \n2010, Secretary Napolitano launched the National Cybersecurity \nAwareness Challenge, which called on the general public and private \nsector companies to develop creative and innovative ways to enhance \ncybersecurity awareness. In July 2010, seven of the more than 80 \nproposals were selected and recognized at a White House ceremony. The \nwinning proposals helped inform the development of the National \nCybersecurity Awareness Campaign, Stop. Think. 
Connect., which DHS \nlaunched in conjunction with private sector partners during the October \n2010 National Cybersecurity Awareness Month. Stop. Think. Connect., a \nmessage developed with the private sector, has evolved into an ongoing \nnational public education campaign designed to increase public \nunderstanding of cyber threats and how individual citizens can develop \nsafer cyber habits that will help make networks more secure. The \ncampaign fulfills a key element of President Obama\'s Cyberspace Policy \nReview, which tasked DHS with developing a public awareness campaign to \ninform Americans about ways to use technology safely. The campaign is a \ncomponent of the NIST National Initiative for Cyber Education (NICE).\n    Throughout its public and private sector activities, DHS is \ncommitted to supporting the public\'s privacy, civil rights and civil \nliberties. Accordingly, the Department has implemented strong privacy \nand civil rights and civil liberties standards into all of its \ncybersecurity programs and initiatives from the outset. To support \nthis, DHS established an Oversight and Compliance Officer within NPPD, \nand key cybersecurity personnel receive specific training on the \nprotection of privacy and other civil liberties as they relate to \ncomputer network security activities. In an effort to increase \ntransparency, DHS also publishes privacy impact assessments on its \nwebsite, www.dhs.gov, for all of its cybersecurity systems.\n\n    Conclusion\n\n    Set within an environment characterized by a combination of known \nand unknown vulnerabilities, strong and rapidly expanding adversary \ncapabilities, and a lack of comprehensive threat and vulnerability \nawareness, the cybersecurity mission is truly a national one requiring \ncollaboration across the homeland security enterprise. 
The Department \nof Homeland Security is committed to creating a safe, secure and \nresilient cyber environment while promoting cybersecurity knowledge and \ninnovation. We must continue to secure today\'s infrastructure as we \nprepare for tomorrow\'s challenges and opportunities. It is important to \nrecognize that we do not undertake cybersecurity for the sake of \nsecurity itself, but rather to ensure that government, business and \ncritical societal functions can continue to use the information \ntechnology and communications infrastructure on which they depend. We \nare confident that the cyber legislative proposal put forward by the \nAdministration will, if enacted, enhance our ability to more \neffectively execute our cybersecurity missions.\n    Distinguished Members of the Committee, let me end by reiterating \nthat I look forward to exploring opportunities to advance this mission \nin collaboration with the Committee and my colleagues in the public and \nprivate sectors. Thank you again for this opportunity to testify. I \nwould be happy to answer your questions.\n\n    Chairman Quayle. I would like to thank the whole panel for \ntheir testimony today. Now, I want to remind Members that \nCommittee rules limit questioning to five minutes. The Chair \nwill at this point open the round of questions, and I will \nrecognize myself for five minutes.\n    My first question is to you, Dr. Strawn. In your testimony, \nyou stated that the research in NITRD\'s portfolio is managed, \nselected and funded by one or more of the 14 member agencies \nunder their own individual appropriations. Now, my question is, \nhow do we avoid duplication here and is there some sort of \nmechanism that you currently have in place to monitor where all \nthese federally funded research initiatives are going and what \nthey are accomplishing?\n    Mr. Strawn. Thank you for the question. We do believe, Mr. 
\nQuayle, that one of the primary functions of the NITRD program \nwhich provides for interaction among the agencies and \ndiscussion of what their plans and programs are for the coming \nyears results in cooperative ventures in finding out that other \nagencies are doing something that they thought they would need \nto do and now they can rely on the other agencies\' results \nrather than doing so. So filling gaps and avoiding overlaps is \nsomething that I think we have always considered to be an \nimportant part of our obligations.\n    Chairman Quayle. So you think that you have the ability to \nmake sure that we are not having duplicative research and also \nwithin the various agencies? One of the other things within \nthat is that there are some concerns that as various agencies \ntry to fight for turf, especially within the cybersecurity \nrealm, that they are going to less likely to want to work with \nother agencies because they have that protective turf battle \ngoing on.\n    Mr. Strawn. Well, I suppose agencies are a little like \ncompanies in that there is cooptition going on, cooperating at \nsome places and yet there is a limited amount of federal funds \nand so forth they are in competition for appropriations. \nCertainly the NITRD program as a venue for cooperation doesn\'t \nenforce or attempt to boss the agencies around in these regards \nbut when they become aware of what each other is doing, we have \nseen plenty of cases where it has led to cooperation and better \nextension of federal funds.\n    Chairman Quayle. Thank you.\n    My next question is for Ms. Furlani. 
When you have the \nchanging nature of cyber threats, and we are going to be \nstarting to develop some standardization for cybersecurity \nprocedures, and standardization always conjures up a very \ninflexible model, how do we make sure that we do set up the \nprocedures so that we have the flexibility to address these \nchanging cyber threats because they will continue to change as \nyears go on?\n    Ms. Furlani. We frequently change our recommended standards \nfor the Federal Government and we do that because we work so \nclosely with industry, who is aware of what is changing and \nthey give us that feedback and that recognition of how we \nshould be modifying. We put out our drafts for public comment. \nWe get comments internationally as well as locally and we adapt \nas we go, and we also work to move our standards and other \nstandards along in the international arena because we also have \nthe responsibility to work with industry to develop voluntary \nconsensus standards and make sure that the Federal Government \nis using voluntary, consistent standards wherever applicable. \nAnd so being aware and connected with industry as closely as we \nare has been very effective in making sure that we are adapting \nas we move along because technology moves just too fast for \nstanding in one place.\n    Chairman Quayle. So as different best practices are \ndeveloped in various industries that you deal with, especially \non the cybersecurity front, that you just have an evolving \nstandards practice basically?\n    Ms. Furlani. We are flexible enough to adapt to new \nchanges, new needs and we listen and we have our mechanisms \nthat work that through and again try to move them into the \ninternational standards so our industries can compete globally.\n    Chairman Quayle. Okay. 
Thank you very much.\n    Now, Rear Admiral Brown, the Administration has proposed a \ncybersecurity legislative package tasking the Secretary of DHS \nwith working with interested parties to propose standardized \nframeworks to address cybersecurity risks to critical \ninfrastructure. The package also states that the Secretary \nshould work with the Director of NIST to develop alternate \nstandards if the voluntary standards developed by the \ninterested parties do not meet the required criteria. What \nrole, if any, does the Secretary envision for NIST in the \ninitial voluntary standards development process?\n    Admiral Brown. Sir, we already have a very close \nrelationship with NIST. We have been working in particular on \nseveral parts of the private sector and believe that building \nupon that information and the relationship that we have, the \ndevelopment of the standards, and from DHS\'s operational \nperspective that we will continue to leverage that and apply \nthat in the rule sets that we will be putting forward.\n    Chairman Quayle. Okay. Thank you very much.\n    The Chair now recognizes Mr. Wu for five minutes.\n    Mr. Wu. Thank you very much, Mr. Chairman.\n    I would like to use my five minutes to put two questions to \nwhomever on the panel wishes to answer them. The concept of \nanonymity and privacy are frequently conflated in our \ndiscussions, and setting privacy aside for the moment, I would \nlike to focus on anonymity. It is very, very legitimate to very \nmuch completely identify someone who is going into look at, \nsay, medical information or banking information whereas if \nsomeone is going to read a newspaper or do a posting on a \npolitical wall, at least in our society we would view that as \nsomething which should be protected by anonymity if the user so \nchooses. There are increasingly attribution technologies. 
Also, \nif you come off your Facebook page, you are locked in by your \ncommunity pretty much as your identity and there are also \nproposals for inherently secure Internet backbone, which may \nalso lead to traceability on the Internet. Could you all \naddress how these what we view as advantageous technologies can \nalso be reconciled with a continuing need for freedom of the \nInternet so that certain societies, certain governments will \nnot be further empowered to crack down on what we view as \ninherently private and desirable activities.\n    Mr. Strawn. Let me take a quick crack at that, Mr. Wu. I \nthink that better identity management may also help assure \nanonymity in the right situations. For example, in the academic \nworld, library checkouts are an example of where anonymity has \ntypically been appropriate and probably continues to be, but \nlet us say at a university, only students of that university \nand perhaps some others are permitted to check books out or do \nwhat have you. If we have the ability to do identity management \nby attribute as opposed to just by name, if a person can log \ninto a trusted identity management and indicate that they are \nin fact a student because it is trusted who they are, then the \nattribute of being a student can be used to check out the books \nand the publications at a library, and so better identity \ncontrol can enable anonymity in that sense as well as enable \nfull identity when appropriate.\n    Ms. Furlani. Yes, I would like to amplify on that because \nof the National Strategy for Trusted Identities in Cyberspace. \nThis is one of the goals to have an ecosystem where there might \nbe credentials and you could choose, each individual could \nchoose whether they want to be anonymous today or whether they \nwant their bank to know who they are, that they really can move \nthat money around, and so that is one of the goals. 
