Dr. Rita Colwell
Director, National Science Foundation
Before the U.S. House of Representatives
Committee on Science
May 14, 2003
Mr. Chairman and members
of the Committee, I appreciate the opportunity to appear before
you today to discuss the importance of improving the security
of our information infrastructure. Last November, as a result
of the strong leadership that you provided, Congress enacted the
Cyber Security Research and Development Act (Public Law 107-305)
of 2002. This law authorizes important research and education
activities to build our capacity to gird the Nation's critical
information technology systems against failures from accident
The Cyber Security
Research and Development Act accurately focuses on the need for
research, enhanced integration of activities from the diverse
disciplines that impact our ability to secure our systems, and
production of computer professionals with the requisite skills
needed to implement the latest cybersecurity techniques.
NSF agrees wholeheartedly
with this focus and we are moving expeditiously to address these
needs, both through focused investments with current year appropriations
and by carefully fashioning plans for implementation in FY2004
and Preceding Actions
Computers and networked
systems are ubiquitous in our society. Over the past decade, the
Internet has grown tremendously, from its early state as a small
network of academicians, into a full-fledged vital information
infrastructure that Americans rely on as much as they rely on
electricity, water, and roadway networks. Entire sectors of our
economy run minute-to-minute mission critical operations over
nationally and internationally networked systems. The increase
in our reliance on these systems, combined with the increased
threat of malicious attack, has shed new light on the importance
of generating new knowledge to secure them. New knowledge workers
are also needed to deploy and operate these systems safely and
Today's computing and
communications infrastructure does many things well, but suffers
from a number of flaws and weaknesses that make it less than dependable,
particularly in the case of attacks. These shortcomings include
(1) latent flaws in widely distributed software, (2) decreasing
diversity of software components, (3) poor technical means for
managing security infrastructure, (4) inadequate technical controls
for needed collaboration policies, (5) lack of convenient, scalable,
strong authentication, and (6) inadequate security mechanisms
for new technologies. Further, the infrastructure lacks effective
means for detecting when these flaws and weaknesses are exploited,
and for responding when such exploitations are detected.
It is appropriate that
government devote substantial public resources to develop knowledge
and capabilities in the area of cybersecurity. Market pressures
tend to emphasize time-to-market of software and systems. Often
IT products are released with known flaws that weaken reliability
of the system and may create severe vulnerabilities. Improving
the quality and diminishing the costs associated with embedding
security principles into all cyber systems design and development
will be essential to our success.
NSF has a longstanding
commitment to creating new knowledge that will improve the security
of our Nation's computer and network infrastructure. NSF attention
to cybersecurity dates back to a 1978 investment in cryptography,
which led to the public key infrastructure that is widely used
for secure cyber transactions today. Our expanded FY2003 investments
in Trusted Computing, Data and Applications Security, Network
Security and the Federal Cyber Service programs shows how our
sense of urgency in this field has grown. With the passage of
the Cyber Security Research & Development Act, Congress has
allowed us to act on this sense of urgency and expand the Nation's
capacity to guard against attacks on our computer and network
Current Year Actions
Mr. Chairman, you and
this Committee were an important part of the support for the appropriation
increase that NSF received in February. Cybersecurity research
funding has increased by $15 million over FY2002 to reach $30
million. With the Scholarships for Service program, this brings
the agency's total FY 2003 investment in cybersecurity to $41
A Strategic Approach
In short NSF seeks
to enable discovery, learning and innovation that will:
- Secure today's
- Embed contemporary
security principles and practices in all aspects of cybersystems
design and development of tomorrow's systems; and
- Prepare a world-class
workforce of information technology professionals, with state-of-the-art
security skills spanning research to operations.
NSF will do so, informed by the interests and efforts of its
partners in the cybersecurity field, including those in academe,
industry and other government agencies.
Our investments are
guided by three core strategies that have proven effective across
all science and engineering domains.
