COMMITTEE ON SCIENCE
U.S. HOUSE OF REPRESENTATIVES
HEARING CHARTER
Cybersecurity Research and Development
Wednesday, May 14, 2003
10:00 a.m. - 12:00 Noon
2318 Rayburn House Office Building
1. Purpose
On Wednesday, May 14, 2003, the House Science Committee will hold
a hearing to examine federal cybersecurity research and development
(R&D) activities and implementation of last year's Cyber Security
Research and Development Act (P.L. 107-305).
2. Witnesses
Dr. Charles E. McQueary is the Under Secretary for Science and
Technology at the Department of Homeland Security. Prior to joining
the Department, Dr. McQueary served as President of General Dynamics
Advanced Technology Systems, as President and Vice President
of business units at AT&T and Lucent Technologies, and as a
Director at AT&T Bell Laboratories.
Dr. Rita R. Colwell
is the Director of the National Science Foundation (NSF). Before
joining the Foundation, Dr. Colwell served as President of the
University of Maryland Biotechnology Institute and Professor of
Microbiology at the University of Maryland. She was also a member
of the National Science Board from 1984 to 1990.
Dr. Arden L. Bement,
Jr. is the Director of the National Institute of Standards and
Technology (NIST). Prior to his appointment as NIST director,
Dr. Bement was professor and head at the School of Nuclear Engineering
at Purdue University. Before Purdue, he served in a variety of
positions, including Vice President of Technical Resources and
of Science and Technology for TRW Inc. and Deputy Under Secretary
of Defense for Research and Engineering. Dr. Bement has also served
as a member of the National Science Board and as chair of the
NIST Visiting Committee on Advanced Technology.
Dr. Anthony J. Tether
is the Director of the Defense Advanced Research Projects Agency
(DARPA). Until his appointment as Director of DARPA, Dr. Tether
held the position of Chief Executive Officer and President of
The Sequoia Group. He has also been Chief Executive Officer for
Dynamics Technology Inc. and Vice President of Science Applications
International Corporation's (SAIC) Advanced Technology Sector.
Dr. Tether has served on Army and Defense Science Boards.
3. Overarching Questions
The hearing will address
the following overarching questions:
1. What is the current
status of federally-supported cybersecurity research and development
programs in the United States? What level and types of effort
are needed to meet existing and emerging cyberterrorism threats?
2. How are cybersecurity
research and development activities coordinated among Federal
agencies? How are gaps in the research portfolio identified
and filled? How will the new Department of Homeland Security
affect the coordination process? How will it change the overall
portfolio of programs?
3. What efforts are
being made to develop a strong cybersecurity workforce and to
establish and expand university educational and research programs
relevant to cybersecurity?
4. How do the federal
agencies work with industry on cybersecurity research and development
efforts?
4. Brief Overview
- Information technology
systems underpin key industries such as telecommunications and
financial services, and also play a vital role in the smooth
functioning of critical infrastructures and services, such as
transportation systems, the electric power grid, and emergency
response capabilities. As the number of ways in which our economy
depends on network and computer systems has grown, so has the
number of attacks on these information technology systems. For
example, the number of incidents reported to the computer security
incident response center at Carnegie Mellon University increased
275% from 2000 to 2002, and over 42,000 incidents have already
been reported in 2003.
- Active research
and development programs to produce new cybersecurity tools
and techniques are necessary to enable us to maintain the performance
of important networks and systems and improve our ability to
defend against cyber and physical terrorism. Currently, cybersecurity
research and development is supported and performed at a variety
of federal agencies, including the National Science Foundation
(NSF), the National Institute of Standards and Technology (NIST),
and the Defense Advanced Research Projects Agency (DARPA). Within
the new Department of Homeland Security, the Science and Technology
Directorate will have responsibility for managing research and
development programs relevant to cybersecurity.
- In November of 2002,
the President signed the Cyber Security Research and Development
Act (P.L. 107-305), which authorized appropriations for the
National Science Foundation and the National Institute of Standards
and Technology to strengthen their programs in computer and
network security (CNS) research and development and to support
CNS research fellowships and training programs. However, FY
2003 appropriations and FY 2004 proposed funding are significantly
below the authorized levels.
- New hardware and
software technologies are rapidly adopted in many industries
and new ways of interfering with computer systems develop just
as fast. Multiple federal agencies will need to coordinate their
efforts to ensure that new understanding of information and
network security is generated and that this knowledge is transitioned
into useful cybersecurity products. Institutions of higher education
will have to develop and expand degree programs to ensure that
an adequate workforce exists to put the new tools and techniques
into practice. The private sector has a critical role to play,
as it will contain the developers and suppliers as well as the
major purchasers of new cybersecurity technologies and services.