We have \nworkshop coming up in June to explore what it means to have \nsuch a system, and we will be talking with industry as usual to \nunderstand how this could be facilitated.\n    Mr. Jahanian. I would just add that as my colleague \nhighlighted already, identity management is key to this. I \nwould also like to add that at National Science Foundation, we \nhave a number of research activities that look at this issue, \nparticularly at anonymization techniques, identity management, \nand we all recognize that ultimately we have to reach a balance \nbetween protecting public privacy and public safety, national \nsecurity and economic prosperity. So I do want to add that we \nhave a number of research activities that are ongoing \naddressing the very issue that you highlighted.\n    Mr. Wu. Thank you very much.\n    My second question is directly international rather than \nobliquely international, and that is that just as the proposed \nlegislation preempts a lot of state legislation, so many of the \nproblems really are of a multinational nature. But there has \nbeen already a lot of jockeying about international standards, \nand could you address the issue of how to negotiate truly \ninternational standards and the issue of certain countries \njockeying for advantage in setting up islands of technology and \nthese islands not only grant commercial advantage but they also \npotentially decrease Internet freedom in those islands?\n    Ms. Furlani. 
Certainly this is an issue that we work with, \nand the openness and the way that the international standards \nare developed and we try to make sure that our experts are \nparticipating actively and the value is seen of having \nstandards that everyone can use and setting that baseline has \nbeen pretty effective in solving this issue, and we continue to \nwatch out for such opportunities to make sure that the \nunderstanding is there because it is really a value proposition \nthat if we can collaborate on these, we all benefit.\n    Mr. Wu. Let me just add that I look forward to NIST \ncontinuing to take a lead role in international negotiation. \nThank you for your tolerance, Mr. Chairman.\n    Chairman Quayle. Thank you, Mr. Wu.\n    The Chair now recognizes Mr. Brooks for five minutes.\n    Mr. Brooks. Thank you, Mr. Chairman. As much as I am going \nto be able to be here for the entire hearing, some of the other \nMembers have time constraints, I am going to defer my time to \nMr. Smith.\n    Mr. Smith. Thank you, Mr. Chairman. Thank you, Mr. Brooks. \nI appreciate the courtesy there.\n    I have a couple of questions, and the first question is for \nall Members, all witnesses here today, and Dr. Furlani, I \nrealize you have touched on this subject in response to the \nChairman\'s question a while ago but I would like to ask all of \nyou this. One of the concerns that is often voiced about the \nFederal Government\'s approach to cybersecurity is that it does \nnot take into consideration often enough the expertise that is \navailable in the private sector, and so I would like to ask \neach of you how your agency intends to collaborate with the \nprivate sector, private industry to take advantage of their \nexpertise, and I guess, Dr. Strawn, we will begin with you.\n    Mr. Strawn. Thank you, Mr. Smith. I think that a little \nhistorical example might help. 
I mentioned previously that our \nagencies have been working on a strategic plan for \ncybersecurity research, and that plan has not only involved \nagency collaboration but has involved several interactions with \nthe private sector, holding workshops where private sector \nexperts are invited in to comment and assist us in formation of \nthat plan. We have a history of doing that with other \nactivities as well and we continue to see that mechanism both \nin asking for public feedback from documents that we prepare \nand prior to that asking input as we prepare documents from \nexperts in the various fields.\n    Mr. Smith. Thank you.\n    Dr. Jahanian?\n    Mr. Jahanian. Yes, I am happy to answer that. Our panel \nreview process actively involves not only scholars from \nacademic institutions but also government folks as well as \nexperts from industry, so that is one aspect of it. We run a \nnumber of workshops that involve both academics as well as \nindividuals from the private sector as they advise us about our \nprograms, about the future of research investments and so on, \nbut I also want to highlight a couple of other things. For \nexample, the research contributions that I have listed in my \nwritten testimony and other outcomes and innovations that have \nbeen developed with National Science Foundation\'s funding and \nother federal partners are now being used by the private sector \nas well as government agencies. In fact, recently I did a quick \ncount of past five years of various technology that has been \ntransferred from the cybersecurity program from National \nScience Foundation. I was pleasantly surprised to see the \nnumber of technologies that have made it into the private \nsector, commercialized, used by Federal Government agencies and \nby the private sector. I counted 20 startups that have been \nlaunched just over the last two, three years based on the \nresearch that we funded. 
I also highlight that some of this of \ncourse is leading toward securing our infrastructure, \nprotecting our national security, but also is fueling job \ngrowth. Another program that I want to highlight is that the \nNational Science Foundation relies heavily on SBIR and STTR to \nfuel innovation and foster adoption of that innovation by \ngovernment as well as the private sector.\n    Mr. Smith. Okay. Thank you.\n    Dr. Furlani?\n    Ms. Furlani. Yes. I had mentioned it earlier that we hardly \ndo anything without talking with industry first. If we see a \nproblem that we need to consider and how we might formulate \nsome strategy for protecting cyberspace, we would typically \nopen a workshop and ask anyone of interest to come and discuss \nit. Then once we collect our thoughts and put something down in \nwriting that people can react to, it is put out for public \ncomment and we take those comments extremely seriously. We work \nthrough every one. We put back publicly what we have done with \neach comment, and if whatever draft we put out changes \nsignificantly, then we put it out again so that there is a \nsecond round, so we move very carefully.\n    Mr. Smith. Thank you.\n    Admiral Brown, since I am almost out of time, let me ask \nyou to address another question in addition, if you would. In \nSan Antonio, we have an Operations Warfare Center at Lackland \nAir Force Base that you are probably familiar with, very \nsimilar to the National Counterterrorism Center. The Operations \nWarfare Center helps the Department of Defense in planning to \nstop or prevent cyberattacks. Do you think there is any \npossibility of that kind of operations center might be a \nprototype and useful to the government in other areas?\n    Admiral Brown. Yes, sir. Tied to your first question, what \nwe have established inside DHS is the National Cybersecurity \nand Communications Integration center. 
It is an operations \ncenter to be able to look at and provide situational awareness, \nand tied to your first question, that is part of our \nrelationship with the private sector. We have representatives \nthere from an operational view and so that has proved to be \nvery effective in our ability to operate in the environment \nthat we see.\n    Mr. Smith. Thank you, Admiral Brown.\n    Thank you, Mr. Chairman.\n    Mr. McCaul. [Presiding] The Chair now recognizes a good \nfriend from Illinois, we co-introduced the Cybersecurity \nEnhancement Act the last Congress, which passed overwhelmingly, \nMr. Lipinski.\n    Mr. Lipinski. Thank you, Mr. McCaul.\n    I want to start out by asking a question of Dr. Jahanian \nand Dr. Strawn. In a 2009 hearing before this Committee, one \nexpert described the ``never ending tug of war between security \nand usability,\'\' and this is, I think, a very important issue \nthat has at times been overlooked. I think we are now giving a \nbetter focus to this. I just wanted to ask if you can describe \nhow research in social, behavioral and economic sciences can \nimprove both usability and security, and also how is social \nscience research incorporated into the soon-to-be-released R&D \nstrategic plan, whoever wants to start?\n    Mr. Strawn. Thank you, Mr. Lipinski. I will say a quick \nword on it and then I will turn to my colleague since much of \nthis work is done in the National Science Foundation. But the \nNITRD program has had working groups in socioeconomic impacts \nof information technology for some time. It also has a subgroup \nof that group specifically in education purposes, which is a \nsocial science activity, I would say. The cybersecurity \nresearch program, research strategic program that we have has a \ndimension of seeking economic incentives for better \ncybersecurity practices. 
So I think that within the NITRD \nprogram, we have a number of cases where socioeconomic research \nis functioning and is a part of the overall picture.\n    Mr. Jahanian. Congressman Lipinski, you raise a very \nimportant point. The issue of cybersecurity goes far beyond \ntechnology. It involves human beings. It involves humans in a \nloop, if you will. Two years ago when we launched the--3 years \nago when we launched the trustworthy cross-cutting program at \nNational Science Foundation, we actually acknowledged that \nthere are four components or themes to this program. One is \nsecurity, how vulnerable is it to attack, the system is \nvulnerable to attack; reliability, does it work as it is \nintended, privacy, does it protect a person\'s information, and \nfinally, usability, can human beings use the system in an \nefficient way, in a secure way. I do believe that in fact the \nprograms that we have launched in recent years directly address \nthe usability issue. We have a number of research activities \nthat are funded by National Science Foundation that recognize \nhumans in the loop and interaction of humans with computer \nsystems.\n    As part of our new initiative, we are also looking at \ncybereconomic incentives, and if you permit me in 30 seconds I \nwill try to explain what that is. Consider the attacks that \nexploit human behavior, user behavior, weak passwords, for \nexample. We are also seeing increasingly social engineering \nwhere you receive an e-mail and you click on a link in your e-\nmail and inadvertent you download, one downloads a program that \ninfects your computer and can be used for all sorts of \nmalicious activities. So recognizing that, we need to look at \nhuman behavior, understanding human behavior and also \nunderstanding the motivation of attackers and be able to \nreconcile that with the technologies that we develop and \ntechnologies that we deploy. 