1. Develop intellectual capital.
NSF invests in cybersecurity activities, including multidisciplinary
projects, which enhance the individual and collective capacity
to contribute cybersecurity solutions, thus building cybersecurity
capacity for many years to come. The agency uses its competitive,
merit-review process to ensure that only research and education
projects of the highest quality are funded.
2. Integrate research and education.
NSF investments in cybersecurity integrate research and education,
assuring that findings and methods of cybersecurity research are
quickly and effectively communicated in a broader context, to
a larger audience and are thus more effectively embedded in practice.
3. Promote Partnerships.
Effective collaboration and partnerships between researchers,
educators and practitioners in academe, industry and government
will enable the timely transformation of research outcomes into
technological innovation that will secure critical cyber systems
resident in both the public and private sectors. NSF has a strong
institutional tradition of enabling partnerships among the Nation's
leading scientists, engineers and educators. In convening researchers,
educators, and other stakeholders we draw on the expertise and
deliberations of a vigorous and critical scientific community,
exposing new ideas and building consensus for them.
In FY2003 and beyond,
NSF will build on and increase coordination between the activities
that we have supported for some years. Beginning in FY2004, the
entire suite of cybersecurity activities will be managed under
one integrated, cross-cutting program called Cyber Trust.
I would note that we
chose the title "Cyber Trust" because our understanding
is that the public not only wants their information systems to
be secure, but that they want to trust them in all kinds of situations.
As a simple example, they need to be able to trust that data will
be kept private.
The Cyber Trust portfolio
of awards will include a range of multidisciplinary, multi-investigator
awards, as well as more focused single investigator awards. This
will ensure that NSF's whole investment in cybersecurity research
and education is greater than the sum of its parts.
In order to generate
innovative approaches to the complex computer and network security
problems that our Nation faces, NSF will fund projects of sufficient
scope and center-scale to foster multidisciplinary collaboration
between computer scientists, engineers, mathematicians, and social
science researchers. Awards will range from single investigator
types to multi-investigator awards of up to $3,000,000. This portfolio
of Cyber Trust investments will ensure that a rich mix of cutting-edge
research is funded. NSF will also inform the community of opportunities
to compete for center-scale awards in these and related areas
through activities like the Science and Technology Center, Engineering
Research Center, and Industry/University Cooperative Research
Identification and Coordination of Cyber Security Priorities
NSF, in its discussions
with the scientific and engineering community, has identified
five vital research areas at the frontier:
1. Manageable security
2. Empirical cybersecurity studies
3. Cybersecurity foundations
4. Cybersecurity for next generation technology
5. Cybersecurity across disciplines
These research areas
include and are representative of the many research areas included
in Section 4(a) of the Act.
NSF believes that a
highly collaborative and inclusive, coordinated effort is necessary
to overcome the many technological challenges inherent in securing
the nation's cyber systems. Only by drawing upon the expertise
resident in relevant stakeholder organizations, including industry,
academia, and government, and by aligning the interests and investments
of these broad stakeholder groups, can we ensure that the best
solutions are identified and enacted to protect the nation's vital
information technology resources.
Accordingly, NSF will seek to establish a multi-sector cybersecurity
partnership. The partnership will allow NSF to develop a strategic
framework to guide future research and education investments in
the field; investments likely to be made by both the public and
the private sectors.
NSF will engage key
federal agencies in the partnership endeavor, by drawing on current
interagency efforts in this area. For example, NSF staff are very
active in formal interagency activities that support cybersecurity
collaborations, such as in the Networking and Information Technology
Research and Development (NITRD) Interagency Working Group (IWG)
that includes representatives from the Defense Advanced Research
Projects Agency, the Department of Defense, the National Security
Agency, and others.
Dr. Peter Freeman,
the NSF Assistant Director for Computer and Information Science
and Engineering (CISE) has talked with Dr. Arden Bement to establish
formal collaboration between NSF and NIST in the area of cybersecurity
and program staff will carry the coordination forward. As chair
of the NITRD IWG Dr. Freeman has also met with Dr. David Nelson,
Director of the National Coordination Office for NITRD, to discuss
ways to enhance the coordination activities of the IWG in the
area of cybersecurity.