5. Background
Cyberthreats to Critical
Infrastructures
Information technology
systems underpin key industries such as telecommunications and
financial services, and also play a vital role in the smooth functioning
of critical infrastructures and services, such as transportation
systems, the electric power grid, and emergency response capabilities.
Remote operation of chemical plant functions and management of
the aircraft control system also depend on software and computer
networks. Thus vulnerabilities in various components of networks
and computers could be exploited to disrupt and damage these critical
systems. For example, distributed denial of service attacks could
slow Internet traffic and bring down important web sites. Cyberattacks
on supervisory control and data acquisition (SCADA) systems could
shut down power plants or disrupt processes at chemical manufacturing
facilities. Interference with emergency responder communications
technology could amplify the effects of a physical terrorist attack.
The vulnerability of
the nation's information technology infrastructure has been demonstrated
many times in the past several years. "Hackers" are
arrested for breaking into computer systems to steal and corrupt
data, or just to disrupt government or industry services. Major
"infections" of computer viruses and worms make the
news, and smaller "outbreaks" occur daily. While the
impact on physical systems has been minimal to date, the economic
impact of successful attacks can be significant. For example,
in 2001, the Code Red and Nimda worms spread through e-mail, corporate
networks, and Web browsers. Together, they are estimated to have
produced $3 billion in costs worldwide due to lost productivity
and expenses related to testing, cleaning, and deploying patches
to computer systems. In January of 2003, the Slammer (or Sapphire)
Worm took advantage of vulnerabilities in server software to generate
a damaging level of network traffic, so Internet users experienced
difficulty accessing web sites and sending email. In addition,
Bank of America automated teller machines were taken off line,
Continental Airlines reservation computer systems experienced
widespread problems, and an emergency call center in Seattle was
essentially blacked out. Thus developing new defenses is critical
to ensure that small weaknesses are not exploited to produce major
economic consequences.
The above examples
show how a terrorist could target computer systems or networks
and create a great deal of disruption and damage. However, terrorists
could also use information technology systems to amplify the effects
of a physical attack on people or property. For example, a terrorist
planning to release a chemical or biological agent could first
send an email that appears to be from a trustworthy source (a
police department or a news agency) to order or urge evacuation
of buildings in order to increase the number of people out in
the streets when he spreads his toxin. Cyberattacks could also
be used to interfere with first responder communication and coordination
systems, hindering the ability to respond to a crisis. Thus protection
of information systems is a critical part of homeland defense.
The National Strategy
to Secure Cyberspace was released by the Administration in February
2003. It includes a number of recommendations to improve the nation's
cybersecurity now, both in federal systems and in privately-owned
infrastructures. Currently the federal government's efforts to
deploy cybersecurity tools and techniques (the "operational"
cybersecurity programs) are scattered over many agencies. The
National Institute of Standards and Technology provides guidance
and tools to federal agencies and to private industry that enable
them to evaluate their cybersecurity needs and the performance
of their security systems. The National Security Agency has significant
programs in encryption. The Department of Homeland Security will
have significant responsibilities in this area, both in new programs
in its Information Analysis and Infrastructure Protection directorate,
and in programs that are being transferred in, like the Federal
Computer Incident Response Center (FedCIRC), which provides civilian
agencies and departments with offerings in computer security incident
prevention, reporting, analysis, and recovery. There are also
private organizations, such as the federally-funded CERT Coordination
Center at Carnegie Mellon University, whose activities include
providing technical advice about and coordinating responses to
security incidents, publishing security alerts, and tracking information
about vulnerabilities and intruder activities.
The Need for Cybersecurity
Research and Development Programs
In addition to discussing
ways to reduce cyberinfrastructure vulnerabilities now, the National
Strategy to Secure Cyberspace also emphasizes the importance of
developing and carrying out a cybersecurity research and development
agenda for the federal government.
Cybersecurity research
and development programs focus on ways to prevent attacks, to
detect them as they are occurring, to respond to them effectively,
to mitigate the severity of their effects, to recover as quickly
as possible from them, and to find the people responsible. In
addition to enabling us to avoid damage from cyberterrorism, a
greater understanding of the weaknesses in computer systems and
networks and how to protect them will allow computer operators
to deflect the actions of cybercriminals, who are out to steal
credit card numbers and personal information, and of hackers, who
are out to disrupt and destroy for the fun of it.
In March 2003, the
National Academy of Science released Information Technology for
Counterterrorism: Immediate Actions and Future Possibilities.
This report outlines an extensive research agenda for information
technology research in many areas. In the information and network
security field, the areas of emphasis are: authentication (determining
that a system's users are those with permission to use it), detection
(being aware that an attack, or attempted attack, is occurring),
containment (mitigating the effects of an attack), and recovery
(getting the system back up and functioning after an attack).
The report also lists a number of research areas in which advances
will impact all facets of the effort to improve cybersecurity.