Also, we need to consider \nincentives that make cybersecurity ubiquitous. Why is it that \nnot everybody is using good hygiene, if you will, when it comes \nto cybersecurity? How do you incentivize good behavior and \ndisincentivize bad behavior? Also, understanding the motivation \nbehind bad actors, as I mentioned, and also understanding \nvarious kinds of user models. Incentives to facilitate adoption \nof trustworthy technologies is not just limited to individuals, \nit also includes government agencies and the private sector. So \nunderstanding all of that plays an important and critical role \nin our solution and our approach to dealing with this important \nproblem.\n    Mr. Lipinski. Thank you. In the very short time I have \nleft, what is being done--because I think cybersecurity \neducation and building our workforce to address cyber \nchallenges is very important. Is there anything that you are \ndoing with K-12 students, any of the agencies, for education? \nJust quickly.\n    Admiral Brown. Yes, sir. From DHS, we have an ongoing \nrelationship with the National Cybersecurity Alliance, a \nprogram called C-SAVE, and that is very much focused on K-12 \nand we are going to continue to build that capability.\n    Ms. Furlani. And also with the National Initiative on \nCybersecurity Education, we work as the lead but the Department \nof Education is one of our partners and looking at that very \nissue.\n    Mr. Jahanian. NSF is also participating in that same \nactivity and looking at the issue.\n    Mr. Lipinski. Thank you very much. I yield back.\n    Mr. McCaul. Thank you.\n    The Chair now recognizes the gentleman from Maryland, Mr. \nBartlett.\n    Mr. Bartlett. Thank you very much.\n    In the Department of Defense, our weapons system \ndevelopments take a very long time. They can easily take a \ndecade. Obviously in that decade, technologies are changing, \nsome of them dramatically. 
So when we begin a development, we \nare interested in the technologies and how fast they can \ndevelop and what is the ultimate achievable. For an airplane, \nfor instance, we are interested in stealth and how little can \nwe look to the radar. On the other hand, we are also interested \nin how fast the capability of radar will grow so that they can \nsee us, although we are really tiny, and then what about the \ncapability of once they have identified our airplane of taking \nit out with a missile from another airplane or from the ground \nor by and by maybe something from a satellite.\n    A bit ago, Gina Dugan, the director of DARPA, was in my \noffice and I asked her if she could help us in that kind of an \nanalysis because we are looking to develop a new deep strike \nheavy bomber, and I have no idea which of those technologies is \ngrowing the faster and I don\'t want to put billions of dollars \nin developing a plane that is simply going to be easily spotted \nand taken out of the sky when it is finally fielded 12, 15 \nyears from now. She said oh, we really can help you with that \nsort of thing, and what she gave me as an example was something \nin cybersecurity, and she showed me a graph, and it showed that \nthe codes, the lines of code that the bad guys use in malware \nis not increasing but the lines of code that we are using to \ndefend ourselves is increasing exponentially. Every month, \nevery year it gets bigger and bigger.\n    What we are asking of the system is two things which kind \nof appear to be mutually exclusive. On the one hand, we want it \nwide open so that it is readily accessible, and on the other \nhand, we want it really secure. Are we going to be able to bend \nthat curve, that exponentially increasing curve of the lines of \ncode that we use to defend ourselves and will our systems \nultimately be consumed with the necessity of protecting \nthemselves so they won\'t be able to do any useful work for us?\n    Mr. Jahanian. 
Congressman Bartlett, we should have you \nwrite our solicitations for the National Science Foundation. \nYou articulated the problem extremely well. The technology base \nfor our systems is rapidly evolving. Every three to five years, \nwe deploy new computers, new systems because their new \nfunctionalities have come out, new performance enhancements. \nThe settings in which our computer systems are being deployed \nand the functionalities that they provide also are not static. \nMy belief is that future security challenges will follow \nadoption of Internet patterns that we see. For example, mobile \ndevices with cloud computing, different settings are going to \nimpose new challenges for us.\n    So you are absolutely right that the code base is \nincreasing. The complexity of systems that we are trying to \nsecure is definitely getting more challenging. We are also \nseeing an increasing trend toward cyber-enabled \ninfrastructures and systems such as power grids. Information \ntechnology has become so pervasive that we are seeing it in \npower grids, we are seeing it in the financial sector, \ntransportation networks and so on and so on, and it has been \nidentified already our national critical infrastructure has \nbecome so dependent on information technology and computer \nnetworks that the vulnerability is there and we need to do \nsomething about it.\n    From a research point of view, our thoughts and our \nthinking, I should say, the thinking of the broader scientific \ncommunity is that we need to develop a scientific foundation \nfor dealing with this problem. We cannot be just chasing the \nbad guys, trying to stay slightly ahead of the latest attack \nand latest trends that we see. The scientific approach must \npromote discovery of new laws, if you will, meaning scientific \nlaws. We have to be able to do hypothesis testing. We have to \nbe able to demonstrate repeatable experiments. We have to \nenable data gathering. We need new metrics. 
We need to have \ncritical analysis to this problem. In doing so, I should just \nhighlight that the National Science Foundation did launch a \nprogram in our trustworthy computing program that focuses on \nthe overall trustworthiness of our critical infrastructure and \nit directly addresses the scientific foundation that is needed \nto solve this problem.\n    Mr. Bartlett. Thank you. Clearly, this affects just about \nevery one of us and every part of our government, and I still \nam not certain that we can bend that curve. It seems to me that \nwe are going to be using ever-increasing percentages of our \ncapability just to protect ourselves. It is a huge problem. \nThank you all for being involved, and thank you, Mr. Chairman, \nfor holding this hearing.\n    Mr. McCaul. And thank you, Mr. Bartlett, for your \nexpertise.\n    The Chair now recognizes the gentleman from Maryland, Mr. \nSarbanes.\n    Mr. Sarbanes. Thank you very much, Mr. Chairman. Thank you \nall for your testimony today.\n    Congressman Bartlett and I and other Members of the \nMaryland delegation are very excited and proud that the new \ncyber command is going to be stood up at Fort Meade in our \nstate, and we are trying to prepare for that as well as we can, \nand I wanted to go back and maybe give you all a little bit \nmore time to speak to the question that Congressman Lipinski \nposed about how you prepare a workforce because that is \nobviously something we are very interested in seeing happen in \nMaryland and sort of where do you start, where does that \npathway, that career pathway to being ready to take these \ndiverse set of job opportunities that cybersecurity will \nprovide, you know, chief security officers, analysts, forensics \nexperts, etc., where that pipeline starts, what is the kind of \ncoursework you think is important to offer, what is the role of \ntwo-year colleges, community colleges as well as the four-year \ncolleges? 
And in particular, I would be curious to have you \nspeak to the complications with respect to security clearance. \nThat always seems to be an issue. You can deliver up a cohort \nof highly qualified people and they still have to jump through \nthe security clearance process. Are there ways to anticipate \nthat and integrate it into the educational process so that when \nthey kind of graduate from the pipeline, they are actually \nready to get right into the job? And so I offer that to any of \nthe panel members to respond to. There is three minutes. Thank \nyou.\n    Mr. Strawn. I will just say a quick overview about how \nimportant the NITRD program agrees or believes that these \nissues are. We have also recently been working on a strategic \nplan for the whole NITRD activity in addition to the Strategic \nPlan for Cybersecurity, and the three pillars of the NITRD \nstrategic plan are technology and its increasing partnership \nwith us and new ways of use. That is pillar one. Pillar two is \ntrust and confidence, which we are here talking about today, \nand pillar three is a cyber-ready society including pipeline \nissues of professionals and general knowledge for the public to \nfully utilize cyber. So we are focusing our efforts to focus on \nthese activities directly.\n    Admiral Brown. Sir, I will talk a little bit about what we \nare doing at DHS, but I also want to right up front talk about \nwhat the teamwork is that you see here. We have already \nmentioned the efforts that NICE has. We have mentioned the fact \nthat I think there are over 106 centers of academic excellence \nthat DOD and DHS have been working on scholarship for service \nto identify people early on to be able to get them the right \nskill sets and afford them an opportunity to work for the \ngovernment. 
We have also just recently started, again, DOD, \nDHS, doing the same type of center for academic excellence for \nthe two-year schools that you mentioned.\n    The clearances are an issue but part of what we have been \ndoing, particular under the NICE initiative, is to identify all \nthe skills that are required, career paths. There are many that \ndon\'t necessarily require clearances and so we need to take \nadvantage of that opportunity and the skills and the people \nthat come there. And finally from a DHS perspective on that \nlast point that you talked about, trying to bring them in so \nthey are ready, we started an intern program inside DHS as well \nas a fellowship program, and we look to be able to take that \nmodel and expand it and bring it across the rest of the Federal \nGovernment. That is just some of the things that we are doing.\n    Mr. Jahanian. May I add a couple of points? As you probably \nknow from my bio, in addition to my academic experience, I have \nprivate sector experience, particularly in cybersecurity. I \nthink this problem of education, workforce development, \ncurriculum development is extremely important to the Nation. It \nis a very, very important problem that is being addressed by \nmultiple agencies. I will highlight a couple of programs. \nScholarship for Service, that was mentioned. National Science \nFoundation has been extremely pleased with our involvement in \nthe Scholarship for Service program. In particular, it is being \noffered at 34 institutions today and more than 1,000 students \nwho have graduated from this program have returned to \ngovernment service, so it is a great success story.\n    Another track related to Scholarship for Service includes \ncapacity building. 