NSF leadership in cybersecurity, an NSF/CISE Program Officer co-chairs
the High Confidence Software and Systems program coordination
area of NITRD. This subgroup is working to define the Federal
portfolio of cybersecurity research and development, and will
identify gaps. NSF will draw upon the work of this group to inform
its future research investments.
NSF also has a long
tradition of working with industry partners in science and engineering.
By encouraging strong industry participation in the development
of a cybersecurity research and education framework, and in the
subsequent funding of appropriate research and education activities,
NSF hopes to improve both the transfer of new knowledge into the
marketplace and the capacity of current and future generations
of IT and information assurance professionals.
To establish the partnership,
NSF will convene a series of workshops to begin in summer 2003.
These workshops will engage researchers, educators and practitioners
representing academic, industry, and government stakeholder organizations
to develop community consensus on cyber security research and
education needs and opportunities. In addition to refining research
opportunities, the workshops will focus on integration, scale,
and capacity building.
The first workshops
planned are described below.
1. Comprehensive Cybersecurity
In August 2003, NSF
will convene an invitational workshop of academic, industrial,
and government leaders to help assess the needs and identify the
strategies necessary to prepare a world-class cybersecurity workforce.
In order to facilitate educational innovation in cybersecurity,
design concepts for new cybersecurity-related curricula will be
devised. Implementation strategies will be discussed to determine
the best way to deliver cyber security education to a broad audience.
Strategies will focus on curriculum for three levels of education:
degree programs to prepare systems administration and IT security
- Bachelor's and master's
degree programs to prepare systems design and development professionals
with specified skills in security.
- Ph.D. programs to
prepare researchers and educators for careers in information
The workshop will also
examine implementation strategies to support faculty traineeships
in cybersecurity. These programs will enable recent Ph.D. graduates
to pursue academic careers in cybersecurity.
Following this workshop,
NSF will assess the extent to which its current capacity-building
programs address the needs defined by the workshop attendees.
For example, the Advanced Technology Education (ATE) centers are
comprehensive national or regional cooperative efforts involving
two-year colleges, four-year colleges and universities, secondary
schools, business, industry, and government. This program might
serve as a valuable model for other such activities in the future.
In the meantime it will provide a potential platform for cybersecurity
activities at the bachelor's and associate's degree levels.
I should also note
that the Federal Cyber Service: Scholarships for Service (SFS)
program "seeks to increase the number of qualified students
entering the fields of information assurance and computer security
and to increase the capacity of the United States higher education
enterprise to continue to produce professionals in these fields
to meet the needs of our increasingly technological society."
This program directly addresses the future needs of the Federal
government for access to skilled information security bachelor's,
master's, and Ph.D. recipients. The program also provides funding
to schools to "improve the quality and increase the production
of information assurance and computer security professionals through
professional development of information assurance faculty and
the development of academic programs."
2. Cybersecurity Community
In order to facilitate
multidisciplinary research and education activities, NSF will
convene a meeting of all Principal Investigators (PIs) from the
newly integrated Cyber Trust Program. This group of PIs will form
a Research Collaboration Network. The RCN will facilitate interaction
between groups of investigators, to communicate and coordinate
research efforts across disciplinary, organizational, institutional,
and geographical boundaries. It will lead to integration of the
research activities of scientists working independently on cybersecurity
topics of common interest, to nurture a sense of community among
cyber security researchers, to attract new scientists to the field,
and to minimize isolation and maximize cooperation in research,
training, outreach and educational activities. Together, the members
of this network will explore further means by which to address
the complex issues faced by the cybersecurity community as a whole.
Security Research and Development Act addresses a critical weakness
in the security of our Nation. NSF is appreciative to the Committee
for extending its confidence to us. We look forward to working
with you to ensure that the goals of the
Act are fulfilled.