Testimony of Dr. Rita Colwell
Director, National Science Foundation
Before the U.S. House of Representatives Committee on Science
May 14, 2003
Mr. Chairman and members of the Committee, I appreciate the opportunity to appear before you today to discuss the importance of improving the security of our information infrastructure. Last November, as a result of the strong leadership that you provided, Congress enacted the Cyber Security Research and Development Act of 2002 (Public Law 107-305). This law authorizes important research and education activities to build our capacity to gird the Nation's critical information technology systems against failures from accident or attack.
The Cyber Security Research and Development Act accurately focuses on the need for research, enhanced integration of activities from the diverse disciplines that impact our ability to secure our systems, and production of computer professionals with the requisite skills needed to implement the latest cybersecurity techniques.
NSF agrees wholeheartedly with this focus, and we are moving expeditiously to address these needs, both through focused investments with current year appropriations and by carefully fashioning plans for implementation in FY2004 and beyond.
Persistent Challenges and Preceding Actions
Computers and networked systems are ubiquitous in our society. Over the past decade, the Internet has grown tremendously, from its early state as a small network of academicians into a full-fledged vital information infrastructure that Americans rely on as much as they rely on electricity, water, and roadway networks. Entire sectors of our economy run minute-to-minute mission-critical operations over nationally and internationally networked systems. The increase in our reliance on these systems, combined with the increased threat of malicious attack, has shed new light on the importance of generating new knowledge to secure them. New knowledge workers are also needed to deploy and operate these systems safely and reliably.
Today's computing and communications infrastructure does many things well, but suffers from a number of flaws and weaknesses that make it less than dependable, particularly in the case of attacks. These shortcomings include (1) latent flaws in widely distributed software, (2) decreasing diversity of software components, (3) poor technical means for managing security infrastructure, (4) inadequate technical controls for needed collaboration policies, (5) lack of convenient, scalable, strong authentication, and (6) inadequate security mechanisms for new technologies. Further, the infrastructure lacks effective means for detecting when these flaws and weaknesses are exploited, and for responding when such exploitations are detected.
It is appropriate that government devote substantial public resources to develop knowledge and capabilities in the area of cybersecurity. Market pressures tend to emphasize time-to-market of software and systems. Often IT products are released with known flaws that weaken reliability of the system and may create severe vulnerabilities. Improving the quality and diminishing the costs associated with embedding security principles into all cyber systems design and development will be essential to our success.
NSF has a longstanding commitment to creating new knowledge that will improve the security of our Nation's computer and network infrastructure. NSF attention to cybersecurity dates back to a 1978 investment in cryptography, which led to the public key infrastructure that is widely used for secure cyber transactions today. Our expanded FY2003 investments in Trusted Computing, Data and Applications Security, Network Security and the Federal Cyber Service programs show how our sense of urgency in this field has grown. With the passage of the Cyber Security Research & Development Act, Congress has allowed us to act on this sense of urgency and expand the Nation's capacity to guard against attacks on our computer and network systems.
Current Year Actions
Mr. Chairman, you and this Committee were an important part of the support for the appropriation increase that NSF received in February. Cybersecurity research funding has increased by $15 million over FY2002 to reach $30 million. With the Scholarships for Service program, this brings the agency's total FY2003 investment in cybersecurity to $41 million.
A Strategic Approach
In short, NSF seeks to enable discovery, learning and innovation that will:
- Secure today's systems;
- Embed contemporary security principles and practices in all aspects of cybersystems design and development of tomorrow's systems; and
- Prepare a world-class workforce of information technology professionals, with state-of-the-art security skills spanning research to operations.
NSF will do so, informed by the interests and efforts of its partners in the cybersecurity field, including those in academe, industry and other government agencies.
Our investments are guided by three core strategies that have proven effective across all science and engineering domains.
1. Develop intellectual capital.
NSF invests in cybersecurity activities, including multidisciplinary projects, which enhance the individual and collective capacity to contribute cybersecurity solutions, thus building cybersecurity capacity for many years to come. The agency uses its competitive, merit-review process to ensure that only research and education projects of the highest quality are funded.
2. Integrate research and education.
NSF investments in cybersecurity integrate research and education, assuring that findings and methods of cybersecurity research are quickly and effectively communicated in a broader context, to a larger audience, and are thus more effectively embedded in practice.
3. Promote partnerships.
Effective collaboration and partnerships between researchers, educators and practitioners in academe, industry and government will enable the timely transformation of research outcomes into technological innovation that will secure critical cyber systems resident in both the public and private sectors. NSF has a strong institutional tradition of enabling partnerships among the Nation's leading scientists, engineers and educators. In convening researchers, educators, and other stakeholders we draw on the expertise and deliberations of a vigorous and critical scientific community, exposing new ideas and building consensus for them.
In FY2003 and beyond, NSF will build on and increase coordination between the activities that we have supported for some years. Beginning in FY2004, the entire suite of cybersecurity activities will be managed under one integrated, cross-cutting program called Cyber Trust.
I would note that we chose the title "Cyber Trust" because our understanding is that the public not only wants their information systems to be secure, but that they want to trust them in all kinds of situations. As a simple example, they need to be able to trust that data will be kept private.
The Cyber Trust portfolio of awards will include a range of multidisciplinary, multi-investigator awards, as well as more focused single-investigator awards. This will ensure that NSF's whole investment in cybersecurity research and education is greater than the sum of its parts.
In order to generate innovative approaches to the complex computer and network security problems that our Nation faces, NSF will fund projects of sufficient scope and center-scale to foster multidisciplinary collaboration between computer scientists, engineers, mathematicians, and social science researchers. Awards will range from single-investigator types to multi-investigator awards of up to $3,000,000. This portfolio of Cyber Trust investments will ensure that a rich mix of cutting-edge research is funded. NSF will also inform the community of opportunities to compete for center-scale awards in these and related areas through activities like the Science and Technology Center, Engineering Research Center, and Industry/University Cooperative Research Center programs.