Again, we offer funds to universities and \ncolleges to develop curriculum, and there are a number of \ncenter-scale activities that have been launched related to this \nwhich involve multiple institutions collaborating, developing \nnew curriculum specifically in the cybersecurity area.\n    Another program that I think is extremely important in \nterms of training technicians and training particularly entry-\nlevel positions is the Advanced Technological Education program \nwhich addresses directly the two-year colleges. In my \ntestimony, I highlighted three regional centers, and again, it \nis a terrific success story, allowing individuals to be \nretrained or go through a two-year program led by our community \ncolleges, be trained and go back into the workforce, \nparticularly the government sector.\n    Mr. McCaul. The Chair now recognizes the gentleman from \nAlabama, Mr. Brooks.\n    Mr. Brooks. Thank you, Mr. Chairman.\n    Dr. Strawn, in the Administration\'s proposed legislation \nreleased in early May, you mention a few places where research \nand development is mentioned. For the sections you reference, \nit is clear that NITRD would lead these efforts--excuse me. Is \nit clear that NITRD would lead these efforts? Is it necessary \nfor that leadership to be explicitly defined in the statute?\n    Mr. Strawn. Mr. Brooks, we are usually careful to use the \nword ``coordinate\'\' as opposed to ``lead\'\' in terms of the \nactivities of the NITRD program based on the fact that each \nagency has their separate mission, has their separate \nappropriations and appropriations committees, and our goal is \nto make the whole greater than the sum of the parts by bringing \neveryone together in terms of the knowledge of what is going \non, finding ways to work together and collaborate, but given \nthe way the government is organized, it seems to us that \ncollaboration is the way we can best fulfill our mission.\n    Mr. Brooks. Thank you.\n    Next, Dr. 
Jahanian, is there a current need for \npostdoctoral research fellowships in cybersecurity and are \ncybersecurity postdocs eligible for already established NSF \nfellowship programs?\n    Mr. Jahanian. At this point in time, we don\'t believe that \nwe need to have a separate postdoc program for the \ncybersecurity area in particular. As you probably know, \ninformation technology and computer science is a very hot, \nexciting area. There are jobs available for our Ph.D.s all over \nthe country, in the private sector, in government as well as \nour academic institutions, and yes, the postdoc funding that is \navailable through the National Science Foundation through my \ndirectorate that goes through our research programs is \navailable to support postdocs across the field.\n    I do want to highlight that during the recent economic \ncrisis two, three years ago, we recognized that there were a \nnumber of bright minds who were getting their Ph.D.s and were \npotentially leaving the research field, so we came up with a \nprogram which lasts only two or three years called computing \ninnovation fellows that allowed us to support postdocs \nspecifically for a short period of time to maintain the \npipeline for our research activities, research programs in \nacademic institutions and industry, and it has been a very, \nvery successful program, supporting more than 100 postdocs. But \nI don\'t believe in the long run this is something that we need \nto invest in. However, it is something that we are looking at \nand we are going to continue to consider.\n    Mr. Brooks. Thank you. Another unrelated question to Dr. \nJahanian. The fiscal year 2012 budget request includes $12 \nmillion in new spending for cyber activities within the Social, \nBehavioral and Economic Sciences Directorate. What is the need \nand purpose for this funding? 
Does SBE have appropriate \nexpertise in cybersecurity issues to accomplish the goals of \nthis funding or will other directorates be taking the lead?\n    Mr. Jahanian. I briefly alluded to this issue of our need \nto address the role of humans in dealing with cybersecurity \nchallenges. First, let me state that we expect that there will \nbe a single cybersecurity solicitation from NSF including the \nscience directorate, SBE and Office of Cyber Infrastructure, so \nthese are not independent programs that are all going to be \nunder one umbrella.\n    The second thing that I want to raise is that we expect \nfully to have scientists from various disciplines to \nparticipate in addressing some of the issues dealing with \ncybersecurity including computer scientists, mathematicians as \nwell as economists. I responded to an earlier question about \nour thoughts toward cybereconomic incentives, in particular, \ndealing with the kind of threats that involve social \nengineering. By that I mean, when you receive an e-mail and you \nclick on a link and suddenly your machine is infected, your \ncomputer is infected. So we need to understand incentives that \nmake cybersecurity ubiquitous, how do we incentivize, as I \nmentioned, good behavior and disincentivize bad behavior, \nunderstand the motivation behind bad actors and understand new \nuser models, and I also mentioned that we need to incentivize \nfacilitation of adoption of trustworthy technologies by various \ngovernment agencies as well as the private sector. So \nunderstanding all of that allows us to develop new technologies \nand incorporate some of that into the technologies that we \nexpect will come down the road.\n    Mr. Brooks. Thank you, Dr. Jahanian.\n    I yield the remainder of my time.\n    Mr. McCaul. Thank you, Mr. Brooks.\n    The Chair now recognizes himself for five minutes. 
As I \nmentioned, Congressman Lipinski and I introduced a \ncybersecurity enhancement bill last Congress that passed \noverwhelmingly. We plan to reintroduce that as early as next \nweek, but we wanted to have the benefit of your testimony on \nthis bill. I know you have had an opportunity to review the \nlegislation, and if I could go over four major points to the \nlegislation that I wanted to cover, and the first deals with, \nDr. Strawn and Dr. Furlani, the NIST standards, giving NIST the \nauthority to set security standards for federal networks. Can \nyou give me your comments in terms of whether that is helpful \nto the Federal Government? Dr. Strawn?\n    Mr. Strawn. I think the fact that NIST has been involved \nwith setting standards for us for the last decade in my direct \nexperience as CIO has been very helpful and so any additional \nresponsibilities that NIST might take such as identified in the \nproposed legislation I think would be helpful.\n    Mr. McCaul. Ms. Furlani?\n    Ms. Furlani. We have been working in that space for some \ntime, particularly thinking about the security aspects of \ndomain name security and working to deploy that in the dot-gov \nand dot-com domains and so I think it is a reasonable fit.\n    Mr. McCaul. The next area establishes a federal university-\nprivate sector taskforce to coordinate research and development \nand also authorizes I think much-needed cybersecurity research \nand development programs. I think, Dr. Jahanian, you may be \nbest qualified to speak to that provision.\n    Mr. Jahanian. Yes. I think it is very important and it has \nbeen already highlighted by others that we need to involve the \nprivate sector as we think about addressing the issues that \nconfront the country, cybersecurity challenges that impact our \neconomic security, national security and of course public \nsafety. 
So as I indicated already in my testimony, the National \nScience Foundation and other agencies actively involve the \nprivate sector in how we approach cybersecurity in our research \nprograms, in our merit review programs, in the workshops we \nrun, SBIR, STTR. So expanding that and bringing the private \nsector and academics together, I think it serves the country \nwell.\n    Mr. McCaul. Well, thank you for that.\n    And lastly, there has been a lot of talk about \ncybersecurity workforce professionals. The bill creates \nscholarship programs, both undergraduate and graduate, at the \nNSF, and that is to be repaid with federal service. So I think \nthat question actually could go to both Dr. Jahanian and to Mr. \nBrown in terms of DHS having a cyber federal workforce. Dr. \nJahanian?\n    Mr. Jahanian. Yes. The question was--as I indicated in \nanswer to a previous question, I believe the issue of workforce \ndevelopment, education and curriculum development and capacity \nbuilding is extremely important. It has to be at the center of \nour response to cybersecurity challenges. So this is very much \naligned with the needs of the country.\n    Mr. McCaul. Admiral Brown?\n    Admiral Brown. Sir, I think Scholarship for Service is \nextremely important. It has been great for us in the public \nsector. From DHS perspective, we have teamed extremely well \nwith NSF on that, and we have reaped some of the benefits. Some \nsenior leaders have been graduates of that program as well as \nsome of our phenomenal analysts, so it is a great program.\n    Mr. McCaul. So I take then from the witnesses\' testimony \nthat you are all supportive of this legislation? Is that \ncorrect? You don\'t have to all yell at once.\n    Mr. Jahanian. I forgot to push the button.\n    Mr. McCaul. One last question, and this has to do probably \nmore when I was ranking Member on the Cybersecurity \nSubcommittee on Homeland Security, Admiral Brown. 
The cyber \ncommand is standing up at Fort Meade. In my home state, \nLackland Air Force Base which, as you know, conducts cyber \noperations, and the coordination between DHS and I think the \nDOD and NSA is very important in terms of the left hand knowing \nwhat the right hand is doing. It seems to me, you can\'t fully \nprotect and defend the Nation as DHS is charged with their \nmission if you are not coordinating with those who know the \noffensive capability the best. Has that enhanced over the years \nand can you tell me to the extent you can in an open setting \nwhat your relationship is now with the Air Force?\n    Admiral Brown. Sir, the basic premise of your question, the \nanswer is, you just described my job description. As the \ncybersecurity coordinator for DHS, my responsibility is to work \nwith both NSA and with U.S. Cyber Command so that we are \nsynchronizing, we are from both the DOD and DHS perspective \naware of our operations, that we are capable of working \ntogether, and for U.S. Cyber Command, that means working with \nits components like the 24th Air Force. So that is part of my \njob is to make sure that I am providing that situation \nawareness to DHS so that we are prepared when we are looking at \nprotecting the dot-gov and working with the private sector and \nthe dot-com and vice versa to be able to provide that \ninformation, to be able to work with NSA and with U.S. Cyber \nCommand as they are executing their missions and \nresponsibilities.\n    Mr. McCaul. That is excellent news, because five years ago \nwhen we held hearings on the issue, that was not the case. \nThere wasn\'t that kind of coordination, so I commend you for \ntaking the lead on that, and I think that is going to make the \ncountry a lot safer.\n    Thanks to the witnesses. We have one last round of \nquestions, as I understand. Mr. Wu is recognized.\n    Mr. Wu. Thank you, Mr. Chairman, and I understand, this may \nbe the last question. 