These areas include reducing the "bugginess" of software,
managing the trade-offs between security and functionality more
successfully, and gathering information on new and emerging techniques
for cyberattacks.
Existing Federal Cybersecurity
Research and Development Programs
The National Science
Foundation (NSF) and the National Institute of Standards and Technology
(NIST) currently have active cybersecurity-related programs. To
support and expand these programs, the Cyber Security Research
and Development Act was signed in November 2002. Under this Act,
NSF was authorized to expand its computer and network security
grants programs and establish new research centers in this area
and to provide grants to institutions of higher education and provide
fellowships to students to increase the number of people receiving
degrees in this area. NIST was authorized to create new program
grants for partnerships between academia and industry, new post-doctoral
fellowships, and a new program to encourage senior researchers
in other fields to work on computer security. The Act authorizes
$903 million over five years for these new programs, to ensure
that the U.S. is better prepared to prevent and combat terrorist
attacks on private and government computers. Specifically, for
FY 2004, $110.25 million was authorized for NSF, and $47.29 million
for NIST, to enable them to carry out the above programs. However,
actual appropriations in FY 2003 and the presidential proposals
for FY 2004 both fall far short of the authorized numbers. As
a result, NIST will be entirely unable to establish the grants
program for academic-industrial research partnerships, and NSF's
grants programs will be significantly smaller than those envisioned
in the Act.
The Department of Homeland
Security is currently setting up its organizational structure
and defining its programmatic priorities for FY 2003 and FY 2004.
In the department, responsibility for managing research and development
efforts relevant to cybersecurity rests in the Science and Technology
directorate, while operational responsibilities for implementing
cybersecurity fall in the Information Analysis and Infrastructure
Protection directorate. Public statements have been made indicating
that there will be no "box" in the organization with
specific responsibility for cybersecurity in either the operational
or research arenas. Operationally, programs to secure the cyberinfrastructure
will be an element of the broader critical infrastructure protection
efforts. In the Science and Technology directorate, cybersecurity
research and development programs will be part of the Threat and
Vulnerability, Testing and Assessment program, and will focus
on meeting critical needs of other DHS units, such as the Information
Analysis and Infrastructure Protection directorate and the U.S.
Secret Service. Less than 1 percent of the Science and Technology
directorate's $803 million budget will be directed toward cybersecurity
research and development. The absence of a clear advocate for
cybersecurity at the Department is of particular concern in light
of the Administration's decision in February 2003 to eliminate
the President's Critical Infrastructure Protection Board. The
Board, which was established after the attacks of September 11,
2001, authored the National Strategy to Secure Cyberspace and
the Board's director, Richard Clarke, did much to raise the level
of awareness about the vulnerabilities of the nation's cyberinfrastructure
and the need for improved cybersecurity.
The Defense Advanced
Research Projects Agency (DARPA) has played a critical role in
information technology research, including cybersecurity programs.
The first firewall, significant advances in intrusion detection
systems, and important internet security protocols were all developed
through DARPA programs. In the late 1990s, the agency made a
large investment in "defensive" information warfare,
which included unclassified research on computer systems' security
and survivability. However, DARPA does not have a history of sustained,
stable support of cybersecurity research and development programs,
and, since 2000, the size of this program has declined (from approximately
$90 million in 2000 to $30 million in 2003). Part of this decline
is due to the fact that DARPA's focus has shifted to classified
research on "offensive" information warfare. Classified
research on information security is also done by the National
Security Agency (NSA). NSA's funding for information assurance
work is estimated to be roughly $750 million, with roughly half
spent on research, development, testing, and evaluation; a significant
part of this effort focuses on cryptography. While defense-related
work on cybersecurity is necessary, it is important to recognize
that the impact such classified work has on the overall national
cybersecurity is often limited because the research is mainly
performed at government facilities and contractors, and the results
are seldom shared publicly or transferred to the commercial sector.
Overall, it is currently
very difficult to determine the total spending on cybersecurity
research and development programs across the federal government.
Information is currently collected and reported on a variety of
relevant areas (such as networking and information technology
research and development), but the programs specifically devoted
to cybersecurity research and development have not been pulled
out. OSTP has indicated that agencies will be asked to quantify
cybersecurity research and development funding within their FY
2005 request.
Another factor to be
considered in assessing the quality of cybersecurity operations
and cybersecurity research in the United States is the critical
role of the private sector in both areas. As new results emerge
from cybersecurity research and development activities, information
technology companies will have to turn new knowledge into new
technologies and services, and industries from banking to electric
power will have to choose to take advantage of these new capabilities.
Therefore, federal cybersecurity research and development programs
will have to consider ways to encourage technology transfer and
facilitate technology uptake.