Identification and Coordination of Cyber Security Priorities
NSF, in its discussions with the scientific and engineering community, has identified five vital research areas at the frontier:
1. Manageable security
2. Empirical cybersecurity studies
3. Cybersecurity foundations
4. Cybersecurity for next generation technology
5. Cybersecurity across disciplines
These research areas include and are representative of the many research areas included in Section 4(a) of the Act.
NSF believes that a highly collaborative and inclusive, coordinated effort is necessary to overcome the many technological challenges inherent in securing the nation's cyber systems. Only by drawing upon the expertise resident in relevant stakeholder organizations, including industry, academia, and government, and by aligning the interests and investments of these broad stakeholder groups, can we ensure that the best solutions are identified and enacted to protect the nation's vital information technology resources.
Accordingly, NSF will seek to establish a multi-sector cybersecurity partnership. The partnership will allow NSF to develop a strategic framework to guide future research and education investments in the field, investments likely to be made by both the public and the private sectors.
NSF will engage key federal agencies in the partnership endeavor by drawing on current interagency efforts in this area. For example, NSF staff are very active in formal interagency activities that support cybersecurity collaborations, such as the Networking and Information Technology Research and Development (NITRD) Interagency Working Group (IWG), which includes representatives from the Defense Advanced Research Projects Agency, the Department of Defense, the National Security Agency, and others.
Dr. Peter Freeman, the NSF Assistant Director for Computer and Information Science and Engineering (CISE), has talked with Dr. Arden Bement to establish formal collaboration between NSF and NIST in the area of cybersecurity, and program staff will carry the coordination forward. As chair of the NITRD IWG, Dr. Freeman has also met with Dr. David Nelson, Director of the National Coordination Office for NITRD, to discuss ways to enhance the coordination activities of the IWG in the area of cybersecurity.
Demonstrating further NSF leadership in cybersecurity, an NSF/CISE Program Officer co-chairs the High Confidence Software and Systems program coordination area of NITRD. This subgroup is working to define the Federal portfolio of cybersecurity research and development, and will identify gaps. NSF will draw upon the work of this group to inform its future research investments.
NSF also has a long tradition of working with industry partners in science and engineering. By encouraging strong industry participation in the development of a cybersecurity research and education framework, and in the subsequent funding of appropriate research and education activities, NSF hopes to improve both the transfer of new knowledge into the marketplace and the capacity of current and future generations of IT and information assurance professionals.
Capacity Building
To establish the partnership, NSF will convene a series of workshops beginning in summer 2003. These workshops will engage researchers, educators and practitioners representing academic, industry, and government stakeholder organizations to develop community consensus on cyber security research and education needs and opportunities. In addition to refining research opportunities, the workshops will focus on integration, scale, and capacity building.
The first workshops planned are described below.
1. Comprehensive Cybersecurity Needs Assessment
In August 2003, NSF will convene an invitational workshop of academic, industrial, and government leaders to help assess the needs and identify the strategies necessary to prepare a world-class cybersecurity workforce. In order to facilitate educational innovation in cybersecurity, design concepts for new cybersecurity-related curricula will be devised. Implementation strategies will be discussed to determine the best way to deliver cyber security education to a broad audience. Strategies will focus on curriculum for three levels of education:
- Bachelor's/Associate's degree programs to prepare systems administration and IT security operations professionals.
- Bachelor's and master's degree programs to prepare systems design and development professionals with specified skills in security.
- Ph.D. programs to prepare researchers and educators for careers in information security.
The workshop will also examine implementation strategies to support faculty traineeships in cybersecurity. These programs will enable recent Ph.D. graduates to pursue academic careers in cybersecurity.
Following this workshop, NSF will assess the extent to which its current capacity-building programs address the needs defined by the workshop attendees. For example, the Advanced Technology Education (ATE) centers are comprehensive national or regional cooperative efforts involving two-year colleges, four-year colleges and universities, secondary schools, business, industry, and government. This program might serve as a valuable model for other such activities in the future. In the meantime it will provide a potential platform for cybersecurity activities at the bachelor's and associate's degree levels.
I should also note that the Federal Cyber Service: Scholarships for Service (SFS) program "seeks to increase the number of qualified students entering the fields of information assurance and computer security and to increase the capacity of the United States higher education enterprise to continue to produce professionals in these fields to meet the needs of our increasingly technological society." This program directly addresses the future needs of the Federal government for access to skilled information security bachelor's, master's, and Ph.D. recipients. The program also provides funding to schools to "improve the quality and increase the production of information assurance and computer security professionals through professional development of information assurance faculty and the development of academic programs."
2. Cybersecurity Community
In order to facilitate multidisciplinary research and education activities, NSF will convene a meeting of all Principal Investigators (PIs) from the newly integrated Cyber Trust Program. This group of PIs will form a Research Collaboration Network (RCN). The RCN will facilitate interaction between groups of investigators, to communicate and coordinate research efforts across disciplinary, organizational, institutional, and geographical boundaries. It will lead to integration of the research activities of scientists working independently on cybersecurity topics of common interest, nurture a sense of community among cyber security researchers, attract new scientists to the field, and minimize isolation and maximize cooperation in research, training, outreach and educational activities. Together, the members of this network will explore further means by which to address the complex issues faced by the cybersecurity community as a whole.
The Cyber Security Research and Development Act addresses a critical weakness in the security of our Nation. NSF is grateful to the Committee for extending its confidence to us. We look forward to working with you to ensure that the goals of the Act are fulfilled.