I want to do the Congressional hearing \nquestion equivalent of a core dump. There has been a lot of \ndiscussion about cloud computing. We have also migrated to \nmobile devices, a lot of computing there, a lot of information \nsharing. Could whomever wants to address this, address the \nsecurity implications and challenges of cloud computing and \nmobile devices and directions to go to try to solve some of \nthose issues?\n    Mr. Strawn. Thank you, Mr. Wu. You have nailed some \nimportant questions right there, and they are illustrative of \nthe history of IT that every time we think we are on top of \nthings, something new emerges, and therefore we have to sort of \nthink it over again and start up and we are always looking for \nbasic principles like Dr. Jahanian was talking about but many \ntimes we are simply reacting to the new technologies. It is \ncertainly true that cloud computing for one is a potentially \nvery important technology. The NIST activities have been taking \nsome lead in that and I am sure that Ms. Furlani will have \nsomething to say about that.\n    I have an opinion that once we are over the transition to \ncloud computing, we will actually be in a more secure \nenvironment rather than a less secure environment because we \nwill have people whose core competencies are to provide secure \ninformation and secure access to information. The various \norganizations that are required to provide that type of \nsecurity for themselves, it isn\'t a core competency, so once we \nare over the transition, I look for actually superior security.\n    Ms. Furlani. Yes, we are leading the Federal Government\'s \nlook at how standards need to be deployed and worrying about \nthe cybersecurity privacy and security issues, and we have \nrecently published a special publication to look at those \nspecific issues. It is out for public comment right now. 
We \nhave also established the--proposed a definition for cloud \ncomputing which has been taken up by everyone so that we are \nall at least speaking on the same terms so that we know what we \nare speaking about, which helps get us over that hump. The \nsecond piece I wanted to mention is the mobile devices. That is \nsomething we have been looking at and again holding workshops \non understanding what we need to be thinking in that aspect \nfrom the standards and testing point of view.\n    Admiral Brown. Sir, just to build off of what Ms. Furlani \nhad said, we have been active participants in that work, \nparticularly the cloud computing, the definitions and \ninteragency efforts have been going on, but from a mobile-\ndevice standard, U.S. Cyber Command on a regular basis is \nputting out information to the public sector about what the \nthreats are, the best practices that need to be done and making \nsure that some of that is available as we continue to look at \nthe employment and deployment of those capabilities.\n    Mr. Wu. Thank you very much.\n    Mr. McCaul. Thank you, Mr. Wu.\n    I want to thank the witnesses for their valuable testimony. \nThe record will remain open for two weeks and so Members may \nhave additional questions for you in writing. I would ask that \nyou respond.\n    With that, the witnesses are excused and this hearing is \nadjourned.\n    [Whereupon, at 11:30 a.m., the Subcommittees were \nadjourned.]\n                                Appendix\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\nResponses by Dr. George O. 
Strawn, Director, National Coordination \n        Office for Networking and Information Technology Research and \n        Development\n\n        <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n        \n                   Answers to Post-Hearing Questions\n\n\nResponses by Dr. Farnam Jahanian, Assistant Director, Directorate for \n        Computer and Information Science and Engineering, National \n        Science Foundation\n\nQuestion submitted by the Honorable Mo Brooks\n\n    Q1. Your testimony touches on the way investments in cybersecurity \nresearch are tied to investments in cybersecurity education and \nworkforce development. Why is this important? Are there real-world \nimplications if federal investments shift from education and workforce \ndevelopment in this field?\n\n    A1. If these investments were to shift or stop, the pipeline of \ncybersecurity scientists, engineers and professionals would be slowed. \nWith insufficient cybersecurity experts, the US would no longer be \ncompetitive in the science and engineering of cybersecurity and in the \ndevelopment of new cybersecurity technologies and start-ups.\n    For example, the Scholarship for Service (SFS) program at NSF \nprovides direct evidence that investments in cybersecurity education \ncan have a profound impact on the Nation and its ability to secure \ncyberspace. To date, SFS has admitted 1400 students; 1100 of the \ngraduates have been successfully placed in the Federal government, \nincluding at the National Security Agency, Department of Homeland \nSecurity, Central Intelligence Agency, and the Department of Justice.\n    The Advanced Technology Education (ATE) program focuses on the \neducation of technicians in high technology fields. The ATE center-\nscale track is funding three cybersecurity education centers. Each \ncenter has myriad partners, including a dozen or more community \ncolleges and universities; each center has enrolled over 1500 students \nsince its inception. 
Both SFS and ATE reach every region of the country \nand significantly increase the pool of cybersecurity professionals \navailable for jobs in the U.S.\n    Our investment in fundamental, unclassified, long-term research in \ncybersecurity has an educational component as well. NSF-funded research \nprojects are the training grounds for the graduate students who will \nturn into the next generation of advanced cyber security professionals. \nNSF principal investigators (who are usually university faculty) \nrecruit graduate students to work with them side by side to make \ndiscoveries. This day by day faculty-student research training is the \nbasic way we ensure a continuing supply of innovators. Trustworthy \nComputing currently has about 500 ongoing projects; most of them have \nat least one graduate student. These NSF principal investigators also \nrecruit undergraduates to work in their labs through supplements to \ntheir grants in the Research Experiences for Undergraduates (REU) \nprogram. Finally, NSF\'s most prestigious program that supports junior \nfaculty--the CAREER program--explicitly addresses the integration of \nresearch and education to ensure that young faculty learn early in \ntheir careers the critical connection between fundamental research and \nscience and engineering education.\n\nQuestion submitted by the Honorable David Wu\n\n    Q1. In Rear Admiral Brown\'s testimony, he notes that no single \nagency controls cyberspace and the success of our cybersecurity mission \nrelies on effective communication and critical partnerships across the \ngovernment. However, the Administration\'s legislative proposal released \non May 12th recommends consolidating a significant amount of \ncybersecurity related activities at DHS, arguably making DHS the de \nfacto lead on cybersecurity activities in the Federal government. 
If \nthis structure is enacted, how can we ensure that it will not reduce \nincentives for other agencies to be actively engaged on cybersecurity, \nbelieving that DHS has it covered?\n\n    A1. The model proposed in the legislation reflects established \npartnerships with Department of Homeland Security (DHS) on broad \ncybersecurity operational matters and those involving FISMA legislative \nand policy requirements. In addition, NSF interacts with DHS and other \nagencies to share cybersecurity ``best practices\'\' and ``lessons \nlearned\'\' through the government-wide Chief Information Security \nOfficer forum and routinely leverages DHS expertise to address an \nincreasingly dynamic threat environment. DHS conducts independent \nbenchmarking and qualitative reviews of Federal agency cybersecurity \nprograms as part of the FISMA review process. NSF has participated in \nthese assessments for the last two years, and has used the results to \nmake continued improvements to our cybersecurity program.\n    Such a framework clearly defines the structure of the authorities \nand responsibilities of the partners. In this case, subsection 3553 \nassigns DHS a leadership role in setting overall policy and providing \nguidance and requirements. Subsection 3554 assigns specific \nresponsibilities to agencies, including: assessing risk; determining \nappropriate levels of security; implementing policies and procedures; \nactively monitoring effectiveness; and sharing cybersecurity \ninformation. Thus, the proposal envisions DHS and the agencies working \ntogether towards better cybersecurity operations across the federal \ngovernment.\n    NSF frequently works in partnership with other agencies. 
Another \nexample--focused on cybersecurity education--is the National Initiative \nfor Cybersecurity Education (NICE), which is led by NIST with the \nparticipation of the Departments of Homeland Security, Defense, Labor, \nand Education, the Office of Personnel Management, the National Science \nFoundation, the Director of National Intelligence, and other Federal \nagencies.\n    NSF remains the lead agency, however, for long-term, foundational \nresearch in cybersecurity. In FY 2011, NSF will invest up to $129.4 \nmillion in cybersecurity research, including $55 million in the cross-\ncutting Trustworthy Computing program. Its projects range from security \nat the microscopic level, detecting whether a silicon chip contains a \nmalicious circuit, to the macroscopic, determining strategies for \nsecuring the next generation electrical power grid. These investments \nare critical to an effective national strategy of achieving a \n``trustworthy\'\' cyberspace.\n\nQuestion submitted by the Honorable Randy Neugebauer\n\n    Q1. What aspects of the current federal system of research and \ndevelopment in the United States allow us to stay ahead of the curve in \npredicting and responding to future cybersecurity threats? What must be \nimproved?\n\n    A1. A major reason that cybersecurity is such a challenging problem \nis that attacks and defenses co-evolve. Every day, we learn about more \nsophisticated and dangerous attacks: systems that were secure yesterday \nare no longer secure. To respond to this continued escalation, we have \ncreated a healthy and vibrant U.S. cybersecurity R&D ecosystem that--\nwith effective nurturing--has kept us at the frontier of innovation and \ndeployment.\n    This ecosystem is driven by fundamental research. It is important \nto note that many of our cybersecurity technologies deployed today \ncapitalize on fundamental research and discoveries made years, even \ndecades, ago. 