Workforce Issues
Research and development
goals and useful new cybersecurity tools are of no use if there
are not people to carry out the research programs and put the
new techniques into practice. The Cyber Security Research and
Development Act, the National Strategy to Secure Cyberspace, and
the National Academy of Sciences' report all emphasize the importance
of expanding the relevant workforce. Recommended actions range
from developing undergraduate and masters programs to train operational
cybersecurity personnel to fellowships for postdoctoral and senior
scientists and engineers to increase participation in information
security research programs. Current programs in this area are
quite small. The National Science Foundation has a Cyber Security
Scholarship for Service program ($16 million requested for FY
2004). This program provides scholarships to students in the fields
of information assurance and computer security in return for a
commitment following graduation to work for a federal agency.
The Department of Defense started a program in 2000 to provide
re-training fellowships for researchers and recent Ph.D.'s looking
to transfer into the cybersecurity field, but this program is
ending in 2003. The Cyber Security Research and Development Act
authorizes NIST to establish a senior research fellowship program
that will be open to established researchers who seek to change
fields into cybersecurity research, but no funds were requested
for that program in FY 2004.
6. Current Issues
The most pressing issue
in cybersecurity research and development is the underfunding
of relevant programs. The NSF and NIST programs are well under
the authorized levels. DARPA is ramping down relevant unclassified
programs. The proposed effort in DHS is small. Yet the cyberinfrastructure
of the United States penetrates all critical infrastructures and
forms a fundamental base of the nation's physical security and
economic and social stability. Significant investment in research
and development in computer and network security will be needed
to maintain homeland security. Delaying this investment will not
only increase current and future vulnerabilities, but will also
raise future cybersecurity expenses, from the costs associated
with damage done by cyberattacks to the expenses of retrofitting
security systems onto existing hardware and software.
Each federal agency
has its own mission and thus each has its own special role to
play in cybersecurity research and development. Multi-agency collaboration
and a coherent cross-agency strategy are needed to maximize the
impact of federal investment and to ensure that gaps do not develop
in the effort to develop the tools needed to build a multi-layer
defense of the cyberinfrastructure. In addition, since many information
technology products and their implementations in critical infrastructures
are developed and owned by the private sector, close communication
with industry will be required. Finally, growth is needed in educational
programs to expand research and development programs and to train
the workforce required to implement security techniques in critical
computer and network systems.
7. Witness Questions
The witnesses were
asked to address the following questions in their testimony:
Questions for Dr. Charles
McQueary
- How will the cybersecurity
research and development agenda at the Department of Homeland
Security be defined? Will the department's science and technology
directorate develop in-house cybersecurity expertise and programs?
How will it coordinate with the department's operational cybersecurity
programs?
- What mechanisms
will the Department of Homeland Security use to coordinate its
cybersecurity research and development activities with other
Federal agencies, such as NSF, NIST, and DARPA, with active
programs in this area?
- How will the department
interact with cybersecurity research and development efforts
underway in industry? How will it interact with university-based
cybersecurity programs?
Questions for Dr. Rita
Colwell
- What actions has
the National Science Foundation (NSF) taken in response to the
Cyber Security Research and Development Act? In particular,
how is NSF fulfilling its role as the lead agency for cybersecurity
research and development as specified in Section 7 of the Act?
- What are NSF's priorities
in cybersecurity research and development? How are these priorities
determined?
- How does NSF coordinate
its cybersecurity research and development activities with other
Federal agencies?
- To what extent is
NSF identifying and working to fill gaps in the federal cybersecurity
research and development portfolio?
Questions for Dr. Arden
Bement
- What actions has
NIST taken in response to the Cyber Security Research and Development
Act?
- How does NIST coordinate
its cybersecurity research and development activities with other
Federal agencies? How does NIST interact with industry on cybersecurity
research and development activities?
- What are NIST's
priorities in cybersecurity research and development? How are
these priorities determined?
Questions for Dr. Anthony
Tether
- How have DARPA's
information assurance research and development programs evolved
over the past few years? Is there an increased emphasis on military
or offensive applications? How is the balance between classified
and unclassified efforts changing?
- How does DARPA coordinate
its cybersecurity research and development activities with other
Federal agencies?
- How is information
about results or technologies that are applicable to the protection
of commercial networks and privately-owned infrastructures provided
to relevant research and development communities in industry
and academia?
- What are DARPA's
priorities in cybersecurity research and development? How are
these priorities determined?
Appendix I
Links to referenced
documents on cybersecurity research and development:
Public Law 107-305:
The Cyber Security Research and Development Act (November 2002):
The National Strategy
to Secure Cyberspace (February 2003)
http://www.whitehouse.gov/pcipb/
Information Technology
for Counterterrorism: Immediate Actions and Future Possibilities,
National Academy of Sciences (March 2003):
http://bob.nap.edu/html/IT_counterterror/