[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
CYBER SECURITY R&D
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON RESEARCH AND
SCIENCE EDUCATION
COMMITTEE ON SCIENCE AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
JUNE 10, 2009
__________
Serial No. 111-31
__________
Printed for the use of the Committee on Science and Technology
Available via the World Wide Web: http://www.science.house.gov
----------
U.S. GOVERNMENT PRINTING OFFICE
49-966 PDF WASHINGTON : 2009
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP,
Washington, DC 20402-0001
COMMITTEE ON SCIENCE AND TECHNOLOGY
HON. BART GORDON, Tennessee, Chair
Majority Members
JERRY F. COSTELLO, Illinois
EDDIE BERNICE JOHNSON, Texas
LYNN C. WOOLSEY, California
DAVID WU, Oregon
BRIAN BAIRD, Washington
BRAD MILLER, North Carolina
DANIEL LIPINSKI, Illinois
GABRIELLE GIFFORDS, Arizona
DONNA F. EDWARDS, Maryland
MARCIA L. FUDGE, Ohio
BEN R. LUJAN, New Mexico
PAUL D. TONKO, New York
PARKER GRIFFITH, Alabama
STEVEN R. ROTHMAN, New Jersey
JIM MATHESON, Utah
LINCOLN DAVIS, Tennessee
BEN CHANDLER, Kentucky
RUSS CARNAHAN, Missouri
BARON P. HILL, Indiana
HARRY E. MITCHELL, Arizona
CHARLES A. WILSON, Ohio
KATHLEEN DAHLKEMPER, Pennsylvania
ALAN GRAYSON, Florida
SUZANNE M. KOSMAS, Florida
GARY C. PETERS, Michigan
VACANCY
Minority Members
RALPH M. HALL, Texas
F. JAMES SENSENBRENNER JR., Wisconsin
LAMAR S. SMITH, Texas
DANA ROHRABACHER, California
ROSCOE G. BARTLETT, Maryland
VERNON J. EHLERS, Michigan
FRANK D. LUCAS, Oklahoma
JUDY BIGGERT, Illinois
W. TODD AKIN, Missouri
RANDY NEUGEBAUER, Texas
BOB INGLIS, South Carolina
MICHAEL T. MCCAUL, Texas
MARIO DIAZ-BALART, Florida
BRIAN P. BILBRAY, California
ADRIAN SMITH, Nebraska
PAUL C. BROUN, Georgia
PETE OLSON, Texas
------
Subcommittee on Research and Science Education
HON. DANIEL LIPINSKI, Illinois, Chair
Majority Members
EDDIE BERNICE JOHNSON, Texas
BRIAN BAIRD, Washington
MARCIA L. FUDGE, Ohio
PAUL D. TONKO, New York
PARKER GRIFFITH, Alabama
RUSS CARNAHAN, Missouri
BART GORDON, Tennessee
Minority Members
VERNON J. EHLERS, Michigan
RANDY NEUGEBAUER, Texas
BOB INGLIS, South Carolina
BRIAN P. BILBRAY, California
RALPH M. HALL, Texas
DAHLIA SOKOLOV Subcommittee Staff Director
MARCY GALLO Democratic Professional Staff Member
MELE WILLIAMS Republican Professional Staff Member
BESS CAUGHRAN Research Assistant
C O N T E N T S
June 10, 2009
Witness List
Hearing Charter
Opening Statements
Statement by Representative Daniel Lipinski, Chairman, Subcommittee on Research and Science Education, Committee on Science and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Vernon J. Ehlers, Ranking Minority Member, Subcommittee on Research and Science Education, Committee on Science and Technology, U.S. House of Representatives
    Written Statement
Prepared Statement by Representative Eddie Bernice Johnson, Member, Subcommittee on Research and Science Education, Committee on Science and Technology, U.S. House of Representatives
Witnesses:
Dr. Seymour E. Goodman, Professor of International Affairs and Computing; Co-Director, Georgia Tech Information Security Center, Georgia Institute of Technology
    Oral Statement
    Written Statement
    Biography
Ms. Liesyl I. Franz, Vice President, Information Security and Global Public Policy, TechAmerica
    Oral Statement
    Written Statement
    Biography
Dr. Anita D'Amico, Director, Secure Decisions Division, Applied Visions, Inc.
    Oral Statement
    Written Statement
    Biography
Dr. Fred B. Schneider, Samuel B. Eckert Professor of Computer Science, Department of Computer Science, Cornell University
    Oral Statement
    Written Statement
    Biography
Mr. Timothy G. Brown, Vice President and Chief Architect, CA Security Management
    Oral Statement
    Written Statement
    Biography
Discussion
Appendix: Answers to Post-Hearing Questions
Dr. Seymour E. Goodman, Professor of International Affairs and Computing; Co-Director, Georgia Tech Information Security Center, Georgia Institute of Technology
Ms. Liesyl I. Franz, Vice President, Information Security and Global Public Policy, TechAmerica
Dr. Anita D'Amico, Director, Secure Decisions Division, Applied Visions, Inc.
Dr. Fred B. Schneider, Samuel B. Eckert Professor of Computer Science, Department of Computer Science, Cornell University
Mr. Timothy G. Brown, Vice President and Chief Architect, CA Security Management
CYBER SECURITY R&D
----------
WEDNESDAY, JUNE 10, 2009
House of Representatives,
Subcommittee on Research and Science Education,
Committee on Science and Technology,
Washington, DC.
The Subcommittee met, pursuant to call, at 10:04 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Daniel
Lipinski [Chairman of the Subcommittee] presiding.
HEARING CHARTER
SUBCOMMITTEE ON RESEARCH AND SCIENCE EDUCATION
COMMITTEE ON SCIENCE AND TECHNOLOGY
U.S. HOUSE OF REPRESENTATIVES
Cyber Security R&D
Wednesday, June 10, 2009
10:00 a.m.-12:00 p.m.
2318 Rayburn House Office Building
1. Purpose
The purpose of this hearing is to explore the state of federal
cyber security research and development (R&D). The Subcommittee will
receive testimony from a panel of outside experts about priorities and
existing gaps in the cyber security research portfolio, and will also
examine the adequacy of cyber security education and workforce training
programs.
2. Witnesses:
Dr. Seymour Goodman, Professor of International Affairs and
Computing and Co-Director, Georgia Tech Information Security Center,
Georgia Institute of Technology
Ms. Liesyl Franz, Vice President, Information Security and
Global Public Policy, TechAmerica
Dr. Anita D'Amico, Director, Secure Decisions Division,
Applied Visions, Inc.
Dr. Fred Schneider, Samuel B. Eckert Professor of Computer
Science, Department of Computer Science, Cornell University
Mr. Timothy Brown, Vice President and Chief Architect, CA
Security Management
3. Overarching Questions:
Does the federal cyber security R&D portfolio adequately
address existing security concerns as well as new and emerging threats?
If not, what are the research gaps? Do the existing priorities for
federal research investment reflect any risk assessment of current and
future threats? Is the cyber security R&D portfolio appropriately
balanced between long-range, game changing research, and research
targeted toward incremental improvement?
How can the Federal Government facilitate effective public-
private partnerships and increase private sector engagement in
addressing common research needs for cyber security? How can the
Federal Government ensure that stakeholder outreach and the process for
input into cyber security R&D planning are adequate?
Is the ``human factor'' sufficiently integrated into the
cyber security R&D strategy? If not, what new and continuing areas of
basic research in the social and behavioral sciences could
significantly improve our ability to design more effective
technologies?
What is the state of cyber security education? Are future
cyber security professionals being adequately trained by colleges and
universities to meet the demands of the private sector? What role can
the Federal Government play in supporting formal cyber security
education and training, and in educating the general public about
protecting themselves and their networks against cyber threats?
4. Background
Information technology (IT) has evolved rapidly over the last
decade, leading to markedly increased connectivity and productivity.
The benefits provided by these advancements have led to the widespread
use and incorporation of information technologies across major sectors
of the economy. This level of connectivity and the dependence of our
critical infrastructures on IT have also increased the vulnerability of
these systems. Reports of cyber criminals and nation-states accessing
sensitive information and disrupting services have risen steadily over
the last decade, heightening concerns over the adequacy of our cyber
security measures. For example, in 2008 the payment processors of an
international bank were penetrated, allowing fraudulent ATM
transactions. In 2007, a U.S. retailer was the victim of a cyber attack
and the personal information of 45 million credit and debit card
holders was compromised.
According to Symantec's Government Internet Security Threat Report,
the telecommunications infrastructure was the predominant target of
cyber attack in 2008. Some estimate that the number of cyber attacks is
actually much higher because companies avoid reporting incidents due to
fear over plummeting stock prices and the possibility of further
attack. Firms that are subject to cyber attack typically observe a
decline of one to five percent in their stocks, which translates into a
loss of between $50 and $200 million for large companies.
In January 2008, the Bush Administration established through a
series of classified executive directives the Comprehensive National
Cybersecurity Initiative (CNCI). While the details of the CNCI are
largely classified, the goal of the multi-faceted initiative was to
secure federal systems.\1\ A number of security experts have expressed
concern that the classified nature of the CNCI has precluded active
engagement with the private sector, despite the fact that 85 percent of
the Nation's critical infrastructure is owned and operated by private
entities. While experts are concerned by the lack of transparency and
public-private cooperation under the CNCI, they have also urged
President Obama to build upon the existing structure rather than
starting from scratch. In February 2009, the Obama Administration
called for a 60-day review of the national cyber security strategy. The
President's review required the development of a framework that would
ensure that the CNCI was adequately funded, integrated, and coordinated
with the private sector and Congress.
---------------------------------------------------------------------------
\1\ The objectives of the CNCI have been assembled from various
press releases and media reports. An overview of the CNCI is available
in the CRS report entitled, ``Comprehensive National Cybersecurity
Initiative: Legal Authorities and Policy Considerations.''
---------------------------------------------------------------------------
On May 29, 2009, the Administration released its 60-day review of
cyberspace policy. The review team acknowledged the difficult task of
addressing cyber security concerns in a comprehensive fashion due to
the wide array of federal departments and agencies with cyber security
responsibilities and overlapping authorities. According to the review,
cyber security leadership must come from the top. To that end, the
President plans to appoint a ``cyber czar'' who will oversee the
development and implementation of a national strategy for improving
cyber security. The appointee will report to both the National Security
Council and the National Economic Council and will chair the
Information and Communications Infrastructure Interagency Policy
Council (ICI-IPC), an existing policy coordinating body to ensure ``a
reliable, secure and survivable global information and communications
infrastructure.'' The review also emphasizes the need for the Federal
Government to partner with the private sector to guarantee a secure and
reliable infrastructure. Furthermore, it highlights the need for
increased public awareness, the education and expansion of the IT
workforce, and the importance of advancing cyber security research and
development. The review contains the following action items that are
relevant to the Committee's work.
Near-Term Action Items:
1. Initiate a national public awareness and education campaign
to promote cyber security.
2. In collaboration with other Executive Office of the
President entities, develop a framework for R&D strategies that
focus on game-changing technologies that have the potential to
enhance the security, reliability, resilience, and
trustworthiness of digital infrastructure; provide the research
community access to event data to facilitate developing tools,
testing theories, and identifying workable solutions.
Mid-Term Action Items:
1. Expand support for key education programs and R&D to ensure
the Nation's continued ability to compete in the information
age economy.
2. Develop a strategy to expand and train the workforce,
including attracting and retaining cyber security expertise in
the Federal Government.
3. Develop a set of threat scenarios and metrics that can be
used for risk management decisions, recovery planning, and
prioritization of R&D.
4. Encourage collaboration between academic and industrial
laboratories to develop migration paths and incentives for the
rapid adoption of research and technology development
innovations.
5. Use the infrastructure objectives and the R&D framework to
define goals for national and international standards bodies.
Cyber Security R&D
Cyber security related activities are conducted across the Federal
Government, but three key agencies, NSF, DHS, and DOD (specifically
DARPA), fund the majority of cyber security R&D.
The task of coordinating unclassified cyber security R&D has been
assigned to the Networking and Information Technology Research and
Development (NITRD) program. The NITRD program, which consists of 13
federal agencies, coordinates a broad spectrum of IT R&D activities,
but includes an interagency working group and program component area
focused specifically on cyber security and information assurance (CSIA)
R&D. The NITRD agencies have requested a total of $343 million for CSIA
R&D in FY 2010.
In 2006, the interagency working group produced a federal plan for
cyber security R&D. The recommendations of the working group were that
federal CSIA agencies: should explore high-impact threats; should
assess the security implications of emerging technologies; should
examine ways to build security in from the beginning; and should create
metrics for assessing cyber security. The working group also
recommended sustained interagency coordination and collaboration;
individual agency as well as interagency prioritization of cyber
security R&D; the targeting of R&D investments into strategic needs;
strengthened partnerships, including international partners; and more
effective coordination with the private sector. Finally, the working
group recommended the development of a subsequent roadmap or
implementation document, which to date has not been produced. There is
concern that while the NITRD program provides a mechanism for
coordination and collaboration among agencies, a lack of strong
leadership by the Office of Science and Technology Policy will result
in a patchwork of mission-driven objectives that fail to advance a
comprehensive cyber security R&D strategy. These concerns may be
mitigated by the release of the 60-day review and the President's
pledge to make cyber security one of his key management priorities.
Agency Roles in Cyber Security R&D
NSF
With a budget of $127 million for FY 2010, NSF is the principal
agency supporting unclassified cyber security R&D and education. NSF's
request is an 8.6 percent increase above FY09 levels.
NSF's cyber security research activities are primarily funded
through the Directorate for Computer & Information Science &
Engineering (CISE). CISE supports cyber security R&D through a targeted
program, Trustworthy Computing, as well as through a number of its core
activities in Computer Systems Research, Computing Research
Infrastructure, and Network Science and Engineering. The cyber security
portfolio supports both theoretical and experimental research.
The Trustworthy Computing program, funded at $67 million for FY
2010, is an outgrowth of NSF's Cyber Trust program, which was developed
in response to the Cyber Security R&D Act of 2003. The program supports
research into new models, algorithms and theories for analyzing the
security of computer systems and data components. It also supports
investigation into new security architectures, methodologies that
promote usability in conjunction with protection, and new tools for the
evaluation of system confidence and security.
In addition to its basic research activities, NSF's Directorate for
Education & Human Resources (EHR) manages the Scholarship for Service
program which provides funding to colleges and universities for the
award of two-year scholarships in information assurance and computer
security fields. Scholarship recipients are required to work for two
years in the Federal Government, upon completion of their degree. EHR
also supports the development of cyber security professionals through
the Advanced Technological Education (ATE) program, which focuses on
the education of technicians for high-technology fields.
DHS
Cyber security research in DHS is planned, managed, and coordinated
through the Cyber Security Research and Development Center. The center
not only supports the research efforts of the Homeland Security
Advanced Research Projects Agency (HSARPA), but helps to coordinate the
testing and evaluation of technologies, as well as technology
transition. The FY 2010 budget includes $37.2 million for cyber
security R&D at DHS; this is an increase of $6.6 million over FY 2009.
In addition to conducting R&D, DHS has an operational and
coordination role in securing cyber space. The National Cyber Security
Division (NCSD) is the operational arm of DHS's cyber security group
and handles a host of tasks, including the analysis of cyber threats,
the dissemination of cyber threat warnings, the facilitation of cyber
security exercises, and the reduction of software vulnerabilities. The
budget request for the NCSD is $400 million, an increase of $87 million
above FY 2009. Within NCSD, the United States Computer Emergency
Readiness Team (US-CERT) is tasked with monitoring federal non-
classified computer systems and issuing warnings to both federal
agencies and the public when an attack occurs. Recent GAO reports have
criticized US-CERT, citing a lack of a national strategy, an absence of
operational relationships with other key cyber security groups, both
federal agencies and private entities, and an insufficient level of
action in response to a cyber attack.
DARPA
DARPA is the principal R&D agency of the DOD; its mission is to
identify and develop high-risk, high-reward technologies of interest to
the military. DARPA's cyber security activities are conducted primarily
through the Strategic Technology Office and the Information Assurance
and Survivability project, which is tasked with developing technologies
that make emerging information systems such as wireless and mobile
systems secure. The budget request for the Information Assurance and
Survivability project is $113.6 million in FY 2010. The project
includes a variety of targeted programs, for example the Intrinsically
Assured Mobile Ad-Hoc Network (IAMANET) program is tasked with
designing a tactical wireless network that is secure and resilient to a
broad range of threats, including cyber attacks, electronic warfare and
malicious insiders. The budget request for IAMANET is $14.5 million.
The goal of the Trustworthy Systems program, with a budget request of
$11.1 million, is to provide foundational trustworthy computer
platforms for Defense Department systems. DARPA is also examining
potential supply chain vulnerabilities in the Trusted, Uncompromised
Semiconductor Technology program (TrUST) by developing methods to
determine whether a microchip manufactured through a process that is
inherently ``untrusted'' (i.e., not under our control) can be
``trusted'' to perform just the design operations and no more. The
budget request for TrUST is $33.5 million.
Finally, DARPA is developing the National Cyber Range (NCR). The
NCR will provide a revolutionary environment for research organizations
to test the security of information systems. The NCR will be capable of
supporting multiple, simultaneous, segmented tests in realistically
configured or simulated testbed environments and will produce
qualitative and quantitative assessments of the security of various
cyber technologies and scenarios. According to DARPA officials, the
intent is to have the NCR available for both classified and
unclassified research. The budget request for the NCR is $50 million
for FY 2010.
NIST
NIST conducts limited cyber security research to identify
improvements in the development of standards and maintains a checklist
of security settings for federal computers. Cyber security activities
are conducted through NIST's Information Technology Laboratory which
has a budget request of $72 million for FY 2010, including $15 million
in support of the CNCI and $29 million for CSIA R&D. NIST's primary
mission in cyber security is to protect the federal information
technology network by creating cyber security standards for federal
non-classified computer systems, identifying methods for assessing the
effectiveness of security requirements, and conducting tests to
validate security in information systems. These tasks were assigned to
NIST by the Computer Security Act of 1987. The federal standards for
computing systems help establish a base level of protection against
intrusion, disruption and theft.
5. Questions for Witnesses:
Dr. Goodman and Dr. Schneider
Does the current range of federally supported
research adequately address existing cyber security threats as
well as new and emerging threats? If not, what are the research
gaps, and how would you prioritize federal research investments
in cyber security?
How can the Federal Government foster effective
partnerships between academia and the private sector?
What is the state of cyber security education? Are
future cyber security professionals being adequately trained by
colleges and universities to meet anticipated demands of the
private sector? If not, what kind of cyber security training is
appropriate and necessary for institutions to develop, and for
what kinds of students?
What role can the Federal Government play in
educating the general public about protecting themselves and
their networks against cyber threats?
Dr. Anita D'Amico
How can the behavioral and social sciences contribute
to the design and evaluation of more secure information
technologies? What new and continuing areas of basic research
in the social and behavioral sciences could significantly
improve our ability to design more effective technologies in
cyber security? Are there promising research opportunities that
are not being adequately addressed?
What is the nature of interactions and collaborations
between behavioral and social scientists, and computer
scientists and engineers? Is the Federal Government playing an
effective role in fostering such collaboration?
Does the current range of federally supported
research adequately address existing cyber security needs of
industry as well as new and emerging threats? If not, what are
the research gaps, and how would you prioritize federal
research investments in cyber security?
How does the private sector provide input regarding
its research needs into the process by which the federal
research portfolio is developed? Do you believe your needs are
adequately addressed by the federal research agenda? How can
the Federal Government more effectively partner with the
private sector to address common research needs?
Ms. Franz and Mr. Brown
Does the current range of federally supported
research adequately address the cyber security needs of
industry as well as new and emerging threats? If not, what are
the research gaps, and how would you prioritize federal
research investments in cyber security?
How does the private sector provide input regarding
its research needs into the process by which the federal
research portfolio is developed? Do you believe your needs are
adequately addressed by the federal research agenda? How can
the Federal Government more effectively partner with the
private sector to address common research needs?
What is the state of cyber security education? Are
future cyber security professionals being adequately trained by
colleges and universities to meet anticipated demands of the
private sector? If not, what kind of cyber security training is
appropriate and necessary for institutions to develop, and for
what kinds of students?
What role can the Federal Government play in
educating the general public about protecting themselves and
their networks against cyber threats?
Chairman Lipinski. This hearing will come to order.
Good morning, and I welcome you to today's hearing entitled
``Cyber Security R&D.''
Welcome to the Research and Science Education Subcommittee
hearing on cyber security research and development. Information
technology is an integral part of our daily lives. Computers,
cell phones and the Internet have greatly increased our
productivity and connectivity. Unfortunately, this connectivity
and the dependence of our critical infrastructures on
information technologies have increased our vulnerabilities to
cyber attacks. For example, last year the Pentagon reported
more than 360 million attempts to break into its networks, and
just two weeks ago, a cyber attacker accessed the design plans
for the $300 billion Joint Strike Fighter project.
But it is not just the Pentagon that needs to worry about
cyber security. Cyber crime is a problem for businesses large
and small, and for every single American. The FCC estimates
that identity theft costs consumers about $50 billion annually,
and even more alarmingly, it is the fastest-growing type of
fraud in the United States. These are not just individual
crimes or individual criminals. Increasingly, globalization and
the Internet mean that sophisticated organized crime groups can
mine information, selling it both nationally and
internationally.
In 2007, nearly 50 million credit card records were taken
when cyber criminals broke into computer systems used by the
retailer TJ Maxx. Some analysts put the total cost of the
breach at over $4 billion, and the stolen card data was used to
defraud retailers nationwide. As a result of this, Walmart lost
almost $8 million to fraudulent gift cards. Ultimately, 11
people were indicted including three U.S. citizens, two
individuals from China, one from Belarus, one from the Ukraine
and one from Estonia. This is what cyber attacks are about. It
is a worldwide challenge to law enforcement and it can affect
any American.
Improving the security of cyberspace is of the utmost
importance and it will take the collective effort of the
Federal Government, the private sector, our scientists and
engineers, and every American to be able to accomplish this.
In order to realize the full benefits of information
technology, we need advances in cyber security R&D. Cyber
threats are constantly evolving and cyber security R&D must
evolve in concert through a combination of near-term fixes and
long-term projects that build a more secure foundation.
People are perhaps the most important part of our IT
infrastructure, and according to experts, they are also the
weakest link in many systems. Better cyber security education
for both the general public and for current and future IT
professionals is vital. However, there is still a lot we don't
know about how humans interact with technology. Therefore, more
research into social and behavioral sciences has the potential
to significantly improve the security of our IT systems.
Today we will hear from witnesses who are actively engaged
in efforts to improve the security of our digital
infrastructure. I look forward to the witnesses providing
valuable insight into the challenges we face in tackling this
complex issue and the role of cyber security R&D and education
in any comprehensive solution.
The Science and Technology Committee has a key role to play
in improving cyber security, and to that extent, we are holding
a series of hearings to examine various aspects of this issue.
After we focus on R&D and education, next week our subcommittee
will hold a joint hearing with the Technology and Innovation
Subcommittee to hear how federal agencies are responding to the
Administration's 60-day cyberspace policy review. And later
this month, the Technology and Innovation Subcommittee will
hold a hearing to assess the efforts of DHS and NIST.
There is no doubt that our use of the Internet and other
communication networks is continuing to grow and evolve, and
that threats from individual hackers, criminal syndicates and
even other governments are growing and evolving too. I am glad
the President is taking an active role, and there is no doubt
in my mind that Administration leadership will help better
define and prioritize cyber threats, coordinate the federal
response and develop effective partnerships with the private
sector. As chairman of this subcommittee, I look forward to
working with my colleagues and the Administration to ensure the
development of a strong cyber security strategy.
I want to thank all of our witnesses for taking the time to
appear before the Subcommittee this morning and I look forward
to your testimony.
Now the Chair will recognize Dr. Ehlers for an opening
statement.
[The prepared statement of Chairman Lipinski follows:]
Prepared Statement of Chairman Daniel Lipinski
Good morning. Welcome to this Research and Science Education
Subcommittee hearing on cyber security research and development.
Information technology is an integral part of our daily lives.
Computers, cell phones, and the Internet have greatly increased our
productivity and connectivity. Unfortunately, this connectivity and the
dependence of our critical infrastructures on information technologies
have increased our vulnerability to cyber attacks. For example, last
year the Pentagon reported more than 360 million attempts to break into
its networks. Just two weeks ago, a cyber attacker accessed the design
plans for the $300 billion Joint Strike Fighter project.
But it's not just the Pentagon that needs to worry about cyber
security. Cybercrime is a problem for businesses large and small, and
for every single American. The FTC estimates that identity theft costs
consumers about $50 billion annually, and that even more alarmingly,
it's the fastest growing type of fraud in the United States. These
aren't just individual criminals. Increasing globalization and the
Internet means that sophisticated organized crime groups can mine
information, selling it both nationally and internationally.
In 2007, nearly 50 million credit card records were taken when
cyber criminals broke into computer systems used by the retailer TJ
Maxx. Some analysts put the total cost of the breach at over $4
billion, and the stolen card data was used to defraud retailers nation-
wide. Walmart lost almost $8 million to fraudulent gift cards.
Ultimately 11 people were indicted, including three U.S. citizens, two
individuals from China, one from Belarus, one from the Ukraine, and one
from Estonia. This is what cyber-attacks are about: it's a world-wide
challenge to law enforcement, and it can affect any American.
Improving the security of cyberspace is of the utmost importance
and it will take the collective effort of the Federal Government, the
private sector, our scientists and engineers, and every American to be
able to accomplish this.
In order to realize the full benefits of information technology we
need advances in cyber security R&D. Cyber threats are constantly
evolving and cyber security R&D must evolve in concert through a
combination of near-term fixes and long-term projects that build a more
secure foundation.
People are perhaps the most important part of our IT
infrastructure, and according to experts, they are also the `weakest
link' in many systems. Better cyber security education for both the
general public and for current and future IT professionals is vital.
However, there's still a lot we don't understand about how humans
interact with technology; therefore, more research into the social and
behavioral sciences has the potential to significantly improve the
security of our IT systems.
Today, we will hear from witnesses who are actively engaged in
efforts to improve the security of our digital infrastructure. I look
forward to the witnesses providing valuable insight into the challenges
we face in tackling this complex issue and the role of cyber security
R&D and education in any comprehensive solution.
The Science and Technology Committee has a key role to play in
improving cyber security, and to that end, we are holding a series of
hearings to examine various aspects of this issue. After we focus today
on R&D and education, next week our subcommittee will hold a joint
hearing with the Technology and Innovation Subcommittee to hear how
federal agencies are responding to the Administration's 60-day
cyberspace policy review. And later this month, the Technology and
Innovation Subcommittee will hold a hearing to assess the efforts of
DHS and NIST.
There is no doubt that our use of the Internet and other
communication networks is continuing to grow and evolve, and that
threats from individual hackers, criminal syndicates, and even other
governments are growing and evolving too. I am glad that the President
is taking an active role, and there is no doubt in my mind that
Administration leadership will help better define and prioritize cyber-
threats, coordinate the federal response, and develop effective
partnerships with the private sector. As Chairman of this subcommittee,
I look forward to working with my colleagues and the Administration to
ensure the development of a strong cyber security strategy.
I want to thank all of our witnesses for taking the time to appear
before the Subcommittee this morning and I look forward to your
testimony.
Mr. Ehlers. Thank you, Mr. Chairman. Almost a decade ago, I
was serving as a rapporteur for the NATO Parliamentary Assembly
Committee on Science and was charged with the responsibility
for writing a position paper on cyber security, and that was a
real eye-opener to me. I had never investigated and obviously
had to do a great deal of work to prepare the paper. We were of
course dealing with more than just the commercial cyber
security concerns, which are largely the concern today. We were
dealing not only with people trying to find out what was on the
federal cybernet but also how people could do damage to our
entire cyber superstructure in the United States through
various nefarious schemes. That was a real eye opener to me and
today continues my education on this program.
Cyber security is of great concern to both the Federal
Government and private industry, and that is quite a change
from a decade ago when it was considered entirely the concern
of the Federal Government. But this is an especially timely
hearing since a little over a month ago the House passed a
measure reauthorizing the Networking and Information Technology
Research and Development Act of 2009, better known as NITRD. As
you know, the NITRD program is responsible for the coordination
of all the unclassified federal research and development
efforts in federal security. However, cyber security efforts
are only a small part of the overall NITRD mission, and I am
glad that this hearing will focus special attention on this
subject.
As we become more dependent on virtual information and
services, security becomes more and more challenging to
maintain. Fostering trust between the public and private sector
will allow for the type of research partnerships necessary to
keep our information secure and exchanging information between
stakeholders is critical. I am also particularly interested in
learning how we are supporting the education and training of
students in this rapidly changing field and whether the current
mechanisms are adequate to ensure our national cyber security
interests.
I look forward to learning from our witnesses today about
their experiences in cyber security research, development and
education and how we can strengthen our federal efforts in this
area. I certainly thank you for your attendance and I am hoping
to learn much more than I learned a decade ago when I first got
involved in this field.
Thank you much for being here and I look forward to your
testimony. I yield back.
[The prepared statement of Mr. Ehlers follows:]
Prepared Statement of Representative Vernon J. Ehlers
Cyber security is of great concern to both the Federal Government
and private industry. This is a timely hearing, since a little over a
month ago the House passed the measure reauthorizing the Networking and
Information Technology Research and Development Act of 2009 (NITRD). As
you know, the NITRD program is responsible for the coordination of all
the unclassified federal research and development efforts in cyber
security. However, cyber security efforts are only a small part of the
overall NITRD mission and I am glad that this hearing will focus
special attention on this subject.
As we become more dependent on virtual information and services,
security becomes more and more challenging to maintain. Fostering trust
between the public and private sector will allow for the type of
research partnerships necessary to keep our information secure, and
exchanging information between stakeholders is critical. I am also
particularly interested in learning how we are supporting the education
and training of students in this rapidly changing field, and whether
the current mechanisms are adequate to ensure our national cyber
security interests.
I look forward to learning from our witnesses today about their
experiences in cyber security research, development and education, and
how we can strengthen our federal efforts in this area. Thank you for
your attendance.
Chairman Lipinski. Thank you, Dr. Ehlers, and I always
learn a great deal from you. It is always great to have you
here. You always have better stories to tell.
Mr. Ehlers. Just remember they are stories.
Chairman Lipinski. If there are Members who wish to submit
opening statements, your statements will be added to the record
at this point.
[The prepared statement of Ms. Johnson follows:]
Prepared Statement of Representative Eddie Bernice Johnson
Good morning, Mr. Chairman and Ranking Member.
Cyber security is an area that is worthy of federally-funded
research.
I appreciate you holding today's hearing. Members will be
interested to know the status of research in this area as well as the
areas where there are knowledge gaps.
Consider the amount of communication and business that is done
using computers and the Internet.
E-mail, music, social networking, shopping, and banking: all of
these activities are conducted online.
Air traffic control is done using computers. Software manages
electronic patient records. Imagine the chaos that would occur if part
of that information was altered or otherwise compromised.
Our daily lives are so different from even twenty years ago.
Internet security attacks can happen on a large scale and with serious
consequences.
For example, in 2007, a U.S. retailer was victimized by a cyber
attack. As a result, 45 million credit and debit card holders were
compromised.
This past February, the Obama Administration called for a 60-day
review of the national cyber security strategy.
The review will require the development of a framework to ensure
that the Comprehensive National Cybersecurity Initiative is adequately
funded and coordinated.
The review has since been released, and some of the action items in
it fall under the purview of the Science Committee.
Cyber security research is funded through several federal agencies,
including the Defense Advanced Research Projects Agency (DARPA) and
National Science Foundation.
This subcommittee will be interested to know whether the current
range of federally-funded research is sufficient to understand and
prepare for cyber security threats.
Members will also be interested to know whether there exists a
strong pipeline of educated people to study cyber security.
If not, the Committee will want to know what federal programs are
best suited to cultivate a next generation of cyber security analysts
and researchers.
I would like to welcome today's witnesses.
The Committee values the depth of expertise represented on this
panel and looks forward to your testimony.
Chairman Lipinski. At this time I would like to introduce
our witnesses. First, Dr. Seymour Goodman is a Professor of
International Affairs and Computing and Co-Director of the
Georgia Tech Information Security Center at the Georgia
Institute of Technology. Ms. Liesyl Franz is the Vice President
of Information Security and Global Public Policy at
TechAmerica. Dr. Anita D'Amico is the Director of the Secure
Decisions Division at Applied Visions Inc. Dr. Fred Schneider
is the Samuel B. Eckert Professor of Computer Science in the
Department of Computer Science at Cornell University. And
finally, Mr. Timothy Brown is the Vice President and Chief
Architect for Security Management at CA Incorporated. As our
witnesses should know, you will each have five minutes for your
spoken testimony and your written testimony will be included in
the record for the hearing. When you have all completed your
spoken testimony, we will begin with questions and each Member
will have five minutes to question the panel, and right now it
is about 10:15. We are expecting votes at about 11:15, so we
would appreciate if the panelists could stick to that five-
minute timeframe and we will have a good amount of time then
for questions.
So we will start here with Dr. Goodman. Dr. Goodman.
STATEMENT OF DR. SEYMOUR E. GOODMAN, PROFESSOR OF INTERNATIONAL
AFFAIRS AND COMPUTING; CO-DIRECTOR, GEORGIA TECH INFORMATION
SECURITY CENTER, GEORGIA INSTITUTE OF TECHNOLOGY
Dr. Goodman. Thank you, Mr. Chairman, Ranking Member
Ehlers, distinguished Members and staff of the Subcommittee. In
addition to my academic positions at Georgia Tech, I also serve
or have recently served as Chair of the National Research
Council Committee that authored ``Towards a Safer and More
Secure Cyberspace,'' and as Vice Chair of the Institute for
Information Infrastructure Protection--a research consortium of
27 universities, national labs and federally funded non-
profits--and as the principal investigator of Georgia Tech's
NSF-funded Scholarship for Service Program.
A large fraction of the American people, its businesses and
government institutions have become increasingly dependent on
network information technologies. We are at risk because these
infrastructures are riddled with vulnerabilities and cannot be
fully trusted, and there are malicious people greatly enabled
by network connectivity seeking to exploit those
vulnerabilities. Like auto safety or public health, cyber
security should be viewed as a broad societal issue requiring
continued improved responses to dynamically changing
circumstances.
These responses will require better, larger and more agile
education and research programs and the effective and broad
deployment of the output of those programs in timely ways.
Technical progress will be of extremely critical importance but
not in itself sufficient. Policy, economic and behavioral
issues must also be addressed. In particular, market forces
have failed to provide the Nation with a level of cyber
security adequate for its needs. An authoritative,
interdisciplinary study of how this may be changed would be of
enormous benefit to the Nation.
I would like to raise two other specific subjects of both
near- and long-term urgency and importance. The first is what I
fear is a coming tsunami of insecurity due to the spread of
cellular telephones and other mobile devices. The second
concerns educating a professional workforce.
The ubiquitous spread of cell phones and other small
increasingly powerful computers with wireless connections is
likely to result in unprecedented opportunities for criminals,
stalkers, industrial spies, foreign intelligence agencies and
other unfriendly actors. Cell phone users number over 3.5
billion, already a majority of the world's population and
vastly outnumber traditional Internet users. This is leading to
increased possibilities for information insecurity, not least
because of the huge increase in the number of connected
potential malicious actors and potential victims. Attacks
employed against other computers will be deployed against the
mobile devices, especially as they become primary means of
access to the Internet. There are many additional
vulnerabilities because of battery limitations, the use of
airwaves instead of wires, the ease with which devices and the
information on them may be lost or stolen, particular forms of
denial of service attacks and new target applications such as
digital wallets.
The vulnerability of mobile devices potentially affects
almost every American citizen and organization. Its
international dimensions are without precedent. Research,
development and deployment efforts to improve security will
necessitate a solution to a large number of interdependent
technical and business problems, and require researchers from
multiple disciplines, and will depend on strong forms of
involvement with the private sector and international
institutions to ensure effective and widespread implementation.
A safer and more secure cyberspace will also demand many
more professionals in the workforce on the front-lines
defending organizations and infrastructures. This will require
new faculty and curricula at a wide range of educational
institutions.
I conclude by drawing your attention to one of the few
efforts to grow this workforce on a national scale, the NSF
Scholarship for Service Program. It provides scholarship
support to U.S. citizens who must start their careers in the
Federal Government. The results of this modestly funded program
on the order of about $10 million per year have been
impressive. Since 2003, 970 mostly Master's-level professionals
from 34 universities across the country have been placed in
agencies. Many of them would not have chosen to study cyber
security or work for the Federal Government without it. The
government has done well in establishing this program. It
should be continued and carefully augmented to have a more
extensive impact.
Thank you for inviting me to testify. I will be happy to
try to answer any questions that you have.
[The prepared statement of Dr. Goodman follows:]
Prepared Statement of Seymour E. Goodman
Mr. Chairman, Ranking Member Ehlers, and distinguished Members of
the Subcommittee: Thank you for the opportunity to appear before
you today to discuss the subjects of Cyber Security R&D and Education.
I am Professor of International Affairs and Computing at Georgia
Tech, where I Co-Direct two centers: the Georgia Tech Information
Security Center and the Center for International Strategy, Technology,
and Policy. I also serve, or have recently served, as chair of the
National Research Council Committee that authored Toward a Safer and
More Secure Cyberspace in 2007; as Vice Chair of the Institute for
Information Infrastructure Protection (I3P), a research consortium of
27 universities, national labs, and federally funded non-profits; and
as the Principal Investigator for Georgia Tech's NSF-funded Scholarship
for Service Program.
A large fraction of the American people, its businesses, and
government institutions have become increasingly dependent on networked
information technologies. We are at risk because these infrastructures
are riddled with vulnerabilities and cannot be fully trusted, and there
are malicious people who are greatly enabled by network connectivity
seeking to exploit those vulnerabilities. Cyber security must be viewed
as a broad societal issue, in part because vulnerabilities in the
general commercial or home computing environments have profound
consequences for the vulnerability of many prominent or critical
targets. It must also be recognized that cyber protection will be an
ongoing need, requiring continually improved responses to dynamically
changing circumstances.
These responses will require better and larger education and
research programs, and the effective and broad deployment of the output
of those programs in timely ways. Technical progress will be of
critical importance, but not in itself sufficient. Policy, economic,
and behavioral issues must also be addressed. In particular, as
discussed in the NRC report, market forces have failed to provide the
Nation with a level of cyber security adequate for its needs. An
authoritative interdisciplinary research study on how this may be
changed could be of enormous benefit to the Nation. We must also ensure
that federally supported research has a broad impact on current and
future security challenges. The 2007 NRC report, and the recently
released NRC report Technology, Policy, Law, and Ethics Regarding U.S.
Acquisition and Use of Cyberattack Capabilities both note that much of
cyber security research is classified, and thus unlikely to have much
impact in improving civilian security.
I would like to address two particular subjects of both near- and
long-term urgency and importance. The first is what I fear is a coming
tsunami of insecurity due to the spread of cellular telephones and
other mobile devices that contain substantial computing capabilities.
The second addresses difficulties and progress with efforts to build
the capacity to educate a professional workforce that is necessary to
help achieve a safer and more secure cyberspace.
The ubiquitous spread of cell phones and other small, increasingly
powerful computers with wireless connections is likely to result in
unprecedented opportunities for criminals, hackers, terrorists,
industrial spies, foreign intelligence agencies, and other unfriendly
actors. Cell phone users currently number over 3.5 billion, a majority
of the world's population, and vastly outnumber traditional Internet
users, especially in developing nations. And cell phone use is growing
faster than Internet use. In the next five to ten years, most of the
people on the planet will likely be using powerful mobile devices for
more personal and professional functions. And these devices may
supplant desktop and laptop computers as the primary form of access to
a much larger Internet.
This is leading to increased possibilities for information
insecurity, not least because of the huge increase in the number of
connected potential malicious actors and potential victims. Forms of
attack currently employed against desktops and laptops will be deployed
against mobile devices. In addition, there are many vulnerabilities
more specific to them, because of battery limitations, the use of
airwaves instead of wires, the ease with which they and the information
on them may be lost or stolen, particular forms of denial of service
attacks, and new and attractive target applications like digital
wallets and pocket ATMs.
The vulnerability of mobile devices potentially affects almost
every American citizen and organization. Its international dimensions
are without precedent. Any research, development, and deployment effort
to improve security will necessitate solutions to a large number of
interdependent technical and business problems, will require
researchers from multiple disciplines, and will depend on strong forms
of involvement with the private sector and international institutions
to ensure effective and widespread implementation.
So we have warning of looming security problems in a rapidly
expanding domain. We have lots of experience and mistakes with the
Internet. This time, will we be able to get ahead of the problem and
make the world of mobile cyberspace safer and more secure before the
Tsunami forms, builds momentum, and hits us?
A safer and more secure cyberspace will also require many more
professionals in the workforce on the front lines defending
organizations and infrastructures. To produce these people, we need to
increase the capacities of a wide spectrum of educational institutions,
adding capable faculty and extensive new curricula, neither of which
can be created overnight.
I want to draw your attention to one of the few efforts to grow
this workforce on a national scale: the National Science Foundation
Scholarship for Service Program (SFS). This program provides some
support for universities to build their faculty and curriculum to
enable the offering of concentrations in information security and
assurance. It primarily provides up to two-year scholarship support to
U.S. citizens in the best of these programs who must (although most see
it as an opportunity, rather than an obligation) work in the Federal
Government for at least the same number of years as they were supported
by the scholarship. For embryonic information security programs, many
universities find that these students help provide a critical mass for
enrollments for several early years. Graduates help improve the
security of the government's information systems and the agencies that
depend on them, but more broadly these programs, once established,
graduate others who work elsewhere to improve security postures.
The results of this modestly funded program (recently on the order
of $10 million per year) have been impressive. Since 2003, 970 mostly
MS-level professionals from 34 universities across the country have
been placed in agencies. Many programs at these universities may not
have become viable without the NSF support, and the majority of the
scholarship students would not have chosen to study cyber security and
work for the Federal Government without the visibility and inducements
of the program. Some of these universities have become assets to other
regional educational institutions, including schools for law
enforcement and two-year colleges.
Most of the curriculum being developed and offered is in the form
of computer science courses. These are necessary, but not sufficient,
to the educational needs. There is a need for multi-disciplinary
courses that introduce important matters relating to management, law,
policy, human behavior, and the international dimensions of cyber
security. Only a small number of universities have serious courses of
this kind. They should be designed with the intention of facilitating
export to many institutions since few have faculty in positions to work
on these aspects at this time. Perhaps an NSF program might help
address such needs?
The government has done well in establishing this program, to its
own direct benefit and the country's more generally. It should be
continued and carefully augmented to have a more extensive impact.
Thoughts along those lines might include the range of degrees supported
with the scholarships, and the range of employment options permitted,
for example, teaching at two-year colleges or in parts of the country
with particular needs.
A major capacity building bottleneck that affects all levels of
educational and research needs is the production of Ph.D.s in this
area. Today, at most levels of tertiary education, a Ph.D. is a
necessary credential for a long-term career. Many who are working these
problems as researchers and educators are recent additions to the
ranks, as newly minted Ph.D.s or converts from other fields. Building
the doctoral ranks takes time and others who can provide close
supervision. However, the task is not insurmountable; it will take a
concerted effort that should be pursued with national-level vigor.
This concludes my statement. I will provide some additional written
material to the Subcommittee's staff.
Thank you for inviting me to testify. I would be happy to try to
take any questions you have.
Biography for Seymour E. Goodman
Seymour (Sy) E. Goodman is Professor of International Affairs and
Computing at the Sam Nunn School of International Affairs and the
College of Computing, Georgia Institute of Technology. He also serves
as Co-Director of the Center for International Strategy, Technology,
and Policy and Co-Director of the Georgia Tech Information Security
Center.
Prof. Goodman studies international developments in the information
technologies and related public policy issues. In this capacity, he has
over 200 publications and served on many academic, government and
industry advisory, study, and editorial committees. He has been the
International Perspectives editor for the Communications of the ACM for
almost 20 years, and has studied computing on all seven continents and
in about 90 countries. He recently served as Chair of the Committee on
Improving Cybersecurity Research in the United States, National
Research Council, Computer Science and Telecommunications Board,
National Academies of Science and Engineering.
Immediately before coming to Georgia Tech, Prof. Goodman was the
Director of the Consortium for Research in Information Security and
Policy (CRISP), jointly with the Center for International Security and
Cooperation and the School of Engineering, Stanford University. He has
held appointments at the University of Virginia (Applied Mathematics,
Computer Science, Soviet and East European Studies), The University of
Chicago (Economics), Princeton University (The Woodrow Wilson School of
Public and International Affairs, Mathematics), and the University of
Arizona (MIS, Soviet and Russian Studies, Middle Eastern Studies).
Prof. Goodman was an undergraduate at Columbia University, and
obtained his Ph.D. from the California Institute of Technology where he
worked on problems of applied mathematics and mathematical physics.
Chairman Lipinski. Thank you, Dr. Goodman.
The Chair now recognizes Ms. Franz.
STATEMENT OF MS. LIESYL I. FRANZ, VICE PRESIDENT, INFORMATION
SECURITY AND GLOBAL PUBLIC POLICY, TECHAMERICA
Ms. Franz. Chairman Lipinski, Ranking Member Ehlers and
distinguished Members and staff of the Subcommittee, thank you
for the opportunity to testify and to provide the technology
industry's perspective on cyber security research and
development and on the cyber workforce. I respectfully submit
my written statement for the record.
As innovators of technologic solutions as well as critical
infrastructure owners and operators, the private sector is a
key stakeholder and partner in improving our cyber security
posture. While there are many things we collectively need to do
on a real-time operational basis, we also need to be working on
longer-term strategic initiatives that will ensure our cyber
security posture and leadership for the future. R&D and
education for a skilled workforce are precisely those areas
that are strategic in nature and require immediate and
sustained attention. I will address both in my testimony today.
Currently, we expect about two-tenths of the Federal
Government's 2009 budget to go towards cyber security R&D. That
amounts to about $300 million, which in today's highly
networked and highly interdependent environment is deemed by
most to be inadequate. We welcome the Comprehensive National
Cybersecurity Initiative's R&D efforts under the Cyber Leap
Year project to identify the most promising game-changing ideas
to reduce vulnerabilities and we look forward to the results of
that process. We also welcome the R&D focus in President
Obama's Cyberspace Policy Review. We are very pleased with the
report's inclusion of R&D, its acknowledgment of the need for
public-private collaboration and we view this new impetus for a
framework as an opportunity to pursue greater cooperation.
Companies conduct R&D all the time to develop products and
services needed in the marketplace. On the more strategic side,
many companies also participate in partnership efforts to
assess and mitigate risk to the IT sector including R&D under
the National Infrastructure Protection Plan partnership
framework. However, there is no institutionalized mechanism for
providing input into the federal R&D portfolio development but
through increased collaboration we are enhancing the mutual
understanding on R&D efforts between industry and government.
Increased coordination is crucial to identify gaps and fill
them and to avoid unnecessary duplication between the projects
that industry might undertake and those that the government
might undertake. That is why we recommend a more formal
mechanism be put in place for industry's input, and
importantly, for public-private collaboration where necessary
and feasible--and especially in projects that are national in
nature and will reset the paradigm.
Another interesting concept is a national clearinghouse to
serve as an intermediary between government, industry, and
other stakeholders on dialogue and collaboration for R&D and
related projects.
I would like to take my remaining time to focus on the
cyber security workforce. The adoption of technology has far
out-paced our education and training capabilities for
developing a pool of skilled IT security professionals, so we
are short everywhere. Interestingly, on the way home from work
yesterday I was behind a city bus in D.C. and there was an
advertisement for a job fair for IT professionals for DISA and
JTF-GNO, the DOD Joint Task Force-Global Network Operations.
Believe me, that is something I never thought I would see on
the back of a bus, but it is one example of active government
recruiting efforts in this area.
Existing federal cyber-related education and service corps
programs like the one that Dr. Goodman mentioned are laudable
ones but they are not without their own challenges. Recruitment
and retention are both difficult. We need to continue efforts
to improve our university and existing job programs and develop
a relevant government career path to help meet and retain the
demand. In addition, we cannot rely only on a university
education to help shore up our personnel resources for the
future. We need to adjust our national education curriculum for
the K through 12 years to reflect the new environment as well.
Kids today are much more computer savvy than we ever dreamt of
being so we need to match and magnify that capability for our
future.
In sum, we have much to do but we welcome recent efforts
and are optimistic about the opportunity to work together to
leverage the momentum and make progress.
Thank you for the opportunity to appear before you today
and express industry's perspective on this important issue, and
I will try to answer any questions you may have.
[The prepared statement of Ms. Franz follows:]
Prepared Statement of Liesyl I. Franz
Chairman Gordon, Chairman Lipinski, Ranking Member Ehlers, and
distinguished Members of the Subcommittee, my name is Liesyl Franz, and
I am Vice President for Information Security and Global Public Policy
at TechAmerica. Thank you for giving us the opportunity to testify
today and to provide the technology industry's perspective on Cyber
Security Research and Development.
TechAmerica is a trade association with the strongest advocacy
voice for the technology industry in the U.S., formed by the January
2009 merger of four major technology industry associations--the
Information Technology Association of America (ITAA), AeA (formerly the
American Electronics Association), the Government Electronics and IT
Association (GEIA), and the Cyber Security Industry Alliance (CSIA).
The new entity brings together over 1,500 member companies in an
alliance that spans the grass roots--with operations in nearly every
U.S. state--and the global, with relationships with over 70 national IT
associations around the globe. The U.S. technology industry is the
driving force behind productivity growth and jobs creation in the
United States and the foundation of the global innovation economy.
TechAmerica's members are the very companies--both hardware and
software manufacturers--that serve as the foundation of our national
digital infrastructure, as well as those that are providing systems
integration services, enterprise IT and management solutions, and a
wide variety of information security solutions for small, medium, and
large companies, consumers, and government agencies.
I am here today to highlight the critical role of technology,
research and development, and science education in helping to secure
cyberspace--one we share with our government partners, our customers
and users around the world. As critical infrastructure owners and
operators, the private sector is a key stakeholder--and partner--in
improving our cyber security posture. While there are many things we
collectively need to do on a real-time, operational basis, we also need
to be working on longer-term, strategic initiatives that will ensure
our cyber security posture and leadership for the future. Research and
Development and education for a skilled work force are precisely those
areas that are strategic in nature and require immediate and sustained
attention. I will address both in my testimony today.
TechAmerica, or formerly ITAA, has been very engaged in cyber
security efforts from the beginning. We served as the IT sector
coordinator and founder of the IT Sharing and Analysis Center (IT-ISAC)
during the Clinton Administration, and we have been a leading industry
voice since. We actively advocated for the Cyber Security Research and
Development Act of 2002. We played a significant role for industry in
the development of the National Strategy to Secure Cyberspace and the
Cyber Security Summit that followed in 2003. We played a leading role
in the establishment of the IT Sector Coordinating Council (IT SCC)
under the National Infrastructure Protection Plan (NIPP), and I am
honored to serve as the current Secretary. We have a long-standing and
robust Information Security Committee that works on all manner of cyber
security policy issues, and we are happy to provide our input today.
The State of Cyber Security Research and Development Funding
In 2002, the Congress passed, and President Bush signed into law
the Cyber Security Research and Development Act, which provided for
over $900 million over five years in cyber security R&D funding for the
National Science Foundation (NSF) and the National Institute of
Standards and Technology (NIST). That funding was sorely needed at the time
and has contributed to the body of knowledge that we have today to
address the kinds of threats we face in cyberspace.
Today, we understand that the Federal Government plans to spend
about $143 billion in 2009 on R&D. The Center for Strategic and
International Studies' (CSIS) Commission on Cyber Security for the 44th
Presidency noted that of that amount, two-tenths, or about $300
million, would go to cyber security. ``Given the importance of cyber
security to all aspects of our national defense and economy coupled
with the more sophisticated cyber threats we face,'' the report stated,
``a $300 million R&D investment is inadequate.'' \1\
---------------------------------------------------------------------------
\1\ Securing Cyberspace for the 44th Presidency: A Report of the
CSIS Commission on Cybersecurity for the 44th Presidency, Center for
Strategic and International Studies; page 74; http://www.csis.org/
media/csis/pubs/081208-securingcyberspace-44.pdf
---------------------------------------------------------------------------
The CSIS Report acknowledges the introduction of the Comprehensive
National Cybersecurity Initiative (CNCI) and its recognition of the
shortfalls in cyber security related R&D funding, along with its
related efforts. The CNCI calls for increased cyber security R&D
funding in the future and has embarked on a consultative process under
the Networking and Information Technology Research and Development (NITRD)
program's Cyber Leap Year project to ``identify the most promising
game-changing ideas with the potential to reduce vulnerabilities to
cyber exploitations.'' \2\ Currently in its third phase, the NITRD
request for information (RFI) process for Cyber Leap Year has canvassed
the cyber security community for ideas, is holding workshops to explore
the best ideas presented, and will publish its findings on game-
changing ideas, technical strategies for needed research,
productization and implementation of capabilities, and recommendations
for success, including funding.\3\ We look forward to the results of
the NITRD process.
---------------------------------------------------------------------------
\2\ http://www.nitrd.gov/leapyear/
\3\ http://www.nitrd.gov/leapyear/NCLY-RFI-3.pdf
---------------------------------------------------------------------------
Most recently, President Obama released his Cyberspace Policy
Review on May 29, 2009. In addition to his welcome announcement that he
would appoint a cyber security coordinator in the White House, the
President also committed his Administration to ``invest[ing] in the
cutting-edge research and development necessary for the innovation and
discovery we need to meet the digital challenges of our time.'' \4\ The
cyber review itself recommended that R&D frameworks should be linked to
infrastructure development and called on the Federal Government to
(1) work with industry to ``develop migration paths and incentives for
the rapid adoption of research and technology development, including
collaboration between academic and industrial laboratories,'' and (2)
``in collaboration with the private sector and other stakeholders . . .
use the infrastructure objectives and the R&D Framework to help define
goals for national and international standards bodies.'' In its
recommended near-term action plan, the report called for the
development of ``a framework for research and development strategies
that focus on game-changing technologies that have the potential to
enhance the security, reliability, resilience, and trustworthiness of
digital infrastructure; provide the research community access to event data to
facilitate developing tools, testing theories, and identifying workable
solutions.'' \5\ We were very pleased with the call for working with
industry on these efforts.
---------------------------------------------------------------------------
\4\ http://www.whitehouse.gov/the-press-office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/
\5\ Cyberspace Policy Review: Assuring a Trusted and Resilient
Information and Communications Infrastructure, p. 37, The White House;
http://www.whitehouse.gov/assets/documents/Cyberspace--Policy--Review--
final.pdf
---------------------------------------------------------------------------
Industry itself has coalesced its efforts around cyber security
research and development efforts that seek to affect the greater needs.
Of course, individual companies conduct R&D all the time on the
products and services they need to drive market solutions and meet the
demands of their customers. In fact, the overwhelming bulk of cyber
security R&D is provided by private sector entities seeking to develop
the most innovative solutions to meet the broad market requirements.
While the protection of our national critical infrastructures relies on
these efforts, there are gaps in cyber security capabilities for which
there is such limited market demand or the lack of market awareness.
The Cyber Leap Year project under the CNCI and other efforts
demonstrate the Federal Government's understanding that such a gap
exists and we need to work together to fill it. Further, federal R&D
will result in technology that can improve the Nation's security if
that technology is transferred to industry--in accordance with existing
federal technology transfer policies--for further development and
integration into cyber infrastructures.
In addition to discrete company R&D projects, the IT industry has
been working together on the strategic side of R&D planning in the IT
SCC's Research and Development Committee. The R&D Committee is charged
with conducting annual reviews of R&D initiatives in the IT Sector and
recommending updates to industry priorities based on changes in
technology, threats, vulnerabilities, and risk. The sector has come a
long way in the last three years informing the process of R&D
prioritization through a risk assessment process. This process
identifies the cyber risks in our IT infrastructure and evaluates what
protective programs exist to cover those risks. R&D is leveraged to
evaluate innovative ways to cover gaps in the protective programs and
evolve programs with the risk. This R&D prioritization process is a
collaborative one between IT Sector and our Government counterparts.
Additionally, the IT risk assessment, protective programs, and R&D
efforts are coordinated across all critical infrastructure and key
resource sectors (CI/KR) through the Cross-Sector Cyber Working Group
(CSCSWG).
Until recently, this coordination has been limited to the
Department of Homeland Security (DHS) as the Sector Specific Agency
(SSA) for the IT SCC; however, through joint collaborative success, the
IT SCC has started coordinating prioritization with the Interagency
Working Group (IWG) on Cyber Security and Information Assurance (CSIA).
The purpose of this collaboration is to highlight the role of the
private sector in cyber security R&D and reduce duplication of
investment in private and public sector. The IT SCC R&D Committee has
developed a cyber security R&D information sharing framework that
highlights those risk areas that receive less private sector emphasis
due to the limited market need for the investment. With an overwhelming
amount of market R&D investment addressing commercially viable
concepts, there are those risks that are of greater interest and need
higher prioritization in government. The IT-SCC facilitates this
information sharing between the private sector and the CSIA to help
agencies better prioritize individual agency R&D spending and
project selection, as well as coordinate cross-agency spending on risks
that will receive less attention from private sector entities. As an
example, through the IT-SCC R&D Committee work we have learned that
there is not much private sector R&D on cyber forensics as it relates
to law enforcement evidence trail. As such, this area of investment
appears to be de-prioritized in the private sector and may need to be
prioritized by government R&D programs to garner the innovation
necessary to align with the need for the ability to analyze cyber
incidents. We have also learned that there are cases in which
government has undertaken R&D in areas where the private sector is
already making a significant investment, so the increased dialogue is
important to avoid such duplication.
There is no institutionalized mechanism for the private sector to
provide input into the process by which the federal research portfolio
is developed. It is the vision of the IT-SCC R&D Committee to provide a
collaborative, partnered environment that allows both government and
private sector to break down existing barriers and promote
collaboration in IT Sector security R&D. The goal is to better inform
both government and industry about existing and prospective work--and
needs--so that resources are allocated and used more efficiently and
government can leverage the already existing commercial investment such
that it can better target the limited R&D resources. While we believe
these efforts are making a difference in the coordination and dialogue
between industry and government, we strongly recommend a more formal
mechanism be put in place for such input and collaboration. Such a
mechanism should include all the elements of the R&D life cycle:
identification of current and prospective R&D in the industry;
determination of the gaps in the market that need to be filled by
government efforts; and, where necessary and feasible, joint industry
and government collaboration on R&D projects. Collaboration should also
take place with our global partners in government and industry so that
we can leverage, rather than duplicate, efforts.
As we note, there is discrete R&D occurring in industry and in
government, respectively. Presumably these are geared toward new
product development or solutions to problems in the existing
environment. However, we believe there is now an opportunity for a more
strategic public private partnership in research and development for
greater cyber security into the future. We have yet to create a
mechanism for true government-industry collaboration on specific
projects, particularly those that will re-set the paradigm. That will
take some effort to define, fund, and implement, but it will be crucial
for addressing longer-term challenges and cyber security measures for
the future.
Another notion that could be explored in order to help achieve
greater coordination and collaboration is the creation and funding for
a national clearinghouse to serve as an intermediary between government
and industry on dialogue and collaboration for R&D and, even, other
pertinent projects such as building a reference resource for standards,
best practices, and collaboration opportunities. Notionally, such an
entity could be created through a partnership between academia,
industry and government and be administered by a broad based national
nonprofit organization meeting such appropriate criteria as substantive
expertise and a distributed network with operations in most states.
The State of Cyber Security Education
The exponential growth in the use of information technology for
just about every aspect of our society and economy today has yielded
remarkable results in innovation, efficiencies, productivity, and new
business models for new product services. However, that growth has far
out-paced our education system and training capabilities for developing
a pool of skilled information technology--and information security--
professionals. So, we are short, both in industry and in government.
Certainly there have been efforts to incent universities to build
robust information security programs, such as the National Centers for
Academic Excellence in Information Assurance Education (CAEIAE)
sponsored jointly by the National Security Agency (NSA) and DHS.\6\
Currently 93 universities have met the criteria for a national center,
and students that graduate from these programs are eligible to apply
for scholarships and grants through the Department of Defense
Information Assurance Scholarship Program and the Federal Cyber Service
Scholarship for Service Program. The Federal Cyber Service Scholarship
for Service Program\7\ is a unique program designed to increase and
strengthen the cadre of federal information assurance professionals
that protect the government's critical information infrastructure. This
program provides scholarships that fully fund the typical costs that
students pay for books, tuition, and room and board while attending an
approved institution of higher learning. Additionally, participants
receive stipends of up to $8,000 for undergraduate and $12,000 for
graduate students. The scholarships are funded through grants awarded
by the National Science Foundation (NSF), and recipient students must
serve at a federal agency in an information assurance position for a
period equivalent to the length of the scholarship or one year,
whichever is longer.
---------------------------------------------------------------------------
\6\ http://www.nsa.gov/ia/academic-outreach/nat-cae/index.shtml
\7\ https://www.sfs.opm.gov/
---------------------------------------------------------------------------
These are laudable programs, but they are not without their own
challenges. For example, designation as a national center does not
guarantee grant funding, and students in the ``cyber corps'' program do
not always find relevant, open positions in the government on a timely
basis. An additional challenge for government cyber security
professionals is that there is not a clear career path that includes
training and advancement opportunities for cyberspace specialists in
the Federal Government. Inevitably, skilled, trained, cyberspace
professionals seek jobs in the private sector. While that is not bad
for companies who are constantly looking for skilled cyber security
personnel, it reflects an imbalance in the system and still sees
shortages for everyone.
We cannot rely only on university education to help shore up our
personnel resources for the future. We need to adjust our national
education curriculum for K-12 years to reflect the new environment as
well. Yes, it is science and math, certainly, and we welcome President
Obama's new commitment to education in science and math as part of a
``national campaign to promote cyber security awareness and digital
literacy from our boardrooms to our classrooms, and to build a digital
workforce for the 21st century.'' \8\ Specifically, the President's
Cyber Policy Review recommends, as part of its mid-term action plan,
expanded support for key education programs (and R&D) and the
development of a strategy to expand and train the workforce, including
attracting and retaining cyber security expertise in the Federal
Government.\9\ We welcome the recommendations, and industry looks
forward to working with the government to help meet those objectives.
---------------------------------------------------------------------------
\8\ http://www.whitehouse.gov/the-press-office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/
\9\ Cyberspace Policy Review: Assuring a Trusted and Resilient
Information and Communications Infrastructure, p. 38, The White House;
http://www.whitehouse.gov/assets/documents/Cyberspace-Policy-Review-final.pdf
---------------------------------------------------------------------------
Conclusion
In sum, there are some key areas for short- and longer-term work on
cyber security R&D and education and training needs.
We commend the Congress for its early focus on cyber security
issues and this subcommittee for convening this panel today as part of
your cyber security series. This congressional session provides a
significant opportunity to make progress, and we look forward to
working with you and your colleagues to develop proposals for
meaningful change.
Thank you for the opportunity to appear before you today and
express industry's perspective on this important issue. I would be
happy to answer any questions you may have.
Biography for Liesyl I. Franz
Liesyl Franz is Vice President for Information Security and Global
Public Policy at TechAmerica, working with industry and government
leaders on such issues as cyber security, critical infrastructure
protection and Internet Governance. In this role she leads
TechAmerica's strategic and tactical efforts on public policy in these
areas with the Administration, Congress, and international
organizations. In addition, she represents TechAmerica in the
Information Technology Sector Coordinating Council (IT SCC) under the
National Infrastructure Protection Plan (NIPP), where she currently
serves as Secretary.
Liesyl joined TechAmerica (previously ITAA) from the Department of
Homeland Security, where she served as Deputy Director for Outreach and
Awareness and Director for International Affairs and Public Policy at
the National Cyber Security Division (NCSD). She led programs in the
areas of global affairs, public policy, communications and messaging as
well as stakeholder outreach, including building international
partnerships, coordinating public relations for key events such as the
Cyber Storm National Cyber Exercise and conferences, and managing
events for National Cyber Security Awareness Month held annually in
October.
Prior to her service at DHS, Liesyl was Director for Global
Government Affairs at EDS Corporation working on cyber security,
privacy, financial services, and trade issues, and she worked with the
Coalition of Service Industries where she managed industry's
participation and input into services trade negotiations in the World
Trade Organization (WTO).
Liesyl was recognized in 2005 by the Women's High Tech Coalition
with the Women in Cyber Security Award for her contribution to public-
private partnerships and international collaboration in cyber security.
She holds a BA in Political Science from the University of Texas at
Austin and an MA from the Elliott School of International Affairs at
George Washington University.
Chairman Lipinski. Thank you, Ms. Franz.
The Chair now recognizes Dr. D'Amico.
STATEMENT OF DR. ANITA D'AMICO, DIRECTOR, SECURE DECISIONS
DIVISION, APPLIED VISIONS, INC.
Dr. D'Amico. Thank you, Mr. Lipinski and Mr. Ehlers and the
Subcommittee. I am the Director of Secure Decisions, a division
of Applied Visions, which is a small business in New York. We
specialize in improving the situational awareness of cyber
defenders. We help them understand what is going on in the
network, find suspicious activity and figure out what to do
about it.
I would like you to note the name of my division, Secure
Decisions. As a psychologist, I wanted the name to reflect the
importance of human decisions of security professionals. I have
since learned we need to improve the decisions of a lot of
people, not just security professionals. We must teach
programmers to make secure design decisions that build security
into software from the beginning and not just tacked on at the
end. Home users need to be educated about the risks of their
Internet decisions before they click on the interesting ad.
Students need to learn the ethics of using computers for
entertainment and online socializing. We need to change the
culture to make good security second nature to all of us and
not something that we try to avoid.
But this change in culture is not going to be achieved by a
bunch of smart engineers designing new intrusion detection
systems. This cultural shift requires the expertise of those
who understand how to change minds, that is, the social
sciences. So my first take-away to this committee is that cyber
security education is not just for security wonks. We need to
broaden the base of those we teach and involve the social
sciences in the education of this larger audience.
My second take-away is that we have to get better at
training the people whose job is computer security. New
graduates with information security degrees have little
opportunity to learn by doing as prior generations had to do.
Young soldiers in particular have little time to become
proficient before rotating out to their next assignment. How do
we improve this? First, we need to formalize the mentorship of
the new generation. Before the old guard retires, they need to
share their knowledge with the newbies but mentorship is not
something that comes naturally to everyone and that is where
the social sciences can help.
Second, we need better ways for security practitioners to
share information with their own peers. New collaboration
techniques developed with social scientists can make a
difference.
Third, we need to train professionals on realistic yet safe
training networks where they can practice their skills without
bringing down eBay. This is also needed for researchers to test
out their new technologies. And speaking of research, few
results of federally funded cyber R&D ever make it into the
real-world operations. As a taxpayer, I find this disturbing.
Little research funding is directed at technology transition.
Once the paper is published, many researchers and government
program managers feel their job is done. The rest of the work,
making the technology affordable and usable, is abandoned in
the hope that someone else will pay for it. Furthermore,
academicians are judged by their publication history but few
scientific journals consider technology transition worthy of
their attention.
And finally, computer scientists are often just not into
the softer side of security, that is, how people use the
technology, yet studying how people use cyber security
technology is exactly what is needed to improve technology
transition. We need to study the usability of systems and to
test them in operational environments where real people get to
try them out. So my third take-away to the Committee is that
the government should fund projects through the technology
transition phase and should use transition to evaluate both
researchers and the government program managers.
My last message is about how little input the private
sector has in the federal research portfolio. With the
exception of a few ISACs, the private sector has no voice.
Furthermore, the private sector cannot easily tap into the
results of the federally funded research. I believe the
government should require researchers to publish their results
in the trade magazines and the online forums where security
professionals communicate, not just in the scientific journals.
In closing, please keep in mind what information security
experts often say: Cyber security is about people, processes
and technology. As educators and researchers, we must look at
all three of these things, not just technology. I am one of the
few psychologists actively engaged in cyber security R&D. I am
surrounded by computer scientists and engineers, but I hope
with this committee's support that in the future my position as
a psychologist in cyber security will just be a bit less
lonely. Thank you.
[The prepared statement of Dr. D'Amico follows:]
Prepared Statement of Anita D'Amico
Introduction
Thank you Chairman Lipinski, Ranking Member Ehlers, and Members of
the Subcommittee for the opportunity to testify on this important
topic.
I am the Director of the Secure Decisions division of Applied
Visions, Inc. I was educated as an experimental psychologist; applied
my skills as a human-factors psychologist in maritime ship operations,
manned spacecraft and surveillance aircraft; and for more than 15 years
have been involved in various aspects of cyber R&D. For the past nine
years I have been directing the Secure Decisions division of AVI to
enhance the situational awareness of those defending our critical
computing infrastructure.
As a small business engaged in custom software development, Applied
Visions recognized over a decade ago the frailty of our country's IT
infrastructure and the importance to our country of instilling and
monitoring good cyber security practices. AVI invested in a new
division dedicated to improving the situational awareness of those
responsible for defending our critical IT infrastructure. In under ten
years the Secure Decisions division has become, even as a small
business, a leader in cyber situational awareness R&D.
We perform R&D sponsored by the Department of Defense, the
Intelligence Community, and the Department of Homeland Security. And
from my perspective one of our most valuable contributions is when we
transfer that R&D into usable products for use in both DOD and in
industry. We publish research results--those that we are permitted to
disseminate--in peer-reviewed journals. We partner with large companies
like Raytheon and ITT, universities including Johns Hopkins and George
Mason, and other small businesses.
We owe our continued growth in cyber security research in part to
the U.S. Government's Small Business Innovation Research (SBIR)
program. Our company is a testimony to the valuable role that SBIRs
play in transforming cyber security research into operationally usable
software systems and products. Unlike many federally-funded R&D
programs that have little accountability for the ultimate operational
utility of their research, the SBIR structure holds us accountable
for--and rewards--the transition from early stage innovative concepts
to prototype development and technology transition planning, all within
a typical SBIR lifespan of three years.
The Human Element in Cyber Security
We named our division ``Secure Decisions'' to recognize the
importance of human decisions in cyber security. As a psychologist
working in a field predominated by computer scientists, I chose a name
that reflected our goal to enhance the situational awareness and
decision-making of cyber security practitioners. Of course, security
practitioners are not the only individuals whose decisions make our
critical computing infrastructure more or less secure. Many others,
including home-users of computers, policy-makers, cyber lawyers,
software developers, and educators, make us all more or less secure
through their individual actions.
The current emphasis in cyber security R&D has been technological:
creating or improving tools to enforce security. While this is indeed
necessary, there is a significant human element to the problem that
cannot be ignored. As researchers and educators, we must address all
the many different roles that we humans play in cyber security, beyond
just the security practitioner who administers firewalls, tunes
intrusion detection systems, and monitors networks. We must also
educate the software developer, lawyer, policy-maker, and all of us
users who are unwitting accomplices of the attacker. The
recommendations in the Cyberspace Policy Review just issued by the
White House\1\ recognize this.
---------------------------------------------------------------------------
\1\ Cyberspace Policy Review (2009); http://www.whitehouse.gov/assets/documents/Cyberspace-Policy-Review-final.pdf
---------------------------------------------------------------------------
Let's look at the software developer as one example of the need for
enhanced security education. From the very start of the software life
cycle--creating the software itself--software developers are
inadequately schooled in how to program securely; security is often
added on afterwards. Rewards are given for speed to market, not for
creating secure software. For example, just two programming errors
resulted in more than 1.5 million web site security breaches during
2008.\2\ And all too often, the developer's initial response to the
discovery of a vulnerability is something akin to ``gee, we never
thought a user would do that with it.'' We must change the way that
programmers go about understanding the needs and behaviors of us as
users, and in creating the software that we use.
---------------------------------------------------------------------------
\2\ SANS Security Leadership Essentials for Managers: Experts
Announce Agreement on the 25 Most Dangerous Programming Errors--And How
to Fix Them, January 12, 2009; http://www.sans.org/top25errors/?utm-source=web&utm-medium=text-ad&utm-content=Announcement-Bar-20090111&utm-campaign=Top25&ref=37029
---------------------------------------------------------------------------
Technical solutions must be easily deployable and usable. Gaining a
deeper understanding of how people use technology by bringing together
computer science and the behavioral sciences can make our technological
breakthroughs actually useful and relevant to society.
We then must educate the cyber policy-makers and legal
professionals in the fundamentals of confidentiality, integrity, and
availability of information systems so that they understand the context
in which they regulate and prosecute. The law generally has lagged far
behind technology; we need technology-savvy courts to keep pace with
the changing landscape. Few lawyers are sufficiently schooled in
technology and security issues to be able to understand the problem
well enough to decide whether or not proposed solutions to the problem
are legal--and as a result, the usual answer is ``no.''
And finally, we must educate the rest of us--the teeming masses who
actually use the software and cyber infrastructure of the Nation--in
how to better understand the risks associated with that use, and how to
make better decisions.
The cornerstone to this good security decision-making is our
understanding of risk. Like most of life, security is about making
decisions and choosing between options--making trade-offs between
security and convenience, risk and comfort, safety and freedom.
Overall, we're not bad at making security trade-offs.\3\ The problem we
have right now is that our understanding of risk, our basis for making
these choices about security, is still based primarily on our physical
environment and life as it has been for thousands of years. Our ability
to understand, evaluate, and react to risks has not yet acclimated to
our current environment, meaning the realities of the 21st century and
cyberspace. Our perceived risk and the actual risk do not match, and we
often make the wrong decisions as a result.
---------------------------------------------------------------------------
\3\ Schneier, Bruce. (2008) The Psychology of Security.
http://www.schneier.com/essay-155.html, Published Online.
---------------------------------------------------------------------------
Therefore, part of raising the awareness of our citizens is to
educate them in the actual, rather than the perceived, risks of
traveling through cyberspace.
The State of Cyber Education
The current approach to cyber education falls far short of
adequately preparing this universe of developers, practitioners, and
users for life in the cyber world. Current education is focused on
training security practitioners and educating computer scientists, but
little is being done for all of the other roles: security practitioner,
home user, business owner, software and hardware designer/developer,
policy-makers, legal professionals, and even young students using the
Internet.
Emphasis on Technology and Not People
Information security is often said to be about ``people, process,
and technology.'' Technological change can almost be taken for granted,
given the natural inclination of engineers and technologists to
constantly improve things. Instead, changing how people think and the
process by which we go about doing things should be our primary
concern. We should be developing a new breed of multi-disciplinary
cyber security experts educated in the areas of people, such as
psychology and organizational behavior, and processes, such as
management, business process, and the law.
There has indeed been an increase in the number of academic
institutions offering undergraduate and graduate degrees related to
cyber and information security, but the majority of these programs are
still technology-focused: computer science, computer engineering,
electrical engineering, and so forth. This is not enough. Technology
can shore up our defenses, but an emphasis on the social sciences can
change the way we look at things: how we as a society view the risks
and trade-offs in the digital world, and how we make those day-to-day
decisions that have such a significant impact on the safety of our
travels in cyberspace.
Unfortunately, there are not many examples of the collaboration
between the social sciences and the computer sciences required to
achieve this shift in education. Conferences like the Workshop on the
Economics of Information Security and the 2008 Workshop on Security and
Human Behaviour are initiating a dialogue between technologists and
social scientists, and we are beginning to see encouraging signs of
this collaboration at the educational level. In addition, a workshop
next month at the National Academy of Sciences, Usability, Security,
and Privacy of Information Systems, is focused on identifying new
research areas in ``usable security'' and will influence the research
agendas of both NSF and NIST, which are sponsoring the workshop.
Visionary leadership is needed to achieve these changes in
educational philosophy. As long as technology is viewed as the end-all
of cyber security research and education, the focus will remain on
problems in that area. And even if technology development remains the
focus of our cyber security research and education, we have several
major hurdles to overcome. One hurdle is the shortage of U.S. citizens
who are acquiring the requisite math and science skills needed to teach
and conduct hard research in cyber security.\4\ This leaves many of the
hard technology questions unanswered by our own citizens. Another
hurdle--and this one I feel very strongly about--is the limited
transfer of research findings into real-world use. Advanced education
programs (such as for a Ph.D. in Computer Science or Information
Systems) emphasize publication rather than transfer of findings into
real practice. The system of grants that fund the work of students and
their professors places more value on prior publications than practical
results. We need to transition the research into the everyday world of
Information Technology.
---------------------------------------------------------------------------
\4\ Zweben, Stuart. Computing Degree and Enrollment Trends, from
the 2007-2008 CRA Taulbee Survey, 2008, at 4,
www.cra.org/taulbee/CRATaulbeeReport-StudentEnrollment-07-08.pdf
---------------------------------------------------------------------------
There are encouraging examples of such visionary leadership in
interdisciplinary security. New York University, for example, recently
merged with Brooklyn Polytechnic University, and quickly set out to
build bridges between their engineering and social science communities.
They now have a program combining Economics with Computer Science.
Georgia Tech Information Security Center (GTISC) also recognizes the
importance of interdisciplinary studies, and has launched a cooperative
effort between their College of Computing and the Sam Nunn School of
International Affairs. Despite these forward-thinking programs, there
are few if any educational opportunities in cyber security that combine
psychology, anthropology, or sociology with computer science.
Educational Challenges in the Military
The military is also wrestling with this problem, although from a
different perspective: they see the need for cross-disciplinary
education to incorporate the social sciences into cyber operations in
order to better understand the impact of cyber operations on both
friend and foe--a form of ``battle damage assessment'' for cyber
warfare. This interdisciplinary approach needs to become the norm
rather than the exception: cross-disciplinary education needs to be not
only encouraged, but required.
The DOD faces other educational challenges that are somewhat unique
to their organizational model. In fact, there are two characteristics
of the DOD model that work together to make things quite difficult:
incoming technical staff are more often chosen by aptitude than by
experience, so that training must start at the most rudimentary level.
And, the military tends to rotate people through posts on a regular
basis, so that once they achieve some level of competency in cyber
security they are likely to be transferred to some other discipline.
This is further exacerbated by the fact that technical positions--such
as Computer Network Defense--are not known to be a path to advancement
(as opposed to traditional combat roles), and hence suffer high
turnover.
Conti and Surdu\5\ cite these challenges, among others, in their
rationale for creating a fourth branch of the service--a peer to Army,
Air Force, and Navy--to take on Cyberspace. This has cultural
significance. They propose that top-notch cyber talent will clamor to
join a service where cyber excellence is viewed as a path to
advancement, and where just being a member of that service is a point
of pride (as the Marines have achieved with their image as ``The Few,
The Proud . . .''). They observe that many young technically-talented
individuals make critical decisions in their formative years that
influence the direction of their lives. Perhaps the most important
decision made by these rising cyber stars is whether or not to engage
in illegal activity, like hacking. Creating an elite cyber
organization, complete with positive role models, will give these
people a chance to make the right choices in their lives.
---------------------------------------------------------------------------
\5\ Conti, Lt. Col. Gregory and Surdu, Col. John ``Buck.'' ``Army,
Navy, Air Force, and Cyber--Is it Time for a Cyberwarfare Branch of the
Military?'' IA Newsletter, Vol. 12 No. 1, Spring 2009,
http://iac.dtic.mil/iatac
---------------------------------------------------------------------------
Educating the Practitioners
Security practitioners have traditionally been trained rather than
educated: the emphasis has been on the practical application of tools
and techniques to defend the network, rather than on gaining
understanding of the principles and behaviors that inform cyber
security. The ``old guard'' practitioners learned about computer
security after their formal education was completed, through a form of
on-the-job-training as they ``wrote the book'' on security best
practices in the early years. Current practitioners may have had some
formal education or training, perhaps a degree in computer science or a
few courses that led them to obtain some certification, but most of
their real learning still happens on-the-job. What neither group
realizes is that much of that on-the-job training--which they view as
``learning the ropes'' with tools and techniques for security--is in
fact teaching them about the behavioral and social characteristics of
their adversaries. The newest, upcoming generation is indeed getting
more formalized education--for example, an MS in Information Security
is now an option at many universities--but they lack the context for
that education. Without real-world experience, and without including
behavioral and social sciences in their education, they too will not
gain a real understanding of the problems or of their adversaries until
they have been on the job for a while.
A few years ago we had an opportunity to conduct a formal Cognitive
Task Analysis of nearly eighty information assurance analysts in the
DOD and the Intelligence Community.\6\,\7\ We learned from
that analysis that mentorship of network defenders is very important.
Rapidly transferring corporate knowledge typically acquired through
years of experience from old guard to new guard will be particularly
important in the coming years as the first generation of network
defenders retires. One area ripe for research is how to improve this
mentorship to maximize the value of learning from the more-experienced
to the less-experienced practitioner. Social science work on learning,
mentorship, and collaboration can serve this need.
---------------------------------------------------------------------------
\6\ D'Amico, A. & Whitley, K. (2005). Achieving cyber situational
awareness: A cognitive task analysis of information assurance analysts.
In Proceedings of the Human Factors and Ergonomics Society 49th Annual
Meeting, Orlando, FL, pp. 229-233.
\7\ D'Amico, A. & Whitley, K. (2007). The real work of computer
network defense analysts: The analysis roles and processes that
transform network data into situation awareness. In Proceedings of the
Workshop on Visualization for Computer Security, Springer-Verlag Berlin
Heidelberg, pp. 19-37.
---------------------------------------------------------------------------
We also learned that the personality characteristics of entry-level
network defenders are perceived by experts as equally or more important
than their technical education. Such characteristics as curiosity,
perseverance, assertive questioning, and good communication skills were
considered strong markers of future success of an entry level defender.
How do we select for and train these characteristics in our future
cyber workforce to ensure that our defenses are as strong as possible?
This is answered by the social sciences as much as by the technical
disciplines.
Educating the Developers
The emphasis on ``securing the perimeter'' of networks is a
side-effect of a more fundamental issue: security is all too often an
afterthought. We build flawed software and then expend countless
resources trying to patch the cracks and shore up the defenses. And
when we do build flawed software products, the pressure to bring these
products to market causes many to be released before adequate security
testing has taken place. All of this raises questions about current
software engineering pedagogy.
We need to teach secure coding practices--and, more importantly, we
need to convey a fundamental understanding of the importance of
security--from the very start, in high school computer science classes.
Most of our computer science programs in higher education teach
students the fundamentals of developing software and systems, and
culminate with students building some hardware or software object, but
little attention is generally given to the design and implementation of
security within these objects.
Systems sometimes fail because the engineers considered a very
narrow range of threats; again, the issue is a lack of understanding of
the actual risks in the modern world. Information security needs to be
an integral part of the core curriculum of computer science for both
programmers and engineers. We must teach software developers and
systems engineers how to go beyond just functional requirements in the
design phase. They need to understand and anticipate all of the ways
that experts and non-experts may use their systems. Usability and
security testing needs to be performed side-by-side with functional and
performance testing during development; students need this as part of
their basic education.
Educating the Users
The most difficult audience to get a handle on, but one that
desperately needs more education, is ``the rest of us''--all of us who
use these technologies, who suffer the consequences of failed security,
and who all-too-often serve as unwitting accomplices to an attack.
We Need Realistic Test Data
Another challenge relevant to the whole educational and research
spectrum is the need for more realistic testing and evaluation of cyber
technologies and processes. In most disciplines some form of real-world
experimentation eventually becomes practical and necessary; for
example, psychologists can evaluate human subjects and compare the
results against control groups. In the cyber world this is
exceptionally difficult: one cannot perform security experiments on an
operational network (let alone on the Internet), yet ``simulating''
such an environment is a huge challenge. Many researchers have built
small-scale simulated networks in the lab, but the human element--real
people using the network for real tasks--is completely missing and
quite difficult to simulate. Realistic training and test data that can
scale to the size of large networks is needed to add operational
realism to training and research, and to increase the applicability to
real world conditions and the potential transfer to implementation.
With this sort of realistic simulation and test data we can properly
prepare practitioners and developers to operate in the cyber world;
without it, they have no other choice but to ``learn by doing'' in the
``real world,'' with the risks and inefficiencies that implies.
The Contribution of Social Sciences to Computer Security
The social and behavioral sciences can play a valuable role in
studying and changing the various cultures--software developers,
college students, and especially home computer users--so that
individuals and societies engage in secure practices almost without
ever thinking about them.
We need to understand why our perception of security risk does not
match reality. Risk perception is critical to helping us understand how
to motivate secure behavior, make better decisions, and create policies
that discourage destructive or invasive behavior through real
consequences.
We need to apply what we know about cultural influence to creating
cultures that are supportive of secure and private computing.
Collaborative Techniques
Human collaboration is an important means for analyzing information
about potential attacks. There are numerous instances where one
government agency or commercial organization was aware of a serious
attack but did not have the authority, means or motivation to share
that information.
One group working to bridge this gap at the organizational level is
the Information Sharing and Analysis Centers (ISAC) Council. There are
several individual member councils that focus on various areas of
critical infrastructures, such as Communications and Information
Technology, but this group and its members represent the exception, not
the norm, and information-sharing is particularly problematic within
the government.
But we also must foster collaboration at the individual level, and
this is where the social sciences can help bring about positive change.
Individual network defenders and law-enforcement agents struggle every
day to find attackers. Often, several individuals are working at the
same time in pursuit of the same perpetrator, but they have no idea of
each other's existence or of their common goal. And worst of all, they
don't know that each of them holds a different piece of the puzzle that
carries the answer. If they had an effective means of communication,
whether through online collaboration or shared visualizations, and if
they have the understanding that they do not have to--and should not--
solve this problem alone, they would be able to work together more
effectively. It is at that individual collaboration level that
psychology and sociology can play a significant role.
So in addition to all of the effort that is currently being applied
to getting organizations to collaborate more effectively (as described
in the President's Cyberspace Policy Review), we must also work just as
hard to improve the ability of individuals to collaborate effectively
within and across organizational boundaries. Assuming that policies
allow for information sharing, we need to have media in place for
collaboration and shared situational awareness.
Usability to Enhance Security
There is a never-ending tug-of-war between security and usability.
The more protections that are built into our systems, the harder they
are to use. Apple famously lampooned Microsoft's attempts at improving
the security of Windows Vista by asking users to ``cancel or allow'' a
wide range of what users perceive as ``normal'' activities. And human
nature being what it is, users do their utmost to find ways of
circumventing these controls so they can get on with their work,
including developing a knee-jerk response to ``allow'' everything that
comes along.
A lot of attention is being paid to usability of computing systems
in general--making applications or web-sites more ``user friendly,''
for example--yet the concept is often ignored when security controls
are designed in. Think of the most basic problem of remembering
passwords. More stringent passwords, requiring nonsensical strings of
numbers, letters and special characters, are at odds with people's
innate ability to remember short, meaningful sequences of information.
As a result, people simply write them down on post-it notes and stick
them to their monitors for all to see. There are some encouraging
sparks of innovation in this area: for example, graphical passcodes\8\
for user authentication. These new types of password, which use
pictorial elements, take advantage of people's visual memory recall and
are remembered better than meaningless strings of alphanumerics.\9\
This sort of forward-thinking research needs to be applied across the
entire security problem.
---------------------------------------------------------------------------
\8\ http://www.passfaces.com
\9\ Johnson, K. & Werner, S. (2008) Graphical user authentication:
A comparative evaluation of composite scene authentication vs. three
competing graphical passcode systems. In Proceedings of the 52nd Annual
Meeting of the Human Factors and Ergonomics Society. New York, NY.
---------------------------------------------------------------------------
Need for Research on How People Value Information
The crux of information security is securing information that has
been designated as valuable. Nevertheless, we have little understanding
of what makes information valuable to people. Security practitioners
tend to ``guard the perimeter,'' treating everything within the
boundaries as if it is of equal value. Yet all information assets
behind a firewall are not equal. Some workstations or servers are more
valuable than others--perhaps because of the role of their user, the
content of their storage device, or the service they provide to the
enterprise. People want to protect the most valuable information; yet
there are no metrics or even basic insights into how the value of
information is determined.\10\
---------------------------------------------------------------------------
\10\ Stevens, J. (2005) Information Asset Profiling. Pittsburgh,
PA, Carnegie Mellon University.
---------------------------------------------------------------------------
If we knew how to measure the value of information, we would be
able to apply security measures that follow the high-value information,
even as it moves through a network. Just as the President's bodyguards
follow him as he moves, so too should security be able to move along
with important information. If U.S. network defenders can provide
greater protection to the most valued assets, adversaries may be
deterred by the extra time and resources required to break into
well-protected cyber assets. Of course, this requires the defender to know
which information systems contain high-value information--something
that is difficult without methods to value information and the means to
locate where the high-value information currently resides in a dynamic
network configuration.
If we better understood how people placed value on information, we
would be able to use that valuation to motivate individuals to comply
with security practices and change the culture of security. We could
also use that understanding of information value to support the
calculation of the Return on Investment of security. The ability to
recognize and quantify the value of information resident on a network
will help security practitioners better secure and protect information
and network assets, allow cyber defenders to prioritize their defensive
actions by focusing on the most critical network assets, and allow
business owners to immediately assess the impact of an attack on those
assets.
Understanding the relative value of information underlies all of
these decisions. But there is no current methodology used in the DOD
for assigning an actual value to information. Current
work\11\,\12\ on cyber information valuation within DOD has
advanced the theoretical discussion but remains only conceptual.
Metrics are not usable unless they have been validated against
real-world observations.
---------------------------------------------------------------------------
\11\ Grimaila, M.R. and L.W. Fortson. (2007) Towards an Information
Asset-Based Defensive Cyber Damage Assessment Process, Computational
Intelligence in Security and Defense Applications.
\12\ Hellesen, D. (2008) An Analysis of Information Asset Valuation
(IAV) Quantification Methodology for Application with Cyber Information
Mission Impact Assessment (CIMIA), Master's thesis, AFIT.
---------------------------------------------------------------------------
Research is needed to better understand how people place value on
information, to identify the most promising metrics for valuing
information, to apply those metrics to information observed in a
real-world environment, and to determine whether or not the conceptual
metrics are verifiable in real data.
The Private Sector's Role in the Cyber Security Research Agenda
Security practitioners in the private sector are on the front line
of cyber defense. These individuals write the security policies, deploy
the technologies, and attempt to compute ROI for security expenditures.
They have direct influence on the security practices of individual U.S.
workers and business owners whose inattention to security could have
cascading effects on our country's computing infrastructure. Security
practitioners deal with the people side of security, far more than any
of today's educators or researchers. Yet the security practitioners
have virtually no influence on the cyber security research agenda and
only indirect influence on the curriculum of computer science programs.
The government does not actively solicit input from the private
sector in crafting its R&D or education agenda, nor does the government
actively promote dissemination of the research results to media and
forums usually consulted by private security practitioners. As a
member, Board Director, and Advisor of the New York Metropolitan
Chapter of the Information Systems Security Association (ISSA), I
regularly meet with hundreds of chapter members who are security
professionals in New York-based businesses. We have never been asked
for input into a national research agenda. Our membership has been
genuinely surprised when they've heard about the results of my own work
sponsored by DHS, IARPA, the Air Force, and DARPA. Furthermore, these
members of the private sector are willing to participate in the
technical transition of the R&D--but they are rarely asked to do so.
Additionally, the ISACs and other organizations, such as the
National Academy of Sciences, could be tapped as conduits for
collaboration between the private sector and government in developing
the cyber security research agenda.
Conclusion
Effective cyber security is often said to be about ``people,
process, and technology.'' Although ``people'' come first in this
description, the emphasis in federally funded cyber security education
and research has been on the development of technology within the
academic environment of computer science and electrical engineering.
This needs to change.
Broaden the Base of Those Receiving Cyber Security Education
The current approach to cyber security education falls far short of
adequately preparing the universe of people who every day take actions
that make our computing infrastructure more or less secure. We must
offer information to--and influence the behavior of--software
developers, business owners, soldiers maintaining network-centric
systems, policy-makers, lawyers, students, and home-users. The source
of this education must go beyond college computer science courses. The
education and training of security awareness, good practices, and cyber
ethics should start in our elementary schools and extend beyond the
academic environment into the training programs offered by professional
organizations.
Schools of law and law enforcement must not only teach cyber law
and policy, but teach the foundations of the Internet and computer
usage that underlie the laws and policies.
Social science experts in cultural influence should be consulted on
how to raise our national awareness of cyber risks and change the
security practices of average Americans.
Experts in learning should advise the retiring old guard security
practitioners on how to effectively mentor new security professionals
and expedite the transfer of their corporate knowledge.
Computer science curricula must include building security into the
entire life cycle of software development.
We must increase the number of U.S. citizens who master the math
and science needed to advance cyber security technologies, and who
enroll in advanced degrees in information security.
Use Interdisciplinary Approaches to Make the Cyber Culture More Secure
Changing how people value security and behave with computer systems
and networks should be a primary concern of our cyber education and
research. It is clear that technological change will happen; it already
does. But safe and ethical behavior is not keeping pace with the
pervasiveness of computing for work, entertainment, and socializing.
Interdisciplinary approaches, which combine computer science with the
more people-centric disciplines of psychology, sociology and
anthropology, can extend our understanding of how to create a more
secure computing culture.
We need research on how people value information. Understanding how
people place value on information will help security professionals to
motivate compliance with security practices; it will inform the
security architects on where to place the greatest defense; and it will
form the foundation for security metrics.
Security must be more usable. Interdisciplinary approaches to
usability can make it easier for practitioners to install and tune
security technology, and for users to comply with security policies and
practices.
Human factors psychologists with expertise in collaborative media
should work with computer network defenders to develop effective means
for timely information sharing needed to rapidly detect cyber attacks
within and across organizations.
The disciplines of economics, business administration, and
information systems must study the interdependencies of computing
assets and business processes so that accurate ROI for security
investment can be computed, and data-driven plans for continuity of
operations can be developed.
Foster Technology Transition of Cyber Security Research
The existing research agenda, framed by and for computer
scientists, emphasizes publication of research results above technology
transition. Little current research and education funding is directed
to the operational implementation of the advanced technologies. The
problems encountered in getting a technology to work in the real
world--accreditation, affordability, usability--are not deemed worthy
of peer-reviewed publications and are therefore dismissed by many
professors, students, and funding agencies who measure their
achievements through publication history.
There is a short supply of U.S. citizens with security-related
advanced degrees who can transition technology into the DOD where
security clearances are required. Non-academic research institutions
that have U.S. citizens to transition technology, such as research
contractors or government laboratories, do not have the streamlined
Institutional Review Board processes required for technology evaluation
studies involving people; hence the human element is all too often left
out of the research.
To increase the likelihood of technology transition we must take
several steps:
Realistic, scalable test data must be provided to the researchers by the funding agencies.
Funding agencies should include measures of technology transition in their evaluation of grants and research contracts.
Funds should be available for crossing the chasm from prototype to operational deployment. This includes funding for accreditation and usability evaluations.
The government should foster collaboration between university researchers and nonacademic research organizations. The universities can use their Institutional Review Boards to guide corporations and government laboratories in testing new technologies with human subjects. Research companies with personnel who have security clearances can assist universities with technology transition into DOD sites that are not ordinarily accessible to university students and professors.
Increase the Private Sector's Voice in Cyber Security Education and
Research
The private sector, which is a conduit both for attacks on our
critical information infrastructure as well as the prevention of those
attacks, has no significant influence on the federal R&D agenda in
cyber security. Security practitioners in the private sector, where
they can influence U.S. workers and businesses, are neither consulted
on the national agenda nor given easy access to the results of
federally sponsored R&D. This can be addressed in several ways:
The sponsors of cyber security R&D should conduct
outreach activities to professional societies of security
practitioners including ISSA, ISACA (Information Systems Audit
and Control Association), and (ISC)2 (International Information
Systems Security Certification Consortium).
Researchers must be encouraged by the sponsors of
their research to publish the results of their work in trade
magazines and on-line forums where private security
professionals communicate.
The government should incentivize the private sector
to bring interns from academia into their IT infrastructure to
gain on-the-job experience prior to their graduation.
ISACs should be used as a medium for connecting
private sector needs with federally funded research.
In sum, there are many substantive ways in which the social
sciences can assist us in improving cyber security. My thanks to the
Committee for allowing me an opportunity to share my viewpoints.
Acknowledgements
I would like to acknowledge the contributions of Laurin Buchanan
and Frank Zinghini of AVI, and Geoff Mumford of the American
Psychological Association, to the preparation of this testimony.
Biography for Anita D'Amico
Dr. D'Amico is the Director of Secure Decisions, a division of
Applied Visions, Inc. She is a human factors psychologist and an
information security specialist, with interests in improving
situational awareness of information security analysts through
visualization and cognitive analysis. Her most recent work has been in
the area of combining geographic information with network security and
network management information to improve security and preserve
continuity of operations.
Dr. D'Amico joined Applied Visions in 2000 to help create and grow
the Secure Decisions division, building upon information visualization
technology developed by Applied Visions under an Air Force research
contract. The Secure Decisions division of Applied Visions is now
recognized as a leading provider of information visualization research
and technology development to the Department of Defense, the
Intelligence Community, and the Department of Homeland Security.
Prior to joining Applied Visions, Dr. D'Amico ran the Information
Warfare Group for Northrop Grumman, where she was responsible for
developing that new business area. In the years before that she had
applied her human factors and psychology training to a variety of
domains, all centered about the interaction between humans and
machines, including such disparate domains as aircraft design and ship
handling.
Dr. D'Amico has published widely on the topic of cyber security,
particularly from the perspective of human factors and the impact of
situational awareness on the effectiveness of cyber security
practitioners. She is a frequent keynote speaker on the topic at
industry conferences, and she chaired the 2003 Forum on Information
Warfare, presented by the Management Information Systems Training
Institute, Washington, DC. Recently, she conceived and conducted a
joint industry/government workshop on understanding and determining the
impact of cyber security breaches on organizational mission.
Dr. D'Amico received a B.A. from the University of Pennsylvania,
and an M.S. and Ph.D. in psychology from Adelphi University. She served
five years as a member of the Board of Directors of the New York Metro
chapter of the Information Systems Security Association (NYMISSA).
Chairman Lipinski. Thank you, Dr. D'Amico.
Dr. Schneider.
STATEMENT OF DR. FRED B. SCHNEIDER, SAMUEL B. ECKERT PROFESSOR
OF COMPUTER SCIENCE, DEPARTMENT OF COMPUTER SCIENCE, CORNELL
UNIVERSITY
Dr. Schneider. Thank you for inviting me here to testify
today. In the few minutes I have, I want to summarize the key
points in my written testimony.
I start with the observation that computing systems we
deploy today are not as trustworthy as they could be, and we
don't know how to make them as trustworthy as they need to be.
As the United States increases our dependence on these systems,
they become ever more attractive to attackers. Our defenses
don't keep up so we operate in a reactive mode and we improve
defenses only after they have been penetrated. We thus prepare
to fight the last battle rather than the next one. We need to
move beyond this reactive stance to a proactive one. In short,
we must build systems whose trustworthiness derives from first
principles. This proactive approach requires having a science
base for cyber security. We don't have one and we need to
develop one. Doing that will require making significant
investments in research and the investments will have to be
made on a continuing basis. Cyber security will never be a
solved problem. We are not going to find a magic bullet
solution. We have accepted this reality for medical research
and for defense. The same reality applies to cyber security.
The analogy with public health and medical research
highlights two disconnects between cyber security research
today and what is really needed. The first was the lack of
science base I just discussed. The second disconnect concerns
the policy part of the picture. Technology solutions that
ignore policy questions risk irrelevance as do policy
initiatives that ignore the limits and capabilities of
technology. This means that we should also be supporting
research in policy and research that aims to bridge the gap
between technology and policy.
Let me make two further observations about cyber security
research. First, when the work is classified, it cannot engage
many of the country's top researchers. It necessarily receives
less scrutiny by a diverse community of experts and it will be
slow to impact the civilian infrastructure on which we
increasingly depend. Second, cyber security research once was
funded by a diverse ecology of agencies. This was valuable
because different agencies have different needs, goals,
cultures, styles and criteria for reviewing proposals; but that
diversity has been eroding. Getting that diversity restored
should be a priority and it would undoubtedly bring better
value per research dollar spent.
I earlier made the observation that today's systems are not
as trustworthy as they could be. There are many reasons for
this, and university education certainly has an important role
to play in the solution here. With significant increases in
research funding, more faculty will be working on system
trustworthiness so more faculty will be available to teach
these subjects, and that is crucial; but understand that like
any new discipline, this field is in flux. There is not yet a
widespread agreement on the core, so we would be ill advised to
be legislating what gets taught. We would also be ill advised
to be legislating that everyone be taught. Only a fraction of
the students that our computer science department teaches end
up in system-building jobs. Also, many who are building our
nation's critical infrastructures were not computer science
majors. What I think we need is a new graduate professional
degree program. Lawyers, doctors, teachers and most other
professionals in our society are a good model. We need a post-
Bachelor's degree for systems trustworthiness professionals. On
the university side, this would mean developing courses, texts
and other teaching materials, and outside the university it
would mean creating a force field so people are compelled to
invest the time and money to pursue this new degree.
In closing, let me say how encouraged I am by all the
recent interest and activity at the federal level regarding
cyber security; but let me caution, long-term activities that
will require long-term investments are the only way to get a
long-term solution to this problem. We need to be making long-
term investments in research, and we need to be making long-
term investments in education.
Thank you. I look forward to your questions.
[The prepared statement of Dr. Schneider follows:]
Prepared Statement of Fred B. Schneider
Good morning Mr. Chairman and Members of the Committee. I
appreciate this opportunity to comment on cyber security research and
education. I am Fred B. Schneider, a Computer Science professor at
Cornell University and Chief Scientist of the NSF-funded TRUST\1\
Science and Technology Center, a collaboration involving researchers at
U.C.-Berkeley, Carnegie-Mellon University, Cornell University, Stanford
University, and Vanderbilt University.
---------------------------------------------------------------------------
\1\ Team for Research in Ubiquitous Secure Technology.
---------------------------------------------------------------------------
I have been a Computer Science faculty member since 1978, actively
involved in research, education, and in various advisory capacities for
both the private and public sectors. Besides teaching and doing
research at Cornell, I today serve as a member of the Dept. of Commerce
Information Security and Privacy Advisory Board (ISPAB), as a member of
the Computing Research Association's board of directors, and as a
council member of the Computing Community Consortium. I also co-chair
Microsoft's TCAAB external advisory board on trustworthy computing.
Our nation's increasing dependence on computing systems that are
not trustworthy puts individuals, commercial enterprises, the public
sector, and our military at risk. If anything, this dependence will
accelerate with new initiatives such as the ``smart grid'' and
electronic health care records. Increased data, increased networking,
and increased processing all mean increased exposure. These systems
need to work as we expect--to operate despite failures and despite
attacks. They need to be trustworthy.
The growth in attacks we are seeing today should not be surprising.
The more we depend on a system, the more attractive a target it becomes
to somebody intent on causing disruption; and the more value that is
controlled by a system, the more attractive a target it becomes to
somebody seeking illicit gain. But more disturbing than the growth in
attacks is that our defenses can't keep up. The core of this problem is
the asymmetric nature of cyber security:
Defenders are reactive; attackers are proactive.
Defenders must defend all places at all times, against all
possible attacks (including those not known about by the
defender); attackers need only find one vulnerability, and they
have the luxury of inventing and testing new attacks in private
as well as selecting the place and time of attack at their
convenience.
New defenses are expensive to develop and deploy; new
attacks are cheap. Defenders have significant investments in
their approaches and business models, while attackers have
minimal sunk costs and thus can be quite agile.
The effectiveness of defenses cannot be measured;
attacks can. Since we cannot currently quantify how a given
security technology or approach reduces risk from attack, there
are few strong competitive pressures to develop defenses. So
vendors frequently compete on the basis of ancillary factors
(e.g., speed, integration, brand development, etc.). Attackers
see their return-on-investment and have strong incentives to
improve their offerings.
The result has been a cyber security mentality and industry built
around defending against known attacks. Our defenses improve only after
they have been successfully penetrated. And this is a recipe to ensure
some attackers succeed--not a recipe for achieving system
trustworthiness. We must move beyond reacting to yesterday's attacks
(or what attacks we predict for tomorrow) and instead start building
systems whose trustworthiness derives from first principles.
Yet today we lack the understanding to adopt that proactive
approach; we lack a ``science base'' for trustworthiness. We understand
that the landscape includes attacks, defense mechanisms, and security
properties. But we are only now starting to characterize the lay of the
land in terms of how these features relate--answers to questions like:
What security properties can be preserved by a given defense mechanism?
What attacks are resisted by a given mechanism? How can we overcome the
inevitable imperfections in anything we might build, yet still resist
attacks by, for example, forcing attackers to work too hard for their
expected pay-off? Having a science base should not be equated with
implementing absolute security or even concluding that security
requires perfection in design and implementation. Rather, a science
base should provide--independent of specific systems--a principled
account for techniques that work, including assumptions they require
and ways one set of assumptions can be transformed or discharged by
another. It would articulate and organize a set of abstractions,
principles, and trade-offs for building trustworthy systems, given the
realities of the threats, of our security needs, and of a broad new
collection of defense mechanisms and doctrines. And it would provide
scientific laws, like the laws of physics and mathematics, for
trustworthiness.
An analogy with medicine can be instructive here. Some maladies are
best dealt with in a reactive manner. We know what to do when somebody
breaks a finger, and each year we create a new influenza vaccine. But
only after significant investments in basic medical sciences are we
starting to understand the mechanisms by which cancers grow, and
developing a cure seems to require that kind of deep understanding.
Moreover, nobody believes that disease will some day be a ``solved
problem.'' We make enormous strides in medical research yet new threats
emerge and old defenses (e.g., antibiotics) are seen to lose their
effectiveness.
Like medicine and disease, system trustworthiness is never going to
be a ``solved problem''. There will be no ``magic bullet''
trustworthiness solution, just as there is not going to be a miracle
cure for all that ails you. We must plan to make continuing
investments, because the problem will continue evolving:
The sophistication of attackers is ever growing, so
if a system has vulnerabilities then they will find it. Any
assumption made when building a system does, in fact,
constitute a vulnerability, so every system will have
vulnerabilities of one sort or another. And with enough study,
attackers will find these vulnerabilities and find ways to
exploit them.
The technology base used by our systems is rapidly
changing. Systems are replaced on a three- to five-year time
span, not because computers or software wear out but because
newer software and hardware offer improved functionality or
better performance (which is then leveraged into new
functionality). New systems will work differently, will involve
different assumptions, and therefore will require new defenses.
The settings in which our computing systems are
deployed and the functionality they provide are not static. With
new settings come new opportunities for attack and disruption,
whether it is creating a blackout by attacking the ``smart
grid'' or stalking somebody by planting a virus on a GPS-
equipped cell phone.
We can expect to transcend the constant evolution only through the
understanding that a science base provides. A science base is also our
only hope for developing a suite of sound quantitative trustworthiness
measures, which in turn could enable intelligent risk-management
decisions, comparisons of different defenses, and incentives for
investments in new solutions.
A science base for trustworthiness would not distinguish between
classified and unclassified systems, nor would it distinguish between
government and private-sector systems. The threats and trade-offs might
be different; the principles are going to be the same. But even an
understanding of how to build trustworthy systems for the private
sector would by itself be useful in military and government settings,
simply because so-called COTS (commercial off the shelf) technologies
that are developed by the private sector for the private sector are
widely used within the government too.
Many equate cyber security research with investigations solely into
technical matters. This oversimplifies. Achieving system
trustworthiness is not purely a technology problem. It also involves
policy (economic and regulatory). Technological solutions that ignore
policy questions risk irrelevance, as do policy initiatives that ignore
the limits and capabilities of technology. So besides investing in
developing a science base for trustworthiness, we must also invest in
research that bridges the technical and the non-technical. We need to
understand when we might get more traction for trustworthiness from a
policy solution than from a technology one. For example, identifiers--
your mother's maiden name, your credit card number, your bank account
number, and your social security number--are not a good basis for
authentication because they will be known to many. So regulation that
prohibits the use of identifiers as authenticators might more
effectively defend against identity theft than new technology could. As
another example, there is talk about making the Internet more secure by
adding the means to trace packets back to their senders. But the
Internet is as much a social construct as a technological one, and we
need to understand what effects proposed technological changes could
have; forgoing social values like anonymity and privacy (in some sense,
analogous to freedom of speech and assembly) in order to make the
Internet more trustworthy might significantly limit the Internet's
utility to some, and thus not be seen as progress.
Investments in cyber security research are best accompanied by
investments in cyber security education, because this provides an
efficient path for the research to reach industry where it can be
applied. In particular, research undertaken in academia not only
engages some of our nation's best and brightest researchers but because
these researchers are also teachers, new generations of students can be
exposed to the latest thinking from the people who understand it best.
And when these students graduate and move into the workplace, they will
bring this knowledge and understanding with them. Moreover, faculty in
this dual role of researchers and teachers have incentives to write
textbooks and prepare other teaching materials that allow dissemination
of their work to a very wide audience, including teachers elsewhere.
Question: Does the current range of federally supported research
adequately address existing cyber security threats as well as new and
emerging threats? If not, what are the research gaps, and how would you
prioritize federal research investments in cyber security?
Federal expenditures for unclassified cyber security research do
not match the severity of the threat. IT security expenditures are
estimated to reach $79 billion annually by 2010.\2\ According to the
NITRD Networking and Information Technology Research and Development
Program,\3\ $342.5M is being requested for FY 2010 ``Cyber Security &
Information Assurance.'' This means federal budget requests for
unclassified research in system trustworthiness total roughly 0.4
percent of the expenditures that might be leveraged by the research.
Moreover, anecdotal information about specific funding programs at
various key federal agencies suggests that only a portion of the
$342.5M is spent on academic research in cyber security. It then comes
as no surprise to find the recent National Research Council CSTB report
Toward a Safer and More Secure Cyberspace\4\ stating that funding
levels for cyber security research are low, preventing researchers from
pursuing their promising research ideas. And this echoes the findings
in the President's Information Technology Advisory Committee's
independent report Cyber Security: A Crisis of Prioritization\5\ which
stated that (i) cyber security solutions would emerge only from a
vigorous and well funded program of research and (ii) that levels of
funding were dangerously low to solve problems or to sustain a
community of researchers.
---------------------------------------------------------------------------
\2\ Information Security Products & Services--Global Strategic
Business Report, Global Industry Analysts, Inc., July 2007.
\3\ The Networking and Information Technology Research and
Development Program. Report by the Subcommittee on Networking and
Information Technology Research and Development, May 2009. Page 21.
http://www.nitrd.gov/Pubs/2010supplement/FY10Supp-FINAL-Preprint-
Web.pdf
\4\ Toward a Safer and More Secure Cyberspace. S. Goodman and H.
Lin (eds.), National Academies Press, Washington, DC, 2007. Appendix
B.6. http://books.nap.edu/catalog.php?record-id=11925
\5\ Cyber Security: A Crisis of Prioritization. President's
Information Technology Advisory Committee, Feb. 2005. http://
www.nitrd.gov/pitac/reports/20050301-cybersecurity/
cybersecurity.pdf
---------------------------------------------------------------------------
The NRC CSTB report also states that, excepting the National
Science Foundation (NSF), federal funding agencies predominantly target
short-term problems rather than addressing the harder, longer-term
challenges that constitute our only hope to win this war. A culture
that targets easily quantifiable progress is particularly dangerous,
because it discourages funding research efforts that, being more
forward-looking, could provide the real pay-offs.
The PITAC report also noted damage being caused by the lack of
continuity in cyber security funding and by the inadequate oversight
and coordination exerted by Federal Government over its cyber security
research programs. For example, a lack of funding continuity stymies
the development of a research community, because younger faculty and
graduate students are disinclined to enter fields where future funding
is uncertain. This, in turn, leads to a national shortage in cyber
security expertise.
PITAC argued, in vain, for a significantly increased investment in
``fundamental research in civilian cyber security,'' noting that
civilian systems comprise the lion's share of our nation's critical IT
infrastructure, and that the government and military rely in large
measure on civilian hardware and software components and systems.
Moreover, expenditures by the private sector for long-term cyber
security research have historically been quite small, probably because
return on such investments is expected to be low. If the Federal
Government doesn't make these investments then nobody else will, and we
all miss the opportunity for the revolutionary advances that are
unlikely to result from the current regime of funding evolutionary
steps. By the same token, the existence of a healthy IT-security
industry suggests that the private sector does make investments in
short-term research; so there is a less-compelling reason for federal
investments here.
There is a disconnect between research being funded and what is
needed. Federal research funding has been too focused on a few
established technical battle-fronts (e.g., firewalls, anti-virus,
intrusion detection, buffer overflows, etc.). In some cases, this focus
reflects views held by researchers; in other cases, the focus comes
from program management in the funding agencies. Whichever it is, this
mindset is a decade or more out of step with the reality of our current
adversaries. We need to re-imagine the scope of the cyber security
problem itself and refocus our attention the same way our adversaries
have refocused. We cannot afford simply to develop technologies that
plug holes faster; we need to think of security research more
holistically, determining how most efficiently to block, disrupt, or
dis-incentivize opponents.
We must establish a goal of developing a science base
for trustworthiness, as discussed in detail above. Such a
science base is crucial for understanding how to build systems
that are trustworthy.
We must investigate mechanisms--both operational and
forensic--for better attributing cyber-attacks to the actors
behind them, because this is essential for applying virtually
all other instruments of policy, from law enforcement to
diplomacy. This approach might well be a last resort, invoked
only after defenses to prevent attacks have failed. So it needs
to be an option, despite being technically quite challenging as
well as raising non-technical questions ranging from privacy
all the way to international law.
We must consider not merely hypothetical opponents,
but the real attackers we face today and those we expect to
encounter tomorrow. The military does not train against a
hypothetical adversary with hypothetical resources, strategies
and interests, nor should cyber security researchers
investigate defenses absent that information.
We must prioritize developing better quantitative
measures around cyber security risk, efficiency, and value. The
government and the private sector cannot invest arbitrary
amounts in securing our systems without better understanding
the return on this investment.
We must invest in research that bridges policy
(regulation and economics) with technology. To do research in
technology without knowledge of policy or vice versa risks
irrelevance.
We must better understand the human element in our
systems. Too often system security is synonymous with
inconveniencing users. And users are inclined to circumvent
security controls they find inconvenient, defeating a system's
defenses even before it is attacked.
We must continue to invest in research concerned with
building software systems: operating systems, networks,
programming languages, formal methods, database systems, etc.
Ultimately, the things that undermine a system's
trustworthiness will be traced to errors in design,
implementation, requirements, or assumptions--subjects that are
studied by software researchers. And we must continue making
research investments in the relevant theoretical areas, such as
logics and cryptography.
While there is certainly both a role and need for undertaking
classified research in trustworthy systems, there are significant
limitations that come with the secrecy. Classified research does not
engage many of the most capable cyber security researchers, is
necessarily less likely to receive broad scrutiny by a diverse
community of experts, and does not contribute to educating the next
generation of cyber security researchers and practitioners. Classified
research programs are also slow to impact the civilian cyber-
infrastructure and its equipment, on which so much of our nation's
critical infrastructure depends.
Having an Ecology of Federal Agencies is Valuable. There once was a
diverse ecology of funding sources for the various styles and topics
that trustworthiness research spans, but that ecosystem has been
eroding as funding agencies have redefined their priorities. Some of
these decisions are difficult to defend, given the central role that
system trustworthiness plays in the missions these agencies are supposed
to support.
Funding from a single agency (NSF) now dominates unclassified
federal cyber security research. In the past, DARPA had been a
significant source of funding for university researchers doing work in
systems and security, but for the last eight years DARPA has not been
making those investments. DHS has funded work in cyber security, but at
significantly lower levels and focusing on problems with a short-term
horizon. DOD, through AFOSR, ARO, and ONR, does fund some fundamental
research in security, but the number of projects supported is
relatively small and some of the funding is for special one-time
initiatives (i.e., the MURI program). IARPA inherited from its
predecessor organizations a small but strong trustworthiness research
program. That, however, is being terminated, and new programs to take
its place have been slow to get started. Also, the funding philosophy
at IARPA appears to be oriented more toward production of quantifiable
results than toward open-ended curiosity-driven explorations.
This ecology of different government agencies with their different
needs, goals, and cultures, could yield a robust and diverse research
climate. However, many of the potential benefits have not materialized,
both because the interagency coordination has been voluntary and
because tight budgets led some of the participants to reduce their
cyber security research investments and/or to focus those expenditures
on short-term work, which they saw as better suited for their missions.
Today, NSF is the only natural home for fundamental research in
civilian cyber security. They not only fund single-investigators doing
more theoretical work, but they also fund larger-scale multi-
investigator efforts that involve prototyping non-trivial systems.
NSF's Trustworthy Computing (formerly Cyber Trust) program, the likely
agent for funding investigations that will have high payoff, is
woefully under-resourced. In the past, what had been DARPA's style
complemented NSF's style by supporting larger groups (three to five
investigators) to work for relatively longer periods (five to ten
years) in order to take a game-changing idea to a demonstrable
embodiment. The NSF and former DARPA styles are complementary, and both
ought to be supported. Another point of contrast between the different
styles concerns the manner in which they review and select proposals for
funding. External peer-review by the research community leads to
funding work having a different character from internal review (where
programmatic goals play a role in project selection).
There is a tension between maintaining a diverse ecology of federal
agencies to fund trustworthiness research and allowing each individual
funding agency the autonomy to alter its priorities. So we must be
mindful: seemingly local decisions within an agency actually can have a
broader impact by changing the federal portfolio of trustworthiness
research (as well as changing the total amount of federal expenditures
for trustworthiness research). This tension would be resolved if a
coordinating body were to monitor such decisions and offset their
impact on the federal portfolio by allocating additional resources and
recreating the now-absent styles at agencies electing to continue
funding trustworthiness research.
Finally, it is worth noting that new initiatives in energy (e.g., a
``smart grid''), transportation, and electronic medical records will
almost certainly require solving new trustworthiness research
questions. A failure to engage the community early in such initiatives
is a mistake. This kind of trustworthiness research is not done well in
a vacuum from applications; there is no substitute for direct
experience with the application area. Thus, part of these new
initiatives should be to involve the trustworthiness research
community, so they can help ensure that the inter-networked systems
required will be ones we can depend on.
Question: What is the state of cyber security education? Are future
cyber security professionals being adequately trained by colleges and
universities to meet anticipated demands of the private sector? If not,
what kind of cyber security training is appropriate and necessary for
institutions to develop, and for what kinds of students?
The University Landscape. Cyber security professionals are today
not being adequately trained to meet the needs of either the private
sector or the public sector.
Part of the problem is resources. University Computer
Science (CS) departments lack the faculty to offer the relevant
courses. Few faculty members have the necessary expertise to
offer courses in this area. And even if a CS department has
managed to hire a few cyber security specialists, they will
likely also be involved in teaching the large complement of
other classes that need to be covered by a department giving
undergraduate and graduate CS degrees.
Part of the problem is content. The field is
relatively young and fast moving. There is not yet widespread
agreement about what technical content must be covered, which
makes this an exciting time to be teaching cyber security at
the university level. But it also means that textbooks and
other teaching materials have short lives unless they are
frequently revised, which is a disincentive to some authors. So
there are fewer good textbooks than would be found in a more
mature subject. Yet, creating agreement on content by
legislating a curriculum would be a serious mistake at this
point, because it would retard the dissemination of new ideas
to students and it would discourage faculty from writing texts
that reflect improvements in our understanding of the field.
A Cyber Security Professional Degree. I believe that a well trained
cyber security professional needs to have exposure to a broad variety
of topics. One would expect to see courses that cover technical topics,
such as computer security principles, distributed systems and
networking, systems reliability, software engineering, cryptography,
and user interfaces and human factors. But I also strongly advocate
exposure to non-technical topics, including cyber-law (intellectual
property law, communications law, privacy law), ethics, economics of
computing and networking, business strategy, and human relations (i.e.,
management of people). This broad education would enable a cyber
security professional to use all conceivable technical and policy tools
for achieving trustworthiness. It would also ensure that solutions
could be evaluated in a broader societal context, so that risk-
management and trade-offs between different social values (such as
privacy versus accountability) can be contemplated.
There is likely more than one year's worth of content past today's
CS BS degree, but there is probably less than three years of course
material. This would argue for creating some sort of graduate,
professional degree program. It would be designed so that its students
would learn both the technical and the non-technical topics needed to
define and develop trustworthy computing systems, manage them, and
oversee their deployment, use, and evolution.
Undergraduate Education. Computer Science departments today educate
students to pursue a rather diverse set of careers. And, in particular,
not all undergraduate Computer Science majors are headed for system-
building careers. Thus, it would be inappropriate to impose a cyber
security requirement on all graduates from a Computer Science
department. The more sensible model would be for universities to offer
a program of study for system trustworthiness, analogous to pre-law
or pre-med. Such a program is typically not associated with a single
university department but rather offered in conjunction with various
majors; it prescribes a set of courses for the electives available in
that department's major. The courses would cover the subjects outlined
above in connection with the cyber security professional degree. And it
should be open to students in the various relevant majors.
Finally, it certainly seems reasonable that students destined to
build systems--no matter what their major--should have exposure to the
basic ideas needed for making those systems trustworthy. This means
that they need exposure to basic cyber security, software engineering,
and various systems topics (operating systems, networking, etc.). Such
students will be found enrolled in various majors. So while the CS
department is the obvious place to offer these courses, the courses
will not be populated only by CS majors. And this has implications
concerning what pre-requisites can be assumed.
Biography for Fred B. Schneider
Fred B. Schneider is Samuel B. Eckert Professor of Computer Science
at Cornell University. He joined the Cornell faculty in Fall 1978,
having completed a Ph.D. at Stony Brook University, preceded by a B.S.
in Engineering from Cornell in 1975. Schneider currently also serves as
the Chief Scientist for the NSF-funded TRUST Science and Technology
Center, which brings together researchers at U.C.-Berkeley, Carnegie-
Mellon University, Cornell University, Stanford University, and
Vanderbilt University.
Schneider's research has focused on various aspects of trustworthy
systems--systems that perform as expected, despite failures and
attacks. His early work concerned formal methods to aid in the design
and implementation of concurrent and distributed systems that satisfy
their specifications; he is author of two texts on that subject: On
Concurrent Programming and A Logical Approach to Discrete Mathematics
(co-authored with D. Gries). He is also known for his research in
theory and algorithms for building fault-tolerant distributed systems.
For example, his paper on the ``state machine approach'' for managing
replication brought an SOSP ``Hall of Fame'' award for seminal
research. More recently, his interests have turned to system security.
His work characterizing what policies can be enforced with various
classes of defenses is widely cited, and it is seen as advancing the
nascent science base for security. He is also engaged in research
concerning legal and economic measures for improving system
trustworthiness.
Schneider was elected Fellow of the American Association for the
Advancement of Science in 1992, the Association of Computing Machinery
in 1995, and the Institute of Electrical and Electronics Engineers in
2008. He was named Professor-at-Large at the University of Tromso
(Norway) in 1996, and was awarded a Doctor of Science honoris causa by
the University of Newcastle upon Tyne in 2003 for his work in computer
dependability and security.
Schneider has served since Sept. 2006 as a member of the
Information Security and Privacy Advisory Board (ISPAB), which advises
NIST, the Secretary of Commerce, and the Director of OMB on information
security and privacy issues pertaining to Federal Government
Information Systems. He chaired the National Academies CSTB study on
information systems trustworthiness that produced the 1999 volume Trust
in Cyberspace. He also served as a member of CSTB from 2002-2008 and
from 2004-2007 on the CSTB study committee for improving cyber security
research. Schneider was a member of the NSF CISE advisory committee
2002-2006. And in Fall 2001, he chaired the United Kingdom's pentennial
external review of research funding for academic Computer Science.
In 2007, Schneider was elected to the Board of Directors of the
Computing Research Association (CRA) and appointed to the steering
committee of CRA's Computing Community Consortium. CRA is an
association of more than 200 North American academic departments of
computer science, computer engineering, and related fields; part of
its mission is to strengthen research and advanced education in the
computing fields and to improve public and policy-maker understanding
of the importance of computing and computing research in our society.
Schneider is a frequent consultant to industry, believing this to
be an efficient means of implementing technology transfer as well as
learning about the real problems. He is Co-Chair of Microsoft's
Trustworthy Computing Academic Advisory Board, which comprises outside
technology and policy experts who meet periodically to advise Microsoft
about products and strategy. He also provides technical expertise in
computer security as well as more broadly to a variety of firms,
including: BAE Systems, Fortify Software, Lockheed Martin, and
Microsoft.
Chairman Lipinski. Thank you, Dr. Schneider.
I now recognize Mr. Brown.
STATEMENT OF MR. TIMOTHY G. BROWN, VICE PRESIDENT AND CHIEF
ARCHITECT, CA SECURITY MANAGEMENT
Mr. Brown. Good morning, Chairman Lipinski, Ranking Member
Ehlers and the Members of the Subcommittee. My name is Timothy
Brown. I am the Vice President and Chief Architect for Security
Management for CA Incorporated. I will testify today on behalf
of CA, and I will draw in several instances upon the positions
of the Business Software Alliance, of which CA is an active
member. I appreciate the opportunity to testify today on cyber
security and R&D. I commend you for your focus on these issues
which are of great importance to CA and the cyber security of
the Nation.
The threats to our security are real and ever changing. The
days of the hobbyist hacker are long past. Today most threats
are posed by organizations for profit, groups which run very
much like businesses except their business plan is to steal
data, identities, credit card numbers and other valuable
information and convert them into profit. My job at CA is to
help stop these bad actors. We develop tools that individuals
and businesses can use to protect themselves, but the threats
are ever changing. For example, we have an immense and recent
growth in social networking sites like Twitter and Facebook.
This is a good development, but the cyber criminals look at
these developments as simply new business models.
So, what can we do about all this? We believe the solution
requires a multi-pronged and smart approach consisting of
four elements. Industry and government need to work together,
set comprehensive goals that meet the full range of threats and
develop rapid and effective responses. As a country, we need to
invest more in basic research. The science must advance for us
to develop the tools we need to address the threat and we need
to make sure that those advances in the laboratory are quickly
turned into the products people and companies need to protect
themselves and maintain their security. We need more and better
educated security specialists. We have made some advances in
this area but our universities must be encouraged to devote
more resources to supplying the security professionals of
tomorrow.
Finally, we must ensure the public is fully aware of the
threats they face. Today, too many Internet users fail to take
the needed steps to ensure their data and valuable information
is safe and secure. One of these elements stands out. We
believe the indispensable element of addressing the security
threats is ensuring our country continues to invest in basic
research into the ever-changing information-sharing
environment. In my written testimony, I set these points out in
great detail. I would now like to highlight a few of the
technology changes that will create new opportunities for cyber
criminals.
First, increased bandwidth and connectivity to laptops and
smartphones is very important to our economic recovery and key
to our long-term growth, but this trend also poses new
challenges to security by pushing our existing security
technology to its limits. Second, demand for data storage and
computing power is ever increasing. Over the coming years we
expect these demands to increase sharply. More data means more
cyber criminals have more opportunity to do harm. Third, as I
have mentioned already, the emergence of social networking has
happened very fast and is transforming the way the Internet is
used both at home and work through increased collaboration and
information sharing, but the security systems used by social
networks need to get much better very quickly. Fourth, today
businesses collaborate and share data. They no longer operate
independently, and this is good. For example, hospitals
collaborate with other hospitals, universities, health care
providers, but more collaborations create more vulnerabilities.
Finally, the source of risk is also changing. Too often today,
the threats come from within an organization rather than from
malicious outsiders trying to infiltrate systems. To date we
have not given enough attention to these insider threats.
To address these problems, we recommend the following ways
federal support for advanced research can help: developing test
tools and products that can identify vulnerabilities, logical
inconsistencies and inappropriate back doors; ways to ensure
security measures can keep pace with data being used by
hundreds, sometimes thousands of people simultaneously; new
identity management technology and business models that are
acceptable to consumers and industry, models enabling people to
collaborate and interact securely; research into insider threat
detection and advanced data leakage protection. But this is not
enough. Colleges and universities have made great progress and
security courses are now mandatory in many programs. However,
the security knowledge tends to focus more on secure coding
practices and less on implementation and design of secure
systems. We need simply more security professionals well
trained in areas such as identity and access management, threat
detection and response, and cryptographic systems.
Finally, we believe we need to significantly increase our
national effort to raise public awareness about cyber security.
This would decrease the likelihood that consumers will become
victimized as well as decrease the likelihood that the
computers would be hijacked to serve as launching pads for
larger attacks. We simply need to develop a national cyber
security public awareness and education strategy.
I would be happy to answer any questions you may have for
me. Thank you.
[The prepared statement of Mr. Brown follows:]
Prepared Statement of Timothy G. Brown
Good morning Chairman Lipinski, Ranking Member Ehlers, and Members
of the Subcommittee. My name is Timothy Brown. I am the Vice President
and Chief Architect for Security Management for CA, Inc. I will testify
today on behalf of CA. However, in several instances, I will also draw
upon the cyber security policy positions of the Business Software
Alliance (BSA), an association representing the world's commercial
software industry and its hardware partners. CA is a member of BSA and
we actively participated in the development of those positions.\1\
---------------------------------------------------------------------------
\1\ The Business Software Alliance (www.bsa.org) is the foremost
organization dedicated to promoting a safe and legal digital world. BSA
is the voice of the world's commercial software industry and its
hardware partners before governments and in the international
marketplace. Its members represent one of the fastest growing
industries in the world. BSA programs foster technology innovation
through education and policy initiatives that promote copyright
protection, cyber security, trade and e-commerce. BSA members include
Adobe, Apple, Autodesk, Bentley Systems, CA, Cisco Systems, CNC
Software/Mastercam, Corel, CyberLink, Dassault Systemes SolidWorks
Corporation, Dell, Embarcadero, HP, IBM, Intel, Intuit, McAfee,
Microsoft, Minitab, Quark, Quest Software, Rosetta Stone, SAP, Siemens,
Sybase, Symantec, and The MathWorks.
---------------------------------------------------------------------------
CA (www.ca.com) is one of the world's largest information
technology management software providers, providing software and
expertise support to more than 99 percent of Fortune 1000 companies,
as well as United States Federal, State and local government entities,
educational institutions and thousands of other companies and
governmental organizations worldwide. Founded in 1976, CA is a global
company with headquarters in the United States, 150 offices in more
than 45 countries, and more than 5,300 developers worldwide. To
strengthen relationships among research communities and our company, we
established CA Labs in 2005. CA Labs works closely with universities,
professional associations and government on various projects that
relate to CA products, technologies and methodologies. The results of
these projects include research publications, best practices, and new
directions for products. We also work with many universities to enable
and promote innovation--including funding university research projects
in specific areas, working with faculty to enhance curriculum, and
providing opportunities to interact with CA research and development
experts.
I appreciate the opportunity to testify today on cyber security
research and development (R&D), cyber security in higher education, and
public education and awareness of cyber security. These three issues,
which you raise in the questions you have asked that I answer, are of
great importance to CA and to the cyber security of our nation, and I
commend you, Mr. Chairman, and Ranking Member Ehlers, for focusing on
them. They correspond to three key aspects of cyber security: R&D is
central to our capacity to provide innovative and secure information
technology products and services; university-level education directly
impacts our workforce's ability to both develop and operate secure
information technology products and services; and public awareness
contributes to a sound foundation of technology and security savvy
users.
INDUSTRY AND THE FEDERAL CYBER SECURITY RESEARCH AGENDA
I would like to start by addressing the issue of the role of the
private sector in setting the federal cyber security research agenda.
Specifically, you asked the following question:
How does the private sector provide input regarding its research needs
into the process by which the federal research portfolio is developed?
Do you believe your needs are adequately addressed by the federal
research agenda? How can the Federal Government more effectively
partner with the private sector to address common research needs?
As a prelude, let me first say that the recently released
Cyberspace Policy Review, announced by President Obama on May 29,
reflects cyber security concerns understood by virtually all
information security professionals. The state of cyber security today
clearly shows that we need to deliver game-changing security
innovations and practices. Cyber criminals, State and non-State actors,
and other cyber adversaries move rapidly and adeptly to exploit
weaknesses and vulnerabilities in systems, networks, applications and
practices. They are successful at taking control of machines and
stealing data. Their motivation may be monetary gain or broader, more
sinister goals, but they all have the luxury of picking and choosing
both targets and methods to take advantage of the weakest links
available. They are increasingly sophisticated and technically adept.
So today's reality is that we are in a very tactical arms race with our
adversaries.
The software industry has raised the bar considerably in the past
few years. We have implemented mature, responsible vulnerability
disclosure practices, internal secure code training, penetration
testing, and code inspection tools. Large software vendors now have
security as one of the major architectural components of any software
they build and have made important changes to their development
processes based on the demand of their corporate customers. The
industry has also worked to simplify security and make it more user-
friendly.
However, we need to supplement these tactical successes with
strategic ones. We face increasing cyber security risks emerging from
factors such as the extension of the enterprise externally to partners
and customers, the rapid pace of technology adoption, the integration
of physical devices into a networked environment, and increasingly
sophisticated threats. Industry's research efforts are typically
directed to product feature development and relatively short-term
objectives that have a high probability of success in the marketplace.
Game changing, strategic research is a difficult investment because of
financial risk and unclear return on investment. Because of this,
federal research programs can and should look to longer-term research
requirements that prepare us not for the past or present, but for the
future, a research agenda that will focus on strategic, systemic and
structural cyber security issues not addressable by short-term,
tactical solutions.
The federal research agenda is laid down in the Federal Plan for
Cyber Security and Information Assurance Research and Development
(hereafter ``the CSIA plan''). I will now address the shortcomings of
this plan and of the process by which it was developed. I will also
propose solutions to make this agenda more inclusive of the needs of
industry. In doing so, I will draw upon the positions of the BSA.
First, while it identifies many worthy cyber security R&D
priorities, the CSIA plan does not propose national-level objectives.
Rather, it is an aggregation of the cyber security R&D objectives of
the federal agencies that fund or conduct cyber security R&D. While it
is appropriate for these agencies, in support of their individual
missions, to have specific cyber security R&D objectives, their
aggregation does not produce a cohesive picture of the Nation's overall
R&D needs.
CA and BSA recommend that the objectives of the CSIA plan be
established on the basis of a truly comprehensive and holistic view of
the cyber security needs of the Nation. Once a set of comprehensive,
national objectives has been identified with the input of government,
industry and academia, then the plan can determine what entities--
government, industry and academia, whether by themselves or in
partnerships--are, or should be, pursuing each of them. The Office of
Science and Technology Policy is responsible for coordinating the
Federal Government's efforts surrounding cyber security R&D, and should
ensure that federal R&D actually supports the Nation's strategic cyber
security goals. President Obama announced on May 29, 2009 the future
appointment of a Cyber Security Coordinator in the White House. CA and
BSA recommend that the Cyber Security Coordinator provide joint
oversight and direction to this effort, alongside OSTP. Once a national
framework for R&D has been established, individual agencies should be
assigned R&D projects within their areas of expertise.
Second, for the CSIA plan to reflect the cyber security R&D needs
of the Nation, a wide community of stakeholders needs to play an
integral role in the creation of the plan and the identification of its
objectives. CA and BSA recommend that stakeholders, and in particular
the owners and operators of critical cyber infrastructure and
developers of critical cyber technology, be involved from the earliest
stages of the process and throughout the creation of the plan, as well
as when the plan's objectives and implementation activities are
reviewed. The IT industry is a key stakeholder not only because it owns
and operates the critical infrastructure of cyberspace and develops its
underlying technology, but also because it invests tens of billions of
dollars each year in R&D.
Another important avenue for identifying cyber security research
gaps is via industry-government partnership initiatives organized
jointly by the Department of Homeland Security and industry
organizations such as the Information Technology-Information Sharing
and Analysis Center (IT-ISAC) and the Information Technology Sector
Coordinating Council (IT-SCC).
An extremely timely example of such an initiative is the IT Sector
Baseline Risk Assessment, a major report that will be released soon,
which results from a multi-year partnership between the IT-SCC, IT-
ISAC, industry subject matter experts and DHS. The IT Sector's Baseline
Risk Assessment is intended to provide a cyber and all-hazards risk
profile that IT Sector partners can use in particular to inform
resource allocation for security research and development in core IT
functions. Those key functions include producing and providing IT
products and services; incident management capabilities; domain name
resolution services; identity management and associated trust support
services; Internet-based content, information and communications
services; and Internet routing, access and connection services. With a
powerful methodology for assessing risks and identifying necessary
mitigation requirements, the Baseline Risk Assessment can serve as a
foundation and industry-supported model for developing a strategic
cyber security R&D agenda and plan of action.
I believe this inclusiveness is very much in line with the recently
released conclusions of the White House Cyberspace Policy Review, which
states that ``the Federal Government should greatly expand coordination
of [NITRD and other R&D-related] strategies with industry and academic
efforts.''\2\
---------------------------------------------------------------------------
\2\ Cyberspace Policy Review, pp. 32-33.
---------------------------------------------------------------------------
Third, in addition to contributing to the identification of the
overall objectives of the national cyber security R&D plan, companies
can play a role downstream in the definition of specific R&D projects
that will contribute to reaching those national objectives. CA and BSA
believe that it would be appropriate to facilitate federal support for
specific research topics or projects that were not conceived originally
by a federal agency, but rather pro-actively suggested to an agency by
a company. In such a situation, the company is awarded funding as a
``sole source.'' We believe a mechanism should be found that would make
it easier for agencies to act upon such suggestions. Today, such a
process is insufficiently used, because of legitimate concerns
regarding the fairness of the award process. CA and BSA's goal is to
encourage more companies to suggest promising avenues for cyber
security innovation to the Federal Government. Naturally, projects pro-
actively suggested by private industry should be closely related to the
national R&D plan, as well as to the particular part of that plan that
was delegated to the agency to which the idea was suggested.
We would like to make it clear that we do not in any way oppose the
mechanism by which companies receive federal funding because they
submitted proposals in response to a competitive federal solicitation.
In fact, CA and other companies actively review and respond to such
proposals, and we believe it should continue to represent a large part
of the federal R&D funding. We merely want to find a way to ensure
that, in addition to this reactive role, companies can play a more pro-
active role in the definition of R&D projects.
Fourth, I would like to address the issue of short-term vs. long-
term R&D. We believe it is appropriate to include both. As a general
rule, however, CA and BSA recommend that the government focus on long-
term and basic cyber security research. We believe it is appropriate
for the government to be involved in applied R&D if: the technological
solution that is sought is not commercially available; and its absence
creates a measurable security gap.
In most cases, when government agencies seek to develop specific
technologies, we are concerned that they do not check beforehand
whether commercially available solutions provide the same or an
equivalent capability. We recommend requiring federal agencies to
ascertain whether or not commercial solutions exist--or could be
readily adapted--before they invest in an R&D project to develop
equivalent capabilities. This would allow the government to better
leverage its limited resources. Importantly for industry, it would also
ensure that the federal effort focuses more on research that may bring
breakthroughs of considerable importance to the cyber security of our
nation's infrastructure in the long run, but lacks demonstrated short-
or medium-term commercial viability. Commercial companies rarely
undertake such research by themselves, but it is an ideal topic for
federal research. This recommendation aligns with the White House
Cyberspace Policy Review's emphasis on R&D in ``game-changing
technologies that will help meet infrastructure objectives.'' \3\
---------------------------------------------------------------------------
\3\ Cyberspace Policy Review, p. 32.
---------------------------------------------------------------------------
We note, however, that cyber security research is underfunded when
compared to other research programs. For example:
``. . . the President's fiscal year 2009 budget requests $29.3
billion for life science research, $4.4 billion for earth and
space sciences, $3.2 billion for the Advanced Energy
Initiative, $2.0 billion for the Climate Change Science
Program, and $1.5 billion for nanotechnology. The National
Information Technology R&D (NITRD) programs will receive $3.5
billion. Cyber security will receive about $300 million.'' \4\
---------------------------------------------------------------------------
\4\ From ``Securing Cyberspace for the 44th Presidency: A Report of
the CSIS Commission on Cyber security for the 44th Presidency,''
December 2008, page 74. This report is available at
http://www.csis.org/media/csis/pubs/081208-securingcyberspace-44.pdf
---------------------------------------------------------------------------
In order to increase cyber security for the Nation, funding for
fundamental and applied research in cyber security is required. Keeping
current funding levels will result--at best--in maintaining the current
level of progress and therefore the current inadequate level of cyber
security.
Companies have an important role to play in fostering greater
engagement with academic institutions and government. For example, CA
today works with universities in a number of ways. Through the CA
Academic Initiative, colleges and universities can get free access to
select CA products, faculty education, professional courseware and
technical support. CA also has a strong partnership with Universities
for research. For example, CA is working with the University of
California Davis and Pacific Northwest National Laboratory on insider
threat research and with Dartmouth University on determining the
benefits seen by organizations in the deployment of security software.
CA is also working with Carleton University in Canada on data leak
prevention research. This research is partially funded through the
Canadian government's NSERC Strategic Network Grant.
Finally, for federal cyber security R&D to best address the needs
of industry, it is important that we facilitate the migration path of
technologies developed through federal R&D, so that they can more
quickly and widely contribute to improving our nation's cyber security.
This is another issue on which our recommendations are consistent with
the direction advocated by the White House in its Cyberspace Policy
Review.\5\ CA and BSA propose two avenues to ease technology transition
onto the marketplace. First, provide greater incentives for industry to
participate in federally funded cyber security R&D by looking at the
status of the intellectual property (IP) it generates. We recommend
that Congress explore ways to make such industry participation more
appealing through improved IP ownership or licensing, similar to what
Congress did for small businesses, non-profits and universities through
the Bayh-Dole Act in 1980. Second, the Federal Government should
improve its sharing of the innovations generated by cyber security R&D
conducted by federal agencies. Too often, those innovations are not
shared with industry, where they could benefit the Nation as a whole
through productization, even with licensing conditions that
appropriately reward the agency in question.
---------------------------------------------------------------------------
\5\ Cyberspace Policy Review, p. 33: ``To enhance U.S.
competitiveness, the Federal Government should work with industry to
develop migration paths and incentives for the rapid adoption of
research and technology development.''
---------------------------------------------------------------------------
SPECIFIC CYBER SECURITY R&D TOPICS
The second issue that you asked that I discuss in my testimony is
that of specific topics and gaps in federal cyber security R&D:
Does the current range of federally supported research adequately
address existing cyber security needs as well as new and emerging
threats? If not, then what are the current research gaps and
priorities?
As I discussed above, we need a long-term, strategically-focused,
national research agenda developed in partnership between the Federal
Government and industry. As we look to the future, we see a number of
trends that will impact both the cyber infrastructure as well as
specific cyber functionalities. An understanding of these trends can be
useful in informing research planning and prioritization. What are some
of these important trends?
Increased bandwidth and connectivity to a virtually
unlimited number of devices. The number of devices connecting
to the cyber infrastructure continues to grow: desktops,
laptops, smart phones, GPS devices, cars, houses and many more
to come. The available bandwidth continues to grow both in the
cellular environment, the wireless environment and the wired
environment. Managing cyber security risks in this new world
will push our existing security technology beyond its limits
given the sheer scale of networked devices and speed of
communications.
CA recommends federal support for advanced
research in the area of threat detection, systems
management and security management allowing security
controls to scale to this emerging cyber generation.
Huge amounts of storage and computing power will be
present in the home, in the enterprise and in the network. More
sensitive data in huge volumes will be stored and shared among
businesses, government agencies and consumers. The technical
disciplines of digital rights management, data leakage
protection, and data classification are in their infancy from a
technology perspective. Digital rights management is the
process of embedding and managing access control within data.
Data leakage protection refers to the identification and
control of sensitive data. Data classification refers to the
process of tagging data to indicate it is sensitive, owned by
an individual or part of a larger system, and to associate it
with controlling policies.
CA recommends federal support for advanced
research to move these technologies into the mainstream
where data can be tagged appropriately and managed in
accordance with policy-driven rules, under the control
of the entity or individual responsible for its care.
Greater expectations for managing identity risks. The
exponential growth of interconnected applications and systems
will require advances in identity management technology.
Today's user name and password model is inadequate. Stronger
forms of authentication are available, but their acceptance and
adoption have been slow. Similarly, the lack of a monetization
model for strongly validated identities has limited their
commercial success.
CA recommends federal support for advanced
research to help with the development of new technology
and new business models that are acceptable to
consumers and industry.
Emergence of new, interactive social networking
applications. Social networking continues to go through many
changes.
CA recommends federal support for advanced
research to develop models enabling people to
collaborate safely and securely, both to share the data
they wish to share and to maintain anonymity as needed.
Universal business connectivity, collaboration and
partnerships. Businesses no longer operate independently; it is
necessary for them to collaborate and share data as well as
establish enforceable security policies. For example, a small
hospital with 5,000 employees typically has 50,000 people in
its user directories and collaborates with other hospitals,
universities and health care providers. Today's technology can
support these business and clinical relationships, but more
advanced technology is necessary to truly enable a secure and
auditable infrastructure as the collaborative environment
expands almost exponentially.
CA recommends federal support for advanced
research to enable a federated model where security and
responsibility are technically manageable at the scales
we expect to occur.
User manageability and interaction. It is becoming
more and more difficult for someone to live an unconnected
life. Although technology has provided amazing capabilities,
the device-human interfaces used to connect and interact with
context and applications have not fundamentally changed.
Although browsers have greatly improved and
are now being embedded in personal devices, as we look
to the future CA recommends federal support for
advanced research into flexible and manageable
technical interfaces, displays and supporting
instrumentality that incorporate seamless
understanding, manageability and security functionality
for users in many different environments and contexts.
Increasingly sophisticated cyber adversaries. As I
said at the beginning of this testimony, our cyber adversaries
are sophisticated, they move rapidly and adeptly to exploit
weaknesses and vulnerabilities.
CA recommends federal support for advanced
research to create test tools and products that can
identify vulnerabilities, logical inconsistencies and
inappropriate ``back doors.'' A new generation of tools
would give application builders the ability to identify
and fix vulnerabilities as well as meet industry
security certifications more quickly and reliably.
The growing focus on insider threats. As industry
reacts to threats, cyber adversaries look for alternative
business models. The insider is one of the most effective.
CA recommends federal support for advanced
research into insider threat detection and advanced
data leakage protection.
Let me now briefly turn to the final two questions you have raised.
CYBER SECURITY IN HIGHER EDUCATION
What is the state of cyber security education? Are future cyber
security professionals being adequately trained by colleges and
universities to meet anticipated demands of the private sector? If not,
what kind of cyber security training is appropriate and necessary for
institutions to develop, and for what kinds of students?
My comments focus on the education of the technical workforce that
will be responsible for the engineering of our applications, the
implementation of our systems and the processes necessary to run these
systems. Security is an important element to each one of these areas.
Cyber security education should consist of courses in secure coding
practices, security architectures and security of complex systems.
Colleges and universities have made great progress and security courses
are mandatory in many programs. While still inconsistently deployed,
there is also a movement within universities to incorporate secure
coding practices into programming courses.
The level of security knowledge for graduates has greatly
increased, but in many cases it lacks real world experience. The
security knowledge tends to focus more on secure coding practices and
less on implementation and system design. In order to fill the gap,
large software vendors have implemented programs to reinforce security
design and secure software development practices to their existing and
new employees.
Separate from the issue of developing secure systems is that of
developing security systems and architectures. In this latter case
students require more specialized knowledge of security, such as
identity and access control, authentication, threat detection and
response, cryptographic systems such as public-key cryptography, etc.
Knowledge at this level tends to be obtained at the graduate level, and
can be broadly categorized as operationally focused (typically the
Master's level degrees) and research focused (doctoral degrees).
The National Security Agency has a history of supporting security
education through their National Centers of Academic Excellence in
Information Assurance Education program, where they certify programs
that meet a minimum set of requirements. These programs produce
students who have a broad understanding of security and who can perform
operational roles ranging from being responsible for the information
security of an organization to understanding functional requirements
for security-related software.
At the doctoral level, the focus is on longer-term research in
order to improve the cyber security field. This requires not only
students who are interested in cyber security research, but also
faculty who are active in this field. Government support at this level
consists of providing support for students (e.g., through National
Science Foundation grants and scholarship-for-service programs) and of
supporting faculty research. Such programs should be strengthened.
PUBLIC AWARENESS AND EDUCATION
Allow me to turn to the last topic that you had asked me to
address, that of cyber security awareness of the general public.
Specifically, your question was:
What role can the Federal Government play in educating the general
public about protecting themselves and their networks against cyber
threats?
To address the need to increase public awareness of cyber security,
I will draw upon the position of the BSA. CA and BSA believe we need to
increase our national efforts to educate and raise awareness of the
public about their cyber risks, and how they can protect themselves
online, for two reasons. First, to decrease the likelihood that they
will become victims of identity theft, and other harms that may befall
them online. Second, to decrease the likelihood that consumers'
computers will be hijacked to serve as launching pads for larger
attacks against businesses, the infrastructure and our government--the
botnet phenomenon.\6\
---------------------------------------------------------------------------
\6\ A bot is a computer that has been infected by a cyber
criminal--known as a bot-master--so that the bot-master can control it
remotely and use it, along with many other hijacked bot computers, to
carry out various types of large cyber attacks, from sending out spam
and phishing e-mails, to disseminating malicious code, to performing
distributed denial of service (DDOS) attacks against banks or
government IT systems. The largest networks of botnets (networks of
bots) can number in the hundreds of thousands, if not millions.
---------------------------------------------------------------------------
CA and BSA agree with the White House's Cyberspace Policy Review's
recommendation that the Federal Government, in partnership with
educators and industry, should develop a national cyber security public
awareness and education strategy. Its objective should be to educate
about the threat as well as about changing public attitudes online,
towards greater cyber security as well as digital safety and ethics, to
promote a responsible and ethical use of the Internet.\7\ There are
many such efforts: the National Cyber Security Alliance is a
partnership between the Department of Homeland Security (DHS), the
Multi-State Information Sharing and Analysis Center (MS-ISAC),
corporate and non-profit partners to promote cyber security awareness
for home users, small and medium size businesses, and in primary and
secondary education. Information about their year-round campaigns,
which culminate in National Cyber Security Awareness Month every
October--and I note that Congress has for several years now recognized
the October campaign in a resolution of support--can be found at
www.staysafeonline.org. I also want to mention the www.onguardonline.gov
effort led by the Federal Trade Commission, as well as the
www.playitcybersafe.com campaign of BSA, which offers tools and
educational material for children, parents and educators about how to
use the Internet safely and responsibly.
---------------------------------------------------------------------------
\7\ Cyberspace Policy Review, pp. 13-14.
---------------------------------------------------------------------------
One final comment: educational programs will be most effective when
targeted to specific age groups. For example, online activities may be
very different for five- to ten-year-olds, 10- to 13-year-olds, 13- to
17-year-olds and people over 18. Each age group has specific needs and
should have appropriate messaging and education. The non-technical
community in all age groups is moving to cyber platforms at an
unprecedented rate, and all need to understand the rules and the risks
in the context of their work, social and academic life, and
environment. This is another area where partnership initiatives are
vitally important.
Mr. Chairman, Ranking Member Ehlers and Members of the
Subcommittee, I appreciated the opportunity to appear before you to
share some thoughts on cyber security R&D, cyber security education,
and public education and awareness of cyber security. CA shares the
Subcommittee's goal of helping to enhance cyber security, and we would
be happy, together with the Business Software Alliance, to work with
you towards this goal.
I would be happy to answer any questions you may have for me.
Thank you.
Biography for Timothy G. Brown
Timothy G. Brown is the Vice President and Chief Architect for
Security Management for CA, Inc. He has overall technical direction and
oversight responsibilities for the CA security products. This includes
Identity Management, Server Security, Data Leakage Protection, Web
Access Management and Single Sign On.
With over 20 years of information security expertise, Brown has
been involved in many areas of security including compliance, threat
research, vulnerability management, consumer and enterprise identity
and access management, network security, encryption and managed
security services. In his career, Brown has worked with many companies
and government agencies to implement sound and practical security
policies and solutions.
Prior to joining CA, Brown spent 12 years at Symantec's CTO office,
where he was responsible for company-wide technical architecture,
integration, gap analysis and technical strategy. Prior to joining the
Symantec CTO office, Brown focused on Symantec's enterprise security
architecture and the collection, correlation and prioritization of
security data. Brown joined Symantec through the company's acquisition
of Axent Technologies. At Axent he was responsible for the Identity
Management, Single Sign On and multi-factor authentication products.
Brown is an avid inventor with 14 filed patents in the security
field. He is active in promoting cross-industry initiatives and has
participated on a number of standards boards.
Brown earned a Bachelor of Science degree in computer science from
MCLA and has participated in the Wharton School of Business Executive
Education program.
Discussion
Chairman Lipinski. Thank you, Mr. Brown. I thank all our
witnesses for their testimony. At this point we are going to
begin our first round of questions, which is the real fun point
of these, so I am going to save my questions for the end and I
am going to recognize Mr. Tonko for five minutes.
Mr. Tonko. Thank you, Chairman. It was made mention that we
need to constantly update curriculum and make certain that we
are creating state-of-the-art education for our cyber security
professionals.
Dr. Schneider, you and I claim New York as our base of
operations, and we have a wealth of community colleges. Is
there potential to draw in the infrastructure of our community
colleges and develop some earlier investment in cyber security
professionals? And I would throw out, into the question I would
make the statement of the unusual glut that seems to be
emerging in terms of professionals from outside our borders
that are addressing this field, this arena, and we are not
growing and cultivating domestically the talent we require.
Dr. Schneider. Yes. Thank you for the question, and I
completely agree with the premise that we need to employ a
broad-spectrum educational approach to the problem. We are not
going to solve this problem only with Ph.D.s or only with
Bachelor's graduates. There are jobs that are suitable for
somebody educated at the level of a community college, and
there is life, which means people educated at the level of K
through high school--and actually those of us who have
graduated long ago and need to exist for some years to come--
need to have a much more sophisticated view of what is going
on. So I believe there is going to be a broad spectrum of jobs
available, some of which we would do best to train people at
the community college level for, and I believe the community
college will become more and more sophisticated as we get a
better understanding of some of the cyber security challenges.
Mr. Tonko. Are there others on the panel--and by the way,
let me thank the panelists. Your information is very helpful.
Is there anyone else that would like to respond to that? Dr.
D'Amico.
Dr. D'Amico. I think you raise a very interesting point
about the role of community colleges, and I fully agree with
you that there are not enough U.S. citizens who are being
trained in this area. I think community colleges can
participate in the training of security professionals because
as we have learned, this is not all about academic education.
There is a lot of learning by doing, and I think that we should
incentivize the private sector to bring the community college
students into internships. I sit on the Board of Directors of
the Metro chapter of ISSA, which is the second-largest chapter
of security professionals in the world right in New York City.
We have people who want to bring in interns from places like
community colleges to work with them, so I think this is part
of structuring a mentorship program.
Mr. Tonko. Thank you.
Dr. Goodman.
Dr. Goodman. Let me return to the Scholarship for Service
program for a moment and talk about one of the offshoots of
that effort. Having these students, by the way, has enabled
quite a number of departments--computer science departments or
MIS departments around the country--to build their own
capacity, and several of them use that greater capacity to seek
roles in trying to develop curriculum and educate students
regionally in other institutions, particularly community
colleges and law enforcement schools in their areas. I mention
in particular Mississippi State University and the University
of Tulsa. And there is a very strong feeling among most people
who are very seriously concerned about developing a workforce
and an educated user community that this effort must be
extended far more broadly than just the universities in this
country, and I would also again endorse the idea of programs
that specifically are geared to do that.
Mr. Tonko. Thank you.
Ms. Franz.
Ms. Franz. Thank you. I would only like to add the notion
that as we discuss a broad spectrum of the kinds of education
and skills that can contribute to resolving the problem that we
don't then funnel all of our students into very rigid, specific
requirements for cyber security professionals. The
multidisciplinary nature, the multi-faceted types of education
that can contribute to resolving the problem is something we
need to retain. Imagine that those that might be working in the
cyber security field now did not get a college degree and yet
they are doing--they are big contributors. If they were shut
out of the ability to provide that, that would be a detriment.
Mr. Tonko. Thank you.
Thank you, Mr. Chair.
Chairman Lipinski. Thank you, Mr. Tonko, for your
questions.
The Chair now recognizes Dr. Ehlers for five minutes.
Mr. Ehlers. Thank you, Mr. Chairman. It is a little hard to
know where to start. It has been very rich testimony and very,
very helpful. Several of you testified there needs to be better
interaction between the government and the private sector with
regard to cyber security, and by the way, these questions are
going to be for everyone because I picked up ideas from all of
you.
And Ms. Franz, I believe, testified a more formal mechanism
needs to be put in place for private sector input and
collaboration, and so one of the questions I am asking is, what
has your involvement been with NITRD or any of the mission
agencies to initiate such interactions or discussion? Have you
been rebuffed or have you been accepted, and if you have been
accepted, how have the conversations gone?
Dr. Goodman, you also note in your testimony that market
forces have failed to provide the Nation with a level of cyber
security adequate for its needs, and this seems to imply that
government regulation or other significant intervention is
required to achieve adequate cyber security, but it seems to me
the government hasn't done that good a job itself in governing
its own needs, and so the question is, can the government
really provide the leadership you need or it is just the money
you need, or how can we reach the point that you and I both
seem to want to get to?
One other aspect as some of you mentioned, it is hard to
recruit people for security jobs, and it wasn't clear to me
whether it is because these jobs are not particularly
appealing. Perhaps computer experts would rather be programming
rather than playing cops-and-robbers. I don't know. Or maybe
you have to appeal to cops-and-robbers people and provide them
with appropriate cyber security training. But I am just
wondering if the cyber security jobs are just not appealing
enough to the people that you are trying to get. So it is a
potpourri of questions but I think you are all sort of focusing
in that same area.
So, Dr. Goodman, if you would kick it off, and we will just
go down the line.
Dr. Goodman. Thank you, Mr. Ehlers. I think a fundamental
problem out there that is largely behind the statement that I
made is that for a variety of reasons, cyber security has
frankly not been taken as seriously as it should be in putting
all of these systems out there that are simply so vulnerable.
Security has not been a major design consideration. It has not
been a major driver for the businesses who are out there in
cyberspace doing whatever they do in cyberspace. There has been
no pressure on them, and when things go wrong, they usually are
not the people who suffer the consequences. I am a believer
that, as is the case with lots of other security and safety
issues and other infrastructural domains, that some
requirement, if you would like, needs to be made on those who
are in the best position to mitigate risk to do so; and that
may in fact require regulation, may require certain kinds of
laws that for example heighten liability; it may benefit from
coming up with the kind of technology that is so easy to use
and so cheap to use and so easily integratable with what we
have out there now that you just cannot not use it.
Nevertheless, we have a situation where much of cyber defense
is pushed on the end users, you and me and all the other
citizens and organizations that are out there. This is partly
built into the architecture of the Internet and other things,
and we are increasingly incapable of defending ourselves
against increasingly capable attacks and attackers. So an
effort must be made to get those people who are in the best
position to mitigate risk to do so, and I think what should be
done and it has been done in other areas, industry and
government need to get together and they need to get together
under some perhaps formal form or other kind of institutional
mechanism with the mandate that they come up with greater
security in cyberspace. It is as simple as that. There are
again other--most recently this seems to have produced some
results in the electric power industry where there has been
great concern about how vulnerable increasingly IT-controlled
electric power generation and distribution may be to outside
attacks or to other forms of failure, and FERC, the Federal
Energy Regulatory Commission, got together with the industry
associations and basically came up with mandated standards for
the systems that they use to generate and distribute power, and
I fear something like that will have to be necessary,
particularly with regard to mobile telephony but elsewhere as
well.
Mr. Ehlers. Thank you. Good comments.
Ms. Franz.
Ms. Franz. Thank you for your question on the partnership
efforts. Most of the interaction that we have had with NITRD
has been through our increasing dialogue with the Interagency
Working Group on Cyber Security and Information Assurance, so
we have had more and more discussions in the work of the
Information Technology Sector Coordinating Council, or ITSCC,
under the NIT framework that I mentioned, and that has been
increasingly positive as well. However, I would like to say
that we would like to see that discussion and dialogue start at
the very beginning of a process rather than at the end, you
know, where a document may be presented for review and input
but at that point it is almost too late to do so, so the
dialogue hasn't started in the beginning so you might see
overlaps at a time that is too late. You might miss gaps in
things that needed to be done and weren't. And you might see
areas where innovation might be stifled by the proposals that
the government may make. So I would say that in order to avoid
all of those landmines, we would want that partnership to start
earlier. But our dialogue has been increasingly positive and
rich and we are finding out a lot more about what industry is
doing, what government is doing and where we can coalesce those
efforts more productively.
Mr. Ehlers. So progress is being made but you would like it
to be more formalized and proceed more rapidly?
Ms. Franz. Agreed. I mean, I think that a more formal
process, a mechanism, as I mentioned, would enable that
interaction at the earliest stage and get the expertise of both
government and industry and other stakeholders in the room at
the table, perhaps with a blank document, as some have
mentioned, rather than a fully fledged product.
Mr. Ehlers. Okay. Dr. D'Amico, what can you add?
Dr. D'Amico. Thank you. You have raised some interesting
questions. I would like to address the one about how we
increase the number of cyber security experts in the United
States. The thing that is keeping this from happening is not
the money. We know that they are well paid. In industry, the
average salary for a security manager is $108,000, in the
Federal Government, it is $98,000, and in the state and local,
it is $79,000. So it is not the money. I think it has to do
with three things. One is the availability of jobs, the second
is the perceived status and the third is the lack of U.S.
citizens. There are not that many jobs available in industry,
and I think it is because they don't see the return on
investment. The only reason that people are really investing in
security is because of the compliance legislation, but from an
economic perspective, they don't see the ROI. In the military,
there is no real perceived status for being a techie in the
military. If you are in the cyber defense force, you are not on
the path to advancement and so you have to move out of that in
order to advance in the military. And then with respect to U.S.
citizens, more and more of the advanced degrees in information
security and computer science are not granted at--not as many
of them are granted to U.S. citizens as in prior years, and so
a lot of Bachelor's degrees are given to U.S. citizens. Only, I
think, eight percent of the degrees are to foreign nationals
but by the time you get to Ph.D.s, there 38, 39 percent are
given to foreign nationals, so we need to change that around as
well.
Mr. Ehlers. Thank you. Dr. Schneider.
Dr. Schneider. If you want somebody to get to do something,
there is this basic dichotomy of the carrot versus the stick.
The only way industry that plays in cyberspace--not the cyber
security industry but companies that benefit by doing business
over it--are going to build more-secure systems, is if they are
somehow incentivized to do that. Return on investment is the
carrot. Legislation is the stick. I am not an expert on
suggesting which way to go but I will point out that if there
was an incentive structure, then two problems would be solved.
One, there would be employment of experts and cyber security
experts might be technical and they might be policy oriented,
and second, companies would be very anxious to facilitate tech
transitions from researchers into companies. You have only to
look back at the dot com era to notice that lots of good ideas
were being discovered in research and were very quickly being
monetized in the industry community. So there was an incentive
structure. It was a carrot in this case, and it moved. It is
the lack of incentive structure that in my opinion is what is
holding things up.
Mr. Ehlers. Thank you. And finally, Mr. Brown.
Mr. Brown. It is one of the things when we look at research
gaps and try to resolve some of those between industry and
government. You know, we look at these gaps, we identify these
gaps. Industry today is focused, you know, primarily on
satisfying their customers' needs today. We prioritize those
needs. We staff for those needs. We make sure that we are
creating products that can meet those needs today. One of the
major challenges industry has is, how can we prepare for things
that are going to happen five, six, seven years from now, how
can we set up that infrastructure that is really going to
prepare us for that, and, you know, there is a challenge there
that says those investments are very high risk. You know, how
many of those investments are going to really be fruitful, and
as we looked at the list of the research areas, when we see
those, we see that they are identified as areas but really
plans are not put into place to say how we are going to address
those areas. Some of those areas are better left to research of
government. Some of those areas are better left to research for
public and private partnerships. Some of those research areas
are better for university research. It is important that we lay
out plans to address each one of those areas and stay to those
plans.
Mr. Ehlers. Okay. Thank you very much, very useful.
Chairman Lipinski. Thank you, Dr. Ehlers, for your
questions, but now you know that you have used up your question
time for the next two hearings also, so----
Mr. Ehlers. That is fine.
Chairman Lipinski. No, that was very interesting and very
good questions and good answers, very interesting responses
there. I will now recognize myself for five minutes.
Some of the things that I was going to ask about, some of
the other Members have asked questions along those lines. I
want to follow a little bit more--I am not sure if there is
more we can learn or not but I just want to push a little bit
more on one of those questions Dr. Ehlers just asked. It seems
like one of the issues that we face with cyber security is that
everyone thinks that it is not their problem, from individuals
to companies, whether they have, you know, companies are
producing software or operating systems or companies that just
have data that is not protected. So I think that one of the
issues--and I also think that there is not enough attention
paid to this also. I am very happy that the Administration is
paying attention to it because it is shining a light on this
and what is going on and that is not just a political
statement. I am very happy to see that because I think that is
really needed in our country because a lot of people, they hear
cyber security, they don't realize how much impact it is going
to have on them. But just take an example. Yesterday Microsoft
issued updates that patched 31 vulnerabilities in Windows and
Office programs including 18 bugs that they marked critical.
You know, just focusing on Microsoft there, yes, I do use an
Apple computer, a Macintosh operating system, always have, but
not just to pick on Microsoft. But where--how do we better
incentivize? Like I said, you have all kinds of different
individual types of companies. How do we better incentivize
trying to get these, whether it is on software programs, how do
we keep data better protected? You touched a little bit on
this, but does anyone have anything to add on that right now?
Dr. Schneider.
Dr. Schneider. I think some sunlight would help. I think we
don't do a good job of informing the population about the risk
or about the consequences. You have a good notion of what the
chances of being burglarized are if you walk in any part of this
city or probably the city you have come from. You don't have
any notion of how often successful penetrations are occurring
at banks or military installations or any of the attractive
targets. There are good reasons why these institutions don't
make this information public, yet if you look at the success of
the California breach legislation that is now spreading
throughout the Nation whereby when private information is
disclosed, the institution that leaked it is obligated to
inform the potential victims. That has had a very interesting
effect and raised the consciousness both of the owners of this
data and of people at large. So I see all this talk about
raising public consciousness and public campaigns. I think if
business were more obligated to be candid about what was
happening, we would all understand and build a better model of
the risks, and once people are more concerned about it, I think
that is going to drive innovation and deployments.
Chairman Lipinski. Mr. Brown.
Mr. Brown. Yeah, in the past few years, you have to
remember that the software industry is, you know, ever
changing. Our threats are ever changing. The adversaries we are
up against are changing as well. So when we look at software
vulnerabilities, you know, just four or five years no one had a
plan in place to train their software professionals. Now I
can't think of any large software vendor that doesn't put their
coders through at least secure code training. So the level of
awareness has raised to, you know, a very good extent. Now, we
have to deal with a lot of things from the past so software
that was written five years ago is still in place. Software
slowly moves out of both industry and consumers, and, you know,
the industry has done better at announcing vulnerabilities and,
you know, they should be applauded for announcing
vulnerabilities and working with--working in ways to patch
those vulnerabilities as quickly as possible. So overall, I
think the industry is getting better. Now, can we do more?
Absolutely. Should we have more trained people coming into our
organizations? Yes. Should we have better, more trained
professionals? Absolutely. But things are taking time but they
are getting better. So we have to remember where we were three
years ago versus today.
Chairman Lipinski. Ms. Franz.
Ms. Franz. I would like to build on a couple of things that
my other distinguished panelists have mentioned. First, I think
there is still a great need for awareness or sunlight, as Dr.
Schneider said, on what the issue is, and particularly there is
only a small community that knows what the threats are to them
or what the activity is in cyberspace and so we have often
asked for a mechanism that allows more information sharing
between the government and industry on just what the problem is
and what are the problems we are trying to solve. That
certainly needs to be done in as trusted an environment as
possible, so that goes back to the partnership mechanism, but
that information sharing and exchange is important.
I would like to touch upon the incentive piece from a
positive side of the equation, more of a carrot and stick, I
suppose. Dr. Schneider mentioned the data breach notification
laws and certainly that is something TechAmerica has been
actively engaged in, particularly looking at the requirement
for notification when there is a breach and providing for a
safe harbor for industry and companies or other organizations,
government or academic institutions if they have taken
protective steps to protect that data before it could even be
breached, to render that data unreadable, unusable, and so
there is a presumption of a lack of harm in that instance. And
so on the one hand, it incentivizes companies and other
organizations to take protective mitigative steps beforehand
and then makes the data unreadable, unusable if it is accessed.
So that is a positive incentive to look at sort of the carrot-
and-stick approach. I also might suggest that we consider ways
that the tax structure could benefit efforts in R&D or other
investments in cyber security efforts.
Chairman Lipinski. Thank you. I am over time, but I want to
throw one other part in here. Dr. D'Amico talked about how we
need a cultural shift here so that people understand that what
they are doing and the damage that can be caused, and I will
give the credit where it is due. John Veysey, who works for me,
sitting behind me, said if I wanted to cause trouble, what I
would do would be to take some thumb drives and throw them out
in the parking lot with a Trojan horse on there because almost
everyone is going to pick it up, take it in the office and plug
it into their machine just to even see who this might belong
to, just things as simple as that. How do we change people's
habits and just automatic reactions that they have that can be
very dangerous and cause these vulnerabilities? How do we reach
out to the general public to do that? Dr. D'Amico.
Dr. D'Amico. We need a marketing campaign, and Americans
are very good at marketing and there is a lot of research on
how to market effectively to Americans. People want to be good
U.S. citizens and we really need some kind of marketing
campaign for individuals and for companies that you too can
make a difference, engaging good computer hygiene so that
before--they wouldn't touch a dirty object on the ground
because of health considerations. They shouldn't touch a
potentially dirty thumb drive on the ground because of computer
hygiene considerations, and I think it is well within our
capability to engage in a public awareness campaign using
everything we know about good marketing. I think the second
thing, and this is much harder, is that we really need to
understand what the impact is of any single failure. So if
somebody picks up that thumb drive and sticks it into the
computer and they get some kind of infection, what are the
cascading effects of that? We really don't know, and this
really is a ripe area for research. We don't know enough about
the interdependencies within an enterprise and across
enterprise to be able to say you pick up that thumb drive, you
put it into your computer, well, guess what? Somebody in a bank
account two states away from you is going to have some money
taken out of their account. We just don't know that and we need
to study that.
Chairman Lipinski. Dr. Goodman.
Dr. Goodman. The problem of educating the public or making
the public really fear what might happen to them out there is
very, very difficult in this domain. We have a situation--I
mean, in other domains usually there is some immediate physical
threat that gets public interest and arouses them to protect
themselves and to get help from others to protect them. This
kind of threat for most users, not only in this country but
especially around the world, it is so remote, it is so
abstract, they are connected to these systems. They see all the
good stuff that is going on out there. That is why they are
spending so many hours at terminals, on their cell phones and
what have you, and any kind of threat is out in oblivion
someplace, okay, and physically it may well be out on the other
side of the world. They don't see the immediacy. They don't
see--and it is very difficult to educate them to this, given so
many other things they have to think about. And we have again a
situation where even when the public has seen immediacy, for
example, in the world of automobile safety, those industries
that are in the best position to do something about it have had
to have a great deal of government push to do something to
protect the public, and I don't think the public--each
individual out there can do things to help them as they do with
their homes, with locks on their doors and what have you. That
is not going to be enough, and the public doesn't fully
appreciate it and I am not sure what kind of educational
program will bring it home what kinds of risk they have out
there.
Chairman Lipinski. Thank you. I have gone way over time
here so I am going to conclude at that and recognize Mr.
Neugebauer.
Mr. Neugebauer. Thank you, Mr. Chairman, and thank you for
calling this hearing. I think the first question, in most of
your testimony you indicate that a lot of the infrastructure
for cyberspace is in the private sector, and a lot of ideas
have kicked around of how to enhance the cyber security, and
one of those is to establish a rigorous regulatory regime to
impose on these private companies and I think the second one is
to somehow give those companies some kind of liability
protection for maybe mandates that the government would impose
on those companies to do certain activities. So those are two
ideas. One of them sounds like more big government. You know,
what are your thoughts on the current things that are being
talked about. And third is, are there better ideas that we need
to be thinking about? I will throw that open to whoever wants
to jump in.
Ms. Franz. I will take the first cut at that. I think that
certainly right now we see a lot of proposals for the kinds of
things that either regulatory or--the regulatory nature or with
regard to practice requirements. The problem is, while the bulk
of the information technology or cyber security or critical
infrastructure is owned and operated by the private sector, the
issue is, it moves so quickly. We see transitions and
evolutions in the technology at a very rapid pace and
legislation is not always the best way to address that, at
least not in very specific ways. It usually is a blunt hammer
for a very specific problem. So if there is a way to identify
the problem, and again, I would suggest doing that in a
collaborative sense, and then finding the best way to approach
it, either through a standard or a best practice in many of the
collaborative bodies that we have, either standards bodies
nationally and internationally. Again, it is also a global
issue. We don't want to put into place a regime that is
restrictive, would be irrelevant in a very short period of time
and then is either conflicting or provides--causes extra burden
on companies or other organizations that have national and
multinational operations. So it requires a really good robust
dialogue on the best way for legislation to address the issue
as well as other mechanisms.
Mr. Brown. Ms. Franz also brought up the point of
standards, and standards are extremely important when we look
at adhering to--as software is developed, adhering to standards
will help us have more consistent and more secure
infrastructure across the board. So that is also an extremely
important component of this. You know, the infrastructure
players in the private sector are--you know, they are driven to
do the best that they can. You know, you see who is out there
and who hasn't survived, and, you know, the bottom line is, if
they don't do their job, they don't do things securely, they
don't do things in high-bandwidth methods, then, you know, they
won't survive as a company. So there are a lot of incentives
for the private sector to do the right thing here.
Mr. Neugebauer. I agree with you, and I think that is one
of the things that kind of concerns me about, you know, the
government stepping in. Sometimes when the government does
that, it leaves a false impression that oh, the government is
watching out for me now and so I don't have to be careful, I
can pick up that thumb drive, you know, and so I think we ought
to--because most companies are very competitive business.
Mr. Brown. Absolutely.
Mr. Neugebauer. And, you know, they encourage you to buy
firewalls and virus software because they know that if you have
a disruption in your service, something that came over their
network, whether they could have, you know, prevented it or
not, there are problems to do that.
I want to move to another area, and that is with the huge
amount of growth in the use of PDAs and cell phones and
texting, you know, that has become a huge piece of our world.
Dr. Goodman, you kind of mentioned that in your testimony. What
is going on as far as threats to my PDA and to my cell phone
and what--I don't know. There may be virus software and
firewalls for PDAs but, you know, I am not aware of it. So can
you kind of update us on that?
Dr. Goodman. There is nothing in this world, I mean world,
expanding faster than cellular telephony and mobile devices
more generally, and to perhaps restate some of what I said
earlier, I think before you came, the devices are becoming
increasingly powerful computers. Many are not yet around the
world but the trend is very much there, and as such, they have
all of the vulnerabilities, particularly as they become the
principal devices for most of the world to connect to the
Internet, that you have such things as laptops and desktop
computers. So everything that is seen as a vulnerability that
can be exploited with desktops and laptops will be coming with
those cellular devices. I can guarantee that. Plus, and I
rattled off a number of other features that are associated with
mobile devices, that are uniquely vulnerable to them such that
they use airwaves. They have very limited battery power and
there is a disinclination on the part of everybody, the
providers, the cell phone manufacturers and what have you to
use up some of that battery power for security kinds of
functions. I could go on and on. The list is really very
substantial. I believe, and I used the word ``tsunami'' in my
oral statement, that there is a tsunami of insecurity far
greater than what we are seeing now coming with those devices,
okay, and it will be worldwide, and to make another point with
regard to worldwide on a comment that you raised, Mr.
Representative, there are limitations. You used the term
``rigorous regulatory regime'' and I advocated more regulation
or at least thinking about regulation. There are limitations to
that and everything else that everybody has raised here with
regard to educating the American public and what have you and
that is, we are dealing with infrastructure to an extent like
no other on this planet that is connected to the rest of the
world and you can regulate U.S. businesses, you can regulate
U.S. users. Universities have been dropping. Our universities
are not the best protected places on earth, I hate to say, but
what sort of leverage does that regulation or law enforcement
have on the other 200 countries or semi-sovereign entities
where the Internet and cellular telephony all come to ground
and some real thought has to be given to that and I am afraid
close to no thought has been given to that except from a law
enforcement standpoint around the world. And I will also say
that as a crime and punishment approach, you know, people who
are doing things out there are almost safe from being caught
and prosecuted. Real attention needs to be given to prevention
and recovery, and the world as a whole, much even worse than
the United States, is giving very little thought to that.
Mr. Neugebauer. Just a quick follow-up, Mr. Chairman?
Chairman Lipinski. Thank you. We are going to have to--if
we have time, we can come back. We have a couple more members
that have questions to get in here. The Chair will now
recognize Mr. Carnahan for five minutes.
Mr. Carnahan. Thank you, Mr. Chairman, and welcome to the
panel. I had a few questions I wanted to jump through, so I
will try to move this along.
First, I wanted to ask, what is in the panel's opinion the
most effective route for small innovative companies that have
new cutting-edge technologies to get visibility and
consideration within the Federal Government cyber security
area? Yes?
Dr. D'Amico. Well, I am from a small business in New York
and we do cyber security research, so I could say from
experience that the Small Business Innovation Research Program
is one of the best vehicles for small businesses to become
involved in cyber security. It is an excellent program and it
requires that the small businesses not just work in cyber
security and R&D but also transition the technology. So I think
that that is very important. One of the things that hurts small
businesses and innovations is the common criteria certification
that is required on security products. In order to get a new
security product used in the Federal Government, one has to go
through a very expensive common criteria certification. Entry-
level price is about a quarter of a million dollars and very
few small businesses can afford that, so as a result you have
some of the most innovative ideas that really never get into
the Federal Government because of this certification
requirement.
Mr. Carnahan. Thank you. Anybody else on that? Ms. Franz.
Ms. Franz. I would like to touch upon two aspects. One is I
think building upon the awareness aspect. There are several
mechanisms for making small business and other users more aware
of the steps they can take to protect themselves, so looking at
it from that perspective, what does a small business need to do
vis-a-vis what a large company or individuals need to do, and
one great resource for that is the National Cyber Security
Alliance, which is involved in a lot of awareness efforts and a
partnership with the Department of Homeland Security. Those
kinds of efforts certainly could be bolstered to have more of a
marketing campaign-like effect that Dr. D'Amico alluded to
earlier and I think would be positive.
With regard to how they can take advantage of cyber
security efforts in the government, I just think it is a great
awareness need, outreach need, a look at how procurement
efforts can be undertaken to take those into consideration and
make it easier for them to participate.
Mr. Carnahan. Thank you. In the defense reauthorization
bill, section 254, entitled ``Trusted Defense Systems,'' it
calls for an assessment of various methods of verifying the
trust of semiconductors procured by the Department of Defense
from commercial sources for use on mission-critical components
potentially vulnerable defense systems. How can the Federal
Government better prepare and provide for these critical needs
in a more comprehensive manner and a more timely schedule to
meet those critical semiconductor requirements today? Yes?
Dr. Schneider. So I think you are alluding to what is known
as the supply chain problem wherein we are now purchasing
semiconductors, boards and software from abroad, either through
U.S. companies or not, and using them in defense systems, and
we are using them also in private sector systems which are used
in defense and which are controlling critical infrastructures
that are not used in defense. This is a big problem, and it
does not have a short-term solution. It is a very difficult
problem involving probably five to ten years' worth of research
before we will have some basic engineering approaches to solve
it, and we should appreciate the severity of the threat and
hope that the sophistication of our attackers is not at the
level it could be.
Mr. Carnahan. Anyone else on that? Ms. Franz.
Ms. Franz. I would just like to highlight the notion that
suppliers, whether they be U.S. companies or otherwise, are
very aware of the vulnerabilities they have if something goes
wrong. So they have taken steps in a number of ways to address
their supply chain cycles and efforts in order to shore that up
along the way. Of course, there are always situations in which
that doesn't happen. Those measures aren't undertaken and not
only the company but others could possibly see the
ramifications of that, but before we do anything that disrupts
the economic model that many companies and governments are
benefiting from, we need to have a discussion about how best to
construct that in a positive way. So again, that partnership is
really important to figure out exactly what is happening, what
is industry doing, perhaps what it is and what the parts that
need to be addressed before we disrupt the system, and thereby
restrict the kinds of innovations that government can get in a
timely manner. Certainly the spectrum of sensitivity or
classification or criticality of a mission needs to be taken
into consideration as well, where do they need the most
critical, the most secure solutions and where might they be
able to leverage a global marketplace better. So that
discussion and consultation is necessary for that.
Mr. Carnahan. Let me just wrap up with the last question.
There was a recent article in the New York Times entitled
``Contractors Vie for Plum Work Hacking for the U.S.'' that
focused in part on the growing demand for cyber warriors. How
can the government and our educational system ensure that we
meet the demands for these, not only meet the demand but also
win the cyber security race and stay ahead of the curve here?
Dr. D'Amico. I recall that article, and there are a few
things about it. One is that they mentioned that there are very
few people who have the security clearances that are needed to
engage in some of that work. We need to have more U.S. citizens
who get advanced degrees in computer science, engineering and
the interdisciplinary areas that are related to computer
security. The second thing is that a lot of those people came
out of the military. One of the reasons they came out of the
military is because of something that I alluded to before, that
if you are a techie in the military, you don't get an
advancement. We really need to have in the military a way of
rewarding those people who are cyber defenders, cyber warriors,
and then you will grow them in the military, and then when they
retire they will be there to help in those areas that were
mentioned in the New York Times article.
Mr. Carnahan. Mr. Brown.
Mr. Brown. Yeah, I think one of the other things--so
education is definitely important. Educating people--you know,
a lot of our workforce is coming out of universities with
education on secure coding capabilities but not really secure
systems. Understanding how to design systems in a secure
fashion is actually a lot more difficult than understanding how
to code securely. A lot of the threats that we see are really
more systems threats. You know, you are using fine software
throughout your system but, you know, it has got a weak
password rule or those types of things are in place. So making
sure that we have people that understand those and are coming
up through the ranks of our universities that understand how to
design secure systems. Now, we do have--you know, we have been
producing more of those professionals in the last few years but
it is still just a growing field so we need to do more. It is
also important that we institute strong internship programs,
strong programs that link them with industry, link them with
government because the university environment only gives so
much focus to the real world essentially. So a lot of our work
with universities today, we fund university research, but when
we see the researchers come in, a lot of those researchers, we
are teaching them about the real world and trying to give them
enough knowledge to have impact in other places.
Mr. Carnahan. Thank you all very much.
Chairman Lipinski. Thank you, Mr. Carnahan. Mr. Neugebauer
had a follow-up question so the Chair recognizes Mr.
Neugebauer.
Mr. Neugebauer. Well, thank you. I was just going to go
back to our conversation that Dr. Goodman was talking about in
the cell phone area, and we talked about the devices
necessarily may not be equipped to process some of the threats,
but I guess the question is, what is the industry doing I guess
out there to make sure that, you know, their systems have
integrity because obviously a lot of people, it is big business
so other panel members, if you have some knowledge on that, I
think it would be helpful for us as well.
Dr. Goodman. I will let Fred also respond, but from where I
sit, I don't see--and it is big business. I mean, it is big
business worldwide, not just the providers of the service but
the makers of the devices and so on and so forth. So far I
don't see much. I would also like to say something hopefully
encouraging in that we are at the beginning of what I perceive
to be a very rapidly rising curve in this domain. We have a
certain amount of history with mistakes and not getting ahead
of the game with regard to the Internet and all sorts of other
security areas. Right now most of the users of cell phones,
most of that 3.5, probably four billion people in the world now
are using fairly weak devices that limit the kind of risk they
are taking. That is going to be changing rapidly. Can we all of
us, industry, government, governments around the world actually
for once get ahead of the curve on this and do something to
mitigate these risks before it becomes the kind of tsunami that
I am afraid is going to become?
Mr. Neugebauer. Mr. Brown? I thought you----
Mr. Brown. Yes. Thank you. So when we look at--you know, I
agree. In some cases we are in infancy in the cell phone/PDA
world. We have opportunity to do a lot better in this world
than we have in the laptop/desktop world. The threats are going
to be different here though as we open up new interfaces and
new capabilities to these phones. You know, Apple first put out
their iPhone and they said a browser will be your only
interface. That was easy to secure. But guess what? Consumers
demanded that I have an application for everything, as the
Apple commercial says, and each one of those applications now
has increasing functionality. Each one of those applications
has potential vulnerabilities. You know, we have--they have
done a better job at securing things but there are more
vulnerabilities, more opportunities to either socially engineer
threats, which is actually probably more of a threat than
software engineering of a threat. So we are at the point where
we can do more and not have the same problems that we had sort
of in the desktop/laptop world.
Mr. Neugebauer. Dr. Schneider.
Dr. Schneider. Let me point out a few technical differences
between the cell phone world and the desktop world and the way
they are evolving that might give you some reason to sleep at
night. First, there is no dominant producer of the operating
system for cell phones. There are a fair number of producers.
That means there is not a monoculture so it is difficult for a
single attack to attack all the processors. Second, early in
the evolution of cell phones, the phone companies established a
model that they owned the software and that they would
periodically change your software without telling you when they
decided to make a change in feature or fix a bug. So the model
that we have for desktop software where Microsoft announces a
bunch of patches for some vulnerabilities, notice they didn't
announce that they were successfully attacked. They were
preempting that. But the model where it is the user's
responsibility to configure the system and it is the user's
responsibility to keep it up to date has been abandoned and at
least for the basic operating system of the cell phone, this is
under the control of the manufacturer. There is a possibility
now that everyone is going to be able to download their own
applications and they will be responsible for that piece of the
picture. That will be a problem. But if the cell phone
manufacturers retain the view that they manage your security,
then we might be better off.
Mr. Neugebauer. Thank you, Mr. Chairman.
Chairman Lipinski. Thank you. We keep pushing back. I am
looking at the TV screen here to see about when we are going to
vote. I don't want to get into--we don't have much time so I
just want to very briefly get into--throw out one more
question. I was looking through my notes that I had made so I
will recognize myself for five minutes but hopefully we can
keep it to shorter than that. Dr. D'Amico talked about need to
incentivize technology transfer and Dr. Schneider also talked
about needing to bridge the gap between the research and
policy. How do we do this? And this is always an issue that is
facing so many different areas in technology transfer. It is
something I am very interested in because I think it is very
critical, getting that research, especially from our
universities and getting them together with industry. How do we
do that in this instance? So Dr. D'Amico?
Dr. D'Amico. We really need to make the government program
managers who are monitoring this federally funded research
accountable for the technology transition and make the
researchers incentivized to do it. First of all, the programs
that are funded should include a technology transition phase
and not stop at well, you have built a prototype, you have
demonstrated in a laboratory and now we are done and we write
the paper. It really has to go through usability testing and
operational environment, and the money has to be there to do
it. The second thing, and this is something I raised in my oral
testimony, is that I think that the researchers need to go out
to the security professionals who are ultimately going to be
using the results of their work. So much of research is
really--so many researchers brief themselves or their
community. They publish papers within their community and they
never really go out and talk to the security practitioners, and
we need to have the results of the research brought out to
those security practitioners, write an article for information
security, see if you can turn your research into something that
makes sense to the practitioners, and it may change the way you
do your research. So those are two of the ideas that I have.
Chairman Lipinski. Thank you.
Dr. Schneider.
Dr. Schneider. Let me comment on two things. First, so I am
one of those researchers and I do get government grants. I run
a fairly big operation. Today if you want to get a grant, you
are much better off being able to assert in the grant
application what your successful technology transitions were
than to list publications. At least in many of the funding
agencies, there is a culture that people who succeed in having
a real impact are the ones they want to fund and publications
don't matter so much. The other question has to do with
teaching policy and technology. I think academia may be a bit
ahead of the curve here but when I read places asserting we
need to teach all our students the list of common security
holes and secure coding practices and the next step is to teach
them how to do secure designs, I think we need to teach them
ethics, I think we need to teach them law, because if they
don't understand these things, they are not going to know when
they can trade off between a technological solution and a
policy solution. If they don't have a good sense of ethics and
sociology, then they won't understand how when they change the
Internet so it is more secure, the fact that it became less
usable makes it a less attractive place for all of its users
and it gets ruined in another way, and so I think it is the
responsibility of universities and any educator to have a much
broader view than this kind of technology, and we shouldn't get
railroaded into believing that we should produce technologists
to solve this problem because they will come up with solutions
but they are not going to be good solutions in the big picture.
Chairman Lipinski. Thank you.
Mr. Brown.
Mr. Brown. Just one quick comment. When you talk about
moving from research into products and applications, we have to
understand that some of that takes a long time. You know, even
if I come up with the greatest idea today within my company,
within my position, I am a year and a half out before that idea
gets into a product because we are mid-cycle in products, we
are going to take that time. So patience and diligence,
diligence and follow-through is critical to get anything done.
So we have great ideas, we have great research. They take time
to get implemented in products and they take time for people to
implement them in the commercial sector or in the government
sector. So we need to have processes in place that are going to
attract those that research that we are doing through its life
cycle and not give up on it after a year or two years.
Chairman Lipinski. Thank you.
You have to be very brief, Dr. Goodman.
Dr. Goodman. Very brief, I guess. There is another side to
this. The implication in a lot of what has just been said is
that somehow the innovators, the people who do the research
need to push what they have done into the real world, and
perhaps by offering things get policy changed or what have you.
There is the other side of things, and that is that people who
are going to be the primary consumers of better security,
whether they are trying to manifest this through policy or
through what they think will really help their products, their
commercial activities be more secure, they have got to send
serious signals that there is a demand for certain kinds of
research to solve certain kinds of problems, and that demand I
think will filter into the research community and with funding
they will get results. It is a two-way street to get things
from ideas into useful practice.
Chairman Lipinski. Thank you, and I want to thank all of
our witnesses for your testimony today. I certainly have
learned a tremendous amount, and as we move forward right now,
we have, as I said, two more hearings on cyber security. As we
move forward with legislation in this area, we are certainly
going to take a lot of what you have said and any more follow-
up that you may have for us, we would appreciate. The record
will remain open for two weeks for additional statements from
Members and for answers to any follow-up questions the
committee may ask of the witnesses.
So again, I thank the witnesses for their testimony. I
thank the Members for their participation, and the witnesses
are excused and the hearing is now adjourned.
[Whereupon, at 11:42 a.m., the Subcommittee was adjourned.]
Appendix:
----------
Answers to Post-Hearing Questions
Responses by Seymour E. Goodman, Professor of International Affairs and
Computing; Co-Director, Georgia Tech Information Security
Center, Georgia Institute of Technology
Questions submitted by Chairman Daniel Lipinski
Q1. The Administration's Cyberspace Policy Review calls for the
development of an R&D framework that focuses on game-changing
technologies, but at the same time new threats that need immediate
attention are constantly emerging. What is the appropriate balance
between long-term, game changing research and research targeted toward
incremental improvement?
A1. It is easy to wish for R&D leading to ``game changing
technologies.'' But it is much harder to identify promising ways to go,
and to see them through to widespread and effective adoption, a
necessary condition if any game is really going to change. Identifying
good candidate possibilities must be done by exercising bold expert
assessments of the possibilities, with an appreciation of what
successful pursuit of those R&D possibilities might mean for effective
and comprehensive cyber security. There will not be many such
proposals, but funding should be available to pursue the most promising
to stages where they may prove their viability as serious game changing
candidates.
To that end, what might ``game changing'' technologies actually do?
The National Research Council committee and report that I recently
chaired (Toward a Safer and More Secure Cyberspace, National Academies
Press, 2007) proposed a Cybersecurity Bill of Rights that consisted of
``10 basic provisions that the committee believes users should have as
reasonable expectations for their online safety and security.'' I
suggest that new technologies, and policies for their implementation,
leading to demonstrable progress towards making a significant part of
this vision a reality would constitute game changers.
There is also a pressing need for effective and timely work on
extremely important emerging problems. A prime example that I raised in
my oral testimony is comprehensive security for mobile devices,
especially cellular phones, with an eye toward getting ahead of the
problem and ``getting security right,'' or at least much better than is
now the case, as they become more powerful computing devices that will
be truly ubiquitous, including the likelihood that they will become the
primary vehicle everywhere in the world for access to the Internet.
Another may be ``cloud computing.'' Both have the promise for creating
massive new waves of cyber insecurity unless we can get ahead of the
technology and diffusion curves. Some people might consider successful
work on these problems as ``game changing'' since they are so
important, rapidly emerging, and would affect very large user
communities. Certainly this would amount to much more than
``incremental improvement.''
I believe an appropriate balance should be weighted towards
problems like these, with no more than about 20 percent devoted to
finding grander and more comprehensive ``game changing'' solutions, and
no more than about 20 percent devoted to incremental improvement. I
believe most of the latter should be done by industry, including
funding third party research and development people. If promising
directions towards ``game changers'' are clearly demonstrated, the
funding agencies should have the flexibility to redirect resources
toward their aggressive pursuit.
As stated in my oral testimony, I believe a fundamental issue for
both the near and long terms is effectively assigning responsibility
for exploiting the results of R&D and implementing security in the real
world of cyberspace. Right now this doesn't exist to anywhere near the
extent it should. People and organizations who are most at risk of
being victims are among the least capable of defending themselves and
doing what needs to be done to protect what might be called the ``cyber
commons.'' Analogies can be made with the histories of safety and
security in other infrastructures, e.g., with seat belts, shatter proof
windshields, air bags, traffic laws and police and courts (but we must
be careful of trying to make such analogies too close). One might argue
that responsibility needs to be with those who are in the best position
to make cyberspace significantly more secure. I would argue that
resolving this problem is both researchable--although not in the narrow
computer science sense, and will require thinking about incentives,
regulation and law, economics, the makeup of the IT industry, and
technical feasibility--and a necessary precursor for any effective
``game changer.''
Q2. Beyond the Scholarship for Service program, discussed in your
testimony, do you have any specific recommendations for existing
federal agency programs that should be expanded or new programs that
might be created to address cyber security education needs? Is there a
specific level of education that is in need of increased attention?
A2. Two opposite ends of the education spectrum need much increased
attention: the general user community and graduate level education. The
first addresses people who are most vulnerable, and most defenseless
against increasingly sophisticated threats. They need to understand
more about the risks they are subject to in cyberspace and what they
can do to decrease their vulnerabilities. My response to Rep. Hall's
fourth question below addresses two important age brackets of the
general user community. My comments here are mostly concerned with the
second, the post-graduate degree granting institutions.
People with graduate education are needed to professionally protect
organizations, the ``cyber commons,'' and parts of the relatively
defenseless general user community. People with graduate education will
be necessary to do most of the research, development, and the
deployment of better technology and policies, and become the teachers
of others. Presently, there are far too few to meet these needs.
Currently I would estimate that there are fewer than 50
universities each capable of graduating even a small, steady stream of
graduate level professionals in information security. For example,
Georgia Tech has one of the largest and most substantial programs,
sustained by an unusual number of faculty members seriously concerned
with cyber security, but we graduate only about 30-40 new MS and Ph.D.
people a year in this area. And, again, we are one of the largest.
It is not easy to create more, as partially evidenced by the fact
that the capacity building track of the SFS program has not worked out
particularly well. And it is not easy to build up those schools that
exist, e.g., because of internal competition from other areas for
faculty hiring and coverage, and enrollment problems in computer
science departments where most of this capacity resides. There is much
less in information systems departments that are typically part of
business or public policy schools, and efforts must be made to get
cyber security into their programs. A necessary condition for doing
better is to build up the number of Ph.D. level faculty members, and
this takes time. One possible way of trying to deal with this might be
to expand the SFS program to include more Ph.D. students, and to permit
them to satisfy their immediate service obligations through teaching
and program development in a range of K-12 and post-secondary
educational institutions, including universities and community
colleges.
Questions submitted by Representative Ralph M. Hall
Q1. Some experts have suggested that we should consider taking
critical infrastructure networks such as those that control electricity
transmission and distribution ``off the grid''--into a network
physically not connected to the public Internet, just as we do with our
classified military networks. Please comment on whether you think such
an approach warrants further consideration, and if so what potential
benefits as well as challenges would accompany it.
A1. If much of the risk to these networks arises through connectivity
to the public Internet, then that risk must be mitigated. Until this is
effectively done in ways that permit safe forms of connectivity, it
might be best to keep at least some of them disconnected, although
connectivity has become such that this may be harder to do than it
sounds. In the discussions about balancing the risks of insecurity
against other factors, e.g., profitability, efficiency, or convenience,
security usually seems to come up short.
But at least for the electric power distribution industry and
infrastructure, the regulator (the Federal Energy Regulatory
Commission) seems to be trying to step up to the problem. For a
discussion of this effort, and much more, I refer you to a recent paper
by one of my colleagues at Georgia Tech: Stephen J. Lukasik, ``Reducing
Threats to Users of the Global Cyber Commons,'' Center for Strategy,
Technology, and Policy, Georgia Institute of Technology, Atlanta, GA
2009. A copy of this paper has been left with the Committee staff.
The positions that Dr. Lukasik has held over the years include
Deputy Director and then Director of ARPA (now DARPA) when the ARPANET
was being conceived and first implemented, and the first Chief
Scientist of the Federal Communications Commission. In the spirit of
this question, and given the precarious state of cyber security more
generally, Dr. Lukasik suggests, ``users should seriously revisit the
premise that any two things are better connected than left
unconnected.'' I would endorse that cautionary statement.
Q2. The comprehensive cyber security initiative that was created by
President Bush and is continuing under President Obama focused on
improving cyber security coordination across government and on funding,
game-changing ``leap-ahead'' technologies. Do you agree with these
priorities? If you had an additional $100 million to spend on cyber
security R&D, to what agencies and research areas would you devote it?
Is there general agreement within the scientific community regarding
security research priorities?
A2. Our 2007 NRC report, referenced in my response to Rep. Lipinski's
first question, advocated a broad, defense in depth approach covering a
number of important and complementary technologies. As also discussed
in my response to that question, some effort to identify and develop
game changing, ``leap-ahead'' technologies should be pursued, but the
problems of cyber security are so extensive and complex that such
silver bullets may be hard to come by at best, and are unlikely to come
quickly.
Some areas, like improving methodologies for designing and
engineering or re-engineering of more fundamentally secure systems and
applications, would underlie almost anything else that would be done.
So would research into architectures that would be fundamentally more
secure than what we now have. I believe there is fairly general
agreement within the scientific community on these points, but less so
on many others. Again, I would place a large fraction on any new
funding on dealing with the security problems associated with very
large and rapidly emerging new technologies, notably mobile phones and
other devices, and cloud computing, and also on research that looks
into the problems of the timely, effective, and widespread
implementation of new security policies and technologies. Many of the
latter problems are at least as much matters of management,
organization, and incentives as they are matters of technology. The
problem of effective, widespread adoption is so enormous and complex
that it might well negate good new technology if it is not given
serious attention.
There are many agencies under the NITRD umbrella. I would hope that
some of them would see these problems as particularly relevant to their
mission statements and eagerly step up to producing solutions.
Q3. The strategy of both the past and current administration has
focused most of our cyber security investment--several billion dollars
annually--on procuring and deploying intrusion detection systems. Due
to the cat-and-mouse nature of cyber warfare and defense that several
of you noted in your testimony, it seems that these systems are only
effective against threats that we already know about and understand.
Given this reality, can this type of approach produce effective results
over the medium- or even short-term? If not, is research on a new and
fundamentally secure Internet architecture the only long-term answer?
A3. Given the attention and investment over a long period in R&D for
intrusion detection systems (IDS), I would suggest that it is time for
a serious assessment of its impact. This would provide a far better and
more constructive answer than what I might offer in this short
response. I believe that most R&D in cyber security should be done as
if application matters. In keeping with that, we must learn to do
serious evaluations of progress towards a safer and more secure
cyberspace, and IDS is a good place to start.
Are we able to detect almost all intrusions into almost all of our
computers? Are we doing anything that is effective against emerging
threats? If so, what combination of technical R&D and deployment
incentives and strategies made this possible? What has this gotten us
in terms of safer and more secure computers? Have we been able to
thwart the intents and limit the damage done by these intrusions? Are
we really limited to those threats that we failed to anticipate and
prevent and ultimately learned about the hard way?
If not, then we need to understand why not before we pour billions
of dollars and other resources more into IDS or something else. With
most of the well-educated professionals among the good guys, why can we
not pre-empt new forms of intrusions as they are happening or before
they happen? Do we have good technical solutions that are not being
implemented? Is the technology just not up to it, or are our systems so
fundamentally insecure and there are so many threat possibilities that
we should not have unrealistic expectations here, or is part of the
problem apathy or resistance on the parts of the people and
organizations in the best positions to implement and sustain these
solutions? If the latter is the case, what can change this?
Note that intrusion detection is largely a matter of computer
security. A ``new and fundamentally secure Internet architecture'' is
more about network security and some different kinds of forensics,
although it might have some positive effect on computer security. It
may well be the necessary and best long term answer. There is no doubt
that we could do better producing a more secure architecture today than
was originally the case, but ``fundamentally secure'' is a very tall
order, especially if it also is to be effective in protecting us from
insecure applications that could be put on the net. And ultimately
there is the massive and very difficult problem of the huge legacy
Internet to be abandoned or moved to the new architecture. In this
regard, we have not always been very successful on much smaller scales.
Q4. When this committee discusses a STEM education issue, we don't
just focus on higher education: We start at the pre-K levels and extend
beyond post-graduate work. Most of the education-related testimony has
focused on our adult population either from an academic and workforce
perspective, a behavioral perspective, or a public awareness
perspective. What are your education recommendations for our children
when it comes to cyber security in all of these areas?
A4. Children and young people in the age range usually associated with
primary and high schools, roughly ages 5-18, are a particularly
vulnerable and important category of general user. In the United
States, beyond the first few grades as a group they are probably coming
increasingly close to being almost 100 percent users of the Internet or
mobile phones and other devices. And the Internet has become part of
many programs in K-12 educational institutions in this country, even if
just as an augmentation to or substitute for traditional hard copy
libraries.
It is important to include the concept of ``safety'' in addition to
the common usages of ``security'' in discussing this age group. Some
undesirable Internet enabled activities specifically involving children
and teenagers range from the unauthorized use of credit cards (to
paraphrase a classic New Yorker cartoon: ``on the Internet, nobody
knows if you are a child''), to massive violations of the intellectual
property of others, to risking their own privacy on an unprecedented
scale, to hacking for sport, bragging rights, and profit, to enabling a
huge worldwide child pornography underworld, to providing unprecedented
entries for people who physically or mentally prey on children.
Furthermore, the naive or undereducated or malicious use of the
Internet by children and teenagers may put others at risk.
But this is an age group that is almost totally accessible through
their schools. Education covering the safe, secure, and ethical use of
cyberspace is thus arguably a necessary and desirable addition to the
curriculum in the primary and secondary schools. More generally, I
would reflect a view expressed in the Association for Computing
Machinery (ACM), the oldest and one of the largest professional
associations devoted to computing, that we should look for ways to
integrate grade-appropriate cyber security curriculum into existing
courses, but we also need to expand the teaching of core computing
concepts at the K-12 level. Computer science education is too often
missing from the K-12 education landscape. As computing becomes
ubiquitous through platforms such as hand-held or cellular devices and
its role grows in society, it is imperative that students have a better
grasp of the fundamentals of computing. We can do this by making a
rigorous and engaging computing education part of the core that
students must know and by making safe, secure, and ethical use a
central part of this education.
If a narrower focus is desired, many precedents exist for helping
K-12 students to cope with some of the problems in the real world, for
example, for hygiene, nutrition, driver and sex education. But it will
be more difficult to deal with this subject since the risks are more
abstract and usually not physically proximate. And the problems are
much more dynamic and rapidly changing.
We also have much to do with regard to educating the educators,
i.e., developing capable teachers and the materials for them to use.
This is not likely to be done well on a purely voluntary or local
basis. In some ways and locales it is likely to be controversial, and
care must be taken to get together material that is sensible,
interesting, well presented, and does not needlessly scare the wits out
of children (or senior citizens, see below). As stated above, the
subject might be treated as a separate course, or distributed
throughout the computer-using curriculum. It would also need to be
reinforced in other public domains such as libraries and Internet
cafes. This is a difficult assignment that must be given to the
Department of Education, with start-up help from the NSF. Other
professional organizations could also be constructively involved. These
might include the ACM, the IEEE Computer Society, the Computer Science
Teachers Association, the International Society for Technology in
Education, and some industry associations.
I have one final concern at the opposite end of the spectrum, with
an adult age group that usually does not figure into the academic or
workforce discussions noted in the statement of this question. A
sizable and growing fraction of senior citizens are users of the
Internet, having been coerced and cajoled into doing so for what are
often good reasons. But many do not take to computing as easily and
``naturally'' as young people. I believe that seniors are particularly
vulnerable to exploitation and accident, and to fraud in particular.
Some thought and effort should be given to help them. The institutional
means of broadly educating this group is much less obvious and more
diversified than is the case for children and teenagers. But there are
a large number of vehicles for ``lifelong learning'' in the United
States, and safe computing and computing more generally should be made
a much larger part of their curricula than is now the case. Again the
professional associations, and the AARP in this case, might be
constructively engaged in dealing with this problem.
Answers to Post-Hearing Questions
Responses by Liesyl I. Franz, Vice President, Information Security and
Global Public Policy, TechAmerica
Questions submitted by Representative Ralph M. Hall
Q1. Some experts have suggested that we should consider taking
critical infrastructure networks such as those that control electricity
transmission and distribution ``off the grid''--onto a network
physically not connected to the public Internet, just as we do with our
classified military networks. Please comment on whether you think such
an approach warrants further consideration, and if so what potential
benefits as well as challenges would accompany it.
A1. There would be considerable impacts on the usability and innovation
derived from critical infrastructure networks should they be ``taken
off the grid'' and put onto a classified-like proprietary network. In
fact, in many cases such separation would be incompatible with the
vision for improved, data-driven efficiencies that motivates ``smart
grids.'' With regard to electricity transmission specifically,
TechAmerica member companies cite such examples of pooling and analysis
of real-time, end-device power-consumption data that enables more
efficient electricity generation and transmission. In addition, we
caution against policies that would adversely impact innovation in home
networks or consumer products, either in inhibiting the very innovation
that helps drive our economic growth or in establishing one-size-fits-
all cyber security requirements that stifle functionality and, in many
cases, may not deliver greater security.
With regard to this question, specifically, I highlight two key
principles: (1) Cyber security is not a one-size-fits-all endeavor, and
no one solution will meet all the needs of any given client. Therefore
it is imperative that government, industry, and even individual network
owners and operators undertake a risk management approach to the
security of their operations. (2) As manufacturers and users of
innovative technological solutions consider ways to ensure
interoperability and security measures, they should engage in appropriate,
and global, standards development organizations in order to meet the
specific needs of each product or service and involve all stakeholders.
Q2. The comprehensive cyber security initiative that was created by
President Bush and is continuing under President Obama focused on
improving cyber security coordination across government and on funding
game-changing ``leap-ahead'' technologies. Do you agree with these
priorities? If you had an additional $100 million to spend on cyber
security R&D, to what agencies and research areas would you devote it?
Is there general agreement within the scientific community regarding
security research priorities?
A2. The IT industry does support efforts to improve cyber security
coordination across government and on funding for the development of
``leap ahead'' technologies. As such we support the intent of the R&D
efforts that are part of the Comprehensive National Cyber Security
Initiative (CNCI). However, we believe those efforts can only be
successful if they incorporate consultation and coordination with
industry and the science community on identifying priorities. The IT
sector is undertaking efforts now to engage the U.S. Government and
provide suggestions and exchange information on R&D programs. The
primary goal of these efforts is to ensure support for allocation of
funds for projects that do not duplicate existing or ongoing work and
help the government identify areas for research funding that lack a
viable commercial market opportunity or incentives.
Implicit behind the premise of ``leap ahead'' research is the idea
that there may be problems too intractable to be addressed in a timely
fashion through incremental research. At times, useful discoveries may
occur from unanticipated multi- or cross-disciplinary investigations.
The creation of public/private partnership models to support
revolutionary (as opposed to evolutionary) research is an important
part of a balanced national strategy for cyber security research and
development.
Another important part of a balanced approach to R&D is ensuring that
the benefits of that research are made available to others. Such
technology transfer is the ultimate goal of industrial research
programs that bring the effect of research successes to the market and
to product users. To the extent that government can streamline the
environment for technology transfer the greater the benefit.
With regard to research areas where additional funding could be
applied, we highlight two that have been part of recent discussions,
including the recent National Cyber Leap Year Summit. First, given new
challenges to IT management as systems become more automatically
adaptable or self-modifying in order to resist attacks, we may benefit
from research into the management of adaptive systems. Second, research
into cyber security metrics is another area where there is significant
opportunity for progress.
Lastly, whichever agency or agencies receive funding for such
research and development efforts, we strongly urge requirements for
coordination and collaboration with other agencies and with the private
sector and the academic community.
Q3. The strategy of both the past and current administration has
focused most of our cyber security investment--several billion dollars
annually--on procuring and deploying intrusion detection systems. Due to
the cat-and-mouse nature of cyber warfare and defense that several of
you noted in your testimony, it seems that these systems are only
effective against threats that we already know about and understand.
Given this reality, can this type of approach produce effective
results over the medium- or even short-term? If not, is research on a
new and fundamentally secure Internet architecture the only long-term
answer?
A3. It is precisely the dynamic and evolving threat environment that
calls for taking a risk management and all-hazards approach to
protecting ourselves from cyber attacks, to include not only
technology, but people and processes as well. Certain technologies will
address specific kinds of attacks, while a more sophisticated
enterprise architecture will help defend against various kinds of
intrusions. Each enterprise--or individual--needs to assess their
specific usage, system, and security needs and make their investments
accordingly. While R&D on a new Internet architecture may be something
to consider, such an approach must be evaluated with all the
stakeholders at the table to ensure a thorough vetting of the
objectives, potential solutions, and intended and possibly unintended
consequences. In the meantime, however, we must continue to invest in
key cyber security R&D for both short and medium term innovative
solutions to today's challenges.
Q4. When this committee discusses a STEM education issue, we don't
just focus on higher education. We start at the pre-K levels and extend
beyond post-graduate work. Most of the education-related testimony has
focused on our adult population either from an academic and workforce
perspective, a behavioral perspective, or a public awareness
perspective. What are your education recommendations for our children
when it comes to cyber security in all of these areas?
A4. At the most rudimentary level, we should be including ways to
sensitize our children to cyber security considerations when they are
learning how to use a computer and the Internet, something which is
occurring at very young ages today. We can take advantage of that early
learning to infuse good user practices that address safety (what
information you put on the Internet about yourself), security (if you
are learning how to download any number of ``fun'' applications, you
can also download anti-virus software and encrypt your wireless
connection), and ethics (consequences of cyber bullying or cyber
fraud). Building such elements into the K-12 curriculum must recognize
the dynamic nature of the cyber medium and the threats it faces and,
therefore, be set up in a way that is flexible to be updated as
necessary, and to provide resources for educators and students about
where they can go to get the most up-to-date information. One good
source for such information is www.staysafeonline.org, which is run by
the National Cyber Security Alliance (NCSA), a non-profit public-
private partnership to build cyber security awareness with all user
groups.
At a more strategic level, we can be developing curriculum that
lays the foundation for a workforce that is capable of designing secure
systems. Congress could call for a short-term task force that engages
industry, academia, the Department of Education, the Department of
Homeland Security, and the Department of Commerce's National Institute
for Science and Technology (NIST) to make recommendations for
establishing such a foundation, evaluating and building upon any
existing efforts and/or developing new ones.
Q5. Ms. Franz, in your testimony you call for a ``true government-
industry collaboration on research projects.'' Please elaborate on this
recommendation. How would it be structured, and how would research
priorities be identified? What agency or agencies do you think should
fund such an effort?
A5. In my testimony, I wanted to emphasize the need for collaboration
among government-industry partners on equal footing. Such equal footing
could be achieved a number of ways, including through a structure that
ensures engagement with government and industry representatives at the
very beginning of any evaluation and prioritization process. In
addition, a governance structure could ensure that each partner has
equally weighted ``votes'' in the deliberation process. Too often one
partner works on a process alone for so long that once the other
partner is brought into the process, it is too late for a fully
deliberated discussion and prioritization. Finally, true collaboration
would include commensurate stakes and investment by each partner. For
example, should the government fund an effort, industry could provide
expertise that meets the need--and the stated level of partnership.
Such ``true'' collaboration would require a change in how government
and industry each approach the R&D discussion today and bring them
together at the beginning of the partnership process--even in how that
process is conceived.
For funding a cyber security R&D collaborative effort, I believe
any number of agencies could--and should be involved to maximize not
only the funding sources but also the expertise from various
constituencies and bring them--and their industry stakeholders--
together for such a project.
Answers to Post-Hearing Questions
Responses by Anita D'Amico, Director, Secure Decisions Division,
Applied Visions, Inc.
Questions submitted by Chairman Daniel Lipinski
Q1. In your written testimony you indicate that good security
decisions are based on an understanding of risk. How is cyber security
risk assessed and are the current methods or tools adequate? If current
measures of cyber security are not adequate, what research is needed to
improve cyber security risk assessment?
A1. The methods and tools for measuring cyber security risk are not
adequate. There is an excellent May 2009 publication entitled
``Measuring Cyber Security and Information Assurance'' by the
Information Assurance Technology Analysis Center (IATAC) which is
available through the Defense Technical Information Center. It
summarizes the state-of-the-art of measuring cyber security, which is a
prerequisite to understanding and measuring the actual risk associated
with the security state, and describes several measurement approaches.
It concludes: ``there are no universally recognized, reliable, and
scalable methods to measure the security of [IT] assets.''
Even if the risk measurement tools and methods were scalable and
reliable, their value for enhancing security state would be minimized
without commitment by the decision-makers to consistently use the tools
and methods. However, business managers have not yet committed to
regular measurement and mitigation of the discovered risks. What will
it take for risk measures to be embraced by corporate and military
officers?
Answer the ``Risk to what?'' question--The broad
usage of security risk measurement is more likely to occur if
the industry managers and military commanders understand the
impact of these risks to their specific mission, whether that
mission is to build a greater revenue stream or protect Afghani
citizens from terrorists. Risks must be put into the context of
the goals of the organization and the individual investing in
the risk measurement. A ripe research area is to identify
methods for automatically linking the availability,
confidentiality and integrity of IT assets to the specific
business processes or mission tasks that the organization or
individual must perform.
Establish the credibility of the risk measures--As
with any metric, it must be grounded in systematic observation
of lots of data. The data on which the metric is based must be
recognized as meaningful to the ultimate users of the metrics.
Make it easy to collect--Automated tools for
collecting relevant data from the network enterprise and
calculating the risk measures would decrease resources needed
to perform risk measurement. Research and technology
development is needed to determine the best methods for
collecting and calculating risk measures in real-time.
Make it easy to mitigate--The IATAC report cites a
need for research in ``self-healing'' measures in which an
automated response would be triggered when a threshold of risk
metric is reached. In addition to the automated mitigation
approaches, we need methods of presenting the outcome of risk
measurement in intuitive and actionable form.
Finally, most cyber security risk measurement is focused on wired
networks, ignoring the ubiquity of wireless devices. Wireless access
points, wireless cards within laptops, and smart phones can be
exploited by attackers to penetrate critical wired networks. Even
though wireless networks may be excluded by policy from many military
and industry organizations, the mobile devices carried by the personnel
hold high-value information which can be exploited by cyber criminals
or foreign agents. Future research in risk measurement must factor the
wireless landscape into the calculation of risk.
Questions submitted by Representative Ralph M. Hall
Q1. Some experts have suggested that we should consider taking
critical infrastructure networks such as those that control electricity
transmission and distribution ``off the grid''--onto a network
physically not connected to the public Internet, such as we do with our
classified military networks. Please comment on whether you think such
an approach warrants further consideration, and if so what potential
benefits as well as challenges would accompany it.
A1. I don't feel I have the background to respond to this question.
Q2. The comprehensive cyber security initiative that was created by
President Bush and is continuing under President Obama focuses on
improving cyber security coordination across government and on funding
game-changing ``leap-ahead'' technologies. Do you agree with these
priorities? If you had an additional $100 million to spend on cyber
security R&D, to what agencies and research areas would you devote it?
Is there general agreement within the scientific community regarding
security research priorities?
A2. I thought the NITRD Cyber Leap Year call for leap-ahead
technologies was an innovative approach to exciting the cyber security
research community. They reviewed 238 responses, and produced five
categories of technology that NITRD cited as critical areas for
funding:
Digital Provenance--basing trust decisions on
verified assertions
Moving-Target Defense--attacks only work once if at
all
Hardware-Enabled Trust--knowing when we've been had
Health-Inspired Network Defense--move from forensics
to real-time diagnosis
Cyber Economics--crime doesn't pay
I concur that all of these are important areas for future funding.
However, there are a few areas that I believe warrant government
investment such as the $100 million to which you referred:
Cascading effects of an attack--More work is needed
in understanding the interdependencies within the cyber
infrastructure, and between the cyber infrastructure and other
critical infrastructures. Other work is needed to understand
the dependencies of critical business operations on the IT
infrastructure and how a cyber attack can cascade to affect
several business operations within and across organizations.
Resiliency and recovery--Attackers will get into our
systems. The cascading effects of an attack will occur. How do
we continue to work through and fight through the attack?
Information value--The cascading effects of an
attack, and recovery decisions, are based in part on the value
of the information needed to maintain critical operations.
However, we have little understanding of what makes information
valuable to people and critical operations. If we knew how to
measure the value of information, we would be able to apply
security measures to follow the high-value information, even as
it moves throughout a network.
Attack attribution and legal response--Proving the
source of an attack remains difficult. Research is needed on
how to identify the attack source. Additional work on the legal
aspects of cyber crime must determine the appropriate level of
evidence needed for attack attribution, and the laws and
policies that will permit the collection of that evidence.
Security of socially connected wireless devices--The
steady rise of social networking, much of it performed with
mobile devices, poses threats to our cyber infrastructure as
well as potential opportunities for remediation. Research in
this area is still in its early stages, and should be continued
with greater investment.
A few minor criticisms of the Cyber Leap Year format for
solicitation:
There would have been more responses, particularly
from some of the large industrial R&D organizations, if NITRD
had made a provision for protecting proprietary approaches and
proposing classified ideas. The companies with the biggest
Internal R&D funding were unlikely to toss out their best ideas
for anyone on the Internet to review.
It is surprising that none of the 238 responses were
deemed of sufficient merit to warrant a topic-specific
workshop. The fact that no one got an invitation to a workshop
based on the merit of their response is likely to negate future
enthusiasm for such a program.
Regarding which agencies should receive the funding, I think the
decision should be guided in large part by which agencies are most
likely to transition the resulting technology into widespread
operations, and are most likely to manage research that combines
researchers from various communities, i.e., academia, industry,
government, classified and unclassified. I believe that the service
laboratories (e.g., Army Research Laboratory, Air Force Research
Laboratory, Naval Research Laboratory) and DHS Cyber Security R&D are
in an excellent position to bring together academic, industry and
government researchers. NSF is largely biased toward academic
researchers. NSA requires clearances that many academicians don't have.
The service laboratories and DHS-CSRD also have the mindset and
contractual experience to handle classified and unclassified work and
address contract terms relevant to both academia and industry.
Perhaps most important, the service laboratories are in a position
to help transition the technology into military and homeland security
programs.
Q3. The strategy of both the past and current administration has
focused most of our cyber security investment--several billion dollars
annually--on producing and deploying intrusion detection systems. Due
to the cat-and-mouse nature of cyber warfare and defense that several
of you noted in your testimony, it seems that these systems are only
effective against threats that we already know about and understand.
Given this reality, can this type of approach produce effective results
over the medium, or even short, term? If not, is research on a new and
fundamentally secure Internet architecture the only long-term answer?
A3. Intrusion detection systems, while not the ultimate solution, can
be useful in the short term because they add a layer (albeit weak) of
defense that thwarts script kiddies and other amateurs. They also
create a nuisance for more-sophisticated attackers, thereby increasing
the amount of time and effort they must expend in order to penetrate
our systems. However, intrusion detection systems do not warrant
significant government research funding, as the commercial companies
deploying them are incentivized by their sales to continue this work.
Government research does need to focus on the larger, game-changing
issues in order to achieve real security. A new and fundamentally
secure Internet architecture is an excellent long-term goal. However we
must accept the fact that no system or architecture can achieve
complete security without completely sacrificing openness. Therefore
research needs to continue to focus on defensive techniques, but from
the new perspectives discussed earlier--not from the perspective of
just making better intrusion detection systems.
Q4. When this committee discusses a STEM education issue, we don't
just focus on higher education. We start at the pre-K levels and extend
beyond post-graduate work. Most of the education-related testimony has
focused on our adult population either from an academic and workforce
perspective, a behavior perspective, or a public awareness perspective.
What are your education recommendations for our children when it comes
to cyber security in all of these areas?
A4. Students need to acquire an understanding about computers and the
Internet as basic elements of life in the digital age. Safe computing
should be a basic element of our K-12 curriculum, like math and
reading, not an elective. Organizations such as the National Cyber
Security Alliance are already working to support safe computing
education for K-12, but additional assistance and attention is needed.
Education of children is also the first step in a cultural shift
towards a more secure digital world and away from the current view of
digital information as a free-for-all. The ease with which information
can be shared, copied, pirated, and distributed has created a sense in
the current generation that the information itself has no real value.
Teaching adults to fear the Internet and to be careful about
downloading may achieve behavioral change to some degree, but does not
affect cultural change.
The younger generation is the driving force in this cultural shift:
they are the ones stealing music and movies, posting personal
information on social networking sites, installing peer-to-peer
software on their computers without concern for the security risks, and
in general treating their digital lives with the same carelessness with
which they clutter their rooms. They do this because they can, and
because they have not been taught that this is all wrong. This
fundamental lesson of respect for information--its financial value, its
privacy implications, its intrinsic importance to their lives--must be
ingrained in them from the earliest days. From this will flow a
cultural shift away from the information-wants-to-be-free attitude of
the early Internet days towards a more mature, and secure, digital
world.
The building of a culture of safety, respect and ethics in the
digital world should begin in early elementary school education. This
should start with awareness training in elementary school for cyber
safety and cyber security basics such as safe browsing and e-mail,
identity theft, and issues around social networking--think of it as
hygiene lessons for the digital world--and should also instill the
ethics of information. Children need to learn that information has real
value, and must be protected and respected just as much as physical
treasure. Most well-raised American children wouldn't even consider
walking into a Wal-Mart store and stealing a Nintendo game, yet
millions of them think nothing of downloading music illegally from
LimeWire every day.
Cyber education should progress during the middle school years to
more advanced issues of cyber security and ethics such as data
protection, data sensitivity, privacy, and digital copyright. Digital
privacy issues should be emphasized in grades five through nine.
Current middle-schoolers, though conscious of their privacy needs at
home, really have no sense of digital privacy--something that some
adults unfortunately exploit. The kids cry ``invasion of privacy'' when
Mom cleans their room and finds some sort of contraband under the bed,
yet they think nothing of installing BitTorrent on their iMac and
opening their files for the entire world to see. They cringe if you put
their class photo on the refrigerator, yet they gleefully post photos
of their latest binge on Facebook.
By the time students reach high school, they should be prepared to
drive themselves in the digital world. The goals should be similar to
those of driver education: know how to operate the equipment, be
knowledgeable of the laws and the repercussions of breaking them, and
be able to travel without injury to yourself or others. Those with even
greater interest can learn how to build, take apart and speed up the
information technology--always with safety in the forefront.
Answers to Post-Hearing Questions
Responses by Fred B. Schneider, Samuel B. Eckert Professor of Computer
Science, Department of Computer Science, Cornell University
Questions submitted by Chairman Daniel Lipinski
Q1. In your written testimony you indicate that good security
decisions are based on an understanding of risk. How is cyber security
risk assessed and are the current methods and tools inadequate? If
current measures of cyber security are not adequate, what research is
needed to improve cyber security risk assessment?
A1. Risk is usually defined as an ``expected value'' (in the
statistical sense) and, therefore, requires identifying all possible
hazards and then estimating the cost and probability of each. Applying
this definition to a computing system would require calculating or
estimating these costs and probabilities (as well as identifying all
hazards), and that is far beyond the state of the art. Moreover,
historical data, which works so well for writing life, health, and
property insurance policies does not help for doing a cyber security
risk assessment: a system's internals (hence the system's
vulnerabilities), where systems are being deployed (hence the
consequences and cost of a successful attack), and attacker
sophistication (hence the likelihood of an attacker's success) change
too rapidly for the past to be a good predictor of the future.
Given these inherent difficulties in measuring the constituents of
the ``expected value'' that defines cyber security risk, I believe we
would be better off focusing our research investments on science and
engineering that helps ascertain a system's compliance with given
behavioral specification or properties. This is, in a sense, the flip
side of cyber security risk, since risk involves the probability of a
system's exhibiting behavior that departs from those specifications.
Examples of the kinds of research I am advocating can be found in
(among others) the area of programming language design and the area of
automated tools for analyzing program execution--for instance, research
into rich type systems for programming languages and model checking for
program verification. These technologies can help establish that a
program's execution will exhibit certain properties and, as a side
effect, enable tools to detect large classes of code vulnerabilities.
We should also invest in research that aspires (i) to developing a
principled way for extracting ``trust assumptions'' in systems and (ii)
to understanding how various security technology relocates ``trust
assumptions'' from one component to another, since this is a way to
surface the risks in a system design.
Although this proposed research ignores the probabilities and costs
of attacks, its fruit doesn't prevent individuals from using insights
about threats, system internals, or the circumstances of a system's
deployment when deciding how best to manage the risk of cyber attacks.
Here, broadly disseminating information about attackers, successful
attacks, and cost or consequences of attacks would be in everyone's
best interest, because system operators and their users all could then
evolve a better understanding of the risks they face and have a basis
to make more intelligent decisions. Therefore, I advocate putting in
place incentives for public reporting of successful attacks, attacker
capabilities, and their consequences as another key step toward being
able to assess cyber security risk.
Q2. One of the near-term action items of the Administration's
Cyberspace Policy Review is to provide the research community with
event data. What is the quality of event data currently utilized by the
research community and is it a realistic representation of network
activity?
A2. Event data is today not broadly available to the research
community. This means researchers do not have good data against which
to evaluate solutions they develop nor do they have a way to gain the
kind of first-hand experience that is often crucial for understanding
the real problem and inventing solutions.
Today we find that to avoid undermining public trust, information
about successful attacks is generally kept confidential. Information
about vulnerabilities is generally not made public until after a
defense has been widely deployed. And information about network traffic
is not generally available from ISPs or from other network operators
because it can reveal information about their cost and pricing models;
it also can reveal users' private information.
Network traffic data sometimes is made available today to selected
researchers if they agree not to further disclose that data nor
disclose its attribution in publications that analyze the data. Such
data cannot be shared with other researchers, making comparative
analysis of work done in different labs impossible.
Various test-beds allow researchers to experiment ``at scale'' and
sometimes it is possible to use those as a source of data. However,
load (including attacks) in these testbeds is either generated
artificially or (in the case of PlanetLab\1\) would depend on
concurrently executing experiments (hence is difficult to reproduce).
In short, today's testbeds are a poor substitute for experiments that
use real, operational, datasets.
---------------------------------------------------------------------------
\1\ http://www.planet-lab.org/
---------------------------------------------------------------------------
Recently, the Office of Science and Technology Policy invited the
National Science Foundation to organize a group of NSF-supported
computing researchers and provide a white paper detailing specific
kinds of networking and cyber security data that would be useful for the
academic research community. Professor Nick Feamster (Georgia Tech)
coordinated that effort, and a short white paper is now available.\2\
---------------------------------------------------------------------------
\2\ Jean Camp, Lorrie Cranor, Nick Feamster, Joan Feigenbaum,
Stephanie Forrest, Dave Kotz, Wenke Lee, Patrick Lincoln, Vern Paxson,
Mike Reiter, Ron Rivest, William Sanders, Stefan Savage, Sean Smith,
Eugene Spafford, Sal Stolfo. Data for Cybersecurity Research: Process
and ``Wish List.'' June 10, 2009. Available at http://
www.cc.gatech.edu/feamster/papers/data-wishlist.pdf
Q3. Do you have any specific recommendations for existing federal
agency programs that should be expanded or new programs that might be
created to address cyber security education needs? Is there a specific
level of education that is in need of increased attention?
A3. I am aware of two federal programs in support of cyber security
education:
The Federal Cyber Service Scholarship for Service
(SFS)
National Centers of Academic Excellence in IA
Education (CAEIAE)
I have no direct experience with SFS.
I have some experience with CAEIAE. This program certifies whether
a college or university offers an educational program deemed by the
National Security Agency (NSA) to provide a suitable background for
working in information assurance. The criteria for CAEIAE designation
include requirements about what is taught and about the qualifications
of who does the teaching.
I decided not to pursue CAEIAE for Cornell because I did not find
current thinking about cyber security well represented in the
curriculum requirements for CAEIAE certification. And while the number
of schools with CAEIAE certification is rather substantial, Cornell is
hardly the only outsider. Only Carnegie Mellon University (CMU) of the
five universities in the NSF funded TRUST Science and Technology Center
pursued a CAEIAE certification, yet these five universities are among
the very top cyber security programs in the country; also only two (CMU
and University of Illinois) of the top five ranked Computer Science
departments are listed on the CAEIAE web site as having CAEIAE
certification. Recently, Purdue, which hosts the nationally known
Center for Education and Research in Information Assurance (CERIAS),
decided against renewing its CAEIAE certification. Professor Eugene
Spafford, Director of CERIAS, contributed to creating the CAEIAE
program in 1997; he details his reasons to now forgo CAEIAE
certification in his on-line blog.\3\
---------------------------------------------------------------------------
\3\ http://www.cerias.purdue.edu/site/blog/post/
centers-of-academic-adequacy/
---------------------------------------------------------------------------
The field is moving rapidly, and what we teach needs to keep pace
with what is known and with the needs of all the stakeholder
communities; CAEIAE doesn't. Moreover, the dividing line between what
constitutes training and education is shifting, with various software
producers now taking an active role in training their workforces about
(for example) secure coding and avoiding common vulnerabilities. What
gets taught in the university should reflect those realities and not
waste time duplicating current industry-training efforts. Needless to
say, one way that I believe the Federal Government can help move cyber
security education forward is by not imposing constraints on content.
Second, our very best faculty, who typically are exploring new
approaches to organizing and teaching cyber security, need incentives
to spend that extra time and effort necessary for disseminating this
work (just as the academic culture today provides incentives that
prompt the dissemination of research results). So, for example,
programs for funding cyber security education should endeavor to
attract research-focused faculty at our Tier 1 institutions. And
although funding is an important part of the picture, it is not the
only part--it is crucially important that opportunities for peer
recognition be present and that some means exist to surface evidence of
national impact from a faculty member's efforts to further cyber
security education.
I believe the greatest opportunities for having impact in cyber
security education--and ultimately on the workforce--hence the place to
focus increased attention, are in creating a new cyber security
professional degree, analogous to what we have today in law and
medicine. The undergraduate major serves a broad set of needs and, as a
result, offers few opportunities for adding new content. Moreover,
there is simply not enough time for an undergraduate to get a broad
education in Computer Science and also be exposed to all the material
that a cyber security expert (or even an apprentice) should see.
Graduate education, by contrast, allows the flexibility to require
substantial course work in specialized areas.
Universities and students will not invest in a new degree unless
there is some clear benefit. Requiring some sort of credential for
cyber security professionals is often suggested, just as lawyers and
doctors have their respective credentials. But if we are going to
pursue this, then we should first understand the options (since,
looking across the other professions, there are many possibilities) and
be clear about the consequences. Therefore, I would argue that before
mandating a credential, we first commission one or more objective
bodies, such as the National Research Council's Computer Science and
Telecommunications Board (CSTB) and/or the Government Accountability
Office (GAO), to do a study that lays out the options. Inputs should be
solicited from researchers, educators, systems builders, and systems
operators (private sector and the government). And the study should:
1. Assess what (if any) benefits would come from imposing
liability-based and/or regulation-based incentives for
credentialing cyber security professionals. What would the
costs be?
2. Identify practical structures for defining and evolving the
content that a cyber security credential covers, and consider
the various candidate examination instruments.
In parallel, we should make investments in community workshops,
planning grants, and curriculum development, as a way both to
understand whether a new cyber security professional degree is workable
and to facilitate building a community consensus for such a new degree
program. Yes, there is a crucial and immediate need for better-educated
cyber security experts and what I am proposing will take some time. But
a poorly thought-out credential and mandating the wrong content for our
students is not going to improve matters (and might well set things
back).
Questions submitted by Representative Ralph M. Hall
Q1. Some experts have suggested that we should consider taking
critical infrastructure networks such as those that control electricity
transmission and distribution ``off the grid''--onto a network
physically not connected to the public Internet, just as we do with our
classified networks. Please comment on whether you think such an
approach warrants further consideration, and if so what potential
benefits as well as challenges would accompany it.
A1. Separating the networks used by critical infrastructures from the
Internet could entail a significant opportunity cost, and it would be
virtually impossible to enforce. I therefore think it would be unwise
to pursue this approach.
The opportunity cost of separating the networks comes from the
potential loss of services. First, certain Internet services could
provide important benefits to critical infrastructures; isolating the
networks would make those services unavailable to those critical
infrastructures. Access to on-line weather predictions, for example,
could be useful in automatically controlling electric-generation
capacity, allowing new generators to spin-up in time to serve peak air-
conditioning loads on a summer day. So-called network-guard technology
could be deployed here and connect the networks, but this sacrifices
the bullet-proof appeal of complete isolation. And the critical
infrastructure's network could not be designed under the assumption
that this network is completely isolated from the Internet, since
attacks have been known to pass through guards.
Second, the Internet provides pervasive connectivity that would be
quite costly to replicate. And there will be strong temptations to use
that connectivity in making our critical infrastructures more
convenient, more efficient, and more effective. For example, an
engineer in charge of controlling a critical infrastructure might well
prefer to make after-work unexpected adjustments from his home rather
than trekking into the office at odd hours, and an Internet connection
to that critical infrastructure could be used for that--quite securely,
if VPN (virtual private network) technology is employed. And a smart
grid might serve us better if homeowners could remotely control
appliances, thermostats, or even the class of electric service being
purchased to run the household at any time. But implementing this kind
of functionality would mean sacrificing isolation because there would
be devices connected both to the Internet and to the network
controlling a critical infrastructure.
Regarding the enforceability of a network-isolation mandate, it
takes but one person connecting a single computer to both networks for
the isolation to be destroyed. Likely this connection would be done as
a matter of convenience and, judging from past experience reported for
the public telephone network, the connection would be made by a low-
level technician and without the consent or knowledge of management.
Desktop machines running commercial operating systems are not known for
their strong security guarantees, so we would be unwise to depend on
the desktop's security to provide isolation between the networks when
both are connected to the same machine.
Q2. The comprehensive cyber security initiative was created by
President Bush and is continuing under President Obama focused on
improving cyber security coordination across government and on funding
game-changing ``leap-ahead'' technologies. Do you agree with these
priorities? If you had an additional $100 million to spend on cyber
security R&D, to what agencies and research areas would you devote it?
Is there general agreement within the scientific community regarding
security research priorities?
A2. I am not knowledgeable about the details of CNCI, because the
initiative has been classified and, therefore, information about it has
not been generally available to the academic research community. I
nevertheless can offer high-level comments about what seem to be the
key elements.
Better coordination of cyber-defense across government should be a
national priority. A cyber-defense is only as good as its weakest link.
So a coordinated defense, if overseen by a technically strong
organization that has the power to compel federal agencies to deploy
specific cyber-defensive measures, is likely to decrease the chances
that any agency's computing system becomes such a ``weak link.'' The
existence of a central clearinghouse for information about attacks--on-
going and past--also would be valuable for cyber-defense.
To deploy new cyber-defenses will require replacing and
reconfiguring systems. I presume funding for these activities is a
large part of the CNCI budget. We will want to be sure this money is
spent wisely, and the absence of opportunities here for advice from the
research community or from the private sector concerns me. Some
government agencies are well served being advised by the intelligence
community, with its strong track record of securing our nation's
classified systems. But other agencies are more like the commercial
organizations found in the private sector, with different needs and a
different tolerance for risk. Such agencies might benefit more from
advisors outside the intelligence community. Finally, I should report
that the utility of various CNCI-proposed defenses has been questioned
by cyber security experts in the private sector and in the research
community (albeit, people who did not receive classified briefings and
therefore have an incomplete understanding of the problem and
solution). This questioning suggests that any kind of central
coordination should be in conjunction with some sort of advisory board
that is populated by cyber security experts (technical and policy) from
the private sector and academia.
The CNCI emphasis on ``game-changing `leap-ahead' technologies''
seems well intentioned, but we should be careful about exactly how this
is interpreted. For sure, if we continue with business as usual then we
will never get to the point of running networked information systems
that are trustworthy. But, as noted in my testimony, the way to be
proactive and have the greatest chances of revolutionary advances--what
I presume is meant by ``game-changing leap-ahead technology''--is to
build a science base for trustworthiness. The science base must come
first; an initiative that focuses on only the technologies would likely
fail without a science base.
Second, the advances CNCI seeks are not going to come if we just
concentrate on developing new technologies and educating the workforce.
Economics and law play a significant role in determining what (if any)
investments system builders and operators actually do make in support
for system trustworthiness. If we as a nation are not prepared to make
game-changing alterations to our values and policies, then business as
usual will continue despite any game-changing technologies we might
develop, because it is virtually certain that trustworthiness will be
far from free.
Finally, I note that we might ``leap-ahead'' but our attackers will
surely follow. Cyber security is not a game that can be won once and
for all. We must win it each day anew. Let nobody believe that we only
need one set of ``game-changing `leap-ahead' technologies.''
How to spend an additional $100M on cyber security research? Page 6
of my testimony gave a list of research areas. This list was based on
(i) a consensus view of academic cyber security researchers NSF brought
together earlier this year to provide input\4\ for Melissa Hathaway's
White House 60-day Cyber-Policy review as well as (ii) a recent
National Research Council study\5\ on a cyber security research agenda;
I was directly involved in both efforts.
---------------------------------------------------------------------------
\4\ Notes for White House 60-day Cyber-Policy Review. Available on
WWW at http://www.cs.cornell.edu/fbs/publications/SciPolicyNSFnotes.pdf
\5\ Toward a Safer and More Secure Cyberspace. S. Goodman and H.
Lin (eds.), National Academies Press, Washington, DC, 2007. Available
on WWW at http://books.nap.edu/catalog.php?record-id=11925
---------------------------------------------------------------------------
NSF is the obvious agency to distribute additional cyber security
research funding. Up to 200 additional researchers in cyber security
could be funded at $500K per year, and I would argue that an individual
researcher's funding needs to be at (or preferably above) that level if
we can have hopes of supporting enough graduate students to make
inroads into the demand for additional faculty and private sector
experts. But should all the money be sent to NSF? I have no basis for
justifying a scheme to divide the funds among various funding agencies.
For example, there is now a new DARPA director, with indications that
she will return DARPA to its past role in funding cyber security
research at universities. This would be a wonderful development,
because DARPA-funded research has a very different character from the
efforts that NSF supports; I have no idea whether this redirection of
effort within DARPA would require additional funding. The Air Force,
Army, and Navy also have (modest) cyber security research programs that
fund faculty; these have yet a different character from the DARPA and
NSF programs, and they likely would make good use of additional funds.
Q3. The strategy of both the past and current administration has
focused most of our cyber security investment--several billion dollars
annually--on procuring and deploying intrusion detection systems. Due
to the cat-and-mouse nature of cyber warfare and defense that several
of you noted in your testimony, it seems that these systems are only
effective against threats that we already know about and understand.
Given this reality, can this type of approach produce effective results
over the medium- or even short-term? If not, is research on a new and
fundamentally secure Internet architecture the only long-term answer?
A3. Despite the difficulty with intrusion detection that is noted in
the question statement, this approach does have defensive value if
relatively little time elapses between isolating the signature of a new
attack and distributing that signature to intrusion detection
subsystems on hosts that have not yet been attacked. Some recent
research results will help put this into context. Simulations of the
Internet done by cyber security researchers at U.C.-San Diego (and
elsewhere) have shown that a worm could spread through the Internet so
quickly that having a human involved anywhere in the path from
signature-isolation to signature-distribution would introduce too much
delay for intrusion detection to be effective. That suggests intrusion
detection has limited value against attacks that propagate rapidly. But
investigators at Microsoft Research designed and prototyped an
automated system that can detect a successful worm attack,
automatically generate filters and/or patches for that attack, and
disseminate those defenses to other systems ahead of the worm. Thus,
there are deployments that avoid direct human involvement on the
critical path for defense.
Virus scanners can be seen as a special case of intrusion
detection. And they have been quite effective at defending desktop
systems against malware, which to date has tended to propagate through
the Internet slowly. Even for malware that is not slowly propagating,
downloading a new signature file for a virus detector is usually faster
and less likely to destabilize a production system than patching the
vulnerability being exploited by that malware. So updating a virus
detector's signature file is often the fastest way to securely
reconnect a system that had been vulnerable to Internet malware.
However, new attacker technology, which obfuscates different copies of
a given virus differently, can make it impossible to create the
malware-signatures needed by today's virus scanners. Thus, virus
scanners are likely to become less and less effective.
The design and deployment of a ``fundamentally secure Internet
architecture'' would be an important step towards improving the
trustworthiness of our networked information systems. However, we
should be clear about what it involves and what would be its
consequences. It involves new research--various proposals for improved
Internet architectures have been made, but there is much investigation
and prototyping to be done before we might attempt to use these
proposals as a basis for replacing the Internet. These investigations
might take a decade or more.
And having a ``fundamentally secure Internet architecture'' would
not mean the problem is solved. Today's networked information systems
comprise end-systems (desktops and servers) interconnected using the
Internet. For example, the DNS service is part of the Internet
architecture but services (like Google and Amazon) and desktops
(running Windows and Linux) are end-systems. Virtually all attacks
originate at the end-systems and most attacks are directed at the end-
systems today because the compromise of end-systems offers value to
attackers and these end-systems are low-hanging fruit. Thus, having an
Internet that is ``fundamentally secure'' only solves part of the
problem--to solve the entire problem, we must also have end-systems
that are ``fundamentally secure.''
It does seem clear that designing a new, secure, Internet
architecture is a crucial step towards supporting trustworthy networked
information systems, and it seems equally clear that a new Internet
architecture (notably, one that supports stronger notions of provenance
and accountability) would be a key enabler for building ``fundamentally
secure'' end-systems. Yet, leveraging accountability would also depend
on making progress on policy matters. New privacy questions would be
raised and need to be resolved; and international agreements about
jurisdiction and extradition would need to be negotiated, since the
premise of accountability is that attackers can be found and punished.
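The timing argument in A3 (a worm can outrun any response path that has a human in it) can be made concrete with a standard logistic (SI) epidemic model of a scanning worm. The following Python script is an added illustration, not part of the hearing record or of the UCSD or Microsoft Research work mentioned above; the worm doubling time, population size, detection threshold and response delays are constructed assumptions chosen only to show the shape of the effect.

```python
"""Logistic model of a scanning worm versus signature-distribution delay.

Added illustration (not from the hearing record). All parameters are
constructed: a fast worm that doubles its footprint every 10 seconds in a
population of one million vulnerable hosts, and signature distribution that
starts once 0.1% of hosts are observed to be infected.
"""
import math


def infected_fraction(t, k, a0):
    """Fraction of vulnerable hosts infected at time t (seconds).

    Standard logistic (SI) epidemic: da/dt = k * a * (1 - a), a(0) = a0,
    whose closed form is a(t) = 1 / (1 + c * exp(-k t)) with c = (1 - a0) / a0.
    """
    c = (1.0 - a0) / a0
    return 1.0 / (1.0 + c * math.exp(-k * t))


def detection_time(threshold, k, a0):
    """Time at which the infected fraction first reaches `threshold`.

    Solves a(t) = threshold for t; if the worm already exceeds the threshold
    at t = 0 the answer is 0 (detected immediately).
    """
    if threshold <= a0:
        return 0.0
    c = (1.0 - a0) / a0
    return math.log(threshold * c / (1.0 - threshold)) / k


def fraction_when_signature_arrives(delay, k, a0, threshold):
    """Infected fraction by the time a signature reaches the not-yet-infected
    hosts, if distribution completes `delay` seconds after first detection.

    Everything infected before that moment is lost to the defense; the
    remainder is what the signature can still protect.
    """
    return infected_fraction(detection_time(threshold, k, a0) + delay, k, a0)


def rate_from_doubling_time(seconds):
    """Contact rate k for a worm whose footprint doubles every `seconds`
    while the infected fraction is still small (early exponential phase)."""
    return math.log(2.0) / seconds


def compare_response_paths(k, a0, threshold, delays):
    """Map each labelled response delay to the infected fraction at the
    moment the signature lands."""
    return {
        label: fraction_when_signature_arrives(d, k, a0, threshold)
        for label, d in delays.items()
    }


if __name__ == "__main__":
    K = rate_from_doubling_time(10.0)      # constructed: doubles every 10 s
    A0 = 1.0 / 1_000_000                   # constructed: one seed in 1M hosts
    THRESHOLD = 0.001                      # constructed: noticed at 0.1% infected
    delays = {                             # constructed response paths
        "automated, 10 s": 10.0,
        "automated, 60 s": 60.0,
        "human on path, 1 h": 3600.0,
    }
    print(f"worm noticed at t = {detection_time(THRESHOLD, K, A0):.0f} s")
    for label, frac in compare_response_paths(K, A0, THRESHOLD, delays).items():
        print(f"{label:>20}: {frac:6.1%} of hosts infected before signature lands")
```

With these constructed parameters the worm is noticed roughly 100 seconds after release; a 10-second automated response still finds under 1% of hosts infected, a 60-second one about 6%, and a one-hour human-in-the-loop path arrives after essentially the whole population is compromised. The model ignores bandwidth saturation and uneven address-space density, so real curves are slower at the tail, but the ordering of outcomes is what the testimony relies on.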
Q4. When this committee discusses a STEM education issue, we don't
just focus on higher education. We start at the pre-K levels and extend
beyond post-graduate work. Most of the education related testimony has
focused on our adult population either from an academic and workforce
perspective, a behavioral perspective, or a public awareness
perspective. What are your education recommendations for our children
when it comes to cyber security in all of these areas?
A4. Our children use computers, so it is sensible to suggest that they
ought to be told something about actions they might take that could be
risky. And some risky behaviors are indeed simple enough to teach a
child about (e.g., don't play with matches and don't accept candy from
strangers). But other behaviors are not (e.g., don't attend movies with
adult themes)--we as a society prevent such behaviors, not by educating
the child but instead with other safeguards. So the real issue is
whether we can devise guidance even a child can understand and that, if
followed, would serve that child well when venturing in cyberspace.
I'm afraid the flexibility and universal nature of computers that
is their strength is also the reason simple guidance is unlikely to be
useful in describing to children (or even to many adults) a large space
of potentially unsafe behaviors. Unlike Smokey the Bear's exhortation
about the prevention of forest fires (``Only you can . . .''), vague
exhortations about risky cyber security behaviors are hard to apply
when defenses and attacks co-evolve, since what is risky periodically
changes.
For example, consider what we might tell a child concerning web
sites he/she might visit or what actions might be ``safe'' when
visiting a web site. The browser interface changes every few years, and
attacks seem to keep pace with the creation of defenses these
interfaces embody. In fact, ``human-computer interaction'' research
studies have now demonstrated that people taught about a browser
security icon (e.g., the ``key icon'' signifying an https connection)
are still fooled by attackers who--knowing what these users have been
told--create a facsimile of the icon or fashion some message that
convinces users all is safe even with the icon absent. In general, as
each defense fails, we as defenders create a new symbol or structure;
attackers then find a way to spoof that, causing people who practice
what we have previously preached to fall prey.
In light of this co-evolution of attacker and defender, we must
disseminate a message for each defense we deploy. And we have a choice
about that message:
If we disseminate messages that are general enough so
they don't have to be changed for each defense, then our
messages are likely to require sophistication to interpret and
act on. Children (and many adults) will not be well served by
such messages.
If we disseminate very specific messages that are
easy to interpret and act on, then the message must change for
each new generation of defense. Moreover, the different
messages might have to be inconsistent with each other. Again,
children (and many adults) will not be well served by such
messages.
What we really need first is good tools (i) for informing users
what they can trust and (ii) for users to authenticate what is at the
other end of an Internet connection. Until we have such tools, our
``public education'' campaigns will have to be vague, hence have
limited effectiveness because they cannot be converted into advice that
a child can act on.
Q5. You testify that cyber security professionals are not being
adequately trained to meet our needs citing lack of faculty resources
and technical curriculum content as the major problems. Which of these
do you consider to be the biggest challenge and what recommendations do
you have to address both of these issues?
A5. The number of cyber security faculty is the bottleneck for getting
research done as well as for the development of the much needed
curriculum and the delivery of that content to undergraduates, masters
students, and doctoral students. Moreover, the rate at which we can
graduate additional cyber security faculty will accelerate only if we
can increase the number of cyber security faculty members who are teaching
and actively engaged in research at Ph.D.-granting institutions.
How many cyber security faculty does the Nation need? Here is one,
conservative, analysis. Approximately 250 faculty are today doing
research in cyber security, judging from attendance levels at research
conferences and numbers of grants made by agencies that fund this kind
of work. Since there are approximately 125 Ph.D.-granting institutions,
that works out to approximately two researchers per institution. In
reality, the distribution is skewed--the top-ranked departments have
more (maybe three or four) because cyber security is today a hot
research area.
The list of cyber security research topics is long enough to easily
justify a community of 500 researchers, since that size would allow
approximately five researchers per topic area (and anything smaller
does not constitute a critical mass to form a community or make
significant progress). So that would mean an average of four faculty
per institution, which is also a reasonable number given the number and
variety of courses that should be covered.
Answers to Post-Hearing Questions
Responses by Timothy G. Brown, Vice President and Chief Architect, CA
Security Management
Questions submitted by Representative Ralph M. Hall
Q1. Some experts have suggested that we should consider taking
critical infrastructure networks such as those that control electricity
transmission and distribution ``off the grid''--onto a network
physically not connected to the public Internet, just as we do with our
classified military networks. Please comment on whether you think such
an approach warrants further consideration, and if so what potential
benefits as well as challenges would accompany it.
A1. Although there are instances where it may be desirable to segment
networks completely, with no interconnection (for example, this
approach is considered valuable for separating commercial aircraft
flight control systems from passenger Internet access and entertainment
systems), as a practical matter effective management of networked
information systems, including such critical infrastructure assets as
electrical generation and transmission systems facilities, requires
interconnection to ensure effective management, administration,
maintenance and reliability. Internet connectivity is becoming
increasingly necessary, as we can see from new proposals for the
``smart grid,'' which may require Internet communications from business
premises and customer homes to help monitor electricity demand and
other factors important to support national energy policy.
Even in the existing environment, companies have implemented
Supervisory Control and Data Acquisition systems using the Internet to
enable logins to remote sites to check systems and fix problems.
Without Internet access, the cost of taking these systems off-line and
putting them on a private network would be enormous.
Related to this is the fact that for all practical purposes even
separate networks will rely on Internet Protocol (IP) technologies,
standards and products to operate and will require the assessment and
management of cyber security risks. In today's environment, even very
sensitive government networks require some connectivity to the public
Internet, but have in place very strong controls to mitigate known
risks.
The bottom line is that proposals to completely separate control
systems from the public Internet are typically not feasible. We do have
a responsibility, however, to treat our critical infrastructure
networks differently. We should understand the risks and design systems
and procedures that appropriately address these risks. In some rare
cases this may require a dedicated network, but in most cases a mature
well designed system of processes and technology will suffice. Our
focus must be on effective cyber security risk management.
Q2. The comprehensive cyber security initiative that was created by
President Bush and is continuing under President Obama focused on
improving cyber security coordination across government and on funding
game-changing ``leap-ahead'' technologies. Do you agree with these
priorities? If you had an additional $100 million to spend on cyber
security R&D, to what agencies and research areas would you devote it?
Is there general agreement within the scientific community regarding
security research priorities?
A2. Many details related to CNCI are classified, and so it remains
difficult for private sector subject matter experts to assess the 12
CNCI components and their relative priorities in sufficient detail to
understand how ``leap-ahead'' technologies development--technology is
only one of the CNCI focus areas--ranks in terms of dollars and
importance. To many external experts, the broad bias in the CNCI's
publicly-available descriptions appears to be on the defense and
response aspects of cyber security, such as reducing the number of
Internet connections, intrusion detection, intrusion prevention systems
and situational awareness.
The absence of designated components in the critical areas of
identity management, authentication, authorization, data leak detection
and prevention, insider threats, and governance areas such as records
management and e-discovery does not mean they are not being addressed
or given priority in the research and development initiative, but they
are not given emphasis in public information. This reinforces the
points I made in my testimony about the need for much more trusted
collaboration between the government and industry in developing an
effective national cyber security research and development agenda.
In terms of what to do with $100 million in cyber security R&D
funding, my response would be that a reasoned way to answer that
question is to put into place the model which I advocated in my
testimony: a collaborative research agenda, reflecting tactical, mid-
term and strategic research investments, and an accountability system
for achieving results. Again, it is very important that our limited
research dollars are not allocated using the current contracts and
grants model. That model must be improved.
Q3. The strategy of both past and current administration has focused
most of our cyber security investment--several billion dollars
annually--on procuring and deploying intrusion detection systems. Due
to the cat-and-mouse nature of cyber warfare and defense that several
of you noted in your testimony, it seems that these systems are only
effective against threats that we already know about and understand.
Given this reality, can this type of approach produce effective results
over the medium- or even short-term? If not, is research on a new and
fundamentally secure Internet architecture the only long-term answer?
A3. As suggested in my previous response, an unbalanced focus on
intrusion detection systems (IDS) overlooks the complexity of the cyber
security infrastructure and the multiple, interrelated areas of risk
that must be managed as part of a balanced cyber security risk
management program.
With respect to IDS specifically, in the academic arena IDS
research has focused largely on anomaly detection, certainly an area of
promise for detecting new attacks (unlike signature-based approaches).
However, the false positive rate is still far too high, and it is
possible that funding of research might help over the medium-term.
However, IDS, while important, can never be the complete solution. IDS
is a known entity in cyber warfare and as a known entity, it can be
subverted. Therefore, we must address other critical areas of cyber
security risk, and I would focus long-term research in the areas which
I listed in my testimony.
For the long-term, I am not convinced that a ``new and
fundamentally secure Internet architecture'' is possible. For
example, even in terms of advanced Internet protocols (which also have
security implications), we have not seen the widespread deployment of
Internet Protocol Version 6 (IPv6), despite many operational benefits.
And so the adoption of a completely new architecture would be more
challenging by an order of magnitude.
Perhaps a better approach is to fund research into how you can
build accountability into systems, and what changes would be required
to the current Internet to do that. Accountability may not be possible
at the packet level, but it may be possible with changes in deployed
software and applications, which may contribute to some measure of
improvement to cyber security risk management.
Q4. When this committee discusses a STEM education issue, we don't
just focus on higher education. We start at the pre-K levels and extend
beyond post-graduate work. Most of the education-related testimony has
focused on our adult population either from an academic and workforce
perspective, a behavioral perspective, or a public awareness
perspective. What are your recommendations for our children when it
comes to cyber security in all of these areas?
A4. It cannot be repeated too often: cyber security risk management
represents an unprecedented challenge for government, business and
individuals and the global society, and one of its many components is
the need to educate Internet users at all ages. As I noted in my
testimony, education must play its appropriate role and do its part to
provide cyber security awareness, knowledge, skills for our youngest
students, and also contribute to the widespread adoption of ethical
behaviors and practices by our youngest technology users.
I believe educational programs should be developed to ensure that
teachers and schools have the skills and resources they need to make
this possible and can tailor their programs to specific age groups,
which have specific characteristics and needs, and must have age-
appropriate content, messaging and approaches. Like cyber security
itself, the programs need to address complicated subjects and issues,
and an effective program will require a strong partnership and broad-
based partnership among many stakeholders: school boards, educators and
administrators, parents, and other communities. This is an area where
well-understood approaches to educating the very young can and must be
applied in support of a national cyber security educational agenda.
Again, this is an area where collaboration and partnering among key
stakeholders is critical.
Q5. You suggest in your testimony that it would be appropriate for a
company to be awarded ``sole source'' federal funding for bringing a
specific new research idea or project to the attention of government. I
applaud your proactive approach and agree that there are many research
ideas out there that will be conceived by the private sector and not by
one of our federal agencies. However, I also agree with you that awarding
the company with the idea raises ``legitimate concerns about the
fairness of the award process.'' How would you suggest we make this
work and encourage companies to participate, while at the same time
ensuring the integrity of competitive federal solicitations? Wouldn't
the government and the American taxpayer gain more by an open
solicitation process that would perhaps even stimulate better ideas?
A5. As I indicated in my testimony, a sole source approach would not
supplant open solicitations, but would serve an important role in
augmenting the current process. If my proposal for a jointly-developed,
partnership-based cyber security research and development agenda were
implemented, it would make possible the identification of clear
categories and specific areas of research, a prioritized ranking based
on risk imperatives, and a new process for funding contracts and grants
using existing research funding agencies and programs. This national
cyber security R&D strategy could also incorporate a category for
novel, unanticipated, breakthrough ideas that could be submitted via
unsolicited proposals or that could be awarded by research funding
agencies directly outside the competitive solicitation process.
Whether agency-identified or proposed by external research
entities, the awards process would require that the sole source grant
or contract be awarded transparently, be viewed within the frame of the
overall national research strategy, and be subject to accountability
and performance controls.
In effect, I am proposing an approach that injects greater speed
and flexibility into the research grants and contracts process for
proposals that align with national objectives, but are out of cycle
with the regular solicitation process or are extremely novel. I do not
see sole source awards as a major tranche of awards, but as a way to
augment the current process.
Finally, I believe that this option, as part of a broader national
R&D strategy and plan, would serve as a clear incentive for research
funding agencies to be more receptive to unsolicited proposals and see
them as valuable--and supportable.