Fundamental problems that are being addressed now are \noften difficult to solve but may bear fruit that will give us dramatic \nnew advantages against cyberthreats. For example, doubly homomorphic \nencryption is a technique that will allow us to secure computers at the \nsame level we can currently secure networks: even physical access to a \ncomputer would not allow useful information to be stolen. While this \napproach was first proposed back in 1978, recent NSF-funded research \nhas led to its implementation, but only in limited ways. With continued \nwork by our brightest researchers, we could soon see a fully practical \napproach that will be adopted by industry.\n    NSF\'s cybersecurity research efforts are focused on building \nsystems whose trustworthiness derives from first principles. To do \nthat, we are formulating and developing a comprehensive research \nportfolio around a view of systems that are deemed trustworthy, i.e., \nsystems that people can depend on day after day and year after year to \noperate correctly and safely. Such systems include transportation \nsystems (avionics, metro, automobile systems), medical devices (medical \nimplants, robotic surgery operated remotely that can be used to save \nlives in remote areas and on battlefields), and the rapidly developing \nsmart power grid. Included in this notion of trustworthiness are a \nnumber of critical concepts: reliability (does it do the right thing?); \nsecurity (how vulnerable is it to attack?); privacy (does it protect a \nperson\'s information?); and usability (can a human easily use it?). \nSuch research needs to be game-changing and forward-looking.\n    Of course, one program in one agency cannot solve the challenges of \ncybersecurity alone, and so part of the research ecosystem is the rich \nexchange of ideas, goals, and results. 
This exchange is across \ndisciplines, across governmental agencies via the NITRD program, \nbetween industrial partners and research institutions, and across \nnations; it has fueled new ideas, approaches, and results.\n    Exchanges between academia and industry bring fundamental results \ninto practice. NSF-funded principal investigators, working with \nindustry partners and mission agencies, continually seed translation of \nknowledge into new technologies and more effective practice. NSF-funded \nresearch activities have led to the formation of start-up companies in \nthe IT sector that are bringing innovative solutions and technologies \nto the marketplace, both helping to protect cyberspace and fueling job \ngrowth. Other NSF-funded research activities have led to current \nindustries directly adopting results to harden existing IT \ninfrastructure. By promoting a healthy connection between academia and \nindustry, NSF further enhances its research portfolio in trustworthy \ncomputing with foundational concepts and new ideas that are directly \nrelevant to the commercial sector.\n    For example, the NSF Team for Research in Ubiquitous Security \nTechnology (TRUST) Science and Technology Center combines 6 \nuniversities with 16 industrial partners, and has produced new \nknowledge ranging from how to protect automobile control systems from \nattack to revealing flaws in methods used by websites to guard against \nattacks by programs impersonating people. Such partnerships need to be \nencouraged.\n    The trend toward increasingly cyber-enabled systems, i.e., the \nintegration of computation, communication, and control into physical \nsystems, offers new challenges. Healthcare, education, and finance are \nalready at risk of attack, and physical infrastructure--manufacturing, \nenergy production, and transportation--will be next. 
An effective \nnational strategy to secure cyberspace must include investments in \nthese areas of research, which will allow our society to continue to \nbenefit from a robust, secure, dependable cyber infrastructure that \nsupports all application sectors, including those on which our lives \ndepend. NSF will continue to make significant investments in support of \na secure cyberinfrastructure.\n    Cybersecurity researchers need access to research infrastructure \nwith operational data in order to develop and validate their new \ntheories, approaches, and technologies. For many reasons, such data has \nbeen hard to obtain. One excellent example of a long-term effort to \nprovide such data is the PREDICT archive, developed by the Department \nof Homeland Security\'s Science & Technology Directorate. In partnership \nwith industry and other organizations, more data archives like this \nneed to be developed and put into routine use.\n    More broadly, as we become ever more cross-disciplinary, cross-\nagency and international, the coordination costs of supporting the R&D \nenterprise increase. Partnerships are a critical component, but they \nalso require considerable investments of time. We need to develop tools \nand approaches to become more efficient and effective. For example, new \ntechnologies need to be employed that allow for more effective remote \ncollaboration such as virtual presence, as well as for research \nportfolio and gap analysis.\n                   Answers to Post-Hearing Questions\n\n    Responses by Ms. Cita Furlani, Director, Information Technology \nLaboratory, National Institute of Standards and Technology\n\nQuestions submitted by Representative Ben Quayle\n\n\n    Q1. I understand the National Initiative for Cybersecurity \nEducation (NICE) and the expectation of a NICE strategic plan being \nreleased in the near future. Can anyone provide further clarity on when \nthat document will be available for our review?\n\n    A1. 
The NICE strategic plan is expected to be released for public \nreview in mid-July.\n\n    Q2. You mention NIST\'s participation in international consensus \nstandards. Could you elaborate on how cybersecurity standards \ndevelopment happens in conjunction with other nations? How are other \nnations dealing with the protection of their civilian networks?\n\n    A2. Cybersecurity standards development occurs in conjunction with \nother nations in open, consensus based standards organizations. NIST \nand other U.S. agencies participate in these international bodies and, \nin particular, NIST and other U.S. agencies work closely with the \nAmerican National Standards Institute (ANSI), a federation of standards \ndevelopers, government, industry, consumers, and other stakeholders. \nANSI is the U.S. Member Body (i.e., representative) to the \nInternational Organization for Standardization (ISO) and serves to \npromote and facilitate U.S. voluntary standards development activities. \nANSI\'s collaboration with the U.S. government performs a vital \ncoordinating role for the entire standards community, ensuring that \nU.S. interests are adequately represented in international standards \narenas.\n\n    Q3. Under the Administration\'s proposed cybersecurity legislative \npackage, the Secretary of DHS is tasked with working with interested \nparties to propose standardized frameworks to address cybersecurity \nrisks to critical infrastructure. The package also states that the \nSecretary should work with the Director of NIST to develop alternate \nstandards if the voluntary standards developed by the interested \nparties do not meet the required criteria. What role, if any, do you \nenvision for NIST in the initial voluntary standards development \nprocess?\n\n    A3. NIST has a long history and depth of expertise in voluntary \nconsensus standards development processes. 
We will continue to work \nclosely with DHS in areas of cybersecurity standards and standardized \nframeworks. In this case we plan to continue to bring our technical \nexpertise, experience working with industry and extensive cybersecurity \nbody of work to assist with organizations who are working on addressing \ntheir cybersecurity risks.\n\n    Q4. Some witness testimony touched on cloud computing. Could you \nprovide more detail about how cybersecurity impacts the growing cloud \nservices, and what your agency is doing to secure this region?\n\n    A4. Concerns over cybersecurity are having a number of impacts on \nthe growing cloud services. Significant impacts include:\n        <bullet>  For some customers, limiting their use of public \n        cloud services primarily to low security impact data and \n        processing. Many customers are reticent to use a cloud solution \n        for moderate or high security impact data and processing.\n        <bullet>  Some customers choose the private cloud deployment \n        model for security reasons. In some cases, use of the private \n        deployment model is a temporary phase during which a customer \n        gains familiarity with cloud services before migrating to a \n        public cloud solution. In other cases, customers may retain \n        some portion of their cloud-based work in private deployments.\n        <bullet>  Cloud providers often implement vendor-specific \n        security measures (such as monitoring of customer processing) \n        and impose customer agreements (contracts) that specify that a \n        customer\'s account will be terminated if it uses a cloud \n        service to launch cyber attacks.\n    NIST is addressing the need for cybersecurity in cloud services \nthrough several complementary efforts:\n    <bullet>  NIST has produced three draft \nspecial publications (SP800-144, SP800-145, and SP800-146) focusing on \ncloud computing. Two of these address security. 
SP800-144 addresses \nsecurity issues in public cloud computing, and SP800-146 provides \ngeneral guidance on cloud computing, including security.\n    <bullet>  The NIST Cloud Computing program runs a working group \ndedicated to security issues. The group is generating a document that \nwill list security impediments that could limit the adoption or \nusefulness of cloud computing and, for each impediment, information on \nhow to mitigate it. The mitigation of a security impediment may be a \nNIST-led effort or may refer to efforts conducted by other entities. \nThe NIST Cloud Security Working Group\'s output will be incorporated \ninto the ``NIST U.S. Government Cloud Computing Technology Roadmap\'\' \ndocument. Release 1.0 of this document, for public comment, is planned \nfor early November 2011.\n    <bullet>  NIST is working with various voluntary consensus \nstandards bodies. These include, but are not limited to,\n        <bullet>  European Telecommunications Standards Institute \n        (ETSI),\n        <bullet>  Distributed Management Task Force (DMTF),\n        <bullet>  IEEE,\n        <bullet>  Organization for the Advancement of Structured \n        Information Standards (OASIS),\n        <bullet>  Open Grid Forum (OGF),\n        <bullet>  Object Management Group (OMG), and\n        <bullet>  US National Body contributing to the International \n        Organization for Standardization (ISO).\n    <bullet>  The NIST Cloud Computing program also runs several other \nworking groups that relate to security. The Standards Roadmap Working \nGroup includes security in its consideration of the standards needed \nfor cloud computing adoption. The Reference Architecture Working Group \nincludes security as a key element for cloud architectures. The \nBusiness Use Cases Working Group identifies security requirements which \nmust be implemented to support an agency\'s deployment and use of cloud \ncomputing to support its mission. 
The Standards Acceleration to \nJumpstart Adoption of Cloud Computing (SAJACC) Working Group considers \ntechnical security aspects in low-level technical use case scenarios.\n    <bullet>  NIST also serves in a Cloud Computing technical advisory \nrole to the U.S. Chief Information Officer Council. The scope of this \neffort includes security. An example is the security guidance NIST \nprovides to the Federal Risk and Authorization Management Program \n(FedRAMP), which specifies requirements to satisfy a number of controls \nfor managing security in cloud services.\n\n    Q5. In mid-April, the Obama Administration released the National \nStrategy for Trusted Identities in Cyberspace (N-STIC). It establishes \na framework for the development of securing online transactions, and \nwithin the FY12 budget request is the establishment of a National \nProgram Office focused on interagency coordination, headed by NIST. \nCould you please discuss your agency roles in NSTIC, and why NIST has \nbeen selected to lead the implementation of the Strategy? \n\n    A5. The National Program Office (NPO) will be responsible for \ncoordinating the processes and activities of organizations that will \nimplement the Strategy. NIST - with its long history of working \ncollaboratively with the private sector to develop standards and best \npractices for cybersecurity and identity management - is uniquely \nsuited to work with the private sector to bring the collective \nexpertise of the nation to bear in implementing the Strategy.\n    The NPO will lead the day-to-day coordination of NSTIC activities, \nworking closely with the Cybersecurity Coordinator in the White House. 
\nThe National Program Office will:\n        <bullet>  Promote private-sector involvement and engagement;\n        <bullet>  Support interagency collaboration and coordinate \n        interagency efforts associated with achieving programmatic \n        goals;\n        <bullet>  Build consensus on policy frameworks necessary to \n        achieve the vision;\n        <bullet>  Identify areas for the government to lead by example \n        in developing and supporting the Identity Ecosystem, \n        particularly in the government\'s role as a provider and \n        validator of key credentials;\n        <bullet>  Actively participate within and across relevant \n        public- and private-sector fora; and\n        <bullet>  Assess progress against the goals, objectives, and \n        milestones of the Strategy and the associated implementation \n        activities.\n    A core focus of NSTIC is to help the country address some of the \nkey policy and technology challenges - such as cost, interoperability \nand privacy - that have prevented Americans from obtaining and \nregularly using stronger authentication technologies. Passwords today \nare easily defeated through a variety of attacks from cybercriminals \nand identity thieves, and do not provide appropriate levels of security \nfor many online transactions. Because of this, many transactions that \ncould be online - in health care, banking, government, and other \nsectors - still require individuals to appear in person. NIST will work \ncollaboratively with industry to develop standards and best practices \nthat will address these challenges, enabling American consumers, \nbusinesses, governments and other organizations to more easily adopt \nstronger types of authentication that augment or replace passwords \nwhile enhancing individuals\' privacy.\n\nQuestion submitted by Representative David Wu\n\n\n    Q1. 
In Rear Admiral Brown\'s testimony, he notes that no single \nagency controls cyberspace and that the success of our cybersecurity \nmission relies on effective communication and critical partnerships \nacross the government. However, the Administration\'s legislative \nproposal released on May 12th recommends consolidating a significant \namount of cybersecurity-related activities at DHS, arguably making DHS \nthe de facto lead on cybersecurity activities in the Federal \ngovernment. If this structure is enacted, how can we ensure that it \nwill not reduce incentive for other agencies to be actively engaged on \ncybersecurity, believing that DHS has it covered?\n\n    A1. Cybersecurity is a dynamic and complex space that needs to \nleverage a combined talent of active partnerships with industry and \nacademia. No one organization can have it covered and this very hard \nproblem requires collaboration for us to continue to succeed in \ncyberspace. Two of the many great attributes of NIST are its close \ncollaboration with other agencies, industry and academia as well as \nNIST\'s open processes used to develop, design and deploy its extensive \ncybersecurity tools, guidelines and reference materials for doing \neverything from DNSSec for securing the internet to Information \nSecurity Best Practices for Small Businesses.\n\nQuestions submitted by Representative Randy Neugebauer\n\n\n    Q1. What aspects of the current federal system of research and \ndevelopment in the United States allow us to stay ahead of the curve in \npredicting and responding to future cybersecurity threats? What must be \nimproved?\n\n    A1. One aspect for NIST is our active and collaborative work with \nother agencies, industry and academia in areas of research and \ndevelopment. This gives NIST access to a large body of experts whose \ncutting edge work in the IT industry enables us to stay ahead of the \ncurve on the development, design and deployment of new technologies. 
\nNIST uses this extensive knowledge base and legacy of connections to \ncontinue its internationally recognized cybersecurity research and \ndevelopment efforts. As a result, NIST\'s cybersecurity-related R&D and \nassociated technology transfer has directly resulted in the adoption by \nthe public and private sectors of many commonly assumed security \nprograms such as USCERT, CERT-CC, Role Based Access Controls, PIV \nCards, eCommerce, Security Automation and Digital Signatures. NIST is \nalways looking to improve its methods, techniques and reference \nmaterials for conducting accurate and repeatable measurements in all \nareas of science and technology, including cybersecurity.\n\n    Q2. In your testimony, you mention the international voluntary \nconsensus cybersecurity standards. What is the assessment of both the \nstrength of current international standards and their flexibility in \nresponding to unanticipated events in the future? What are key areas in \nwhich international consensus standards must be strengthened or \nimproved?\n\n    A2. The U.S. Government recognizes the importance of international \nvoluntary cybersecurity standards for both US industry and US citizens. \nThis focus aligns well with NIST\'s mission. Consistent with that focus \nand in keeping with our mission, NIST ensures its cybersecurity experts \nplay key and leading roles in international standards bodies whether \nserving as members, co-chairs or chairs in various cybersecurity \nworkgroups. These standards bodies are comprised not only with experts \nfrom government, but mostly from the US private sector, to ensure that \nthey continue to be responsive to the needs of U.S. 
industry.\n    National and international cybersecurity standards efforts include, \nbut are not limited to 100\'s of published standards and current \nstandards projects such as:\n        <bullet>  Biometric standards for data interchange formats, \n        common file formats, application program interfaces, profiles, \n        and performance testing and reporting\n        <bullet>  Management of information security and systems\n        <bullet>  Management of third party information security \n        service providers\n        <bullet>  Intrusion detection\n        <bullet>  Network security\n        <bullet>  Incident handling\n        <bullet>  IT Security evaluation and assurance\n        <bullet>  Cryptographic and non-cryptographic techniques and \n        mechanisms\n        <bullet>  Security of the global supply chain\n        <bullet>  Identity management\n        <bullet>  Privacy enhancing technologies.\n    Based on current technology, the relevant cybersecurity standards \nportfolio is quite strong in most of the areas listed above, while \nothers are still actively being developed. As an example, one new \ntechnology for which current cybersecurity standards are being revised \nor for which new standards are being pursued is cloud computing. NIST \nis actively engaged to ensure that this standards work comes to \nfruition as quickly as possible and is focused on standards that will \nbe immediately useful. All stakeholders must be vigilant to ensure that \nthese and other cybersecurity standards are updated to keep pace with \ntechnology advances.\n                   Answers to Post-Hearing Questions\n\n    Responses by Rear Admiral Michael A. Brown, Director, Cybersecurity \nCoordination, Department of Homeland Security\n\nQuestions submitted by Representative Ben Quayle\n\n\n    Q1. What will be the impacts on U.S. industry if other countries do \nnot adopt similar approaches to cybersecurity as proposed in the \nAdministration\'s legislation? 
How can we assure that there would be a \nbalance between legitimate risk reduction efforts and the ability of \nU.S. businesses to compete globally?\n\n    A1. The Administration will make every effort to coordinate our \ndomestic efforts to secure critical infrastructure with our \ninternational engagement. As President Obama stated in the May 2011 \nInternational Strategy for Cyberspace, "the United States is committed \nto working with like-minded states to establish an environment of \nexpectations, or norms of behavior, that ground foreign and defense \npolicies and guide international partnerships." To that end, as the \nUnited States moves forward with efforts to better protect critical \ninfrastructure networks, we will collaborate with our international \npartners in an effort to harmonize those efforts, where appropriate.\n    The Administration\'s cybersecurity proposal would establish a risk \nmitigation regime, in which industry would develop the solutions to \ncommon cyber risks, and other critical infrastructure companies would \nuse those frameworks as a guide to better secure their own networks. \nUnder this proposal, the Administration does not encourage a top-down, \ngovernment-developed approach, but rather a broader implementation of \nsecurity practices that are currently working for global companies. The \nAdministration believes that companies that already have robust \ncybersecurity practices will not be significantly impacted by this \nproposal, regardless of where they do business. However, to ensure that \nindustry has a strong voice in the process and that U.S. business \ninterests are adequately considered, the proposed risk mitigation \nregime would be implemented through a public rulemaking process.\n\n    Q2. Some witness testimony touched on cloud computing. Could you \nprovide more detail about how cybersecurity impacts the growing cloud \nservices, and what your agency is doing to secure this region?\n\n    A2. 
Cloud computing raises many of the same security issues that \nemerged when shared computer services were created in the 1960s; \nhowever, the cybersecurity mission to protect integrity, availability, \nand confidentiality remains the same. The inherent advantages of cloud \ncomputing create some security challenges, but they also provide a \nnumber of security advantages. Although we may never fully eliminate \nall cloud computing risks, we are able to tolerate the different levels \nof risk posed to different users, organizations, and missions. Even if \nprivate, community, and public cloud computing business models use the \nsame security mitigations and countermeasures, different business \nmodels create different security risk environments. The Department of \nHomeland Security (DHS) encourages cloud computing providers to propose \ninnovative security solutions that effectively protect Federal systems, \ninformation, and communications.\n    DHS does not support requiring providers to follow particular \ndesigns or architectures for cloud computing. Such an approach would \ninterfere with the innovative and entrepreneurial forces that created \ncloud computing. Instead, DHS is collaborating with industry and \ngovernment partners to establish cloud computing security standards. \nFor example, the Federal Chief Information Officer established the \nFederal Risk and Authorization Management Program (FedRAMP) to provide \na standardized approach to assessing and authorizing cloud computing \nservices and products. The National Protection and Program \nDirectorate\'s Office of Cybersecurity and Communications is actively \nparticipating in FedRAMP development. FedRAMP allows joint \nauthorizations and continuous security monitoring services for \ngovernment and commercial cloud computing systems intended for multi-\nagency use.\n\n    Q3. In mid-April, the Obama Administration released the National \nStrategy for Trusted Identities in Cyberspace (N-STIC). 
It establishes \na framework for the development of securing online transactions, and \nwithin the FY12 budget request is the establishment of a National \nProgram Office focused on interagency coordination, headed by NIST.\n    Could you please discuss your agency roles in NSTIC, and why NIST \nhas been selected to lead the implementation of the Strategy?\n\n    A3. The Department of Homeland Security (DHS) provided its privacy \nand cybersecurity subject matter expertise during the development of \nthe National Strategy for Trusted Identities in Cyberspace (NSTIC). \nThis effort enabled the Administration to obtain input from public and \nprivate sector critical infrastructure partners through working groups \nthat meet under the Critical Infrastructure Protection Advisory Council \nand the National Infrastructure Protection Plan partnership frameworks.\n    The Department uses NSTIC to build a shared foundation for \nauthentication of identity across government, business, and the general \npublic. DHS\'s cybersecurity mission allows it to work with Federal, \nstate, local, and critical infrastructure partners to encourage and \nemploy improved authentication policies and technologies. A healthy \ncyber ecosystem, however, is dependent on privacy-enhancing, \ninteroperable, and reliable risk-based authentication capabilities for \ninformation and data exchanges that occur within domestic and \ninternational commerce. The Department of Commerce is well-positioned \nto promote this aspect of the cyber ecosystem through the NSTIC. \nBecause users\' communication devices need to be interoperable, \nappropriate underlying standards are necessary. The National Institute \nof Standards and Technology (NIST), in collaboration with DHS and other \nFederal, state, local, and private sector partners, can effectively \naddress standards requirements on both the national and international \nlevels. 
Additionally, DHS has provided a detailee to NIST to support \nthe implementation of the NSTIC and will continue to support the NSTIC \nthrough additional subject matter expertise as needed.\n\nQuestions submitted by Representative Lamar Smith\n\n\n    Q1. How does the cybersecurity division work of the Science and \nTechnology Directorate\'s Homeland Security Advanced Research Projects \nAgency (HSARPA) inform the activities of the National Protection and \nPrograms Directorate (NPPD) and the National Cybersecurity Center \n(NCSC)? Conversely, how does the NPPD and the NCSC inform the research \nand development direction of the cybersecurity division? Is there \nanyone who serves as a formal liaison between these entities within \nDHS?\n\n    A1. The National Protection and Programs Directorate\'s Office of \nCybersecurity and Communications\' (CS&C) Research and Standards \nIntegration (RSI) program serves as the formal liaison between the \noperational needs of CS&C and the Homeland Security Advanced Research \nProjects Agency\'s (HSARPA) Cyber Security Division (CSD). RSI\'s mission \nis to gather cybersecurity-related research and development (R&D) \nrequirements from all elements within CS&C, including the National \nCyber Security Division and the National Cybersecurity and \nCommunications Integration Center (NCCIC), and prioritize and harmonize \nthem. RSI then communicates these requirements to CSD for inclusion in \nits overall R&D requirements. RSI also participates in the \nidentification and selection of R&D supported by CSD. 
By participating \nin principal-investigator meetings, RSI tracks and helps apply CSD\'s \nR&D results to enhance operational capability within CS&C through the \nuse of a repeatable technology transition process.\n    CS&C has detailed a member of the Senior Executive Service to \nHSARPA/CSD to assist in the establishment of the Transition to Practice \nprogram, which is aimed at identifying projects and technologies that \ncan be transitioned and commercialized. This detailee works to identify \ntechnologies related to the cybersecurity needs of CS&C.\n\n    Q2. Over the past several years, DHS cybersecurity personnel have \ngrown from around 30 to over 400 full time employees. The legislative \nplan proposed by the Administration codifies and expands many of DHS\'s \ncurrent cybersecurity responsibilities. How much additional funding \nwill be needed to carry out these duties and employ the necessary \nworkforce? Recognizing the growth of cyber threats, can we expect the \ncosts of managing these responsibilities to continue to grow in future \nyears? How can we guarantee any sort of cost containment?\n\n    A2. Similar to the Department of Homeland Security\'s (DHS) public \nand private sector partners, DHS is growing its cybersecurity \nworkforce. The Department estimates that within the National Protection \nand Programs Directorate, the workforce will continue to steadily \nincrease from current strength during the next several years. However, \nwe do not anticipate the Administration\'s legislative proposal to \nincrease the Department\'s resource needs substantially as much of the \nproposal is codifying ongoing activities. Additionally, the mandatory \ncritical infrastructure risk mitigation regime was purposely crafted to \nminimize Federal Government growth and utilize existing private sector \nresources. 
DHS has requested a modest increase in cybersecurity funding \nfor FY 2012 and does not intend to alter that request based on the \nlegislative proposal.\n\nQuestion submitted by Representative David Wu\n\n\n    Q1. In your testimony, you note that DHS\'s operational missions \nbenefit from, and drive the requirements for, the research and \ndevelopment work of the Science and Technology Directorate. In the \nfiscal year 2012 homeland security appropriations bill passed by the \nHouse on June 1st the budget proposed for the Science and Technology \nDirectorate was $398 million, a 54 percent reduction from fiscal year \n2010. How would the proposed budget for the Science and Technology \nDirectorate impact the ability of DHS to meet its operational goals and \nmission in the area of cybersecurity?\n\n    A1. The proposed budget passed by the House allocates $398 million \nfor the Science and Technology Directorate\'s (S&T) Research, \nDevelopment, Acquisition, and Operation (RDA&O). At that funding level \nS&T would have virtually no money for discretionary research and \ndevelopment. S&T would not fund any cybersecurity R&D.\n\n    Q2. To what extent was the Science and Technology Directorate \ninvolved in the development of the first and second iterations of \nEINSTEIN? And what involvement does the Science and Technology \nDirectorate currently have with the development of the third phase of \nthe EINSTEIN system?\n\n    A2. The Department of Homeland Security\'s (DHS) Science and \nTechnology Directorate (S&T) served as the testing oversight body for \nthe deployment of EINSTEIN\'s Security Incident and Event Management \nanalytics capability (referred to as National Cybersecurity Protection \nSystem Block 2.1). S&T did not perform any testing activities for the \nfirst or second iterations of EINSTEIN. EINSTEIN 1 was not an \nacquisition program and did not require test and evaluation. 
The MITRE \nCorporation performed test and evaluation oversight for EINSTEIN 2.\n    With respect to EINSTEIN 3, the S&T Test and Evaluation and \nStandards Office designated a Test Area Manager for Test & Evaluation \noversight of the Program. This Manager has been engaged in the EINSTEIN \n3 project since October 2010. S&T\'s focus in this area is on the formal \noperational test and evaluation of the acquisition. The S&T \nrepresentative is also a standing member of the DHS Acquisition Review \nTeam, in support of the DHS Acquisition Review Board, and is actively \ninvolved in the bi-weekly EINSTEIN 3 integrated product team meetings \nand the Test and Evaluation working integrated product team meetings. \nS&T has been actively engaged with the program throughout the \ndevelopment of test related acquisition artifacts and is providing \nsubject matter expertise for the duration of EINSTEIN 3\'s testing \nactivities.\n\nQuestion submitted by Representative Randy Neugebauer\n\n\n    Q. What aspects of the current federal system of research and \ndevelopment in the United States allow us to stay ahead of the curve in \npredicting and responding to future cybersecurity threats? What must be \nimproved?\n\n    A. The Department of Homeland Security (DHS) participates in the \nNetworking and Information Technology Research and Development (NITRD) \nCyber Security and Information Assurance Interagency Working Group \n(CSIA IWG) to enhance the flow of rapidly changing information \nassurance needs and recent research and development (R&D) advancements \nacross the Federal R&D community. The CSIA IWG is co-chaired by DHS\'s \nScience and Technology Directorate (S&T) and the National Institute of \nStandards and Technology\'s Computer Security Division. 
Through \ncollaborative execution of the R&D roadmap and national R&D theme \nareas, DHS works with other stakeholders in the R&D community to ensure \nthat current and future threats are addressed.\n    DHS S&T has led the development of a Federal R&D Strategic Plan \nwithin the CSIA IWG. A primary objective of the Federal cybersecurity \nR&D strategic plan is to express a vision for the research necessary to \ndevelop technologies that can neutralize the attacks on the cyber \nsystems of today and lay the foundation for a scientific approach that \nbetter prepares the field to meet the challenges of securing the cyber \nsystems of tomorrow.\n    Maintaining a long-term focus on the national theme areas and their \nrelationship to the R&D requirements of DHS is essential to providing \nconsistent and continuous support to the Federal R&D community. While \nthe threats rapidly change, R&D approaches must be maintained to \nfacilitate the fundamental breakthroughs necessary to predict and \nrespond to future cybersecurity threats.\n    An important area of improvement is reconciling the tension between \nshort-term needs for operational tools and long-term acquisition \ncycles. We need to develop efficient and effective processes for \nrapidly transitioning new R&D products into operational use. The \nFederal R&D Strategic Plan includes the definition of an inter-agency \nprogram for transitioning government-funded R&D into commercial \noperations.\n\n                                   \x17\n\x1a\n</pre></body></html>\n'